token-server: Add protos for new API for generating service account tokens.

tokenserver/api/admin/v1/admin.pb.go

Index: tokenserver/api/admin/v1/admin.pb.go
diff --git a/tokenserver/api/admin/v1/admin.pb.go b/tokenserver/api/admin/v1/admin.pb.go
index 4c9c35ead0e83da0838862289bc4f0c8dcb127de..38a87a2f7cdba6e4aa03f65f6bf5f4aaeedad5ed 100644
--- a/tokenserver/api/admin/v1/admin.pb.go
+++ b/tokenserver/api/admin/v1/admin.pb.go
@@ -15,6 +15,8 @@ It has these top-level messages:
 	InspectMachineTokenResponse
 	InspectDelegationTokenRequest
 	InspectDelegationTokenResponse
+	InspectOAuthTokenGrantRequest
+	InspectOAuthTokenGrantResponse
 	FetchCRLRequest
 	FetchCRLResponse
 	ListCAsResponse
@@ -30,6 +32,8 @@ It has these top-level messages:
 	DomainConfig
 	DelegationPermissions
 	DelegationRule
+	ServiceAccountsPermissions
+	ServiceAccountRule
 */
 package admin
 
@@ -41,6 +45,7 @@ import math "math"
 import google_protobuf "github.com/golang/protobuf/ptypes/empty"
 import messages "github.com/luci/luci-go/server/auth/delegation/messages"
 import tokenserver "github.com/luci/luci-go/tokenserver/api"
+import tokenserver1 "github.com/luci/luci-go/tokenserver/api"
 
 import (
 	context "golang.org/x/net/context"
@@ -400,12 +405,117 @@ func (m *InspectDelegationTokenResponse) GetSubtoken() *messages.Subtoken {
 	return nil
 }
 
+// InspectOAuthTokenGrantRequest is body of InspectOAuthTokenGrant RPC call.
+type InspectOAuthTokenGrantRequest struct {
+	// The token body.
+	Token string `protobuf:"bytes,1,opt,name=token" json:"token,omitempty"`
+}
+
+func (m *InspectOAuthTokenGrantRequest) Reset()                    { *m = InspectOAuthTokenGrantRequest{} }
+func (m *InspectOAuthTokenGrantRequest) String() string            { return proto.CompactTextString(m) }
+func (*InspectOAuthTokenGrantRequest) ProtoMessage()               {}
+func (*InspectOAuthTokenGrantRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{5} }
+
+func (m *InspectOAuthTokenGrantRequest) GetToken() string {
+	if m != nil {
+		return m.Token
+	}
+	return ""
+}
+
+// InspectOAuthTokenGrantResponse is return value of InspectOAuthTokenGrant RPC.
+type InspectOAuthTokenGrantResponse struct {
+	// True if the token is valid.
+	//
+	// A token is valid if its signature is correct and it hasn't expired yet.
+	Valid bool `protobuf:"varint,1,opt,name=valid" json:"valid,omitempty"`
+	// Human readable summary of why token is invalid.
+	//
+	// Summarizes the rest of the fields of this struct. Set only if 'valid' is
+	// false.
+	InvalidityReason string `protobuf:"bytes,2,opt,name=invalidity_reason,json=invalidityReason" json:"invalidity_reason,omitempty"`
+	// True if the token signature was verified.
+	//
+	// It means the token was generated by the token server and its body is not
+	// a garbage. Note that a token can be correctly signed, but invalid (if it
+	// has expired).
+	//
+	// If 'signed' is false, the fields below may (or may not) be a garbage.
+	//
+	// The token server uses private keys managed by Google Cloud Platform, they
+	// are constantly being rotated and "old" signatures become invalid over time
+	// (when corresponding keys are rotated out of existence).
+	//
+	// If 'signed' is false, use the rest of the response only as FYI, possibly
+	// invalid or even maliciously constructed.
+	Signed bool `protobuf:"varint,3,opt,name=signed" json:"signed,omitempty"`
+	// True if the token signature was verified and token hasn't expired yet.
+	//
+	// We use "non_" prefix to make default 'false' value safer.
+	NonExpired bool `protobuf:"varint,4,opt,name=non_expired,json=nonExpired" json:"non_expired,omitempty"`
+	// ID of a token server private key used to sign the token.
+	SigningKeyId string `protobuf:"bytes,5,opt,name=signing_key_id,json=signingKeyId" json:"signing_key_id,omitempty"`
+	// The deserialized token body.
+	//
+	// May be empty if token was malformed and couldn't be deserialized.
+	TokenBody *tokenserver1.OAuthTokenGrantBody `protobuf:"bytes,6,opt,name=token_body,json=tokenBody" json:"token_body,omitempty"`
+}
+
+func (m *InspectOAuthTokenGrantResponse) Reset()                    { *m = InspectOAuthTokenGrantResponse{} }
+func (m *InspectOAuthTokenGrantResponse) String() string            { return proto.CompactTextString(m) }
+func (*InspectOAuthTokenGrantResponse) ProtoMessage()               {}
+func (*InspectOAuthTokenGrantResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{6} }
+
+func (m *InspectOAuthTokenGrantResponse) GetValid() bool {
+	if m != nil {
+		return m.Valid
+	}
+	return false
+}
+
+func (m *InspectOAuthTokenGrantResponse) GetInvalidityReason() string {
+	if m != nil {
+		return m.InvalidityReason
+	}
+	return ""
+}
+
+func (m *InspectOAuthTokenGrantResponse) GetSigned() bool {
+	if m != nil {
+		return m.Signed
+	}
+	return false
+}
+
+func (m *InspectOAuthTokenGrantResponse) GetNonExpired() bool {
+	if m != nil {
+		return m.NonExpired
+	}
+	return false
+}
+
+func (m *InspectOAuthTokenGrantResponse) GetSigningKeyId() string {
+	if m != nil {
+		return m.SigningKeyId
+	}
+	return ""
+}
+
+func (m *InspectOAuthTokenGrantResponse) GetTokenBody() *tokenserver1.OAuthTokenGrantBody {
+	if m != nil {
+		return m.TokenBody
+	}
+	return nil
+}
+
 func init() {
 	proto.RegisterType((*ImportedConfigs)(nil), "tokenserver.admin.ImportedConfigs")
 	proto.RegisterType((*InspectMachineTokenRequest)(nil), "tokenserver.admin.InspectMachineTokenRequest")
 	proto.RegisterType((*InspectMachineTokenResponse)(nil), "tokenserver.admin.InspectMachineTokenResponse")
 	proto.RegisterType((*InspectDelegationTokenRequest)(nil), "tokenserver.admin.InspectDelegationTokenRequest")
 	proto.RegisterType((*InspectDelegationTokenResponse)(nil), "tokenserver.admin.InspectDelegationTokenResponse")
+	proto.RegisterType((*InspectOAuthTokenGrantRequest)(nil), "tokenserver.admin.InspectOAuthTokenGrantRequest")
+	proto.RegisterType((*InspectOAuthTokenGrantResponse)(nil), "tokenserver.admin.InspectOAuthTokenGrantResponse")
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -419,20 +529,12 @@ const _ = grpc.SupportPackageIsVersion4
 // Client API for Admin service
 
 type AdminClient interface {
-	// ImportCAConfigs makes the server read CA configs from luci-config.
-	//
-	// This reads 'tokenserver.cfg' file.
-	//
-	// Note that regularly configs are read in background each 5 min.
-	// ImportCAConfigs can be used to force config reread immediately. It will
-	// block until the configs are read.
+	// ImportCAConfigs makes the server read 'tokenserver.cfg'.
 	ImportCAConfigs(ctx context.Context, in *google_protobuf.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
-	// ImportDelegationConfigs makes the server read 'delegation.cfg' config.
-	//
-	// Note that regularly configs are read in background each 5 min.
-	// ImportDelegationConfigs can be used to force config reread immediately. It
-	// will block until the configs are read.
+	// ImportDelegationConfigs makes the server read 'delegation.cfg'.
 	ImportDelegationConfigs(ctx context.Context, in *google_protobuf.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
+	// ImportServiceAccountsConfigs makes the server read 'service_accounts.cfg'.
+	ImportServiceAccountsConfigs(ctx context.Context, in *google_protobuf.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error)
 	// InspectMachineToken decodes a machine token and verifies it is valid.
 	//
 	// It verifies the token was signed by a private key of the token server and
@@ -465,6 +567,22 @@ type AdminClient interface {
 	//   grpc.InvalidArgument error for unsupported token kind.
 	//   grpc.Internal error for transient errors.
 	InspectDelegationToken(ctx context.Context, in *InspectDelegationTokenRequest, opts ...grpc.CallOption) (*InspectDelegationTokenResponse, error)
+	// InspectOAuthTokenGrant decodes OAuth token grant and verifies it is valid.
+	//
+	// It verifies the token was signed by a private key of the token server and
+	// checks token's expiration time.
+	//
+	// It tries to give as much information about the token and its status as
+	// possible (e.g. attempts to decode the body even if the signing key has been
+	// rotated already).
+	//
+	// Administrators can use this call to debug issues with tokens.
+	//
+	// Returns:
+	//   InspectOAuthTokenGrantResponse for tokens of supported kind.
+	//   grpc.InvalidArgument error for unsupported token kind.
+	//   grpc.Internal error for transient errors.
+	InspectOAuthTokenGrant(ctx context.Context, in *InspectOAuthTokenGrantRequest, opts ...grpc.CallOption) (*InspectOAuthTokenGrantResponse, error)
 }
 type adminPRPCClient struct {
 	client *prpc.Client
@@ -492,6 +610,15 @@ func (c *adminPRPCClient) ImportDelegationConfigs(ctx context.Context, in *googl
 	return out, nil
 }
 
+func (c *adminPRPCClient) ImportServiceAccountsConfigs(ctx context.Context, in *google_protobuf.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error) {
+	out := new(ImportedConfigs)
+	err := c.client.Call(ctx, "tokenserver.admin.Admin", "ImportServiceAccountsConfigs", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *adminPRPCClient) InspectMachineToken(ctx context.Context, in *InspectMachineTokenRequest, opts ...grpc.CallOption) (*InspectMachineTokenResponse, error) {
 	out := new(InspectMachineTokenResponse)
 	err := c.client.Call(ctx, "tokenserver.admin.Admin", "InspectMachineToken", in, out, opts...)
@@ -510,6 +637,15 @@ func (c *adminPRPCClient) InspectDelegationToken(ctx context.Context, in *Inspec
 	return out, nil
 }
 
+func (c *adminPRPCClient) InspectOAuthTokenGrant(ctx context.Context, in *InspectOAuthTokenGrantRequest, opts ...grpc.CallOption) (*InspectOAuthTokenGrantResponse, error) {
+	out := new(InspectOAuthTokenGrantResponse)
+	err := c.client.Call(ctx, "tokenserver.admin.Admin", "InspectOAuthTokenGrant", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 type adminClient struct {
 	cc *grpc.ClientConn
 }
@@ -536,6 +672,15 @@ func (c *adminClient) ImportDelegationConfigs(ctx context.Context, in *google_pr
 	return out, nil
 }
 
+func (c *adminClient) ImportServiceAccountsConfigs(ctx context.Context, in *google_protobuf.Empty, opts ...grpc.CallOption) (*ImportedConfigs, error) {
+	out := new(ImportedConfigs)
+	err := grpc.Invoke(ctx, "/tokenserver.admin.Admin/ImportServiceAccountsConfigs", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *adminClient) InspectMachineToken(ctx context.Context, in *InspectMachineTokenRequest, opts ...grpc.CallOption) (*InspectMachineTokenResponse, error) {
 	out := new(InspectMachineTokenResponse)
 	err := grpc.Invoke(ctx, "/tokenserver.admin.Admin/InspectMachineToken", in, out, c.cc, opts...)
@@ -554,23 +699,24 @@ func (c *adminClient) InspectDelegationToken(ctx context.Context, in *InspectDel
 	return out, nil
 }
 
+func (c *adminClient) InspectOAuthTokenGrant(ctx context.Context, in *InspectOAuthTokenGrantRequest, opts ...grpc.CallOption) (*InspectOAuthTokenGrantResponse, error) {
+	out := new(InspectOAuthTokenGrantResponse)
+	err := grpc.Invoke(ctx, "/tokenserver.admin.Admin/InspectOAuthTokenGrant", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // Server API for Admin service
 
 type AdminServer interface {
-	// ImportCAConfigs makes the server read CA configs from luci-config.
-	//
-	// This reads 'tokenserver.cfg' file.
-	//
-	// Note that regularly configs are read in background each 5 min.
-	// ImportCAConfigs can be used to force config reread immediately. It will
-	// block until the configs are read.
+	// ImportCAConfigs makes the server read 'tokenserver.cfg'.
 	ImportCAConfigs(context.Context, *google_protobuf.Empty) (*ImportedConfigs, error)
-	// ImportDelegationConfigs makes the server read 'delegation.cfg' config.
-	//
-	// Note that regularly configs are read in background each 5 min.
-	// ImportDelegationConfigs can be used to force config reread immediately. It
-	// will block until the configs are read.
+	// ImportDelegationConfigs makes the server read 'delegation.cfg'.
 	ImportDelegationConfigs(context.Context, *google_protobuf.Empty) (*ImportedConfigs, error)
+	// ImportServiceAccountsConfigs makes the server read 'service_accounts.cfg'.
+	ImportServiceAccountsConfigs(context.Context, *google_protobuf.Empty) (*ImportedConfigs, error)
 	// InspectMachineToken decodes a machine token and verifies it is valid.
 	//
 	// It verifies the token was signed by a private key of the token server and
@@ -603,6 +749,22 @@ type AdminServer interface {
 	//   grpc.InvalidArgument error for unsupported token kind.
 	//   grpc.Internal error for transient errors.
 	InspectDelegationToken(context.Context, *InspectDelegationTokenRequest) (*InspectDelegationTokenResponse, error)
+	// InspectOAuthTokenGrant decodes OAuth token grant and verifies it is valid.
+	//
+	// It verifies the token was signed by a private key of the token server and
+	// checks token's expiration time.
+	//
+	// It tries to give as much information about the token and its status as
+	// possible (e.g. attempts to decode the body even if the signing key has been
+	// rotated already).
+	//
+	// Administrators can use this call to debug issues with tokens.
+	//
+	// Returns:
+	//   InspectOAuthTokenGrantResponse for tokens of supported kind.
+	//   grpc.InvalidArgument error for unsupported token kind.
+	//   grpc.Internal error for transient errors.
+	InspectOAuthTokenGrant(context.Context, *InspectOAuthTokenGrantRequest) (*InspectOAuthTokenGrantResponse, error)
 }
 
 func RegisterAdminServer(s prpc.Registrar, srv AdminServer) {
@@ -645,6 +807,24 @@ func _Admin_ImportDelegationConfigs_Handler(srv interface{}, ctx context.Context
 	return interceptor(ctx, in, info, handler)
 }
 
+func _Admin_ImportServiceAccountsConfigs_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(google_protobuf.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AdminServer).ImportServiceAccountsConfigs(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/tokenserver.admin.Admin/ImportServiceAccountsConfigs",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AdminServer).ImportServiceAccountsConfigs(ctx, req.(*google_protobuf.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _Admin_InspectMachineToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(InspectMachineTokenRequest)
 	if err := dec(in); err != nil {
@@ -681,6 +861,24 @@ func _Admin_InspectDelegationToken_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }
 
+func _Admin_InspectOAuthTokenGrant_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(InspectOAuthTokenGrantRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AdminServer).InspectOAuthTokenGrant(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/tokenserver.admin.Admin/InspectOAuthTokenGrant",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AdminServer).InspectOAuthTokenGrant(ctx, req.(*InspectOAuthTokenGrantRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 var _Admin_serviceDesc = grpc.ServiceDesc{
 	ServiceName: "tokenserver.admin.Admin",
 	HandlerType: (*AdminServer)(nil),
@@ -694,6 +892,10 @@ var _Admin_serviceDesc = grpc.ServiceDesc{
 			Handler:    _Admin_ImportDelegationConfigs_Handler,
 		},
 		{
+			MethodName: "ImportServiceAccountsConfigs",
+			Handler:    _Admin_ImportServiceAccountsConfigs_Handler,
+		},
+		{
 			MethodName: "InspectMachineToken",
 			Handler:    _Admin_InspectMachineToken_Handler,
 		},
@@ -701,6 +903,10 @@ var _Admin_serviceDesc = grpc.ServiceDesc{
 			MethodName: "InspectDelegationToken",
 			Handler:    _Admin_InspectDelegationToken_Handler,
 		},
+		{
+			MethodName: "InspectOAuthTokenGrant",
+			Handler:    _Admin_InspectOAuthTokenGrant_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "github.com/luci/luci-go/tokenserver/api/admin/v1/admin.proto",
@@ -711,42 +917,47 @@ func init() {
 }
 
 var fileDescriptor0 = []byte{
-	// 578 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x54, 0x41, 0x4f, 0xd4, 0x40,
-	0x14, 0x76, 0x41, 0xd6, 0xe5, 0x41, 0x10, 0x46, 0x82, 0xb5, 0x04, 0x25, 0x1b, 0x0f, 0x24, 0x86,
-	0xa9, 0x60, 0x38, 0xc9, 0x05, 0x91, 0x84, 0x8d, 0x59, 0x0f, 0x15, 0xcf, 0x4d, 0xb7, 0x7d, 0x74,
-	0x27, 0xbb, 0x9d, 0xa9, 0x9d, 0x69, 0x63, 0x0f, 0x9e, 0xfc, 0x27, 0xfe, 0x31, 0xff, 0x8a, 0xe9,
-	0x4c, 0xdb, 0xed, 0xe2, 0xae, 0xc1, 0xc4, 0x83, 0x97, 0x66, 0xde, 0x37, 0xdf, 0xf7, 0xbd, 0xe9,
-	0xbc, 0x79, 0x0f, 0xce, 0x23, 0xa6, 0xc6, 0xd9, 0x88, 0x06, 0x22, 0x76, 0xa6, 0x59, 0xc0, 0xf4,
-	0xe7, 0x38, 0x12, 0x8e, 0x12, 0x13, 0xe4, 0x12, 0xd3, 0x1c, 0x53, 0xc7, 0x4f, 0x98, 0xe3, 0x87,
-	0x31, 0xe3, 0x4e, 0x7e, 0x62, 0x16, 0x34, 0x49, 0x85, 0x12, 0x64, 0xa7, 0xc5, 0xa2, 0x7a, 0xc3,
-	0xde, 0x8f, 0x84, 0x88, 0xa6, 0xe8, 0x68, 0xc2, 0x28, 0xbb, 0x75, 0x30, 0x4e, 0x54, 0x61, 0xf8,
-	0xf6, 0xf5, 0xb2, 0x6c, 0x75, 0xa2, 0x4c, 0x8d, 0x9d, 0x10, 0xa7, 0x18, 0xf9, 0x8a, 0x09, 0xee,
-	0xc4, 0x28, 0xa5, 0x1f, 0xa1, 0x6c, 0x61, 0x95, 0xd3, 0xdb, 0xfb, 0x9e, 0x3b, 0xf6, 0x83, 0x31,
-	0xe3, 0xe8, 0x69, 0xdc, 0x88, 0xfb, 0xc7, 0xf0, 0x78, 0x10, 0x27, 0x22, 0x55, 0x18, 0x5e, 0x0a,
-	0x7e, 0xcb, 0x22, 0x49, 0x6c, 0xe8, 0xa5, 0x98, 0x33, 0xc9, 0x04, 0xb7, 0x3a, 0x87, 0x9d, 0xa3,
-	0x75, 0xb7, 0x89, 0xfb, 0x09, 0xd8, 0x03, 0x2e, 0x13, 0x0c, 0xd4, 0xd0, 0x98, 0xdd, 0x94, 0x5e,
-	0x2e, 0x7e, 0xc9, 0x50, 0x2a, 0x72, 0x0e, 0xa0, 0xbd, 0x3d, 0x55, 0x24, 0xa8, 0xb5, 0x5b, 0xa7,
-	0x07, 0xb4, 0x7d, 0x31, 0x6d, 0xd5, 0x4d, 0x91, 0xa0, 0xbb, 0xae, 0xea, 0x25, 0xd9, 0x85, 0x35,
-	0x1d, 0x58, 0x2b, 0x3a, 0xa9, 0x09, 0xfa, 0x3f, 0x57, 0x60, 0x7f, 0x61, 0x4a, 0x99, 0x08, 0x2e,
-	0xb5, 0x2a, 0xf7, 0xa7, 0x2c, 0xd4, 0xe9, 0x7a, 0xae, 0x09, 0xc8, 0x2b, 0xd8, 0x61, 0x5c, 0x2f,
-	0x99, 0x2a, 0xbc, 0x14, 0x7d, 0x29, 0x6a, 0xdf, 0xed, 0xd9, 0x86, 0xab, 0x71, 0xb2, 0x07, 0x5d,
-	0xc9, 0x22, 0x8e, 0xa1, 0xb5, 0xaa, 0x3d, 0xaa, 0x88, 0xbc, 0x80, 0x0d, 0x2e, 0xb8, 0x87, 0x5f,
-	0x13, 0x96, 0x62, 0x68, 0x3d, 0xd4, 0x9b, 0xc0, 0x05, 0xbf, 0x32, 0x48, 0x4d, 0x48, 0x31, 0x17,
-	0x13, 0x0c, 0xad, 0xb5, 0x86, 0xe0, 0x1a, 0x84, 0xbc, 0x84, 0xad, 0xd2, 0x8b, 0xf1, 0xc8, 0x9b,
-	0x60, 0xe1, 0xb1, 0xd0, 0xea, 0xea, 0x33, 0x6c, 0x56, 0xe8, 0x07, 0x2c, 0x06, 0x21, 0x39, 0x84,
-	0xcd, 0x00, 0x53, 0xe5, 0x05, 0xbe, 0xc7, 0xfd, 0x18, 0xad, 0x47, 0x9a, 0x03, 0x25, 0x76, 0xe9,
-	0x7f, 0xf4, 0x63, 0x24, 0x43, 0x20, 0x65, 0x51, 0xbd, 0xb9, 0x0a, 0x5a, 0xbb, 0x87, 0x9d, 0xa3,
-	0x8d, 0x3f, 0x5c, 0xf0, 0x3b, 0x11, 0x16, 0xd7, 0x0f, 0xdc, 0xed, 0x52, 0x3a, 0x87, 0x6f, 0xb6,
-	0xeb, 0xd4, 0x3f, 0x83, 0x83, 0xea, 0x82, 0xdf, 0x37, 0x4f, 0x6b, 0xae, 0xac, 0x4d, 0x61, 0x3a,
-	0xed, 0xc2, 0x7c, 0x5f, 0x81, 0xe7, 0xcb, 0x74, 0xff, 0x41, 0x6d, 0xce, 0xa0, 0x87, 0x3c, 0xc7,
-	0xa9, 0x48, 0x50, 0x17, 0x66, 0xe3, 0xf4, 0x19, 0xad, 0x7b, 0x88, 0xde, 0x3d, 0x70, 0x43, 0x25,
-	0x14, 0x7a, 0x32, 0x1b, 0x99, 0xdf, 0xed, 0x6a, 0x19, 0x99, 0xc9, 0x3e, 0x55, 0x3b, 0x6e, 0xc3,
-	0x39, 0xfd, 0xb1, 0x0a, 0x6b, 0x17, 0x65, 0xb7, 0x93, 0x61, 0xdd, 0x49, 0x97, 0x17, 0x75, 0x27,
-	0xed, 0x51, 0x33, 0x01, 0x68, 0x3d, 0x01, 0xe8, 0x55, 0x39, 0x01, 0xec, 0x3e, 0xfd, 0x6d, 0x58,
-	0xd0, 0xbb, 0x5d, 0xf8, 0x19, 0x9e, 0x1a, 0x68, 0x76, 0xd6, 0x7f, 0x61, 0xab, 0xe0, 0xc9, 0x82,
-	0x6e, 0x22, 0xc7, 0x8b, 0xa4, 0x4b, 0x1b, 0xdd, 0xa6, 0xf7, 0xa5, 0x57, 0x0f, 0xe1, 0x1b, 0xec,
-	0x2d, 0x7e, 0x2a, 0xe4, 0xf5, 0x72, 0xa7, 0xc5, 0xaf, 0xd1, 0x3e, 0xf9, 0x0b, 0x85, 0x49, 0x3f,
-	0xea, 0xea, 0x8b, 0x7a, 0xf3, 0x2b, 0x00, 0x00, 0xff, 0xff, 0x6c, 0x3a, 0xc8, 0x7a, 0xe2, 0x05,
-	0x00, 0x00,
+	// 672 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x54, 0x4f, 0x4f, 0xdb, 0x4e,
+	0x10, 0xfd, 0x85, 0x1f, 0x49, 0xc3, 0x82, 0x28, 0x6c, 0x11, 0x75, 0x4d, 0x69, 0xa3, 0xa8, 0x07,
+	0xa4, 0x8a, 0x75, 0xa1, 0xe2, 0x54, 0x24, 0x94, 0x52, 0x54, 0x50, 0x45, 0x2b, 0x19, 0x7a, 0xe9,
+	0xc5, 0x72, 0xec, 0xc1, 0x59, 0x11, 0xef, 0xba, 0xde, 0xb5, 0x55, 0x1f, 0x7a, 0xea, 0x07, 0xed,
+	0x27, 0xa9, 0x54, 0x79, 0xd7, 0x0e, 0x4e, 0xe2, 0x44, 0xa9, 0xc4, 0x81, 0x8b, 0xb5, 0x3b, 0x3b,
+	0xef, 0xcd, 0x78, 0xfe, 0x3c, 0x74, 0x1c, 0x50, 0x39, 0x48, 0xfa, 0xc4, 0xe3, 0xa1, 0x35, 0x4c,
+	0x3c, 0xaa, 0x3e, 0xfb, 0x01, 0xb7, 0x24, 0xbf, 0x05, 0x26, 0x20, 0x4e, 0x21, 0xb6, 0xdc, 0x88,
+	0x5a, 0xae, 0x1f, 0x52, 0x66, 0xa5, 0x07, 0xfa, 0x40, 0xa2, 0x98, 0x4b, 0x8e, 0x37, 0x2b, 0x5e,
+	0x44, 0x3d, 0x98, 0x3b, 0x01, 0xe7, 0xc1, 0x10, 0x2c, 0xe5, 0xd0, 0x4f, 0x6e, 0x2c, 0x08, 0x23,
+	0x99, 0x69, 0x7f, 0xf3, 0x7c, 0x56, 0xb4, 0x32, 0x50, 0x22, 0x07, 0x96, 0x0f, 0x43, 0x08, 0x5c,
+	0x49, 0x39, 0xb3, 0x42, 0x10, 0xc2, 0x0d, 0x40, 0x54, 0x6c, 0x05, 0xd3, 0xbb, 0x45, 0xf3, 0x0e,
+	0x5d, 0x6f, 0x40, 0x19, 0x38, 0xca, 0x5e, 0x80, 0x4f, 0x16, 0x05, 0xf3, 0x3c, 0x21, 0x0d, 0x75,
+	0x82, 0xd8, 0x65, 0x52, 0x13, 0x74, 0xf7, 0xd1, 0xe3, 0x8b, 0x30, 0xe2, 0xb1, 0x04, 0xff, 0x94,
+	0xb3, 0x1b, 0x1a, 0x08, 0x6c, 0xa2, 0x76, 0x0c, 0x29, 0x15, 0x94, 0x33, 0xa3, 0xd1, 0x69, 0xec,
+	0xad, 0xd8, 0xa3, 0x7b, 0x37, 0x42, 0xe6, 0x05, 0x13, 0x11, 0x78, 0xf2, 0x52, 0x67, 0x73, 0x9d,
+	0x33, 0xda, 0xf0, 0x3d, 0x01, 0x21, 0xf1, 0x31, 0x42, 0x3a, 0x82, 0xcc, 0x22, 0x50, 0xd8, 0xf5,
+	0xc3, 0x5d, 0x52, 0xad, 0x6c, 0x15, 0x75, 0x9d, 0x45, 0x60, 0xaf, 0xc8, 0xf2, 0x88, 0xb7, 0x50,
+	0x53, 0x5d, 0x8c, 0x25, 0x15, 0x54, 0x5f, 0xba, 0xbf, 0x97, 0xd0, 0x4e, 0x6d, 0x48, 0x11, 0x71,
+	0x26, 0x14, 0x2a, 0x75, 0x87, 0xd4, 0x57, 0xe1, 0xda, 0xb6, 0xbe, 0xe0, 0xd7, 0x68, 0x93, 0x32,
+	0x75, 0xa4, 0x32, 0x73, 0x62, 0x70, 0x05, 0x2f, 0x79, 0x37, 0xee, 0x1e, 0x6c, 0x65, 0xc7, 0xdb,
+	0xa8, 0x25, 0x68, 0xc0, 0xc0, 0x37, 0xfe, 0x57, 0x1c, 0xc5, 0x0d, 0xbf, 0x44, 0xab, 0x8c, 0x33,
+	0x07, 0x7e, 0x44, 0x34, 0x06, 0xdf, 0x58, 0x56, 0x8f, 0x88, 0x71, 0x76, 0xa6, 0x2d, 0xa5, 0x43,
+	0x0c, 0x29, 0xbf, 0x05, 0xdf, 0x68, 0x8e, 0x1c, 0x6c, 0x6d, 0xc1, 0xaf, 0xd0, 0x7a, 0xce, 0x45,
+	0x59, 0xe0, 0xdc, 0x42, 0xe6, 0x50, 0xdf, 0x68, 0xa9, 0x1c, 0xd6, 0x0a, 0xeb, 0x27, 0xc8, 0x2e,
+	0x7c, 0xdc, 0x41, 0x6b, 0x1e, 0xc4, 0xd2, 0xf1, 0x5c, 0x87, 0xb9, 0x21, 0x18, 0x8f, 0x94, 0x0f,
+	0xca, 0x6d, 0xa7, 0xee, 0x67, 0x37, 0x04, 0x7c, 0x89, 0x70, 0xde, 0x58, 0x67, 0x6c, 0x04, 0x8c,
+	0xad, 0x4e, 0x63, 0x6f, 0x75, 0x4e, 0x81, 0xdf, 0x73, 0x3f, 0x3b, 0xff, 0xcf, 0xde, 0xc8, 0xa1,
+	0x63, 0xf6, 0xb5, 0x6a, 0x9f, 0xba, 0x47, 0x68, 0xb7, 0x28, 0xf0, 0x87, 0xd1, 0x6c, 0x8e, 0xb5,
+	0x75, 0xd4, 0x98, 0x46, 0xb5, 0x31, 0xbf, 0x96, 0xd0, 0x8b, 0x59, 0xb8, 0x07, 0xd0, 0x9b, 0x23,
+	0xd4, 0x06, 0x96, 0xc2, 0x90, 0x47, 0xa0, 0x1a, 0xb3, 0x7a, 0xf8, 0x8c, 0x94, 0x4b, 0x48, 0x26,
+	0x13, 0x1e, 0xb9, 0x62, 0x82, 0xda, 0x22, 0xe9, 0xeb, 0xdf, 0x6d, 0x29, 0x18, 0xbe, 0x83, 0x5d,
+	0x15, 0x2f, 0xf6, 0xc8, 0xa7, 0x52, 0xbc, 0x2f, 0xbd, 0x44, 0x0e, 0x14, 0xdd, 0xc7, 0x7c, 0xbf,
+	0x16, 0x2e, 0xde, 0x14, 0xee, 0x01, 0x14, 0x6f, 0x7a, 0x6e, 0x9b, 0x35, 0x73, 0x7b, 0x52, 0x8e,
+	0x51, 0x9f, 0xfb, 0x59, 0x51, 0xad, 0xce, 0xd8, 0x34, 0x4e, 0xfc, 0x5b, 0x3e, 0x90, 0xc5, 0xc6,
+	0xe7, 0xc7, 0xc3, 0x3f, 0xcb, 0xa8, 0xd9, 0xcb, 0xb5, 0x16, 0x5f, 0x96, 0x32, 0x74, 0xda, 0x2b,
+	0x65, 0x68, 0x9b, 0x68, 0xfd, 0x25, 0xa5, 0xfe, 0x92, 0xb3, 0x5c, 0x7f, 0xcd, 0x2e, 0x99, 0x92,
+	0x6a, 0x32, 0x29, 0x61, 0x5f, 0xd1, 0x53, 0x6d, 0xba, 0x6b, 0xf4, 0x7d, 0xd0, 0x7e, 0x43, 0xcf,
+	0xb5, 0xe9, 0x0a, 0xe2, 0x94, 0x7a, 0xd0, 0xf3, 0x3c, 0x9e, 0x30, 0x29, 0xee, 0x83, 0x5b, 0xa2,
+	0x27, 0x35, 0x32, 0x87, 0xf7, 0xeb, 0xa0, 0x33, 0x15, 0xd8, 0x24, 0x8b, 0xba, 0x17, 0x43, 0xf6,
+	0x13, 0x6d, 0xd7, 0xef, 0x30, 0x7e, 0x33, 0x9b, 0xa9, 0x5e, 0x26, 0xcc, 0x83, 0x7f, 0x40, 0x4c,
+	0x85, 0x9f, 0x98, 0x94, 0x79, 0xe1, 0xeb, 0x17, 0x6d, 0x5e, 0xf8, 0x19, 0x2b, 0xd6, 0x6f, 0xa9,
+	0x3e, 0xbd, 0xfd, 0x1b, 0x00, 0x00, 0xff, 0xff, 0x36, 0x69, 0x05, 0x5b, 0x3b, 0x08, 0x00, 0x00,
 }