
Unified Diff: tokenserver/api/admin/v1/admin.proto

Issue 2993763002: tokenserver: Extract rules check into a separate function. (Closed)
Patch Set: more nits Created 3 years, 4 months ago
Index: tokenserver/api/admin/v1/admin.proto
diff --git a/tokenserver/api/admin/v1/admin.proto b/tokenserver/api/admin/v1/admin.proto
index 99992f4f2e81394077c46e067a1f582f2bca6870..1e437202dacd9711da0533a6f38bd66100333ad7 100644
--- a/tokenserver/api/admin/v1/admin.proto
+++ b/tokenserver/api/admin/v1/admin.proto
@@ -9,6 +9,7 @@ package tokenserver.admin;
import "google/protobuf/empty.proto";
import "github.com/luci/luci-go/server/auth/delegation/messages/delegation.proto";
+import "github.com/luci/luci-go/tokenserver/api/admin/v1/config.proto";
import "github.com/luci/luci-go/tokenserver/api/machine_token.proto";
import "github.com/luci/luci-go/tokenserver/api/oauth_token_grant.proto";
@@ -224,7 +225,8 @@ message InspectOAuthTokenGrantRequest {
message InspectOAuthTokenGrantResponse {
// True if the token is valid.
//
- // A token is valid if its signature is correct and it hasn't expired yet.
+ // A token is valid if its signature is correct, it hasn't expired yet and
+ // token server rules still allow it.
bool valid = 1;
// Human readable summary of why token is invalid.
@@ -261,4 +263,12 @@ message InspectOAuthTokenGrantResponse {
//
// May be empty if token was malformed and couldn't be deserialized.
tokenserver.OAuthTokenGrantBody token_body = 6;
+
+ // The service_accounts.cfg rule that governs the service account usage.
+ //
+ // May be present even if the token is not allowed by it.
+ admin.ServiceAccountRule matching_rule = 7;
+
+ // True if current service_accounts.cfg rules allow this token.
+ bool allowed_by_rules = 8;
}
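Review bot: `allowed_by_rules` is a plain proto3 `bool`, so a reader of the response cannot tell "rules were evaluated and deny this token" from "rules were never evaluated", for example in the malformed-token case that the `token_body` comment just above describes. The field comment should say what is reported in that case and how the field relates to `valid`, e.g. `// Always false if the token could not be deserialized; 'valid' is never true when this is false.`, assuming that matches the handler, which is not visible here. Since `matching_rule` "may be present even if the token is not allowed by it", its comment should also state that presence is informational only and that callers must base any decision on `allowed_by_rules` and `valid`, not on the rule being set. The enclosing message `InspectOAuthTokenGrantResponse` starts outside this hunk.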
