token-server: Delegation config import, validation and evaluation.

tokenserver/api/admin/v1/config.proto

Index: tokenserver/api/admin/v1/config.proto
diff --git a/tokenserver/api/admin/v1/config.proto b/tokenserver/api/admin/v1/config.proto
index 5cd9c602f63379b5fd99ac3e8828805f0f8966b4..6665325189a7224332a39d30cc58a9f4c54b253b 100644
--- a/tokenserver/api/admin/v1/config.proto
+++ b/tokenserver/api/admin/v1/config.proto
@@ -114,6 +114,8 @@ message DelegationRule {
   //  * A group reference ("group:<name>").
   //  * A special identifier "REQUESTOR" that is substituted by the requestor
   //    identity when evaluating the rule.
+  //  * A special token "*" that means "any bearer can use the new token,
+  //    including anonymous".
   //
   // "REQUESTOR" is typically used here for rules that allow requestors to
   // impersonate someone else. The corresponding tokens have the requestor as
@@ -122,7 +124,10 @@ message DelegationRule {
 
   // A set of services that should be able to accept the new token.
   //
-  // Each element is a service identity string ("service:<id>").
+  // Each element is either:
+  //  * A service identity string ("service:<id>").
+  //  * A special token "*" that mean "any LUCI service should accept the

[nodir, 2016/10/13 22:03:52]

means

+  //    token".
   repeated string target_service = 6;
 
   // Maximum allowed validity duration (sec) of minted delegation tokens.