diff options
| author | Taras Madan <tarasmadan@google.com> | 2025-01-22 16:07:17 +0100 |
|---|---|---|
| committer | Taras Madan <tarasmadan@google.com> | 2025-01-23 10:42:36 +0000 |
| commit | 7b4377ad9d8a7205416df8d6217ef2b010f89481 (patch) | |
| tree | e6fec4fd12ff807a16d847923f501075bf71d16c /vendor/github.com/google/s2a-go | |
| parent | 475a4c203afb8b7d3af51c4fd32bb170ff32a45e (diff) | |
vendor: delete
Diffstat (limited to 'vendor/github.com/google/s2a-go')
38 files changed, 0 insertions, 10494 deletions
diff --git a/vendor/github.com/google/s2a-go/.gitignore b/vendor/github.com/google/s2a-go/.gitignore deleted file mode 100644 index 01764d1cd..000000000 --- a/vendor/github.com/google/s2a-go/.gitignore +++ /dev/null @@ -1,6 +0,0 @@ -# Ignore binaries without extension -//example/client/client -//example/server/server -//internal/v2/fakes2av2_server/fakes2av2_server - -.idea/
\ No newline at end of file diff --git a/vendor/github.com/google/s2a-go/CODE_OF_CONDUCT.md b/vendor/github.com/google/s2a-go/CODE_OF_CONDUCT.md deleted file mode 100644 index dc079b4d6..000000000 --- a/vendor/github.com/google/s2a-go/CODE_OF_CONDUCT.md +++ /dev/null @@ -1,93 +0,0 @@ -# Code of Conduct - -## Our Pledge - -In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to making participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, gender identity and expression, level of -experience, education, socio-economic status, nationality, personal appearance, -race, religion, or sexual identity and orientation. - -## Our Standards - -Examples of behavior that contributes to creating a positive environment -include: - -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members - -Examples of unacceptable behavior by participants include: - -* The use of sexualized language or imagery and unwelcome sexual attention or - advances -* Trolling, insulting/derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or electronic - address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting - -## Our Responsibilities - -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior. - -Project maintainers have the right and responsibility to remove, edit, or reject -comments, commits, code, wiki edits, issues, and other contributions that are -not aligned to this Code of Conduct, or to ban temporarily or permanently any -contributor for other behaviors that they deem inappropriate, threatening, -offensive, or harmful. - -## Scope - -This Code of Conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. Examples of -representing a project or community include using an official project e-mail -address, posting via an official social media account, or acting as an appointed -representative at an online or offline event. Representation of a project may be -further defined and clarified by project maintainers. - -This Code of Conduct also applies outside the project spaces when the Project -Steward has a reasonable belief that an individual's behavior may have a -negative impact on the project or its community. - -## Conflict Resolution - -We do not believe that all conflict is bad; healthy debate and disagreement -often yield positive results. However, it is never okay to be disrespectful or -to engage in behavior that violates the project’s code of conduct. - -If you see someone violating the code of conduct, you are encouraged to address -the behavior directly with those involved. Many issues can be resolved quickly -and easily, and this gives people more control over the outcome of their -dispute. If you are unable to resolve the matter for any reason, or if the -behavior is threatening or harassing, report it. We are dedicated to providing -an environment where participants feel welcome and safe. - -Reports should be directed to *[PROJECT STEWARD NAME(s) AND EMAIL(s)]*, the -Project Steward(s) for *[PROJECT NAME]*. It is the Project Steward’s duty to -receive and address reported violations of the code of conduct. They will then -work with a committee consisting of representatives from the Open Source -Programs Office and the Google Open Source Strategy team. If for any reason you -are uncomfortable reaching out to the Project Steward, please email -opensource@google.com. - -We will investigate every complaint, but you may not receive a direct response. -We will use our discretion in determining when and how to follow up on reported -incidents, which may range from not taking action to permanent expulsion from -the project and project-sponsored spaces. We will notify the accused of the -report and provide them an opportunity to discuss it before any action is taken. -The identity of the reporter will be omitted from the details of the report -supplied to the accused. In potentially harmful situations, such as ongoing -harassment or threats to anyone's safety, we may take action without notice. - -## Attribution - -This Code of Conduct is adapted from the Contributor Covenant, version 1.4, -available at -https://www.contributor-covenant.org/version/1/4/code-of-conduct.html diff --git a/vendor/github.com/google/s2a-go/CONTRIBUTING.md b/vendor/github.com/google/s2a-go/CONTRIBUTING.md deleted file mode 100644 index 22b241cb7..000000000 --- a/vendor/github.com/google/s2a-go/CONTRIBUTING.md +++ /dev/null @@ -1,29 +0,0 @@ -# How to Contribute - -We'd love to accept your patches and contributions to this project. There are -just a few small guidelines you need to follow. - -## Contributor License Agreement - -Contributions to this project must be accompanied by a Contributor License -Agreement (CLA). You (or your employer) retain the copyright to your -contribution; this simply gives us permission to use and redistribute your -contributions as part of the project. Head over to -<https://cla.developers.google.com/> to see your current agreements on file or -to sign a new one. - -You generally only need to submit a CLA once, so if you've already submitted one -(even if it was for a different project), you probably don't need to do it -again. - -## Code reviews - -All submissions, including submissions by project members, require review. We -use GitHub pull requests for this purpose. Consult -[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more -information on using pull requests. - -## Community Guidelines - -This project follows -[Google's Open Source Community Guidelines](https://opensource.google/conduct/). diff --git a/vendor/github.com/google/s2a-go/LICENSE.md b/vendor/github.com/google/s2a-go/LICENSE.md deleted file mode 100644 index d64569567..000000000 --- a/vendor/github.com/google/s2a-go/LICENSE.md +++ /dev/null @@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/vendor/github.com/google/s2a-go/README.md b/vendor/github.com/google/s2a-go/README.md deleted file mode 100644 index fe0f5c1da..000000000 --- a/vendor/github.com/google/s2a-go/README.md +++ /dev/null @@ -1,14 +0,0 @@ -# Secure Session Agent Client Libraries - -The Secure Session Agent is a service that enables a workload to offload select -operations from the mTLS handshake and protects a workload's private key -material from exfiltration. Specifically, the workload asks the Secure Session -Agent for the TLS configuration to use during the handshake, to perform private -key operations, and to validate the peer certificate chain. The Secure Session -Agent's client libraries enable applications to communicate with the Secure -Session Agent during the TLS handshake, and to encrypt traffic to the peer -after the TLS handshake is complete. - -This repository contains the source code for the Secure Session Agent's Go -client libraries, which allow gRPC and HTTP Go applications to use the Secure Session -Agent. diff --git a/vendor/github.com/google/s2a-go/fallback/s2a_fallback.go b/vendor/github.com/google/s2a-go/fallback/s2a_fallback.go deleted file mode 100644 index 034d1b912..000000000 --- a/vendor/github.com/google/s2a-go/fallback/s2a_fallback.go +++ /dev/null @@ -1,167 +0,0 @@ -/* - * - * Copyright 2023 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package fallback provides default implementations of fallback options when S2A fails. -package fallback - -import ( - "context" - "crypto/tls" - "fmt" - "net" - - "google.golang.org/grpc/credentials" - "google.golang.org/grpc/grpclog" -) - -const ( - alpnProtoStrH2 = "h2" - alpnProtoStrHTTP = "http/1.1" - defaultHTTPSPort = "443" -) - -// FallbackTLSConfigGRPC is a tls.Config used by the DefaultFallbackClientHandshakeFunc function. -// It supports GRPC use case, thus the alpn is set to 'h2'. -var FallbackTLSConfigGRPC = tls.Config{ - MinVersion: tls.VersionTLS13, - ClientSessionCache: nil, - NextProtos: []string{alpnProtoStrH2}, -} - -// FallbackTLSConfigHTTP is a tls.Config used by the DefaultFallbackDialerAndAddress func. -// It supports the HTTP use case and the alpn is set to both 'http/1.1' and 'h2'. -var FallbackTLSConfigHTTP = tls.Config{ - MinVersion: tls.VersionTLS13, - ClientSessionCache: nil, - NextProtos: []string{alpnProtoStrH2, alpnProtoStrHTTP}, -} - -// ClientHandshake establishes a TLS connection and returns it, plus its auth info. -// Inputs: -// -// targetServer: the server attempted with S2A. -// conn: the tcp connection to the server at address targetServer that was passed into S2A's ClientHandshake func. -// If fallback is successful, the `conn` should be closed. -// err: the error encountered when performing the client-side TLS handshake with S2A. -type ClientHandshake func(ctx context.Context, targetServer string, conn net.Conn, err error) (net.Conn, credentials.AuthInfo, error) - -// DefaultFallbackClientHandshakeFunc returns a ClientHandshake function, -// which establishes a TLS connection to the provided fallbackAddr, returns the new connection and its auth info. -// Example use: -// -// transportCreds, _ = s2a.NewClientCreds(&s2a.ClientOptions{ -// S2AAddress: s2aAddress, -// FallbackOpts: &s2a.FallbackOptions{ // optional -// FallbackClientHandshakeFunc: fallback.DefaultFallbackClientHandshakeFunc(fallbackAddr), -// }, -// }) -// -// The fallback server's certificate must be verifiable using OS root store. -// The fallbackAddr is expected to be a network address, e.g. example.com:port. If port is not specified, -// it uses default port 443. -// In the returned function's TLS config, ClientSessionCache is explicitly set to nil to disable TLS resumption, -// and min TLS version is set to 1.3. -func DefaultFallbackClientHandshakeFunc(fallbackAddr string) (ClientHandshake, error) { - var fallbackDialer = tls.Dialer{Config: &FallbackTLSConfigGRPC} - return defaultFallbackClientHandshakeFuncInternal(fallbackAddr, fallbackDialer.DialContext) -} - -func defaultFallbackClientHandshakeFuncInternal(fallbackAddr string, dialContextFunc func(context.Context, string, string) (net.Conn, error)) (ClientHandshake, error) { - fallbackServerAddr, err := processFallbackAddr(fallbackAddr) - if err != nil { - if grpclog.V(1) { - grpclog.Infof("error processing fallback address [%s]: %v", fallbackAddr, err) - } - return nil, err - } - return func(ctx context.Context, targetServer string, conn net.Conn, s2aErr error) (net.Conn, credentials.AuthInfo, error) { - fbConn, fbErr := dialContextFunc(ctx, "tcp", fallbackServerAddr) - if fbErr != nil { - grpclog.Infof("dialing to fallback server %s failed: %v", fallbackServerAddr, fbErr) - return nil, nil, fmt.Errorf("dialing to fallback server %s failed: %v; S2A client handshake with %s error: %w", fallbackServerAddr, fbErr, targetServer, s2aErr) - } - - tc, success := fbConn.(*tls.Conn) - if !success { - grpclog.Infof("the connection with fallback server is expected to be tls but isn't") - return nil, nil, fmt.Errorf("the connection with fallback server is expected to be tls but isn't; S2A client handshake with %s error: %w", targetServer, s2aErr) - } - - tlsInfo := credentials.TLSInfo{ - State: tc.ConnectionState(), - CommonAuthInfo: credentials.CommonAuthInfo{ - SecurityLevel: credentials.PrivacyAndIntegrity, - }, - } - if grpclog.V(1) { - grpclog.Infof("ConnectionState.NegotiatedProtocol: %v", tc.ConnectionState().NegotiatedProtocol) - grpclog.Infof("ConnectionState.HandshakeComplete: %v", tc.ConnectionState().HandshakeComplete) - grpclog.Infof("ConnectionState.ServerName: %v", tc.ConnectionState().ServerName) - } - conn.Close() - return fbConn, tlsInfo, nil - }, nil -} - -// DefaultFallbackDialerAndAddress returns a TLS dialer and the network address to dial. -// Example use: -// -// fallbackDialer, fallbackServerAddr := fallback.DefaultFallbackDialerAndAddress(fallbackAddr) -// dialTLSContext := s2a.NewS2aDialTLSContextFunc(&s2a.ClientOptions{ -// S2AAddress: s2aAddress, // required -// FallbackOpts: &s2a.FallbackOptions{ -// FallbackDialer: &s2a.FallbackDialer{ -// Dialer: fallbackDialer, -// ServerAddr: fallbackServerAddr, -// }, -// }, -// }) -// -// The fallback server's certificate should be verifiable using OS root store. -// The fallbackAddr is expected to be a network address, e.g. example.com:port. If port is not specified, -// it uses default port 443. -// In the returned function's TLS config, ClientSessionCache is explicitly set to nil to disable TLS resumption, -// and min TLS version is set to 1.3. -func DefaultFallbackDialerAndAddress(fallbackAddr string) (*tls.Dialer, string, error) { - fallbackServerAddr, err := processFallbackAddr(fallbackAddr) - if err != nil { - if grpclog.V(1) { - grpclog.Infof("error processing fallback address [%s]: %v", fallbackAddr, err) - } - return nil, "", err - } - return &tls.Dialer{Config: &FallbackTLSConfigHTTP}, fallbackServerAddr, nil -} - -func processFallbackAddr(fallbackAddr string) (string, error) { - var fallbackServerAddr string - var err error - - if fallbackAddr == "" { - return "", fmt.Errorf("empty fallback address") - } - _, _, err = net.SplitHostPort(fallbackAddr) - if err != nil { - // fallbackAddr does not have port suffix - fallbackServerAddr = net.JoinHostPort(fallbackAddr, defaultHTTPSPort) - } else { - // FallbackServerAddr already has port suffix - fallbackServerAddr = fallbackAddr - } - return fallbackServerAddr, nil -} diff --git a/vendor/github.com/google/s2a-go/internal/authinfo/authinfo.go b/vendor/github.com/google/s2a-go/internal/authinfo/authinfo.go deleted file mode 100644 index aa3967f9d..000000000 --- a/vendor/github.com/google/s2a-go/internal/authinfo/authinfo.go +++ /dev/null @@ -1,119 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package authinfo provides authentication and authorization information that -// results from the TLS handshake. -package authinfo - -import ( - "errors" - - commonpb "github.com/google/s2a-go/internal/proto/common_go_proto" - contextpb "github.com/google/s2a-go/internal/proto/s2a_context_go_proto" - grpcpb "github.com/google/s2a-go/internal/proto/s2a_go_proto" - "google.golang.org/grpc/credentials" -) - -var _ credentials.AuthInfo = (*S2AAuthInfo)(nil) - -const s2aAuthType = "s2a" - -// S2AAuthInfo exposes authentication and authorization information from the -// S2A session result to the gRPC stack. -type S2AAuthInfo struct { - s2aContext *contextpb.S2AContext - commonAuthInfo credentials.CommonAuthInfo -} - -// NewS2AAuthInfo returns a new S2AAuthInfo object from the S2A session result. -func NewS2AAuthInfo(result *grpcpb.SessionResult) (credentials.AuthInfo, error) { - return newS2AAuthInfo(result) -} - -func newS2AAuthInfo(result *grpcpb.SessionResult) (*S2AAuthInfo, error) { - if result == nil { - return nil, errors.New("NewS2aAuthInfo given nil session result") - } - return &S2AAuthInfo{ - s2aContext: &contextpb.S2AContext{ - ApplicationProtocol: result.GetApplicationProtocol(), - TlsVersion: result.GetState().GetTlsVersion(), - Ciphersuite: result.GetState().GetTlsCiphersuite(), - PeerIdentity: result.GetPeerIdentity(), - LocalIdentity: result.GetLocalIdentity(), - PeerCertFingerprint: result.GetPeerCertFingerprint(), - LocalCertFingerprint: result.GetLocalCertFingerprint(), - IsHandshakeResumed: result.GetState().GetIsHandshakeResumed(), - }, - commonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.PrivacyAndIntegrity}, - }, nil -} - -// AuthType returns the authentication type. -func (s *S2AAuthInfo) AuthType() string { - return s2aAuthType -} - -// ApplicationProtocol returns the application protocol, e.g. "grpc". -func (s *S2AAuthInfo) ApplicationProtocol() string { - return s.s2aContext.GetApplicationProtocol() -} - -// TLSVersion returns the TLS version negotiated during the handshake. -func (s *S2AAuthInfo) TLSVersion() commonpb.TLSVersion { - return s.s2aContext.GetTlsVersion() -} - -// Ciphersuite returns the ciphersuite negotiated during the handshake. -func (s *S2AAuthInfo) Ciphersuite() commonpb.Ciphersuite { - return s.s2aContext.GetCiphersuite() -} - -// PeerIdentity returns the authenticated identity of the peer. -func (s *S2AAuthInfo) PeerIdentity() *commonpb.Identity { - return s.s2aContext.GetPeerIdentity() -} - -// LocalIdentity returns the local identity of the application used during -// session setup. -func (s *S2AAuthInfo) LocalIdentity() *commonpb.Identity { - return s.s2aContext.GetLocalIdentity() -} - -// PeerCertFingerprint returns the SHA256 hash of the peer certificate used in -// the S2A handshake. -func (s *S2AAuthInfo) PeerCertFingerprint() []byte { - return s.s2aContext.GetPeerCertFingerprint() -} - -// LocalCertFingerprint returns the SHA256 hash of the local certificate used -// in the S2A handshake. -func (s *S2AAuthInfo) LocalCertFingerprint() []byte { - return s.s2aContext.GetLocalCertFingerprint() -} - -// IsHandshakeResumed returns true if a cached session was used to resume -// the handshake. -func (s *S2AAuthInfo) IsHandshakeResumed() bool { - return s.s2aContext.GetIsHandshakeResumed() -} - -// SecurityLevel returns the security level of the connection. -func (s *S2AAuthInfo) SecurityLevel() credentials.SecurityLevel { - return s.commonAuthInfo.SecurityLevel -} diff --git a/vendor/github.com/google/s2a-go/internal/handshaker/handshaker.go b/vendor/github.com/google/s2a-go/internal/handshaker/handshaker.go deleted file mode 100644 index 8297c9a97..000000000 --- a/vendor/github.com/google/s2a-go/internal/handshaker/handshaker.go +++ /dev/null @@ -1,438 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package handshaker communicates with the S2A handshaker service. -package handshaker - -import ( - "context" - "errors" - "fmt" - "io" - "net" - "sync" - - "github.com/google/s2a-go/internal/authinfo" - commonpb "github.com/google/s2a-go/internal/proto/common_go_proto" - s2apb "github.com/google/s2a-go/internal/proto/s2a_go_proto" - "github.com/google/s2a-go/internal/record" - "github.com/google/s2a-go/internal/tokenmanager" - grpc "google.golang.org/grpc" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/credentials" - "google.golang.org/grpc/grpclog" -) - -var ( - // appProtocol contains the application protocol accepted by the handshaker. - appProtocol = "grpc" - // frameLimit is the maximum size of a frame in bytes. - frameLimit = 1024 * 64 - // peerNotRespondingError is the error thrown when the peer doesn't respond. - errPeerNotResponding = errors.New("peer is not responding and re-connection should be attempted") -) - -// Handshaker defines a handshaker interface. -type Handshaker interface { - // ClientHandshake starts and completes a TLS handshake from the client side, - // and returns a secure connection along with additional auth information. - ClientHandshake(ctx context.Context) (net.Conn, credentials.AuthInfo, error) - // ServerHandshake starts and completes a TLS handshake from the server side, - // and returns a secure connection along with additional auth information. - ServerHandshake(ctx context.Context) (net.Conn, credentials.AuthInfo, error) - // Close terminates the Handshaker. It should be called when the handshake - // is complete. - Close() error -} - -// ClientHandshakerOptions contains the options needed to configure the S2A -// handshaker service on the client-side. -type ClientHandshakerOptions struct { - // MinTLSVersion specifies the min TLS version supported by the client. - MinTLSVersion commonpb.TLSVersion - // MaxTLSVersion specifies the max TLS version supported by the client. - MaxTLSVersion commonpb.TLSVersion - // TLSCiphersuites is the ordered list of ciphersuites supported by the - // client. - TLSCiphersuites []commonpb.Ciphersuite - // TargetIdentities contains a list of allowed server identities. One of the - // target identities should match the peer identity in the handshake - // result; otherwise, the handshake fails. - TargetIdentities []*commonpb.Identity - // LocalIdentity is the local identity of the client application. If none is - // provided, then the S2A will choose the default identity. - LocalIdentity *commonpb.Identity - // TargetName is the allowed server name, which may be used for server - // authorization check by the S2A if it is provided. - TargetName string - // EnsureProcessSessionTickets allows users to wait and ensure that all - // available session tickets are sent to S2A before a process completes. - EnsureProcessSessionTickets *sync.WaitGroup -} - -// ServerHandshakerOptions contains the options needed to configure the S2A -// handshaker service on the server-side. -type ServerHandshakerOptions struct { - // MinTLSVersion specifies the min TLS version supported by the server. - MinTLSVersion commonpb.TLSVersion - // MaxTLSVersion specifies the max TLS version supported by the server. - MaxTLSVersion commonpb.TLSVersion - // TLSCiphersuites is the ordered list of ciphersuites supported by the - // server. - TLSCiphersuites []commonpb.Ciphersuite - // LocalIdentities is the list of local identities that may be assumed by - // the server. If no local identity is specified, then the S2A chooses a - // default local identity. - LocalIdentities []*commonpb.Identity -} - -// s2aHandshaker performs a TLS handshake using the S2A handshaker service. -type s2aHandshaker struct { - // stream is used to communicate with the S2A handshaker service. - stream s2apb.S2AService_SetUpSessionClient - // conn is the connection to the peer. - conn net.Conn - // clientOpts should be non-nil iff the handshaker is client-side. - clientOpts *ClientHandshakerOptions - // serverOpts should be non-nil iff the handshaker is server-side. - serverOpts *ServerHandshakerOptions - // isClient determines if the handshaker is client or server side. - isClient bool - // hsAddr stores the address of the S2A handshaker service. - hsAddr string - // tokenManager manages access tokens for authenticating to S2A. - tokenManager tokenmanager.AccessTokenManager - // localIdentities is the set of local identities for whom the - // tokenManager should fetch a token when preparing a request to be - // sent to S2A. - localIdentities []*commonpb.Identity -} - -// NewClientHandshaker creates an s2aHandshaker instance that performs a -// client-side TLS handshake using the S2A handshaker service. -func NewClientHandshaker(ctx context.Context, conn *grpc.ClientConn, c net.Conn, hsAddr string, opts *ClientHandshakerOptions) (Handshaker, error) { - stream, err := s2apb.NewS2AServiceClient(conn).SetUpSession(ctx, grpc.WaitForReady(true)) - if err != nil { - return nil, err - } - tokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager() - if err != nil { - grpclog.Infof("failed to create single token access token manager: %v", err) - } - return newClientHandshaker(stream, c, hsAddr, opts, tokenManager), nil -} - -func newClientHandshaker(stream s2apb.S2AService_SetUpSessionClient, c net.Conn, hsAddr string, opts *ClientHandshakerOptions, tokenManager tokenmanager.AccessTokenManager) *s2aHandshaker { - var localIdentities []*commonpb.Identity - if opts != nil { - localIdentities = []*commonpb.Identity{opts.LocalIdentity} - } - return &s2aHandshaker{ - stream: stream, - conn: c, - clientOpts: opts, - isClient: true, - hsAddr: hsAddr, - tokenManager: tokenManager, - localIdentities: localIdentities, - } -} - -// NewServerHandshaker creates an s2aHandshaker instance that performs a -// server-side TLS handshake using the S2A handshaker service. -func NewServerHandshaker(ctx context.Context, conn *grpc.ClientConn, c net.Conn, hsAddr string, opts *ServerHandshakerOptions) (Handshaker, error) { - stream, err := s2apb.NewS2AServiceClient(conn).SetUpSession(ctx, grpc.WaitForReady(true)) - if err != nil { - return nil, err - } - tokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager() - if err != nil { - grpclog.Infof("failed to create single token access token manager: %v", err) - } - return newServerHandshaker(stream, c, hsAddr, opts, tokenManager), nil -} - -func newServerHandshaker(stream s2apb.S2AService_SetUpSessionClient, c net.Conn, hsAddr string, opts *ServerHandshakerOptions, tokenManager tokenmanager.AccessTokenManager) *s2aHandshaker { - var localIdentities []*commonpb.Identity - if opts != nil { - localIdentities = opts.LocalIdentities - } - return &s2aHandshaker{ - stream: stream, - conn: c, - serverOpts: opts, - isClient: false, - hsAddr: hsAddr, - tokenManager: tokenManager, - localIdentities: localIdentities, - } -} - -// ClientHandshake performs a client-side TLS handshake using the S2A handshaker -// service. When complete, returns a TLS connection. -func (h *s2aHandshaker) ClientHandshake(_ context.Context) (net.Conn, credentials.AuthInfo, error) { - if !h.isClient { - return nil, nil, errors.New("only handshakers created using NewClientHandshaker can perform a client-side handshake") - } - // Extract the hostname from the target name. The target name is assumed to be an authority. - hostname, _, err := net.SplitHostPort(h.clientOpts.TargetName) - if err != nil { - // If the target name had no host port or could not be parsed, use it as is. - hostname = h.clientOpts.TargetName - } - - // Prepare a client start message to send to the S2A handshaker service. - req := &s2apb.SessionReq{ - ReqOneof: &s2apb.SessionReq_ClientStart{ - ClientStart: &s2apb.ClientSessionStartReq{ - ApplicationProtocols: []string{appProtocol}, - MinTlsVersion: h.clientOpts.MinTLSVersion, - MaxTlsVersion: h.clientOpts.MaxTLSVersion, - TlsCiphersuites: h.clientOpts.TLSCiphersuites, - TargetIdentities: h.clientOpts.TargetIdentities, - LocalIdentity: h.clientOpts.LocalIdentity, - TargetName: hostname, - }, - }, - AuthMechanisms: h.getAuthMechanisms(), - } - conn, result, err := h.setUpSession(req) - if err != nil { - return nil, nil, err - } - authInfo, err := authinfo.NewS2AAuthInfo(result) - if err != nil { - return nil, nil, err - } - return conn, authInfo, nil -} - -// ServerHandshake performs a server-side TLS handshake using the S2A handshaker -// service. When complete, returns a TLS connection. -func (h *s2aHandshaker) ServerHandshake(_ context.Context) (net.Conn, credentials.AuthInfo, error) { - if h.isClient { - return nil, nil, errors.New("only handshakers created using NewServerHandshaker can perform a server-side handshake") - } - p := make([]byte, frameLimit) - n, err := h.conn.Read(p) - if err != nil { - return nil, nil, err - } - // Prepare a server start message to send to the S2A handshaker service. - req := &s2apb.SessionReq{ - ReqOneof: &s2apb.SessionReq_ServerStart{ - ServerStart: &s2apb.ServerSessionStartReq{ - ApplicationProtocols: []string{appProtocol}, - MinTlsVersion: h.serverOpts.MinTLSVersion, - MaxTlsVersion: h.serverOpts.MaxTLSVersion, - TlsCiphersuites: h.serverOpts.TLSCiphersuites, - LocalIdentities: h.serverOpts.LocalIdentities, - InBytes: p[:n], - }, - }, - AuthMechanisms: h.getAuthMechanisms(), - } - conn, result, err := h.setUpSession(req) - if err != nil { - return nil, nil, err - } - authInfo, err := authinfo.NewS2AAuthInfo(result) - if err != nil { - return nil, nil, err - } - return conn, authInfo, nil -} - -// setUpSession proxies messages between the peer and the S2A handshaker -// service. -func (h *s2aHandshaker) setUpSession(req *s2apb.SessionReq) (net.Conn, *s2apb.SessionResult, error) { - resp, err := h.accessHandshakerService(req) - if err != nil { - return nil, nil, err - } - // Check if the returned status is an error. - if resp.GetStatus() != nil { - if got, want := resp.GetStatus().Code, uint32(codes.OK); got != want { - return nil, nil, fmt.Errorf("%v", resp.GetStatus().Details) - } - } - // Calculate the extra unread bytes from the Session. Attempting to consume - // more than the bytes sent will throw an error. - var extra []byte - if req.GetServerStart() != nil { - if resp.GetBytesConsumed() > uint32(len(req.GetServerStart().GetInBytes())) { - return nil, nil, errors.New("handshaker service consumed bytes value is out-of-bounds") - } - extra = req.GetServerStart().GetInBytes()[resp.GetBytesConsumed():] - } - result, extra, err := h.processUntilDone(resp, extra) - if err != nil { - return nil, nil, err - } - if result.GetLocalIdentity() == nil { - return nil, nil, errors.New("local identity must be populated in session result") - } - - // Create a new TLS record protocol using the Session Result. - newConn, err := record.NewConn(&record.ConnParameters{ - NetConn: h.conn, - Ciphersuite: result.GetState().GetTlsCiphersuite(), - TLSVersion: result.GetState().GetTlsVersion(), - InTrafficSecret: result.GetState().GetInKey(), - OutTrafficSecret: result.GetState().GetOutKey(), - UnusedBuf: extra, - InSequence: result.GetState().GetInSequence(), - OutSequence: result.GetState().GetOutSequence(), - HSAddr: h.hsAddr, - ConnectionID: result.GetState().GetConnectionId(), - LocalIdentity: result.GetLocalIdentity(), - EnsureProcessSessionTickets: h.ensureProcessSessionTickets(), - }) - if err != nil { - return nil, nil, err - } - return newConn, result, nil -} - -func (h *s2aHandshaker) ensureProcessSessionTickets() *sync.WaitGroup { - if h.clientOpts == nil { - return nil - } - return h.clientOpts.EnsureProcessSessionTickets -} - -// accessHandshakerService sends the session request to the S2A handshaker -// service and returns the session response. -func (h *s2aHandshaker) accessHandshakerService(req *s2apb.SessionReq) (*s2apb.SessionResp, error) { - if err := h.stream.Send(req); err != nil { - return nil, err - } - resp, err := h.stream.Recv() - if err != nil { - return nil, err - } - return resp, nil -} - -// processUntilDone continues proxying messages between the peer and the S2A -// handshaker service until the handshaker service returns the SessionResult at -// the end of the handshake or an error occurs. -func (h *s2aHandshaker) processUntilDone(resp *s2apb.SessionResp, unusedBytes []byte) (*s2apb.SessionResult, []byte, error) { - for { - if len(resp.OutFrames) > 0 { - if _, err := h.conn.Write(resp.OutFrames); err != nil { - return nil, nil, err - } - } - if resp.Result != nil { - return resp.Result, unusedBytes, nil - } - buf := make([]byte, frameLimit) - n, err := h.conn.Read(buf) - if err != nil && err != io.EOF { - return nil, nil, err - } - // If there is nothing to send to the handshaker service and nothing is - // received from the peer, then we are stuck. This covers the case when - // the peer is not responding. Note that handshaker service connection - // issues are caught in accessHandshakerService before we even get - // here. - if len(resp.OutFrames) == 0 && n == 0 { - return nil, nil, errPeerNotResponding - } - // Append extra bytes from the previous interaction with the handshaker - // service with the current buffer read from conn. - p := append(unusedBytes, buf[:n]...) - // From here on, p and unusedBytes point to the same slice. - resp, err = h.accessHandshakerService(&s2apb.SessionReq{ - ReqOneof: &s2apb.SessionReq_Next{ - Next: &s2apb.SessionNextReq{ - InBytes: p, - }, - }, - AuthMechanisms: h.getAuthMechanisms(), - }) - if err != nil { - return nil, nil, err - } - - // Cache the local identity returned by S2A, if it is populated. This - // overwrites any existing local identities. This is done because, once the - // S2A has selected a local identity, then only that local identity should - // be asserted in future requests until the end of the current handshake. - if resp.GetLocalIdentity() != nil { - h.localIdentities = []*commonpb.Identity{resp.GetLocalIdentity()} - } - - // Set unusedBytes based on the handshaker service response. - if resp.GetBytesConsumed() > uint32(len(p)) { - return nil, nil, errors.New("handshaker service consumed bytes value is out-of-bounds") - } - unusedBytes = p[resp.GetBytesConsumed():] - } -} - -// Close shuts down the handshaker and the stream to the S2A handshaker service -// when the handshake is complete. It should be called when the caller obtains -// the secure connection at the end of the handshake. -func (h *s2aHandshaker) Close() error { - return h.stream.CloseSend() -} - -func (h *s2aHandshaker) getAuthMechanisms() []*s2apb.AuthenticationMechanism { - if h.tokenManager == nil { - return nil - } - // First handle the special case when no local identities have been provided - // by the application. In this case, an AuthenticationMechanism with no local - // identity will be sent. - if len(h.localIdentities) == 0 { - token, err := h.tokenManager.DefaultToken() - if err != nil { - grpclog.Infof("unable to get token for empty local identity: %v", err) - return nil - } - return []*s2apb.AuthenticationMechanism{ - { - MechanismOneof: &s2apb.AuthenticationMechanism_Token{ - Token: token, - }, - }, - } - } - - // Next, handle the case where the application (or the S2A) has provided - // one or more local identities. - var authMechanisms []*s2apb.AuthenticationMechanism - for _, localIdentity := range h.localIdentities { - token, err := h.tokenManager.Token(localIdentity) - if err != nil { - grpclog.Infof("unable to get token for local identity %v: %v", localIdentity, err) - continue - } - - authMechanism := &s2apb.AuthenticationMechanism{ - Identity: localIdentity, - MechanismOneof: &s2apb.AuthenticationMechanism_Token{ - Token: token, - }, - } - authMechanisms = append(authMechanisms, authMechanism) - } - return authMechanisms -} diff --git a/vendor/github.com/google/s2a-go/internal/handshaker/service/service.go b/vendor/github.com/google/s2a-go/internal/handshaker/service/service.go deleted file mode 100644 index ed4496537..000000000 --- a/vendor/github.com/google/s2a-go/internal/handshaker/service/service.go +++ /dev/null @@ -1,66 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package service is a utility for calling the S2A handshaker service. -package service - -import ( - "context" - "sync" - - grpc "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - "google.golang.org/grpc/credentials/insecure" -) - -var ( - // mu guards hsConnMap and hsDialer. - mu sync.Mutex - // hsConnMap represents a mapping from an S2A handshaker service address - // to a corresponding connection to an S2A handshaker service instance. - hsConnMap = make(map[string]*grpc.ClientConn) - // hsDialer will be reassigned in tests. - hsDialer = grpc.DialContext -) - -// Dial dials the S2A handshaker service. If a connection has already been -// established, this function returns it. Otherwise, a new connection is -// created. -func Dial(ctx context.Context, handshakerServiceAddress string, transportCreds credentials.TransportCredentials) (*grpc.ClientConn, error) { - mu.Lock() - defer mu.Unlock() - - hsConn, ok := hsConnMap[handshakerServiceAddress] - if !ok { - // Create a new connection to the S2A handshaker service. Note that - // this connection stays open until the application is closed. - var grpcOpts []grpc.DialOption - if transportCreds != nil { - grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(transportCreds)) - } else { - grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(insecure.NewCredentials())) - } - var err error - hsConn, err = hsDialer(ctx, handshakerServiceAddress, grpcOpts...) - if err != nil { - return nil, err - } - hsConnMap[handshakerServiceAddress] = hsConn - } - return hsConn, nil -} diff --git a/vendor/github.com/google/s2a-go/internal/proto/common_go_proto/common.pb.go b/vendor/github.com/google/s2a-go/internal/proto/common_go_proto/common.pb.go deleted file mode 100644 index fcd049de9..000000000 --- a/vendor/github.com/google/s2a-go/internal/proto/common_go_proto/common.pb.go +++ /dev/null @@ -1,388 +0,0 @@ -// Copyright 2021 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.34.2 -// protoc v3.21.12 -// source: internal/proto/common/common.proto - -package common_go_proto - -import ( - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -// The ciphersuites supported by S2A. The name determines the confidentiality, -// and authentication ciphers as well as the hash algorithm used for PRF in -// TLS 1.2 or HKDF in TLS 1.3. Thus, the components of the name are: -// - AEAD -- for encryption and authentication, e.g., AES_128_GCM. -// - Hash algorithm -- used in PRF or HKDF, e.g., SHA256. -type Ciphersuite int32 - -const ( - Ciphersuite_AES_128_GCM_SHA256 Ciphersuite = 0 - Ciphersuite_AES_256_GCM_SHA384 Ciphersuite = 1 - Ciphersuite_CHACHA20_POLY1305_SHA256 Ciphersuite = 2 -) - -// Enum value maps for Ciphersuite. -var ( - Ciphersuite_name = map[int32]string{ - 0: "AES_128_GCM_SHA256", - 1: "AES_256_GCM_SHA384", - 2: "CHACHA20_POLY1305_SHA256", - } - Ciphersuite_value = map[string]int32{ - "AES_128_GCM_SHA256": 0, - "AES_256_GCM_SHA384": 1, - "CHACHA20_POLY1305_SHA256": 2, - } -) - -func (x Ciphersuite) Enum() *Ciphersuite { - p := new(Ciphersuite) - *p = x - return p -} - -func (x Ciphersuite) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (Ciphersuite) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_common_common_proto_enumTypes[0].Descriptor() -} - -func (Ciphersuite) Type() protoreflect.EnumType { - return &file_internal_proto_common_common_proto_enumTypes[0] -} - -func (x Ciphersuite) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use Ciphersuite.Descriptor instead. -func (Ciphersuite) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_common_common_proto_rawDescGZIP(), []int{0} -} - -// The TLS versions supported by S2A's handshaker module. -type TLSVersion int32 - -const ( - TLSVersion_TLS1_2 TLSVersion = 0 - TLSVersion_TLS1_3 TLSVersion = 1 -) - -// Enum value maps for TLSVersion. -var ( - TLSVersion_name = map[int32]string{ - 0: "TLS1_2", - 1: "TLS1_3", - } - TLSVersion_value = map[string]int32{ - "TLS1_2": 0, - "TLS1_3": 1, - } -) - -func (x TLSVersion) Enum() *TLSVersion { - p := new(TLSVersion) - *p = x - return p -} - -func (x TLSVersion) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (TLSVersion) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_common_common_proto_enumTypes[1].Descriptor() -} - -func (TLSVersion) Type() protoreflect.EnumType { - return &file_internal_proto_common_common_proto_enumTypes[1] -} - -func (x TLSVersion) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use TLSVersion.Descriptor instead. -func (TLSVersion) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_common_common_proto_rawDescGZIP(), []int{1} -} - -type Identity struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Types that are assignable to IdentityOneof: - // - // *Identity_SpiffeId - // *Identity_Hostname - // *Identity_Uid - // *Identity_Username - // *Identity_GcpId - IdentityOneof isIdentity_IdentityOneof `protobuf_oneof:"identity_oneof"` - // Additional identity-specific attributes. - Attributes map[string]string `protobuf:"bytes,3,rep,name=attributes,proto3" json:"attributes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` -} - -func (x *Identity) Reset() { - *x = Identity{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_common_common_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *Identity) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Identity) ProtoMessage() {} - -func (x *Identity) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_common_common_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Identity.ProtoReflect.Descriptor instead. -func (*Identity) Descriptor() ([]byte, []int) { - return file_internal_proto_common_common_proto_rawDescGZIP(), []int{0} -} - -func (m *Identity) GetIdentityOneof() isIdentity_IdentityOneof { - if m != nil { - return m.IdentityOneof - } - return nil -} - -func (x *Identity) GetSpiffeId() string { - if x, ok := x.GetIdentityOneof().(*Identity_SpiffeId); ok { - return x.SpiffeId - } - return "" -} - -func (x *Identity) GetHostname() string { - if x, ok := x.GetIdentityOneof().(*Identity_Hostname); ok { - return x.Hostname - } - return "" -} - -func (x *Identity) GetUid() string { - if x, ok := x.GetIdentityOneof().(*Identity_Uid); ok { - return x.Uid - } - return "" -} - -func (x *Identity) GetUsername() string { - if x, ok := x.GetIdentityOneof().(*Identity_Username); ok { - return x.Username - } - return "" -} - -func (x *Identity) GetGcpId() string { - if x, ok := x.GetIdentityOneof().(*Identity_GcpId); ok { - return x.GcpId - } - return "" -} - -func (x *Identity) GetAttributes() map[string]string { - if x != nil { - return x.Attributes - } - return nil -} - -type isIdentity_IdentityOneof interface { - isIdentity_IdentityOneof() -} - -type Identity_SpiffeId struct { - // The SPIFFE ID of a connection endpoint. - SpiffeId string `protobuf:"bytes,1,opt,name=spiffe_id,json=spiffeId,proto3,oneof"` -} - -type Identity_Hostname struct { - // The hostname of a connection endpoint. - Hostname string `protobuf:"bytes,2,opt,name=hostname,proto3,oneof"` -} - -type Identity_Uid struct { - // The UID of a connection endpoint. - Uid string `protobuf:"bytes,4,opt,name=uid,proto3,oneof"` -} - -type Identity_Username struct { - // The username of a connection endpoint. - Username string `protobuf:"bytes,5,opt,name=username,proto3,oneof"` -} - -type Identity_GcpId struct { - // The GCP ID of a connection endpoint. - GcpId string `protobuf:"bytes,6,opt,name=gcp_id,json=gcpId,proto3,oneof"` -} - -func (*Identity_SpiffeId) isIdentity_IdentityOneof() {} - -func (*Identity_Hostname) isIdentity_IdentityOneof() {} - -func (*Identity_Uid) isIdentity_IdentityOneof() {} - -func (*Identity_Username) isIdentity_IdentityOneof() {} - -func (*Identity_GcpId) isIdentity_IdentityOneof() {} - -var File_internal_proto_common_common_proto protoreflect.FileDescriptor - -var file_internal_proto_common_common_proto_rawDesc = []byte{ - 0x0a, 0x22, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x09, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, - 0xa8, 0x02, 0x0a, 0x08, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x1d, 0x0a, 0x09, - 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, - 0x00, 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, 0x64, 0x12, 0x1c, 0x0a, 0x08, 0x68, - 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, - 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x03, 0x75, 0x69, 0x64, - 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x03, 0x75, 0x69, 0x64, 0x12, 0x1c, 0x0a, - 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x48, - 0x00, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x17, 0x0a, 0x06, 0x67, - 0x63, 0x70, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x67, - 0x63, 0x70, 0x49, 0x64, 0x12, 0x43, 0x0a, 0x0a, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, - 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x41, 0x74, - 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x61, - 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x1a, 0x3d, 0x0a, 0x0f, 0x41, 0x74, 0x74, - 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, - 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, - 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x69, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x79, 0x5f, 0x6f, 0x6e, 0x65, 0x6f, 0x66, 0x2a, 0x5b, 0x0a, 0x0b, 0x43, 0x69, - 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x45, 0x53, - 0x5f, 0x31, 0x32, 0x38, 0x5f, 0x47, 0x43, 0x4d, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, - 0x00, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x45, 0x53, 0x5f, 0x32, 0x35, 0x36, 0x5f, 0x47, 0x43, 0x4d, - 0x5f, 0x53, 0x48, 0x41, 0x33, 0x38, 0x34, 0x10, 0x01, 0x12, 0x1c, 0x0a, 0x18, 0x43, 0x48, 0x41, - 0x43, 0x48, 0x41, 0x32, 0x30, 0x5f, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30, 0x35, 0x5f, 0x53, - 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x02, 0x2a, 0x24, 0x0a, 0x0a, 0x54, 0x4c, 0x53, 0x56, 0x65, - 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0a, 0x0a, 0x06, 0x54, 0x4c, 0x53, 0x31, 0x5f, 0x32, 0x10, - 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x54, 0x4c, 0x53, 0x31, 0x5f, 0x33, 0x10, 0x01, 0x42, 0x36, 0x5a, - 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2f, 0x73, 0x32, 0x61, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x5f, 0x67, 0x6f, 0x5f, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_internal_proto_common_common_proto_rawDescOnce sync.Once - file_internal_proto_common_common_proto_rawDescData = file_internal_proto_common_common_proto_rawDesc -) - -func file_internal_proto_common_common_proto_rawDescGZIP() []byte { - file_internal_proto_common_common_proto_rawDescOnce.Do(func() { - file_internal_proto_common_common_proto_rawDescData = protoimpl.X.CompressGZIP(file_internal_proto_common_common_proto_rawDescData) - }) - return file_internal_proto_common_common_proto_rawDescData -} - -var file_internal_proto_common_common_proto_enumTypes = make([]protoimpl.EnumInfo, 2) -var file_internal_proto_common_common_proto_msgTypes = make([]protoimpl.MessageInfo, 2) -var file_internal_proto_common_common_proto_goTypes = []any{ - (Ciphersuite)(0), // 0: s2a.proto.Ciphersuite - (TLSVersion)(0), // 1: s2a.proto.TLSVersion - (*Identity)(nil), // 2: s2a.proto.Identity - nil, // 3: s2a.proto.Identity.AttributesEntry -} -var file_internal_proto_common_common_proto_depIdxs = []int32{ - 3, // 0: s2a.proto.Identity.attributes:type_name -> s2a.proto.Identity.AttributesEntry - 1, // [1:1] is the sub-list for method output_type - 1, // [1:1] is the sub-list for method input_type - 1, // [1:1] is the sub-list for extension type_name - 1, // [1:1] is the sub-list for extension extendee - 0, // [0:1] is the sub-list for field type_name -} - -func init() { file_internal_proto_common_common_proto_init() } -func file_internal_proto_common_common_proto_init() { - if File_internal_proto_common_common_proto != nil { - return - } - if !protoimpl.UnsafeEnabled { - file_internal_proto_common_common_proto_msgTypes[0].Exporter = func(v any, i int) any { - switch v := v.(*Identity); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - file_internal_proto_common_common_proto_msgTypes[0].OneofWrappers = []any{ - (*Identity_SpiffeId)(nil), - (*Identity_Hostname)(nil), - (*Identity_Uid)(nil), - (*Identity_Username)(nil), - (*Identity_GcpId)(nil), - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_internal_proto_common_common_proto_rawDesc, - NumEnums: 2, - NumMessages: 2, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_internal_proto_common_common_proto_goTypes, - DependencyIndexes: file_internal_proto_common_common_proto_depIdxs, - EnumInfos: file_internal_proto_common_common_proto_enumTypes, - MessageInfos: file_internal_proto_common_common_proto_msgTypes, - }.Build() - File_internal_proto_common_common_proto = out.File - file_internal_proto_common_common_proto_rawDesc = nil - file_internal_proto_common_common_proto_goTypes = nil - file_internal_proto_common_common_proto_depIdxs = nil -} diff --git a/vendor/github.com/google/s2a-go/internal/proto/s2a_context_go_proto/s2a_context.pb.go b/vendor/github.com/google/s2a-go/internal/proto/s2a_context_go_proto/s2a_context.pb.go deleted file mode 100644 index 2af3ee3dc..000000000 --- a/vendor/github.com/google/s2a-go/internal/proto/s2a_context_go_proto/s2a_context.pb.go +++ /dev/null @@ -1,267 +0,0 @@ -// Copyright 2021 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.34.2 -// protoc v3.21.12 -// source: internal/proto/s2a_context/s2a_context.proto - -package s2a_context_go_proto - -import ( - common_go_proto "github.com/google/s2a-go/internal/proto/common_go_proto" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -type S2AContext struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The application protocol negotiated for this connection, e.g., 'grpc'. - ApplicationProtocol string `protobuf:"bytes,1,opt,name=application_protocol,json=applicationProtocol,proto3" json:"application_protocol,omitempty"` - // The TLS version number that the S2A's handshaker module used to set up the - // session. - TlsVersion common_go_proto.TLSVersion `protobuf:"varint,2,opt,name=tls_version,json=tlsVersion,proto3,enum=s2a.proto.TLSVersion" json:"tls_version,omitempty"` - // The TLS ciphersuite negotiated by the S2A's handshaker module. - Ciphersuite common_go_proto.Ciphersuite `protobuf:"varint,3,opt,name=ciphersuite,proto3,enum=s2a.proto.Ciphersuite" json:"ciphersuite,omitempty"` - // The authenticated identity of the peer. - PeerIdentity *common_go_proto.Identity `protobuf:"bytes,4,opt,name=peer_identity,json=peerIdentity,proto3" json:"peer_identity,omitempty"` - // The local identity used during session setup. This could be: - // - The local identity that the client specifies in ClientSessionStartReq. - // - One of the local identities that the server specifies in - // ServerSessionStartReq. - // - If neither client or server specifies local identities, the S2A picks the - // default one. In this case, this field will contain that identity. - LocalIdentity *common_go_proto.Identity `protobuf:"bytes,5,opt,name=local_identity,json=localIdentity,proto3" json:"local_identity,omitempty"` - // The SHA256 hash of the peer certificate used in the handshake. - PeerCertFingerprint []byte `protobuf:"bytes,6,opt,name=peer_cert_fingerprint,json=peerCertFingerprint,proto3" json:"peer_cert_fingerprint,omitempty"` - // The SHA256 hash of the local certificate used in the handshake. - LocalCertFingerprint []byte `protobuf:"bytes,7,opt,name=local_cert_fingerprint,json=localCertFingerprint,proto3" json:"local_cert_fingerprint,omitempty"` - // Set to true if a cached session was reused to resume the handshake. - IsHandshakeResumed bool `protobuf:"varint,8,opt,name=is_handshake_resumed,json=isHandshakeResumed,proto3" json:"is_handshake_resumed,omitempty"` -} - -func (x *S2AContext) Reset() { - *x = S2AContext{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_context_s2a_context_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *S2AContext) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*S2AContext) ProtoMessage() {} - -func (x *S2AContext) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_context_s2a_context_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use S2AContext.ProtoReflect.Descriptor instead. -func (*S2AContext) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_context_s2a_context_proto_rawDescGZIP(), []int{0} -} - -func (x *S2AContext) GetApplicationProtocol() string { - if x != nil { - return x.ApplicationProtocol - } - return "" -} - -func (x *S2AContext) GetTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.TlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *S2AContext) GetCiphersuite() common_go_proto.Ciphersuite { - if x != nil { - return x.Ciphersuite - } - return common_go_proto.Ciphersuite(0) -} - -func (x *S2AContext) GetPeerIdentity() *common_go_proto.Identity { - if x != nil { - return x.PeerIdentity - } - return nil -} - -func (x *S2AContext) GetLocalIdentity() *common_go_proto.Identity { - if x != nil { - return x.LocalIdentity - } - return nil -} - -func (x *S2AContext) GetPeerCertFingerprint() []byte { - if x != nil { - return x.PeerCertFingerprint - } - return nil -} - -func (x *S2AContext) GetLocalCertFingerprint() []byte { - if x != nil { - return x.LocalCertFingerprint - } - return nil -} - -func (x *S2AContext) GetIsHandshakeResumed() bool { - if x != nil { - return x.IsHandshakeResumed - } - return false -} - -var File_internal_proto_s2a_context_s2a_context_proto protoreflect.FileDescriptor - -var file_internal_proto_s2a_context_s2a_context_proto_rawDesc = []byte{ - 0x0a, 0x2c, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2f, 0x73, 0x32, 0x61, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x73, 0x32, 0x61, - 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x09, - 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x22, 0x69, 0x6e, 0x74, 0x65, 0x72, - 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc3, 0x03, - 0x0a, 0x0a, 0x53, 0x32, 0x41, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x31, 0x0a, 0x14, - 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x61, 0x70, 0x70, 0x6c, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, - 0x36, 0x0a, 0x0b, 0x74, 0x6c, 0x73, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2e, 0x54, 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x74, 0x6c, 0x73, - 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x38, 0x0a, 0x0b, 0x63, 0x69, 0x70, 0x68, 0x65, - 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x73, - 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, - 0x75, 0x69, 0x74, 0x65, 0x52, 0x0b, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, 0x74, - 0x65, 0x12, 0x38, 0x0a, 0x0d, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0c, 0x70, - 0x65, 0x65, 0x72, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x3a, 0x0a, 0x0e, 0x6c, - 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x05, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, - 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x32, 0x0a, 0x15, 0x70, 0x65, 0x65, 0x72, 0x5f, - 0x63, 0x65, 0x72, 0x74, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, - 0x18, 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x13, 0x70, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, - 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12, 0x34, 0x0a, 0x16, 0x6c, - 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, - 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x14, 0x6c, 0x6f, 0x63, - 0x61, 0x6c, 0x43, 0x65, 0x72, 0x74, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, - 0x74, 0x12, 0x30, 0x0a, 0x14, 0x69, 0x73, 0x5f, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, - 0x65, 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6d, 0x65, 0x64, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, - 0x12, 0x69, 0x73, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x52, 0x65, 0x73, 0x75, - 0x6d, 0x65, 0x64, 0x42, 0x3b, 0x5a, 0x39, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x73, 0x32, 0x61, 0x2f, 0x69, 0x6e, 0x74, - 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x32, 0x61, 0x5f, - 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x5f, 0x67, 0x6f, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_internal_proto_s2a_context_s2a_context_proto_rawDescOnce sync.Once - file_internal_proto_s2a_context_s2a_context_proto_rawDescData = file_internal_proto_s2a_context_s2a_context_proto_rawDesc -) - -func file_internal_proto_s2a_context_s2a_context_proto_rawDescGZIP() []byte { - file_internal_proto_s2a_context_s2a_context_proto_rawDescOnce.Do(func() { - file_internal_proto_s2a_context_s2a_context_proto_rawDescData = protoimpl.X.CompressGZIP(file_internal_proto_s2a_context_s2a_context_proto_rawDescData) - }) - return file_internal_proto_s2a_context_s2a_context_proto_rawDescData -} - -var file_internal_proto_s2a_context_s2a_context_proto_msgTypes = make([]protoimpl.MessageInfo, 1) -var file_internal_proto_s2a_context_s2a_context_proto_goTypes = []any{ - (*S2AContext)(nil), // 0: s2a.proto.S2AContext - (common_go_proto.TLSVersion)(0), // 1: s2a.proto.TLSVersion - (common_go_proto.Ciphersuite)(0), // 2: s2a.proto.Ciphersuite - (*common_go_proto.Identity)(nil), // 3: s2a.proto.Identity -} -var file_internal_proto_s2a_context_s2a_context_proto_depIdxs = []int32{ - 1, // 0: s2a.proto.S2AContext.tls_version:type_name -> s2a.proto.TLSVersion - 2, // 1: s2a.proto.S2AContext.ciphersuite:type_name -> s2a.proto.Ciphersuite - 3, // 2: s2a.proto.S2AContext.peer_identity:type_name -> s2a.proto.Identity - 3, // 3: s2a.proto.S2AContext.local_identity:type_name -> s2a.proto.Identity - 4, // [4:4] is the sub-list for method output_type - 4, // [4:4] is the sub-list for method input_type - 4, // [4:4] is the sub-list for extension type_name - 4, // [4:4] is the sub-list for extension extendee - 0, // [0:4] is the sub-list for field type_name -} - -func init() { file_internal_proto_s2a_context_s2a_context_proto_init() } -func file_internal_proto_s2a_context_s2a_context_proto_init() { - if File_internal_proto_s2a_context_s2a_context_proto != nil { - return - } - if !protoimpl.UnsafeEnabled { - file_internal_proto_s2a_context_s2a_context_proto_msgTypes[0].Exporter = func(v any, i int) any { - switch v := v.(*S2AContext); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_internal_proto_s2a_context_s2a_context_proto_rawDesc, - NumEnums: 0, - NumMessages: 1, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_internal_proto_s2a_context_s2a_context_proto_goTypes, - DependencyIndexes: file_internal_proto_s2a_context_s2a_context_proto_depIdxs, - MessageInfos: file_internal_proto_s2a_context_s2a_context_proto_msgTypes, - }.Build() - File_internal_proto_s2a_context_s2a_context_proto = out.File - file_internal_proto_s2a_context_s2a_context_proto_rawDesc = nil - file_internal_proto_s2a_context_s2a_context_proto_goTypes = nil - file_internal_proto_s2a_context_s2a_context_proto_depIdxs = nil -} diff --git a/vendor/github.com/google/s2a-go/internal/proto/s2a_go_proto/s2a.pb.go b/vendor/github.com/google/s2a-go/internal/proto/s2a_go_proto/s2a.pb.go deleted file mode 100644 index 8919232fd..000000000 --- a/vendor/github.com/google/s2a-go/internal/proto/s2a_go_proto/s2a.pb.go +++ /dev/null @@ -1,1377 +0,0 @@ -// Copyright 2021 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.34.2 -// protoc v3.21.12 -// source: internal/proto/s2a/s2a.proto - -package s2a_go_proto - -import ( - common_go_proto "github.com/google/s2a-go/internal/proto/common_go_proto" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -type AuthenticationMechanism struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // (Optional) Application may specify an identity associated to an - // authentication mechanism. Otherwise, S2A assumes that the authentication - // mechanism is associated with the default identity. If the default identity - // cannot be determined, session setup fails. - Identity *common_go_proto.Identity `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"` - // Types that are assignable to MechanismOneof: - // - // *AuthenticationMechanism_Token - MechanismOneof isAuthenticationMechanism_MechanismOneof `protobuf_oneof:"mechanism_oneof"` -} - -func (x *AuthenticationMechanism) Reset() { - *x = AuthenticationMechanism{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *AuthenticationMechanism) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*AuthenticationMechanism) ProtoMessage() {} - -func (x *AuthenticationMechanism) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use AuthenticationMechanism.ProtoReflect.Descriptor instead. -func (*AuthenticationMechanism) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{0} -} - -func (x *AuthenticationMechanism) GetIdentity() *common_go_proto.Identity { - if x != nil { - return x.Identity - } - return nil -} - -func (m *AuthenticationMechanism) GetMechanismOneof() isAuthenticationMechanism_MechanismOneof { - if m != nil { - return m.MechanismOneof - } - return nil -} - -func (x *AuthenticationMechanism) GetToken() string { - if x, ok := x.GetMechanismOneof().(*AuthenticationMechanism_Token); ok { - return x.Token - } - return "" -} - -type isAuthenticationMechanism_MechanismOneof interface { - isAuthenticationMechanism_MechanismOneof() -} - -type AuthenticationMechanism_Token struct { - // A token that the application uses to authenticate itself to the S2A. - Token string `protobuf:"bytes,2,opt,name=token,proto3,oneof"` -} - -func (*AuthenticationMechanism_Token) isAuthenticationMechanism_MechanismOneof() {} - -type ClientSessionStartReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The application protocols supported by the client, e.g., "grpc". - ApplicationProtocols []string `protobuf:"bytes,1,rep,name=application_protocols,json=applicationProtocols,proto3" json:"application_protocols,omitempty"` - // (Optional) The minimum TLS version number that the S2A's handshaker module - // will use to set up the session. If this field is not provided, S2A will use - // the minimum version it supports. - MinTlsVersion common_go_proto.TLSVersion `protobuf:"varint,2,opt,name=min_tls_version,json=minTlsVersion,proto3,enum=s2a.proto.TLSVersion" json:"min_tls_version,omitempty"` - // (Optional) The maximum TLS version number that the S2A's handshaker module - // will use to set up the session. If this field is not provided, S2A will use - // the maximum version it supports. - MaxTlsVersion common_go_proto.TLSVersion `protobuf:"varint,3,opt,name=max_tls_version,json=maxTlsVersion,proto3,enum=s2a.proto.TLSVersion" json:"max_tls_version,omitempty"` - // The TLS ciphersuites that the client is willing to support. - TlsCiphersuites []common_go_proto.Ciphersuite `protobuf:"varint,4,rep,packed,name=tls_ciphersuites,json=tlsCiphersuites,proto3,enum=s2a.proto.Ciphersuite" json:"tls_ciphersuites,omitempty"` - // (Optional) Describes which server identities are acceptable by the client. - // If target identities are provided and none of them matches the peer - // identity of the server, session setup fails. - TargetIdentities []*common_go_proto.Identity `protobuf:"bytes,5,rep,name=target_identities,json=targetIdentities,proto3" json:"target_identities,omitempty"` - // (Optional) Application may specify a local identity. Otherwise, S2A chooses - // the default local identity. If the default identity cannot be determined, - // session setup fails. - LocalIdentity *common_go_proto.Identity `protobuf:"bytes,6,opt,name=local_identity,json=localIdentity,proto3" json:"local_identity,omitempty"` - // The target name that is used by S2A to configure SNI in the TLS handshake. - // It is also used to perform server authorization check if avaiable. This - // check is intended to verify that the peer authenticated identity is - // authorized to run a service with the target name. - // This field MUST only contain the host portion of the server address. It - // MUST not contain the scheme or the port number. For example, if the server - // address is dns://www.example.com:443, the value of this field should be - // set to www.example.com. - TargetName string `protobuf:"bytes,7,opt,name=target_name,json=targetName,proto3" json:"target_name,omitempty"` -} - -func (x *ClientSessionStartReq) Reset() { - *x = ClientSessionStartReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ClientSessionStartReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ClientSessionStartReq) ProtoMessage() {} - -func (x *ClientSessionStartReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ClientSessionStartReq.ProtoReflect.Descriptor instead. -func (*ClientSessionStartReq) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{1} -} - -func (x *ClientSessionStartReq) GetApplicationProtocols() []string { - if x != nil { - return x.ApplicationProtocols - } - return nil -} - -func (x *ClientSessionStartReq) GetMinTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.MinTlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *ClientSessionStartReq) GetMaxTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.MaxTlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *ClientSessionStartReq) GetTlsCiphersuites() []common_go_proto.Ciphersuite { - if x != nil { - return x.TlsCiphersuites - } - return nil -} - -func (x *ClientSessionStartReq) GetTargetIdentities() []*common_go_proto.Identity { - if x != nil { - return x.TargetIdentities - } - return nil -} - -func (x *ClientSessionStartReq) GetLocalIdentity() *common_go_proto.Identity { - if x != nil { - return x.LocalIdentity - } - return nil -} - -func (x *ClientSessionStartReq) GetTargetName() string { - if x != nil { - return x.TargetName - } - return "" -} - -type ServerSessionStartReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The application protocols supported by the server, e.g., "grpc". - ApplicationProtocols []string `protobuf:"bytes,1,rep,name=application_protocols,json=applicationProtocols,proto3" json:"application_protocols,omitempty"` - // (Optional) The minimum TLS version number that the S2A's handshaker module - // will use to set up the session. If this field is not provided, S2A will use - // the minimum version it supports. - MinTlsVersion common_go_proto.TLSVersion `protobuf:"varint,2,opt,name=min_tls_version,json=minTlsVersion,proto3,enum=s2a.proto.TLSVersion" json:"min_tls_version,omitempty"` - // (Optional) The maximum TLS version number that the S2A's handshaker module - // will use to set up the session. If this field is not provided, S2A will use - // the maximum version it supports. - MaxTlsVersion common_go_proto.TLSVersion `protobuf:"varint,3,opt,name=max_tls_version,json=maxTlsVersion,proto3,enum=s2a.proto.TLSVersion" json:"max_tls_version,omitempty"` - // The TLS ciphersuites that the server is willing to support. - TlsCiphersuites []common_go_proto.Ciphersuite `protobuf:"varint,4,rep,packed,name=tls_ciphersuites,json=tlsCiphersuites,proto3,enum=s2a.proto.Ciphersuite" json:"tls_ciphersuites,omitempty"` - // (Optional) A list of local identities supported by the server, if - // specified. Otherwise, S2A chooses the default local identity. If the - // default identity cannot be determined, session setup fails. - LocalIdentities []*common_go_proto.Identity `protobuf:"bytes,5,rep,name=local_identities,json=localIdentities,proto3" json:"local_identities,omitempty"` - // The byte representation of the first handshake message received from the - // client peer. It is possible that this first message is split into multiple - // chunks. In this case, the first chunk is sent using this field and the - // following chunks are sent using the in_bytes field of SessionNextReq - // Specifically, if the client peer is using S2A, this field contains the - // bytes in the out_frames field of SessionResp message that the client peer - // received from its S2A after initiating the handshake. - InBytes []byte `protobuf:"bytes,6,opt,name=in_bytes,json=inBytes,proto3" json:"in_bytes,omitempty"` -} - -func (x *ServerSessionStartReq) Reset() { - *x = ServerSessionStartReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ServerSessionStartReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ServerSessionStartReq) ProtoMessage() {} - -func (x *ServerSessionStartReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[2] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ServerSessionStartReq.ProtoReflect.Descriptor instead. -func (*ServerSessionStartReq) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{2} -} - -func (x *ServerSessionStartReq) GetApplicationProtocols() []string { - if x != nil { - return x.ApplicationProtocols - } - return nil -} - -func (x *ServerSessionStartReq) GetMinTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.MinTlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *ServerSessionStartReq) GetMaxTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.MaxTlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *ServerSessionStartReq) GetTlsCiphersuites() []common_go_proto.Ciphersuite { - if x != nil { - return x.TlsCiphersuites - } - return nil -} - -func (x *ServerSessionStartReq) GetLocalIdentities() []*common_go_proto.Identity { - if x != nil { - return x.LocalIdentities - } - return nil -} - -func (x *ServerSessionStartReq) GetInBytes() []byte { - if x != nil { - return x.InBytes - } - return nil -} - -type SessionNextReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The byte representation of session setup, i.e., handshake messages. - // Specifically: - // - All handshake messages sent from the server to the client. - // - All, except for the first, handshake messages sent from the client to - // the server. Note that the first message is communicated to S2A using the - // in_bytes field of ServerSessionStartReq. - // - // If the peer is using S2A, this field contains the bytes in the out_frames - // field of SessionResp message that the peer received from its S2A. - InBytes []byte `protobuf:"bytes,1,opt,name=in_bytes,json=inBytes,proto3" json:"in_bytes,omitempty"` -} - -func (x *SessionNextReq) Reset() { - *x = SessionNextReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SessionNextReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SessionNextReq) ProtoMessage() {} - -func (x *SessionNextReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[3] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SessionNextReq.ProtoReflect.Descriptor instead. -func (*SessionNextReq) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{3} -} - -func (x *SessionNextReq) GetInBytes() []byte { - if x != nil { - return x.InBytes - } - return nil -} - -type ResumptionTicketReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The byte representation of a NewSessionTicket message received from the - // server. - InBytes [][]byte `protobuf:"bytes,1,rep,name=in_bytes,json=inBytes,proto3" json:"in_bytes,omitempty"` - // A connection identifier that was created and sent by S2A at the end of a - // handshake. - ConnectionId uint64 `protobuf:"varint,2,opt,name=connection_id,json=connectionId,proto3" json:"connection_id,omitempty"` - // The local identity that was used by S2A during session setup and included - // in |SessionResult|. - LocalIdentity *common_go_proto.Identity `protobuf:"bytes,3,opt,name=local_identity,json=localIdentity,proto3" json:"local_identity,omitempty"` -} - -func (x *ResumptionTicketReq) Reset() { - *x = ResumptionTicketReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ResumptionTicketReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ResumptionTicketReq) ProtoMessage() {} - -func (x *ResumptionTicketReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ResumptionTicketReq.ProtoReflect.Descriptor instead. -func (*ResumptionTicketReq) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{4} -} - -func (x *ResumptionTicketReq) GetInBytes() [][]byte { - if x != nil { - return x.InBytes - } - return nil -} - -func (x *ResumptionTicketReq) GetConnectionId() uint64 { - if x != nil { - return x.ConnectionId - } - return 0 -} - -func (x *ResumptionTicketReq) GetLocalIdentity() *common_go_proto.Identity { - if x != nil { - return x.LocalIdentity - } - return nil -} - -type SessionReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Types that are assignable to ReqOneof: - // - // *SessionReq_ClientStart - // *SessionReq_ServerStart - // *SessionReq_Next - // *SessionReq_ResumptionTicket - ReqOneof isSessionReq_ReqOneof `protobuf_oneof:"req_oneof"` - // (Optional) The authentication mechanisms that the client wishes to use to - // authenticate to the S2A, ordered by preference. The S2A will always use the - // first authentication mechanism that appears in the list and is supported by - // the S2A. - AuthMechanisms []*AuthenticationMechanism `protobuf:"bytes,5,rep,name=auth_mechanisms,json=authMechanisms,proto3" json:"auth_mechanisms,omitempty"` -} - -func (x *SessionReq) Reset() { - *x = SessionReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SessionReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SessionReq) ProtoMessage() {} - -func (x *SessionReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[5] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SessionReq.ProtoReflect.Descriptor instead. -func (*SessionReq) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{5} -} - -func (m *SessionReq) GetReqOneof() isSessionReq_ReqOneof { - if m != nil { - return m.ReqOneof - } - return nil -} - -func (x *SessionReq) GetClientStart() *ClientSessionStartReq { - if x, ok := x.GetReqOneof().(*SessionReq_ClientStart); ok { - return x.ClientStart - } - return nil -} - -func (x *SessionReq) GetServerStart() *ServerSessionStartReq { - if x, ok := x.GetReqOneof().(*SessionReq_ServerStart); ok { - return x.ServerStart - } - return nil -} - -func (x *SessionReq) GetNext() *SessionNextReq { - if x, ok := x.GetReqOneof().(*SessionReq_Next); ok { - return x.Next - } - return nil -} - -func (x *SessionReq) GetResumptionTicket() *ResumptionTicketReq { - if x, ok := x.GetReqOneof().(*SessionReq_ResumptionTicket); ok { - return x.ResumptionTicket - } - return nil -} - -func (x *SessionReq) GetAuthMechanisms() []*AuthenticationMechanism { - if x != nil { - return x.AuthMechanisms - } - return nil -} - -type isSessionReq_ReqOneof interface { - isSessionReq_ReqOneof() -} - -type SessionReq_ClientStart struct { - // The client session setup request message. - ClientStart *ClientSessionStartReq `protobuf:"bytes,1,opt,name=client_start,json=clientStart,proto3,oneof"` -} - -type SessionReq_ServerStart struct { - // The server session setup request message. - ServerStart *ServerSessionStartReq `protobuf:"bytes,2,opt,name=server_start,json=serverStart,proto3,oneof"` -} - -type SessionReq_Next struct { - // The next session setup message request message. - Next *SessionNextReq `protobuf:"bytes,3,opt,name=next,proto3,oneof"` -} - -type SessionReq_ResumptionTicket struct { - // The resumption ticket that is received from the server. This message is - // only accepted by S2A if it is running as a client and if it is received - // after session setup is complete. If S2A is running as a server and it - // receives this message, the session is terminated. - ResumptionTicket *ResumptionTicketReq `protobuf:"bytes,4,opt,name=resumption_ticket,json=resumptionTicket,proto3,oneof"` -} - -func (*SessionReq_ClientStart) isSessionReq_ReqOneof() {} - -func (*SessionReq_ServerStart) isSessionReq_ReqOneof() {} - -func (*SessionReq_Next) isSessionReq_ReqOneof() {} - -func (*SessionReq_ResumptionTicket) isSessionReq_ReqOneof() {} - -type SessionState struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The TLS version number that the S2A's handshaker module used to set up the - // session. - TlsVersion common_go_proto.TLSVersion `protobuf:"varint,1,opt,name=tls_version,json=tlsVersion,proto3,enum=s2a.proto.TLSVersion" json:"tls_version,omitempty"` - // The TLS ciphersuite negotiated by the S2A's handshaker module. - TlsCiphersuite common_go_proto.Ciphersuite `protobuf:"varint,2,opt,name=tls_ciphersuite,json=tlsCiphersuite,proto3,enum=s2a.proto.Ciphersuite" json:"tls_ciphersuite,omitempty"` - // The sequence number of the next, incoming, TLS record. - InSequence uint64 `protobuf:"varint,3,opt,name=in_sequence,json=inSequence,proto3" json:"in_sequence,omitempty"` - // The sequence number of the next, outgoing, TLS record. - OutSequence uint64 `protobuf:"varint,4,opt,name=out_sequence,json=outSequence,proto3" json:"out_sequence,omitempty"` - // The key for the inbound direction. - InKey []byte `protobuf:"bytes,5,opt,name=in_key,json=inKey,proto3" json:"in_key,omitempty"` - // The key for the outbound direction. - OutKey []byte `protobuf:"bytes,6,opt,name=out_key,json=outKey,proto3" json:"out_key,omitempty"` - // The constant part of the record nonce for the outbound direction. - InFixedNonce []byte `protobuf:"bytes,7,opt,name=in_fixed_nonce,json=inFixedNonce,proto3" json:"in_fixed_nonce,omitempty"` - // The constant part of the record nonce for the inbound direction. - OutFixedNonce []byte `protobuf:"bytes,8,opt,name=out_fixed_nonce,json=outFixedNonce,proto3" json:"out_fixed_nonce,omitempty"` - // A connection identifier that can be provided to S2A to perform operations - // related to this connection. This identifier will be stored by the record - // protocol, and included in the |ResumptionTicketReq| message that is later - // sent back to S2A. This field is set only for client-side connections. - ConnectionId uint64 `protobuf:"varint,9,opt,name=connection_id,json=connectionId,proto3" json:"connection_id,omitempty"` - // Set to true if a cached session was reused to do an abbreviated handshake. - IsHandshakeResumed bool `protobuf:"varint,10,opt,name=is_handshake_resumed,json=isHandshakeResumed,proto3" json:"is_handshake_resumed,omitempty"` -} - -func (x *SessionState) Reset() { - *x = SessionState{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[6] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SessionState) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SessionState) ProtoMessage() {} - -func (x *SessionState) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[6] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SessionState.ProtoReflect.Descriptor instead. -func (*SessionState) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{6} -} - -func (x *SessionState) GetTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.TlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *SessionState) GetTlsCiphersuite() common_go_proto.Ciphersuite { - if x != nil { - return x.TlsCiphersuite - } - return common_go_proto.Ciphersuite(0) -} - -func (x *SessionState) GetInSequence() uint64 { - if x != nil { - return x.InSequence - } - return 0 -} - -func (x *SessionState) GetOutSequence() uint64 { - if x != nil { - return x.OutSequence - } - return 0 -} - -func (x *SessionState) GetInKey() []byte { - if x != nil { - return x.InKey - } - return nil -} - -func (x *SessionState) GetOutKey() []byte { - if x != nil { - return x.OutKey - } - return nil -} - -func (x *SessionState) GetInFixedNonce() []byte { - if x != nil { - return x.InFixedNonce - } - return nil -} - -func (x *SessionState) GetOutFixedNonce() []byte { - if x != nil { - return x.OutFixedNonce - } - return nil -} - -func (x *SessionState) GetConnectionId() uint64 { - if x != nil { - return x.ConnectionId - } - return 0 -} - -func (x *SessionState) GetIsHandshakeResumed() bool { - if x != nil { - return x.IsHandshakeResumed - } - return false -} - -type SessionResult struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The application protocol negotiated for this session. - ApplicationProtocol string `protobuf:"bytes,1,opt,name=application_protocol,json=applicationProtocol,proto3" json:"application_protocol,omitempty"` - // The session state at the end. This state contains all cryptographic - // material required to initialize the record protocol object. - State *SessionState `protobuf:"bytes,2,opt,name=state,proto3" json:"state,omitempty"` - // The authenticated identity of the peer. - PeerIdentity *common_go_proto.Identity `protobuf:"bytes,4,opt,name=peer_identity,json=peerIdentity,proto3" json:"peer_identity,omitempty"` - // The local identity used during session setup. This could be: - // - The local identity that the client specifies in ClientSessionStartReq. - // - One of the local identities that the server specifies in - // ServerSessionStartReq. - // - If neither client or server specifies local identities, the S2A picks the - // default one. In this case, this field will contain that identity. - LocalIdentity *common_go_proto.Identity `protobuf:"bytes,5,opt,name=local_identity,json=localIdentity,proto3" json:"local_identity,omitempty"` - // The SHA256 hash of the local certificate used in the handshake. - LocalCertFingerprint []byte `protobuf:"bytes,6,opt,name=local_cert_fingerprint,json=localCertFingerprint,proto3" json:"local_cert_fingerprint,omitempty"` - // The SHA256 hash of the peer certificate used in the handshake. - PeerCertFingerprint []byte `protobuf:"bytes,7,opt,name=peer_cert_fingerprint,json=peerCertFingerprint,proto3" json:"peer_cert_fingerprint,omitempty"` -} - -func (x *SessionResult) Reset() { - *x = SessionResult{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[7] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SessionResult) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SessionResult) ProtoMessage() {} - -func (x *SessionResult) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[7] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SessionResult.ProtoReflect.Descriptor instead. -func (*SessionResult) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{7} -} - -func (x *SessionResult) GetApplicationProtocol() string { - if x != nil { - return x.ApplicationProtocol - } - return "" -} - -func (x *SessionResult) GetState() *SessionState { - if x != nil { - return x.State - } - return nil -} - -func (x *SessionResult) GetPeerIdentity() *common_go_proto.Identity { - if x != nil { - return x.PeerIdentity - } - return nil -} - -func (x *SessionResult) GetLocalIdentity() *common_go_proto.Identity { - if x != nil { - return x.LocalIdentity - } - return nil -} - -func (x *SessionResult) GetLocalCertFingerprint() []byte { - if x != nil { - return x.LocalCertFingerprint - } - return nil -} - -func (x *SessionResult) GetPeerCertFingerprint() []byte { - if x != nil { - return x.PeerCertFingerprint - } - return nil -} - -type SessionStatus struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The status code that is specific to the application and the implementation - // of S2A, e.g., gRPC status code. - Code uint32 `protobuf:"varint,1,opt,name=code,proto3" json:"code,omitempty"` - // The status details. - Details string `protobuf:"bytes,2,opt,name=details,proto3" json:"details,omitempty"` -} - -func (x *SessionStatus) Reset() { - *x = SessionStatus{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[8] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SessionStatus) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SessionStatus) ProtoMessage() {} - -func (x *SessionStatus) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[8] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SessionStatus.ProtoReflect.Descriptor instead. -func (*SessionStatus) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{8} -} - -func (x *SessionStatus) GetCode() uint32 { - if x != nil { - return x.Code - } - return 0 -} - -func (x *SessionStatus) GetDetails() string { - if x != nil { - return x.Details - } - return "" -} - -type SessionResp struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The local identity used during session setup. This could be: - // - The local identity that the client specifies in ClientSessionStartReq. - // - One of the local identities that the server specifies in - // ServerSessionStartReq. - // - If neither client or server specifies local identities, the S2A picks the - // default one. In this case, this field will contain that identity. - // - // If the SessionResult is populated, then this must coincide with the local - // identity specified in the SessionResult; otherwise, the handshake must - // fail. - LocalIdentity *common_go_proto.Identity `protobuf:"bytes,1,opt,name=local_identity,json=localIdentity,proto3" json:"local_identity,omitempty"` - // The byte representation of the frames that should be sent to the peer. May - // be empty if nothing needs to be sent to the peer or if in_bytes in the - // SessionReq is incomplete. All bytes in a non-empty out_frames must be sent - // to the peer even if the session setup status is not OK as these frames may - // contain appropriate alerts. - OutFrames []byte `protobuf:"bytes,2,opt,name=out_frames,json=outFrames,proto3" json:"out_frames,omitempty"` - // Number of bytes in the in_bytes field that are consumed by S2A. It is - // possible that part of in_bytes is unrelated to the session setup process. - BytesConsumed uint32 `protobuf:"varint,3,opt,name=bytes_consumed,json=bytesConsumed,proto3" json:"bytes_consumed,omitempty"` - // This is set if the session is successfully set up. out_frames may - // still be set to frames that needs to be forwarded to the peer. - Result *SessionResult `protobuf:"bytes,4,opt,name=result,proto3" json:"result,omitempty"` - // Status of session setup at the current stage. - Status *SessionStatus `protobuf:"bytes,5,opt,name=status,proto3" json:"status,omitempty"` -} - -func (x *SessionResp) Reset() { - *x = SessionResp{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[9] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SessionResp) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SessionResp) ProtoMessage() {} - -func (x *SessionResp) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_s2a_s2a_proto_msgTypes[9] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SessionResp.ProtoReflect.Descriptor instead. -func (*SessionResp) Descriptor() ([]byte, []int) { - return file_internal_proto_s2a_s2a_proto_rawDescGZIP(), []int{9} -} - -func (x *SessionResp) GetLocalIdentity() *common_go_proto.Identity { - if x != nil { - return x.LocalIdentity - } - return nil -} - -func (x *SessionResp) GetOutFrames() []byte { - if x != nil { - return x.OutFrames - } - return nil -} - -func (x *SessionResp) GetBytesConsumed() uint32 { - if x != nil { - return x.BytesConsumed - } - return 0 -} - -func (x *SessionResp) GetResult() *SessionResult { - if x != nil { - return x.Result - } - return nil -} - -func (x *SessionResp) GetStatus() *SessionStatus { - if x != nil { - return x.Status - } - return nil -} - -var File_internal_proto_s2a_s2a_proto protoreflect.FileDescriptor - -var file_internal_proto_s2a_s2a_proto_rawDesc = []byte{ - 0x0a, 0x1c, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2f, 0x73, 0x32, 0x61, 0x2f, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x09, - 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x22, 0x69, 0x6e, 0x74, 0x65, 0x72, - 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x75, 0x0a, - 0x17, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, - 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x12, 0x2f, 0x0a, 0x08, 0x69, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x32, 0x61, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, - 0x08, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x16, 0x0a, 0x05, 0x74, 0x6f, 0x6b, - 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, - 0x6e, 0x42, 0x11, 0x0a, 0x0f, 0x6d, 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x5f, 0x6f, - 0x6e, 0x65, 0x6f, 0x66, 0x22, 0xac, 0x03, 0x0a, 0x15, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, - 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x71, 0x12, 0x33, - 0x0a, 0x15, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x14, 0x61, - 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, - 0x6f, 0x6c, 0x73, 0x12, 0x3d, 0x0a, 0x0f, 0x6d, 0x69, 0x6e, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x76, - 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x73, - 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x54, 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, - 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x69, 0x6e, 0x54, 0x6c, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, - 0x6f, 0x6e, 0x12, 0x3d, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x76, 0x65, - 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x73, 0x32, - 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x54, 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, 0x69, - 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x61, 0x78, 0x54, 0x6c, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, - 0x6e, 0x12, 0x41, 0x0a, 0x10, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, - 0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x73, 0x32, - 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, - 0x69, 0x74, 0x65, 0x52, 0x0f, 0x74, 0x6c, 0x73, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, - 0x69, 0x74, 0x65, 0x73, 0x12, 0x40, 0x0a, 0x11, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x69, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x13, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x79, 0x52, 0x10, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x49, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x3a, 0x0a, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, - 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, - 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, - 0x69, 0x74, 0x79, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x6e, 0x61, 0x6d, - 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x4e, - 0x61, 0x6d, 0x65, 0x22, 0xe8, 0x02, 0x0a, 0x15, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x65, - 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x71, 0x12, 0x33, 0x0a, - 0x15, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x14, 0x61, 0x70, - 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, - 0x6c, 0x73, 0x12, 0x3d, 0x0a, 0x0f, 0x6d, 0x69, 0x6e, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x76, 0x65, - 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x73, 0x32, - 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x54, 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, 0x69, - 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x69, 0x6e, 0x54, 0x6c, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, - 0x6e, 0x12, 0x3d, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x76, 0x65, 0x72, - 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x73, 0x32, 0x61, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x54, 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, - 0x6e, 0x52, 0x0d, 0x6d, 0x61, 0x78, 0x54, 0x6c, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, - 0x12, 0x41, 0x0a, 0x10, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, - 0x69, 0x74, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x73, 0x32, 0x61, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, - 0x74, 0x65, 0x52, 0x0f, 0x74, 0x6c, 0x73, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, - 0x74, 0x65, 0x73, 0x12, 0x3e, 0x0a, 0x10, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, - 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x79, 0x52, 0x0f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, - 0x69, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x6e, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, - 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x69, 0x6e, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0x2b, - 0x0a, 0x0e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4e, 0x65, 0x78, 0x74, 0x52, 0x65, 0x71, - 0x12, 0x19, 0x0a, 0x08, 0x69, 0x6e, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0c, 0x52, 0x07, 0x69, 0x6e, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0x91, 0x01, 0x0a, 0x13, - 0x52, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, - 0x52, 0x65, 0x71, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x6e, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, - 0x01, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x07, 0x69, 0x6e, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x23, - 0x0a, 0x0d, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0c, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x49, 0x64, 0x12, 0x3a, 0x0a, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x32, - 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, - 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x22, - 0xf4, 0x02, 0x0a, 0x0a, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x12, 0x45, - 0x0a, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, - 0x61, 0x72, 0x74, 0x52, 0x65, 0x71, 0x48, 0x00, 0x52, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, - 0x53, 0x74, 0x61, 0x72, 0x74, 0x12, 0x45, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, - 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x73, 0x32, - 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x65, - 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x71, 0x48, 0x00, 0x52, - 0x0b, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x74, 0x61, 0x72, 0x74, 0x12, 0x2f, 0x0a, 0x04, - 0x6e, 0x65, 0x78, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x32, 0x61, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4e, 0x65, - 0x78, 0x74, 0x52, 0x65, 0x71, 0x48, 0x00, 0x52, 0x04, 0x6e, 0x65, 0x78, 0x74, 0x12, 0x4d, 0x0a, - 0x11, 0x72, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x69, 0x63, 0x6b, - 0x65, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x54, - 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71, 0x48, 0x00, 0x52, 0x10, 0x72, 0x65, 0x73, 0x75, - 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x4b, 0x0a, 0x0f, - 0x61, 0x75, 0x74, 0x68, 0x5f, 0x6d, 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x73, 0x18, - 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x4d, 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x52, 0x0e, 0x61, 0x75, 0x74, 0x68, 0x4d, - 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x73, 0x42, 0x0b, 0x0a, 0x09, 0x72, 0x65, 0x71, - 0x5f, 0x6f, 0x6e, 0x65, 0x6f, 0x66, 0x22, 0xa0, 0x03, 0x0a, 0x0c, 0x53, 0x65, 0x73, 0x73, 0x69, - 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x36, 0x0a, 0x0b, 0x74, 0x6c, 0x73, 0x5f, 0x76, - 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x73, - 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x54, 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, - 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x74, 0x6c, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, - 0x3f, 0x0a, 0x0f, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, - 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, - 0x52, 0x0e, 0x74, 0x6c, 0x73, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, - 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x5f, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0a, 0x69, 0x6e, 0x53, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, - 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x6f, 0x75, 0x74, 0x5f, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, - 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0b, 0x6f, 0x75, 0x74, 0x53, 0x65, 0x71, 0x75, - 0x65, 0x6e, 0x63, 0x65, 0x12, 0x15, 0x0a, 0x06, 0x69, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x05, - 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x69, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x6f, - 0x75, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x6f, 0x75, - 0x74, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x0a, 0x0e, 0x69, 0x6e, 0x5f, 0x66, 0x69, 0x78, 0x65, 0x64, - 0x5f, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x69, 0x6e, - 0x46, 0x69, 0x78, 0x65, 0x64, 0x4e, 0x6f, 0x6e, 0x63, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x6f, 0x75, - 0x74, 0x5f, 0x66, 0x69, 0x78, 0x65, 0x64, 0x5f, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x18, 0x08, 0x20, - 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x6f, 0x75, 0x74, 0x46, 0x69, 0x78, 0x65, 0x64, 0x4e, 0x6f, 0x6e, - 0x63, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x5f, 0x69, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0c, 0x63, 0x6f, 0x6e, 0x6e, 0x65, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x30, 0x0a, 0x14, 0x69, 0x73, 0x5f, 0x68, 0x61, - 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6d, 0x65, 0x64, 0x18, - 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x69, 0x73, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, - 0x6b, 0x65, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x65, 0x64, 0x22, 0xd1, 0x02, 0x0a, 0x0d, 0x53, 0x65, - 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x31, 0x0a, 0x14, 0x61, - 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x61, 0x70, 0x70, 0x6c, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x2d, - 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, - 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, - 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x12, 0x38, 0x0a, - 0x0d, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x04, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0c, 0x70, 0x65, 0x65, 0x72, 0x49, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x3a, 0x0a, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, - 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x13, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x49, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x79, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x64, 0x65, 0x6e, 0x74, - 0x69, 0x74, 0x79, 0x12, 0x34, 0x0a, 0x16, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x63, 0x65, 0x72, - 0x74, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x06, 0x20, - 0x01, 0x28, 0x0c, 0x52, 0x14, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x43, 0x65, 0x72, 0x74, 0x46, 0x69, - 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12, 0x32, 0x0a, 0x15, 0x70, 0x65, 0x65, - 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, - 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x13, 0x70, 0x65, 0x65, 0x72, 0x43, 0x65, - 0x72, 0x74, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x22, 0x3d, 0x0a, - 0x0d, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x12, - 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x63, 0x6f, - 0x64, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x07, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x22, 0xf3, 0x01, 0x0a, - 0x0b, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x12, 0x3a, 0x0a, 0x0e, - 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, - 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x6f, 0x75, 0x74, 0x5f, - 0x66, 0x72, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x6f, 0x75, - 0x74, 0x46, 0x72, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x62, 0x79, 0x74, 0x65, 0x73, - 0x5f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6d, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, - 0x0d, 0x62, 0x79, 0x74, 0x65, 0x73, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6d, 0x65, 0x64, 0x12, 0x30, - 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18, - 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, - 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, - 0x12, 0x30, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x18, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x53, 0x65, 0x73, - 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, - 0x75, 0x73, 0x32, 0x51, 0x0a, 0x0a, 0x53, 0x32, 0x41, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, - 0x12, 0x43, 0x0a, 0x0c, 0x53, 0x65, 0x74, 0x55, 0x70, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x12, 0x15, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x53, 0x65, 0x73, - 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x1a, 0x16, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x22, - 0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x33, 0x5a, 0x31, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x73, 0x32, 0x61, 0x2f, 0x69, - 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x32, - 0x61, 0x5f, 0x67, 0x6f, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, -} - -var ( - file_internal_proto_s2a_s2a_proto_rawDescOnce sync.Once - file_internal_proto_s2a_s2a_proto_rawDescData = file_internal_proto_s2a_s2a_proto_rawDesc -) - -func file_internal_proto_s2a_s2a_proto_rawDescGZIP() []byte { - file_internal_proto_s2a_s2a_proto_rawDescOnce.Do(func() { - file_internal_proto_s2a_s2a_proto_rawDescData = protoimpl.X.CompressGZIP(file_internal_proto_s2a_s2a_proto_rawDescData) - }) - return file_internal_proto_s2a_s2a_proto_rawDescData -} - -var file_internal_proto_s2a_s2a_proto_msgTypes = make([]protoimpl.MessageInfo, 10) -var file_internal_proto_s2a_s2a_proto_goTypes = []any{ - (*AuthenticationMechanism)(nil), // 0: s2a.proto.AuthenticationMechanism - (*ClientSessionStartReq)(nil), // 1: s2a.proto.ClientSessionStartReq - (*ServerSessionStartReq)(nil), // 2: s2a.proto.ServerSessionStartReq - (*SessionNextReq)(nil), // 3: s2a.proto.SessionNextReq - (*ResumptionTicketReq)(nil), // 4: s2a.proto.ResumptionTicketReq - (*SessionReq)(nil), // 5: s2a.proto.SessionReq - (*SessionState)(nil), // 6: s2a.proto.SessionState - (*SessionResult)(nil), // 7: s2a.proto.SessionResult - (*SessionStatus)(nil), // 8: s2a.proto.SessionStatus - (*SessionResp)(nil), // 9: s2a.proto.SessionResp - (*common_go_proto.Identity)(nil), // 10: s2a.proto.Identity - (common_go_proto.TLSVersion)(0), // 11: s2a.proto.TLSVersion - (common_go_proto.Ciphersuite)(0), // 12: s2a.proto.Ciphersuite -} -var file_internal_proto_s2a_s2a_proto_depIdxs = []int32{ - 10, // 0: s2a.proto.AuthenticationMechanism.identity:type_name -> s2a.proto.Identity - 11, // 1: s2a.proto.ClientSessionStartReq.min_tls_version:type_name -> s2a.proto.TLSVersion - 11, // 2: s2a.proto.ClientSessionStartReq.max_tls_version:type_name -> s2a.proto.TLSVersion - 12, // 3: s2a.proto.ClientSessionStartReq.tls_ciphersuites:type_name -> s2a.proto.Ciphersuite - 10, // 4: s2a.proto.ClientSessionStartReq.target_identities:type_name -> s2a.proto.Identity - 10, // 5: s2a.proto.ClientSessionStartReq.local_identity:type_name -> s2a.proto.Identity - 11, // 6: s2a.proto.ServerSessionStartReq.min_tls_version:type_name -> s2a.proto.TLSVersion - 11, // 7: s2a.proto.ServerSessionStartReq.max_tls_version:type_name -> s2a.proto.TLSVersion - 12, // 8: s2a.proto.ServerSessionStartReq.tls_ciphersuites:type_name -> s2a.proto.Ciphersuite - 10, // 9: s2a.proto.ServerSessionStartReq.local_identities:type_name -> s2a.proto.Identity - 10, // 10: s2a.proto.ResumptionTicketReq.local_identity:type_name -> s2a.proto.Identity - 1, // 11: s2a.proto.SessionReq.client_start:type_name -> s2a.proto.ClientSessionStartReq - 2, // 12: s2a.proto.SessionReq.server_start:type_name -> s2a.proto.ServerSessionStartReq - 3, // 13: s2a.proto.SessionReq.next:type_name -> s2a.proto.SessionNextReq - 4, // 14: s2a.proto.SessionReq.resumption_ticket:type_name -> s2a.proto.ResumptionTicketReq - 0, // 15: s2a.proto.SessionReq.auth_mechanisms:type_name -> s2a.proto.AuthenticationMechanism - 11, // 16: s2a.proto.SessionState.tls_version:type_name -> s2a.proto.TLSVersion - 12, // 17: s2a.proto.SessionState.tls_ciphersuite:type_name -> s2a.proto.Ciphersuite - 6, // 18: s2a.proto.SessionResult.state:type_name -> s2a.proto.SessionState - 10, // 19: s2a.proto.SessionResult.peer_identity:type_name -> s2a.proto.Identity - 10, // 20: s2a.proto.SessionResult.local_identity:type_name -> s2a.proto.Identity - 10, // 21: s2a.proto.SessionResp.local_identity:type_name -> s2a.proto.Identity - 7, // 22: s2a.proto.SessionResp.result:type_name -> s2a.proto.SessionResult - 8, // 23: s2a.proto.SessionResp.status:type_name -> s2a.proto.SessionStatus - 5, // 24: s2a.proto.S2AService.SetUpSession:input_type -> s2a.proto.SessionReq - 9, // 25: s2a.proto.S2AService.SetUpSession:output_type -> s2a.proto.SessionResp - 25, // [25:26] is the sub-list for method output_type - 24, // [24:25] is the sub-list for method input_type - 24, // [24:24] is the sub-list for extension type_name - 24, // [24:24] is the sub-list for extension extendee - 0, // [0:24] is the sub-list for field type_name -} - -func init() { file_internal_proto_s2a_s2a_proto_init() } -func file_internal_proto_s2a_s2a_proto_init() { - if File_internal_proto_s2a_s2a_proto != nil { - return - } - if !protoimpl.UnsafeEnabled { - file_internal_proto_s2a_s2a_proto_msgTypes[0].Exporter = func(v any, i int) any { - switch v := v.(*AuthenticationMechanism); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[1].Exporter = func(v any, i int) any { - switch v := v.(*ClientSessionStartReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[2].Exporter = func(v any, i int) any { - switch v := v.(*ServerSessionStartReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[3].Exporter = func(v any, i int) any { - switch v := v.(*SessionNextReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[4].Exporter = func(v any, i int) any { - switch v := v.(*ResumptionTicketReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[5].Exporter = func(v any, i int) any { - switch v := v.(*SessionReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[6].Exporter = func(v any, i int) any { - switch v := v.(*SessionState); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[7].Exporter = func(v any, i int) any { - switch v := v.(*SessionResult); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[8].Exporter = func(v any, i int) any { - switch v := v.(*SessionStatus); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[9].Exporter = func(v any, i int) any { - switch v := v.(*SessionResp); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - file_internal_proto_s2a_s2a_proto_msgTypes[0].OneofWrappers = []any{ - (*AuthenticationMechanism_Token)(nil), - } - file_internal_proto_s2a_s2a_proto_msgTypes[5].OneofWrappers = []any{ - (*SessionReq_ClientStart)(nil), - (*SessionReq_ServerStart)(nil), - (*SessionReq_Next)(nil), - (*SessionReq_ResumptionTicket)(nil), - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_internal_proto_s2a_s2a_proto_rawDesc, - NumEnums: 0, - NumMessages: 10, - NumExtensions: 0, - NumServices: 1, - }, - GoTypes: file_internal_proto_s2a_s2a_proto_goTypes, - DependencyIndexes: file_internal_proto_s2a_s2a_proto_depIdxs, - MessageInfos: file_internal_proto_s2a_s2a_proto_msgTypes, - }.Build() - File_internal_proto_s2a_s2a_proto = out.File - file_internal_proto_s2a_s2a_proto_rawDesc = nil - file_internal_proto_s2a_s2a_proto_goTypes = nil - file_internal_proto_s2a_s2a_proto_depIdxs = nil -} diff --git a/vendor/github.com/google/s2a-go/internal/proto/s2a_go_proto/s2a_grpc.pb.go b/vendor/github.com/google/s2a-go/internal/proto/s2a_go_proto/s2a_grpc.pb.go deleted file mode 100644 index 8fac3841b..000000000 --- a/vendor/github.com/google/s2a-go/internal/proto/s2a_go_proto/s2a_grpc.pb.go +++ /dev/null @@ -1,174 +0,0 @@ -// Copyright 2021 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go-grpc. DO NOT EDIT. -// versions: -// - protoc-gen-go-grpc v1.4.0 -// - protoc v3.21.12 -// source: internal/proto/s2a/s2a.proto - -package s2a_go_proto - -import ( - context "context" - grpc "google.golang.org/grpc" - codes "google.golang.org/grpc/codes" - status "google.golang.org/grpc/status" -) - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the grpc package it is being compiled against. -// Requires gRPC-Go v1.62.0 or later. -const _ = grpc.SupportPackageIsVersion8 - -const ( - S2AService_SetUpSession_FullMethodName = "/s2a.proto.S2AService/SetUpSession" -) - -// S2AServiceClient is the client API for S2AService service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type S2AServiceClient interface { - // S2A service accepts a stream of session setup requests and returns a stream - // of session setup responses. The client of this service is expected to send - // exactly one client_start or server_start message followed by at least one - // next message. Applications running TLS clients can send requests with - // resumption_ticket messages only after the session is successfully set up. - // - // Every time S2A client sends a request, this service sends a response. - // However, clients do not have to wait for service response before sending - // the next request. - SetUpSession(ctx context.Context, opts ...grpc.CallOption) (S2AService_SetUpSessionClient, error) -} - -type s2AServiceClient struct { - cc grpc.ClientConnInterface -} - -func NewS2AServiceClient(cc grpc.ClientConnInterface) S2AServiceClient { - return &s2AServiceClient{cc} -} - -func (c *s2AServiceClient) SetUpSession(ctx context.Context, opts ...grpc.CallOption) (S2AService_SetUpSessionClient, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - stream, err := c.cc.NewStream(ctx, &S2AService_ServiceDesc.Streams[0], S2AService_SetUpSession_FullMethodName, cOpts...) - if err != nil { - return nil, err - } - x := &s2AServiceSetUpSessionClient{ClientStream: stream} - return x, nil -} - -type S2AService_SetUpSessionClient interface { - Send(*SessionReq) error - Recv() (*SessionResp, error) - grpc.ClientStream -} - -type s2AServiceSetUpSessionClient struct { - grpc.ClientStream -} - -func (x *s2AServiceSetUpSessionClient) Send(m *SessionReq) error { - return x.ClientStream.SendMsg(m) -} - -func (x *s2AServiceSetUpSessionClient) Recv() (*SessionResp, error) { - m := new(SessionResp) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// S2AServiceServer is the server API for S2AService service. -// All implementations must embed UnimplementedS2AServiceServer -// for forward compatibility -type S2AServiceServer interface { - // S2A service accepts a stream of session setup requests and returns a stream - // of session setup responses. The client of this service is expected to send - // exactly one client_start or server_start message followed by at least one - // next message. Applications running TLS clients can send requests with - // resumption_ticket messages only after the session is successfully set up. - // - // Every time S2A client sends a request, this service sends a response. - // However, clients do not have to wait for service response before sending - // the next request. - SetUpSession(S2AService_SetUpSessionServer) error - mustEmbedUnimplementedS2AServiceServer() -} - -// UnimplementedS2AServiceServer must be embedded to have forward compatible implementations. -type UnimplementedS2AServiceServer struct { -} - -func (UnimplementedS2AServiceServer) SetUpSession(S2AService_SetUpSessionServer) error { - return status.Errorf(codes.Unimplemented, "method SetUpSession not implemented") -} -func (UnimplementedS2AServiceServer) mustEmbedUnimplementedS2AServiceServer() {} - -// UnsafeS2AServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to S2AServiceServer will -// result in compilation errors. -type UnsafeS2AServiceServer interface { - mustEmbedUnimplementedS2AServiceServer() -} - -func RegisterS2AServiceServer(s grpc.ServiceRegistrar, srv S2AServiceServer) { - s.RegisterService(&S2AService_ServiceDesc, srv) -} - -func _S2AService_SetUpSession_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(S2AServiceServer).SetUpSession(&s2AServiceSetUpSessionServer{ServerStream: stream}) -} - -type S2AService_SetUpSessionServer interface { - Send(*SessionResp) error - Recv() (*SessionReq, error) - grpc.ServerStream -} - -type s2AServiceSetUpSessionServer struct { - grpc.ServerStream -} - -func (x *s2AServiceSetUpSessionServer) Send(m *SessionResp) error { - return x.ServerStream.SendMsg(m) -} - -func (x *s2AServiceSetUpSessionServer) Recv() (*SessionReq, error) { - m := new(SessionReq) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// S2AService_ServiceDesc is the grpc.ServiceDesc for S2AService service. -// It's only intended for direct use with grpc.RegisterService, -// and not to be introspected or modified (even as a copy) -var S2AService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "s2a.proto.S2AService", - HandlerType: (*S2AServiceServer)(nil), - Methods: []grpc.MethodDesc{}, - Streams: []grpc.StreamDesc{ - { - StreamName: "SetUpSession", - Handler: _S2AService_SetUpSession_Handler, - ServerStreams: true, - ClientStreams: true, - }, - }, - Metadata: "internal/proto/s2a/s2a.proto", -} diff --git a/vendor/github.com/google/s2a-go/internal/proto/v2/common_go_proto/common.pb.go b/vendor/github.com/google/s2a-go/internal/proto/v2/common_go_proto/common.pb.go deleted file mode 100644 index e9aa5d14c..000000000 --- a/vendor/github.com/google/s2a-go/internal/proto/v2/common_go_proto/common.pb.go +++ /dev/null @@ -1,549 +0,0 @@ -// Copyright 2022 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.34.2 -// protoc v3.21.12 -// source: internal/proto/v2/common/common.proto - -package common_go_proto - -import ( - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -// The TLS 1.0-1.2 ciphersuites that the application can negotiate when using -// S2A. -type Ciphersuite int32 - -const ( - Ciphersuite_CIPHERSUITE_UNSPECIFIED Ciphersuite = 0 - Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Ciphersuite = 1 - Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Ciphersuite = 2 - Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Ciphersuite = 3 - Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Ciphersuite = 4 - Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Ciphersuite = 5 - Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Ciphersuite = 6 -) - -// Enum value maps for Ciphersuite. -var ( - Ciphersuite_name = map[int32]string{ - 0: "CIPHERSUITE_UNSPECIFIED", - 1: "CIPHERSUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - 2: "CIPHERSUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - 3: "CIPHERSUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - 4: "CIPHERSUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - 5: "CIPHERSUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - 6: "CIPHERSUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - } - Ciphersuite_value = map[string]int32{ - "CIPHERSUITE_UNSPECIFIED": 0, - "CIPHERSUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 1, - "CIPHERSUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 2, - "CIPHERSUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": 3, - "CIPHERSUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 4, - "CIPHERSUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 5, - "CIPHERSUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 6, - } -) - -func (x Ciphersuite) Enum() *Ciphersuite { - p := new(Ciphersuite) - *p = x - return p -} - -func (x Ciphersuite) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (Ciphersuite) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_common_common_proto_enumTypes[0].Descriptor() -} - -func (Ciphersuite) Type() protoreflect.EnumType { - return &file_internal_proto_v2_common_common_proto_enumTypes[0] -} - -func (x Ciphersuite) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use Ciphersuite.Descriptor instead. -func (Ciphersuite) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_common_common_proto_rawDescGZIP(), []int{0} -} - -// The TLS versions supported by S2A's handshaker module. -type TLSVersion int32 - -const ( - TLSVersion_TLS_VERSION_UNSPECIFIED TLSVersion = 0 - TLSVersion_TLS_VERSION_1_0 TLSVersion = 1 - TLSVersion_TLS_VERSION_1_1 TLSVersion = 2 - TLSVersion_TLS_VERSION_1_2 TLSVersion = 3 - TLSVersion_TLS_VERSION_1_3 TLSVersion = 4 -) - -// Enum value maps for TLSVersion. -var ( - TLSVersion_name = map[int32]string{ - 0: "TLS_VERSION_UNSPECIFIED", - 1: "TLS_VERSION_1_0", - 2: "TLS_VERSION_1_1", - 3: "TLS_VERSION_1_2", - 4: "TLS_VERSION_1_3", - } - TLSVersion_value = map[string]int32{ - "TLS_VERSION_UNSPECIFIED": 0, - "TLS_VERSION_1_0": 1, - "TLS_VERSION_1_1": 2, - "TLS_VERSION_1_2": 3, - "TLS_VERSION_1_3": 4, - } -) - -func (x TLSVersion) Enum() *TLSVersion { - p := new(TLSVersion) - *p = x - return p -} - -func (x TLSVersion) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (TLSVersion) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_common_common_proto_enumTypes[1].Descriptor() -} - -func (TLSVersion) Type() protoreflect.EnumType { - return &file_internal_proto_v2_common_common_proto_enumTypes[1] -} - -func (x TLSVersion) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use TLSVersion.Descriptor instead. -func (TLSVersion) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_common_common_proto_rawDescGZIP(), []int{1} -} - -// The side in the TLS connection. -type ConnectionSide int32 - -const ( - ConnectionSide_CONNECTION_SIDE_UNSPECIFIED ConnectionSide = 0 - ConnectionSide_CONNECTION_SIDE_CLIENT ConnectionSide = 1 - ConnectionSide_CONNECTION_SIDE_SERVER ConnectionSide = 2 -) - -// Enum value maps for ConnectionSide. -var ( - ConnectionSide_name = map[int32]string{ - 0: "CONNECTION_SIDE_UNSPECIFIED", - 1: "CONNECTION_SIDE_CLIENT", - 2: "CONNECTION_SIDE_SERVER", - } - ConnectionSide_value = map[string]int32{ - "CONNECTION_SIDE_UNSPECIFIED": 0, - "CONNECTION_SIDE_CLIENT": 1, - "CONNECTION_SIDE_SERVER": 2, - } -) - -func (x ConnectionSide) Enum() *ConnectionSide { - p := new(ConnectionSide) - *p = x - return p -} - -func (x ConnectionSide) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (ConnectionSide) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_common_common_proto_enumTypes[2].Descriptor() -} - -func (ConnectionSide) Type() protoreflect.EnumType { - return &file_internal_proto_v2_common_common_proto_enumTypes[2] -} - -func (x ConnectionSide) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use ConnectionSide.Descriptor instead. -func (ConnectionSide) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_common_common_proto_rawDescGZIP(), []int{2} -} - -// The ALPN protocols that the application can negotiate during a TLS handshake. -type AlpnProtocol int32 - -const ( - AlpnProtocol_ALPN_PROTOCOL_UNSPECIFIED AlpnProtocol = 0 - AlpnProtocol_ALPN_PROTOCOL_GRPC AlpnProtocol = 1 - AlpnProtocol_ALPN_PROTOCOL_HTTP2 AlpnProtocol = 2 - AlpnProtocol_ALPN_PROTOCOL_HTTP1_1 AlpnProtocol = 3 -) - -// Enum value maps for AlpnProtocol. -var ( - AlpnProtocol_name = map[int32]string{ - 0: "ALPN_PROTOCOL_UNSPECIFIED", - 1: "ALPN_PROTOCOL_GRPC", - 2: "ALPN_PROTOCOL_HTTP2", - 3: "ALPN_PROTOCOL_HTTP1_1", - } - AlpnProtocol_value = map[string]int32{ - "ALPN_PROTOCOL_UNSPECIFIED": 0, - "ALPN_PROTOCOL_GRPC": 1, - "ALPN_PROTOCOL_HTTP2": 2, - "ALPN_PROTOCOL_HTTP1_1": 3, - } -) - -func (x AlpnProtocol) Enum() *AlpnProtocol { - p := new(AlpnProtocol) - *p = x - return p -} - -func (x AlpnProtocol) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (AlpnProtocol) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_common_common_proto_enumTypes[3].Descriptor() -} - -func (AlpnProtocol) Type() protoreflect.EnumType { - return &file_internal_proto_v2_common_common_proto_enumTypes[3] -} - -func (x AlpnProtocol) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use AlpnProtocol.Descriptor instead. -func (AlpnProtocol) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_common_common_proto_rawDescGZIP(), []int{3} -} - -type Identity struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Types that are assignable to IdentityOneof: - // - // *Identity_SpiffeId - // *Identity_Hostname - // *Identity_Uid - // *Identity_Username - // *Identity_GcpId - IdentityOneof isIdentity_IdentityOneof `protobuf_oneof:"identity_oneof"` - // Additional identity-specific attributes. - Attributes map[string]string `protobuf:"bytes,3,rep,name=attributes,proto3" json:"attributes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` -} - -func (x *Identity) Reset() { - *x = Identity{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_common_common_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *Identity) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Identity) ProtoMessage() {} - -func (x *Identity) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_common_common_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Identity.ProtoReflect.Descriptor instead. -func (*Identity) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_common_common_proto_rawDescGZIP(), []int{0} -} - -func (m *Identity) GetIdentityOneof() isIdentity_IdentityOneof { - if m != nil { - return m.IdentityOneof - } - return nil -} - -func (x *Identity) GetSpiffeId() string { - if x, ok := x.GetIdentityOneof().(*Identity_SpiffeId); ok { - return x.SpiffeId - } - return "" -} - -func (x *Identity) GetHostname() string { - if x, ok := x.GetIdentityOneof().(*Identity_Hostname); ok { - return x.Hostname - } - return "" -} - -func (x *Identity) GetUid() string { - if x, ok := x.GetIdentityOneof().(*Identity_Uid); ok { - return x.Uid - } - return "" -} - -func (x *Identity) GetUsername() string { - if x, ok := x.GetIdentityOneof().(*Identity_Username); ok { - return x.Username - } - return "" -} - -func (x *Identity) GetGcpId() string { - if x, ok := x.GetIdentityOneof().(*Identity_GcpId); ok { - return x.GcpId - } - return "" -} - -func (x *Identity) GetAttributes() map[string]string { - if x != nil { - return x.Attributes - } - return nil -} - -type isIdentity_IdentityOneof interface { - isIdentity_IdentityOneof() -} - -type Identity_SpiffeId struct { - // The SPIFFE ID of a connection endpoint. - SpiffeId string `protobuf:"bytes,1,opt,name=spiffe_id,json=spiffeId,proto3,oneof"` -} - -type Identity_Hostname struct { - // The hostname of a connection endpoint. - Hostname string `protobuf:"bytes,2,opt,name=hostname,proto3,oneof"` -} - -type Identity_Uid struct { - // The UID of a connection endpoint. - Uid string `protobuf:"bytes,4,opt,name=uid,proto3,oneof"` -} - -type Identity_Username struct { - // The username of a connection endpoint. - Username string `protobuf:"bytes,5,opt,name=username,proto3,oneof"` -} - -type Identity_GcpId struct { - // The GCP ID of a connection endpoint. - GcpId string `protobuf:"bytes,6,opt,name=gcp_id,json=gcpId,proto3,oneof"` -} - -func (*Identity_SpiffeId) isIdentity_IdentityOneof() {} - -func (*Identity_Hostname) isIdentity_IdentityOneof() {} - -func (*Identity_Uid) isIdentity_IdentityOneof() {} - -func (*Identity_Username) isIdentity_IdentityOneof() {} - -func (*Identity_GcpId) isIdentity_IdentityOneof() {} - -var File_internal_proto_v2_common_common_proto protoreflect.FileDescriptor - -var file_internal_proto_v2_common_common_proto_rawDesc = []byte{ - 0x0a, 0x25, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2f, 0x76, 0x32, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0c, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x22, 0xab, 0x02, 0x0a, 0x08, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x79, 0x12, 0x1d, 0x0a, 0x09, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x08, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x49, - 0x64, 0x12, 0x1c, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, - 0x12, 0x0a, 0x03, 0x75, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x03, - 0x75, 0x69, 0x64, 0x12, 0x1c, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, - 0x65, 0x12, 0x17, 0x0a, 0x06, 0x67, 0x63, 0x70, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, - 0x09, 0x48, 0x00, 0x52, 0x05, 0x67, 0x63, 0x70, 0x49, 0x64, 0x12, 0x46, 0x0a, 0x0a, 0x61, 0x74, - 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, - 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x49, 0x64, - 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, - 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, - 0x65, 0x73, 0x1a, 0x3d, 0x0a, 0x0f, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, - 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, - 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x6f, 0x6e, - 0x65, 0x6f, 0x66, 0x2a, 0xee, 0x02, 0x0a, 0x0b, 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, - 0x69, 0x74, 0x65, 0x12, 0x1b, 0x0a, 0x17, 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x53, 0x55, 0x49, - 0x54, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, - 0x12, 0x33, 0x0a, 0x2f, 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x53, 0x55, 0x49, 0x54, 0x45, 0x5f, - 0x45, 0x43, 0x44, 0x48, 0x45, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x57, 0x49, 0x54, 0x48, - 0x5f, 0x41, 0x45, 0x53, 0x5f, 0x31, 0x32, 0x38, 0x5f, 0x47, 0x43, 0x4d, 0x5f, 0x53, 0x48, 0x41, - 0x32, 0x35, 0x36, 0x10, 0x01, 0x12, 0x33, 0x0a, 0x2f, 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x53, - 0x55, 0x49, 0x54, 0x45, 0x5f, 0x45, 0x43, 0x44, 0x48, 0x45, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, - 0x5f, 0x57, 0x49, 0x54, 0x48, 0x5f, 0x41, 0x45, 0x53, 0x5f, 0x32, 0x35, 0x36, 0x5f, 0x47, 0x43, - 0x4d, 0x5f, 0x53, 0x48, 0x41, 0x33, 0x38, 0x34, 0x10, 0x02, 0x12, 0x39, 0x0a, 0x35, 0x43, 0x49, - 0x50, 0x48, 0x45, 0x52, 0x53, 0x55, 0x49, 0x54, 0x45, 0x5f, 0x45, 0x43, 0x44, 0x48, 0x45, 0x5f, - 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x57, 0x49, 0x54, 0x48, 0x5f, 0x43, 0x48, 0x41, 0x43, 0x48, - 0x41, 0x32, 0x30, 0x5f, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30, 0x35, 0x5f, 0x53, 0x48, 0x41, - 0x32, 0x35, 0x36, 0x10, 0x03, 0x12, 0x31, 0x0a, 0x2d, 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x53, - 0x55, 0x49, 0x54, 0x45, 0x5f, 0x45, 0x43, 0x44, 0x48, 0x45, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x57, - 0x49, 0x54, 0x48, 0x5f, 0x41, 0x45, 0x53, 0x5f, 0x31, 0x32, 0x38, 0x5f, 0x47, 0x43, 0x4d, 0x5f, - 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x04, 0x12, 0x31, 0x0a, 0x2d, 0x43, 0x49, 0x50, 0x48, - 0x45, 0x52, 0x53, 0x55, 0x49, 0x54, 0x45, 0x5f, 0x45, 0x43, 0x44, 0x48, 0x45, 0x5f, 0x52, 0x53, - 0x41, 0x5f, 0x57, 0x49, 0x54, 0x48, 0x5f, 0x41, 0x45, 0x53, 0x5f, 0x32, 0x35, 0x36, 0x5f, 0x47, - 0x43, 0x4d, 0x5f, 0x53, 0x48, 0x41, 0x33, 0x38, 0x34, 0x10, 0x05, 0x12, 0x37, 0x0a, 0x33, 0x43, - 0x49, 0x50, 0x48, 0x45, 0x52, 0x53, 0x55, 0x49, 0x54, 0x45, 0x5f, 0x45, 0x43, 0x44, 0x48, 0x45, - 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x57, 0x49, 0x54, 0x48, 0x5f, 0x43, 0x48, 0x41, 0x43, 0x48, 0x41, - 0x32, 0x30, 0x5f, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30, 0x35, 0x5f, 0x53, 0x48, 0x41, 0x32, - 0x35, 0x36, 0x10, 0x06, 0x2a, 0x7d, 0x0a, 0x0a, 0x54, 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, 0x69, - 0x6f, 0x6e, 0x12, 0x1b, 0x0a, 0x17, 0x54, 0x4c, 0x53, 0x5f, 0x56, 0x45, 0x52, 0x53, 0x49, 0x4f, - 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, - 0x13, 0x0a, 0x0f, 0x54, 0x4c, 0x53, 0x5f, 0x56, 0x45, 0x52, 0x53, 0x49, 0x4f, 0x4e, 0x5f, 0x31, - 0x5f, 0x30, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x54, 0x4c, 0x53, 0x5f, 0x56, 0x45, 0x52, 0x53, - 0x49, 0x4f, 0x4e, 0x5f, 0x31, 0x5f, 0x31, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x54, 0x4c, 0x53, - 0x5f, 0x56, 0x45, 0x52, 0x53, 0x49, 0x4f, 0x4e, 0x5f, 0x31, 0x5f, 0x32, 0x10, 0x03, 0x12, 0x13, - 0x0a, 0x0f, 0x54, 0x4c, 0x53, 0x5f, 0x56, 0x45, 0x52, 0x53, 0x49, 0x4f, 0x4e, 0x5f, 0x31, 0x5f, - 0x33, 0x10, 0x04, 0x2a, 0x69, 0x0a, 0x0e, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x53, 0x69, 0x64, 0x65, 0x12, 0x1f, 0x0a, 0x1b, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, 0x54, - 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, - 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1a, 0x0a, 0x16, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, - 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x49, 0x44, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, - 0x10, 0x01, 0x12, 0x1a, 0x0a, 0x16, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, - 0x5f, 0x53, 0x49, 0x44, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x45, 0x52, 0x10, 0x02, 0x2a, 0x79, - 0x0a, 0x0c, 0x41, 0x6c, 0x70, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1d, - 0x0a, 0x19, 0x41, 0x4c, 0x50, 0x4e, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, - 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x16, 0x0a, - 0x12, 0x41, 0x4c, 0x50, 0x4e, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x47, - 0x52, 0x50, 0x43, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x41, 0x4c, 0x50, 0x4e, 0x5f, 0x50, 0x52, - 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x32, 0x10, 0x02, 0x12, 0x19, - 0x0a, 0x15, 0x41, 0x4c, 0x50, 0x4e, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, - 0x48, 0x54, 0x54, 0x50, 0x31, 0x5f, 0x31, 0x10, 0x03, 0x42, 0x39, 0x5a, 0x37, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x73, - 0x32, 0x61, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2f, 0x76, 0x32, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x5f, 0x67, 0x6f, 0x5f, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_internal_proto_v2_common_common_proto_rawDescOnce sync.Once - file_internal_proto_v2_common_common_proto_rawDescData = file_internal_proto_v2_common_common_proto_rawDesc -) - -func file_internal_proto_v2_common_common_proto_rawDescGZIP() []byte { - file_internal_proto_v2_common_common_proto_rawDescOnce.Do(func() { - file_internal_proto_v2_common_common_proto_rawDescData = protoimpl.X.CompressGZIP(file_internal_proto_v2_common_common_proto_rawDescData) - }) - return file_internal_proto_v2_common_common_proto_rawDescData -} - -var file_internal_proto_v2_common_common_proto_enumTypes = make([]protoimpl.EnumInfo, 4) -var file_internal_proto_v2_common_common_proto_msgTypes = make([]protoimpl.MessageInfo, 2) -var file_internal_proto_v2_common_common_proto_goTypes = []any{ - (Ciphersuite)(0), // 0: s2a.proto.v2.Ciphersuite - (TLSVersion)(0), // 1: s2a.proto.v2.TLSVersion - (ConnectionSide)(0), // 2: s2a.proto.v2.ConnectionSide - (AlpnProtocol)(0), // 3: s2a.proto.v2.AlpnProtocol - (*Identity)(nil), // 4: s2a.proto.v2.Identity - nil, // 5: s2a.proto.v2.Identity.AttributesEntry -} -var file_internal_proto_v2_common_common_proto_depIdxs = []int32{ - 5, // 0: s2a.proto.v2.Identity.attributes:type_name -> s2a.proto.v2.Identity.AttributesEntry - 1, // [1:1] is the sub-list for method output_type - 1, // [1:1] is the sub-list for method input_type - 1, // [1:1] is the sub-list for extension type_name - 1, // [1:1] is the sub-list for extension extendee - 0, // [0:1] is the sub-list for field type_name -} - -func init() { file_internal_proto_v2_common_common_proto_init() } -func file_internal_proto_v2_common_common_proto_init() { - if File_internal_proto_v2_common_common_proto != nil { - return - } - if !protoimpl.UnsafeEnabled { - file_internal_proto_v2_common_common_proto_msgTypes[0].Exporter = func(v any, i int) any { - switch v := v.(*Identity); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - file_internal_proto_v2_common_common_proto_msgTypes[0].OneofWrappers = []any{ - (*Identity_SpiffeId)(nil), - (*Identity_Hostname)(nil), - (*Identity_Uid)(nil), - (*Identity_Username)(nil), - (*Identity_GcpId)(nil), - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_internal_proto_v2_common_common_proto_rawDesc, - NumEnums: 4, - NumMessages: 2, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_internal_proto_v2_common_common_proto_goTypes, - DependencyIndexes: file_internal_proto_v2_common_common_proto_depIdxs, - EnumInfos: file_internal_proto_v2_common_common_proto_enumTypes, - MessageInfos: file_internal_proto_v2_common_common_proto_msgTypes, - }.Build() - File_internal_proto_v2_common_common_proto = out.File - file_internal_proto_v2_common_common_proto_rawDesc = nil - file_internal_proto_v2_common_common_proto_goTypes = nil - file_internal_proto_v2_common_common_proto_depIdxs = nil -} diff --git a/vendor/github.com/google/s2a-go/internal/proto/v2/s2a_context_go_proto/s2a_context.pb.go b/vendor/github.com/google/s2a-go/internal/proto/v2/s2a_context_go_proto/s2a_context.pb.go deleted file mode 100644 index 418331a4b..000000000 --- a/vendor/github.com/google/s2a-go/internal/proto/v2/s2a_context_go_proto/s2a_context.pb.go +++ /dev/null @@ -1,249 +0,0 @@ -// Copyright 2022 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.34.2 -// protoc v3.21.12 -// source: internal/proto/v2/s2a_context/s2a_context.proto - -package s2a_context_go_proto - -import ( - common_go_proto "github.com/google/s2a-go/internal/proto/v2/common_go_proto" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -type S2AContext struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The SPIFFE ID from the peer leaf certificate, if present. - // - // This field is only populated if the leaf certificate is a valid SPIFFE - // SVID; in particular, there is a unique URI SAN and this URI SAN is a valid - // SPIFFE ID. - LeafCertSpiffeId string `protobuf:"bytes,1,opt,name=leaf_cert_spiffe_id,json=leafCertSpiffeId,proto3" json:"leaf_cert_spiffe_id,omitempty"` - // The URIs that are present in the SubjectAltName extension of the peer leaf - // certificate. - // - // Note that the extracted URIs are not validated and may not be properly - // formatted. - LeafCertUris []string `protobuf:"bytes,2,rep,name=leaf_cert_uris,json=leafCertUris,proto3" json:"leaf_cert_uris,omitempty"` - // The DNSNames that are present in the SubjectAltName extension of the peer - // leaf certificate. - LeafCertDnsnames []string `protobuf:"bytes,3,rep,name=leaf_cert_dnsnames,json=leafCertDnsnames,proto3" json:"leaf_cert_dnsnames,omitempty"` - // The (ordered) list of fingerprints in the certificate chain used to verify - // the given leaf certificate. The order MUST be from leaf certificate - // fingerprint to root certificate fingerprint. - // - // A fingerprint is the base-64 encoding of the SHA256 hash of the - // DER-encoding of a certificate. The list MAY be populated even if the peer - // certificate chain was NOT validated successfully. - PeerCertificateChainFingerprints []string `protobuf:"bytes,4,rep,name=peer_certificate_chain_fingerprints,json=peerCertificateChainFingerprints,proto3" json:"peer_certificate_chain_fingerprints,omitempty"` - // The local identity used during session setup. - LocalIdentity *common_go_proto.Identity `protobuf:"bytes,9,opt,name=local_identity,json=localIdentity,proto3" json:"local_identity,omitempty"` - // The SHA256 hash of the DER-encoding of the local leaf certificate used in - // the handshake. - LocalLeafCertFingerprint []byte `protobuf:"bytes,6,opt,name=local_leaf_cert_fingerprint,json=localLeafCertFingerprint,proto3" json:"local_leaf_cert_fingerprint,omitempty"` -} - -func (x *S2AContext) Reset() { - *x = S2AContext{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_context_s2a_context_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *S2AContext) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*S2AContext) ProtoMessage() {} - -func (x *S2AContext) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_context_s2a_context_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use S2AContext.ProtoReflect.Descriptor instead. -func (*S2AContext) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_context_s2a_context_proto_rawDescGZIP(), []int{0} -} - -func (x *S2AContext) GetLeafCertSpiffeId() string { - if x != nil { - return x.LeafCertSpiffeId - } - return "" -} - -func (x *S2AContext) GetLeafCertUris() []string { - if x != nil { - return x.LeafCertUris - } - return nil -} - -func (x *S2AContext) GetLeafCertDnsnames() []string { - if x != nil { - return x.LeafCertDnsnames - } - return nil -} - -func (x *S2AContext) GetPeerCertificateChainFingerprints() []string { - if x != nil { - return x.PeerCertificateChainFingerprints - } - return nil -} - -func (x *S2AContext) GetLocalIdentity() *common_go_proto.Identity { - if x != nil { - return x.LocalIdentity - } - return nil -} - -func (x *S2AContext) GetLocalLeafCertFingerprint() []byte { - if x != nil { - return x.LocalLeafCertFingerprint - } - return nil -} - -var File_internal_proto_v2_s2a_context_s2a_context_proto protoreflect.FileDescriptor - -var file_internal_proto_v2_s2a_context_s2a_context_proto_rawDesc = []byte{ - 0x0a, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2f, 0x76, 0x32, 0x2f, 0x73, 0x32, 0x61, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x2f, - 0x73, 0x32, 0x61, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x12, 0x0c, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x1a, - 0x25, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, - 0x76, 0x32, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xee, 0x02, 0x0a, 0x0a, 0x53, 0x32, 0x41, 0x43, 0x6f, - 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x2d, 0x0a, 0x13, 0x6c, 0x65, 0x61, 0x66, 0x5f, 0x63, 0x65, - 0x72, 0x74, 0x5f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x10, 0x6c, 0x65, 0x61, 0x66, 0x43, 0x65, 0x72, 0x74, 0x53, 0x70, 0x69, 0x66, - 0x66, 0x65, 0x49, 0x64, 0x12, 0x24, 0x0a, 0x0e, 0x6c, 0x65, 0x61, 0x66, 0x5f, 0x63, 0x65, 0x72, - 0x74, 0x5f, 0x75, 0x72, 0x69, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x6c, 0x65, - 0x61, 0x66, 0x43, 0x65, 0x72, 0x74, 0x55, 0x72, 0x69, 0x73, 0x12, 0x2c, 0x0a, 0x12, 0x6c, 0x65, - 0x61, 0x66, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x64, 0x6e, 0x73, 0x6e, 0x61, 0x6d, 0x65, 0x73, - 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x6c, 0x65, 0x61, 0x66, 0x43, 0x65, 0x72, 0x74, - 0x44, 0x6e, 0x73, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x4d, 0x0a, 0x23, 0x70, 0x65, 0x65, 0x72, - 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x61, - 0x69, 0x6e, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x73, 0x18, - 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x20, 0x70, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x46, 0x69, 0x6e, 0x67, 0x65, - 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x73, 0x12, 0x3d, 0x0a, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, - 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x16, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x49, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x64, - 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x3d, 0x0a, 0x1b, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, - 0x6c, 0x65, 0x61, 0x66, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, - 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x18, 0x6c, 0x6f, 0x63, - 0x61, 0x6c, 0x4c, 0x65, 0x61, 0x66, 0x43, 0x65, 0x72, 0x74, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, - 0x70, 0x72, 0x69, 0x6e, 0x74, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x07, 0x10, - 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x42, 0x3e, 0x5a, 0x3c, 0x67, 0x69, 0x74, 0x68, 0x75, - 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x73, 0x32, 0x61, - 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, - 0x76, 0x32, 0x2f, 0x73, 0x32, 0x61, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x5f, 0x67, - 0x6f, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_internal_proto_v2_s2a_context_s2a_context_proto_rawDescOnce sync.Once - file_internal_proto_v2_s2a_context_s2a_context_proto_rawDescData = file_internal_proto_v2_s2a_context_s2a_context_proto_rawDesc -) - -func file_internal_proto_v2_s2a_context_s2a_context_proto_rawDescGZIP() []byte { - file_internal_proto_v2_s2a_context_s2a_context_proto_rawDescOnce.Do(func() { - file_internal_proto_v2_s2a_context_s2a_context_proto_rawDescData = protoimpl.X.CompressGZIP(file_internal_proto_v2_s2a_context_s2a_context_proto_rawDescData) - }) - return file_internal_proto_v2_s2a_context_s2a_context_proto_rawDescData -} - -var file_internal_proto_v2_s2a_context_s2a_context_proto_msgTypes = make([]protoimpl.MessageInfo, 1) -var file_internal_proto_v2_s2a_context_s2a_context_proto_goTypes = []any{ - (*S2AContext)(nil), // 0: s2a.proto.v2.S2AContext - (*common_go_proto.Identity)(nil), // 1: s2a.proto.v2.Identity -} -var file_internal_proto_v2_s2a_context_s2a_context_proto_depIdxs = []int32{ - 1, // 0: s2a.proto.v2.S2AContext.local_identity:type_name -> s2a.proto.v2.Identity - 1, // [1:1] is the sub-list for method output_type - 1, // [1:1] is the sub-list for method input_type - 1, // [1:1] is the sub-list for extension type_name - 1, // [1:1] is the sub-list for extension extendee - 0, // [0:1] is the sub-list for field type_name -} - -func init() { file_internal_proto_v2_s2a_context_s2a_context_proto_init() } -func file_internal_proto_v2_s2a_context_s2a_context_proto_init() { - if File_internal_proto_v2_s2a_context_s2a_context_proto != nil { - return - } - if !protoimpl.UnsafeEnabled { - file_internal_proto_v2_s2a_context_s2a_context_proto_msgTypes[0].Exporter = func(v any, i int) any { - switch v := v.(*S2AContext); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_internal_proto_v2_s2a_context_s2a_context_proto_rawDesc, - NumEnums: 0, - NumMessages: 1, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_internal_proto_v2_s2a_context_s2a_context_proto_goTypes, - DependencyIndexes: file_internal_proto_v2_s2a_context_s2a_context_proto_depIdxs, - MessageInfos: file_internal_proto_v2_s2a_context_s2a_context_proto_msgTypes, - }.Build() - File_internal_proto_v2_s2a_context_s2a_context_proto = out.File - file_internal_proto_v2_s2a_context_s2a_context_proto_rawDesc = nil - file_internal_proto_v2_s2a_context_s2a_context_proto_goTypes = nil - file_internal_proto_v2_s2a_context_s2a_context_proto_depIdxs = nil -} diff --git a/vendor/github.com/google/s2a-go/internal/proto/v2/s2a_go_proto/s2a.pb.go b/vendor/github.com/google/s2a-go/internal/proto/v2/s2a_go_proto/s2a.pb.go deleted file mode 100644 index 548f31da2..000000000 --- a/vendor/github.com/google/s2a-go/internal/proto/v2/s2a_go_proto/s2a.pb.go +++ /dev/null @@ -1,2512 +0,0 @@ -// Copyright 2022 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.34.2 -// protoc v3.21.12 -// source: internal/proto/v2/s2a/s2a.proto - -package s2a_go_proto - -import ( - common_go_proto "github.com/google/s2a-go/internal/proto/v2/common_go_proto" - s2a_context_go_proto "github.com/google/s2a-go/internal/proto/v2/s2a_context_go_proto" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -type SignatureAlgorithm int32 - -const ( - SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED SignatureAlgorithm = 0 - // RSA Public-Key Cryptography Standards #1. - SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA256 SignatureAlgorithm = 1 - SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA384 SignatureAlgorithm = 2 - SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA512 SignatureAlgorithm = 3 - // ECDSA. - SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP256R1_SHA256 SignatureAlgorithm = 4 - SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP384R1_SHA384 SignatureAlgorithm = 5 - SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP521R1_SHA512 SignatureAlgorithm = 6 - // RSA Probabilistic Signature Scheme. - SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA256 SignatureAlgorithm = 7 - SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA384 SignatureAlgorithm = 8 - SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA512 SignatureAlgorithm = 9 - // ED25519. - SignatureAlgorithm_S2A_SSL_SIGN_ED25519 SignatureAlgorithm = 10 -) - -// Enum value maps for SignatureAlgorithm. -var ( - SignatureAlgorithm_name = map[int32]string{ - 0: "S2A_SSL_SIGN_UNSPECIFIED", - 1: "S2A_SSL_SIGN_RSA_PKCS1_SHA256", - 2: "S2A_SSL_SIGN_RSA_PKCS1_SHA384", - 3: "S2A_SSL_SIGN_RSA_PKCS1_SHA512", - 4: "S2A_SSL_SIGN_ECDSA_SECP256R1_SHA256", - 5: "S2A_SSL_SIGN_ECDSA_SECP384R1_SHA384", - 6: "S2A_SSL_SIGN_ECDSA_SECP521R1_SHA512", - 7: "S2A_SSL_SIGN_RSA_PSS_RSAE_SHA256", - 8: "S2A_SSL_SIGN_RSA_PSS_RSAE_SHA384", - 9: "S2A_SSL_SIGN_RSA_PSS_RSAE_SHA512", - 10: "S2A_SSL_SIGN_ED25519", - } - SignatureAlgorithm_value = map[string]int32{ - "S2A_SSL_SIGN_UNSPECIFIED": 0, - "S2A_SSL_SIGN_RSA_PKCS1_SHA256": 1, - "S2A_SSL_SIGN_RSA_PKCS1_SHA384": 2, - "S2A_SSL_SIGN_RSA_PKCS1_SHA512": 3, - "S2A_SSL_SIGN_ECDSA_SECP256R1_SHA256": 4, - "S2A_SSL_SIGN_ECDSA_SECP384R1_SHA384": 5, - "S2A_SSL_SIGN_ECDSA_SECP521R1_SHA512": 6, - "S2A_SSL_SIGN_RSA_PSS_RSAE_SHA256": 7, - "S2A_SSL_SIGN_RSA_PSS_RSAE_SHA384": 8, - "S2A_SSL_SIGN_RSA_PSS_RSAE_SHA512": 9, - "S2A_SSL_SIGN_ED25519": 10, - } -) - -func (x SignatureAlgorithm) Enum() *SignatureAlgorithm { - p := new(SignatureAlgorithm) - *p = x - return p -} - -func (x SignatureAlgorithm) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (SignatureAlgorithm) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_s2a_s2a_proto_enumTypes[0].Descriptor() -} - -func (SignatureAlgorithm) Type() protoreflect.EnumType { - return &file_internal_proto_v2_s2a_s2a_proto_enumTypes[0] -} - -func (x SignatureAlgorithm) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use SignatureAlgorithm.Descriptor instead. -func (SignatureAlgorithm) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{0} -} - -type GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate int32 - -const ( - GetTlsConfigurationResp_ServerTlsConfiguration_UNSPECIFIED GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate = 0 - GetTlsConfigurationResp_ServerTlsConfiguration_DONT_REQUEST_CLIENT_CERTIFICATE GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate = 1 - GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate = 2 - GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate = 3 - GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate = 4 - GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate = 5 -) - -// Enum value maps for GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate. -var ( - GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate_name = map[int32]string{ - 0: "UNSPECIFIED", - 1: "DONT_REQUEST_CLIENT_CERTIFICATE", - 2: "REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY", - 3: "REQUEST_CLIENT_CERTIFICATE_AND_VERIFY", - 4: "REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY", - 5: "REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY", - } - GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate_value = map[string]int32{ - "UNSPECIFIED": 0, - "DONT_REQUEST_CLIENT_CERTIFICATE": 1, - "REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY": 2, - "REQUEST_CLIENT_CERTIFICATE_AND_VERIFY": 3, - "REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY": 4, - "REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY": 5, - } -) - -func (x GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate) Enum() *GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate { - p := new(GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate) - *p = x - return p -} - -func (x GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_s2a_s2a_proto_enumTypes[1].Descriptor() -} - -func (GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate) Type() protoreflect.EnumType { - return &file_internal_proto_v2_s2a_s2a_proto_enumTypes[1] -} - -func (x GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate.Descriptor instead. -func (GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{4, 1, 0} -} - -type OffloadPrivateKeyOperationReq_PrivateKeyOperation int32 - -const ( - OffloadPrivateKeyOperationReq_UNSPECIFIED OffloadPrivateKeyOperationReq_PrivateKeyOperation = 0 - // When performing a TLS 1.2 or 1.3 handshake, the (partial) transcript of - // the TLS handshake must be signed to prove possession of the private key. - // - // See https://www.rfc-editor.org/rfc/rfc8446.html#section-4.4.3. - OffloadPrivateKeyOperationReq_SIGN OffloadPrivateKeyOperationReq_PrivateKeyOperation = 1 - // When performing a TLS 1.2 handshake using an RSA algorithm, the key - // exchange algorithm involves the client generating a premaster secret, - // encrypting it using the server's public key, and sending this encrypted - // blob to the server in a ClientKeyExchange message. - // - // See https://www.rfc-editor.org/rfc/rfc4346#section-7.4.7.1. - OffloadPrivateKeyOperationReq_DECRYPT OffloadPrivateKeyOperationReq_PrivateKeyOperation = 2 -) - -// Enum value maps for OffloadPrivateKeyOperationReq_PrivateKeyOperation. -var ( - OffloadPrivateKeyOperationReq_PrivateKeyOperation_name = map[int32]string{ - 0: "UNSPECIFIED", - 1: "SIGN", - 2: "DECRYPT", - } - OffloadPrivateKeyOperationReq_PrivateKeyOperation_value = map[string]int32{ - "UNSPECIFIED": 0, - "SIGN": 1, - "DECRYPT": 2, - } -) - -func (x OffloadPrivateKeyOperationReq_PrivateKeyOperation) Enum() *OffloadPrivateKeyOperationReq_PrivateKeyOperation { - p := new(OffloadPrivateKeyOperationReq_PrivateKeyOperation) - *p = x - return p -} - -func (x OffloadPrivateKeyOperationReq_PrivateKeyOperation) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (OffloadPrivateKeyOperationReq_PrivateKeyOperation) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_s2a_s2a_proto_enumTypes[2].Descriptor() -} - -func (OffloadPrivateKeyOperationReq_PrivateKeyOperation) Type() protoreflect.EnumType { - return &file_internal_proto_v2_s2a_s2a_proto_enumTypes[2] -} - -func (x OffloadPrivateKeyOperationReq_PrivateKeyOperation) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use OffloadPrivateKeyOperationReq_PrivateKeyOperation.Descriptor instead. -func (OffloadPrivateKeyOperationReq_PrivateKeyOperation) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{5, 0} -} - -type OffloadResumptionKeyOperationReq_ResumptionKeyOperation int32 - -const ( - OffloadResumptionKeyOperationReq_UNSPECIFIED OffloadResumptionKeyOperationReq_ResumptionKeyOperation = 0 - OffloadResumptionKeyOperationReq_ENCRYPT OffloadResumptionKeyOperationReq_ResumptionKeyOperation = 1 - OffloadResumptionKeyOperationReq_DECRYPT OffloadResumptionKeyOperationReq_ResumptionKeyOperation = 2 -) - -// Enum value maps for OffloadResumptionKeyOperationReq_ResumptionKeyOperation. -var ( - OffloadResumptionKeyOperationReq_ResumptionKeyOperation_name = map[int32]string{ - 0: "UNSPECIFIED", - 1: "ENCRYPT", - 2: "DECRYPT", - } - OffloadResumptionKeyOperationReq_ResumptionKeyOperation_value = map[string]int32{ - "UNSPECIFIED": 0, - "ENCRYPT": 1, - "DECRYPT": 2, - } -) - -func (x OffloadResumptionKeyOperationReq_ResumptionKeyOperation) Enum() *OffloadResumptionKeyOperationReq_ResumptionKeyOperation { - p := new(OffloadResumptionKeyOperationReq_ResumptionKeyOperation) - *p = x - return p -} - -func (x OffloadResumptionKeyOperationReq_ResumptionKeyOperation) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (OffloadResumptionKeyOperationReq_ResumptionKeyOperation) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_s2a_s2a_proto_enumTypes[3].Descriptor() -} - -func (OffloadResumptionKeyOperationReq_ResumptionKeyOperation) Type() protoreflect.EnumType { - return &file_internal_proto_v2_s2a_s2a_proto_enumTypes[3] -} - -func (x OffloadResumptionKeyOperationReq_ResumptionKeyOperation) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use OffloadResumptionKeyOperationReq_ResumptionKeyOperation.Descriptor instead. -func (OffloadResumptionKeyOperationReq_ResumptionKeyOperation) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{7, 0} -} - -type ValidatePeerCertificateChainReq_VerificationMode int32 - -const ( - // The default verification mode supported by S2A. - ValidatePeerCertificateChainReq_UNSPECIFIED ValidatePeerCertificateChainReq_VerificationMode = 0 - // The SPIFFE verification mode selects the set of trusted certificates to - // use for path building based on the SPIFFE trust domain in the peer's leaf - // certificate. - ValidatePeerCertificateChainReq_SPIFFE ValidatePeerCertificateChainReq_VerificationMode = 1 - // The connect-to-Google verification mode uses the trust bundle for - // connecting to Google, e.g. *.mtls.googleapis.com endpoints. - ValidatePeerCertificateChainReq_CONNECT_TO_GOOGLE ValidatePeerCertificateChainReq_VerificationMode = 2 - // Internal use only. - ValidatePeerCertificateChainReq_RESERVED_CUSTOM_VERIFICATION_MODE_3 ValidatePeerCertificateChainReq_VerificationMode = 3 - // Internal use only. - ValidatePeerCertificateChainReq_RESERVED_CUSTOM_VERIFICATION_MODE_4 ValidatePeerCertificateChainReq_VerificationMode = 4 - // Internal use only. - ValidatePeerCertificateChainReq_RESERVED_CUSTOM_VERIFICATION_MODE_5 ValidatePeerCertificateChainReq_VerificationMode = 5 -) - -// Enum value maps for ValidatePeerCertificateChainReq_VerificationMode. -var ( - ValidatePeerCertificateChainReq_VerificationMode_name = map[int32]string{ - 0: "UNSPECIFIED", - 1: "SPIFFE", - 2: "CONNECT_TO_GOOGLE", - 3: "RESERVED_CUSTOM_VERIFICATION_MODE_3", - 4: "RESERVED_CUSTOM_VERIFICATION_MODE_4", - 5: "RESERVED_CUSTOM_VERIFICATION_MODE_5", - } - ValidatePeerCertificateChainReq_VerificationMode_value = map[string]int32{ - "UNSPECIFIED": 0, - "SPIFFE": 1, - "CONNECT_TO_GOOGLE": 2, - "RESERVED_CUSTOM_VERIFICATION_MODE_3": 3, - "RESERVED_CUSTOM_VERIFICATION_MODE_4": 4, - "RESERVED_CUSTOM_VERIFICATION_MODE_5": 5, - } -) - -func (x ValidatePeerCertificateChainReq_VerificationMode) Enum() *ValidatePeerCertificateChainReq_VerificationMode { - p := new(ValidatePeerCertificateChainReq_VerificationMode) - *p = x - return p -} - -func (x ValidatePeerCertificateChainReq_VerificationMode) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (ValidatePeerCertificateChainReq_VerificationMode) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_s2a_s2a_proto_enumTypes[4].Descriptor() -} - -func (ValidatePeerCertificateChainReq_VerificationMode) Type() protoreflect.EnumType { - return &file_internal_proto_v2_s2a_s2a_proto_enumTypes[4] -} - -func (x ValidatePeerCertificateChainReq_VerificationMode) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use ValidatePeerCertificateChainReq_VerificationMode.Descriptor instead. -func (ValidatePeerCertificateChainReq_VerificationMode) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{9, 0} -} - -type ValidatePeerCertificateChainResp_ValidationResult int32 - -const ( - ValidatePeerCertificateChainResp_UNSPECIFIED ValidatePeerCertificateChainResp_ValidationResult = 0 - ValidatePeerCertificateChainResp_SUCCESS ValidatePeerCertificateChainResp_ValidationResult = 1 - ValidatePeerCertificateChainResp_FAILURE ValidatePeerCertificateChainResp_ValidationResult = 2 -) - -// Enum value maps for ValidatePeerCertificateChainResp_ValidationResult. -var ( - ValidatePeerCertificateChainResp_ValidationResult_name = map[int32]string{ - 0: "UNSPECIFIED", - 1: "SUCCESS", - 2: "FAILURE", - } - ValidatePeerCertificateChainResp_ValidationResult_value = map[string]int32{ - "UNSPECIFIED": 0, - "SUCCESS": 1, - "FAILURE": 2, - } -) - -func (x ValidatePeerCertificateChainResp_ValidationResult) Enum() *ValidatePeerCertificateChainResp_ValidationResult { - p := new(ValidatePeerCertificateChainResp_ValidationResult) - *p = x - return p -} - -func (x ValidatePeerCertificateChainResp_ValidationResult) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (ValidatePeerCertificateChainResp_ValidationResult) Descriptor() protoreflect.EnumDescriptor { - return file_internal_proto_v2_s2a_s2a_proto_enumTypes[5].Descriptor() -} - -func (ValidatePeerCertificateChainResp_ValidationResult) Type() protoreflect.EnumType { - return &file_internal_proto_v2_s2a_s2a_proto_enumTypes[5] -} - -func (x ValidatePeerCertificateChainResp_ValidationResult) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use ValidatePeerCertificateChainResp_ValidationResult.Descriptor instead. -func (ValidatePeerCertificateChainResp_ValidationResult) EnumDescriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{10, 0} -} - -type AlpnPolicy struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // If true, the application MUST perform ALPN negotiation. - EnableAlpnNegotiation bool `protobuf:"varint,1,opt,name=enable_alpn_negotiation,json=enableAlpnNegotiation,proto3" json:"enable_alpn_negotiation,omitempty"` - // The ordered list of ALPN protocols that specify how the application SHOULD - // negotiate ALPN during the TLS handshake. - // - // The application MAY ignore any ALPN protocols in this list that are not - // supported by the application. - AlpnProtocols []common_go_proto.AlpnProtocol `protobuf:"varint,2,rep,packed,name=alpn_protocols,json=alpnProtocols,proto3,enum=s2a.proto.v2.AlpnProtocol" json:"alpn_protocols,omitempty"` -} - -func (x *AlpnPolicy) Reset() { - *x = AlpnPolicy{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *AlpnPolicy) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*AlpnPolicy) ProtoMessage() {} - -func (x *AlpnPolicy) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use AlpnPolicy.ProtoReflect.Descriptor instead. -func (*AlpnPolicy) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{0} -} - -func (x *AlpnPolicy) GetEnableAlpnNegotiation() bool { - if x != nil { - return x.EnableAlpnNegotiation - } - return false -} - -func (x *AlpnPolicy) GetAlpnProtocols() []common_go_proto.AlpnProtocol { - if x != nil { - return x.AlpnProtocols - } - return nil -} - -type AuthenticationMechanism struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Applications may specify an identity associated to an authentication - // mechanism. Otherwise, S2A assumes that the authentication mechanism is - // associated with the default identity. If the default identity cannot be - // determined, the request is rejected. - Identity *common_go_proto.Identity `protobuf:"bytes,3,opt,name=identity,proto3" json:"identity,omitempty"` - // Types that are assignable to MechanismOneof: - // - // *AuthenticationMechanism_Token - MechanismOneof isAuthenticationMechanism_MechanismOneof `protobuf_oneof:"mechanism_oneof"` -} - -func (x *AuthenticationMechanism) Reset() { - *x = AuthenticationMechanism{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *AuthenticationMechanism) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*AuthenticationMechanism) ProtoMessage() {} - -func (x *AuthenticationMechanism) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use AuthenticationMechanism.ProtoReflect.Descriptor instead. -func (*AuthenticationMechanism) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{1} -} - -func (x *AuthenticationMechanism) GetIdentity() *common_go_proto.Identity { - if x != nil { - return x.Identity - } - return nil -} - -func (m *AuthenticationMechanism) GetMechanismOneof() isAuthenticationMechanism_MechanismOneof { - if m != nil { - return m.MechanismOneof - } - return nil -} - -func (x *AuthenticationMechanism) GetToken() string { - if x, ok := x.GetMechanismOneof().(*AuthenticationMechanism_Token); ok { - return x.Token - } - return "" -} - -type isAuthenticationMechanism_MechanismOneof interface { - isAuthenticationMechanism_MechanismOneof() -} - -type AuthenticationMechanism_Token struct { - // A token that the application uses to authenticate itself to S2A. - Token string `protobuf:"bytes,2,opt,name=token,proto3,oneof"` -} - -func (*AuthenticationMechanism_Token) isAuthenticationMechanism_MechanismOneof() {} - -type Status struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The status code that is specific to the application and the implementation - // of S2A, e.g., gRPC status code. - Code uint32 `protobuf:"varint,1,opt,name=code,proto3" json:"code,omitempty"` - // The status details. - Details string `protobuf:"bytes,2,opt,name=details,proto3" json:"details,omitempty"` -} - -func (x *Status) Reset() { - *x = Status{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *Status) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Status) ProtoMessage() {} - -func (x *Status) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[2] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Status.ProtoReflect.Descriptor instead. -func (*Status) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{2} -} - -func (x *Status) GetCode() uint32 { - if x != nil { - return x.Code - } - return 0 -} - -func (x *Status) GetDetails() string { - if x != nil { - return x.Details - } - return "" -} - -type GetTlsConfigurationReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The role of the application in the TLS connection. - ConnectionSide common_go_proto.ConnectionSide `protobuf:"varint,1,opt,name=connection_side,json=connectionSide,proto3,enum=s2a.proto.v2.ConnectionSide" json:"connection_side,omitempty"` - // The server name indication (SNI) extension, which MAY be populated when a - // server is offloading to S2A. The SNI is used to determine the server - // identity if the local identity in the request is empty. - Sni string `protobuf:"bytes,2,opt,name=sni,proto3" json:"sni,omitempty"` -} - -func (x *GetTlsConfigurationReq) Reset() { - *x = GetTlsConfigurationReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetTlsConfigurationReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetTlsConfigurationReq) ProtoMessage() {} - -func (x *GetTlsConfigurationReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[3] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetTlsConfigurationReq.ProtoReflect.Descriptor instead. -func (*GetTlsConfigurationReq) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{3} -} - -func (x *GetTlsConfigurationReq) GetConnectionSide() common_go_proto.ConnectionSide { - if x != nil { - return x.ConnectionSide - } - return common_go_proto.ConnectionSide(0) -} - -func (x *GetTlsConfigurationReq) GetSni() string { - if x != nil { - return x.Sni - } - return "" -} - -type GetTlsConfigurationResp struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Types that are assignable to TlsConfiguration: - // - // *GetTlsConfigurationResp_ClientTlsConfiguration_ - // *GetTlsConfigurationResp_ServerTlsConfiguration_ - TlsConfiguration isGetTlsConfigurationResp_TlsConfiguration `protobuf_oneof:"tls_configuration"` -} - -func (x *GetTlsConfigurationResp) Reset() { - *x = GetTlsConfigurationResp{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetTlsConfigurationResp) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetTlsConfigurationResp) ProtoMessage() {} - -func (x *GetTlsConfigurationResp) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetTlsConfigurationResp.ProtoReflect.Descriptor instead. -func (*GetTlsConfigurationResp) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{4} -} - -func (m *GetTlsConfigurationResp) GetTlsConfiguration() isGetTlsConfigurationResp_TlsConfiguration { - if m != nil { - return m.TlsConfiguration - } - return nil -} - -func (x *GetTlsConfigurationResp) GetClientTlsConfiguration() *GetTlsConfigurationResp_ClientTlsConfiguration { - if x, ok := x.GetTlsConfiguration().(*GetTlsConfigurationResp_ClientTlsConfiguration_); ok { - return x.ClientTlsConfiguration - } - return nil -} - -func (x *GetTlsConfigurationResp) GetServerTlsConfiguration() *GetTlsConfigurationResp_ServerTlsConfiguration { - if x, ok := x.GetTlsConfiguration().(*GetTlsConfigurationResp_ServerTlsConfiguration_); ok { - return x.ServerTlsConfiguration - } - return nil -} - -type isGetTlsConfigurationResp_TlsConfiguration interface { - isGetTlsConfigurationResp_TlsConfiguration() -} - -type GetTlsConfigurationResp_ClientTlsConfiguration_ struct { - ClientTlsConfiguration *GetTlsConfigurationResp_ClientTlsConfiguration `protobuf:"bytes,1,opt,name=client_tls_configuration,json=clientTlsConfiguration,proto3,oneof"` -} - -type GetTlsConfigurationResp_ServerTlsConfiguration_ struct { - ServerTlsConfiguration *GetTlsConfigurationResp_ServerTlsConfiguration `protobuf:"bytes,2,opt,name=server_tls_configuration,json=serverTlsConfiguration,proto3,oneof"` -} - -func (*GetTlsConfigurationResp_ClientTlsConfiguration_) isGetTlsConfigurationResp_TlsConfiguration() { -} - -func (*GetTlsConfigurationResp_ServerTlsConfiguration_) isGetTlsConfigurationResp_TlsConfiguration() { -} - -type OffloadPrivateKeyOperationReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The operation the private key is used for. - Operation OffloadPrivateKeyOperationReq_PrivateKeyOperation `protobuf:"varint,1,opt,name=operation,proto3,enum=s2a.proto.v2.OffloadPrivateKeyOperationReq_PrivateKeyOperation" json:"operation,omitempty"` - // The signature algorithm to be used for signing operations. - SignatureAlgorithm SignatureAlgorithm `protobuf:"varint,2,opt,name=signature_algorithm,json=signatureAlgorithm,proto3,enum=s2a.proto.v2.SignatureAlgorithm" json:"signature_algorithm,omitempty"` - // The input bytes to be signed or decrypted. - // - // Types that are assignable to InBytes: - // - // *OffloadPrivateKeyOperationReq_RawBytes - // *OffloadPrivateKeyOperationReq_Sha256Digest - // *OffloadPrivateKeyOperationReq_Sha384Digest - // *OffloadPrivateKeyOperationReq_Sha512Digest - InBytes isOffloadPrivateKeyOperationReq_InBytes `protobuf_oneof:"in_bytes"` -} - -func (x *OffloadPrivateKeyOperationReq) Reset() { - *x = OffloadPrivateKeyOperationReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *OffloadPrivateKeyOperationReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*OffloadPrivateKeyOperationReq) ProtoMessage() {} - -func (x *OffloadPrivateKeyOperationReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[5] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use OffloadPrivateKeyOperationReq.ProtoReflect.Descriptor instead. -func (*OffloadPrivateKeyOperationReq) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{5} -} - -func (x *OffloadPrivateKeyOperationReq) GetOperation() OffloadPrivateKeyOperationReq_PrivateKeyOperation { - if x != nil { - return x.Operation - } - return OffloadPrivateKeyOperationReq_UNSPECIFIED -} - -func (x *OffloadPrivateKeyOperationReq) GetSignatureAlgorithm() SignatureAlgorithm { - if x != nil { - return x.SignatureAlgorithm - } - return SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED -} - -func (m *OffloadPrivateKeyOperationReq) GetInBytes() isOffloadPrivateKeyOperationReq_InBytes { - if m != nil { - return m.InBytes - } - return nil -} - -func (x *OffloadPrivateKeyOperationReq) GetRawBytes() []byte { - if x, ok := x.GetInBytes().(*OffloadPrivateKeyOperationReq_RawBytes); ok { - return x.RawBytes - } - return nil -} - -func (x *OffloadPrivateKeyOperationReq) GetSha256Digest() []byte { - if x, ok := x.GetInBytes().(*OffloadPrivateKeyOperationReq_Sha256Digest); ok { - return x.Sha256Digest - } - return nil -} - -func (x *OffloadPrivateKeyOperationReq) GetSha384Digest() []byte { - if x, ok := x.GetInBytes().(*OffloadPrivateKeyOperationReq_Sha384Digest); ok { - return x.Sha384Digest - } - return nil -} - -func (x *OffloadPrivateKeyOperationReq) GetSha512Digest() []byte { - if x, ok := x.GetInBytes().(*OffloadPrivateKeyOperationReq_Sha512Digest); ok { - return x.Sha512Digest - } - return nil -} - -type isOffloadPrivateKeyOperationReq_InBytes interface { - isOffloadPrivateKeyOperationReq_InBytes() -} - -type OffloadPrivateKeyOperationReq_RawBytes struct { - // Raw bytes to be hashed and signed, or decrypted. - RawBytes []byte `protobuf:"bytes,4,opt,name=raw_bytes,json=rawBytes,proto3,oneof"` -} - -type OffloadPrivateKeyOperationReq_Sha256Digest struct { - // A SHA256 hash to be signed. Must be 32 bytes. - Sha256Digest []byte `protobuf:"bytes,5,opt,name=sha256_digest,json=sha256Digest,proto3,oneof"` -} - -type OffloadPrivateKeyOperationReq_Sha384Digest struct { - // A SHA384 hash to be signed. Must be 48 bytes. - Sha384Digest []byte `protobuf:"bytes,6,opt,name=sha384_digest,json=sha384Digest,proto3,oneof"` -} - -type OffloadPrivateKeyOperationReq_Sha512Digest struct { - // A SHA512 hash to be signed. Must be 64 bytes. - Sha512Digest []byte `protobuf:"bytes,7,opt,name=sha512_digest,json=sha512Digest,proto3,oneof"` -} - -func (*OffloadPrivateKeyOperationReq_RawBytes) isOffloadPrivateKeyOperationReq_InBytes() {} - -func (*OffloadPrivateKeyOperationReq_Sha256Digest) isOffloadPrivateKeyOperationReq_InBytes() {} - -func (*OffloadPrivateKeyOperationReq_Sha384Digest) isOffloadPrivateKeyOperationReq_InBytes() {} - -func (*OffloadPrivateKeyOperationReq_Sha512Digest) isOffloadPrivateKeyOperationReq_InBytes() {} - -type OffloadPrivateKeyOperationResp struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The signed or decrypted output bytes. - OutBytes []byte `protobuf:"bytes,1,opt,name=out_bytes,json=outBytes,proto3" json:"out_bytes,omitempty"` -} - -func (x *OffloadPrivateKeyOperationResp) Reset() { - *x = OffloadPrivateKeyOperationResp{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[6] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *OffloadPrivateKeyOperationResp) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*OffloadPrivateKeyOperationResp) ProtoMessage() {} - -func (x *OffloadPrivateKeyOperationResp) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[6] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use OffloadPrivateKeyOperationResp.ProtoReflect.Descriptor instead. -func (*OffloadPrivateKeyOperationResp) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{6} -} - -func (x *OffloadPrivateKeyOperationResp) GetOutBytes() []byte { - if x != nil { - return x.OutBytes - } - return nil -} - -type OffloadResumptionKeyOperationReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The operation the resumption key is used for. - Operation OffloadResumptionKeyOperationReq_ResumptionKeyOperation `protobuf:"varint,1,opt,name=operation,proto3,enum=s2a.proto.v2.OffloadResumptionKeyOperationReq_ResumptionKeyOperation" json:"operation,omitempty"` - // The bytes to be encrypted or decrypted. - InBytes []byte `protobuf:"bytes,2,opt,name=in_bytes,json=inBytes,proto3" json:"in_bytes,omitempty"` -} - -func (x *OffloadResumptionKeyOperationReq) Reset() { - *x = OffloadResumptionKeyOperationReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[7] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *OffloadResumptionKeyOperationReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*OffloadResumptionKeyOperationReq) ProtoMessage() {} - -func (x *OffloadResumptionKeyOperationReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[7] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use OffloadResumptionKeyOperationReq.ProtoReflect.Descriptor instead. -func (*OffloadResumptionKeyOperationReq) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{7} -} - -func (x *OffloadResumptionKeyOperationReq) GetOperation() OffloadResumptionKeyOperationReq_ResumptionKeyOperation { - if x != nil { - return x.Operation - } - return OffloadResumptionKeyOperationReq_UNSPECIFIED -} - -func (x *OffloadResumptionKeyOperationReq) GetInBytes() []byte { - if x != nil { - return x.InBytes - } - return nil -} - -type OffloadResumptionKeyOperationResp struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The encrypted or decrypted bytes. - OutBytes []byte `protobuf:"bytes,1,opt,name=out_bytes,json=outBytes,proto3" json:"out_bytes,omitempty"` -} - -func (x *OffloadResumptionKeyOperationResp) Reset() { - *x = OffloadResumptionKeyOperationResp{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[8] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *OffloadResumptionKeyOperationResp) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*OffloadResumptionKeyOperationResp) ProtoMessage() {} - -func (x *OffloadResumptionKeyOperationResp) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[8] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use OffloadResumptionKeyOperationResp.ProtoReflect.Descriptor instead. -func (*OffloadResumptionKeyOperationResp) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{8} -} - -func (x *OffloadResumptionKeyOperationResp) GetOutBytes() []byte { - if x != nil { - return x.OutBytes - } - return nil -} - -type ValidatePeerCertificateChainReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The verification mode that S2A MUST use to validate the peer certificate - // chain. - Mode ValidatePeerCertificateChainReq_VerificationMode `protobuf:"varint,1,opt,name=mode,proto3,enum=s2a.proto.v2.ValidatePeerCertificateChainReq_VerificationMode" json:"mode,omitempty"` - // Types that are assignable to PeerOneof: - // - // *ValidatePeerCertificateChainReq_ClientPeer_ - // *ValidatePeerCertificateChainReq_ServerPeer_ - PeerOneof isValidatePeerCertificateChainReq_PeerOneof `protobuf_oneof:"peer_oneof"` -} - -func (x *ValidatePeerCertificateChainReq) Reset() { - *x = ValidatePeerCertificateChainReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[9] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ValidatePeerCertificateChainReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ValidatePeerCertificateChainReq) ProtoMessage() {} - -func (x *ValidatePeerCertificateChainReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[9] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ValidatePeerCertificateChainReq.ProtoReflect.Descriptor instead. -func (*ValidatePeerCertificateChainReq) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{9} -} - -func (x *ValidatePeerCertificateChainReq) GetMode() ValidatePeerCertificateChainReq_VerificationMode { - if x != nil { - return x.Mode - } - return ValidatePeerCertificateChainReq_UNSPECIFIED -} - -func (m *ValidatePeerCertificateChainReq) GetPeerOneof() isValidatePeerCertificateChainReq_PeerOneof { - if m != nil { - return m.PeerOneof - } - return nil -} - -func (x *ValidatePeerCertificateChainReq) GetClientPeer() *ValidatePeerCertificateChainReq_ClientPeer { - if x, ok := x.GetPeerOneof().(*ValidatePeerCertificateChainReq_ClientPeer_); ok { - return x.ClientPeer - } - return nil -} - -func (x *ValidatePeerCertificateChainReq) GetServerPeer() *ValidatePeerCertificateChainReq_ServerPeer { - if x, ok := x.GetPeerOneof().(*ValidatePeerCertificateChainReq_ServerPeer_); ok { - return x.ServerPeer - } - return nil -} - -type isValidatePeerCertificateChainReq_PeerOneof interface { - isValidatePeerCertificateChainReq_PeerOneof() -} - -type ValidatePeerCertificateChainReq_ClientPeer_ struct { - ClientPeer *ValidatePeerCertificateChainReq_ClientPeer `protobuf:"bytes,2,opt,name=client_peer,json=clientPeer,proto3,oneof"` -} - -type ValidatePeerCertificateChainReq_ServerPeer_ struct { - ServerPeer *ValidatePeerCertificateChainReq_ServerPeer `protobuf:"bytes,3,opt,name=server_peer,json=serverPeer,proto3,oneof"` -} - -func (*ValidatePeerCertificateChainReq_ClientPeer_) isValidatePeerCertificateChainReq_PeerOneof() {} - -func (*ValidatePeerCertificateChainReq_ServerPeer_) isValidatePeerCertificateChainReq_PeerOneof() {} - -type ValidatePeerCertificateChainResp struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The result of validating the peer certificate chain. - ValidationResult ValidatePeerCertificateChainResp_ValidationResult `protobuf:"varint,1,opt,name=validation_result,json=validationResult,proto3,enum=s2a.proto.v2.ValidatePeerCertificateChainResp_ValidationResult" json:"validation_result,omitempty"` - // The validation details. This field is only populated when the validation - // result is NOT SUCCESS. - ValidationDetails string `protobuf:"bytes,2,opt,name=validation_details,json=validationDetails,proto3" json:"validation_details,omitempty"` - // The S2A context contains information from the peer certificate chain. - // - // The S2A context MAY be populated even if validation of the peer certificate - // chain fails. - Context *s2a_context_go_proto.S2AContext `protobuf:"bytes,3,opt,name=context,proto3" json:"context,omitempty"` -} - -func (x *ValidatePeerCertificateChainResp) Reset() { - *x = ValidatePeerCertificateChainResp{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[10] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ValidatePeerCertificateChainResp) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ValidatePeerCertificateChainResp) ProtoMessage() {} - -func (x *ValidatePeerCertificateChainResp) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[10] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ValidatePeerCertificateChainResp.ProtoReflect.Descriptor instead. -func (*ValidatePeerCertificateChainResp) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{10} -} - -func (x *ValidatePeerCertificateChainResp) GetValidationResult() ValidatePeerCertificateChainResp_ValidationResult { - if x != nil { - return x.ValidationResult - } - return ValidatePeerCertificateChainResp_UNSPECIFIED -} - -func (x *ValidatePeerCertificateChainResp) GetValidationDetails() string { - if x != nil { - return x.ValidationDetails - } - return "" -} - -func (x *ValidatePeerCertificateChainResp) GetContext() *s2a_context_go_proto.S2AContext { - if x != nil { - return x.Context - } - return nil -} - -type SessionReq struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The identity corresponding to the TLS configurations that MUST be used for - // the TLS handshake. - // - // If a managed identity already exists, the local identity and authentication - // mechanisms are ignored. If a managed identity doesn't exist and the local - // identity is not populated, S2A will try to deduce the managed identity to - // use from the SNI extension. If that also fails, S2A uses the default - // identity (if one exists). - LocalIdentity *common_go_proto.Identity `protobuf:"bytes,7,opt,name=local_identity,json=localIdentity,proto3" json:"local_identity,omitempty"` - // The authentication mechanisms that the application wishes to use to - // authenticate to S2A, ordered by preference. S2A will always use the first - // authentication mechanism that matches the managed identity. - AuthenticationMechanisms []*AuthenticationMechanism `protobuf:"bytes,2,rep,name=authentication_mechanisms,json=authenticationMechanisms,proto3" json:"authentication_mechanisms,omitempty"` - // Types that are assignable to ReqOneof: - // - // *SessionReq_GetTlsConfigurationReq - // *SessionReq_OffloadPrivateKeyOperationReq - // *SessionReq_OffloadResumptionKeyOperationReq - // *SessionReq_ValidatePeerCertificateChainReq - ReqOneof isSessionReq_ReqOneof `protobuf_oneof:"req_oneof"` -} - -func (x *SessionReq) Reset() { - *x = SessionReq{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[11] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SessionReq) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SessionReq) ProtoMessage() {} - -func (x *SessionReq) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[11] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SessionReq.ProtoReflect.Descriptor instead. -func (*SessionReq) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{11} -} - -func (x *SessionReq) GetLocalIdentity() *common_go_proto.Identity { - if x != nil { - return x.LocalIdentity - } - return nil -} - -func (x *SessionReq) GetAuthenticationMechanisms() []*AuthenticationMechanism { - if x != nil { - return x.AuthenticationMechanisms - } - return nil -} - -func (m *SessionReq) GetReqOneof() isSessionReq_ReqOneof { - if m != nil { - return m.ReqOneof - } - return nil -} - -func (x *SessionReq) GetGetTlsConfigurationReq() *GetTlsConfigurationReq { - if x, ok := x.GetReqOneof().(*SessionReq_GetTlsConfigurationReq); ok { - return x.GetTlsConfigurationReq - } - return nil -} - -func (x *SessionReq) GetOffloadPrivateKeyOperationReq() *OffloadPrivateKeyOperationReq { - if x, ok := x.GetReqOneof().(*SessionReq_OffloadPrivateKeyOperationReq); ok { - return x.OffloadPrivateKeyOperationReq - } - return nil -} - -func (x *SessionReq) GetOffloadResumptionKeyOperationReq() *OffloadResumptionKeyOperationReq { - if x, ok := x.GetReqOneof().(*SessionReq_OffloadResumptionKeyOperationReq); ok { - return x.OffloadResumptionKeyOperationReq - } - return nil -} - -func (x *SessionReq) GetValidatePeerCertificateChainReq() *ValidatePeerCertificateChainReq { - if x, ok := x.GetReqOneof().(*SessionReq_ValidatePeerCertificateChainReq); ok { - return x.ValidatePeerCertificateChainReq - } - return nil -} - -type isSessionReq_ReqOneof interface { - isSessionReq_ReqOneof() -} - -type SessionReq_GetTlsConfigurationReq struct { - // Requests the certificate chain and TLS configuration corresponding to the - // local identity, which the application MUST use to negotiate the TLS - // handshake. - GetTlsConfigurationReq *GetTlsConfigurationReq `protobuf:"bytes,3,opt,name=get_tls_configuration_req,json=getTlsConfigurationReq,proto3,oneof"` -} - -type SessionReq_OffloadPrivateKeyOperationReq struct { - // Signs or decrypts the input bytes using a private key corresponding to - // the local identity in the request. - // - // WARNING: More than one OffloadPrivateKeyOperationReq may be sent to the - // S2Av2 by a server during a TLS 1.2 handshake. - OffloadPrivateKeyOperationReq *OffloadPrivateKeyOperationReq `protobuf:"bytes,4,opt,name=offload_private_key_operation_req,json=offloadPrivateKeyOperationReq,proto3,oneof"` -} - -type SessionReq_OffloadResumptionKeyOperationReq struct { - // Encrypts or decrypts the input bytes using a resumption key corresponding - // to the local identity in the request. - OffloadResumptionKeyOperationReq *OffloadResumptionKeyOperationReq `protobuf:"bytes,5,opt,name=offload_resumption_key_operation_req,json=offloadResumptionKeyOperationReq,proto3,oneof"` -} - -type SessionReq_ValidatePeerCertificateChainReq struct { - // Verifies the peer's certificate chain using - // (a) trust bundles corresponding to the local identity in the request, and - // (b) the verification mode in the request. - ValidatePeerCertificateChainReq *ValidatePeerCertificateChainReq `protobuf:"bytes,6,opt,name=validate_peer_certificate_chain_req,json=validatePeerCertificateChainReq,proto3,oneof"` -} - -func (*SessionReq_GetTlsConfigurationReq) isSessionReq_ReqOneof() {} - -func (*SessionReq_OffloadPrivateKeyOperationReq) isSessionReq_ReqOneof() {} - -func (*SessionReq_OffloadResumptionKeyOperationReq) isSessionReq_ReqOneof() {} - -func (*SessionReq_ValidatePeerCertificateChainReq) isSessionReq_ReqOneof() {} - -type SessionResp struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Status of the session response. - // - // The status field is populated so that if an error occurs when making an - // individual request, then communication with the S2A may continue. If an - // error is returned directly (e.g. at the gRPC layer), then it may result - // that the bidirectional stream being closed. - Status *Status `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"` - // Types that are assignable to RespOneof: - // - // *SessionResp_GetTlsConfigurationResp - // *SessionResp_OffloadPrivateKeyOperationResp - // *SessionResp_OffloadResumptionKeyOperationResp - // *SessionResp_ValidatePeerCertificateChainResp - RespOneof isSessionResp_RespOneof `protobuf_oneof:"resp_oneof"` -} - -func (x *SessionResp) Reset() { - *x = SessionResp{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[12] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SessionResp) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SessionResp) ProtoMessage() {} - -func (x *SessionResp) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[12] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SessionResp.ProtoReflect.Descriptor instead. -func (*SessionResp) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{12} -} - -func (x *SessionResp) GetStatus() *Status { - if x != nil { - return x.Status - } - return nil -} - -func (m *SessionResp) GetRespOneof() isSessionResp_RespOneof { - if m != nil { - return m.RespOneof - } - return nil -} - -func (x *SessionResp) GetGetTlsConfigurationResp() *GetTlsConfigurationResp { - if x, ok := x.GetRespOneof().(*SessionResp_GetTlsConfigurationResp); ok { - return x.GetTlsConfigurationResp - } - return nil -} - -func (x *SessionResp) GetOffloadPrivateKeyOperationResp() *OffloadPrivateKeyOperationResp { - if x, ok := x.GetRespOneof().(*SessionResp_OffloadPrivateKeyOperationResp); ok { - return x.OffloadPrivateKeyOperationResp - } - return nil -} - -func (x *SessionResp) GetOffloadResumptionKeyOperationResp() *OffloadResumptionKeyOperationResp { - if x, ok := x.GetRespOneof().(*SessionResp_OffloadResumptionKeyOperationResp); ok { - return x.OffloadResumptionKeyOperationResp - } - return nil -} - -func (x *SessionResp) GetValidatePeerCertificateChainResp() *ValidatePeerCertificateChainResp { - if x, ok := x.GetRespOneof().(*SessionResp_ValidatePeerCertificateChainResp); ok { - return x.ValidatePeerCertificateChainResp - } - return nil -} - -type isSessionResp_RespOneof interface { - isSessionResp_RespOneof() -} - -type SessionResp_GetTlsConfigurationResp struct { - // Contains the certificate chain and TLS configurations corresponding to - // the local identity. - GetTlsConfigurationResp *GetTlsConfigurationResp `protobuf:"bytes,2,opt,name=get_tls_configuration_resp,json=getTlsConfigurationResp,proto3,oneof"` -} - -type SessionResp_OffloadPrivateKeyOperationResp struct { - // Contains the signed or encrypted output bytes using the private key - // corresponding to the local identity. - OffloadPrivateKeyOperationResp *OffloadPrivateKeyOperationResp `protobuf:"bytes,3,opt,name=offload_private_key_operation_resp,json=offloadPrivateKeyOperationResp,proto3,oneof"` -} - -type SessionResp_OffloadResumptionKeyOperationResp struct { - // Contains the encrypted or decrypted output bytes using the resumption key - // corresponding to the local identity. - OffloadResumptionKeyOperationResp *OffloadResumptionKeyOperationResp `protobuf:"bytes,4,opt,name=offload_resumption_key_operation_resp,json=offloadResumptionKeyOperationResp,proto3,oneof"` -} - -type SessionResp_ValidatePeerCertificateChainResp struct { - // Contains the validation result, peer identity and fingerprints of peer - // certificates. - ValidatePeerCertificateChainResp *ValidatePeerCertificateChainResp `protobuf:"bytes,5,opt,name=validate_peer_certificate_chain_resp,json=validatePeerCertificateChainResp,proto3,oneof"` -} - -func (*SessionResp_GetTlsConfigurationResp) isSessionResp_RespOneof() {} - -func (*SessionResp_OffloadPrivateKeyOperationResp) isSessionResp_RespOneof() {} - -func (*SessionResp_OffloadResumptionKeyOperationResp) isSessionResp_RespOneof() {} - -func (*SessionResp_ValidatePeerCertificateChainResp) isSessionResp_RespOneof() {} - -// Next ID: 8 -type GetTlsConfigurationResp_ClientTlsConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The certificate chain that the client MUST use for the TLS handshake. - // It's a list of PEM-encoded certificates, ordered from leaf to root, - // excluding the root. - CertificateChain []string `protobuf:"bytes,1,rep,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"` - // The minimum TLS version number that the client MUST use for the TLS - // handshake. If this field is not provided, the client MUST use the default - // minimum version of the client's TLS library. - MinTlsVersion common_go_proto.TLSVersion `protobuf:"varint,2,opt,name=min_tls_version,json=minTlsVersion,proto3,enum=s2a.proto.v2.TLSVersion" json:"min_tls_version,omitempty"` - // The maximum TLS version number that the client MUST use for the TLS - // handshake. If this field is not provided, the client MUST use the default - // maximum version of the client's TLS library. - MaxTlsVersion common_go_proto.TLSVersion `protobuf:"varint,3,opt,name=max_tls_version,json=maxTlsVersion,proto3,enum=s2a.proto.v2.TLSVersion" json:"max_tls_version,omitempty"` - // The ordered list of TLS 1.0-1.2 ciphersuites that the client MAY offer to - // negotiate in the TLS handshake. - Ciphersuites []common_go_proto.Ciphersuite `protobuf:"varint,6,rep,packed,name=ciphersuites,proto3,enum=s2a.proto.v2.Ciphersuite" json:"ciphersuites,omitempty"` - // The policy that dictates how the client negotiates ALPN during the TLS - // handshake. - AlpnPolicy *AlpnPolicy `protobuf:"bytes,7,opt,name=alpn_policy,json=alpnPolicy,proto3" json:"alpn_policy,omitempty"` -} - -func (x *GetTlsConfigurationResp_ClientTlsConfiguration) Reset() { - *x = GetTlsConfigurationResp_ClientTlsConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[13] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetTlsConfigurationResp_ClientTlsConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetTlsConfigurationResp_ClientTlsConfiguration) ProtoMessage() {} - -func (x *GetTlsConfigurationResp_ClientTlsConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[13] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetTlsConfigurationResp_ClientTlsConfiguration.ProtoReflect.Descriptor instead. -func (*GetTlsConfigurationResp_ClientTlsConfiguration) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{4, 0} -} - -func (x *GetTlsConfigurationResp_ClientTlsConfiguration) GetCertificateChain() []string { - if x != nil { - return x.CertificateChain - } - return nil -} - -func (x *GetTlsConfigurationResp_ClientTlsConfiguration) GetMinTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.MinTlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *GetTlsConfigurationResp_ClientTlsConfiguration) GetMaxTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.MaxTlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *GetTlsConfigurationResp_ClientTlsConfiguration) GetCiphersuites() []common_go_proto.Ciphersuite { - if x != nil { - return x.Ciphersuites - } - return nil -} - -func (x *GetTlsConfigurationResp_ClientTlsConfiguration) GetAlpnPolicy() *AlpnPolicy { - if x != nil { - return x.AlpnPolicy - } - return nil -} - -// Next ID: 12 -type GetTlsConfigurationResp_ServerTlsConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The certificate chain that the server MUST use for the TLS handshake. - // It's a list of PEM-encoded certificates, ordered from leaf to root, - // excluding the root. - CertificateChain []string `protobuf:"bytes,1,rep,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"` - // The minimum TLS version number that the server MUST use for the TLS - // handshake. If this field is not provided, the server MUST use the default - // minimum version of the server's TLS library. - MinTlsVersion common_go_proto.TLSVersion `protobuf:"varint,2,opt,name=min_tls_version,json=minTlsVersion,proto3,enum=s2a.proto.v2.TLSVersion" json:"min_tls_version,omitempty"` - // The maximum TLS version number that the server MUST use for the TLS - // handshake. If this field is not provided, the server MUST use the default - // maximum version of the server's TLS library. - MaxTlsVersion common_go_proto.TLSVersion `protobuf:"varint,3,opt,name=max_tls_version,json=maxTlsVersion,proto3,enum=s2a.proto.v2.TLSVersion" json:"max_tls_version,omitempty"` - // The ordered list of TLS 1.0-1.2 ciphersuites that the server MAY offer to - // negotiate in the TLS handshake. - Ciphersuites []common_go_proto.Ciphersuite `protobuf:"varint,10,rep,packed,name=ciphersuites,proto3,enum=s2a.proto.v2.Ciphersuite" json:"ciphersuites,omitempty"` - // Whether to enable TLS resumption. - TlsResumptionEnabled bool `protobuf:"varint,6,opt,name=tls_resumption_enabled,json=tlsResumptionEnabled,proto3" json:"tls_resumption_enabled,omitempty"` - // Whether the server MUST request a client certificate (i.e. to negotiate - // TLS vs. mTLS). - RequestClientCertificate GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate `protobuf:"varint,7,opt,name=request_client_certificate,json=requestClientCertificate,proto3,enum=s2a.proto.v2.GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate" json:"request_client_certificate,omitempty"` - // Returns the maximum number of extra bytes that - // |OffloadResumptionKeyOperation| can add to the number of unencrypted - // bytes to form the encrypted bytes. - MaxOverheadOfTicketAead uint32 `protobuf:"varint,9,opt,name=max_overhead_of_ticket_aead,json=maxOverheadOfTicketAead,proto3" json:"max_overhead_of_ticket_aead,omitempty"` - // The policy that dictates how the server negotiates ALPN during the TLS - // handshake. - AlpnPolicy *AlpnPolicy `protobuf:"bytes,11,opt,name=alpn_policy,json=alpnPolicy,proto3" json:"alpn_policy,omitempty"` -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) Reset() { - *x = GetTlsConfigurationResp_ServerTlsConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[14] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*GetTlsConfigurationResp_ServerTlsConfiguration) ProtoMessage() {} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[14] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use GetTlsConfigurationResp_ServerTlsConfiguration.ProtoReflect.Descriptor instead. -func (*GetTlsConfigurationResp_ServerTlsConfiguration) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{4, 1} -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) GetCertificateChain() []string { - if x != nil { - return x.CertificateChain - } - return nil -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) GetMinTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.MinTlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) GetMaxTlsVersion() common_go_proto.TLSVersion { - if x != nil { - return x.MaxTlsVersion - } - return common_go_proto.TLSVersion(0) -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) GetCiphersuites() []common_go_proto.Ciphersuite { - if x != nil { - return x.Ciphersuites - } - return nil -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) GetTlsResumptionEnabled() bool { - if x != nil { - return x.TlsResumptionEnabled - } - return false -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) GetRequestClientCertificate() GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate { - if x != nil { - return x.RequestClientCertificate - } - return GetTlsConfigurationResp_ServerTlsConfiguration_UNSPECIFIED -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) GetMaxOverheadOfTicketAead() uint32 { - if x != nil { - return x.MaxOverheadOfTicketAead - } - return 0 -} - -func (x *GetTlsConfigurationResp_ServerTlsConfiguration) GetAlpnPolicy() *AlpnPolicy { - if x != nil { - return x.AlpnPolicy - } - return nil -} - -type ValidatePeerCertificateChainReq_ClientPeer struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The certificate chain to be verified. The chain MUST be a list of - // DER-encoded certificates, ordered from leaf to root, excluding the root. - CertificateChain [][]byte `protobuf:"bytes,1,rep,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"` -} - -func (x *ValidatePeerCertificateChainReq_ClientPeer) Reset() { - *x = ValidatePeerCertificateChainReq_ClientPeer{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[15] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ValidatePeerCertificateChainReq_ClientPeer) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ValidatePeerCertificateChainReq_ClientPeer) ProtoMessage() {} - -func (x *ValidatePeerCertificateChainReq_ClientPeer) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[15] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ValidatePeerCertificateChainReq_ClientPeer.ProtoReflect.Descriptor instead. -func (*ValidatePeerCertificateChainReq_ClientPeer) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{9, 0} -} - -func (x *ValidatePeerCertificateChainReq_ClientPeer) GetCertificateChain() [][]byte { - if x != nil { - return x.CertificateChain - } - return nil -} - -type ValidatePeerCertificateChainReq_ServerPeer struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The certificate chain to be verified. The chain MUST be a list of - // DER-encoded certificates, ordered from leaf to root, excluding the root. - CertificateChain [][]byte `protobuf:"bytes,1,rep,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"` - // The expected hostname of the server. - ServerHostname string `protobuf:"bytes,2,opt,name=server_hostname,json=serverHostname,proto3" json:"server_hostname,omitempty"` - // The UnrestrictedClientPolicy specified by the user. - SerializedUnrestrictedClientPolicy []byte `protobuf:"bytes,3,opt,name=serialized_unrestricted_client_policy,json=serializedUnrestrictedClientPolicy,proto3" json:"serialized_unrestricted_client_policy,omitempty"` -} - -func (x *ValidatePeerCertificateChainReq_ServerPeer) Reset() { - *x = ValidatePeerCertificateChainReq_ServerPeer{} - if protoimpl.UnsafeEnabled { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[16] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ValidatePeerCertificateChainReq_ServerPeer) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ValidatePeerCertificateChainReq_ServerPeer) ProtoMessage() {} - -func (x *ValidatePeerCertificateChainReq_ServerPeer) ProtoReflect() protoreflect.Message { - mi := &file_internal_proto_v2_s2a_s2a_proto_msgTypes[16] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ValidatePeerCertificateChainReq_ServerPeer.ProtoReflect.Descriptor instead. -func (*ValidatePeerCertificateChainReq_ServerPeer) Descriptor() ([]byte, []int) { - return file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP(), []int{9, 1} -} - -func (x *ValidatePeerCertificateChainReq_ServerPeer) GetCertificateChain() [][]byte { - if x != nil { - return x.CertificateChain - } - return nil -} - -func (x *ValidatePeerCertificateChainReq_ServerPeer) GetServerHostname() string { - if x != nil { - return x.ServerHostname - } - return "" -} - -func (x *ValidatePeerCertificateChainReq_ServerPeer) GetSerializedUnrestrictedClientPolicy() []byte { - if x != nil { - return x.SerializedUnrestrictedClientPolicy - } - return nil -} - -var File_internal_proto_v2_s2a_s2a_proto protoreflect.FileDescriptor - -var file_internal_proto_v2_s2a_s2a_proto_rawDesc = []byte{ - 0x0a, 0x1f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2f, 0x76, 0x32, 0x2f, 0x73, 0x32, 0x61, 0x2f, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x12, 0x0c, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x1a, - 0x25, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, - 0x76, 0x32, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, - 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x76, 0x32, 0x2f, 0x73, 0x32, 0x61, 0x5f, 0x63, 0x6f, - 0x6e, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x73, 0x32, 0x61, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, - 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x87, 0x01, 0x0a, 0x0a, 0x41, 0x6c, 0x70, 0x6e, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x36, 0x0a, 0x17, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, - 0x5f, 0x61, 0x6c, 0x70, 0x6e, 0x5f, 0x6e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x15, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x41, - 0x6c, 0x70, 0x6e, 0x4e, 0x65, 0x67, 0x6f, 0x74, 0x69, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x41, - 0x0a, 0x0e, 0x61, 0x6c, 0x70, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73, - 0x18, 0x02, 0x20, 0x03, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x41, 0x6c, 0x70, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, - 0x6f, 0x6c, 0x52, 0x0d, 0x61, 0x6c, 0x70, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, - 0x73, 0x22, 0x7e, 0x0a, 0x17, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x4d, 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x12, 0x32, 0x0a, 0x08, - 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, - 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x49, 0x64, - 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x08, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, - 0x12, 0x16, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, - 0x00, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x11, 0x0a, 0x0f, 0x6d, 0x65, 0x63, 0x68, - 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x5f, 0x6f, 0x6e, 0x65, 0x6f, 0x66, 0x4a, 0x04, 0x08, 0x01, 0x10, - 0x02, 0x22, 0x36, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x63, - 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x12, - 0x18, 0x0a, 0x07, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x07, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x22, 0x71, 0x0a, 0x16, 0x47, 0x65, 0x74, - 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x52, 0x65, 0x71, 0x12, 0x45, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x5f, 0x73, 0x69, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1c, 0x2e, 0x73, - 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x6f, 0x6e, 0x6e, - 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x64, 0x65, 0x52, 0x0e, 0x63, 0x6f, 0x6e, 0x6e, - 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x64, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x6e, - 0x69, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x6e, 0x69, 0x22, 0xf1, 0x0b, 0x0a, - 0x17, 0x47, 0x65, 0x74, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x12, 0x78, 0x0a, 0x18, 0x63, 0x6c, 0x69, 0x65, - 0x6e, 0x74, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e, 0x73, 0x32, 0x61, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x47, 0x65, 0x74, 0x54, 0x6c, 0x73, - 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, - 0x70, 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x48, 0x00, 0x52, 0x16, 0x63, 0x6c, 0x69, 0x65, - 0x6e, 0x74, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x78, 0x0a, 0x18, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x74, 0x6c, 0x73, - 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2e, 0x76, 0x32, 0x2e, 0x47, 0x65, 0x74, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x2e, 0x53, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x48, 0x00, 0x52, 0x16, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x6c, 0x73, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0xcf, 0x02, 0x0a, - 0x16, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2b, 0x0a, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x03, - 0x28, 0x09, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, - 0x68, 0x61, 0x69, 0x6e, 0x12, 0x40, 0x0a, 0x0f, 0x6d, 0x69, 0x6e, 0x5f, 0x74, 0x6c, 0x73, 0x5f, - 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, - 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x54, 0x4c, 0x53, - 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x69, 0x6e, 0x54, 0x6c, 0x73, 0x56, - 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x40, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x74, 0x6c, - 0x73, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x18, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x54, - 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x61, 0x78, 0x54, 0x6c, - 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x3d, 0x0a, 0x0c, 0x63, 0x69, 0x70, 0x68, - 0x65, 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0e, 0x32, 0x19, - 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x69, - 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, 0x52, 0x0c, 0x63, 0x69, 0x70, 0x68, 0x65, - 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, 0x12, 0x39, 0x0a, 0x0b, 0x61, 0x6c, 0x70, 0x6e, 0x5f, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x73, - 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x41, 0x6c, 0x70, 0x6e, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x0a, 0x61, 0x6c, 0x70, 0x6e, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x1a, 0xfa, - 0x06, 0x0a, 0x16, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2b, 0x0a, 0x11, 0x63, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x01, - 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x40, 0x0a, 0x0f, 0x6d, 0x69, 0x6e, 0x5f, 0x74, 0x6c, - 0x73, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x18, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x54, - 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x69, 0x6e, 0x54, 0x6c, - 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x40, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, - 0x74, 0x6c, 0x73, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x0e, 0x32, 0x18, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, - 0x2e, 0x54, 0x4c, 0x53, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x61, 0x78, - 0x54, 0x6c, 0x73, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x3d, 0x0a, 0x0c, 0x63, 0x69, - 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0e, - 0x32, 0x19, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, - 0x43, 0x69, 0x70, 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, 0x52, 0x0c, 0x63, 0x69, 0x70, - 0x68, 0x65, 0x72, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, 0x12, 0x34, 0x0a, 0x16, 0x74, 0x6c, 0x73, - 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x65, 0x6e, 0x61, 0x62, - 0x6c, 0x65, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x74, 0x6c, 0x73, 0x52, 0x65, - 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, - 0x93, 0x01, 0x0a, 0x1a, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6c, 0x69, 0x65, - 0x6e, 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x07, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x55, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x2e, 0x76, 0x32, 0x2e, 0x47, 0x65, 0x74, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x2e, 0x53, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x18, 0x72, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x3c, 0x0a, 0x1b, 0x6d, 0x61, 0x78, 0x5f, 0x6f, 0x76, 0x65, - 0x72, 0x68, 0x65, 0x61, 0x64, 0x5f, 0x6f, 0x66, 0x5f, 0x74, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x5f, - 0x61, 0x65, 0x61, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x17, 0x6d, 0x61, 0x78, 0x4f, - 0x76, 0x65, 0x72, 0x68, 0x65, 0x61, 0x64, 0x4f, 0x66, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x41, - 0x65, 0x61, 0x64, 0x12, 0x39, 0x0a, 0x0b, 0x61, 0x6c, 0x70, 0x6e, 0x5f, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x41, 0x6c, 0x70, 0x6e, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x52, 0x0a, 0x61, 0x6c, 0x70, 0x6e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x9e, - 0x02, 0x0a, 0x18, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x55, - 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, - 0x44, 0x4f, 0x4e, 0x54, 0x5f, 0x52, 0x45, 0x51, 0x55, 0x45, 0x53, 0x54, 0x5f, 0x43, 0x4c, 0x49, - 0x45, 0x4e, 0x54, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x10, - 0x01, 0x12, 0x2e, 0x0a, 0x2a, 0x52, 0x45, 0x51, 0x55, 0x45, 0x53, 0x54, 0x5f, 0x43, 0x4c, 0x49, - 0x45, 0x4e, 0x54, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, - 0x42, 0x55, 0x54, 0x5f, 0x44, 0x4f, 0x4e, 0x54, 0x5f, 0x56, 0x45, 0x52, 0x49, 0x46, 0x59, 0x10, - 0x02, 0x12, 0x29, 0x0a, 0x25, 0x52, 0x45, 0x51, 0x55, 0x45, 0x53, 0x54, 0x5f, 0x43, 0x4c, 0x49, - 0x45, 0x4e, 0x54, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, - 0x41, 0x4e, 0x44, 0x5f, 0x56, 0x45, 0x52, 0x49, 0x46, 0x59, 0x10, 0x03, 0x12, 0x3a, 0x0a, 0x36, - 0x52, 0x45, 0x51, 0x55, 0x45, 0x53, 0x54, 0x5f, 0x41, 0x4e, 0x44, 0x5f, 0x52, 0x45, 0x51, 0x55, - 0x49, 0x52, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, - 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x5f, 0x42, 0x55, 0x54, 0x5f, 0x44, 0x4f, 0x4e, 0x54, 0x5f, - 0x56, 0x45, 0x52, 0x49, 0x46, 0x59, 0x10, 0x04, 0x12, 0x35, 0x0a, 0x31, 0x52, 0x45, 0x51, 0x55, - 0x45, 0x53, 0x54, 0x5f, 0x41, 0x4e, 0x44, 0x5f, 0x52, 0x45, 0x51, 0x55, 0x49, 0x52, 0x45, 0x5f, - 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, - 0x54, 0x45, 0x5f, 0x41, 0x4e, 0x44, 0x5f, 0x56, 0x45, 0x52, 0x49, 0x46, 0x59, 0x10, 0x05, 0x4a, - 0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x42, 0x13, 0x0a, 0x11, 0x74, - 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x22, 0xb0, 0x03, 0x0a, 0x1d, 0x4f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x50, 0x72, 0x69, 0x76, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, - 0x65, 0x71, 0x12, 0x5d, 0x0a, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x3f, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x4f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x50, 0x72, 0x69, 0x76, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, - 0x65, 0x71, 0x2e, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x12, 0x51, 0x0a, 0x13, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x5f, 0x61, - 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, - 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, - 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, - 0x52, 0x12, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x41, 0x6c, 0x67, 0x6f, 0x72, - 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1d, 0x0a, 0x09, 0x72, 0x61, 0x77, 0x5f, 0x62, 0x79, 0x74, 0x65, - 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, 0x72, 0x61, 0x77, 0x42, 0x79, - 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0d, 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x5f, 0x64, 0x69, - 0x67, 0x65, 0x73, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x0c, 0x73, 0x68, - 0x61, 0x32, 0x35, 0x36, 0x44, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x25, 0x0a, 0x0d, 0x73, 0x68, - 0x61, 0x33, 0x38, 0x34, 0x5f, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, - 0x0c, 0x48, 0x00, 0x52, 0x0c, 0x73, 0x68, 0x61, 0x33, 0x38, 0x34, 0x44, 0x69, 0x67, 0x65, 0x73, - 0x74, 0x12, 0x25, 0x0a, 0x0d, 0x73, 0x68, 0x61, 0x35, 0x31, 0x32, 0x5f, 0x64, 0x69, 0x67, 0x65, - 0x73, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x0c, 0x73, 0x68, 0x61, 0x35, - 0x31, 0x32, 0x44, 0x69, 0x67, 0x65, 0x73, 0x74, 0x22, 0x3d, 0x0a, 0x13, 0x50, 0x72, 0x69, 0x76, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, - 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, - 0x12, 0x08, 0x0a, 0x04, 0x53, 0x49, 0x47, 0x4e, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x44, 0x45, - 0x43, 0x52, 0x59, 0x50, 0x54, 0x10, 0x02, 0x42, 0x0a, 0x0a, 0x08, 0x69, 0x6e, 0x5f, 0x62, 0x79, - 0x74, 0x65, 0x73, 0x22, 0x3d, 0x0a, 0x1e, 0x4f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x50, 0x72, - 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x52, 0x65, 0x73, 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x6f, 0x75, 0x74, 0x5f, 0x62, 0x79, 0x74, - 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x6f, 0x75, 0x74, 0x42, 0x79, 0x74, - 0x65, 0x73, 0x22, 0xe7, 0x01, 0x0a, 0x20, 0x4f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x52, 0x65, - 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x12, 0x63, 0x0a, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x45, 0x2e, 0x73, 0x32, 0x61, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x4f, 0x66, 0x66, 0x6c, 0x6f, 0x61, - 0x64, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x2e, 0x52, 0x65, 0x73, 0x75, 0x6d, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x52, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x08, - 0x69, 0x6e, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, - 0x69, 0x6e, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0x43, 0x0a, 0x16, 0x52, 0x65, 0x73, 0x75, 0x6d, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x12, 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, - 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x45, 0x4e, 0x43, 0x52, 0x59, 0x50, 0x54, 0x10, 0x01, 0x12, - 0x0b, 0x0a, 0x07, 0x44, 0x45, 0x43, 0x52, 0x59, 0x50, 0x54, 0x10, 0x02, 0x22, 0x40, 0x0a, 0x21, - 0x4f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, - 0x6e, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, - 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x6f, 0x75, 0x74, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x6f, 0x75, 0x74, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0xf4, - 0x05, 0x0a, 0x1f, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, - 0x65, 0x71, 0x12, 0x52, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, - 0x32, 0x3e, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, - 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x2e, - 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, 0x64, 0x65, - 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x5b, 0x0a, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, - 0x5f, 0x70, 0x65, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x38, 0x2e, 0x73, 0x32, - 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, - 0x61, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, - 0x74, 0x50, 0x65, 0x65, 0x72, 0x48, 0x00, 0x52, 0x0a, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x50, - 0x65, 0x65, 0x72, 0x12, 0x5b, 0x0a, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x70, 0x65, - 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x38, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, - 0x50, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, - 0x68, 0x61, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x50, 0x65, - 0x65, 0x72, 0x48, 0x00, 0x52, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x50, 0x65, 0x65, 0x72, - 0x1a, 0x39, 0x0a, 0x0a, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x50, 0x65, 0x65, 0x72, 0x12, 0x2b, - 0x0a, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, - 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x1a, 0xb5, 0x01, 0x0a, 0x0a, - 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x50, 0x65, 0x65, 0x72, 0x12, 0x2b, 0x0a, 0x11, 0x63, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, - 0x01, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x27, 0x0a, 0x0f, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x5f, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x0e, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, - 0x12, 0x51, 0x0a, 0x25, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x75, - 0x6e, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x63, 0x6c, 0x69, 0x65, - 0x6e, 0x74, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, - 0x22, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x55, 0x6e, 0x72, 0x65, 0x73, - 0x74, 0x72, 0x69, 0x63, 0x74, 0x65, 0x64, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x22, 0xc1, 0x01, 0x0a, 0x10, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, - 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x50, 0x49, - 0x46, 0x46, 0x45, 0x10, 0x01, 0x12, 0x15, 0x0a, 0x11, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, 0x54, - 0x5f, 0x54, 0x4f, 0x5f, 0x47, 0x4f, 0x4f, 0x47, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x27, 0x0a, 0x23, - 0x52, 0x45, 0x53, 0x45, 0x52, 0x56, 0x45, 0x44, 0x5f, 0x43, 0x55, 0x53, 0x54, 0x4f, 0x4d, 0x5f, - 0x56, 0x45, 0x52, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4d, 0x4f, 0x44, - 0x45, 0x5f, 0x33, 0x10, 0x03, 0x12, 0x27, 0x0a, 0x23, 0x52, 0x45, 0x53, 0x45, 0x52, 0x56, 0x45, - 0x44, 0x5f, 0x43, 0x55, 0x53, 0x54, 0x4f, 0x4d, 0x5f, 0x56, 0x45, 0x52, 0x49, 0x46, 0x49, 0x43, - 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x34, 0x10, 0x04, 0x12, 0x27, - 0x0a, 0x23, 0x52, 0x45, 0x53, 0x45, 0x52, 0x56, 0x45, 0x44, 0x5f, 0x43, 0x55, 0x53, 0x54, 0x4f, - 0x4d, 0x5f, 0x56, 0x45, 0x52, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4d, - 0x4f, 0x44, 0x45, 0x5f, 0x35, 0x10, 0x05, 0x42, 0x0c, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x5f, - 0x6f, 0x6e, 0x65, 0x6f, 0x66, 0x22, 0xb2, 0x02, 0x0a, 0x20, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, - 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x12, 0x6c, 0x0a, 0x11, 0x76, 0x61, - 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x3f, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x50, 0x65, 0x65, - 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, - 0x6e, 0x52, 0x65, 0x73, 0x70, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x10, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x2d, 0x0a, 0x12, 0x76, 0x61, 0x6c, 0x69, - 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x32, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, - 0x78, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x32, 0x41, 0x43, 0x6f, 0x6e, 0x74, 0x65, - 0x78, 0x74, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x22, 0x3d, 0x0a, 0x10, 0x56, - 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, - 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, - 0x12, 0x0b, 0x0a, 0x07, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, 0x10, 0x01, 0x12, 0x0b, 0x0a, - 0x07, 0x46, 0x41, 0x49, 0x4c, 0x55, 0x52, 0x45, 0x10, 0x02, 0x22, 0xa0, 0x05, 0x0a, 0x0a, 0x53, - 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x12, 0x3d, 0x0a, 0x0e, 0x6c, 0x6f, 0x63, - 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x16, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, - 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, - 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x62, 0x0a, 0x19, 0x61, 0x75, 0x74, 0x68, - 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x65, 0x63, 0x68, 0x61, - 0x6e, 0x69, 0x73, 0x6d, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x73, 0x32, - 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x65, - 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, - 0x73, 0x6d, 0x52, 0x18, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x4d, 0x65, 0x63, 0x68, 0x61, 0x6e, 0x69, 0x73, 0x6d, 0x73, 0x12, 0x61, 0x0a, 0x19, - 0x67, 0x65, 0x74, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x72, 0x65, 0x71, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x24, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x47, - 0x65, 0x74, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x48, 0x00, 0x52, 0x16, 0x67, 0x65, 0x74, 0x54, 0x6c, 0x73, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x12, - 0x77, 0x0a, 0x21, 0x6f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x70, 0x72, 0x69, 0x76, 0x61, - 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x5f, 0x72, 0x65, 0x71, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x73, 0x32, 0x61, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x4f, 0x66, 0x66, 0x6c, 0x6f, 0x61, - 0x64, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x48, 0x00, 0x52, 0x1d, 0x6f, 0x66, 0x66, 0x6c, 0x6f, - 0x61, 0x64, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x12, 0x80, 0x01, 0x0a, 0x24, 0x6f, 0x66, 0x66, - 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, - 0x6b, 0x65, 0x79, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x72, 0x65, - 0x71, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x4f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x52, 0x65, - 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x48, 0x00, 0x52, 0x20, 0x6f, 0x66, 0x66, 0x6c, 0x6f, - 0x61, 0x64, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x12, 0x7d, 0x0a, 0x23, 0x76, - 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x63, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x5f, 0x72, - 0x65, 0x71, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, - 0x50, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, - 0x68, 0x61, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x48, 0x00, 0x52, 0x1f, 0x76, 0x61, 0x6c, 0x69, 0x64, - 0x61, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x42, 0x0b, 0x0a, 0x09, 0x72, 0x65, - 0x71, 0x5f, 0x6f, 0x6e, 0x65, 0x6f, 0x66, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x22, 0xb4, 0x04, - 0x0a, 0x0b, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x12, 0x2c, 0x0a, - 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, - 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x74, 0x61, - 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x64, 0x0a, 0x1a, 0x67, - 0x65, 0x74, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x72, 0x65, 0x73, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x25, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x47, - 0x65, 0x74, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x48, 0x00, 0x52, 0x17, 0x67, 0x65, 0x74, 0x54, 0x6c, 0x73, - 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, - 0x70, 0x12, 0x7a, 0x0a, 0x22, 0x6f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x70, 0x72, 0x69, - 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x5f, 0x72, 0x65, 0x73, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, - 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x4f, 0x66, 0x66, - 0x6c, 0x6f, 0x61, 0x64, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x4f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x48, 0x00, 0x52, 0x1e, 0x6f, - 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, - 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x12, 0x83, 0x01, - 0x0a, 0x25, 0x6f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6d, 0x70, - 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x5f, 0x72, 0x65, 0x73, 0x70, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, - 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x4f, 0x66, 0x66, - 0x6c, 0x6f, 0x61, 0x64, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, - 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x48, 0x00, - 0x52, 0x21, 0x6f, 0x66, 0x66, 0x6c, 0x6f, 0x61, 0x64, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, - 0x65, 0x73, 0x70, 0x12, 0x80, 0x01, 0x0a, 0x24, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, - 0x5f, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x5f, 0x72, 0x65, 0x73, 0x70, 0x18, 0x05, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, - 0x32, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x65, - 0x73, 0x70, 0x48, 0x00, 0x52, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x50, 0x65, - 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, - 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x42, 0x0c, 0x0a, 0x0a, 0x72, 0x65, 0x73, 0x70, 0x5f, 0x6f, - 0x6e, 0x65, 0x6f, 0x66, 0x2a, 0xa2, 0x03, 0x0a, 0x12, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, - 0x72, 0x65, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1c, 0x0a, 0x18, 0x53, - 0x32, 0x41, 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, - 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x21, 0x0a, 0x1d, 0x53, 0x32, 0x41, - 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, - 0x43, 0x53, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x01, 0x12, 0x21, 0x0a, 0x1d, - 0x53, 0x32, 0x41, 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x5f, 0x52, 0x53, 0x41, - 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x33, 0x38, 0x34, 0x10, 0x02, 0x12, - 0x21, 0x0a, 0x1d, 0x53, 0x32, 0x41, 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x5f, - 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x35, 0x31, 0x32, - 0x10, 0x03, 0x12, 0x27, 0x0a, 0x23, 0x53, 0x32, 0x41, 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, 0x49, - 0x47, 0x4e, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, - 0x52, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x04, 0x12, 0x27, 0x0a, 0x23, 0x53, - 0x32, 0x41, 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x5f, 0x45, 0x43, 0x44, 0x53, - 0x41, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x33, - 0x38, 0x34, 0x10, 0x05, 0x12, 0x27, 0x0a, 0x23, 0x53, 0x32, 0x41, 0x5f, 0x53, 0x53, 0x4c, 0x5f, - 0x53, 0x49, 0x47, 0x4e, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x35, - 0x32, 0x31, 0x52, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x35, 0x31, 0x32, 0x10, 0x06, 0x12, 0x24, 0x0a, - 0x20, 0x53, 0x32, 0x41, 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x5f, 0x52, 0x53, - 0x41, 0x5f, 0x50, 0x53, 0x53, 0x5f, 0x52, 0x53, 0x41, 0x45, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, - 0x36, 0x10, 0x07, 0x12, 0x24, 0x0a, 0x20, 0x53, 0x32, 0x41, 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, - 0x49, 0x47, 0x4e, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x5f, 0x52, 0x53, 0x41, 0x45, - 0x5f, 0x53, 0x48, 0x41, 0x33, 0x38, 0x34, 0x10, 0x08, 0x12, 0x24, 0x0a, 0x20, 0x53, 0x32, 0x41, - 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, - 0x53, 0x5f, 0x52, 0x53, 0x41, 0x45, 0x5f, 0x53, 0x48, 0x41, 0x35, 0x31, 0x32, 0x10, 0x09, 0x12, - 0x18, 0x0a, 0x14, 0x53, 0x32, 0x41, 0x5f, 0x53, 0x53, 0x4c, 0x5f, 0x53, 0x49, 0x47, 0x4e, 0x5f, - 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x10, 0x0a, 0x32, 0x57, 0x0a, 0x0a, 0x53, 0x32, 0x41, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x49, 0x0a, 0x0c, 0x53, 0x65, 0x74, 0x55, 0x70, - 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, - 0x71, 0x1a, 0x19, 0x2e, 0x73, 0x32, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x32, - 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x22, 0x00, 0x28, 0x01, - 0x30, 0x01, 0x42, 0x36, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x73, 0x32, 0x61, 0x2f, 0x69, 0x6e, 0x74, 0x65, - 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x76, 0x32, 0x2f, 0x73, 0x32, - 0x61, 0x5f, 0x67, 0x6f, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, -} - -var ( - file_internal_proto_v2_s2a_s2a_proto_rawDescOnce sync.Once - file_internal_proto_v2_s2a_s2a_proto_rawDescData = file_internal_proto_v2_s2a_s2a_proto_rawDesc -) - -func file_internal_proto_v2_s2a_s2a_proto_rawDescGZIP() []byte { - file_internal_proto_v2_s2a_s2a_proto_rawDescOnce.Do(func() { - file_internal_proto_v2_s2a_s2a_proto_rawDescData = protoimpl.X.CompressGZIP(file_internal_proto_v2_s2a_s2a_proto_rawDescData) - }) - return file_internal_proto_v2_s2a_s2a_proto_rawDescData -} - -var file_internal_proto_v2_s2a_s2a_proto_enumTypes = make([]protoimpl.EnumInfo, 6) -var file_internal_proto_v2_s2a_s2a_proto_msgTypes = make([]protoimpl.MessageInfo, 17) -var file_internal_proto_v2_s2a_s2a_proto_goTypes = []any{ - (SignatureAlgorithm)(0), // 0: s2a.proto.v2.SignatureAlgorithm - (GetTlsConfigurationResp_ServerTlsConfiguration_RequestClientCertificate)(0), // 1: s2a.proto.v2.GetTlsConfigurationResp.ServerTlsConfiguration.RequestClientCertificate - (OffloadPrivateKeyOperationReq_PrivateKeyOperation)(0), // 2: s2a.proto.v2.OffloadPrivateKeyOperationReq.PrivateKeyOperation - (OffloadResumptionKeyOperationReq_ResumptionKeyOperation)(0), // 3: s2a.proto.v2.OffloadResumptionKeyOperationReq.ResumptionKeyOperation - (ValidatePeerCertificateChainReq_VerificationMode)(0), // 4: s2a.proto.v2.ValidatePeerCertificateChainReq.VerificationMode - (ValidatePeerCertificateChainResp_ValidationResult)(0), // 5: s2a.proto.v2.ValidatePeerCertificateChainResp.ValidationResult - (*AlpnPolicy)(nil), // 6: s2a.proto.v2.AlpnPolicy - (*AuthenticationMechanism)(nil), // 7: s2a.proto.v2.AuthenticationMechanism - (*Status)(nil), // 8: s2a.proto.v2.Status - (*GetTlsConfigurationReq)(nil), // 9: s2a.proto.v2.GetTlsConfigurationReq - (*GetTlsConfigurationResp)(nil), // 10: s2a.proto.v2.GetTlsConfigurationResp - (*OffloadPrivateKeyOperationReq)(nil), // 11: s2a.proto.v2.OffloadPrivateKeyOperationReq - (*OffloadPrivateKeyOperationResp)(nil), // 12: s2a.proto.v2.OffloadPrivateKeyOperationResp - (*OffloadResumptionKeyOperationReq)(nil), // 13: s2a.proto.v2.OffloadResumptionKeyOperationReq - (*OffloadResumptionKeyOperationResp)(nil), // 14: s2a.proto.v2.OffloadResumptionKeyOperationResp - (*ValidatePeerCertificateChainReq)(nil), // 15: s2a.proto.v2.ValidatePeerCertificateChainReq - (*ValidatePeerCertificateChainResp)(nil), // 16: s2a.proto.v2.ValidatePeerCertificateChainResp - (*SessionReq)(nil), // 17: s2a.proto.v2.SessionReq - (*SessionResp)(nil), // 18: s2a.proto.v2.SessionResp - (*GetTlsConfigurationResp_ClientTlsConfiguration)(nil), // 19: s2a.proto.v2.GetTlsConfigurationResp.ClientTlsConfiguration - (*GetTlsConfigurationResp_ServerTlsConfiguration)(nil), // 20: s2a.proto.v2.GetTlsConfigurationResp.ServerTlsConfiguration - (*ValidatePeerCertificateChainReq_ClientPeer)(nil), // 21: s2a.proto.v2.ValidatePeerCertificateChainReq.ClientPeer - (*ValidatePeerCertificateChainReq_ServerPeer)(nil), // 22: s2a.proto.v2.ValidatePeerCertificateChainReq.ServerPeer - (common_go_proto.AlpnProtocol)(0), // 23: s2a.proto.v2.AlpnProtocol - (*common_go_proto.Identity)(nil), // 24: s2a.proto.v2.Identity - (common_go_proto.ConnectionSide)(0), // 25: s2a.proto.v2.ConnectionSide - (*s2a_context_go_proto.S2AContext)(nil), // 26: s2a.proto.v2.S2AContext - (common_go_proto.TLSVersion)(0), // 27: s2a.proto.v2.TLSVersion - (common_go_proto.Ciphersuite)(0), // 28: s2a.proto.v2.Ciphersuite -} -var file_internal_proto_v2_s2a_s2a_proto_depIdxs = []int32{ - 23, // 0: s2a.proto.v2.AlpnPolicy.alpn_protocols:type_name -> s2a.proto.v2.AlpnProtocol - 24, // 1: s2a.proto.v2.AuthenticationMechanism.identity:type_name -> s2a.proto.v2.Identity - 25, // 2: s2a.proto.v2.GetTlsConfigurationReq.connection_side:type_name -> s2a.proto.v2.ConnectionSide - 19, // 3: s2a.proto.v2.GetTlsConfigurationResp.client_tls_configuration:type_name -> s2a.proto.v2.GetTlsConfigurationResp.ClientTlsConfiguration - 20, // 4: s2a.proto.v2.GetTlsConfigurationResp.server_tls_configuration:type_name -> s2a.proto.v2.GetTlsConfigurationResp.ServerTlsConfiguration - 2, // 5: s2a.proto.v2.OffloadPrivateKeyOperationReq.operation:type_name -> s2a.proto.v2.OffloadPrivateKeyOperationReq.PrivateKeyOperation - 0, // 6: s2a.proto.v2.OffloadPrivateKeyOperationReq.signature_algorithm:type_name -> s2a.proto.v2.SignatureAlgorithm - 3, // 7: s2a.proto.v2.OffloadResumptionKeyOperationReq.operation:type_name -> s2a.proto.v2.OffloadResumptionKeyOperationReq.ResumptionKeyOperation - 4, // 8: s2a.proto.v2.ValidatePeerCertificateChainReq.mode:type_name -> s2a.proto.v2.ValidatePeerCertificateChainReq.VerificationMode - 21, // 9: s2a.proto.v2.ValidatePeerCertificateChainReq.client_peer:type_name -> s2a.proto.v2.ValidatePeerCertificateChainReq.ClientPeer - 22, // 10: s2a.proto.v2.ValidatePeerCertificateChainReq.server_peer:type_name -> s2a.proto.v2.ValidatePeerCertificateChainReq.ServerPeer - 5, // 11: s2a.proto.v2.ValidatePeerCertificateChainResp.validation_result:type_name -> s2a.proto.v2.ValidatePeerCertificateChainResp.ValidationResult - 26, // 12: s2a.proto.v2.ValidatePeerCertificateChainResp.context:type_name -> s2a.proto.v2.S2AContext - 24, // 13: s2a.proto.v2.SessionReq.local_identity:type_name -> s2a.proto.v2.Identity - 7, // 14: s2a.proto.v2.SessionReq.authentication_mechanisms:type_name -> s2a.proto.v2.AuthenticationMechanism - 9, // 15: s2a.proto.v2.SessionReq.get_tls_configuration_req:type_name -> s2a.proto.v2.GetTlsConfigurationReq - 11, // 16: s2a.proto.v2.SessionReq.offload_private_key_operation_req:type_name -> s2a.proto.v2.OffloadPrivateKeyOperationReq - 13, // 17: s2a.proto.v2.SessionReq.offload_resumption_key_operation_req:type_name -> s2a.proto.v2.OffloadResumptionKeyOperationReq - 15, // 18: s2a.proto.v2.SessionReq.validate_peer_certificate_chain_req:type_name -> s2a.proto.v2.ValidatePeerCertificateChainReq - 8, // 19: s2a.proto.v2.SessionResp.status:type_name -> s2a.proto.v2.Status - 10, // 20: s2a.proto.v2.SessionResp.get_tls_configuration_resp:type_name -> s2a.proto.v2.GetTlsConfigurationResp - 12, // 21: s2a.proto.v2.SessionResp.offload_private_key_operation_resp:type_name -> s2a.proto.v2.OffloadPrivateKeyOperationResp - 14, // 22: s2a.proto.v2.SessionResp.offload_resumption_key_operation_resp:type_name -> s2a.proto.v2.OffloadResumptionKeyOperationResp - 16, // 23: s2a.proto.v2.SessionResp.validate_peer_certificate_chain_resp:type_name -> s2a.proto.v2.ValidatePeerCertificateChainResp - 27, // 24: s2a.proto.v2.GetTlsConfigurationResp.ClientTlsConfiguration.min_tls_version:type_name -> s2a.proto.v2.TLSVersion - 27, // 25: s2a.proto.v2.GetTlsConfigurationResp.ClientTlsConfiguration.max_tls_version:type_name -> s2a.proto.v2.TLSVersion - 28, // 26: s2a.proto.v2.GetTlsConfigurationResp.ClientTlsConfiguration.ciphersuites:type_name -> s2a.proto.v2.Ciphersuite - 6, // 27: s2a.proto.v2.GetTlsConfigurationResp.ClientTlsConfiguration.alpn_policy:type_name -> s2a.proto.v2.AlpnPolicy - 27, // 28: s2a.proto.v2.GetTlsConfigurationResp.ServerTlsConfiguration.min_tls_version:type_name -> s2a.proto.v2.TLSVersion - 27, // 29: s2a.proto.v2.GetTlsConfigurationResp.ServerTlsConfiguration.max_tls_version:type_name -> s2a.proto.v2.TLSVersion - 28, // 30: s2a.proto.v2.GetTlsConfigurationResp.ServerTlsConfiguration.ciphersuites:type_name -> s2a.proto.v2.Ciphersuite - 1, // 31: s2a.proto.v2.GetTlsConfigurationResp.ServerTlsConfiguration.request_client_certificate:type_name -> s2a.proto.v2.GetTlsConfigurationResp.ServerTlsConfiguration.RequestClientCertificate - 6, // 32: s2a.proto.v2.GetTlsConfigurationResp.ServerTlsConfiguration.alpn_policy:type_name -> s2a.proto.v2.AlpnPolicy - 17, // 33: s2a.proto.v2.S2AService.SetUpSession:input_type -> s2a.proto.v2.SessionReq - 18, // 34: s2a.proto.v2.S2AService.SetUpSession:output_type -> s2a.proto.v2.SessionResp - 34, // [34:35] is the sub-list for method output_type - 33, // [33:34] is the sub-list for method input_type - 33, // [33:33] is the sub-list for extension type_name - 33, // [33:33] is the sub-list for extension extendee - 0, // [0:33] is the sub-list for field type_name -} - -func init() { file_internal_proto_v2_s2a_s2a_proto_init() } -func file_internal_proto_v2_s2a_s2a_proto_init() { - if File_internal_proto_v2_s2a_s2a_proto != nil { - return - } - if !protoimpl.UnsafeEnabled { - file_internal_proto_v2_s2a_s2a_proto_msgTypes[0].Exporter = func(v any, i int) any { - switch v := v.(*AlpnPolicy); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[1].Exporter = func(v any, i int) any { - switch v := v.(*AuthenticationMechanism); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[2].Exporter = func(v any, i int) any { - switch v := v.(*Status); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[3].Exporter = func(v any, i int) any { - switch v := v.(*GetTlsConfigurationReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[4].Exporter = func(v any, i int) any { - switch v := v.(*GetTlsConfigurationResp); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[5].Exporter = func(v any, i int) any { - switch v := v.(*OffloadPrivateKeyOperationReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[6].Exporter = func(v any, i int) any { - switch v := v.(*OffloadPrivateKeyOperationResp); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[7].Exporter = func(v any, i int) any { - switch v := v.(*OffloadResumptionKeyOperationReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[8].Exporter = func(v any, i int) any { - switch v := v.(*OffloadResumptionKeyOperationResp); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[9].Exporter = func(v any, i int) any { - switch v := v.(*ValidatePeerCertificateChainReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[10].Exporter = func(v any, i int) any { - switch v := v.(*ValidatePeerCertificateChainResp); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[11].Exporter = func(v any, i int) any { - switch v := v.(*SessionReq); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[12].Exporter = func(v any, i int) any { - switch v := v.(*SessionResp); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[13].Exporter = func(v any, i int) any { - switch v := v.(*GetTlsConfigurationResp_ClientTlsConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[14].Exporter = func(v any, i int) any { - switch v := v.(*GetTlsConfigurationResp_ServerTlsConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[15].Exporter = func(v any, i int) any { - switch v := v.(*ValidatePeerCertificateChainReq_ClientPeer); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[16].Exporter = func(v any, i int) any { - switch v := v.(*ValidatePeerCertificateChainReq_ServerPeer); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[1].OneofWrappers = []any{ - (*AuthenticationMechanism_Token)(nil), - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[4].OneofWrappers = []any{ - (*GetTlsConfigurationResp_ClientTlsConfiguration_)(nil), - (*GetTlsConfigurationResp_ServerTlsConfiguration_)(nil), - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[5].OneofWrappers = []any{ - (*OffloadPrivateKeyOperationReq_RawBytes)(nil), - (*OffloadPrivateKeyOperationReq_Sha256Digest)(nil), - (*OffloadPrivateKeyOperationReq_Sha384Digest)(nil), - (*OffloadPrivateKeyOperationReq_Sha512Digest)(nil), - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[9].OneofWrappers = []any{ - (*ValidatePeerCertificateChainReq_ClientPeer_)(nil), - (*ValidatePeerCertificateChainReq_ServerPeer_)(nil), - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[11].OneofWrappers = []any{ - (*SessionReq_GetTlsConfigurationReq)(nil), - (*SessionReq_OffloadPrivateKeyOperationReq)(nil), - (*SessionReq_OffloadResumptionKeyOperationReq)(nil), - (*SessionReq_ValidatePeerCertificateChainReq)(nil), - } - file_internal_proto_v2_s2a_s2a_proto_msgTypes[12].OneofWrappers = []any{ - (*SessionResp_GetTlsConfigurationResp)(nil), - (*SessionResp_OffloadPrivateKeyOperationResp)(nil), - (*SessionResp_OffloadResumptionKeyOperationResp)(nil), - (*SessionResp_ValidatePeerCertificateChainResp)(nil), - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_internal_proto_v2_s2a_s2a_proto_rawDesc, - NumEnums: 6, - NumMessages: 17, - NumExtensions: 0, - NumServices: 1, - }, - GoTypes: file_internal_proto_v2_s2a_s2a_proto_goTypes, - DependencyIndexes: file_internal_proto_v2_s2a_s2a_proto_depIdxs, - EnumInfos: file_internal_proto_v2_s2a_s2a_proto_enumTypes, - MessageInfos: file_internal_proto_v2_s2a_s2a_proto_msgTypes, - }.Build() - File_internal_proto_v2_s2a_s2a_proto = out.File - file_internal_proto_v2_s2a_s2a_proto_rawDesc = nil - file_internal_proto_v2_s2a_s2a_proto_goTypes = nil - file_internal_proto_v2_s2a_s2a_proto_depIdxs = nil -} diff --git a/vendor/github.com/google/s2a-go/internal/proto/v2/s2a_go_proto/s2a_grpc.pb.go b/vendor/github.com/google/s2a-go/internal/proto/v2/s2a_go_proto/s2a_grpc.pb.go deleted file mode 100644 index c93f75a78..000000000 --- a/vendor/github.com/google/s2a-go/internal/proto/v2/s2a_go_proto/s2a_grpc.pb.go +++ /dev/null @@ -1,160 +0,0 @@ -// Copyright 2022 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go-grpc. DO NOT EDIT. -// versions: -// - protoc-gen-go-grpc v1.4.0 -// - protoc v3.21.12 -// source: internal/proto/v2/s2a/s2a.proto - -package s2a_go_proto - -import ( - context "context" - grpc "google.golang.org/grpc" - codes "google.golang.org/grpc/codes" - status "google.golang.org/grpc/status" -) - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the grpc package it is being compiled against. -// Requires gRPC-Go v1.62.0 or later. -const _ = grpc.SupportPackageIsVersion8 - -const ( - S2AService_SetUpSession_FullMethodName = "/s2a.proto.v2.S2AService/SetUpSession" -) - -// S2AServiceClient is the client API for S2AService service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. -type S2AServiceClient interface { - // SetUpSession is a bidirectional stream used by applications to offload - // operations from the TLS handshake. - SetUpSession(ctx context.Context, opts ...grpc.CallOption) (S2AService_SetUpSessionClient, error) -} - -type s2AServiceClient struct { - cc grpc.ClientConnInterface -} - -func NewS2AServiceClient(cc grpc.ClientConnInterface) S2AServiceClient { - return &s2AServiceClient{cc} -} - -func (c *s2AServiceClient) SetUpSession(ctx context.Context, opts ...grpc.CallOption) (S2AService_SetUpSessionClient, error) { - cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) - stream, err := c.cc.NewStream(ctx, &S2AService_ServiceDesc.Streams[0], S2AService_SetUpSession_FullMethodName, cOpts...) - if err != nil { - return nil, err - } - x := &s2AServiceSetUpSessionClient{ClientStream: stream} - return x, nil -} - -type S2AService_SetUpSessionClient interface { - Send(*SessionReq) error - Recv() (*SessionResp, error) - grpc.ClientStream -} - -type s2AServiceSetUpSessionClient struct { - grpc.ClientStream -} - -func (x *s2AServiceSetUpSessionClient) Send(m *SessionReq) error { - return x.ClientStream.SendMsg(m) -} - -func (x *s2AServiceSetUpSessionClient) Recv() (*SessionResp, error) { - m := new(SessionResp) - if err := x.ClientStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// S2AServiceServer is the server API for S2AService service. -// All implementations must embed UnimplementedS2AServiceServer -// for forward compatibility -type S2AServiceServer interface { - // SetUpSession is a bidirectional stream used by applications to offload - // operations from the TLS handshake. - SetUpSession(S2AService_SetUpSessionServer) error - mustEmbedUnimplementedS2AServiceServer() -} - -// UnimplementedS2AServiceServer must be embedded to have forward compatible implementations. -type UnimplementedS2AServiceServer struct { -} - -func (UnimplementedS2AServiceServer) SetUpSession(S2AService_SetUpSessionServer) error { - return status.Errorf(codes.Unimplemented, "method SetUpSession not implemented") -} -func (UnimplementedS2AServiceServer) mustEmbedUnimplementedS2AServiceServer() {} - -// UnsafeS2AServiceServer may be embedded to opt out of forward compatibility for this service. -// Use of this interface is not recommended, as added methods to S2AServiceServer will -// result in compilation errors. -type UnsafeS2AServiceServer interface { - mustEmbedUnimplementedS2AServiceServer() -} - -func RegisterS2AServiceServer(s grpc.ServiceRegistrar, srv S2AServiceServer) { - s.RegisterService(&S2AService_ServiceDesc, srv) -} - -func _S2AService_SetUpSession_Handler(srv interface{}, stream grpc.ServerStream) error { - return srv.(S2AServiceServer).SetUpSession(&s2AServiceSetUpSessionServer{ServerStream: stream}) -} - -type S2AService_SetUpSessionServer interface { - Send(*SessionResp) error - Recv() (*SessionReq, error) - grpc.ServerStream -} - -type s2AServiceSetUpSessionServer struct { - grpc.ServerStream -} - -func (x *s2AServiceSetUpSessionServer) Send(m *SessionResp) error { - return x.ServerStream.SendMsg(m) -} - -func (x *s2AServiceSetUpSessionServer) Recv() (*SessionReq, error) { - m := new(SessionReq) - if err := x.ServerStream.RecvMsg(m); err != nil { - return nil, err - } - return m, nil -} - -// S2AService_ServiceDesc is the grpc.ServiceDesc for S2AService service. -// It's only intended for direct use with grpc.RegisterService, -// and not to be introspected or modified (even as a copy) -var S2AService_ServiceDesc = grpc.ServiceDesc{ - ServiceName: "s2a.proto.v2.S2AService", - HandlerType: (*S2AServiceServer)(nil), - Methods: []grpc.MethodDesc{}, - Streams: []grpc.StreamDesc{ - { - StreamName: "SetUpSession", - Handler: _S2AService_SetUpSession_Handler, - ServerStreams: true, - ClientStreams: true, - }, - }, - Metadata: "internal/proto/v2/s2a/s2a.proto", -} diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/aeadcrypter.go b/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/aeadcrypter.go deleted file mode 100644 index 486f4ec4f..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/aeadcrypter.go +++ /dev/null @@ -1,34 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package aeadcrypter provides the interface for AEAD cipher implementations -// used by S2A's record protocol. -package aeadcrypter - -// S2AAEADCrypter is the interface for an AEAD cipher used by the S2A record -// protocol. -type S2AAEADCrypter interface { - // Encrypt encrypts the plaintext and computes the tag of dst and plaintext. - // dst and plaintext may fully overlap or not at all. - Encrypt(dst, plaintext, nonce, aad []byte) ([]byte, error) - // Decrypt decrypts ciphertext and verifies the tag. dst and ciphertext may - // fully overlap or not at all. - Decrypt(dst, ciphertext, nonce, aad []byte) ([]byte, error) - // TagSize returns the tag size in bytes. - TagSize() int -} diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/aesgcm.go b/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/aesgcm.go deleted file mode 100644 index 85c4e595d..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/aesgcm.go +++ /dev/null @@ -1,70 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package aeadcrypter - -import ( - "crypto/aes" - "crypto/cipher" - "fmt" -) - -// Supported key sizes in bytes. -const ( - AES128GCMKeySize = 16 - AES256GCMKeySize = 32 -) - -// aesgcm is the struct that holds an AES-GCM cipher for the S2A AEAD crypter. -type aesgcm struct { - aead cipher.AEAD -} - -// NewAESGCM creates an AES-GCM crypter instance. Note that the key must be -// either 128 bits or 256 bits. -func NewAESGCM(key []byte) (S2AAEADCrypter, error) { - if len(key) != AES128GCMKeySize && len(key) != AES256GCMKeySize { - return nil, fmt.Errorf("%d or %d bytes, given: %d", AES128GCMKeySize, AES256GCMKeySize, len(key)) - } - c, err := aes.NewCipher(key) - if err != nil { - return nil, err - } - a, err := cipher.NewGCM(c) - if err != nil { - return nil, err - } - return &aesgcm{aead: a}, nil -} - -// Encrypt is the encryption function. dst can contain bytes at the beginning of -// the ciphertext that will not be encrypted but will be authenticated. If dst -// has enough capacity to hold these bytes, the ciphertext and the tag, no -// allocation and copy operations will be performed. dst and plaintext may -// fully overlap or not at all. -func (s *aesgcm) Encrypt(dst, plaintext, nonce, aad []byte) ([]byte, error) { - return encrypt(s.aead, dst, plaintext, nonce, aad) -} - -func (s *aesgcm) Decrypt(dst, ciphertext, nonce, aad []byte) ([]byte, error) { - return decrypt(s.aead, dst, ciphertext, nonce, aad) -} - -func (s *aesgcm) TagSize() int { - return TagSize -} diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go b/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go deleted file mode 100644 index 214df4ca4..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/chachapoly.go +++ /dev/null @@ -1,67 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package aeadcrypter - -import ( - "crypto/cipher" - "fmt" - - "golang.org/x/crypto/chacha20poly1305" -) - -// Supported key size in bytes. -const ( - Chacha20Poly1305KeySize = 32 -) - -// chachapoly is the struct that holds a CHACHA-POLY cipher for the S2A AEAD -// crypter. -type chachapoly struct { - aead cipher.AEAD -} - -// NewChachaPoly creates a Chacha-Poly crypter instance. Note that the key must -// be Chacha20Poly1305KeySize bytes in length. -func NewChachaPoly(key []byte) (S2AAEADCrypter, error) { - if len(key) != Chacha20Poly1305KeySize { - return nil, fmt.Errorf("%d bytes, given: %d", Chacha20Poly1305KeySize, len(key)) - } - c, err := chacha20poly1305.New(key) - if err != nil { - return nil, err - } - return &chachapoly{aead: c}, nil -} - -// Encrypt is the encryption function. dst can contain bytes at the beginning of -// the ciphertext that will not be encrypted but will be authenticated. If dst -// has enough capacity to hold these bytes, the ciphertext and the tag, no -// allocation and copy operations will be performed. dst and plaintext may -// fully overlap or not at all. -func (s *chachapoly) Encrypt(dst, plaintext, nonce, aad []byte) ([]byte, error) { - return encrypt(s.aead, dst, plaintext, nonce, aad) -} - -func (s *chachapoly) Decrypt(dst, ciphertext, nonce, aad []byte) ([]byte, error) { - return decrypt(s.aead, dst, ciphertext, nonce, aad) -} - -func (s *chachapoly) TagSize() int { - return TagSize -} diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/common.go b/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/common.go deleted file mode 100644 index b3c36ad95..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/internal/aeadcrypter/common.go +++ /dev/null @@ -1,92 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package aeadcrypter - -import ( - "crypto/cipher" - "fmt" -) - -const ( - // TagSize is the tag size in bytes for AES-128-GCM-SHA256, - // AES-256-GCM-SHA384, and CHACHA20-POLY1305-SHA256. - TagSize = 16 - // NonceSize is the size of the nonce in number of bytes for - // AES-128-GCM-SHA256, AES-256-GCM-SHA384, and CHACHA20-POLY1305-SHA256. - NonceSize = 12 - // SHA256DigestSize is the digest size of sha256 in bytes. - SHA256DigestSize = 32 - // SHA384DigestSize is the digest size of sha384 in bytes. - SHA384DigestSize = 48 -) - -// sliceForAppend takes a slice and a requested number of bytes. It returns a -// slice with the contents of the given slice followed by that many bytes and a -// second slice that aliases into it and contains only the extra bytes. If the -// original slice has sufficient capacity then no allocation is performed. -func sliceForAppend(in []byte, n int) (head, tail []byte) { - if total := len(in) + n; cap(in) >= total { - head = in[:total] - } else { - head = make([]byte, total) - copy(head, in) - } - tail = head[len(in):] - return head, tail -} - -// encrypt is the encryption function for an AEAD crypter. aead determines -// the type of AEAD crypter. dst can contain bytes at the beginning of the -// ciphertext that will not be encrypted but will be authenticated. If dst has -// enough capacity to hold these bytes, the ciphertext and the tag, no -// allocation and copy operations will be performed. dst and plaintext may -// fully overlap or not at all. -func encrypt(aead cipher.AEAD, dst, plaintext, nonce, aad []byte) ([]byte, error) { - if len(nonce) != NonceSize { - return nil, fmt.Errorf("nonce size must be %d bytes. received: %d", NonceSize, len(nonce)) - } - // If we need to allocate an output buffer, we want to include space for - // the tag to avoid forcing the caller to reallocate as well. - dlen := len(dst) - dst, out := sliceForAppend(dst, len(plaintext)+TagSize) - data := out[:len(plaintext)] - copy(data, plaintext) // data may fully overlap plaintext - - // Seal appends the ciphertext and the tag to its first argument and - // returns the updated slice. However, sliceForAppend above ensures that - // dst has enough capacity to avoid a reallocation and copy due to the - // append. - dst = aead.Seal(dst[:dlen], nonce, data, aad) - return dst, nil -} - -// decrypt is the decryption function for an AEAD crypter, where aead determines -// the type of AEAD crypter, and dst the destination bytes for the decrypted -// ciphertext. The dst buffer may fully overlap with plaintext or not at all. -func decrypt(aead cipher.AEAD, dst, ciphertext, nonce, aad []byte) ([]byte, error) { - if len(nonce) != NonceSize { - return nil, fmt.Errorf("nonce size must be %d bytes. received: %d", NonceSize, len(nonce)) - } - // If dst is equal to ciphertext[:0], ciphertext storage is reused. - plaintext, err := aead.Open(dst, nonce, ciphertext, aad) - if err != nil { - return nil, fmt.Errorf("message auth failed: %v", err) - } - return plaintext, nil -} diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/ciphersuite.go b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/ciphersuite.go deleted file mode 100644 index ddeaa6d77..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/ciphersuite.go +++ /dev/null @@ -1,98 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package halfconn - -import ( - "crypto/sha256" - "crypto/sha512" - "fmt" - "hash" - - s2apb "github.com/google/s2a-go/internal/proto/common_go_proto" - "github.com/google/s2a-go/internal/record/internal/aeadcrypter" -) - -// ciphersuite is the interface for retrieving ciphersuite-specific information -// and utilities. -type ciphersuite interface { - // keySize returns the key size in bytes. This refers to the key used by - // the AEAD crypter. This is derived by calling HKDF expand on the traffic - // secret. - keySize() int - // nonceSize returns the nonce size in bytes. - nonceSize() int - // trafficSecretSize returns the traffic secret size in bytes. This refers - // to the secret used to derive the traffic key and nonce, as specified in - // https://tools.ietf.org/html/rfc8446#section-7. - trafficSecretSize() int - // hashFunction returns the hash function for the ciphersuite. - hashFunction() func() hash.Hash - // aeadCrypter takes a key and creates an AEAD crypter for the ciphersuite - // using that key. - aeadCrypter(key []byte) (aeadcrypter.S2AAEADCrypter, error) -} - -func newCiphersuite(ciphersuite s2apb.Ciphersuite) (ciphersuite, error) { - switch ciphersuite { - case s2apb.Ciphersuite_AES_128_GCM_SHA256: - return &aesgcm128sha256{}, nil - case s2apb.Ciphersuite_AES_256_GCM_SHA384: - return &aesgcm256sha384{}, nil - case s2apb.Ciphersuite_CHACHA20_POLY1305_SHA256: - return &chachapolysha256{}, nil - default: - return nil, fmt.Errorf("unrecognized ciphersuite: %v", ciphersuite) - } -} - -// aesgcm128sha256 is the AES-128-GCM-SHA256 implementation of the ciphersuite -// interface. -type aesgcm128sha256 struct{} - -func (aesgcm128sha256) keySize() int { return aeadcrypter.AES128GCMKeySize } -func (aesgcm128sha256) nonceSize() int { return aeadcrypter.NonceSize } -func (aesgcm128sha256) trafficSecretSize() int { return aeadcrypter.SHA256DigestSize } -func (aesgcm128sha256) hashFunction() func() hash.Hash { return sha256.New } -func (aesgcm128sha256) aeadCrypter(key []byte) (aeadcrypter.S2AAEADCrypter, error) { - return aeadcrypter.NewAESGCM(key) -} - -// aesgcm256sha384 is the AES-256-GCM-SHA384 implementation of the ciphersuite -// interface. -type aesgcm256sha384 struct{} - -func (aesgcm256sha384) keySize() int { return aeadcrypter.AES256GCMKeySize } -func (aesgcm256sha384) nonceSize() int { return aeadcrypter.NonceSize } -func (aesgcm256sha384) trafficSecretSize() int { return aeadcrypter.SHA384DigestSize } -func (aesgcm256sha384) hashFunction() func() hash.Hash { return sha512.New384 } -func (aesgcm256sha384) aeadCrypter(key []byte) (aeadcrypter.S2AAEADCrypter, error) { - return aeadcrypter.NewAESGCM(key) -} - -// chachapolysha256 is the ChaChaPoly-SHA256 implementation of the ciphersuite -// interface. -type chachapolysha256 struct{} - -func (chachapolysha256) keySize() int { return aeadcrypter.Chacha20Poly1305KeySize } -func (chachapolysha256) nonceSize() int { return aeadcrypter.NonceSize } -func (chachapolysha256) trafficSecretSize() int { return aeadcrypter.SHA256DigestSize } -func (chachapolysha256) hashFunction() func() hash.Hash { return sha256.New } -func (chachapolysha256) aeadCrypter(key []byte) (aeadcrypter.S2AAEADCrypter, error) { - return aeadcrypter.NewChachaPoly(key) -} diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/counter.go b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/counter.go deleted file mode 100644 index 9499cdca7..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/counter.go +++ /dev/null @@ -1,60 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package halfconn - -import "errors" - -// counter is a 64-bit counter. -type counter struct { - val uint64 - hasOverflowed bool -} - -// newCounter creates a new counter with the initial value set to val. -func newCounter(val uint64) counter { - return counter{val: val} -} - -// value returns the current value of the counter. -func (c *counter) value() (uint64, error) { - if c.hasOverflowed { - return 0, errors.New("counter has overflowed") - } - return c.val, nil -} - -// increment increments the counter and checks for overflow. -func (c *counter) increment() { - // If the counter is already invalid due to overflow, there is no need to - // increase it. We check for the hasOverflowed flag in the call to value(). - if c.hasOverflowed { - return - } - c.val++ - if c.val == 0 { - c.hasOverflowed = true - } -} - -// reset sets the counter value to zero and sets the hasOverflowed flag to -// false. -func (c *counter) reset() { - c.val = 0 - c.hasOverflowed = false -} diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go deleted file mode 100644 index e05f2c36a..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/expander.go +++ /dev/null @@ -1,59 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package halfconn - -import ( - "fmt" - "hash" - - "golang.org/x/crypto/hkdf" -) - -// hkdfExpander is the interface for the HKDF expansion function; see -// https://tools.ietf.org/html/rfc5869 for details. its use in TLS 1.3 is -// specified in https://tools.ietf.org/html/rfc8446#section-7.2 -type hkdfExpander interface { - // expand takes a secret, a label, and the output length in bytes, and - // returns the resulting expanded key. - expand(secret, label []byte, length int) ([]byte, error) -} - -// defaultHKDFExpander is the default HKDF expander which uses Go's crypto/hkdf -// for HKDF expansion. -type defaultHKDFExpander struct { - h func() hash.Hash -} - -// newDefaultHKDFExpander creates an instance of the default HKDF expander -// using the given hash function. -func newDefaultHKDFExpander(h func() hash.Hash) hkdfExpander { - return &defaultHKDFExpander{h: h} -} - -func (d *defaultHKDFExpander) expand(secret, label []byte, length int) ([]byte, error) { - outBuf := make([]byte, length) - n, err := hkdf.Expand(d.h, secret, label).Read(outBuf) - if err != nil { - return nil, fmt.Errorf("hkdf.Expand.Read failed with error: %v", err) - } - if n < length { - return nil, fmt.Errorf("hkdf.Expand.Read returned unexpected length, got %d, want %d", n, length) - } - return outBuf, nil -} diff --git a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go b/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go deleted file mode 100644 index dff99ff59..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/internal/halfconn/halfconn.go +++ /dev/null @@ -1,193 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package halfconn manages the inbound or outbound traffic of a TLS 1.3 -// connection. -package halfconn - -import ( - "fmt" - "sync" - - s2apb "github.com/google/s2a-go/internal/proto/common_go_proto" - "github.com/google/s2a-go/internal/record/internal/aeadcrypter" - "golang.org/x/crypto/cryptobyte" -) - -// The constants below were taken from Section 7.2 and 7.3 in -// https://tools.ietf.org/html/rfc8446#section-7. They are used as the label -// in HKDF-Expand-Label. -const ( - tls13Key = "tls13 key" - tls13Nonce = "tls13 iv" - tls13Update = "tls13 traffic upd" -) - -// S2AHalfConnection stores the state of the TLS 1.3 connection in the -// inbound or outbound direction. -type S2AHalfConnection struct { - cs ciphersuite - expander hkdfExpander - // mutex guards sequence, aeadCrypter, trafficSecret, and nonce. - mutex sync.Mutex - aeadCrypter aeadcrypter.S2AAEADCrypter - sequence counter - trafficSecret []byte - nonce []byte -} - -// New creates a new instance of S2AHalfConnection given a ciphersuite and a -// traffic secret. -func New(ciphersuite s2apb.Ciphersuite, trafficSecret []byte, sequence uint64) (*S2AHalfConnection, error) { - cs, err := newCiphersuite(ciphersuite) - if err != nil { - return nil, fmt.Errorf("failed to create new ciphersuite: %v", ciphersuite) - } - if cs.trafficSecretSize() != len(trafficSecret) { - return nil, fmt.Errorf("supplied traffic secret must be %v bytes, given: %v bytes", cs.trafficSecretSize(), len(trafficSecret)) - } - - hc := &S2AHalfConnection{cs: cs, expander: newDefaultHKDFExpander(cs.hashFunction()), sequence: newCounter(sequence), trafficSecret: trafficSecret} - if err = hc.updateCrypterAndNonce(hc.trafficSecret); err != nil { - return nil, fmt.Errorf("failed to create half connection using traffic secret: %v", err) - } - - return hc, nil -} - -// Encrypt encrypts the plaintext and computes the tag of dst and plaintext. -// dst and plaintext may fully overlap or not at all. Note that the sequence -// number will still be incremented on failure, unless the sequence has -// overflowed. -func (hc *S2AHalfConnection) Encrypt(dst, plaintext, aad []byte) ([]byte, error) { - hc.mutex.Lock() - sequence, err := hc.getAndIncrementSequence() - if err != nil { - hc.mutex.Unlock() - return nil, err - } - nonce := hc.maskedNonce(sequence) - crypter := hc.aeadCrypter - hc.mutex.Unlock() - return crypter.Encrypt(dst, plaintext, nonce, aad) -} - -// Decrypt decrypts ciphertext and verifies the tag. dst and ciphertext may -// fully overlap or not at all. Note that the sequence number will still be -// incremented on failure, unless the sequence has overflowed. -func (hc *S2AHalfConnection) Decrypt(dst, ciphertext, aad []byte) ([]byte, error) { - hc.mutex.Lock() - sequence, err := hc.getAndIncrementSequence() - if err != nil { - hc.mutex.Unlock() - return nil, err - } - nonce := hc.maskedNonce(sequence) - crypter := hc.aeadCrypter - hc.mutex.Unlock() - return crypter.Decrypt(dst, ciphertext, nonce, aad) -} - -// UpdateKey advances the traffic secret key, as specified in -// https://tools.ietf.org/html/rfc8446#section-7.2. In addition, it derives -// a new key and nonce, and resets the sequence number. -func (hc *S2AHalfConnection) UpdateKey() error { - hc.mutex.Lock() - defer hc.mutex.Unlock() - - var err error - hc.trafficSecret, err = hc.deriveSecret(hc.trafficSecret, []byte(tls13Update), hc.cs.trafficSecretSize()) - if err != nil { - return fmt.Errorf("failed to derive traffic secret: %v", err) - } - - if err = hc.updateCrypterAndNonce(hc.trafficSecret); err != nil { - return fmt.Errorf("failed to update half connection: %v", err) - } - - hc.sequence.reset() - return nil -} - -// TagSize returns the tag size in bytes of the underlying AEAD crypter. -func (hc *S2AHalfConnection) TagSize() int { - return hc.aeadCrypter.TagSize() -} - -// updateCrypterAndNonce takes a new traffic secret and updates the crypter -// and nonce. Note that the mutex must be held while calling this function. -func (hc *S2AHalfConnection) updateCrypterAndNonce(newTrafficSecret []byte) error { - key, err := hc.deriveSecret(newTrafficSecret, []byte(tls13Key), hc.cs.keySize()) - if err != nil { - return fmt.Errorf("failed to update key: %v", err) - } - - hc.nonce, err = hc.deriveSecret(newTrafficSecret, []byte(tls13Nonce), hc.cs.nonceSize()) - if err != nil { - return fmt.Errorf("failed to update nonce: %v", err) - } - - hc.aeadCrypter, err = hc.cs.aeadCrypter(key) - if err != nil { - return fmt.Errorf("failed to update AEAD crypter: %v", err) - } - return nil -} - -// getAndIncrement returns the current sequence number and increments it. Note -// that the mutex must be held while calling this function. -func (hc *S2AHalfConnection) getAndIncrementSequence() (uint64, error) { - sequence, err := hc.sequence.value() - if err != nil { - return 0, err - } - hc.sequence.increment() - return sequence, nil -} - -// maskedNonce creates a copy of the nonce that is masked with the sequence -// number. Note that the mutex must be held while calling this function. -func (hc *S2AHalfConnection) maskedNonce(sequence uint64) []byte { - const uint64Size = 8 - nonce := make([]byte, len(hc.nonce)) - copy(nonce, hc.nonce) - for i := 0; i < uint64Size; i++ { - nonce[aeadcrypter.NonceSize-uint64Size+i] ^= byte(sequence >> uint64(56-uint64Size*i)) - } - return nonce -} - -// deriveSecret implements the Derive-Secret function, as specified in -// https://tools.ietf.org/html/rfc8446#section-7.1. -func (hc *S2AHalfConnection) deriveSecret(secret, label []byte, length int) ([]byte, error) { - var hkdfLabel cryptobyte.Builder - hkdfLabel.AddUint16(uint16(length)) - hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { - b.AddBytes(label) - }) - // Append an empty `Context` field to the label, as specified in the RFC. - // The half connection does not use the `Context` field. - hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { - b.AddBytes([]byte("")) - }) - hkdfLabelBytes, err := hkdfLabel.Bytes() - if err != nil { - return nil, fmt.Errorf("deriveSecret failed: %v", err) - } - return hc.expander.expand(secret, hkdfLabelBytes, length) -} diff --git a/vendor/github.com/google/s2a-go/internal/record/record.go b/vendor/github.com/google/s2a-go/internal/record/record.go deleted file mode 100644 index e76509ef0..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/record.go +++ /dev/null @@ -1,729 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package record implements the TLS 1.3 record protocol used by the S2A -// transport credentials. -package record - -import ( - "encoding/binary" - "errors" - "fmt" - "math" - "net" - "sync" - - commonpb "github.com/google/s2a-go/internal/proto/common_go_proto" - "github.com/google/s2a-go/internal/record/internal/halfconn" - "github.com/google/s2a-go/internal/tokenmanager" - "google.golang.org/grpc/grpclog" -) - -// recordType is the `ContentType` as described in -// https://tools.ietf.org/html/rfc8446#section-5.1. -type recordType byte - -const ( - alert recordType = 21 - handshake recordType = 22 - applicationData recordType = 23 -) - -// keyUpdateRequest is the `KeyUpdateRequest` as described in -// https://tools.ietf.org/html/rfc8446#section-4.6.3. -type keyUpdateRequest byte - -const ( - updateNotRequested keyUpdateRequest = 0 - updateRequested keyUpdateRequest = 1 -) - -// alertDescription is the `AlertDescription` as described in -// https://tools.ietf.org/html/rfc8446#section-6. -type alertDescription byte - -const ( - closeNotify alertDescription = 0 -) - -// sessionTicketState is used to determine whether session tickets have not yet -// been received, are in the process of being received, or have finished -// receiving. -type sessionTicketState byte - -const ( - ticketsNotYetReceived sessionTicketState = 0 - receivingTickets sessionTicketState = 1 - notReceivingTickets sessionTicketState = 2 -) - -const ( - // The TLS 1.3-specific constants below (tlsRecordMaxPlaintextSize, - // tlsRecordHeaderSize, tlsRecordTypeSize) were taken from - // https://tools.ietf.org/html/rfc8446#section-5.1. - - // tlsRecordMaxPlaintextSize is the maximum size in bytes of the plaintext - // in a single TLS 1.3 record. - tlsRecordMaxPlaintextSize = 16384 // 2^14 - // tlsRecordTypeSize is the size in bytes of the TLS 1.3 record type. - tlsRecordTypeSize = 1 - // tlsTagSize is the size in bytes of the tag of the following three - // ciphersuites: AES-128-GCM-SHA256, AES-256-GCM-SHA384, - // CHACHA20-POLY1305-SHA256. - tlsTagSize = 16 - // tlsRecordMaxPayloadSize is the maximum size in bytes of the payload in a - // single TLS 1.3 record. This is the maximum size of the plaintext plus the - // record type byte and 16 bytes of the tag. - tlsRecordMaxPayloadSize = tlsRecordMaxPlaintextSize + tlsRecordTypeSize + tlsTagSize - // tlsRecordHeaderTypeSize is the size in bytes of the TLS 1.3 record - // header type. - tlsRecordHeaderTypeSize = 1 - // tlsRecordHeaderLegacyRecordVersionSize is the size in bytes of the TLS - // 1.3 record header legacy record version. - tlsRecordHeaderLegacyRecordVersionSize = 2 - // tlsRecordHeaderPayloadLengthSize is the size in bytes of the TLS 1.3 - // record header payload length. - tlsRecordHeaderPayloadLengthSize = 2 - // tlsRecordHeaderSize is the size in bytes of the TLS 1.3 record header. - tlsRecordHeaderSize = tlsRecordHeaderTypeSize + tlsRecordHeaderLegacyRecordVersionSize + tlsRecordHeaderPayloadLengthSize - // tlsRecordMaxSize - tlsRecordMaxSize = tlsRecordMaxPayloadSize + tlsRecordHeaderSize - // tlsApplicationData is the application data type of the TLS 1.3 record - // header. - tlsApplicationData = 23 - // tlsLegacyRecordVersion is the legacy record version of the TLS record. - tlsLegacyRecordVersion = 3 - // tlsAlertSize is the size in bytes of an alert of TLS 1.3. - tlsAlertSize = 2 -) - -const ( - // These are TLS 1.3 handshake-specific constants. - - // tlsHandshakeNewSessionTicketType is the prefix of a handshake new session - // ticket message of TLS 1.3. - tlsHandshakeNewSessionTicketType = 4 - // tlsHandshakeKeyUpdateType is the prefix of a handshake key update message - // of TLS 1.3. - tlsHandshakeKeyUpdateType = 24 - // tlsHandshakeMsgTypeSize is the size in bytes of the TLS 1.3 handshake - // message type field. - tlsHandshakeMsgTypeSize = 1 - // tlsHandshakeLengthSize is the size in bytes of the TLS 1.3 handshake - // message length field. - tlsHandshakeLengthSize = 3 - // tlsHandshakeKeyUpdateMsgSize is the size in bytes of the TLS 1.3 - // handshake key update message. - tlsHandshakeKeyUpdateMsgSize = 1 - // tlsHandshakePrefixSize is the size in bytes of the prefix of the TLS 1.3 - // handshake message. - tlsHandshakePrefixSize = 4 - // tlsMaxSessionTicketSize is the maximum size of a NewSessionTicket message - // in TLS 1.3. This is the sum of the max sizes of all the fields in the - // NewSessionTicket struct specified in - // https://tools.ietf.org/html/rfc8446#section-4.6.1. - tlsMaxSessionTicketSize = 131338 -) - -const ( - // outBufMaxRecords is the maximum number of records that can fit in the - // ourRecordsBuf buffer. - outBufMaxRecords = 16 - // outBufMaxSize is the maximum size (in bytes) of the outRecordsBuf buffer. - outBufMaxSize = outBufMaxRecords * tlsRecordMaxSize - // maxAllowedTickets is the maximum number of session tickets that are - // allowed. The number of tickets are limited to ensure that the size of the - // ticket queue does not grow indefinitely. S2A also keeps a limit on the - // number of tickets that it caches. - maxAllowedTickets = 5 -) - -// preConstructedKeyUpdateMsg holds the key update message. This is needed as an -// optimization so that the same message does not need to be constructed every -// time a key update message is sent. -var preConstructedKeyUpdateMsg = buildKeyUpdateRequest() - -// conn represents a secured TLS connection. It implements the net.Conn -// interface. -type conn struct { - net.Conn - // inConn is the half connection responsible for decrypting incoming bytes. - inConn *halfconn.S2AHalfConnection - // outConn is the half connection responsible for encrypting outgoing bytes. - outConn *halfconn.S2AHalfConnection - // pendingApplicationData holds data that has been read from the connection - // and decrypted, but has not yet been returned by Read. - pendingApplicationData []byte - // unusedBuf holds data read from the network that has not yet been - // decrypted. This data might not consist of a complete record. It may - // consist of several records, the last of which could be incomplete. - unusedBuf []byte - // outRecordsBuf is a buffer used to store outgoing TLS records before - // they are written to the network. - outRecordsBuf []byte - // nextRecord stores the next record info in the unusedBuf buffer. - nextRecord []byte - // overheadSize is the overhead size in bytes of each TLS 1.3 record, which - // is computed as overheadSize = header size + record type byte + tag size. - // Note that there is no padding by zeros in the overhead calculation. - overheadSize int - // readMutex guards against concurrent calls to Read. This is required since - // Close may be called during a Read. - readMutex sync.Mutex - // writeMutex guards against concurrent calls to Write. This is required - // since Close may be called during a Write, and also because a key update - // message may be written during a Read. - writeMutex sync.Mutex - // handshakeBuf holds handshake messages while they are being processed. - handshakeBuf []byte - // ticketState is the current processing state of the session tickets. - ticketState sessionTicketState - // sessionTickets holds the completed session tickets until they are sent to - // the handshaker service for processing. - sessionTickets [][]byte - // ticketSender sends session tickets to the S2A handshaker service. - ticketSender s2aTicketSender - // callComplete is a channel that blocks closing the record protocol until a - // pending call to the S2A completes. - callComplete chan bool -} - -// ConnParameters holds the parameters used for creating a new conn object. -type ConnParameters struct { - // NetConn is the TCP connection to the peer. This parameter is required. - NetConn net.Conn - // Ciphersuite is the TLS ciphersuite negotiated by the S2A handshaker - // service. This parameter is required. - Ciphersuite commonpb.Ciphersuite - // TLSVersion is the TLS version number negotiated by the S2A handshaker - // service. This parameter is required. - TLSVersion commonpb.TLSVersion - // InTrafficSecret is the traffic secret used to derive the session key for - // the inbound direction. This parameter is required. - InTrafficSecret []byte - // OutTrafficSecret is the traffic secret used to derive the session key - // for the outbound direction. This parameter is required. - OutTrafficSecret []byte - // UnusedBuf is the data read from the network that has not yet been - // decrypted. This parameter is optional. If not provided, then no - // application data was sent in the same flight of messages as the final - // handshake message. - UnusedBuf []byte - // InSequence is the sequence number of the next, incoming, TLS record. - // This parameter is required. - InSequence uint64 - // OutSequence is the sequence number of the next, outgoing, TLS record. - // This parameter is required. - OutSequence uint64 - // HSAddr stores the address of the S2A handshaker service. This parameter - // is optional. If not provided, then TLS resumption is disabled. - HSAddr string - // ConnectionId is the connection identifier that was created and sent by - // S2A at the end of a handshake. - ConnectionID uint64 - // LocalIdentity is the local identity that was used by S2A during session - // setup and included in the session result. - LocalIdentity *commonpb.Identity - // EnsureProcessSessionTickets allows users to wait and ensure that all - // available session tickets are sent to S2A before a process completes. - EnsureProcessSessionTickets *sync.WaitGroup -} - -// NewConn creates a TLS record protocol that wraps the TCP connection. -func NewConn(o *ConnParameters) (net.Conn, error) { - if o == nil { - return nil, errors.New("conn options must not be nil") - } - if o.TLSVersion != commonpb.TLSVersion_TLS1_3 { - return nil, errors.New("TLS version must be TLS 1.3") - } - - inConn, err := halfconn.New(o.Ciphersuite, o.InTrafficSecret, o.InSequence) - if err != nil { - return nil, fmt.Errorf("failed to create inbound half connection: %v", err) - } - outConn, err := halfconn.New(o.Ciphersuite, o.OutTrafficSecret, o.OutSequence) - if err != nil { - return nil, fmt.Errorf("failed to create outbound half connection: %v", err) - } - - // The tag size for the in/out connections should be the same. - overheadSize := tlsRecordHeaderSize + tlsRecordTypeSize + inConn.TagSize() - var unusedBuf []byte - if o.UnusedBuf == nil { - // We pre-allocate unusedBuf to be of size - // 2*tlsRecordMaxSize-1 during initialization. We only read from the - // network into unusedBuf when unusedBuf does not contain a complete - // record and the incomplete record is at most tlsRecordMaxSize-1 - // (bytes). And we read at most tlsRecordMaxSize bytes of data from the - // network into unusedBuf at one time. Therefore, 2*tlsRecordMaxSize-1 - // is large enough to buffer data read from the network. - unusedBuf = make([]byte, 0, 2*tlsRecordMaxSize-1) - } else { - unusedBuf = make([]byte, len(o.UnusedBuf)) - copy(unusedBuf, o.UnusedBuf) - } - - tokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager() - if err != nil { - grpclog.Infof("failed to create single token access token manager: %v", err) - } - - s2aConn := &conn{ - Conn: o.NetConn, - inConn: inConn, - outConn: outConn, - unusedBuf: unusedBuf, - outRecordsBuf: make([]byte, tlsRecordMaxSize), - nextRecord: unusedBuf, - overheadSize: overheadSize, - ticketState: ticketsNotYetReceived, - // Pre-allocate the buffer for one session ticket message and the max - // plaintext size. This is the largest size that handshakeBuf will need - // to hold. The largest incomplete handshake message is the - // [handshake header size] + [max session ticket size] - 1. - // Then, tlsRecordMaxPlaintextSize is the maximum size that will be - // appended to the handshakeBuf before the handshake message is - // completed. Therefore, the buffer size below should be large enough to - // buffer any handshake messages. - handshakeBuf: make([]byte, 0, tlsHandshakePrefixSize+tlsMaxSessionTicketSize+tlsRecordMaxPlaintextSize-1), - ticketSender: &ticketSender{ - hsAddr: o.HSAddr, - connectionID: o.ConnectionID, - localIdentity: o.LocalIdentity, - tokenManager: tokenManager, - ensureProcessSessionTickets: o.EnsureProcessSessionTickets, - }, - callComplete: make(chan bool), - } - return s2aConn, nil -} - -// Read reads and decrypts a TLS 1.3 record from the underlying connection, and -// copies any application data received from the peer into b. If the size of the -// payload is greater than len(b), Read retains the remaining bytes in an -// internal buffer, and subsequent calls to Read will read from this buffer -// until it is exhausted. At most 1 TLS record worth of application data is -// written to b for each call to Read. -// -// Note that for the user to efficiently call this method, the user should -// ensure that the buffer b is allocated such that the buffer does not have any -// unused segments. This can be done by calling Read via io.ReadFull, which -// continually calls Read until the specified buffer has been filled. Also note -// that the user should close the connection via Close() if an error is thrown -// by a call to Read. -func (p *conn) Read(b []byte) (n int, err error) { - p.readMutex.Lock() - defer p.readMutex.Unlock() - // Check if p.pendingApplication data has leftover application data from - // the previous call to Read. - if len(p.pendingApplicationData) == 0 { - // Read a full record from the wire. - record, err := p.readFullRecord() - if err != nil { - return 0, err - } - // Now we have a complete record, so split the header and validate it - // The TLS record is split into 2 pieces: the record header and the - // payload. The payload has the following form: - // [payload] = [ciphertext of application data] - // + [ciphertext of record type byte] - // + [(optionally) ciphertext of padding by zeros] - // + [tag] - header, payload, err := splitAndValidateHeader(record) - if err != nil { - return 0, err - } - // Decrypt the ciphertext. - p.pendingApplicationData, err = p.inConn.Decrypt(payload[:0], payload, header) - if err != nil { - return 0, err - } - // Remove the padding by zeros and the record type byte from the - // p.pendingApplicationData buffer. - msgType, err := p.stripPaddingAndType() - if err != nil { - return 0, err - } - // Check that the length of the plaintext after stripping the padding - // and record type byte is under the maximum plaintext size. - if len(p.pendingApplicationData) > tlsRecordMaxPlaintextSize { - return 0, errors.New("plaintext size larger than maximum") - } - // The expected message types are application data, alert, and - // handshake. For application data, the bytes are directly copied into - // b. For an alert, the type of the alert is checked and the connection - // is closed on a close notify alert. For a handshake message, the - // handshake message type is checked. The handshake message type can be - // a key update type, for which we advance the traffic secret, and a - // new session ticket type, for which we send the received ticket to S2A - // for processing. - switch msgType { - case applicationData: - if len(p.handshakeBuf) > 0 { - return 0, errors.New("application data received while processing fragmented handshake messages") - } - case alert: - return 0, p.handleAlertMessage() - case handshake: - if err = p.handleHandshakeMessage(); err != nil { - return 0, err - } - return 0, nil - default: - return 0, errors.New("unknown record type") - } - } - // Write as much application data as possible to b, the output buffer. - n = copy(b, p.pendingApplicationData) - p.pendingApplicationData = p.pendingApplicationData[n:] - return n, nil -} - -// Write divides b into segments of size tlsRecordMaxPlaintextSize, builds a -// TLS 1.3 record (of type "application data") from each segment, and sends -// the record to the peer. It returns the number of plaintext bytes that were -// successfully sent to the peer. -func (p *conn) Write(b []byte) (n int, err error) { - p.writeMutex.Lock() - defer p.writeMutex.Unlock() - return p.writeTLSRecord(b, tlsApplicationData) -} - -// writeTLSRecord divides b into segments of size maxPlaintextBytesPerRecord, -// builds a TLS 1.3 record (of type recordType) from each segment, and sends -// the record to the peer. It returns the number of plaintext bytes that were -// successfully sent to the peer. -func (p *conn) writeTLSRecord(b []byte, recordType byte) (n int, err error) { - // Create a record of only header, record type, and tag if given empty - // byte array. - if len(b) == 0 { - recordEndIndex, _, err := p.buildRecord(b, recordType, 0) - if err != nil { - return 0, err - } - - // Write the bytes stored in outRecordsBuf to p.Conn. Since we return - // the number of plaintext bytes written without overhead, we will - // always return 0 while p.Conn.Write returns the entire record length. - _, err = p.Conn.Write(p.outRecordsBuf[:recordEndIndex]) - return 0, err - } - - numRecords := int(math.Ceil(float64(len(b)) / float64(tlsRecordMaxPlaintextSize))) - totalRecordsSize := len(b) + numRecords*p.overheadSize - partialBSize := len(b) - if totalRecordsSize > outBufMaxSize { - totalRecordsSize = outBufMaxSize - partialBSize = outBufMaxRecords * tlsRecordMaxPlaintextSize - } - if len(p.outRecordsBuf) < totalRecordsSize { - p.outRecordsBuf = make([]byte, totalRecordsSize) - } - for bStart := 0; bStart < len(b); bStart += partialBSize { - bEnd := bStart + partialBSize - if bEnd > len(b) { - bEnd = len(b) - } - partialB := b[bStart:bEnd] - recordEndIndex := 0 - for len(partialB) > 0 { - recordEndIndex, partialB, err = p.buildRecord(partialB, recordType, recordEndIndex) - if err != nil { - // Return the amount of bytes written prior to the error. - return bStart, err - } - } - // Write the bytes stored in outRecordsBuf to p.Conn. If there is an - // error, calculate the total number of plaintext bytes of complete - // records successfully written to the peer and return it. - nn, err := p.Conn.Write(p.outRecordsBuf[:recordEndIndex]) - if err != nil { - numberOfCompletedRecords := int(math.Floor(float64(nn) / float64(tlsRecordMaxSize))) - return bStart + numberOfCompletedRecords*tlsRecordMaxPlaintextSize, err - } - } - return len(b), nil -} - -// buildRecord builds a TLS 1.3 record of type recordType from plaintext, -// and writes the record to outRecordsBuf at recordStartIndex. The record will -// have at most tlsRecordMaxPlaintextSize bytes of payload. It returns the -// index of outRecordsBuf where the current record ends, as well as any -// remaining plaintext bytes. -func (p *conn) buildRecord(plaintext []byte, recordType byte, recordStartIndex int) (n int, remainingPlaintext []byte, err error) { - // Construct the payload, which consists of application data and record type. - dataLen := len(plaintext) - if dataLen > tlsRecordMaxPlaintextSize { - dataLen = tlsRecordMaxPlaintextSize - } - remainingPlaintext = plaintext[dataLen:] - newRecordBuf := p.outRecordsBuf[recordStartIndex:] - - copy(newRecordBuf[tlsRecordHeaderSize:], plaintext[:dataLen]) - newRecordBuf[tlsRecordHeaderSize+dataLen] = recordType - payload := newRecordBuf[tlsRecordHeaderSize : tlsRecordHeaderSize+dataLen+1] // 1 is for the recordType. - // Construct the header. - newRecordBuf[0] = tlsApplicationData - newRecordBuf[1] = tlsLegacyRecordVersion - newRecordBuf[2] = tlsLegacyRecordVersion - binary.BigEndian.PutUint16(newRecordBuf[3:], uint16(len(payload)+tlsTagSize)) - header := newRecordBuf[:tlsRecordHeaderSize] - - // Encrypt the payload using header as aad. - encryptedPayload, err := p.outConn.Encrypt(newRecordBuf[tlsRecordHeaderSize:][:0], payload, header) - if err != nil { - return 0, plaintext, err - } - recordStartIndex += len(header) + len(encryptedPayload) - return recordStartIndex, remainingPlaintext, nil -} - -func (p *conn) Close() error { - // Close the connection immediately. - return p.Conn.Close() -} - -// stripPaddingAndType strips the padding by zeros and record type from -// p.pendingApplicationData and returns the record type. Note that -// p.pendingApplicationData should be of the form: -// [application data] + [record type byte] + [trailing zeros] -func (p *conn) stripPaddingAndType() (recordType, error) { - if len(p.pendingApplicationData) == 0 { - return 0, errors.New("application data had length 0") - } - i := len(p.pendingApplicationData) - 1 - // Search for the index of the record type byte. - for i > 0 { - if p.pendingApplicationData[i] != 0 { - break - } - i-- - } - rt := recordType(p.pendingApplicationData[i]) - p.pendingApplicationData = p.pendingApplicationData[:i] - return rt, nil -} - -// readFullRecord reads from the wire until a record is completed and returns -// the full record. -func (p *conn) readFullRecord() (fullRecord []byte, err error) { - fullRecord, p.nextRecord, err = parseReadBuffer(p.nextRecord, tlsRecordMaxPayloadSize) - if err != nil { - return nil, err - } - // Check whether the next record to be decrypted has been completely - // received. - if len(fullRecord) == 0 { - copy(p.unusedBuf, p.nextRecord) - p.unusedBuf = p.unusedBuf[:len(p.nextRecord)] - // Always copy next incomplete record to the beginning of the - // unusedBuf buffer and reset nextRecord to it. - p.nextRecord = p.unusedBuf - } - // Keep reading from the wire until we have a complete record. - for len(fullRecord) == 0 { - if len(p.unusedBuf) == cap(p.unusedBuf) { - tmp := make([]byte, len(p.unusedBuf), cap(p.unusedBuf)+tlsRecordMaxSize) - copy(tmp, p.unusedBuf) - p.unusedBuf = tmp - } - n, err := p.Conn.Read(p.unusedBuf[len(p.unusedBuf):min(cap(p.unusedBuf), len(p.unusedBuf)+tlsRecordMaxSize)]) - if err != nil { - return nil, err - } - p.unusedBuf = p.unusedBuf[:len(p.unusedBuf)+n] - fullRecord, p.nextRecord, err = parseReadBuffer(p.unusedBuf, tlsRecordMaxPayloadSize) - if err != nil { - return nil, err - } - } - return fullRecord, nil -} - -// parseReadBuffer parses the provided buffer and returns a full record and any -// remaining bytes in that buffer. If the record is incomplete, nil is returned -// for the first return value and the given byte buffer is returned for the -// second return value. The length of the payload specified by the header should -// not be greater than maxLen, otherwise an error is returned. Note that this -// function does not allocate or copy any buffers. -func parseReadBuffer(b []byte, maxLen uint16) (fullRecord, remaining []byte, err error) { - // If the header is not complete, return the provided buffer as remaining - // buffer. - if len(b) < tlsRecordHeaderSize { - return nil, b, nil - } - msgLenField := b[tlsRecordHeaderTypeSize+tlsRecordHeaderLegacyRecordVersionSize : tlsRecordHeaderSize] - length := binary.BigEndian.Uint16(msgLenField) - if length > maxLen { - return nil, nil, fmt.Errorf("record length larger than the limit %d", maxLen) - } - if len(b) < int(length)+tlsRecordHeaderSize { - // Record is not complete yet. - return nil, b, nil - } - return b[:tlsRecordHeaderSize+length], b[tlsRecordHeaderSize+length:], nil -} - -// splitAndValidateHeader splits the header from the payload in the TLS 1.3 -// record and returns them. Note that the header is checked for validity, and an -// error is returned when an invalid header is parsed. Also note that this -// function does not allocate or copy any buffers. -func splitAndValidateHeader(record []byte) (header, payload []byte, err error) { - if len(record) < tlsRecordHeaderSize { - return nil, nil, fmt.Errorf("record was smaller than the header size") - } - header = record[:tlsRecordHeaderSize] - payload = record[tlsRecordHeaderSize:] - if header[0] != tlsApplicationData { - return nil, nil, fmt.Errorf("incorrect type in the header") - } - // Check the legacy record version, which should be 0x03, 0x03. - if header[1] != 0x03 || header[2] != 0x03 { - return nil, nil, fmt.Errorf("incorrect legacy record version in the header") - } - return header, payload, nil -} - -// handleAlertMessage handles an alert message. -func (p *conn) handleAlertMessage() error { - if len(p.pendingApplicationData) != tlsAlertSize { - return errors.New("invalid alert message size") - } - alertType := p.pendingApplicationData[1] - // Clear the body of the alert message. - p.pendingApplicationData = p.pendingApplicationData[:0] - if alertType == byte(closeNotify) { - return errors.New("received a close notify alert") - } - // TODO(matthewstevenson88): Add support for more alert types. - return fmt.Errorf("received an unrecognized alert type: %v", alertType) -} - -// parseHandshakeHeader parses a handshake message from the handshake buffer. -// It returns the message type, the message length, the message, the raw message -// that includes the type and length bytes and a flag indicating whether the -// handshake message has been fully parsed. i.e. whether the entire handshake -// message was in the handshake buffer. -func (p *conn) parseHandshakeMsg() (msgType byte, msgLen uint32, msg []byte, rawMsg []byte, ok bool) { - // Handle the case where the 4 byte handshake header is fragmented. - if len(p.handshakeBuf) < tlsHandshakePrefixSize { - return 0, 0, nil, nil, false - } - msgType = p.handshakeBuf[0] - msgLen = bigEndianInt24(p.handshakeBuf[tlsHandshakeMsgTypeSize : tlsHandshakeMsgTypeSize+tlsHandshakeLengthSize]) - if msgLen > uint32(len(p.handshakeBuf)-tlsHandshakePrefixSize) { - return 0, 0, nil, nil, false - } - msg = p.handshakeBuf[tlsHandshakePrefixSize : tlsHandshakePrefixSize+msgLen] - rawMsg = p.handshakeBuf[:tlsHandshakeMsgTypeSize+tlsHandshakeLengthSize+msgLen] - p.handshakeBuf = p.handshakeBuf[tlsHandshakePrefixSize+msgLen:] - return msgType, msgLen, msg, rawMsg, true -} - -// handleHandshakeMessage handles a handshake message. Note that the first -// complete handshake message from the handshake buffer is removed, if it -// exists. -func (p *conn) handleHandshakeMessage() error { - // Copy the pending application data to the handshake buffer. At this point, - // we are guaranteed that the pending application data contains only parts - // of a handshake message. - p.handshakeBuf = append(p.handshakeBuf, p.pendingApplicationData...) - p.pendingApplicationData = p.pendingApplicationData[:0] - // Several handshake messages may be coalesced into a single record. - // Continue reading them until the handshake buffer is empty. - for len(p.handshakeBuf) > 0 { - handshakeMsgType, msgLen, msg, _, ok := p.parseHandshakeMsg() - if !ok { - // The handshake could not be fully parsed, so read in another - // record and try again later. - break - } - switch handshakeMsgType { - case tlsHandshakeKeyUpdateType: - if msgLen != tlsHandshakeKeyUpdateMsgSize { - return errors.New("invalid handshake key update message length") - } - if len(p.handshakeBuf) != 0 { - return errors.New("key update message must be the last message of a handshake record") - } - if err := p.handleKeyUpdateMsg(msg); err != nil { - return err - } - case tlsHandshakeNewSessionTicketType: - // Do nothing for session ticket. - default: - return errors.New("unknown handshake message type") - } - } - return nil -} - -func buildKeyUpdateRequest() []byte { - b := make([]byte, tlsHandshakePrefixSize+tlsHandshakeKeyUpdateMsgSize) - b[0] = tlsHandshakeKeyUpdateType - b[1] = 0 - b[2] = 0 - b[3] = tlsHandshakeKeyUpdateMsgSize - b[4] = byte(updateNotRequested) - return b -} - -// handleKeyUpdateMsg handles a key update message. -func (p *conn) handleKeyUpdateMsg(msg []byte) error { - keyUpdateRequest := msg[0] - if keyUpdateRequest != byte(updateNotRequested) && - keyUpdateRequest != byte(updateRequested) { - return errors.New("invalid handshake key update message") - } - if err := p.inConn.UpdateKey(); err != nil { - return err - } - // Send a key update message back to the peer if requested. - if keyUpdateRequest == byte(updateRequested) { - p.writeMutex.Lock() - defer p.writeMutex.Unlock() - n, err := p.writeTLSRecord(preConstructedKeyUpdateMsg, byte(handshake)) - if err != nil { - return err - } - if n != tlsHandshakePrefixSize+tlsHandshakeKeyUpdateMsgSize { - return errors.New("key update request message wrote less bytes than expected") - } - if err = p.outConn.UpdateKey(); err != nil { - return err - } - } - return nil -} - -// bidEndianInt24 converts the given byte buffer of at least size 3 and -// outputs the resulting 24 bit integer as a uint32. This is needed because -// TLS 1.3 requires 3 byte integers, and the binary.BigEndian package does -// not provide a way to transform a byte buffer into a 3 byte integer. -func bigEndianInt24(b []byte) uint32 { - _ = b[2] // bounds check hint to compiler; see golang.org/issue/14808 - return uint32(b[2]) | uint32(b[1])<<8 | uint32(b[0])<<16 -} - -func min(a, b int) int { - if a < b { - return a - } - return b -} diff --git a/vendor/github.com/google/s2a-go/internal/record/ticketsender.go b/vendor/github.com/google/s2a-go/internal/record/ticketsender.go deleted file mode 100644 index e51199ab3..000000000 --- a/vendor/github.com/google/s2a-go/internal/record/ticketsender.go +++ /dev/null @@ -1,178 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package record - -import ( - "context" - "fmt" - "sync" - "time" - - "github.com/google/s2a-go/internal/handshaker/service" - commonpb "github.com/google/s2a-go/internal/proto/common_go_proto" - s2apb "github.com/google/s2a-go/internal/proto/s2a_go_proto" - "github.com/google/s2a-go/internal/tokenmanager" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/grpclog" -) - -// sessionTimeout is the timeout for creating a session with the S2A handshaker -// service. -const sessionTimeout = time.Second * 5 - -// s2aTicketSender sends session tickets to the S2A handshaker service. -type s2aTicketSender interface { - // sendTicketsToS2A sends the given session tickets to the S2A handshaker - // service. - sendTicketsToS2A(sessionTickets [][]byte, callComplete chan bool) -} - -// ticketStream is the stream used to send and receive session information. -type ticketStream interface { - Send(*s2apb.SessionReq) error - Recv() (*s2apb.SessionResp, error) -} - -type ticketSender struct { - // hsAddr stores the address of the S2A handshaker service. - hsAddr string - // connectionID is the connection identifier that was created and sent by - // S2A at the end of a handshake. - connectionID uint64 - // localIdentity is the local identity that was used by S2A during session - // setup and included in the session result. - localIdentity *commonpb.Identity - // tokenManager manages access tokens for authenticating to S2A. - tokenManager tokenmanager.AccessTokenManager - // ensureProcessSessionTickets allows users to wait and ensure that all - // available session tickets are sent to S2A before a process completes. - ensureProcessSessionTickets *sync.WaitGroup -} - -// sendTicketsToS2A sends the given sessionTickets to the S2A handshaker -// service. This is done asynchronously and writes to the error logs if an error -// occurs. -func (t *ticketSender) sendTicketsToS2A(sessionTickets [][]byte, callComplete chan bool) { - // Note that the goroutine is in the function rather than at the caller - // because the fake ticket sender used for testing must run synchronously - // so that the session tickets can be accessed from it after the tests have - // been run. - if t.ensureProcessSessionTickets != nil { - t.ensureProcessSessionTickets.Add(1) - } - go func() { - if err := func() error { - defer func() { - if t.ensureProcessSessionTickets != nil { - t.ensureProcessSessionTickets.Done() - } - }() - ctx, cancel := context.WithTimeout(context.Background(), sessionTimeout) - defer cancel() - // The transportCreds only needs to be set when talking to S2AV2 and also - // if mTLS is required. - hsConn, err := service.Dial(ctx, t.hsAddr, nil) - if err != nil { - return err - } - client := s2apb.NewS2AServiceClient(hsConn) - session, err := client.SetUpSession(ctx) - if err != nil { - return err - } - defer func() { - if err := session.CloseSend(); err != nil { - grpclog.Error(err) - } - }() - return t.writeTicketsToStream(session, sessionTickets) - }(); err != nil { - grpclog.Errorf("failed to send resumption tickets to S2A with identity: %v, %v", - t.localIdentity, err) - } - callComplete <- true - close(callComplete) - }() -} - -// writeTicketsToStream writes the given session tickets to the given stream. -func (t *ticketSender) writeTicketsToStream(stream ticketStream, sessionTickets [][]byte) error { - if err := stream.Send( - &s2apb.SessionReq{ - ReqOneof: &s2apb.SessionReq_ResumptionTicket{ - ResumptionTicket: &s2apb.ResumptionTicketReq{ - InBytes: sessionTickets, - ConnectionId: t.connectionID, - LocalIdentity: t.localIdentity, - }, - }, - AuthMechanisms: t.getAuthMechanisms(), - }, - ); err != nil { - return err - } - sessionResp, err := stream.Recv() - if err != nil { - return err - } - if sessionResp.GetStatus().GetCode() != uint32(codes.OK) { - return fmt.Errorf("s2a session ticket response had error status: %v, %v", - sessionResp.GetStatus().GetCode(), sessionResp.GetStatus().GetDetails()) - } - return nil -} - -func (t *ticketSender) getAuthMechanisms() []*s2apb.AuthenticationMechanism { - if t.tokenManager == nil { - return nil - } - // First handle the special case when no local identity has been provided - // by the application. In this case, an AuthenticationMechanism with no local - // identity will be sent. - if t.localIdentity == nil { - token, err := t.tokenManager.DefaultToken() - if err != nil { - grpclog.Infof("unable to get token for empty local identity: %v", err) - return nil - } - return []*s2apb.AuthenticationMechanism{ - { - MechanismOneof: &s2apb.AuthenticationMechanism_Token{ - Token: token, - }, - }, - } - } - - // Next, handle the case where the application (or the S2A) has specified - // a local identity. - token, err := t.tokenManager.Token(t.localIdentity) - if err != nil { - grpclog.Infof("unable to get token for local identity %v: %v", t.localIdentity, err) - return nil - } - return []*s2apb.AuthenticationMechanism{ - { - Identity: t.localIdentity, - MechanismOneof: &s2apb.AuthenticationMechanism_Token{ - Token: token, - }, - }, - } -} diff --git a/vendor/github.com/google/s2a-go/internal/tokenmanager/tokenmanager.go b/vendor/github.com/google/s2a-go/internal/tokenmanager/tokenmanager.go deleted file mode 100644 index 4057e70c8..000000000 --- a/vendor/github.com/google/s2a-go/internal/tokenmanager/tokenmanager.go +++ /dev/null @@ -1,79 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package tokenmanager provides tokens for authenticating to S2A. -package tokenmanager - -import ( - "fmt" - "os" - - commonpbv1 "github.com/google/s2a-go/internal/proto/common_go_proto" - commonpb "github.com/google/s2a-go/internal/proto/v2/common_go_proto" -) - -const ( - s2aAccessTokenEnvironmentVariable = "S2A_ACCESS_TOKEN" -) - -// AccessTokenManager manages tokens for authenticating to S2A. -type AccessTokenManager interface { - // DefaultToken returns a token that an application with no specified local - // identity must use to authenticate to S2A. - DefaultToken() (token string, err error) - // Token returns a token that an application with local identity equal to - // identity must use to authenticate to S2A. - Token(identity interface{}) (token string, err error) -} - -type singleTokenAccessTokenManager struct { - token string -} - -// NewSingleTokenAccessTokenManager returns a new AccessTokenManager instance -// that will always manage the same token. -// -// The token to be managed is read from the s2aAccessTokenEnvironmentVariable -// environment variable. If this environment variable is not set, then this -// function returns an error. -func NewSingleTokenAccessTokenManager() (AccessTokenManager, error) { - token, variableExists := os.LookupEnv(s2aAccessTokenEnvironmentVariable) - if !variableExists { - return nil, fmt.Errorf("%s environment variable is not set", s2aAccessTokenEnvironmentVariable) - } - return &singleTokenAccessTokenManager{token: token}, nil -} - -// DefaultToken always returns the token managed by the -// singleTokenAccessTokenManager. -func (m *singleTokenAccessTokenManager) DefaultToken() (string, error) { - return m.token, nil -} - -// Token always returns the token managed by the singleTokenAccessTokenManager. -func (m *singleTokenAccessTokenManager) Token(identity interface{}) (string, error) { - switch v := identity.(type) { - case *commonpbv1.Identity: - // valid type. - case *commonpb.Identity: - // valid type. - default: - return "", fmt.Errorf("Incorrect identity type: %v", v) - } - return m.token, nil -} diff --git a/vendor/github.com/google/s2a-go/internal/v2/README.md b/vendor/github.com/google/s2a-go/internal/v2/README.md deleted file mode 100644 index 3806d1e9c..000000000 --- a/vendor/github.com/google/s2a-go/internal/v2/README.md +++ /dev/null @@ -1 +0,0 @@ -**This directory has the implementation of the S2Av2's gRPC-Go client libraries** diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/certverifier.go b/vendor/github.com/google/s2a-go/internal/v2/certverifier/certverifier.go deleted file mode 100644 index cc811879b..000000000 --- a/vendor/github.com/google/s2a-go/internal/v2/certverifier/certverifier.go +++ /dev/null @@ -1,122 +0,0 @@ -/* - * - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package certverifier offloads verifications to S2Av2. -package certverifier - -import ( - "crypto/x509" - "fmt" - - "github.com/google/s2a-go/stream" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/grpclog" - - s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto" -) - -// VerifyClientCertificateChain builds a SessionReq, sends it to S2Av2 and -// receives a SessionResp. -func VerifyClientCertificateChain(verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, s2AStream stream.S2AStream) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - // Offload verification to S2Av2. - if grpclog.V(1) { - grpclog.Infof("Sending request to S2Av2 for client peer cert chain validation.") - } - if err := s2AStream.Send(&s2av2pb.SessionReq{ - ReqOneof: &s2av2pb.SessionReq_ValidatePeerCertificateChainReq{ - ValidatePeerCertificateChainReq: &s2av2pb.ValidatePeerCertificateChainReq{ - Mode: verificationMode, - PeerOneof: &s2av2pb.ValidatePeerCertificateChainReq_ClientPeer_{ - ClientPeer: &s2av2pb.ValidatePeerCertificateChainReq_ClientPeer{ - CertificateChain: rawCerts, - }, - }, - }, - }, - }); err != nil { - grpclog.Infof("Failed to send request to S2Av2 for client peer cert chain validation.") - return err - } - - // Get the response from S2Av2. - resp, err := s2AStream.Recv() - if err != nil { - grpclog.Infof("Failed to receive client peer cert chain validation response from S2Av2.") - return err - } - - // Parse the response. - if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) { - return fmt.Errorf("failed to offload client cert verification to S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details) - - } - - if resp.GetValidatePeerCertificateChainResp().ValidationResult != s2av2pb.ValidatePeerCertificateChainResp_SUCCESS { - return fmt.Errorf("client cert verification failed: %v", resp.GetValidatePeerCertificateChainResp().ValidationDetails) - } - - return nil - } -} - -// VerifyServerCertificateChain builds a SessionReq, sends it to S2Av2 and -// receives a SessionResp. -func VerifyServerCertificateChain(hostname string, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, s2AStream stream.S2AStream, serverAuthorizationPolicy []byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - // Offload verification to S2Av2. - if grpclog.V(1) { - grpclog.Infof("Sending request to S2Av2 for server peer cert chain validation.") - } - if err := s2AStream.Send(&s2av2pb.SessionReq{ - ReqOneof: &s2av2pb.SessionReq_ValidatePeerCertificateChainReq{ - ValidatePeerCertificateChainReq: &s2av2pb.ValidatePeerCertificateChainReq{ - Mode: verificationMode, - PeerOneof: &s2av2pb.ValidatePeerCertificateChainReq_ServerPeer_{ - ServerPeer: &s2av2pb.ValidatePeerCertificateChainReq_ServerPeer{ - CertificateChain: rawCerts, - ServerHostname: hostname, - SerializedUnrestrictedClientPolicy: serverAuthorizationPolicy, - }, - }, - }, - }, - }); err != nil { - grpclog.Infof("Failed to send request to S2Av2 for server peer cert chain validation.") - return err - } - - // Get the response from S2Av2. - resp, err := s2AStream.Recv() - if err != nil { - grpclog.Infof("Failed to receive server peer cert chain validation response from S2Av2.") - return err - } - - // Parse the response. - if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) { - return fmt.Errorf("failed to offload server cert verification to S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details) - } - - if resp.GetValidatePeerCertificateChainResp().ValidationResult != s2av2pb.ValidatePeerCertificateChainResp_SUCCESS { - return fmt.Errorf("server cert verification failed: %v", resp.GetValidatePeerCertificateChainResp().ValidationDetails) - } - - return nil - } -} diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/remotesigner.go b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/remotesigner.go deleted file mode 100644 index e7478d43f..000000000 --- a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/remotesigner.go +++ /dev/null @@ -1,186 +0,0 @@ -/* - * - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package remotesigner offloads private key operations to S2Av2. -package remotesigner - -import ( - "crypto" - "crypto/rsa" - "crypto/x509" - "fmt" - "io" - - "github.com/google/s2a-go/stream" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/grpclog" - - s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto" -) - -// remoteSigner implementes the crypto.Signer interface. -type remoteSigner struct { - leafCert *x509.Certificate - s2AStream stream.S2AStream -} - -// New returns an instance of RemoteSigner, an implementation of the -// crypto.Signer interface. -func New(leafCert *x509.Certificate, s2AStream stream.S2AStream) crypto.Signer { - return &remoteSigner{leafCert, s2AStream} -} - -func (s *remoteSigner) Public() crypto.PublicKey { - return s.leafCert.PublicKey -} - -func (s *remoteSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { - signatureAlgorithm, err := getSignatureAlgorithm(opts, s.leafCert) - if err != nil { - return nil, err - } - - req, err := getSignReq(signatureAlgorithm, digest) - if err != nil { - return nil, err - } - if grpclog.V(1) { - grpclog.Infof("Sending request to S2Av2 for signing operation.") - } - if err := s.s2AStream.Send(&s2av2pb.SessionReq{ - ReqOneof: &s2av2pb.SessionReq_OffloadPrivateKeyOperationReq{ - OffloadPrivateKeyOperationReq: req, - }, - }); err != nil { - grpclog.Infof("Failed to send request to S2Av2 for signing operation.") - return nil, err - } - - resp, err := s.s2AStream.Recv() - if err != nil { - grpclog.Infof("Failed to receive signing operation response from S2Av2.") - return nil, err - } - - if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) { - return nil, fmt.Errorf("failed to offload signing with private key to S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details) - } - - return resp.GetOffloadPrivateKeyOperationResp().GetOutBytes(), nil -} - -// getCert returns the leafCert field in s. -func (s *remoteSigner) getCert() *x509.Certificate { - return s.leafCert -} - -// getStream returns the s2AStream field in s. -func (s *remoteSigner) getStream() stream.S2AStream { - return s.s2AStream -} - -func getSignReq(signatureAlgorithm s2av2pb.SignatureAlgorithm, digest []byte) (*s2av2pb.OffloadPrivateKeyOperationReq, error) { - if (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA256) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP256R1_SHA256) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA256) { - return &s2av2pb.OffloadPrivateKeyOperationReq{ - Operation: s2av2pb.OffloadPrivateKeyOperationReq_SIGN, - SignatureAlgorithm: signatureAlgorithm, - InBytes: &s2av2pb.OffloadPrivateKeyOperationReq_Sha256Digest{ - Sha256Digest: digest, - }, - }, nil - } else if (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA384) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP384R1_SHA384) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA384) { - return &s2av2pb.OffloadPrivateKeyOperationReq{ - Operation: s2av2pb.OffloadPrivateKeyOperationReq_SIGN, - SignatureAlgorithm: signatureAlgorithm, - InBytes: &s2av2pb.OffloadPrivateKeyOperationReq_Sha384Digest{ - Sha384Digest: digest, - }, - }, nil - } else if (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA512) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP521R1_SHA512) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA512) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ED25519) { - return &s2av2pb.OffloadPrivateKeyOperationReq{ - Operation: s2av2pb.OffloadPrivateKeyOperationReq_SIGN, - SignatureAlgorithm: signatureAlgorithm, - InBytes: &s2av2pb.OffloadPrivateKeyOperationReq_Sha512Digest{ - Sha512Digest: digest, - }, - }, nil - } else { - return nil, fmt.Errorf("unknown signature algorithm: %v", signatureAlgorithm) - } -} - -// getSignatureAlgorithm returns the signature algorithm that S2A must use when -// performing a signing operation that has been offloaded by an application -// using the crypto/tls libraries. -func getSignatureAlgorithm(opts crypto.SignerOpts, leafCert *x509.Certificate) (s2av2pb.SignatureAlgorithm, error) { - if opts == nil || leafCert == nil { - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm") - } - switch leafCert.PublicKeyAlgorithm { - case x509.RSA: - if rsaPSSOpts, ok := opts.(*rsa.PSSOptions); ok { - return rsaPSSAlgorithm(rsaPSSOpts) - } - return rsaPPKCS1Algorithm(opts) - case x509.ECDSA: - return ecdsaAlgorithm(opts) - case x509.Ed25519: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ED25519, nil - default: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm: %q", leafCert.PublicKeyAlgorithm) - } -} - -func rsaPSSAlgorithm(opts *rsa.PSSOptions) (s2av2pb.SignatureAlgorithm, error) { - switch opts.HashFunc() { - case crypto.SHA256: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA256, nil - case crypto.SHA384: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA384, nil - case crypto.SHA512: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA512, nil - default: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm") - } -} - -func rsaPPKCS1Algorithm(opts crypto.SignerOpts) (s2av2pb.SignatureAlgorithm, error) { - switch opts.HashFunc() { - case crypto.SHA256: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA256, nil - case crypto.SHA384: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA384, nil - case crypto.SHA512: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA512, nil - default: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm") - } -} - -func ecdsaAlgorithm(opts crypto.SignerOpts) (s2av2pb.SignatureAlgorithm, error) { - switch opts.HashFunc() { - case crypto.SHA256: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP256R1_SHA256, nil - case crypto.SHA384: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP384R1_SHA384, nil - case crypto.SHA512: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP521R1_SHA512, nil - default: - return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm") - } -} diff --git a/vendor/github.com/google/s2a-go/internal/v2/s2av2.go b/vendor/github.com/google/s2a-go/internal/v2/s2av2.go deleted file mode 100644 index a6402ee48..000000000 --- a/vendor/github.com/google/s2a-go/internal/v2/s2av2.go +++ /dev/null @@ -1,379 +0,0 @@ -/* - * - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package v2 provides the S2Av2 transport credentials used by a gRPC -// application. -package v2 - -import ( - "context" - "crypto/tls" - "errors" - "net" - "os" - "time" - - "github.com/google/s2a-go/fallback" - "github.com/google/s2a-go/internal/handshaker/service" - "github.com/google/s2a-go/internal/tokenmanager" - "github.com/google/s2a-go/internal/v2/tlsconfigstore" - "github.com/google/s2a-go/retry" - "github.com/google/s2a-go/stream" - "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - "google.golang.org/grpc/grpclog" - "google.golang.org/protobuf/proto" - - commonpb "github.com/google/s2a-go/internal/proto/v2/common_go_proto" - s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto" -) - -const ( - s2aSecurityProtocol = "tls" - defaultS2ATimeout = 6 * time.Second -) - -// An environment variable, which sets the timeout enforced on the connection to the S2A service for handshake. -const s2aTimeoutEnv = "S2A_TIMEOUT" - -type s2av2TransportCreds struct { - info *credentials.ProtocolInfo - isClient bool - serverName string - s2av2Address string - transportCreds credentials.TransportCredentials - tokenManager *tokenmanager.AccessTokenManager - // localIdentity should only be used by the client. - localIdentity *commonpb.Identity - // localIdentities should only be used by the server. - localIdentities []*commonpb.Identity - verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode - fallbackClientHandshake fallback.ClientHandshake - getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error) - serverAuthorizationPolicy []byte -} - -// NewClientCreds returns a client-side transport credentials object that uses -// the S2Av2 to establish a secure connection with a server. -func NewClientCreds(s2av2Address string, transportCreds credentials.TransportCredentials, localIdentity *commonpb.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, fallbackClientHandshakeFunc fallback.ClientHandshake, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error), serverAuthorizationPolicy []byte) (credentials.TransportCredentials, error) { - // Create an AccessTokenManager instance to use to authenticate to S2Av2. - accessTokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager() - - creds := &s2av2TransportCreds{ - info: &credentials.ProtocolInfo{ - SecurityProtocol: s2aSecurityProtocol, - }, - isClient: true, - serverName: "", - s2av2Address: s2av2Address, - transportCreds: transportCreds, - localIdentity: localIdentity, - verificationMode: verificationMode, - fallbackClientHandshake: fallbackClientHandshakeFunc, - getS2AStream: getS2AStream, - serverAuthorizationPolicy: serverAuthorizationPolicy, - } - if err != nil { - creds.tokenManager = nil - } else { - creds.tokenManager = &accessTokenManager - } - if grpclog.V(1) { - grpclog.Info("Created client S2Av2 transport credentials.") - } - return creds, nil -} - -// NewServerCreds returns a server-side transport credentials object that uses -// the S2Av2 to establish a secure connection with a client. -func NewServerCreds(s2av2Address string, transportCreds credentials.TransportCredentials, localIdentities []*commonpb.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error)) (credentials.TransportCredentials, error) { - // Create an AccessTokenManager instance to use to authenticate to S2Av2. - accessTokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager() - creds := &s2av2TransportCreds{ - info: &credentials.ProtocolInfo{ - SecurityProtocol: s2aSecurityProtocol, - }, - isClient: false, - s2av2Address: s2av2Address, - transportCreds: transportCreds, - localIdentities: localIdentities, - verificationMode: verificationMode, - getS2AStream: getS2AStream, - } - if err != nil { - creds.tokenManager = nil - } else { - creds.tokenManager = &accessTokenManager - } - if grpclog.V(1) { - grpclog.Info("Created server S2Av2 transport credentials.") - } - return creds, nil -} - -// ClientHandshake performs a client-side mTLS handshake using the S2Av2. -func (c *s2av2TransportCreds) ClientHandshake(ctx context.Context, serverAuthority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) { - if !c.isClient { - return nil, nil, errors.New("client handshake called using server transport credentials") - } - // Remove the port from serverAuthority. - serverName := removeServerNamePort(serverAuthority) - timeoutCtx, cancel := context.WithTimeout(ctx, GetS2ATimeout()) - defer cancel() - var s2AStream stream.S2AStream - var err error - retry.Run(timeoutCtx, - func() error { - s2AStream, err = createStream(timeoutCtx, c.s2av2Address, c.transportCreds, c.getS2AStream) - return err - }) - if err != nil { - grpclog.Infof("Failed to connect to S2Av2: %v", err) - if c.fallbackClientHandshake != nil { - return c.fallbackClientHandshake(ctx, serverAuthority, rawConn, err) - } - return nil, nil, err - } - defer s2AStream.CloseSend() - if grpclog.V(1) { - grpclog.Infof("Connected to S2Av2.") - } - var config *tls.Config - - var tokenManager tokenmanager.AccessTokenManager - if c.tokenManager == nil { - tokenManager = nil - } else { - tokenManager = *c.tokenManager - } - - sn := serverName - if c.serverName != "" { - sn = c.serverName - } - retry.Run(timeoutCtx, - func() error { - config, err = tlsconfigstore.GetTLSConfigurationForClient(sn, s2AStream, tokenManager, c.localIdentity, c.verificationMode, c.serverAuthorizationPolicy) - return err - }) - if err != nil { - grpclog.Info("Failed to get client TLS config from S2Av2: %v", err) - if c.fallbackClientHandshake != nil { - return c.fallbackClientHandshake(ctx, serverAuthority, rawConn, err) - } - return nil, nil, err - } - if grpclog.V(1) { - grpclog.Infof("Got client TLS config from S2Av2.") - } - - creds := credentials.NewTLS(config) - conn, authInfo, err := creds.ClientHandshake(timeoutCtx, serverName, rawConn) - if err != nil { - grpclog.Infof("Failed to do client handshake using S2Av2: %v", err) - if c.fallbackClientHandshake != nil { - return c.fallbackClientHandshake(ctx, serverAuthority, rawConn, err) - } - return nil, nil, err - } - grpclog.Infof("client-side handshake is done using S2Av2 to: %s", serverName) - - return conn, authInfo, err -} - -// ServerHandshake performs a server-side mTLS handshake using the S2Av2. -func (c *s2av2TransportCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) { - if c.isClient { - return nil, nil, errors.New("server handshake called using client transport credentials") - } - ctx, cancel := context.WithTimeout(context.Background(), GetS2ATimeout()) - defer cancel() - var s2AStream stream.S2AStream - var err error - retry.Run(ctx, - func() error { - s2AStream, err = createStream(ctx, c.s2av2Address, c.transportCreds, c.getS2AStream) - return err - }) - if err != nil { - grpclog.Infof("Failed to connect to S2Av2: %v", err) - return nil, nil, err - } - defer s2AStream.CloseSend() - if grpclog.V(1) { - grpclog.Infof("Connected to S2Av2.") - } - - var tokenManager tokenmanager.AccessTokenManager - if c.tokenManager == nil { - tokenManager = nil - } else { - tokenManager = *c.tokenManager - } - - var config *tls.Config - retry.Run(ctx, - func() error { - config, err = tlsconfigstore.GetTLSConfigurationForServer(s2AStream, tokenManager, c.localIdentities, c.verificationMode) - return err - }) - if err != nil { - grpclog.Infof("Failed to get server TLS config from S2Av2: %v", err) - return nil, nil, err - } - if grpclog.V(1) { - grpclog.Infof("Got server TLS config from S2Av2.") - } - - creds := credentials.NewTLS(config) - conn, authInfo, err := creds.ServerHandshake(rawConn) - if err != nil { - grpclog.Infof("Failed to do server handshake using S2Av2: %v", err) - return nil, nil, err - } - return conn, authInfo, err -} - -// Info returns protocol info of s2av2TransportCreds. -func (c *s2av2TransportCreds) Info() credentials.ProtocolInfo { - return *c.info -} - -// Clone makes a deep copy of s2av2TransportCreds. -func (c *s2av2TransportCreds) Clone() credentials.TransportCredentials { - info := *c.info - serverName := c.serverName - fallbackClientHandshake := c.fallbackClientHandshake - - s2av2Address := c.s2av2Address - var tokenManager tokenmanager.AccessTokenManager - if c.tokenManager == nil { - tokenManager = nil - } else { - tokenManager = *c.tokenManager - } - verificationMode := c.verificationMode - var localIdentity *commonpb.Identity - if c.localIdentity != nil { - localIdentity = proto.Clone(c.localIdentity).(*commonpb.Identity) - } - var localIdentities []*commonpb.Identity - if c.localIdentities != nil { - localIdentities = make([]*commonpb.Identity, len(c.localIdentities)) - for i, localIdentity := range c.localIdentities { - localIdentities[i] = proto.Clone(localIdentity).(*commonpb.Identity) - } - } - creds := &s2av2TransportCreds{ - info: &info, - isClient: c.isClient, - serverName: serverName, - fallbackClientHandshake: fallbackClientHandshake, - s2av2Address: s2av2Address, - localIdentity: localIdentity, - localIdentities: localIdentities, - verificationMode: verificationMode, - } - if c.tokenManager == nil { - creds.tokenManager = nil - } else { - creds.tokenManager = &tokenManager - } - return creds -} - -// NewClientTLSConfig returns a tls.Config instance that uses S2Av2 to establish a TLS connection as -// a client. The tls.Config MUST only be used to establish a single TLS connection. -func NewClientTLSConfig( - ctx context.Context, - s2av2Address string, - transportCreds credentials.TransportCredentials, - tokenManager tokenmanager.AccessTokenManager, - verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, - serverName string, - serverAuthorizationPolicy []byte) (*tls.Config, error) { - s2AStream, err := createStream(ctx, s2av2Address, transportCreds, nil) - if err != nil { - grpclog.Infof("Failed to connect to S2Av2: %v", err) - return nil, err - } - - return tlsconfigstore.GetTLSConfigurationForClient(removeServerNamePort(serverName), s2AStream, tokenManager, nil, verificationMode, serverAuthorizationPolicy) -} - -// OverrideServerName sets the ServerName in the s2av2TransportCreds protocol -// info. The ServerName MUST be a hostname. -func (c *s2av2TransportCreds) OverrideServerName(serverNameOverride string) error { - serverName := removeServerNamePort(serverNameOverride) - c.info.ServerName = serverName - c.serverName = serverName - return nil -} - -// Remove the trailing port from server name. -func removeServerNamePort(serverName string) string { - name, _, err := net.SplitHostPort(serverName) - if err != nil { - name = serverName - } - return name -} - -type s2AGrpcStream struct { - stream s2av2pb.S2AService_SetUpSessionClient -} - -func (x s2AGrpcStream) Send(m *s2av2pb.SessionReq) error { - return x.stream.Send(m) -} - -func (x s2AGrpcStream) Recv() (*s2av2pb.SessionResp, error) { - return x.stream.Recv() -} - -func (x s2AGrpcStream) CloseSend() error { - return x.stream.CloseSend() -} - -func createStream(ctx context.Context, s2av2Address string, transportCreds credentials.TransportCredentials, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error)) (stream.S2AStream, error) { - if getS2AStream != nil { - return getS2AStream(ctx, s2av2Address) - } - // TODO(rmehta19): Consider whether to close the connection to S2Av2. - conn, err := service.Dial(ctx, s2av2Address, transportCreds) - if err != nil { - return nil, err - } - client := s2av2pb.NewS2AServiceClient(conn) - gRPCStream, err := client.SetUpSession(ctx, []grpc.CallOption{}...) - if err != nil { - return nil, err - } - return &s2AGrpcStream{ - stream: gRPCStream, - }, nil -} - -// GetS2ATimeout returns the timeout enforced on the connection to the S2A service for handshake. -func GetS2ATimeout() time.Duration { - timeout, err := time.ParseDuration(os.Getenv(s2aTimeoutEnv)) - if err != nil { - return defaultS2ATimeout - } - return timeout -} diff --git a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/tlsconfigstore.go b/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/tlsconfigstore.go deleted file mode 100644 index fa0002e36..000000000 --- a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/tlsconfigstore.go +++ /dev/null @@ -1,403 +0,0 @@ -/* - * - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package tlsconfigstore offloads operations to S2Av2. -package tlsconfigstore - -import ( - "crypto/tls" - "crypto/x509" - "encoding/pem" - "errors" - "fmt" - - "github.com/google/s2a-go/internal/tokenmanager" - "github.com/google/s2a-go/internal/v2/certverifier" - "github.com/google/s2a-go/internal/v2/remotesigner" - "github.com/google/s2a-go/stream" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/grpclog" - - commonpb "github.com/google/s2a-go/internal/proto/v2/common_go_proto" - s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto" -) - -const ( - // HTTP/2 - h2 = "h2" -) - -// GetTLSConfigurationForClient returns a tls.Config instance for use by a client application. -func GetTLSConfigurationForClient(serverHostname string, s2AStream stream.S2AStream, tokenManager tokenmanager.AccessTokenManager, localIdentity *commonpb.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, serverAuthorizationPolicy []byte) (*tls.Config, error) { - authMechanisms := getAuthMechanisms(tokenManager, []*commonpb.Identity{localIdentity}) - - if grpclog.V(1) { - grpclog.Infof("Sending request to S2Av2 for client TLS config.") - } - // Send request to S2Av2 for config. - if err := s2AStream.Send(&s2av2pb.SessionReq{ - LocalIdentity: localIdentity, - AuthenticationMechanisms: authMechanisms, - ReqOneof: &s2av2pb.SessionReq_GetTlsConfigurationReq{ - GetTlsConfigurationReq: &s2av2pb.GetTlsConfigurationReq{ - ConnectionSide: commonpb.ConnectionSide_CONNECTION_SIDE_CLIENT, - }, - }, - }); err != nil { - grpclog.Infof("Failed to send request to S2Av2 for client TLS config") - return nil, err - } - - // Get the response containing config from S2Av2. - resp, err := s2AStream.Recv() - if err != nil { - grpclog.Infof("Failed to receive client TLS config response from S2Av2.") - return nil, err - } - - // TODO(rmehta19): Add unit test for this if statement. - if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) { - return nil, fmt.Errorf("failed to get TLS configuration from S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details) - } - - // Extract TLS configiguration from SessionResp. - tlsConfig := resp.GetGetTlsConfigurationResp().GetClientTlsConfiguration() - - var cert tls.Certificate - for i, v := range tlsConfig.CertificateChain { - // Populate Certificates field. - block, _ := pem.Decode([]byte(v)) - if block == nil { - return nil, errors.New("certificate in CertificateChain obtained from S2Av2 is empty") - } - x509Cert, err := x509.ParseCertificate(block.Bytes) - if err != nil { - return nil, err - } - cert.Certificate = append(cert.Certificate, x509Cert.Raw) - if i == 0 { - cert.Leaf = x509Cert - } - } - - if len(tlsConfig.CertificateChain) > 0 { - cert.PrivateKey = remotesigner.New(cert.Leaf, s2AStream) - if cert.PrivateKey == nil { - return nil, errors.New("failed to retrieve Private Key from Remote Signer Library") - } - } - - minVersion, maxVersion, err := getTLSMinMaxVersionsClient(tlsConfig) - if err != nil { - return nil, err - } - - // Create mTLS credentials for client. - config := &tls.Config{ - VerifyPeerCertificate: certverifier.VerifyServerCertificateChain(serverHostname, verificationMode, s2AStream, serverAuthorizationPolicy), - ServerName: serverHostname, - InsecureSkipVerify: true, // NOLINT - ClientSessionCache: nil, - SessionTicketsDisabled: true, - MinVersion: minVersion, - MaxVersion: maxVersion, - NextProtos: []string{h2}, - } - if len(tlsConfig.CertificateChain) > 0 { - config.Certificates = []tls.Certificate{cert} - } - return config, nil -} - -// GetTLSConfigurationForServer returns a tls.Config instance for use by a server application. -func GetTLSConfigurationForServer(s2AStream stream.S2AStream, tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpb.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode) (*tls.Config, error) { - return &tls.Config{ - GetConfigForClient: ClientConfig(tokenManager, localIdentities, verificationMode, s2AStream), - }, nil -} - -// ClientConfig builds a TLS config for a server to establish a secure -// connection with a client, based on SNI communicated during ClientHello. -// Ensures that server presents the correct certificate to establish a TLS -// connection. -func ClientConfig(tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpb.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, s2AStream stream.S2AStream) func(chi *tls.ClientHelloInfo) (*tls.Config, error) { - return func(chi *tls.ClientHelloInfo) (*tls.Config, error) { - tlsConfig, err := getServerConfigFromS2Av2(tokenManager, localIdentities, chi.ServerName, s2AStream) - if err != nil { - return nil, err - } - - var cert tls.Certificate - for i, v := range tlsConfig.CertificateChain { - // Populate Certificates field. - block, _ := pem.Decode([]byte(v)) - if block == nil { - return nil, errors.New("certificate in CertificateChain obtained from S2Av2 is empty") - } - x509Cert, err := x509.ParseCertificate(block.Bytes) - if err != nil { - return nil, err - } - cert.Certificate = append(cert.Certificate, x509Cert.Raw) - if i == 0 { - cert.Leaf = x509Cert - } - } - - cert.PrivateKey = remotesigner.New(cert.Leaf, s2AStream) - if cert.PrivateKey == nil { - return nil, errors.New("failed to retrieve Private Key from Remote Signer Library") - } - - minVersion, maxVersion, err := getTLSMinMaxVersionsServer(tlsConfig) - if err != nil { - return nil, err - } - - clientAuth := getTLSClientAuthType(tlsConfig) - - var cipherSuites []uint16 - cipherSuites = getCipherSuites(tlsConfig.Ciphersuites) - - // Create mTLS credentials for server. - return &tls.Config{ - Certificates: []tls.Certificate{cert}, - VerifyPeerCertificate: certverifier.VerifyClientCertificateChain(verificationMode, s2AStream), - ClientAuth: clientAuth, - CipherSuites: cipherSuites, - SessionTicketsDisabled: true, - MinVersion: minVersion, - MaxVersion: maxVersion, - NextProtos: []string{h2}, - }, nil - } -} - -func getCipherSuites(tlsConfigCipherSuites []commonpb.Ciphersuite) []uint16 { - var tlsGoCipherSuites []uint16 - for _, v := range tlsConfigCipherSuites { - s := getTLSCipherSuite(v) - if s != 0xffff { - tlsGoCipherSuites = append(tlsGoCipherSuites, s) - } - } - return tlsGoCipherSuites -} - -func getTLSCipherSuite(tlsCipherSuite commonpb.Ciphersuite) uint16 { - switch tlsCipherSuite { - case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - return tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - return tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: - return tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - return tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - return tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - return tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - default: - return 0xffff - } -} - -func getServerConfigFromS2Av2(tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpb.Identity, sni string, s2AStream stream.S2AStream) (*s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration, error) { - authMechanisms := getAuthMechanisms(tokenManager, localIdentities) - var locID *commonpb.Identity - if localIdentities != nil { - locID = localIdentities[0] - } - - if err := s2AStream.Send(&s2av2pb.SessionReq{ - LocalIdentity: locID, - AuthenticationMechanisms: authMechanisms, - ReqOneof: &s2av2pb.SessionReq_GetTlsConfigurationReq{ - GetTlsConfigurationReq: &s2av2pb.GetTlsConfigurationReq{ - ConnectionSide: commonpb.ConnectionSide_CONNECTION_SIDE_SERVER, - Sni: sni, - }, - }, - }); err != nil { - return nil, err - } - - resp, err := s2AStream.Recv() - if err != nil { - return nil, err - } - - // TODO(rmehta19): Add unit test for this if statement. - if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) { - return nil, fmt.Errorf("failed to get TLS configuration from S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details) - } - - return resp.GetGetTlsConfigurationResp().GetServerTlsConfiguration(), nil -} - -func getTLSClientAuthType(tlsConfig *s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration) tls.ClientAuthType { - var clientAuth tls.ClientAuthType - switch x := tlsConfig.RequestClientCertificate; x { - case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_DONT_REQUEST_CLIENT_CERTIFICATE: - clientAuth = tls.NoClientCert - case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: - clientAuth = tls.RequestClientCert - case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY: - // This case actually maps to tls.VerifyClientCertIfGiven. However this - // mapping triggers normal verification, followed by custom verification, - // specified in VerifyPeerCertificate. To bypass normal verification, and - // only do custom verification we set clientAuth to RequireAnyClientCert or - // RequestClientCert. See https://github.com/google/s2a-go/pull/43 for full - // discussion. - clientAuth = tls.RequireAnyClientCert - case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: - clientAuth = tls.RequireAnyClientCert - case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY: - // This case actually maps to tls.RequireAndVerifyClientCert. However this - // mapping triggers normal verification, followed by custom verification, - // specified in VerifyPeerCertificate. To bypass normal verification, and - // only do custom verification we set clientAuth to RequireAnyClientCert or - // RequestClientCert. See https://github.com/google/s2a-go/pull/43 for full - // discussion. - clientAuth = tls.RequireAnyClientCert - default: - clientAuth = tls.RequireAnyClientCert - } - return clientAuth -} - -func getAuthMechanisms(tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpb.Identity) []*s2av2pb.AuthenticationMechanism { - if tokenManager == nil { - return nil - } - if len(localIdentities) == 0 { - token, err := tokenManager.DefaultToken() - if err != nil { - grpclog.Infof("Unable to get token for empty local identity: %v", err) - return nil - } - return []*s2av2pb.AuthenticationMechanism{ - { - MechanismOneof: &s2av2pb.AuthenticationMechanism_Token{ - Token: token, - }, - }, - } - } - var authMechanisms []*s2av2pb.AuthenticationMechanism - for _, localIdentity := range localIdentities { - if localIdentity == nil { - token, err := tokenManager.DefaultToken() - if err != nil { - grpclog.Infof("Unable to get default token for local identity %v: %v", localIdentity, err) - continue - } - authMechanisms = append(authMechanisms, &s2av2pb.AuthenticationMechanism{ - Identity: localIdentity, - MechanismOneof: &s2av2pb.AuthenticationMechanism_Token{ - Token: token, - }, - }) - } else { - token, err := tokenManager.Token(localIdentity) - if err != nil { - grpclog.Infof("Unable to get token for local identity %v: %v", localIdentity, err) - continue - } - authMechanisms = append(authMechanisms, &s2av2pb.AuthenticationMechanism{ - Identity: localIdentity, - MechanismOneof: &s2av2pb.AuthenticationMechanism_Token{ - Token: token, - }, - }) - } - } - return authMechanisms -} - -// TODO(rmehta19): refactor switch statements into a helper function. -func getTLSMinMaxVersionsClient(tlsConfig *s2av2pb.GetTlsConfigurationResp_ClientTlsConfiguration) (uint16, uint16, error) { - // Map S2Av2 TLSVersion to consts defined in tls package. - var minVersion uint16 - var maxVersion uint16 - switch x := tlsConfig.MinTlsVersion; x { - case commonpb.TLSVersion_TLS_VERSION_1_0: - minVersion = tls.VersionTLS10 - case commonpb.TLSVersion_TLS_VERSION_1_1: - minVersion = tls.VersionTLS11 - case commonpb.TLSVersion_TLS_VERSION_1_2: - minVersion = tls.VersionTLS12 - case commonpb.TLSVersion_TLS_VERSION_1_3: - minVersion = tls.VersionTLS13 - default: - return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MinTlsVersion: %v", x) - } - - switch x := tlsConfig.MaxTlsVersion; x { - case commonpb.TLSVersion_TLS_VERSION_1_0: - maxVersion = tls.VersionTLS10 - case commonpb.TLSVersion_TLS_VERSION_1_1: - maxVersion = tls.VersionTLS11 - case commonpb.TLSVersion_TLS_VERSION_1_2: - maxVersion = tls.VersionTLS12 - case commonpb.TLSVersion_TLS_VERSION_1_3: - maxVersion = tls.VersionTLS13 - default: - return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MaxTlsVersion: %v", x) - } - if minVersion > maxVersion { - return minVersion, maxVersion, errors.New("S2Av2 provided minVersion > maxVersion") - } - return minVersion, maxVersion, nil -} - -func getTLSMinMaxVersionsServer(tlsConfig *s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration) (uint16, uint16, error) { - // Map S2Av2 TLSVersion to consts defined in tls package. - var minVersion uint16 - var maxVersion uint16 - switch x := tlsConfig.MinTlsVersion; x { - case commonpb.TLSVersion_TLS_VERSION_1_0: - minVersion = tls.VersionTLS10 - case commonpb.TLSVersion_TLS_VERSION_1_1: - minVersion = tls.VersionTLS11 - case commonpb.TLSVersion_TLS_VERSION_1_2: - minVersion = tls.VersionTLS12 - case commonpb.TLSVersion_TLS_VERSION_1_3: - minVersion = tls.VersionTLS13 - default: - return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MinTlsVersion: %v", x) - } - - switch x := tlsConfig.MaxTlsVersion; x { - case commonpb.TLSVersion_TLS_VERSION_1_0: - maxVersion = tls.VersionTLS10 - case commonpb.TLSVersion_TLS_VERSION_1_1: - maxVersion = tls.VersionTLS11 - case commonpb.TLSVersion_TLS_VERSION_1_2: - maxVersion = tls.VersionTLS12 - case commonpb.TLSVersion_TLS_VERSION_1_3: - maxVersion = tls.VersionTLS13 - default: - return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MaxTlsVersion: %v", x) - } - if minVersion > maxVersion { - return minVersion, maxVersion, errors.New("S2Av2 provided minVersion > maxVersion") - } - return minVersion, maxVersion, nil -} diff --git a/vendor/github.com/google/s2a-go/retry/retry.go b/vendor/github.com/google/s2a-go/retry/retry.go deleted file mode 100644 index f7e0a2377..000000000 --- a/vendor/github.com/google/s2a-go/retry/retry.go +++ /dev/null @@ -1,144 +0,0 @@ -/* - * - * Copyright 2023 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package retry provides a retry helper for talking to S2A gRPC server. -// The implementation is modeled after -// https://github.com/googleapis/google-cloud-go/blob/main/compute/metadata/retry.go -package retry - -import ( - "context" - "math/rand" - "time" - - "google.golang.org/grpc/grpclog" -) - -const ( - maxRetryAttempts = 5 - maxRetryForLoops = 10 -) - -type defaultBackoff struct { - max time.Duration - mul float64 - cur time.Duration -} - -// Pause returns a duration, which is used as the backoff wait time -// before the next retry. -func (b *defaultBackoff) Pause() time.Duration { - d := time.Duration(1 + rand.Int63n(int64(b.cur))) - b.cur = time.Duration(float64(b.cur) * b.mul) - if b.cur > b.max { - b.cur = b.max - } - return d -} - -// Sleep will wait for the specified duration or return on context -// expiration. -func Sleep(ctx context.Context, d time.Duration) error { - t := time.NewTimer(d) - select { - case <-ctx.Done(): - t.Stop() - return ctx.Err() - case <-t.C: - return nil - } -} - -// NewRetryer creates an instance of S2ARetryer using the defaultBackoff -// implementation. -var NewRetryer = func() *S2ARetryer { - return &S2ARetryer{bo: &defaultBackoff{ - cur: 100 * time.Millisecond, - max: 30 * time.Second, - mul: 2, - }} -} - -type backoff interface { - Pause() time.Duration -} - -// S2ARetryer implements a retry helper for talking to S2A gRPC server. -type S2ARetryer struct { - bo backoff - attempts int -} - -// Attempts return the number of retries attempted. -func (r *S2ARetryer) Attempts() int { - return r.attempts -} - -// Retry returns a boolean indicating whether retry should be performed -// and the backoff duration. -func (r *S2ARetryer) Retry(err error) (time.Duration, bool) { - if err == nil { - return 0, false - } - if r.attempts >= maxRetryAttempts { - return 0, false - } - r.attempts++ - return r.bo.Pause(), true -} - -// Run uses S2ARetryer to execute the function passed in, until success or reaching -// max number of retry attempts. -func Run(ctx context.Context, f func() error) { - retryer := NewRetryer() - forLoopCnt := 0 - var err error - for { - err = f() - if bo, shouldRetry := retryer.Retry(err); shouldRetry { - if grpclog.V(1) { - grpclog.Infof("will attempt retry: %v", err) - } - if ctx.Err() != nil { - if grpclog.V(1) { - grpclog.Infof("exit retry loop due to context error: %v", ctx.Err()) - } - break - } - if errSleep := Sleep(ctx, bo); errSleep != nil { - if grpclog.V(1) { - grpclog.Infof("exit retry loop due to sleep error: %v", errSleep) - } - break - } - // This shouldn't happen, just make sure we are not stuck in the for loops. - forLoopCnt++ - if forLoopCnt > maxRetryForLoops { - if grpclog.V(1) { - grpclog.Infof("exit the for loop after too many retries") - } - break - } - continue - } - if grpclog.V(1) { - grpclog.Infof("retry conditions not met, exit the loop") - } - break - } -} diff --git a/vendor/github.com/google/s2a-go/s2a.go b/vendor/github.com/google/s2a-go/s2a.go deleted file mode 100644 index cc79bd09a..000000000 --- a/vendor/github.com/google/s2a-go/s2a.go +++ /dev/null @@ -1,442 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package s2a provides the S2A transport credentials used by a gRPC -// application. -package s2a - -import ( - "context" - "crypto/tls" - "errors" - "fmt" - "net" - "sync" - "time" - - "github.com/google/s2a-go/fallback" - "github.com/google/s2a-go/internal/handshaker" - "github.com/google/s2a-go/internal/handshaker/service" - "github.com/google/s2a-go/internal/tokenmanager" - "github.com/google/s2a-go/internal/v2" - "github.com/google/s2a-go/retry" - "google.golang.org/grpc/credentials" - "google.golang.org/grpc/grpclog" - "google.golang.org/protobuf/proto" - - commonpbv1 "github.com/google/s2a-go/internal/proto/common_go_proto" - commonpb "github.com/google/s2a-go/internal/proto/v2/common_go_proto" - s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto" -) - -const ( - s2aSecurityProtocol = "tls" - // defaultTimeout specifies the default server handshake timeout. - defaultTimeout = 30.0 * time.Second -) - -// s2aTransportCreds are the transport credentials required for establishing -// a secure connection using the S2A. They implement the -// credentials.TransportCredentials interface. -type s2aTransportCreds struct { - info *credentials.ProtocolInfo - minTLSVersion commonpbv1.TLSVersion - maxTLSVersion commonpbv1.TLSVersion - // tlsCiphersuites contains the ciphersuites used in the S2A connection. - // Note that these are currently unconfigurable. - tlsCiphersuites []commonpbv1.Ciphersuite - // localIdentity should only be used by the client. - localIdentity *commonpbv1.Identity - // localIdentities should only be used by the server. - localIdentities []*commonpbv1.Identity - // targetIdentities should only be used by the client. - targetIdentities []*commonpbv1.Identity - isClient bool - s2aAddr string - ensureProcessSessionTickets *sync.WaitGroup -} - -// NewClientCreds returns a client-side transport credentials object that uses -// the S2A to establish a secure connection with a server. -func NewClientCreds(opts *ClientOptions) (credentials.TransportCredentials, error) { - if opts == nil { - return nil, errors.New("nil client options") - } - var targetIdentities []*commonpbv1.Identity - for _, targetIdentity := range opts.TargetIdentities { - protoTargetIdentity, err := toProtoIdentity(targetIdentity) - if err != nil { - return nil, err - } - targetIdentities = append(targetIdentities, protoTargetIdentity) - } - localIdentity, err := toProtoIdentity(opts.LocalIdentity) - if err != nil { - return nil, err - } - if opts.EnableLegacyMode { - return &s2aTransportCreds{ - info: &credentials.ProtocolInfo{ - SecurityProtocol: s2aSecurityProtocol, - }, - minTLSVersion: commonpbv1.TLSVersion_TLS1_3, - maxTLSVersion: commonpbv1.TLSVersion_TLS1_3, - tlsCiphersuites: []commonpbv1.Ciphersuite{ - commonpbv1.Ciphersuite_AES_128_GCM_SHA256, - commonpbv1.Ciphersuite_AES_256_GCM_SHA384, - commonpbv1.Ciphersuite_CHACHA20_POLY1305_SHA256, - }, - localIdentity: localIdentity, - targetIdentities: targetIdentities, - isClient: true, - s2aAddr: opts.S2AAddress, - ensureProcessSessionTickets: opts.EnsureProcessSessionTickets, - }, nil - } - verificationMode := getVerificationMode(opts.VerificationMode) - var fallbackFunc fallback.ClientHandshake - if opts.FallbackOpts != nil && opts.FallbackOpts.FallbackClientHandshakeFunc != nil { - fallbackFunc = opts.FallbackOpts.FallbackClientHandshakeFunc - } - v2LocalIdentity, err := toV2ProtoIdentity(opts.LocalIdentity) - if err != nil { - return nil, err - } - return v2.NewClientCreds(opts.S2AAddress, opts.TransportCreds, v2LocalIdentity, verificationMode, fallbackFunc, opts.getS2AStream, opts.serverAuthorizationPolicy) -} - -// NewServerCreds returns a server-side transport credentials object that uses -// the S2A to establish a secure connection with a client. -func NewServerCreds(opts *ServerOptions) (credentials.TransportCredentials, error) { - if opts == nil { - return nil, errors.New("nil server options") - } - var localIdentities []*commonpbv1.Identity - for _, localIdentity := range opts.LocalIdentities { - protoLocalIdentity, err := toProtoIdentity(localIdentity) - if err != nil { - return nil, err - } - localIdentities = append(localIdentities, protoLocalIdentity) - } - if opts.EnableLegacyMode { - return &s2aTransportCreds{ - info: &credentials.ProtocolInfo{ - SecurityProtocol: s2aSecurityProtocol, - }, - minTLSVersion: commonpbv1.TLSVersion_TLS1_3, - maxTLSVersion: commonpbv1.TLSVersion_TLS1_3, - tlsCiphersuites: []commonpbv1.Ciphersuite{ - commonpbv1.Ciphersuite_AES_128_GCM_SHA256, - commonpbv1.Ciphersuite_AES_256_GCM_SHA384, - commonpbv1.Ciphersuite_CHACHA20_POLY1305_SHA256, - }, - localIdentities: localIdentities, - isClient: false, - s2aAddr: opts.S2AAddress, - }, nil - } - verificationMode := getVerificationMode(opts.VerificationMode) - var v2LocalIdentities []*commonpb.Identity - for _, localIdentity := range opts.LocalIdentities { - protoLocalIdentity, err := toV2ProtoIdentity(localIdentity) - if err != nil { - return nil, err - } - v2LocalIdentities = append(v2LocalIdentities, protoLocalIdentity) - } - return v2.NewServerCreds(opts.S2AAddress, opts.TransportCreds, v2LocalIdentities, verificationMode, opts.getS2AStream) -} - -// ClientHandshake initiates a client-side TLS handshake using the S2A. -func (c *s2aTransportCreds) ClientHandshake(ctx context.Context, serverAuthority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) { - if !c.isClient { - return nil, nil, errors.New("client handshake called using server transport credentials") - } - - var cancel context.CancelFunc - ctx, cancel = context.WithCancel(ctx) - defer cancel() - - // Connect to the S2A. - hsConn, err := service.Dial(ctx, c.s2aAddr, nil) - if err != nil { - grpclog.Infof("Failed to connect to S2A: %v", err) - return nil, nil, err - } - - opts := &handshaker.ClientHandshakerOptions{ - MinTLSVersion: c.minTLSVersion, - MaxTLSVersion: c.maxTLSVersion, - TLSCiphersuites: c.tlsCiphersuites, - TargetIdentities: c.targetIdentities, - LocalIdentity: c.localIdentity, - TargetName: serverAuthority, - EnsureProcessSessionTickets: c.ensureProcessSessionTickets, - } - chs, err := handshaker.NewClientHandshaker(ctx, hsConn, rawConn, c.s2aAddr, opts) - if err != nil { - grpclog.Infof("Call to handshaker.NewClientHandshaker failed: %v", err) - return nil, nil, err - } - defer func() { - if err != nil { - if closeErr := chs.Close(); closeErr != nil { - grpclog.Infof("Close failed unexpectedly: %v", err) - err = fmt.Errorf("%v: close unexpectedly failed: %v", err, closeErr) - } - } - }() - - secConn, authInfo, err := chs.ClientHandshake(context.Background()) - if err != nil { - grpclog.Infof("Handshake failed: %v", err) - return nil, nil, err - } - return secConn, authInfo, nil -} - -// ServerHandshake initiates a server-side TLS handshake using the S2A. -func (c *s2aTransportCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) { - if c.isClient { - return nil, nil, errors.New("server handshake called using client transport credentials") - } - - ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout) - defer cancel() - - // Connect to the S2A. - hsConn, err := service.Dial(ctx, c.s2aAddr, nil) - if err != nil { - grpclog.Infof("Failed to connect to S2A: %v", err) - return nil, nil, err - } - - opts := &handshaker.ServerHandshakerOptions{ - MinTLSVersion: c.minTLSVersion, - MaxTLSVersion: c.maxTLSVersion, - TLSCiphersuites: c.tlsCiphersuites, - LocalIdentities: c.localIdentities, - } - shs, err := handshaker.NewServerHandshaker(ctx, hsConn, rawConn, c.s2aAddr, opts) - if err != nil { - grpclog.Infof("Call to handshaker.NewServerHandshaker failed: %v", err) - return nil, nil, err - } - defer func() { - if err != nil { - if closeErr := shs.Close(); closeErr != nil { - grpclog.Infof("Close failed unexpectedly: %v", err) - err = fmt.Errorf("%v: close unexpectedly failed: %v", err, closeErr) - } - } - }() - - secConn, authInfo, err := shs.ServerHandshake(context.Background()) - if err != nil { - grpclog.Infof("Handshake failed: %v", err) - return nil, nil, err - } - return secConn, authInfo, nil -} - -func (c *s2aTransportCreds) Info() credentials.ProtocolInfo { - return *c.info -} - -func (c *s2aTransportCreds) Clone() credentials.TransportCredentials { - info := *c.info - var localIdentity *commonpbv1.Identity - if c.localIdentity != nil { - localIdentity = proto.Clone(c.localIdentity).(*commonpbv1.Identity) - } - var localIdentities []*commonpbv1.Identity - if c.localIdentities != nil { - localIdentities = make([]*commonpbv1.Identity, len(c.localIdentities)) - for i, localIdentity := range c.localIdentities { - localIdentities[i] = proto.Clone(localIdentity).(*commonpbv1.Identity) - } - } - var targetIdentities []*commonpbv1.Identity - if c.targetIdentities != nil { - targetIdentities = make([]*commonpbv1.Identity, len(c.targetIdentities)) - for i, targetIdentity := range c.targetIdentities { - targetIdentities[i] = proto.Clone(targetIdentity).(*commonpbv1.Identity) - } - } - return &s2aTransportCreds{ - info: &info, - minTLSVersion: c.minTLSVersion, - maxTLSVersion: c.maxTLSVersion, - tlsCiphersuites: c.tlsCiphersuites, - localIdentity: localIdentity, - localIdentities: localIdentities, - targetIdentities: targetIdentities, - isClient: c.isClient, - s2aAddr: c.s2aAddr, - } -} - -func (c *s2aTransportCreds) OverrideServerName(serverNameOverride string) error { - c.info.ServerName = serverNameOverride - return nil -} - -// TLSClientConfigOptions specifies parameters for creating client TLS config. -type TLSClientConfigOptions struct { - // ServerName is required by s2a as the expected name when verifying the hostname found in server's certificate. - // tlsConfig, _ := factory.Build(ctx, &s2a.TLSClientConfigOptions{ - // ServerName: "example.com", - // }) - ServerName string -} - -// TLSClientConfigFactory defines the interface for a client TLS config factory. -type TLSClientConfigFactory interface { - Build(ctx context.Context, opts *TLSClientConfigOptions) (*tls.Config, error) -} - -// NewTLSClientConfigFactory returns an instance of s2aTLSClientConfigFactory. -func NewTLSClientConfigFactory(opts *ClientOptions) (TLSClientConfigFactory, error) { - if opts == nil { - return nil, fmt.Errorf("opts must be non-nil") - } - if opts.EnableLegacyMode { - return nil, fmt.Errorf("NewTLSClientConfigFactory only supports S2Av2") - } - tokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager() - if err != nil { - // The only possible error is: access token not set in the environment, - // which is okay in environments other than serverless. - grpclog.Infof("Access token manager not initialized: %v", err) - return &s2aTLSClientConfigFactory{ - s2av2Address: opts.S2AAddress, - transportCreds: opts.TransportCreds, - tokenManager: nil, - verificationMode: getVerificationMode(opts.VerificationMode), - serverAuthorizationPolicy: opts.serverAuthorizationPolicy, - }, nil - } - return &s2aTLSClientConfigFactory{ - s2av2Address: opts.S2AAddress, - transportCreds: opts.TransportCreds, - tokenManager: tokenManager, - verificationMode: getVerificationMode(opts.VerificationMode), - serverAuthorizationPolicy: opts.serverAuthorizationPolicy, - }, nil -} - -type s2aTLSClientConfigFactory struct { - s2av2Address string - transportCreds credentials.TransportCredentials - tokenManager tokenmanager.AccessTokenManager - verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode - serverAuthorizationPolicy []byte -} - -func (f *s2aTLSClientConfigFactory) Build( - ctx context.Context, opts *TLSClientConfigOptions) (*tls.Config, error) { - serverName := "" - if opts != nil && opts.ServerName != "" { - serverName = opts.ServerName - } - return v2.NewClientTLSConfig(ctx, f.s2av2Address, f.transportCreds, f.tokenManager, f.verificationMode, serverName, f.serverAuthorizationPolicy) -} - -func getVerificationMode(verificationMode VerificationModeType) s2av2pb.ValidatePeerCertificateChainReq_VerificationMode { - switch verificationMode { - case ConnectToGoogle: - return s2av2pb.ValidatePeerCertificateChainReq_CONNECT_TO_GOOGLE - case Spiffe: - return s2av2pb.ValidatePeerCertificateChainReq_SPIFFE - case ReservedCustomVerificationMode3: - return s2av2pb.ValidatePeerCertificateChainReq_RESERVED_CUSTOM_VERIFICATION_MODE_3 - case ReservedCustomVerificationMode4: - return s2av2pb.ValidatePeerCertificateChainReq_RESERVED_CUSTOM_VERIFICATION_MODE_4 - case ReservedCustomVerificationMode5: - return s2av2pb.ValidatePeerCertificateChainReq_RESERVED_CUSTOM_VERIFICATION_MODE_5 - default: - return s2av2pb.ValidatePeerCertificateChainReq_UNSPECIFIED - } -} - -// NewS2ADialTLSContextFunc returns a dialer which establishes an MTLS connection using S2A. -// Example use with http.RoundTripper: -// -// dialTLSContext := s2a.NewS2aDialTLSContextFunc(&s2a.ClientOptions{ -// S2AAddress: s2aAddress, // required -// }) -// transport := http.DefaultTransport -// transport.DialTLSContext = dialTLSContext -func NewS2ADialTLSContextFunc(opts *ClientOptions) func(ctx context.Context, network, addr string) (net.Conn, error) { - - return func(ctx context.Context, network, addr string) (net.Conn, error) { - - fallback := func(err error) (net.Conn, error) { - if opts.FallbackOpts != nil && opts.FallbackOpts.FallbackDialer != nil && - opts.FallbackOpts.FallbackDialer.Dialer != nil && opts.FallbackOpts.FallbackDialer.ServerAddr != "" { - fbDialer := opts.FallbackOpts.FallbackDialer - grpclog.Infof("fall back to dial: %s", fbDialer.ServerAddr) - fbConn, fbErr := fbDialer.Dialer.DialContext(ctx, network, fbDialer.ServerAddr) - if fbErr != nil { - return nil, fmt.Errorf("error fallback to %s: %v; S2A error: %w", fbDialer.ServerAddr, fbErr, err) - } - return fbConn, nil - } - return nil, err - } - - factory, err := NewTLSClientConfigFactory(opts) - if err != nil { - grpclog.Infof("error creating S2A client config factory: %v", err) - return fallback(err) - } - - serverName, _, err := net.SplitHostPort(addr) - if err != nil { - serverName = addr - } - timeoutCtx, cancel := context.WithTimeout(ctx, v2.GetS2ATimeout()) - defer cancel() - - var s2aTLSConfig *tls.Config - var c net.Conn - retry.Run(timeoutCtx, - func() error { - s2aTLSConfig, err = factory.Build(timeoutCtx, &TLSClientConfigOptions{ - ServerName: serverName, - }) - if err != nil { - grpclog.Infof("error building S2A TLS config: %v", err) - return err - } - - s2aDialer := &tls.Dialer{ - Config: s2aTLSConfig, - } - c, err = s2aDialer.DialContext(timeoutCtx, network, addr) - return err - }) - if err != nil { - grpclog.Infof("error dialing with S2A to %s: %v", addr, err) - return fallback(err) - } - grpclog.Infof("success dialing MTLS to %s with S2A", addr) - return c, nil - } -} diff --git a/vendor/github.com/google/s2a-go/s2a_options.go b/vendor/github.com/google/s2a-go/s2a_options.go deleted file mode 100644 index 5bbf31bf4..000000000 --- a/vendor/github.com/google/s2a-go/s2a_options.go +++ /dev/null @@ -1,235 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package s2a - -import ( - "context" - "crypto/tls" - "errors" - "sync" - - "github.com/google/s2a-go/fallback" - "github.com/google/s2a-go/stream" - "google.golang.org/grpc/credentials" - - s2apbv1 "github.com/google/s2a-go/internal/proto/common_go_proto" - s2apb "github.com/google/s2a-go/internal/proto/v2/common_go_proto" -) - -// Identity is the interface for S2A identities. -type Identity interface { - // Name returns the name of the identity. - Name() string -} - -type spiffeID struct { - spiffeID string -} - -func (s *spiffeID) Name() string { return s.spiffeID } - -// NewSpiffeID creates a SPIFFE ID from id. -func NewSpiffeID(id string) Identity { - return &spiffeID{spiffeID: id} -} - -type hostname struct { - hostname string -} - -func (h *hostname) Name() string { return h.hostname } - -// NewHostname creates a hostname from name. -func NewHostname(name string) Identity { - return &hostname{hostname: name} -} - -type uid struct { - uid string -} - -func (h *uid) Name() string { return h.uid } - -// NewUID creates a UID from name. -func NewUID(name string) Identity { - return &uid{uid: name} -} - -// VerificationModeType specifies the mode that S2A must use to verify the peer -// certificate chain. -type VerificationModeType int - -// Three types of verification modes. -const ( - Unspecified VerificationModeType = iota - Spiffe - ConnectToGoogle - ReservedCustomVerificationMode3 - ReservedCustomVerificationMode4 - ReservedCustomVerificationMode5 -) - -// ClientOptions contains the client-side options used to establish a secure -// channel using the S2A handshaker service. -type ClientOptions struct { - // TargetIdentities contains a list of allowed server identities. One of the - // target identities should match the peer identity in the handshake - // result; otherwise, the handshake fails. - TargetIdentities []Identity - // LocalIdentity is the local identity of the client application. If none is - // provided, then the S2A will choose the default identity, if one exists. - LocalIdentity Identity - // S2AAddress is the address of the S2A. - S2AAddress string - // Optional transport credentials. - // If set, this will be used for the gRPC connection to the S2A server. - TransportCreds credentials.TransportCredentials - // EnsureProcessSessionTickets waits for all session tickets to be sent to - // S2A before a process completes. - // - // This functionality is crucial for processes that complete very soon after - // using S2A to establish a TLS connection, but it can be ignored for longer - // lived processes. - // - // Usage example: - // func main() { - // var ensureProcessSessionTickets sync.WaitGroup - // clientOpts := &s2a.ClientOptions{ - // EnsureProcessSessionTickets: &ensureProcessSessionTickets, - // // Set other members. - // } - // creds, _ := s2a.NewClientCreds(clientOpts) - // conn, _ := grpc.Dial(serverAddr, grpc.WithTransportCredentials(creds)) - // defer conn.Close() - // - // // Make RPC call. - // - // // The process terminates right after the RPC call ends. - // // ensureProcessSessionTickets can be used to ensure resumption - // // tickets are fully processed. If the process is long-lived, using - // // ensureProcessSessionTickets is not necessary. - // ensureProcessSessionTickets.Wait() - // } - EnsureProcessSessionTickets *sync.WaitGroup - // If true, enables the use of legacy S2Av1. - EnableLegacyMode bool - // VerificationMode specifies the mode that S2A must use to verify the - // peer certificate chain. - VerificationMode VerificationModeType - - // Optional fallback after dialing with S2A fails. - FallbackOpts *FallbackOptions - - // Generates an S2AStream interface for talking to the S2A server. - getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error) - - // Serialized user specified policy for server authorization. - serverAuthorizationPolicy []byte -} - -// FallbackOptions prescribes the fallback logic that should be taken if the application fails to connect with S2A. -type FallbackOptions struct { - // FallbackClientHandshakeFunc is used to specify fallback behavior when calling s2a.NewClientCreds(). - // It will be called by ClientHandshake function, after handshake with S2A fails. - // s2a.NewClientCreds() ignores the other FallbackDialer field. - FallbackClientHandshakeFunc fallback.ClientHandshake - - // FallbackDialer is used to specify fallback behavior when calling s2a.NewS2aDialTLSContextFunc(). - // It passes in a custom fallback dialer and server address to use after dialing with S2A fails. - // s2a.NewS2aDialTLSContextFunc() ignores the other FallbackClientHandshakeFunc field. - FallbackDialer *FallbackDialer -} - -// FallbackDialer contains a fallback tls.Dialer and a server address to connect to. -type FallbackDialer struct { - // Dialer specifies a fallback tls.Dialer. - Dialer *tls.Dialer - // ServerAddr is used by Dialer to establish fallback connection. - ServerAddr string -} - -// DefaultClientOptions returns the default client options. -func DefaultClientOptions(s2aAddress string) *ClientOptions { - return &ClientOptions{ - S2AAddress: s2aAddress, - VerificationMode: ConnectToGoogle, - } -} - -// ServerOptions contains the server-side options used to establish a secure -// channel using the S2A handshaker service. -type ServerOptions struct { - // LocalIdentities is the list of local identities that may be assumed by - // the server. If no local identity is specified, then the S2A chooses a - // default local identity, if one exists. - LocalIdentities []Identity - // S2AAddress is the address of the S2A. - S2AAddress string - // Optional transport credentials. - // If set, this will be used for the gRPC connection to the S2A server. - TransportCreds credentials.TransportCredentials - // If true, enables the use of legacy S2Av1. - EnableLegacyMode bool - // VerificationMode specifies the mode that S2A must use to verify the - // peer certificate chain. - VerificationMode VerificationModeType - - // Generates an S2AStream interface for talking to the S2A server. - getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error) -} - -// DefaultServerOptions returns the default server options. -func DefaultServerOptions(s2aAddress string) *ServerOptions { - return &ServerOptions{ - S2AAddress: s2aAddress, - VerificationMode: ConnectToGoogle, - } -} - -func toProtoIdentity(identity Identity) (*s2apbv1.Identity, error) { - if identity == nil { - return nil, nil - } - switch id := identity.(type) { - case *spiffeID: - return &s2apbv1.Identity{IdentityOneof: &s2apbv1.Identity_SpiffeId{SpiffeId: id.Name()}}, nil - case *hostname: - return &s2apbv1.Identity{IdentityOneof: &s2apbv1.Identity_Hostname{Hostname: id.Name()}}, nil - case *uid: - return &s2apbv1.Identity{IdentityOneof: &s2apbv1.Identity_Uid{Uid: id.Name()}}, nil - default: - return nil, errors.New("unrecognized identity type") - } -} - -func toV2ProtoIdentity(identity Identity) (*s2apb.Identity, error) { - if identity == nil { - return nil, nil - } - switch id := identity.(type) { - case *spiffeID: - return &s2apb.Identity{IdentityOneof: &s2apb.Identity_SpiffeId{SpiffeId: id.Name()}}, nil - case *hostname: - return &s2apb.Identity{IdentityOneof: &s2apb.Identity_Hostname{Hostname: id.Name()}}, nil - case *uid: - return &s2apb.Identity{IdentityOneof: &s2apb.Identity_Uid{Uid: id.Name()}}, nil - default: - return nil, errors.New("unrecognized identity type") - } -} diff --git a/vendor/github.com/google/s2a-go/s2a_utils.go b/vendor/github.com/google/s2a-go/s2a_utils.go deleted file mode 100644 index d649cc461..000000000 --- a/vendor/github.com/google/s2a-go/s2a_utils.go +++ /dev/null @@ -1,79 +0,0 @@ -/* - * - * Copyright 2021 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package s2a - -import ( - "context" - "errors" - - commonpb "github.com/google/s2a-go/internal/proto/common_go_proto" - "google.golang.org/grpc/credentials" - "google.golang.org/grpc/peer" -) - -// AuthInfo exposes security information from the S2A to the application. -type AuthInfo interface { - // AuthType returns the authentication type. - AuthType() string - // ApplicationProtocol returns the application protocol, e.g. "grpc". - ApplicationProtocol() string - // TLSVersion returns the TLS version negotiated during the handshake. - TLSVersion() commonpb.TLSVersion - // Ciphersuite returns the ciphersuite negotiated during the handshake. - Ciphersuite() commonpb.Ciphersuite - // PeerIdentity returns the authenticated identity of the peer. - PeerIdentity() *commonpb.Identity - // LocalIdentity returns the local identity of the application used during - // session setup. - LocalIdentity() *commonpb.Identity - // PeerCertFingerprint returns the SHA256 hash of the peer certificate used in - // the S2A handshake. - PeerCertFingerprint() []byte - // LocalCertFingerprint returns the SHA256 hash of the local certificate used - // in the S2A handshake. - LocalCertFingerprint() []byte - // IsHandshakeResumed returns true if a cached session was used to resume - // the handshake. - IsHandshakeResumed() bool - // SecurityLevel returns the security level of the connection. - SecurityLevel() credentials.SecurityLevel -} - -// AuthInfoFromPeer extracts the authinfo.S2AAuthInfo object from the given -// peer, if it exists. This API should be used by gRPC clients after -// obtaining a peer object using the grpc.Peer() CallOption. -func AuthInfoFromPeer(p *peer.Peer) (AuthInfo, error) { - s2aAuthInfo, ok := p.AuthInfo.(AuthInfo) - if !ok { - return nil, errors.New("no S2AAuthInfo found in Peer") - } - return s2aAuthInfo, nil -} - -// AuthInfoFromContext extracts the authinfo.S2AAuthInfo object from the given -// context, if it exists. This API should be used by gRPC server RPC handlers -// to get information about the peer. On the client-side, use the grpc.Peer() -// CallOption and the AuthInfoFromPeer function. -func AuthInfoFromContext(ctx context.Context) (AuthInfo, error) { - p, ok := peer.FromContext(ctx) - if !ok { - return nil, errors.New("no Peer found in Context") - } - return AuthInfoFromPeer(p) -} diff --git a/vendor/github.com/google/s2a-go/stream/s2a_stream.go b/vendor/github.com/google/s2a-go/stream/s2a_stream.go deleted file mode 100644 index 584bf32b1..000000000 --- a/vendor/github.com/google/s2a-go/stream/s2a_stream.go +++ /dev/null @@ -1,34 +0,0 @@ -/* - * - * Copyright 2023 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package stream provides an interface for bidirectional streaming to the S2A server. -package stream - -import ( - s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto" -) - -// S2AStream defines the operation for communicating with the S2A server over a bidirectional stream. -type S2AStream interface { - // Send sends the message to the S2A server. - Send(*s2av2pb.SessionReq) error - // Recv receives the message from the S2A server. - Recv() (*s2av2pb.SessionResp, error) - // Closes the channel to the S2A server. - CloseSend() error -} |