token-server: Delegation config import, validation and evaluation.

tokenserver/api/admin/v1/config.pb.go

Index: tokenserver/api/admin/v1/config.pb.go
diff --git a/tokenserver/api/admin/v1/config.pb.go b/tokenserver/api/admin/v1/config.pb.go
index 91edd9dae09a82d62efc8a1a6e5c8585ae98b354..41dc19c599c219b4847f28b2a9236a8377bb15e9 100644
--- a/tokenserver/api/admin/v1/config.pb.go
+++ b/tokenserver/api/admin/v1/config.pb.go
@@ -149,6 +149,8 @@ type DelegationRule struct {
 	//  * A group reference ("group:<name>").
 	//  * A special identifier "REQUESTOR" that is substituted by the requestor
 	//    identity when evaluating the rule.
+	//  * A special token "*" that means "any bearer can use the new token,
+	//    including anonymous".
 	//
 	// "REQUESTOR" is typically used here for rules that allow requestors to
 	// impersonate someone else. The corresponding tokens have the requestor as
@@ -156,7 +158,10 @@ type DelegationRule struct {
 	AllowedAudience []string `protobuf:"bytes,5,rep,name=allowed_audience,json=allowedAudience" json:"allowed_audience,omitempty"`
 	// A set of services that should be able to accept the new token.
 	//
-	// Each element is a service identity string ("service:<id>").
+	// Each element is either:
+	//  * A service identity string ("service:<id>").
+	//  * A special token "*" that mean "any LUCI service should accept the
+	//    token".
 	TargetService []string `protobuf:"bytes,6,rep,name=target_service,json=targetService" json:"target_service,omitempty"`
 	// Maximum allowed validity duration (sec) of minted delegation tokens.
 	//