From a37c56e6837afe6a28095494ef778d16a4fe6da4 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Fri, 27 Apr 2018 14:59:16 -0700 Subject: [PATCH 1/7] bind cidrs to auth certs --- builtin/credential/cert/backend_test.go | 126 +++++++++++++++++++++ builtin/credential/cert/path_certs.go | 27 +++++ builtin/credential/cert/path_login.go | 36 ++++++ website/source/api/auth/cert/index.html.md | 6 +- 4 files changed, 194 insertions(+), 1 deletion(-) diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index ec1c83139415..8942e736697d 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go 
@@ -1033,6 +1033,132 @@ func TestBackend_untrusted(t *testing.T) { }) } +func TestBackend_validCIDR(t *testing.T) { + config := logical.TestBackendConfig() + storage := &logical.InmemStorage{} + config.StorageView = storage + + b, err := Factory(context.Background(), config) + if err != nil { + t.Fatal(err) + } + + connState, err := testConnState("test-fixtures/keys/cert.pem", + "test-fixtures/keys/key.pem", "test-fixtures/root/rootcacert.pem") + if err != nil { + t.Fatalf("error testing connection state: %v", err) + } + ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + + name := "web" + + addCertReq := &logical.Request{ + Operation: logical.UpdateOperation, + Path: "certs/" + name, + Data: map[string]interface{}{ + "certificate": string(ca), + "policies": "foo", + "display_name": name, + "allowed_names": "", + "required_extensions": "", + "lease": 1000, + "bound_cidrs": []string{"127.0.0.1/32", "128.252.0.0/16"}, + }, + Storage: storage, + Connection: &logical.Connection{ConnState: &connState}, + } + + _, err = b.HandleRequest(context.Background(), addCertReq) + if err != nil { + t.Fatal(err) + } + + loginReq := &logical.Request{ + Operation: logical.UpdateOperation, + Path: "login", + Unauthenticated: true, + Data: map[string]interface{}{ + "name": name, + }, + Storage: storage, + Connection: &logical.Connection{ConnState: &connState}, + } + + // override the remote address with an IPV4 that is authorized + loginReq.Connection.RemoteAddr = "127.0.0.1/32" + + _, err = b.HandleRequest(context.Background(), loginReq) + if err != nil { + t.Fatal(err.Error()) + } +} + +func TestBackend_invalidCIDR(t *testing.T) { + config := logical.TestBackendConfig() + storage := &logical.InmemStorage{} + config.StorageView = storage + + b, err := Factory(context.Background(), config) + if err != nil { + t.Fatal(err) + } + + connState, err := testConnState("test-fixtures/keys/cert.pem", + "test-fixtures/keys/key.pem", 
"test-fixtures/root/rootcacert.pem") + if err != nil { + t.Fatalf("error testing connection state: %v", err) + } + ca, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + + name := "web" + + addCertReq := &logical.Request{ + Operation: logical.UpdateOperation, + Path: "certs/" + name, + Data: map[string]interface{}{ + "certificate": string(ca), + "policies": "foo", + "display_name": name, + "allowed_names": "", + "required_extensions": "", + "lease": 1000, + "bound_cidrs": []string{"127.0.0.1/32", "128.252.0.0/16"}, + }, + Storage: storage, + Connection: &logical.Connection{ConnState: &connState}, + } + + _, err = b.HandleRequest(context.Background(), addCertReq) + if err != nil { + t.Fatal(err) + } + + loginReq := &logical.Request{ + Operation: logical.UpdateOperation, + Path: "login", + Unauthenticated: true, + Data: map[string]interface{}{ + "name": name, + }, + Storage: storage, + Connection: &logical.Connection{ConnState: &connState}, + } + + // override the remote address with an IPV4 that isn't authorized + loginReq.Connection.RemoteAddr = "127.0.0.1/8" + + _, err = b.HandleRequest(context.Background(), loginReq) + if err == nil { + t.Fatal("expected \"ERROR: permission denied\"") + } +} + func testAccStepAddCRL(t *testing.T, crl []byte, connState tls.ConnectionState) logicaltest.TestStep { return logicaltest.TestStep{ Operation: logical.UpdateOperation, diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go index 511b240c489f..f3a0ec8d2093 100644 --- a/builtin/credential/cert/path_certs.go +++ b/builtin/credential/cert/path_certs.go @@ -7,6 +7,7 @@ import ( "strings" "time" + "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/helper/policyutil" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" 
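Review bot: TestBackend_invalidCIDR passes on any error at all, because it only checks `err == nil`, and its "unauthorized" remote address `127.0.0.1/8` is the same host as the allowed `127.0.0.1/32` with a wider mask rather than an address outside both bound ranges. Assuming HandleRequest returns the backend error unwrapped, compare against the sentinel: `if err != logical.ErrPermissionDenied { t.Fatalf("expected permission denied, got %v", err) }`. A plain out-of-range host such as `10.1.2.3` (constructed sample) would show that a different client is rejected. The two tests also duplicate all of their setup; a helper that takes the remote address and the expected outcome would keep the positive and negative cases in step.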
@@ -88,6 +89,11 @@ should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this parameter.`, }, + "bound_cidrs": &framework.FieldSchema{ + Type: framework.TypeCommaStringSlice, + Description: `Comma separated string or list of CIDR blocks. If set, specifies the blocks of +IP addresses which can perform the login operation.`, + }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ @@ -228,6 +234,25 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr } } + var parsedCIDRs []*sockaddr.SockAddrMarshaler + if boundCIDRListRaw, ok := d.GetOk("bound_cidrs"); ok { + + var boundCIDRList []string + if boundCIDRs, ok := boundCIDRListRaw.([]string); ok { + boundCIDRList = boundCIDRs + } else if boundCIDRListStr, ok := boundCIDRListRaw.(string); ok { + boundCIDRList = strings.Split(boundCIDRListStr, ",") + } + + for _, v := range boundCIDRList { + parsedCIDR, err := sockaddr.NewSockAddr(v) + if err != nil { + return nil, err + } + parsedCIDRs = append(parsedCIDRs, &sockaddr.SockAddrMarshaler{parsedCIDR}) + } + } + certEntry := &CertEntry{ Name: name, Certificate: certificate, @@ -238,6 +263,7 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr TTL: ttl, MaxTTL: maxTTL, Period: period, + BoundCIDRs: parsedCIDRs, } // Store it @@ -266,6 +292,7 @@ type CertEntry struct { Period time.Duration AllowedNames []string RequiredExtensions []string + BoundCIDRs []*sockaddr.SockAddrMarshaler } const pathCertHelpSyn = ` diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go index 65e06b987b69..f1ccb7b6f3c4 100644 --- a/builtin/credential/cert/path_login.go +++ b/builtin/credential/cert/path_login.go @@ -17,6 +17,7 @@ import ( "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" + "github.com/hashicorp/go-sockaddr" "github.com/ryanuber/go-glob" ) 
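Review bot: In the `@@ -228,6 +234,25 @@` hunk of pathCertWrite, a `bound_cidrs` entry is stored as soon as `sockaddr.NewSockAddr(v)` succeeds, and nothing checks that the result is an IP network. As far as I recall, go-sockaddr falls back to a Unix-socket address for strings containing a `/`, so a mistyped block could be saved and then never match at login; that fails closed, but the operator gets no error at write time. Consider rejecting non-IP results, e.g. `if t := parsedCIDR.Type(); t != sockaddr.TypeIPv4 && t != sockaddr.TypeIPv6 { return logical.ErrorResponse("bound_cidrs entries must be IP CIDR blocks"), nil }`. The literal `&sockaddr.SockAddrMarshaler{parsedCIDR}` is also unkeyed, which `go vet` flags for imported structs; `&sockaddr.SockAddrMarshaler{SockAddr: parsedCIDR}` avoids that. Both points apply equally to the later pathCertWrite hunks in patches 4/7 and 5/7, and pathCertWrite itself starts and ends outside the hunk.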
@@ -71,6 +72,10 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra return nil, nil } + if err := b.checkCIDR(matched.Entry, req); err != nil { + return nil, err + } + clientCerts := req.Connection.ConnState.PeerCertificates if len(clientCerts) == 0 { return logical.ErrorResponse("no client certificate found"), nil @@ -152,6 +157,10 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f return nil, nil } + if err := b.checkCIDR(cert, req); err != nil { + return nil, err + } + if !policyutil.EquivalentPolicies(cert.Policies, req.Auth.Policies) { return nil, fmt.Errorf("policies have changed, not renewing") } @@ -371,6 +380,33 @@ func (b *backend) checkForValidChain(chains [][]*x509.Certificate) bool { return false } +func (b *backend) checkCIDR(cert *CertEntry, req *logical.Request) error { + + if len(cert.BoundCIDRs) <= 0 { + // short-circuit the below logic + return nil + } + + var valid bool + remoteSockAddr, err := sockaddr.NewSockAddr(req.Connection.RemoteAddr) + if err != nil { + if b.Logger().IsDebug() { + b.Logger().Debug("could not parse remote addr into sockaddr", "error", err, "remote_addr", req.Connection.RemoteAddr) + } + return logical.ErrPermissionDenied + } + for _, cidr := range cert.BoundCIDRs { + if cidr.Contains(remoteSockAddr) { + valid = true + break + } + } + if !valid { + return logical.ErrPermissionDenied + } + return nil +} + // parsePEM parses a PEM encoded x509 certificate func parsePEM(raw []byte) (certs []*x509.Certificate) { for len(raw) > 0 { diff --git a/website/source/api/auth/cert/index.html.md b/website/source/api/auth/cert/index.html.md index 9d94aef3dd23..a3d2f505f283 100644 --- a/website/source/api/auth/cert/index.html.md +++ b/website/source/api/auth/cert/index.html.md 
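Review bot: checkCIDR, added in the `@@ -371,6 +380,33 @@` hunk, dereferences `req.Connection` without a nil check and has no doc comment. pathLogin reads `req.Connection.ConnState` right after its call, so a connection is assumed there, but what pathLoginRenew has verified before its call lies outside the hunk. A guard placed after the empty-list short-circuit, `if req.Connection == nil { return logical.ErrPermissionDenied }`, keeps the helper fail-closed on its own. I would also add `// checkCIDR denies the request unless cert has no bound CIDRs or req.Connection.RemoteAddr falls inside one of them.` and state there that the value compared is the remote address of the connection as the server sees it, which may be an intermediary's address when one sits in front of the listener.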
@@ -54,13 +54,17 @@ Sets a CA cert and associated parameters in a role name. as it is renewed it never expires unless `max_ttl` is also set, but the TTL set on the token at each renewal is fixed to the value specified here. If this value is modified, the token will pick up the new value at its next renewal. +- `bound_cidrs` `(string: "", or list: [])` – If set, restricts usage of the + certificates to client IPs falling within the range of the specified + CIDR(s). ### Sample Payload ```json { "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----", - "display_name": "test" + "display_name": "test", + "bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"] } ``` From cbe4684b957b6ec8860e32aaf92026f72c92db2f Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Mon, 30 Apr 2018 10:41:17 -0700 Subject: [PATCH 2/7] check bound cidrs in resultant tokens --- builtin/credential/cert/path_certs.go | 2 -- builtin/credential/cert/path_login.go | 2 ++ logical/auth.go | 5 +++++ vault/request_handling.go | 24 ++++++++++++++++++++++++ 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go index f3a0ec8d2093..ef1d38815db5 100644 --- a/builtin/credential/cert/path_certs.go +++ b/builtin/credential/cert/path_certs.go @@ -240,8 +240,6 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr var boundCIDRList []string if boundCIDRs, ok := boundCIDRListRaw.([]string); ok { boundCIDRList = boundCIDRs - } else if boundCIDRListStr, ok := boundCIDRListRaw.(string); ok { - boundCIDRList = strings.Split(boundCIDRListStr, ",") } for _, v := range boundCIDRList { diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go index f1ccb7b6f3c4..713ad72a5697 100644 --- a/builtin/credential/cert/path_login.go +++ b/builtin/credential/cert/path_login.go 
@@ -106,6 +106,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra Alias: &logical.Alias{ Name: clientCerts[0].SerialNumber.String(), }, + BoundCIDRs: matched.Entry.BoundCIDRs, }, } @@ -169,6 +170,7 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f resp.Auth.TTL = cert.TTL resp.Auth.MaxTTL = cert.MaxTTL resp.Auth.Period = cert.Period + resp.Auth.BoundCIDRs = cert.BoundCIDRs return resp, nil } diff --git a/logical/auth.go b/logical/auth.go index 2012418ad5e3..144b5467ad80 100644 --- a/logical/auth.go +++ b/logical/auth.go @@ -3,6 +3,8 @@ package logical import ( "fmt" "time" + + "github.com/hashicorp/go-sockaddr" ) // Auth is the resulting authentication information that is part of @@ -69,6 +71,9 @@ type Auth struct { // mappings groups for the group aliases in identity store. For all the // matching groups, the entity ID of the user will be added. GroupAliases []*Alias `json:"group_aliases" mapstructure:"group_aliases" structs:"group_aliases"` + + // The set of CIDRs that this token can be used with + BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"` } func (a *Auth) GoString() string { diff --git a/vault/request_handling.go b/vault/request_handling.go index 0536c8020d60..e1b2503e3794 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -8,6 +8,7 @@ import ( "github.com/armon/go-metrics" "github.com/hashicorp/go-multierror" + "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/helper/consts" "github.com/hashicorp/vault/helper/identity" 
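Review bot: The new `BoundCIDRs` field in the `@@ -69,6 +71,9 @@` hunk of logical/auth.go carries only a `json` tag, while `GroupAliases` directly above it also has `mapstructure` and `structs` tags. Whether Auth is ever converted through those libraries is not visible here, but if it is, the field would travel under a different key than its JSON name, and a restriction that gets lost in conversion fails open. For consistency, add `mapstructure:"bound_cidrs" structs:"bound_cidrs"` next to the existing tag. The comment would also read better in doc-comment form, e.g. `// BoundCIDRs is the set of CIDR blocks from which the resulting token may be used.`, and should say where that is enforced, since the hunks on this page only show the check in the cert backend's login and renew paths.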
@@ -494,6 +495,28 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re // If the response generated an authentication, then generate the token if resp != nil && resp.Auth != nil { + + // First ensure the login request originated from a white-listed CIDR, if provided + if len(resp.Auth.BoundCIDRs) > 0 { + var valid bool + remoteSockAddr, err := sockaddr.NewSockAddr(req.Connection.RemoteAddr) + if err != nil { + if c.Logger().IsDebug() { + c.Logger().Debug("could not parse remote addr into sockaddr", "error", err, "remote_addr", req.Connection.RemoteAddr) + } + return nil, nil, logical.ErrPermissionDenied + } + for _, cidr := range auth.BoundCIDRs { + if cidr.Contains(remoteSockAddr) { + valid = true + break + } + } + if !valid { + return nil, nil, logical.ErrPermissionDenied + } + } + var entity *identity.Entity auth = resp.Auth @@ -574,6 +597,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re TTL: tokenTTL, NumUses: auth.NumUses, EntityID: auth.EntityID, + BoundCIDRs: auth.BoundCIDRs, } te.Policies = policyutil.SanitizePolicies(te.Policies, true) From 6c1977318f53663d2ebf6d9dd5da75c7d1605dd9 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Mon, 30 Apr 2018 13:59:03 -0700 Subject: [PATCH 3/7] only check cidrs once --- vault/request_handling.go | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/vault/request_handling.go b/vault/request_handling.go index e1b2503e3794..022952a16e56 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -8,7 +8,6 @@ import ( "github.com/armon/go-metrics" "github.com/hashicorp/go-multierror" - "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/helper/consts" "github.com/hashicorp/vault/helper/identity" 
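Review bot: In the `@@ -494,6 +495,28 @@` hunk the guard tests `len(resp.Auth.BoundCIDRs)` but the loop ranges over `auth.BoundCIDRs`, and `auth = resp.Auth` is only assigned after the block, on the context line below it. At that point `auth` still holds its earlier value (set outside the hunk; a nil pointer would panic here), so the list being checked is not the one the login just returned. The loop should read `for _, cidr := range resp.Auth.BoundCIDRs {`. `req.Connection` is also dereferenced without a nil check. Patch 3/7 further down this page removes the whole block, so this matters only if the series is applied or bisected partially.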
@@ -496,27 +495,6 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re // If the response generated an authentication, then generate the token if resp != nil && resp.Auth != nil { - // First ensure the login request originated from a white-listed CIDR, if provided - if len(resp.Auth.BoundCIDRs) > 0 { - var valid bool - remoteSockAddr, err := sockaddr.NewSockAddr(req.Connection.RemoteAddr) - if err != nil { - if c.Logger().IsDebug() { - c.Logger().Debug("could not parse remote addr into sockaddr", "error", err, "remote_addr", req.Connection.RemoteAddr) - } - return nil, nil, logical.ErrPermissionDenied - } - for _, cidr := range auth.BoundCIDRs { - if cidr.Contains(remoteSockAddr) { - valid = true - break - } - } - if !valid { - return nil, nil, logical.ErrPermissionDenied - } - } - var entity *identity.Entity auth = resp.Auth From c5b9f294e1b1c8bd9742e84e2f04ad7db091b9d3 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Tue, 1 May 2018 09:24:45 -0700 Subject: [PATCH 4/7] drop unnecessary ok checks --- builtin/credential/cert/path_certs.go | 18 +++++------------- builtin/credential/cert/path_login.go | 2 +- 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go index ef1d38815db5..14881acc27da 100644 --- a/builtin/credential/cert/path_certs.go +++ b/builtin/credential/cert/path_certs.go 
@@ -235,20 +235,12 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr } var parsedCIDRs []*sockaddr.SockAddrMarshaler - if boundCIDRListRaw, ok := d.GetOk("bound_cidrs"); ok { - - var boundCIDRList []string - if boundCIDRs, ok := boundCIDRListRaw.([]string); ok { - boundCIDRList = boundCIDRs - } - - for _, v := range boundCIDRList { - parsedCIDR, err := sockaddr.NewSockAddr(v) - if err != nil { - return nil, err - } - parsedCIDRs = append(parsedCIDRs, &sockaddr.SockAddrMarshaler{parsedCIDR}) + for _, v := range d.Get("bound_cidrs").([]string) { + parsedCIDR, err := sockaddr.NewSockAddr(v) + if err != nil { + return nil, err } + parsedCIDRs = append(parsedCIDRs, &sockaddr.SockAddrMarshaler{parsedCIDR}) } certEntry := &CertEntry{ diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go index 713ad72a5697..3a336cd35b09 100644 --- a/builtin/credential/cert/path_login.go +++ b/builtin/credential/cert/path_login.go @@ -384,7 +384,7 @@ func (b *backend) checkForValidChain(chains [][]*x509.Certificate) bool { func (b *backend) checkCIDR(cert *CertEntry, req *logical.Request) error { - if len(cert.BoundCIDRs) <= 0 { + if len(cert.BoundCIDRs) == 0 { // short-circuit the below logic return nil } From f2075653556dd7586f6e825ac4f6d8fcbd6cfa7b Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Tue, 8 May 2018 11:20:59 -0700 Subject: [PATCH 5/7] update proto, move cidr check to helper --- builtin/credential/cert/path_certs.go | 5 +- builtin/credential/cert/path_login.go | 26 +- helper/cidrutil/cidr.go | 24 ++ helper/cidrutil/cidr_test.go | 32 ++- logical/plugin/pb/backend.pb.go | 370 +++++++++++++------------- logical/plugin/pb/backend.proto | 4 + logical/plugin/pb/translation.go | 17 ++ 7 files changed, 274 insertions(+), 204 deletions(-) diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go index 14881acc27da..fc51a7d9d1e5 100644 --- a/builtin/credential/cert/path_certs.go 
+++ b/builtin/credential/cert/path_certs.go @@ -238,7 +238,10 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr for _, v := range d.Get("bound_cidrs").([]string) { parsedCIDR, err := sockaddr.NewSockAddr(v) if err != nil { - return nil, err + if b.Logger().IsDebug() { + b.Logger().Debug(fmt.Sprintf("unable to parse %s as a cidr: %s", v, err)) + } + return nil, logical.ErrPermissionDenied } parsedCIDRs = append(parsedCIDRs, &sockaddr.SockAddrMarshaler{parsedCIDR}) } diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go index da4b7216fc03..cf1c6c68f48e 100644 --- a/builtin/credential/cert/path_login.go +++ b/builtin/credential/cert/path_login.go @@ -17,7 +17,7 @@ import ( "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" - "github.com/hashicorp/go-sockaddr" + "github.com/hashicorp/vault/helper/cidrutil" "github.com/ryanuber/go-glob" ) @@ -384,30 +384,10 @@ func (b *backend) checkForValidChain(chains [][]*x509.Certificate) bool { } func (b *backend) checkCIDR(cert *CertEntry, req *logical.Request) error { - - if len(cert.BoundCIDRs) == 0 { - // short-circuit the below logic + if cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, cert.BoundCIDRs) { return nil } - - var valid bool - remoteSockAddr, err := sockaddr.NewSockAddr(req.Connection.RemoteAddr) - if err != nil { - if b.Logger().IsDebug() { - b.Logger().Debug("could not parse remote addr into sockaddr", "error", err, "remote_addr", req.Connection.RemoteAddr) - } - return logical.ErrPermissionDenied - } - for _, cidr := range cert.BoundCIDRs { - if cidr.Contains(remoteSockAddr) { - valid = true - break - } - } - if !valid { - return logical.ErrPermissionDenied - } - return nil + return logical.ErrPermissionDenied } // parsePEM parses a PEM encoded x509 certificate diff --git a/helper/cidrutil/cidr.go b/helper/cidrutil/cidr.go index 13552232c593..6ecdba71ad0b 100644 --- a/helper/cidrutil/cidr.go 
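Review bot: The `@@ -238,7 +238,10 @@` hunk now answers a malformed `bound_cidrs` entry on the role write path with `logical.ErrPermissionDenied`, which tells the caller they lack access when the real problem is input validation. Hiding the reason is sensible on the login path, but this caller is already allowed to write the role, so a user error is more useful: `return logical.ErrorResponse(fmt.Sprintf("invalid bound_cidrs entry %q", v)), nil`. The debug line also formats the submitted value into the message with `fmt.Sprintf`; the key/value form used by the earlier checkCIDR code on this page, `b.Logger().Debug("unable to parse bound_cidrs entry", "value", v, "error", err)`, keeps request data out of the message text. pathCertWrite's body continues outside the hunk.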
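Review bot: After the `@@ -384,30 +384,10 @@` rewrite, checkCIDR no longer logs when the remote address cannot be parsed, because `cidrutil.RemoteAddrIsOk` folds a parse failure and a non-matching address into the same `false`. Denying in both cases is right, but the operator loses the only signal that separates a malformed address from a genuine out-of-range client. A debug line on the deny path restores it: `b.Logger().Debug("remote address not within bound CIDRs", "remote_addr", req.Connection.RemoteAddr)`.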
+++ b/helper/cidrutil/cidr.go @@ -6,9 +6,33 @@ import ( "strings" "github.com/hashicorp/errwrap" + "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/helper/strutil" ) +// RemoteAddrIsOk checks if the given remote address is either: +// - OK because there's no CIDR whitelist +// - OK because it's in the CIDR whitelist +func RemoteAddrIsOk(remoteAddr string, boundCIDRs []*sockaddr.SockAddrMarshaler) bool { + if len(boundCIDRs) == 0 { + // There's no CIDR whitelist. + return true + } + remoteSockAddr, err := sockaddr.NewSockAddr(remoteAddr) + if err != nil { + // Can't tell, err on the side of less access. + return false + } + for _, cidr := range boundCIDRs { + if cidr.Contains(remoteSockAddr) { + // Whitelisted. + return true + } + } + // Not whitelisted. + return false +} + // IPBelongsToCIDR checks if the given IP is encompassed by the given CIDR block func IPBelongsToCIDR(ipAddr string, cidr string) (bool, error) { if ipAddr == "" { diff --git a/helper/cidrutil/cidr_test.go b/helper/cidrutil/cidr_test.go index 220afecc1ffa..c961ff069fa4 100644 --- a/helper/cidrutil/cidr_test.go +++ b/helper/cidrutil/cidr_test.go @@ -1,6 +1,10 @@ package cidrutil -import "testing" +import ( + "testing" + + "github.com/hashicorp/go-sockaddr" +) func TestCIDRUtil_IPBelongsToCIDR(t *testing.T) { ip := "192.168.25.30" 
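Review bot: RemoteAddrIsOk in the `@@ -6,9 +6,33 @@` hunk calls `cidr.Contains` on every element without checking for a nil entry or a nil embedded `SockAddr`, so a single bad element (for example from a decoded stored entry, which is not visible here) would panic on the login path instead of denying. A guard such as `if cidr == nil || cidr.SockAddr == nil { continue }` keeps the function fail-closed. The doc comment lists only the two allow cases; it should also state that an unparsable `remoteAddr` is denied and which address forms are expected (bare IP, or IP with port), since checkCIDR in the cert backend now relies on this helper for the whole decision.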
@@ -194,3 +198,29 @@ func TestCIDRUtil_SubsetBlocks(t *testing.T) { t.Fatalf("expected CIDR blocks %q to not be a subset of CIDR blocks %q", cidrBlocks2, cidrBlocks1) } } + +func TestCIDRUtil_RemoteAddrIsOk_NegativeTest(t *testing.T) { + addr, err := sockaddr.NewSockAddr("127.0.0.1/8") + if err != nil { + t.Fatal(err) + } + boundCIDRs := []*sockaddr.SockAddrMarshaler{ + {addr}, + } + if RemoteAddrIsOk("123.0.0.1", boundCIDRs) { + t.Fatal("remote address of 123.0.0.1/2 should not be allowed for 127.0.0.1/8") + } +} + +func TestCIDRUtil_RemoteAddrIsOk_PositiveTest(t *testing.T) { + addr, err := sockaddr.NewSockAddr("127.0.0.1/8") + if err != nil { + t.Fatal(err) + } + boundCIDRs := []*sockaddr.SockAddrMarshaler{ + {addr}, + } + if !RemoteAddrIsOk("127.0.0.1", boundCIDRs) { + t.Fatal("remote address of 127.0.0.1 should be allowed for 127.0.0.1/8") + } +} diff --git a/logical/plugin/pb/backend.pb.go b/logical/plugin/pb/backend.pb.go index a04800866c0b..d4e6fc44ae17 100644 --- a/logical/plugin/pb/backend.pb.go +++ b/logical/plugin/pb/backend.pb.go @@ -34,7 +34,7 @@ func (m *Empty) Reset() { *m = Empty{} } func (m *Empty) String() string { return proto.CompactTextString(m) } func (*Empty) ProtoMessage() {} func (*Empty) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{0} + return fileDescriptor_backend_a4dea436a6c1c127, []int{0} } func (m *Empty) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Empty.Unmarshal(m, b) @@ -65,7 +65,7 @@ func (m *Header) Reset() { *m = Header{} } func (m *Header) String() string { return proto.CompactTextString(m) } func (*Header) ProtoMessage() {} func (*Header) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{1} + return fileDescriptor_backend_a4dea436a6c1c127, []int{1} } func (m *Header) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Header.Unmarshal(m, b) 
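Review bot: The failure message in TestCIDRUtil_RemoteAddrIsOk_NegativeTest names `123.0.0.1/2`, but the address passed to RemoteAddrIsOk is `123.0.0.1`; the message should quote the input as given. Beyond that, the two tests cover one in-range and one out-of-range IPv4 address only. The branches that decide the security outcome are untested: an empty `boundCIDRs` list returning true, and an unparsable remote address (for example an empty string) returning false. A table-driven test over those cases plus an IPv6 block would pin the fail-closed behaviour.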
@@ -116,7 +116,7 @@ func (m *ProtoError) Reset() { *m = ProtoError{} } func (m *ProtoError) String() string { return proto.CompactTextString(m) } func (*ProtoError) ProtoMessage() {} func (*ProtoError) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{2} + return fileDescriptor_backend_a4dea436a6c1c127, []int{2} } func (m *ProtoError) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ProtoError.Unmarshal(m, b) @@ -179,7 +179,7 @@ func (m *Paths) Reset() { *m = Paths{} } func (m *Paths) String() string { return proto.CompactTextString(m) } func (*Paths) ProtoMessage() {} func (*Paths) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{3} + return fileDescriptor_backend_a4dea436a6c1c127, []int{3} } func (m *Paths) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Paths.Unmarshal(m, b) @@ -303,7 +303,7 @@ func (m *Request) Reset() { *m = Request{} } func (m *Request) String() string { return proto.CompactTextString(m) } func (*Request) ProtoMessage() {} func (*Request) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{4} + return fileDescriptor_backend_a4dea436a6c1c127, []int{4} } func (m *Request) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Request.Unmarshal(m, b) @@ -480,7 +480,7 @@ func (m *Alias) Reset() { *m = Alias{} } func (m *Alias) String() string { return proto.CompactTextString(m) } func (*Alias) ProtoMessage() {} func (*Alias) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{5} + return fileDescriptor_backend_a4dea436a6c1c127, []int{5} } func (m *Alias) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Alias.Unmarshal(m, b) 
@@ -567,7 +567,10 @@ type Auth struct { // authenticated user belongs to. This is used to check if there are // mappings groups for the group aliases in identity store. For all the // matching groups, the entity ID of the user will be added. - GroupAliases []*Alias `sentinel:"" protobuf:"bytes,12,rep,name=group_aliases,json=groupAliases" json:"group_aliases,omitempty"` + GroupAliases []*Alias `sentinel:"" protobuf:"bytes,12,rep,name=group_aliases,json=groupAliases" json:"group_aliases,omitempty"` + // If set, restricts usage of the certificates to client IPs falling within + // the range of the specified CIDR(s). + BoundCidrs []string `sentinel:"" protobuf:"bytes,13,rep,name=bound_cidrs,json=boundCidrs" json:"bound_cidrs,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -577,7 +580,7 @@ func (m *Auth) Reset() { *m = Auth{} } func (m *Auth) String() string { return proto.CompactTextString(m) } func (*Auth) ProtoMessage() {} func (*Auth) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{6} + return fileDescriptor_backend_a4dea436a6c1c127, []int{6} } func (m *Auth) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Auth.Unmarshal(m, b) @@ -681,6 +684,13 @@ func (m *Auth) GetGroupAliases() []*Alias { return nil } +func (m *Auth) GetBoundCidrs() []string { + if m != nil { + return m.BoundCidrs + } + return nil +} + type LeaseOptions struct { TTL int64 `sentinel:"" protobuf:"varint,1,opt,name=TTL" json:"TTL,omitempty"` Renewable bool `sentinel:"" protobuf:"varint,2,opt,name=renewable" json:"renewable,omitempty"` 
@@ -696,7 +706,7 @@ func (m *LeaseOptions) Reset() { *m = LeaseOptions{} } func (m *LeaseOptions) String() string { return proto.CompactTextString(m) } func (*LeaseOptions) ProtoMessage() {} func (*LeaseOptions) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{7} + return fileDescriptor_backend_a4dea436a6c1c127, []int{7} } func (m *LeaseOptions) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_LeaseOptions.Unmarshal(m, b) @@ -770,7 +780,7 @@ func (m *Secret) Reset() { *m = Secret{} } func (m *Secret) String() string { return proto.CompactTextString(m) } func (*Secret) ProtoMessage() {} func (*Secret) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{8} + return fileDescriptor_backend_a4dea436a6c1c127, []int{8} } func (m *Secret) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Secret.Unmarshal(m, b) @@ -841,7 +851,7 @@ func (m *Response) Reset() { *m = Response{} } func (m *Response) String() string { return proto.CompactTextString(m) } func (*Response) ProtoMessage() {} func (*Response) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{9} + return fileDescriptor_backend_a4dea436a6c1c127, []int{9} } func (m *Response) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Response.Unmarshal(m, b) @@ -936,7 +946,7 @@ func (m *ResponseWrapInfo) Reset() { *m = ResponseWrapInfo{} } func (m *ResponseWrapInfo) String() string { return proto.CompactTextString(m) } func (*ResponseWrapInfo) ProtoMessage() {} func (*ResponseWrapInfo) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{10} + return fileDescriptor_backend_a4dea436a6c1c127, []int{10} } func (m *ResponseWrapInfo) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ResponseWrapInfo.Unmarshal(m, b) 
@@ -1038,7 +1048,7 @@ func (m *RequestWrapInfo) Reset() { *m = RequestWrapInfo{} } func (m *RequestWrapInfo) String() string { return proto.CompactTextString(m) } func (*RequestWrapInfo) ProtoMessage() {} func (*RequestWrapInfo) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{11} + return fileDescriptor_backend_a4dea436a6c1c127, []int{11} } func (m *RequestWrapInfo) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_RequestWrapInfo.Unmarshal(m, b) @@ -1092,7 +1102,7 @@ func (m *HandleRequestArgs) Reset() { *m = HandleRequestArgs{} } func (m *HandleRequestArgs) String() string { return proto.CompactTextString(m) } func (*HandleRequestArgs) ProtoMessage() {} func (*HandleRequestArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{12} + return fileDescriptor_backend_a4dea436a6c1c127, []int{12} } func (m *HandleRequestArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_HandleRequestArgs.Unmarshal(m, b) @@ -1139,7 +1149,7 @@ func (m *HandleRequestReply) Reset() { *m = HandleRequestReply{} } func (m *HandleRequestReply) String() string { return proto.CompactTextString(m) } func (*HandleRequestReply) ProtoMessage() {} func (*HandleRequestReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{13} + return fileDescriptor_backend_a4dea436a6c1c127, []int{13} } func (m *HandleRequestReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_HandleRequestReply.Unmarshal(m, b) 
@@ -1185,7 +1195,7 @@ func (m *SpecialPathsReply) Reset() { *m = SpecialPathsReply{} } func (m *SpecialPathsReply) String() string { return proto.CompactTextString(m) } func (*SpecialPathsReply) ProtoMessage() {} func (*SpecialPathsReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{14} + return fileDescriptor_backend_a4dea436a6c1c127, []int{14} } func (m *SpecialPathsReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_SpecialPathsReply.Unmarshal(m, b) @@ -1225,7 +1235,7 @@ func (m *HandleExistenceCheckArgs) Reset() { *m = HandleExistenceCheckAr func (m *HandleExistenceCheckArgs) String() string { return proto.CompactTextString(m) } func (*HandleExistenceCheckArgs) ProtoMessage() {} func (*HandleExistenceCheckArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{15} + return fileDescriptor_backend_a4dea436a6c1c127, []int{15} } func (m *HandleExistenceCheckArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_HandleExistenceCheckArgs.Unmarshal(m, b) @@ -1273,7 +1283,7 @@ func (m *HandleExistenceCheckReply) Reset() { *m = HandleExistenceCheckR func (m *HandleExistenceCheckReply) String() string { return proto.CompactTextString(m) } func (*HandleExistenceCheckReply) ProtoMessage() {} func (*HandleExistenceCheckReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{16} + return fileDescriptor_backend_a4dea436a6c1c127, []int{16} } func (m *HandleExistenceCheckReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_HandleExistenceCheckReply.Unmarshal(m, b) 
@@ -1328,7 +1338,7 @@ func (m *SetupArgs) Reset() { *m = SetupArgs{} } func (m *SetupArgs) String() string { return proto.CompactTextString(m) } func (*SetupArgs) ProtoMessage() {} func (*SetupArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{17} + return fileDescriptor_backend_a4dea436a6c1c127, []int{17} } func (m *SetupArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_SetupArgs.Unmarshal(m, b) @@ -1381,7 +1391,7 @@ func (m *SetupReply) Reset() { *m = SetupReply{} } func (m *SetupReply) String() string { return proto.CompactTextString(m) } func (*SetupReply) ProtoMessage() {} func (*SetupReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{18} + return fileDescriptor_backend_a4dea436a6c1c127, []int{18} } func (m *SetupReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_SetupReply.Unmarshal(m, b) @@ -1420,7 +1430,7 @@ func (m *TypeReply) Reset() { *m = TypeReply{} } func (m *TypeReply) String() string { return proto.CompactTextString(m) } func (*TypeReply) ProtoMessage() {} func (*TypeReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{19} + return fileDescriptor_backend_a4dea436a6c1c127, []int{19} } func (m *TypeReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_TypeReply.Unmarshal(m, b) @@ -1458,7 +1468,7 @@ func (m *InvalidateKeyArgs) Reset() { *m = InvalidateKeyArgs{} } func (m *InvalidateKeyArgs) String() string { return proto.CompactTextString(m) } func (*InvalidateKeyArgs) ProtoMessage() {} func (*InvalidateKeyArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{20} + return fileDescriptor_backend_a4dea436a6c1c127, []int{20} } func (m *InvalidateKeyArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_InvalidateKeyArgs.Unmarshal(m, b) 
@@ -1498,7 +1508,7 @@ func (m *StorageEntry) Reset() { *m = StorageEntry{} } func (m *StorageEntry) String() string { return proto.CompactTextString(m) } func (*StorageEntry) ProtoMessage() {} func (*StorageEntry) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{21} + return fileDescriptor_backend_a4dea436a6c1c127, []int{21} } func (m *StorageEntry) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StorageEntry.Unmarshal(m, b) @@ -1550,7 +1560,7 @@ func (m *StorageListArgs) Reset() { *m = StorageListArgs{} } func (m *StorageListArgs) String() string { return proto.CompactTextString(m) } func (*StorageListArgs) ProtoMessage() {} func (*StorageListArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{22} + return fileDescriptor_backend_a4dea436a6c1c127, []int{22} } func (m *StorageListArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StorageListArgs.Unmarshal(m, b) @@ -1589,7 +1599,7 @@ func (m *StorageListReply) Reset() { *m = StorageListReply{} } func (m *StorageListReply) String() string { return proto.CompactTextString(m) } func (*StorageListReply) ProtoMessage() {} func (*StorageListReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{23} + return fileDescriptor_backend_a4dea436a6c1c127, []int{23} } func (m *StorageListReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StorageListReply.Unmarshal(m, b) @@ -1634,7 +1644,7 @@ func (m *StorageGetArgs) Reset() { *m = StorageGetArgs{} } func (m *StorageGetArgs) String() string { return proto.CompactTextString(m) } func (*StorageGetArgs) ProtoMessage() {} func (*StorageGetArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{24} + return fileDescriptor_backend_a4dea436a6c1c127, []int{24} } func (m *StorageGetArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StorageGetArgs.Unmarshal(m, b) 
@@ -1673,7 +1683,7 @@ func (m *StorageGetReply) Reset() { *m = StorageGetReply{} } func (m *StorageGetReply) String() string { return proto.CompactTextString(m) } func (*StorageGetReply) ProtoMessage() {} func (*StorageGetReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{25} + return fileDescriptor_backend_a4dea436a6c1c127, []int{25} } func (m *StorageGetReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StorageGetReply.Unmarshal(m, b) @@ -1718,7 +1728,7 @@ func (m *StoragePutArgs) Reset() { *m = StoragePutArgs{} } func (m *StoragePutArgs) String() string { return proto.CompactTextString(m) } func (*StoragePutArgs) ProtoMessage() {} func (*StoragePutArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{26} + return fileDescriptor_backend_a4dea436a6c1c127, []int{26} } func (m *StoragePutArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StoragePutArgs.Unmarshal(m, b) @@ -1756,7 +1766,7 @@ func (m *StoragePutReply) Reset() { *m = StoragePutReply{} } func (m *StoragePutReply) String() string { return proto.CompactTextString(m) } func (*StoragePutReply) ProtoMessage() {} func (*StoragePutReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{27} + return fileDescriptor_backend_a4dea436a6c1c127, []int{27} } func (m *StoragePutReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StoragePutReply.Unmarshal(m, b) @@ -1794,7 +1804,7 @@ func (m *StorageDeleteArgs) Reset() { *m = StorageDeleteArgs{} } func (m *StorageDeleteArgs) String() string { return proto.CompactTextString(m) } func (*StorageDeleteArgs) ProtoMessage() {} func (*StorageDeleteArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{28} + return fileDescriptor_backend_a4dea436a6c1c127, []int{28} } func (m *StorageDeleteArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StorageDeleteArgs.Unmarshal(m, b) 
@@ -1832,7 +1842,7 @@ func (m *StorageDeleteReply) Reset() { *m = StorageDeleteReply{} } func (m *StorageDeleteReply) String() string { return proto.CompactTextString(m) } func (*StorageDeleteReply) ProtoMessage() {} func (*StorageDeleteReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{29} + return fileDescriptor_backend_a4dea436a6c1c127, []int{29} } func (m *StorageDeleteReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StorageDeleteReply.Unmarshal(m, b) @@ -1870,7 +1880,7 @@ func (m *TTLReply) Reset() { *m = TTLReply{} } func (m *TTLReply) String() string { return proto.CompactTextString(m) } func (*TTLReply) ProtoMessage() {} func (*TTLReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{30} + return fileDescriptor_backend_a4dea436a6c1c127, []int{30} } func (m *TTLReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_TTLReply.Unmarshal(m, b) @@ -1909,7 +1919,7 @@ func (m *SudoPrivilegeArgs) Reset() { *m = SudoPrivilegeArgs{} } func (m *SudoPrivilegeArgs) String() string { return proto.CompactTextString(m) } func (*SudoPrivilegeArgs) ProtoMessage() {} func (*SudoPrivilegeArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{31} + return fileDescriptor_backend_a4dea436a6c1c127, []int{31} } func (m *SudoPrivilegeArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_SudoPrivilegeArgs.Unmarshal(m, b) @@ -1954,7 +1964,7 @@ func (m *SudoPrivilegeReply) Reset() { *m = SudoPrivilegeReply{} } func (m *SudoPrivilegeReply) String() string { return proto.CompactTextString(m) } func (*SudoPrivilegeReply) ProtoMessage() {} func (*SudoPrivilegeReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{32} + return fileDescriptor_backend_a4dea436a6c1c127, []int{32} } func (m *SudoPrivilegeReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_SudoPrivilegeReply.Unmarshal(m, b) 
@@ -1992,7 +2002,7 @@ func (m *TaintedReply) Reset() { *m = TaintedReply{} } func (m *TaintedReply) String() string { return proto.CompactTextString(m) } func (*TaintedReply) ProtoMessage() {} func (*TaintedReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{33} + return fileDescriptor_backend_a4dea436a6c1c127, []int{33} } func (m *TaintedReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_TaintedReply.Unmarshal(m, b) @@ -2030,7 +2040,7 @@ func (m *CachingDisabledReply) Reset() { *m = CachingDisabledReply{} } func (m *CachingDisabledReply) String() string { return proto.CompactTextString(m) } func (*CachingDisabledReply) ProtoMessage() {} func (*CachingDisabledReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{34} + return fileDescriptor_backend_a4dea436a6c1c127, []int{34} } func (m *CachingDisabledReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_CachingDisabledReply.Unmarshal(m, b) @@ -2068,7 +2078,7 @@ func (m *ReplicationStateReply) Reset() { *m = ReplicationStateReply{} } func (m *ReplicationStateReply) String() string { return proto.CompactTextString(m) } func (*ReplicationStateReply) ProtoMessage() {} func (*ReplicationStateReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{35} + return fileDescriptor_backend_a4dea436a6c1c127, []int{35} } func (m *ReplicationStateReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ReplicationStateReply.Unmarshal(m, b) 
@@ -2108,7 +2118,7 @@ func (m *ResponseWrapDataArgs) Reset() { *m = ResponseWrapDataArgs{} } func (m *ResponseWrapDataArgs) String() string { return proto.CompactTextString(m) } func (*ResponseWrapDataArgs) ProtoMessage() {} func (*ResponseWrapDataArgs) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{36} + return fileDescriptor_backend_a4dea436a6c1c127, []int{36} } func (m *ResponseWrapDataArgs) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ResponseWrapDataArgs.Unmarshal(m, b) @@ -2161,7 +2171,7 @@ func (m *ResponseWrapDataReply) Reset() { *m = ResponseWrapDataReply{} } func (m *ResponseWrapDataReply) String() string { return proto.CompactTextString(m) } func (*ResponseWrapDataReply) ProtoMessage() {} func (*ResponseWrapDataReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{37} + return fileDescriptor_backend_a4dea436a6c1c127, []int{37} } func (m *ResponseWrapDataReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ResponseWrapDataReply.Unmarshal(m, b) @@ -2206,7 +2216,7 @@ func (m *MlockEnabledReply) Reset() { *m = MlockEnabledReply{} } func (m *MlockEnabledReply) String() string { return proto.CompactTextString(m) } func (*MlockEnabledReply) ProtoMessage() {} func (*MlockEnabledReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{38} + return fileDescriptor_backend_a4dea436a6c1c127, []int{38} } func (m *MlockEnabledReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_MlockEnabledReply.Unmarshal(m, b) 
@@ -2244,7 +2254,7 @@ func (m *LocalMountReply) Reset() { *m = LocalMountReply{} } func (m *LocalMountReply) String() string { return proto.CompactTextString(m) } func (*LocalMountReply) ProtoMessage() {} func (*LocalMountReply) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{39} + return fileDescriptor_backend_a4dea436a6c1c127, []int{39} } func (m *LocalMountReply) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_LocalMountReply.Unmarshal(m, b) @@ -2283,7 +2293,7 @@ func (m *Connection) Reset() { *m = Connection{} } func (m *Connection) String() string { return proto.CompactTextString(m) } func (*Connection) ProtoMessage() {} func (*Connection) Descriptor() ([]byte, []int) { - return fileDescriptor_backend_bf8da362534328ce, []int{40} + return fileDescriptor_backend_a4dea436a6c1c127, []int{40} } func (m *Connection) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Connection.Unmarshal(m, b) 
@@ -3215,141 +3225,143 @@ var _SystemView_serviceDesc = grpc.ServiceDesc{ } func init() { - proto.RegisterFile("logical/plugin/pb/backend.proto", fileDescriptor_backend_bf8da362534328ce) -} - -var fileDescriptor_backend_bf8da362534328ce = []byte{ - // 2112 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x58, 0x5b, 0x6f, 0xdb, 0xc8, - 0x15, 0x86, 0x24, 0x4b, 0xa2, 0x8e, 0x24, 0x5f, 0x26, 0x4e, 0xca, 0x28, 0xd9, 0x5a, 0xe5, 0x22, - 0x59, 0x6d, 0xd0, 0xc8, 0x89, 0x7a, 0xcb, 0xb6, 0xd8, 0x2d, 0x5c, 0xdb, 0x9b, 0x75, 0xd7, 0xde, - 0x35, 0x68, 0xa7, 0xdb, 0xa2, 0x05, 0xb4, 0x63, 0xf2, 0x58, 0x26, 0x4c, 0x91, 0xec, 0x70, 0x68, - 0x47, 0x4f, 0xfd, 0x17, 0xfd, 0x1b, 0x7d, 0xed, 0x5b, 0x5f, 0x0b, 0xf4, 0xb9, 0xbf, 0xa0, 0xef, - 0x7d, 0xe8, 0x2f, 0x28, 0xe6, 0x42, 0x6a, 0x28, 0xc9, 0x4d, 0x0a, 0xb4, 0x6f, 0x73, 0x2e, 0x33, - 0xe7, 0xc2, 0x73, 0xbe, 0x33, 0x43, 0xd8, 0x09, 0xe3, 0x49, 0xe0, 0xd1, 0x70, 0x37, 0x09, 0xb3, - 0x49, 0x10, 0xed, 0x26, 0x17, 0xbb, 0x17, 0xd4, 0xbb, 0xc6, 0xc8, 0x1f, 0x26, 0x2c, 0xe6, 0x31, - 0xa9, 0x26, 0x17, 0xbd, 0x9d, 0x49, 0x1c, 0x4f, 0x42, 0xdc, 0x95, 0x9c, 0x8b, 0xec, 0x72, 0x97, - 0x07, 0x53, 0x4c, 0x39, 0x9d, 0x26, 0x4a, 0xc9, 0x69, 0x42, 0xfd, 0x70, 0x9a, 0xf0, 0x99, 0xd3, - 0x87, 0xc6, 0x17, 0x48, 0x7d, 0x64, 0xe4, 0x01, 0x34, 0xae, 0xe4, 0xca, 0xae, 0xf4, 0x6b, 0x83, - 0x96, 0xab, 0x29, 0xe7, 0xb7, 0x00, 0xa7, 0x62, 0xcf, 0x21, 0x63, 0x31, 0x23, 0x0f, 0xc1, 0x42, - 0xc6, 0xc6, 0x7c, 0x96, 0xa0, 0x5d, 0xe9, 0x57, 0x06, 0x5d, 0xb7, 0x89, 0x8c, 0x9d, 0xcf, 0x12, - 0x24, 0xdf, 0x01, 0xb1, 0x1c, 0x4f, 0xd3, 0x89, 0x5d, 0xed, 0x57, 0xc4, 0x09, 0xc8, 0xd8, 0x49, - 0x3a, 0xc9, 0xf7, 0x78, 0xb1, 0x8f, 0x76, 0xad, 0x5f, 0x19, 0xd4, 0xe4, 0x9e, 0xfd, 0xd8, 0x47, - 0xe7, 0x8f, 0x15, 0xa8, 0x9f, 0x52, 0x7e, 0x95, 0x12, 0x02, 0x6b, 0x2c, 0x8e, 0xb9, 0x36, 0x2e, - 0xd7, 0x64, 0x00, 0x1b, 0x59, 0x44, 0x33, 0x7e, 0x85, 0x11, 0x0f, 0x3c, 0xca, 0xd1, 0xb7, 0xab, - 0x52, 0xbc, 0xc8, 0x26, 0x1f, 0x42, 
0x37, 0x8c, 0x3d, 0x1a, 0x8e, 0x53, 0x1e, 0x33, 0x3a, 0x11, - 0x76, 0x84, 0x5e, 0x47, 0x32, 0xcf, 0x14, 0x8f, 0x3c, 0x83, 0xad, 0x14, 0x69, 0x38, 0xbe, 0x65, - 0x34, 0x29, 0x14, 0xd7, 0xd4, 0x81, 0x42, 0xf0, 0x0d, 0xa3, 0x89, 0xd6, 0x75, 0xfe, 0xd2, 0x80, - 0xa6, 0x8b, 0xbf, 0xcf, 0x30, 0xe5, 0x64, 0x1d, 0xaa, 0x81, 0x2f, 0xa3, 0x6d, 0xb9, 0xd5, 0xc0, - 0x27, 0x43, 0x20, 0x2e, 0x26, 0xa1, 0x30, 0x1d, 0xc4, 0xd1, 0x7e, 0x98, 0xa5, 0x1c, 0x99, 0x8e, - 0x79, 0x85, 0x84, 0x3c, 0x86, 0x56, 0x9c, 0x20, 0x93, 0x3c, 0x99, 0x80, 0x96, 0x3b, 0x67, 0x88, - 0xc0, 0x13, 0xca, 0xaf, 0xec, 0x35, 0x29, 0x90, 0x6b, 0xc1, 0xf3, 0x29, 0xa7, 0x76, 0x5d, 0xf1, - 0xc4, 0x9a, 0x38, 0xd0, 0x48, 0xd1, 0x63, 0xc8, 0xed, 0x46, 0xbf, 0x32, 0x68, 0x8f, 0x60, 0x98, - 0x5c, 0x0c, 0xcf, 0x24, 0xc7, 0xd5, 0x12, 0xf2, 0x18, 0xd6, 0x44, 0x5e, 0xec, 0xa6, 0xd4, 0xb0, - 0x84, 0xc6, 0x5e, 0xc6, 0xaf, 0x5c, 0xc9, 0x25, 0x23, 0x68, 0xaa, 0x6f, 0x9a, 0xda, 0x56, 0xbf, - 0x36, 0x68, 0x8f, 0x6c, 0xa1, 0xa0, 0xa3, 0x1c, 0xaa, 0x32, 0x48, 0x0f, 0x23, 0xce, 0x66, 0x6e, - 0xae, 0x48, 0xbe, 0x07, 0x1d, 0x2f, 0x0c, 0x30, 0xe2, 0x63, 0x1e, 0x5f, 0x63, 0x64, 0xb7, 0xa4, - 0x47, 0x6d, 0xc5, 0x3b, 0x17, 0x2c, 0x32, 0x82, 0xfb, 0xa6, 0xca, 0x98, 0x7a, 0x1e, 0xa6, 0x69, - 0xcc, 0x6c, 0x90, 0xba, 0xf7, 0x0c, 0xdd, 0x3d, 0x2d, 0x12, 0xc7, 0xfa, 0x41, 0x9a, 0x84, 0x74, - 0x36, 0x8e, 0xe8, 0x14, 0xed, 0xb6, 0x3a, 0x56, 0xf3, 0xbe, 0xa2, 0x53, 0x24, 0x3b, 0xd0, 0x9e, - 0xc6, 0x59, 0xc4, 0xc7, 0x49, 0x1c, 0x44, 0xdc, 0xee, 0x48, 0x0d, 0x90, 0xac, 0x53, 0xc1, 0x21, - 0x1f, 0x80, 0xa2, 0x54, 0x31, 0x76, 0x55, 0x5e, 0x25, 0x47, 0x96, 0xe3, 0x13, 0x58, 0x57, 0xe2, - 0xc2, 0x9f, 0x75, 0xa9, 0xd2, 0x95, 0xdc, 0xc2, 0x93, 0x17, 0xd0, 0x92, 0xf5, 0x10, 0x44, 0x97, - 0xb1, 0xbd, 0x21, 0xf3, 0x76, 0xcf, 0x48, 0x8b, 0xa8, 0x89, 0xa3, 0xe8, 0x32, 0x76, 0xad, 0x5b, - 0xbd, 0x22, 0x9f, 0xc2, 0xa3, 0x52, 0xbc, 0x0c, 0xa7, 0x34, 0x88, 0x82, 0x68, 0x32, 0xce, 0x52, - 0x4c, 0xed, 0x4d, 0x59, 0xe1, 0xb6, 0x11, 0xb5, 0x9b, 0x2b, 0xbc, 0x49, 
0x31, 0x25, 0x8f, 0xa0, - 0x25, 0xea, 0x96, 0xcf, 0xc6, 0x81, 0x6f, 0x6f, 0x49, 0x97, 0x2c, 0xc5, 0x38, 0xf2, 0xc9, 0x47, - 0xb0, 0x91, 0xc4, 0x61, 0xe0, 0xcd, 0xc6, 0xf1, 0x0d, 0x32, 0x16, 0xf8, 0x68, 0x93, 0x7e, 0x65, - 0x60, 0xb9, 0xeb, 0x8a, 0xfd, 0xb5, 0xe6, 0xae, 0x6a, 0x8d, 0x7b, 0x52, 0x71, 0xa9, 0x35, 0x86, - 0x00, 0x5e, 0x1c, 0x45, 0xe8, 0xc9, 0xf2, 0xdb, 0x96, 0x11, 0xae, 0x8b, 0x08, 0xf7, 0x0b, 0xae, - 0x6b, 0x68, 0xf4, 0x3e, 0x87, 0x8e, 0x59, 0x0a, 0x64, 0x13, 0x6a, 0xd7, 0x38, 0xd3, 0xe5, 0x2f, - 0x96, 0xa4, 0x0f, 0xf5, 0x1b, 0x1a, 0x66, 0x28, 0x4b, 0x5e, 0x17, 0xa2, 0xda, 0xe2, 0x2a, 0xc1, - 0x4f, 0xab, 0xaf, 0x2a, 0x0e, 0x85, 0xfa, 0x5e, 0x18, 0xd0, 0x74, 0xe1, 0x3b, 0x55, 0xde, 0xfd, - 0x9d, 0xaa, 0xab, 0xbe, 0x13, 0x81, 0x35, 0x59, 0x29, 0xaa, 0x7f, 0xe4, 0xda, 0xf9, 0x57, 0x0d, - 0xd6, 0x44, 0x7d, 0x93, 0x1f, 0x41, 0x37, 0x44, 0x9a, 0xe2, 0x38, 0x4e, 0x44, 0x0c, 0xa9, 0xb4, - 0xd2, 0x1e, 0x6d, 0x0a, 0xcf, 0x8e, 0x85, 0xe0, 0x6b, 0xc5, 0x77, 0x3b, 0xa1, 0x41, 0x09, 0xd4, - 0x08, 0x22, 0x8e, 0x2c, 0xa2, 0xe1, 0x58, 0xf6, 0x9b, 0xb2, 0xdc, 0xc9, 0x99, 0x07, 0xa2, 0xef, - 0x16, 0x4b, 0xb5, 0xb6, 0x5c, 0xaa, 0x3d, 0xb0, 0xe4, 0xe7, 0x09, 0x30, 0xd5, 0x78, 0x52, 0xd0, - 0x64, 0x04, 0xd6, 0x14, 0x39, 0xd5, 0xed, 0x2c, 0xba, 0xee, 0x41, 0xde, 0x96, 0xc3, 0x13, 0x2d, - 0x50, 0x3d, 0x57, 0xe8, 0x2d, 0x35, 0x5d, 0x63, 0xb9, 0xe9, 0x7a, 0x60, 0x15, 0xf9, 0x6a, 0xaa, - 0x22, 0xca, 0x69, 0x81, 0xe4, 0x09, 0xb2, 0x20, 0xf6, 0x6d, 0x4b, 0xd6, 0xa2, 0xa6, 0x04, 0x0e, - 0x47, 0xd9, 0x54, 0x55, 0x69, 0x4b, 0xe1, 0x70, 0x94, 0x4d, 0x97, 0x8b, 0x12, 0x16, 0x8a, 0x72, - 0x07, 0xea, 0x54, 0x7c, 0x49, 0xd9, 0xa5, 0xed, 0x51, 0x4b, 0xfa, 0x2f, 0x18, 0xae, 0xe2, 0x93, - 0x21, 0x74, 0x27, 0x2c, 0xce, 0x92, 0xb1, 0x24, 0x31, 0xb5, 0x3b, 0x32, 0x50, 0x43, 0xb1, 0x23, - 0xe5, 0x7b, 0x4a, 0xdc, 0xfb, 0x19, 0x74, 0x4b, 0xa1, 0xaf, 0xa8, 0xb1, 0x6d, 0xb3, 0xc6, 0x5a, - 0x66, 0x5d, 0xfd, 0xa9, 0x02, 0x1d, 0xf3, 0x9b, 0x8a, 0xcd, 0xe7, 0xe7, 0xc7, 0x72, 0x73, 0xcd, - 0x15, 0x4b, 
0x01, 0xb8, 0x0c, 0x23, 0xbc, 0xa5, 0x17, 0xa1, 0x3a, 0xc0, 0x72, 0xe7, 0x0c, 0x21, - 0x0d, 0x22, 0x8f, 0xe1, 0x14, 0x23, 0xae, 0xe7, 0xd1, 0x9c, 0x41, 0x3e, 0x01, 0x08, 0xd2, 0x34, - 0xc3, 0xb1, 0x18, 0x99, 0x12, 0x94, 0xdb, 0xa3, 0xde, 0x50, 0xcd, 0xd3, 0x61, 0x3e, 0x4f, 0x87, - 0xe7, 0xf9, 0x3c, 0x75, 0x5b, 0x52, 0x5b, 0xd0, 0x22, 0xef, 0x27, 0xf4, 0xad, 0xf0, 0xa5, 0xae, - 0xf2, 0xae, 0x28, 0xe7, 0x0f, 0xd0, 0x50, 0x38, 0xfd, 0x7f, 0xad, 0xd3, 0x87, 0x60, 0xa9, 0xb3, - 0x03, 0x5f, 0xd7, 0x68, 0x53, 0xd2, 0x47, 0xbe, 0xf3, 0xb7, 0x0a, 0x58, 0x2e, 0xa6, 0x49, 0x1c, - 0xa5, 0x68, 0xcc, 0x91, 0xca, 0x3b, 0xe7, 0x48, 0x75, 0xe5, 0x1c, 0xc9, 0xa7, 0x53, 0xcd, 0x98, - 0x4e, 0x3d, 0xb0, 0x18, 0xfa, 0x01, 0x43, 0x8f, 0xeb, 0x49, 0x56, 0xd0, 0x42, 0x76, 0x4b, 0x99, - 0x00, 0xc0, 0x54, 0xb6, 0x40, 0xcb, 0x2d, 0x68, 0xf2, 0xd2, 0x84, 0x5f, 0x35, 0xd8, 0xb6, 0x15, - 0xfc, 0x2a, 0x77, 0x97, 0xf1, 0xd7, 0xf9, 0x6b, 0x15, 0x36, 0x17, 0xc5, 0x2b, 0x8a, 0x60, 0x1b, - 0xea, 0xaa, 0x7b, 0x74, 0x05, 0xf1, 0xa5, 0xbe, 0xa9, 0x2d, 0xf4, 0xcd, 0xcf, 0xa1, 0xeb, 0x31, - 0x94, 0x53, 0xf9, 0x7d, 0xbf, 0x7e, 0x27, 0xdf, 0x20, 0x0b, 0xe0, 0x63, 0xd8, 0x14, 0x5e, 0x26, - 0xe8, 0xcf, 0xc1, 0x4c, 0x8d, 0xf0, 0x0d, 0xcd, 0x2f, 0xe0, 0xec, 0x19, 0x6c, 0xe5, 0xaa, 0xf3, - 0xc6, 0x6b, 0x94, 0x74, 0x0f, 0xf3, 0xfe, 0x7b, 0x00, 0x8d, 0xcb, 0x98, 0x4d, 0x29, 0xd7, 0x9d, - 0xae, 0x29, 0x51, 0x16, 0x85, 0xbf, 0xf2, 0x0a, 0x61, 0xa9, 0xb2, 0xc8, 0x99, 0xe2, 0x62, 0x25, - 0x3a, 0xbb, 0xb8, 0xf4, 0xc8, 0xae, 0xb7, 0x5c, 0x2b, 0xbf, 0xec, 0x38, 0xbf, 0x86, 0x8d, 0x85, - 0x39, 0xb7, 0x22, 0x91, 0x73, 0xf3, 0xd5, 0x92, 0xf9, 0xd2, 0xc9, 0xb5, 0x85, 0x93, 0x7f, 0x03, - 0x5b, 0x5f, 0xd0, 0xc8, 0x0f, 0x51, 0x9f, 0xbf, 0xc7, 0x26, 0x72, 0x12, 0xe8, 0x6b, 0xd7, 0x58, - 0x5f, 0xa8, 0xba, 0x6e, 0x4b, 0x73, 0x8e, 0x7c, 0xf2, 0x04, 0x9a, 0x4c, 0x69, 0xeb, 0xc2, 0x6b, - 0x1b, 0x83, 0xd8, 0xcd, 0x65, 0xce, 0xb7, 0x40, 0x4a, 0x47, 0x8b, 0x1b, 0xd7, 0x8c, 0x0c, 0x44, - 0x01, 0xaa, 0xa2, 0xd0, 0x85, 0xdd, 0x31, 0xeb, 
0xc8, 0x2d, 0xa4, 0xa4, 0x0f, 0x35, 0x64, 0x4c, - 0x9b, 0x90, 0x93, 0x70, 0x7e, 0xbf, 0x75, 0x85, 0xc8, 0xf9, 0x21, 0x6c, 0x9d, 0x25, 0xe8, 0x05, - 0x34, 0x94, 0x77, 0x53, 0x65, 0x60, 0x07, 0xea, 0x22, 0xc9, 0x79, 0xcf, 0x4a, 0x70, 0x53, 0x62, - 0xc5, 0x77, 0xbe, 0x05, 0x5b, 0xf9, 0x75, 0xf8, 0x36, 0x48, 0x39, 0x46, 0x1e, 0xee, 0x5f, 0xa1, - 0x77, 0xfd, 0x3f, 0x8c, 0xfc, 0x06, 0x1e, 0xae, 0xb2, 0x90, 0xfb, 0xd7, 0xf6, 0x04, 0x35, 0xbe, - 0x8c, 0xb3, 0x48, 0xd9, 0xb0, 0x5c, 0x90, 0xac, 0xcf, 0x05, 0x47, 0x7c, 0x47, 0x14, 0xfb, 0x52, - 0x0d, 0x89, 0x9a, 0xca, 0xf3, 0x51, 0xbb, 0x3b, 0x1f, 0x7f, 0xae, 0x40, 0xeb, 0x0c, 0x79, 0x96, - 0xc8, 0x58, 0x1e, 0x41, 0xeb, 0x82, 0xc5, 0xd7, 0xc8, 0xe6, 0xa1, 0x58, 0x8a, 0x71, 0xe4, 0x93, - 0x97, 0xd0, 0xd8, 0x8f, 0xa3, 0xcb, 0x60, 0x22, 0x6f, 0xea, 0xed, 0xd1, 0x43, 0x85, 0x2e, 0x7a, - 0xef, 0x50, 0xc9, 0xd4, 0xbc, 0xd3, 0x8a, 0xa4, 0x0f, 0x6d, 0xfd, 0x82, 0x79, 0xf3, 0xe6, 0xe8, - 0x20, 0x9f, 0xaf, 0x06, 0xab, 0xf7, 0x09, 0xb4, 0x8d, 0x8d, 0xff, 0xd5, 0xb4, 0xf8, 0x2e, 0x80, - 0xb4, 0xae, 0x72, 0xb4, 0xa9, 0x42, 0xd5, 0x3b, 0x45, 0x68, 0x3b, 0xd0, 0x12, 0xb7, 0x10, 0x25, - 0x26, 0xb0, 0x66, 0x3c, 0x6c, 0xe4, 0xda, 0x79, 0x02, 0x5b, 0x47, 0xd1, 0x0d, 0x0d, 0x03, 0x9f, - 0x72, 0xfc, 0x12, 0x67, 0x32, 0x05, 0x4b, 0x1e, 0x38, 0x67, 0xd0, 0xd1, 0x4f, 0x87, 0xf7, 0xf2, - 0xb1, 0xa3, 0x7d, 0xfc, 0xcf, 0x4d, 0xf4, 0x31, 0x6c, 0xe8, 0x43, 0x8f, 0x03, 0xdd, 0x42, 0x62, - 0xb6, 0x33, 0xbc, 0x0c, 0xde, 0xea, 0xa3, 0x35, 0xe5, 0xbc, 0x82, 0x4d, 0x43, 0xb5, 0x08, 0xe7, - 0x1a, 0x67, 0x69, 0xfe, 0xa4, 0x12, 0xeb, 0x3c, 0x03, 0xd5, 0x79, 0x06, 0x1c, 0x58, 0xd7, 0x3b, - 0x5f, 0x23, 0xbf, 0x23, 0xba, 0x2f, 0x0b, 0x47, 0x5e, 0xa3, 0x3e, 0xfc, 0x29, 0xd4, 0x51, 0x44, - 0x6a, 0x8e, 0x30, 0x33, 0x03, 0xae, 0x12, 0xaf, 0x30, 0xf8, 0xaa, 0x30, 0x78, 0x9a, 0x29, 0x83, - 0xef, 0x79, 0x96, 0xf3, 0x61, 0xe1, 0xc6, 0x69, 0xc6, 0xef, 0xfa, 0xa2, 0x4f, 0x60, 0x4b, 0x2b, - 0x1d, 0x60, 0x88, 0x1c, 0xef, 0x08, 0xe9, 0x29, 0x90, 0x92, 0xda, 0x5d, 0xc7, 0x3d, 
0x06, 0xeb, - 0xfc, 0xfc, 0xb8, 0x90, 0x96, 0xb1, 0xd1, 0xf9, 0x14, 0xb6, 0xce, 0x32, 0x3f, 0x3e, 0x65, 0xc1, - 0x4d, 0x10, 0xe2, 0x44, 0x19, 0xcb, 0x5f, 0x74, 0x15, 0xe3, 0x45, 0xb7, 0x72, 0x1a, 0x39, 0x03, - 0x20, 0xa5, 0xed, 0xc5, 0x77, 0x4b, 0x33, 0x3f, 0xd6, 0x2d, 0x2c, 0xd7, 0xce, 0x00, 0x3a, 0xe7, - 0x54, 0xcc, 0x7b, 0x5f, 0xe9, 0xd8, 0xd0, 0xe4, 0x8a, 0xd6, 0x6a, 0x39, 0xe9, 0x8c, 0x60, 0x7b, - 0x9f, 0x7a, 0x57, 0x41, 0x34, 0x39, 0x08, 0x52, 0x71, 0xe1, 0xd1, 0x3b, 0x7a, 0x60, 0xf9, 0x9a, - 0xa1, 0xb7, 0x14, 0xb4, 0xf3, 0x1c, 0xee, 0x1b, 0xef, 0xd6, 0x33, 0x4e, 0xf3, 0x7c, 0x6c, 0x43, - 0x3d, 0x15, 0x94, 0xdc, 0x51, 0x77, 0x15, 0xe1, 0x7c, 0x05, 0xdb, 0xe6, 0x00, 0x16, 0xd7, 0x8f, - 0x3c, 0x70, 0x79, 0x31, 0xa8, 0x18, 0x17, 0x03, 0x9d, 0xb3, 0xea, 0x7c, 0x9e, 0x6c, 0x42, 0xed, - 0x97, 0xdf, 0x9c, 0xeb, 0x62, 0x17, 0x4b, 0xe7, 0x77, 0xc2, 0x7c, 0xf9, 0x3c, 0x65, 0xbe, 0x74, - 0x3b, 0xa8, 0xbc, 0xcf, 0xed, 0x60, 0x45, 0xbd, 0x3d, 0x87, 0xad, 0x93, 0x30, 0xf6, 0xae, 0x0f, - 0x23, 0x23, 0x1b, 0x36, 0x34, 0x31, 0x32, 0x93, 0x91, 0x93, 0xce, 0x47, 0xb0, 0x71, 0x1c, 0x7b, - 0x34, 0x3c, 0x11, 0xcf, 0x8f, 0x22, 0x0b, 0xf2, 0x47, 0x82, 0x56, 0x55, 0x84, 0xf3, 0x1c, 0x60, - 0xfe, 0x84, 0x12, 0xf0, 0xcb, 0x70, 0x1a, 0x73, 0x1c, 0x53, 0xdf, 0xcf, 0x2b, 0x08, 0x14, 0x6b, - 0xcf, 0xf7, 0xd9, 0xe8, 0x9f, 0x55, 0x68, 0xfe, 0x42, 0x81, 0x1a, 0xf9, 0x0c, 0xba, 0xa5, 0x11, - 0x46, 0xee, 0xcb, 0x37, 0xd4, 0xe2, 0xc0, 0xec, 0x3d, 0x58, 0x62, 0x2b, 0x87, 0x5e, 0x40, 0xc7, - 0x1c, 0x50, 0x44, 0x0e, 0x23, 0xf9, 0x43, 0xa7, 0x27, 0x4f, 0x5a, 0x9e, 0x5e, 0x67, 0xb0, 0xbd, - 0x6a, 0x74, 0x90, 0xc7, 0x73, 0x0b, 0xcb, 0x63, 0xab, 0xf7, 0xc1, 0x5d, 0xd2, 0x7c, 0xe4, 0x34, - 0xf7, 0x43, 0xa4, 0x51, 0x96, 0x98, 0x1e, 0xcc, 0x97, 0xe4, 0x25, 0x74, 0x4b, 0xe0, 0xa9, 0xe2, - 0x5c, 0xc2, 0x53, 0x73, 0xcb, 0x53, 0xa8, 0x4b, 0xc0, 0x26, 0xdd, 0xd2, 0xe4, 0xe8, 0xad, 0x17, - 0xa4, 0xb2, 0xdd, 0x87, 0x35, 0xf9, 0x7c, 0x34, 0x0c, 0xcb, 0x1d, 0x05, 0x9a, 0x8f, 0xfe, 0x5e, - 0x81, 0x66, 0xfe, 0xeb, 
0xe7, 0x25, 0xac, 0x09, 0x5c, 0x24, 0xf7, 0x0c, 0x68, 0xc9, 0x31, 0xb5, - 0xb7, 0xbd, 0xc0, 0x54, 0x06, 0x86, 0x50, 0x7b, 0x8d, 0x9c, 0x10, 0x43, 0xa8, 0x01, 0xb2, 0x77, - 0xaf, 0xcc, 0x2b, 0xf4, 0x4f, 0xb3, 0xb2, 0xbe, 0xc6, 0xb7, 0x92, 0x7e, 0x81, 0x5c, 0x3f, 0x81, - 0x86, 0x42, 0x1e, 0x95, 0x94, 0x25, 0xcc, 0x52, 0x1f, 0x7f, 0x19, 0xa3, 0x46, 0xff, 0xa8, 0x01, - 0x9c, 0xcd, 0x52, 0x8e, 0xd3, 0x5f, 0x05, 0x78, 0x4b, 0x9e, 0xc1, 0xc6, 0x01, 0x5e, 0xd2, 0x2c, - 0xe4, 0xf2, 0x05, 0x21, 0x3a, 0xcc, 0xc8, 0x89, 0xbc, 0x04, 0x15, 0x00, 0xf6, 0x14, 0xda, 0x27, - 0xf4, 0xed, 0xbb, 0xf5, 0x3e, 0x83, 0x6e, 0x09, 0x97, 0xb4, 0x8b, 0x8b, 0x48, 0xa7, 0x5d, 0x5c, - 0x46, 0xb0, 0xa7, 0xd0, 0xd4, 0x68, 0x65, 0xda, 0x90, 0xb8, 0x5e, 0x42, 0xb1, 0x1f, 0xc3, 0xc6, - 0x02, 0x56, 0x99, 0xfa, 0xf2, 0xf7, 0xd4, 0x4a, 0x2c, 0x7b, 0x25, 0x5e, 0x00, 0x65, 0xbc, 0x32, - 0x37, 0x3e, 0x54, 0x18, 0xb1, 0x0a, 0xd0, 0x5e, 0x97, 0xdf, 0x0e, 0xf2, 0xe5, 0x64, 0x2f, 0x42, - 0x4a, 0x0e, 0x68, 0xf9, 0x41, 0xab, 0xa0, 0xe9, 0x05, 0x74, 0x4c, 0x54, 0x59, 0x6a, 0xc1, 0x65, - 0xc8, 0xf9, 0x3e, 0xc0, 0x1c, 0x58, 0x4c, 0x7d, 0x59, 0x1e, 0x0b, 0x98, 0x73, 0xd1, 0x90, 0xaf, - 0x8d, 0x1f, 0xfc, 0x3b, 0x00, 0x00, 0xff, 0xff, 0x3f, 0x7b, 0x3e, 0xd0, 0xf0, 0x15, 0x00, 0x00, + proto.RegisterFile("logical/plugin/pb/backend.proto", fileDescriptor_backend_a4dea436a6c1c127) +} + +var fileDescriptor_backend_a4dea436a6c1c127 = []byte{ + // 2134 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x58, 0x5f, 0x6f, 0xdb, 0xc8, + 0x11, 0x87, 0x24, 0x4b, 0xa2, 0x46, 0x92, 0xff, 0x6c, 0x7c, 0x29, 0xa3, 0xcb, 0xd5, 0x2a, 0x0f, + 0xc9, 0xf9, 0x82, 0x46, 0x49, 0xd4, 0x7f, 0xb9, 0x16, 0x77, 0x85, 0xeb, 0xf8, 0x72, 0xee, 0xc5, + 0x77, 0x06, 0xed, 0xf4, 0x5a, 0xb4, 0x80, 0x6e, 0x4d, 0x8e, 0x65, 0xc2, 0x14, 0xc9, 0x2e, 0x97, + 0x49, 0xf4, 0xd4, 0x0f, 0x51, 0xa0, 0x5f, 0xa3, 0xaf, 0x7d, 0xeb, 0x6b, 0x81, 0x3e, 0xf7, 0x13, + 0xf4, 0xbd, 0x9f, 0xa1, 0xd8, 0xd9, 0x25, 0x45, 0x4a, 
0x72, 0x93, 0x02, 0xed, 0x1b, 0xe7, 0x37, + 0xb3, 0x3b, 0xbb, 0xb3, 0x33, 0xbf, 0xd9, 0x25, 0xec, 0x85, 0xf1, 0x34, 0xf0, 0x78, 0xf8, 0x28, + 0x09, 0xb3, 0x69, 0x10, 0x3d, 0x4a, 0x2e, 0x1e, 0x5d, 0x70, 0xef, 0x1a, 0x23, 0x7f, 0x94, 0x88, + 0x58, 0xc6, 0xac, 0x9e, 0x5c, 0x0c, 0xf6, 0xa6, 0x71, 0x3c, 0x0d, 0xf1, 0x11, 0x21, 0x17, 0xd9, + 0xe5, 0x23, 0x19, 0xcc, 0x30, 0x95, 0x7c, 0x96, 0x68, 0x23, 0xa7, 0x0d, 0xcd, 0xa3, 0x59, 0x22, + 0xe7, 0xce, 0x10, 0x5a, 0x5f, 0x20, 0xf7, 0x51, 0xb0, 0xdb, 0xd0, 0xba, 0xa2, 0x2f, 0xbb, 0x36, + 0x6c, 0xec, 0x77, 0x5c, 0x23, 0x39, 0xbf, 0x05, 0x38, 0x55, 0x63, 0x8e, 0x84, 0x88, 0x05, 0xbb, + 0x03, 0x16, 0x0a, 0x31, 0x91, 0xf3, 0x04, 0xed, 0xda, 0xb0, 0xb6, 0xdf, 0x77, 0xdb, 0x28, 0xc4, + 0xf9, 0x3c, 0x41, 0xf6, 0x1d, 0x50, 0x9f, 0x93, 0x59, 0x3a, 0xb5, 0xeb, 0xc3, 0x9a, 0x9a, 0x01, + 0x85, 0x38, 0x49, 0xa7, 0xf9, 0x18, 0x2f, 0xf6, 0xd1, 0x6e, 0x0c, 0x6b, 0xfb, 0x0d, 0x1a, 0x73, + 0x18, 0xfb, 0xe8, 0xfc, 0xa9, 0x06, 0xcd, 0x53, 0x2e, 0xaf, 0x52, 0xc6, 0x60, 0x43, 0xc4, 0xb1, + 0x34, 0xce, 0xe9, 0x9b, 0xed, 0xc3, 0x56, 0x16, 0xf1, 0x4c, 0x5e, 0x61, 0x24, 0x03, 0x8f, 0x4b, + 0xf4, 0xed, 0x3a, 0xa9, 0x97, 0x61, 0xf6, 0x21, 0xf4, 0xc3, 0xd8, 0xe3, 0xe1, 0x24, 0x95, 0xb1, + 0xe0, 0x53, 0xe5, 0x47, 0xd9, 0xf5, 0x08, 0x3c, 0xd3, 0x18, 0x7b, 0x00, 0x3b, 0x29, 0xf2, 0x70, + 0xf2, 0x5a, 0xf0, 0xa4, 0x30, 0xdc, 0xd0, 0x13, 0x2a, 0xc5, 0x37, 0x82, 0x27, 0xc6, 0xd6, 0xf9, + 0x6b, 0x0b, 0xda, 0x2e, 0xfe, 0x3e, 0xc3, 0x54, 0xb2, 0x4d, 0xa8, 0x07, 0x3e, 0xed, 0xb6, 0xe3, + 0xd6, 0x03, 0x9f, 0x8d, 0x80, 0xb9, 0x98, 0x84, 0xca, 0x75, 0x10, 0x47, 0x87, 0x61, 0x96, 0x4a, + 0x14, 0x66, 0xcf, 0x6b, 0x34, 0xec, 0x2e, 0x74, 0xe2, 0x04, 0x05, 0x61, 0x14, 0x80, 0x8e, 0xbb, + 0x00, 0xd4, 0xc6, 0x13, 0x2e, 0xaf, 0xec, 0x0d, 0x52, 0xd0, 0xb7, 0xc2, 0x7c, 0x2e, 0xb9, 0xdd, + 0xd4, 0x98, 0xfa, 0x66, 0x0e, 0xb4, 0x52, 0xf4, 0x04, 0x4a, 0xbb, 0x35, 0xac, 0xed, 0x77, 0xc7, + 0x30, 0x4a, 0x2e, 0x46, 0x67, 0x84, 0xb8, 0x46, 0xc3, 0xee, 0xc2, 0x86, 0x8a, 0x8b, 0xdd, 
0x26, + 0x0b, 0x4b, 0x59, 0x1c, 0x64, 0xf2, 0xca, 0x25, 0x94, 0x8d, 0xa1, 0xad, 0xcf, 0x34, 0xb5, 0xad, + 0x61, 0x63, 0xbf, 0x3b, 0xb6, 0x95, 0x81, 0xd9, 0xe5, 0x48, 0xa7, 0x41, 0x7a, 0x14, 0x49, 0x31, + 0x77, 0x73, 0x43, 0xf6, 0x3d, 0xe8, 0x79, 0x61, 0x80, 0x91, 0x9c, 0xc8, 0xf8, 0x1a, 0x23, 0xbb, + 0x43, 0x2b, 0xea, 0x6a, 0xec, 0x5c, 0x41, 0x6c, 0x0c, 0xef, 0x95, 0x4d, 0x26, 0xdc, 0xf3, 0x30, + 0x4d, 0x63, 0x61, 0x03, 0xd9, 0xde, 0x2a, 0xd9, 0x1e, 0x18, 0x95, 0x9a, 0xd6, 0x0f, 0xd2, 0x24, + 0xe4, 0xf3, 0x49, 0xc4, 0x67, 0x68, 0x77, 0xf5, 0xb4, 0x06, 0xfb, 0x8a, 0xcf, 0x90, 0xed, 0x41, + 0x77, 0x16, 0x67, 0x91, 0x9c, 0x24, 0x71, 0x10, 0x49, 0xbb, 0x47, 0x16, 0x40, 0xd0, 0xa9, 0x42, + 0xd8, 0x07, 0xa0, 0x25, 0x9d, 0x8c, 0x7d, 0x1d, 0x57, 0x42, 0x28, 0x1d, 0xef, 0xc1, 0xa6, 0x56, + 0x17, 0xeb, 0xd9, 0x24, 0x93, 0x3e, 0xa1, 0xc5, 0x4a, 0x1e, 0x43, 0x87, 0xf2, 0x21, 0x88, 0x2e, + 0x63, 0x7b, 0x8b, 0xe2, 0x76, 0xab, 0x14, 0x16, 0x95, 0x13, 0xc7, 0xd1, 0x65, 0xec, 0x5a, 0xaf, + 0xcd, 0x17, 0xfb, 0x14, 0xde, 0xaf, 0xec, 0x57, 0xe0, 0x8c, 0x07, 0x51, 0x10, 0x4d, 0x27, 0x59, + 0x8a, 0xa9, 0xbd, 0x4d, 0x19, 0x6e, 0x97, 0x76, 0xed, 0xe6, 0x06, 0x2f, 0x53, 0x4c, 0xd9, 0xfb, + 0xd0, 0x51, 0x79, 0x2b, 0xe7, 0x93, 0xc0, 0xb7, 0x77, 0x68, 0x49, 0x96, 0x06, 0x8e, 0x7d, 0xf6, + 0x11, 0x6c, 0x25, 0x71, 0x18, 0x78, 0xf3, 0x49, 0xfc, 0x0a, 0x85, 0x08, 0x7c, 0xb4, 0xd9, 0xb0, + 0xb6, 0x6f, 0xb9, 0x9b, 0x1a, 0xfe, 0xda, 0xa0, 0xeb, 0x4a, 0xe3, 0x16, 0x19, 0xae, 0x94, 0xc6, + 0x08, 0xc0, 0x8b, 0xa3, 0x08, 0x3d, 0x4a, 0xbf, 0x5d, 0xda, 0xe1, 0xa6, 0xda, 0xe1, 0x61, 0x81, + 0xba, 0x25, 0x8b, 0xc1, 0xe7, 0xd0, 0x2b, 0xa7, 0x02, 0xdb, 0x86, 0xc6, 0x35, 0xce, 0x4d, 0xfa, + 0xab, 0x4f, 0x36, 0x84, 0xe6, 0x2b, 0x1e, 0x66, 0x48, 0x29, 0x6f, 0x12, 0x51, 0x0f, 0x71, 0xb5, + 0xe2, 0xa7, 0xf5, 0xa7, 0x35, 0x87, 0x43, 0xf3, 0x20, 0x0c, 0x78, 0xba, 0x74, 0x4e, 0xb5, 0xb7, + 0x9f, 0x53, 0x7d, 0xdd, 0x39, 0x31, 0xd8, 0xa0, 0x4c, 0xd1, 0xf5, 0x43, 0xdf, 0xce, 0x1f, 0x37, + 0x60, 0x43, 0xe5, 0x37, 0xfb, 
0x11, 0xf4, 0x43, 0xe4, 0x29, 0x4e, 0xe2, 0x44, 0xed, 0x21, 0x25, + 0x2f, 0xdd, 0xf1, 0xb6, 0x5a, 0xd9, 0x0b, 0xa5, 0xf8, 0x5a, 0xe3, 0x6e, 0x2f, 0x2c, 0x49, 0x8a, + 0x35, 0x82, 0x48, 0xa2, 0x88, 0x78, 0x38, 0xa1, 0x7a, 0xd3, 0x9e, 0x7b, 0x39, 0xf8, 0x4c, 0xd5, + 0xdd, 0x72, 0xaa, 0x36, 0x56, 0x53, 0x75, 0x00, 0x16, 0x1d, 0x4f, 0x80, 0xa9, 0xe1, 0x93, 0x42, + 0x66, 0x63, 0xb0, 0x66, 0x28, 0xb9, 0x29, 0x67, 0x55, 0x75, 0xb7, 0xf3, 0xb2, 0x1c, 0x9d, 0x18, + 0x85, 0xae, 0xb9, 0xc2, 0x6e, 0xa5, 0xe8, 0x5a, 0xab, 0x45, 0x37, 0x00, 0xab, 0x88, 0x57, 0x5b, + 0x27, 0x51, 0x2e, 0x2b, 0x26, 0x4f, 0x50, 0x04, 0xb1, 0x6f, 0x5b, 0x94, 0x8b, 0x46, 0x52, 0x3c, + 0x1c, 0x65, 0x33, 0x9d, 0xa5, 0x1d, 0xcd, 0xc3, 0x51, 0x36, 0x5b, 0x4d, 0x4a, 0x58, 0x4a, 0xca, + 0x3d, 0x68, 0x72, 0x75, 0x92, 0x54, 0xa5, 0xdd, 0x71, 0x87, 0xd6, 0xaf, 0x00, 0x57, 0xe3, 0x6c, + 0x04, 0xfd, 0xa9, 0x88, 0xb3, 0x64, 0x42, 0x22, 0xa6, 0x76, 0x8f, 0x36, 0x5a, 0x32, 0xec, 0x91, + 0xfe, 0x40, 0xab, 0x55, 0x69, 0x5f, 0xc4, 0x59, 0xe4, 0x4f, 0xbc, 0xc0, 0x17, 0xa9, 0xdd, 0xa7, + 0x90, 0x01, 0x41, 0x87, 0x0a, 0x19, 0xfc, 0x0c, 0xfa, 0x95, 0xd8, 0xac, 0x49, 0xc2, 0xdd, 0x72, + 0x12, 0x76, 0xca, 0x89, 0xf7, 0xe7, 0x1a, 0xf4, 0xca, 0x87, 0xae, 0x06, 0x9f, 0x9f, 0xbf, 0xa0, + 0xc1, 0x0d, 0x57, 0x7d, 0x2a, 0x46, 0x16, 0x18, 0xe1, 0x6b, 0x7e, 0x11, 0xea, 0x09, 0x2c, 0x77, + 0x01, 0x28, 0x6d, 0x10, 0x79, 0x02, 0x67, 0x18, 0x49, 0xd3, 0xb0, 0x16, 0x00, 0xfb, 0x04, 0x20, + 0x48, 0xd3, 0x0c, 0x27, 0xaa, 0xa7, 0x12, 0x6b, 0x77, 0xc7, 0x83, 0x91, 0x6e, 0xb8, 0xa3, 0xbc, + 0xe1, 0x8e, 0xce, 0xf3, 0x86, 0xeb, 0x76, 0xc8, 0x5a, 0xc9, 0xea, 0x60, 0x4e, 0xf8, 0x1b, 0xb5, + 0x96, 0xa6, 0x3e, 0x18, 0x2d, 0x39, 0x7f, 0x80, 0x96, 0x26, 0xf2, 0xff, 0x6b, 0x22, 0xdf, 0x01, + 0x4b, 0xcf, 0x1d, 0xf8, 0x26, 0x89, 0xdb, 0x24, 0x1f, 0xfb, 0xce, 0xdf, 0x6b, 0x60, 0xb9, 0x98, + 0x26, 0x71, 0x94, 0x62, 0xa9, 0xd1, 0xd4, 0xde, 0xda, 0x68, 0xea, 0x6b, 0x1b, 0x4d, 0xde, 0xbe, + 0x1a, 0xa5, 0xf6, 0x35, 0x00, 0x4b, 0xa0, 0x1f, 0x08, 0xf4, 0xa4, 
0x69, 0x75, 0x85, 0xac, 0x74, + 0xaf, 0xb9, 0x50, 0x0c, 0x99, 0x52, 0x8d, 0x74, 0xdc, 0x42, 0x66, 0x4f, 0xca, 0xfc, 0xac, 0x3b, + 0xdf, 0xae, 0xe6, 0x67, 0xbd, 0xdc, 0x55, 0x82, 0x76, 0xfe, 0x56, 0x87, 0xed, 0x65, 0xf5, 0x9a, + 0x24, 0xd8, 0x85, 0xa6, 0x2e, 0x2f, 0x93, 0x41, 0x72, 0xa5, 0xb0, 0x1a, 0x4b, 0x85, 0xf5, 0x73, + 0xe8, 0x7b, 0x02, 0xa9, 0x6d, 0xbf, 0xeb, 0xe9, 0xf7, 0xf2, 0x01, 0x94, 0x00, 0x1f, 0xc3, 0xb6, + 0x5a, 0x65, 0x82, 0xfe, 0x82, 0xed, 0x74, 0x8f, 0xdf, 0x32, 0x78, 0xc1, 0x77, 0x0f, 0x60, 0x27, + 0x37, 0x5d, 0x54, 0x66, 0xab, 0x62, 0x7b, 0x94, 0x17, 0xe8, 0x6d, 0x68, 0x5d, 0xc6, 0x62, 0xc6, + 0xa5, 0xa1, 0x02, 0x23, 0xa9, 0xb4, 0x28, 0xd6, 0x4b, 0x77, 0x0c, 0x4b, 0xa7, 0x45, 0x0e, 0xaa, + 0x9b, 0x97, 0x2a, 0xfd, 0xe2, 0x56, 0x44, 0xb4, 0x60, 0xb9, 0x56, 0x7e, 0x1b, 0x72, 0x7e, 0x0d, + 0x5b, 0x4b, 0x8d, 0x70, 0x4d, 0x20, 0x17, 0xee, 0xeb, 0x15, 0xf7, 0x95, 0x99, 0x1b, 0x4b, 0x33, + 0xff, 0x06, 0x76, 0xbe, 0xe0, 0x91, 0x1f, 0xa2, 0x99, 0xff, 0x40, 0x4c, 0xa9, 0x55, 0x98, 0x7b, + 0xd9, 0xc4, 0xdc, 0xb8, 0xfa, 0x6e, 0xc7, 0x20, 0xc7, 0x3e, 0xbb, 0x07, 0x6d, 0xa1, 0xad, 0x4d, + 0xe2, 0x75, 0x4b, 0x9d, 0xda, 0xcd, 0x75, 0xce, 0xb7, 0xc0, 0x2a, 0x53, 0xab, 0x2b, 0xd9, 0x9c, + 0xed, 0xab, 0x04, 0xd4, 0x49, 0x61, 0x12, 0xbb, 0x57, 0xce, 0x23, 0xb7, 0xd0, 0xb2, 0x21, 0x34, + 0x50, 0x08, 0xe3, 0x82, 0x5a, 0xe5, 0xe2, 0x02, 0xec, 0x2a, 0x95, 0xf3, 0x43, 0xd8, 0x39, 0x4b, + 0xd0, 0x0b, 0x78, 0x48, 0x97, 0x57, 0xed, 0x60, 0x0f, 0x9a, 0x2a, 0xc8, 0x79, 0xcd, 0x12, 0xfb, + 0x69, 0xb5, 0xc6, 0x9d, 0x6f, 0xc1, 0xd6, 0xeb, 0x3a, 0x7a, 0x13, 0xa4, 0x12, 0x23, 0x0f, 0x0f, + 0xaf, 0xd0, 0xbb, 0xfe, 0x1f, 0xee, 0xfc, 0x15, 0xdc, 0x59, 0xe7, 0x21, 0x5f, 0x5f, 0xd7, 0x53, + 0xd2, 0xe4, 0x52, 0x11, 0x2d, 0xf9, 0xb0, 0x5c, 0x20, 0xe8, 0x73, 0x85, 0xa8, 0x73, 0x44, 0x35, + 0x2e, 0x35, 0x94, 0x68, 0xa4, 0x3c, 0x1e, 0x8d, 0x9b, 0xe3, 0xf1, 0x97, 0x1a, 0x74, 0xce, 0x50, + 0x66, 0x09, 0xed, 0xe5, 0x7d, 0xe8, 0x5c, 0x88, 0xf8, 0x1a, 0xc5, 0x62, 0x2b, 0x96, 0x06, 0x8e, + 0x7d, 
0xf6, 0x04, 0x5a, 0x87, 0x71, 0x74, 0x19, 0x4c, 0xe9, 0x2a, 0xdf, 0x1d, 0xdf, 0xd1, 0xec, + 0x62, 0xc6, 0x8e, 0xb4, 0x4e, 0x37, 0x44, 0x63, 0xc8, 0x86, 0xd0, 0x35, 0x4f, 0x9c, 0x97, 0x2f, + 0x8f, 0x9f, 0xe5, 0x0d, 0xb8, 0x04, 0x0d, 0x3e, 0x81, 0x6e, 0x69, 0xe0, 0x7f, 0xd5, 0x2d, 0xbe, + 0x0b, 0x40, 0xde, 0x75, 0x8c, 0xb6, 0xf5, 0x56, 0xcd, 0x48, 0xb5, 0xb5, 0x3d, 0xe8, 0xa8, 0x6b, + 0x8a, 0x56, 0x33, 0xd8, 0x28, 0xbd, 0x7c, 0xe8, 0xdb, 0xb9, 0x07, 0x3b, 0xc7, 0xd1, 0x2b, 0x1e, + 0x06, 0x3e, 0x97, 0xf8, 0x25, 0xce, 0x29, 0x04, 0x2b, 0x2b, 0x70, 0xce, 0xa0, 0x67, 0xde, 0x16, + 0xef, 0xb4, 0xc6, 0x9e, 0x59, 0xe3, 0x7f, 0x2e, 0xa2, 0x8f, 0x61, 0xcb, 0x4c, 0xfa, 0x22, 0x30, + 0x25, 0xa4, 0x9a, 0xbf, 0xc0, 0xcb, 0xe0, 0x8d, 0x99, 0xda, 0x48, 0xce, 0x53, 0xd8, 0x2e, 0x99, + 0x16, 0xdb, 0xb9, 0xc6, 0x79, 0x9a, 0xbf, 0xb9, 0xd4, 0x77, 0x1e, 0x81, 0xfa, 0x22, 0x02, 0x0e, + 0x6c, 0x9a, 0x91, 0xcf, 0x51, 0xde, 0xb0, 0xbb, 0x2f, 0x8b, 0x85, 0x3c, 0x47, 0x33, 0xf9, 0x7d, + 0x68, 0xa2, 0xda, 0x69, 0xb9, 0x85, 0x95, 0x23, 0xe0, 0x6a, 0xf5, 0x1a, 0x87, 0x4f, 0x0b, 0x87, + 0xa7, 0x99, 0x76, 0xf8, 0x8e, 0x73, 0x39, 0x1f, 0x16, 0xcb, 0x38, 0xcd, 0xe4, 0x4d, 0x27, 0x7a, + 0x0f, 0x76, 0x8c, 0xd1, 0x33, 0x0c, 0x51, 0xe2, 0x0d, 0x5b, 0xba, 0x0f, 0xac, 0x62, 0x76, 0xd3, + 0x74, 0x77, 0xc1, 0x3a, 0x3f, 0x7f, 0x51, 0x68, 0xab, 0xdc, 0xe8, 0x7c, 0x0a, 0x3b, 0x67, 0x99, + 0x1f, 0x9f, 0x8a, 0xe0, 0x55, 0x10, 0xe2, 0x54, 0x3b, 0xcb, 0x9f, 0x7c, 0xb5, 0xd2, 0x93, 0x6f, + 0x6d, 0x37, 0x72, 0xf6, 0x81, 0x55, 0x86, 0x17, 0xe7, 0x96, 0x66, 0x7e, 0x6c, 0x4a, 0x98, 0xbe, + 0x9d, 0x7d, 0xe8, 0x9d, 0x73, 0xd5, 0xef, 0x7d, 0x6d, 0x63, 0x43, 0x5b, 0x6a, 0xd9, 0x98, 0xe5, + 0xa2, 0x33, 0x86, 0xdd, 0x43, 0xee, 0x5d, 0x05, 0xd1, 0xf4, 0x59, 0x90, 0xaa, 0x0b, 0x8f, 0x19, + 0x31, 0x00, 0xcb, 0x37, 0x80, 0x19, 0x52, 0xc8, 0xce, 0x43, 0x78, 0xaf, 0xf4, 0xb0, 0x3d, 0x93, + 0x3c, 0x8f, 0xc7, 0x2e, 0x34, 0x53, 0x25, 0xd1, 0x88, 0xa6, 0xab, 0x05, 0xe7, 0x2b, 0xd8, 0x2d, + 0x37, 0x60, 0x75, 0xfd, 0xc8, 0x37, 0x4e, 
0x17, 0x83, 0x5a, 0xe9, 0x62, 0x60, 0x62, 0x56, 0x5f, + 0xf4, 0x93, 0x6d, 0x68, 0xfc, 0xf2, 0x9b, 0x73, 0x93, 0xec, 0xea, 0xd3, 0xf9, 0x9d, 0x72, 0x5f, + 0x9d, 0x4f, 0xbb, 0xaf, 0xdc, 0x0e, 0x6a, 0xef, 0x72, 0x3b, 0x58, 0x93, 0x6f, 0x0f, 0x61, 0xe7, + 0x24, 0x8c, 0xbd, 0xeb, 0xa3, 0xa8, 0x14, 0x0d, 0x1b, 0xda, 0x18, 0x95, 0x83, 0x91, 0x8b, 0xce, + 0x47, 0xb0, 0xf5, 0x22, 0xf6, 0x78, 0x78, 0xa2, 0xde, 0x27, 0x45, 0x14, 0xe8, 0x4f, 0x83, 0x31, + 0xd5, 0x82, 0xf3, 0x10, 0x60, 0xf1, 0xc6, 0x52, 0xf4, 0x2b, 0x70, 0x16, 0x4b, 0x9c, 0x70, 0xdf, + 0xcf, 0x33, 0x08, 0x34, 0x74, 0xe0, 0xfb, 0x62, 0xfc, 0xaf, 0x3a, 0xb4, 0x7f, 0xa1, 0x49, 0x8d, + 0x7d, 0x06, 0xfd, 0x4a, 0x0b, 0x63, 0xef, 0xd1, 0x23, 0x6b, 0xb9, 0x61, 0x0e, 0x6e, 0xaf, 0xc0, + 0x7a, 0x41, 0x8f, 0xa1, 0x57, 0x6e, 0x50, 0x8c, 0x9a, 0x11, 0xfd, 0xf1, 0x19, 0xd0, 0x4c, 0xab, + 0xdd, 0xeb, 0x0c, 0x76, 0xd7, 0xb5, 0x0e, 0x76, 0x77, 0xe1, 0x61, 0xb5, 0x6d, 0x0d, 0x3e, 0xb8, + 0x49, 0x9b, 0xb7, 0x9c, 0xf6, 0x61, 0x88, 0x3c, 0xca, 0x92, 0xf2, 0x0a, 0x16, 0x9f, 0xec, 0x09, + 0xf4, 0x2b, 0xe4, 0xa9, 0xf7, 0xb9, 0xc2, 0xa7, 0xe5, 0x21, 0xf7, 0xa1, 0x49, 0x84, 0xcd, 0xfa, + 0x95, 0xce, 0x31, 0xd8, 0x2c, 0x44, 0xed, 0x7b, 0x08, 0x1b, 0xf4, 0xbe, 0x2c, 0x39, 0xa6, 0x11, + 0x05, 0x9b, 0x8f, 0xff, 0x51, 0x83, 0x76, 0xfe, 0x6f, 0xe8, 0x09, 0x6c, 0x28, 0x5e, 0x64, 0xb7, + 0x4a, 0xd4, 0x92, 0x73, 0xea, 0x60, 0x77, 0x09, 0xd4, 0x0e, 0x46, 0xd0, 0x78, 0x8e, 0x92, 0xb1, + 0x92, 0xd2, 0x10, 0xe4, 0xe0, 0x56, 0x15, 0x2b, 0xec, 0x4f, 0xb3, 0xaa, 0xbd, 0xe1, 0xb7, 0x8a, + 0x7d, 0xc1, 0x5c, 0x3f, 0x81, 0x96, 0x66, 0x1e, 0x1d, 0x94, 0x15, 0xce, 0xd2, 0x87, 0xbf, 0xca, + 0x51, 0xe3, 0x7f, 0x36, 0x00, 0xce, 0xe6, 0xa9, 0xc4, 0xd9, 0xaf, 0x02, 0x7c, 0xcd, 0x1e, 0xc0, + 0xd6, 0x33, 0xbc, 0xe4, 0x59, 0x28, 0xe9, 0x05, 0xa1, 0x2a, 0xac, 0x14, 0x13, 0xba, 0x04, 0x15, + 0x04, 0x76, 0x1f, 0xba, 0x27, 0xfc, 0xcd, 0xdb, 0xed, 0x3e, 0x83, 0x7e, 0x85, 0x97, 0xcc, 0x12, + 0x97, 0x99, 0xce, 0x2c, 0x71, 0x95, 0xc1, 0xee, 0x43, 0xdb, 0xb0, 0x55, 0xd9, 
0x07, 0xf1, 0x7a, + 0x85, 0xc5, 0x7e, 0x0c, 0x5b, 0x4b, 0x5c, 0x55, 0xb6, 0xa7, 0xff, 0x57, 0x6b, 0xb9, 0xec, 0xa9, + 0x7a, 0x01, 0x54, 0xf9, 0xaa, 0x3c, 0xf0, 0x8e, 0xe6, 0x88, 0x75, 0x84, 0xf6, 0xbc, 0xfa, 0x76, + 0xa0, 0x97, 0x93, 0xbd, 0x4c, 0x29, 0x39, 0xa1, 0xe5, 0x13, 0xad, 0xa3, 0xa6, 0xc7, 0xd0, 0x2b, + 0xb3, 0xca, 0x4a, 0x09, 0xae, 0x52, 0xce, 0xf7, 0x01, 0x16, 0xc4, 0x52, 0xb6, 0xa7, 0xf4, 0x58, + 0xe2, 0x9c, 0x8b, 0x16, 0xbd, 0x36, 0x7e, 0xf0, 0xef, 0x00, 0x00, 0x00, 0xff, 0xff, 0x7a, 0x48, + 0x91, 0x8a, 0x11, 0x16, 0x00, 0x00, }
diff --git a/logical/plugin/pb/backend.proto b/logical/plugin/pb/backend.proto
index d8f6dec86880..8e6ef614af04 100644
--- a/logical/plugin/pb/backend.proto
+++ b/logical/plugin/pb/backend.proto
@@ -202,6 +202,10 @@ message Auth {
 // mappings groups for the group aliases in identity store. For all the
 // matching groups, the entity ID of the user will be added.
 repeated Alias group_aliases = 12;
+
+ // If set, restricts usage of the certificates to client IPs falling within
+ // the range of the specified CIDR(s).
+ repeated string bound_cidrs = 13;
 }
 message LeaseOptions {
diff --git a/logical/plugin/pb/translation.go b/logical/plugin/pb/translation.go
index 1abf540ed086..32f127488f4c 100644
--- a/logical/plugin/pb/translation.go
+++ b/logical/plugin/pb/translation.go
@@ -6,6 +6,7 @@ import (
 "time"
 "github.com/golang/protobuf/ptypes"
+ "github.com/hashicorp/go-sockaddr"
 "github.com/hashicorp/vault/helper/errutil"
 "github.com/hashicorp/vault/helper/wrapping"
 "github.com/hashicorp/vault/logical"
@@ -507,6 +508,11 @@ func LogicalAuthToProtoAuth(a *logical.Auth) (*Auth, error) {
 return nil, err
 }
+ boundCIDRs := make([]string, len(a.BoundCIDRs))
+ for i, cidr := range a.BoundCIDRs {
+ boundCIDRs[i] = cidr.String()
+ }
+
 return &Auth{
 LeaseOptions: lo,
 InternalData: string(buf[:]),
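Review bot: The comment added above `bound_cidrs` in `message Auth` speaks of "usage of the certificates", but `Auth` is the generic message sent across the plugin boundary rather than something specific to the cert backend, so the wording reads as copied from that backend. I would describe the field in backend-neutral terms and state the wire format, for example `// Optional CIDR blocks in string form; when set, use of this auth is limited to client IPs inside them.` Where the restriction is enforced is not visible in this patch, so the wording about what is restricted should be checked against the code that reads `BoundCIDRs`.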
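Review bot: In the `LogicalAuthToProtoAuth` hunk, `cidr.String()` is called on every element of `a.BoundCIDRs` with no nil check. The reverse function in this patch shows the elements are `*sockaddr.SockAddrMarshaler`, so a nil pointer in the slice, or a marshaler wrapping a nil address, would panic the translation instead of returning an error. A guard at the top of the loop body, `if cidr == nil || cidr.SockAddr == nil { return nil, errors.New("nil entry in bound CIDRs") }`, fails closed; skipping the entry instead would silently drop a restriction. The function starts and ends outside this hunk, so an earlier guard may already exist.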
@@ -520,6 +526,7 @@ func LogicalAuthToProtoAuth(a *logical.Auth) (*Auth, error) {
 EntityID: a.EntityID,
 Alias: LogicalAliasToProtoAlias(a.Alias),
 GroupAliases: groupAliases,
+ BoundCidrs: boundCIDRs,
 }, nil
 }
@@ -544,6 +551,15 @@ func ProtoAuthToLogicalAuth(a *Auth) (*logical.Auth, error) {
 return nil, err
 }
+ var boundCIDRs []*sockaddr.SockAddrMarshaler
+ for _, cidr := range a.BoundCidrs {
+ parsedCIDR, err := sockaddr.NewSockAddr(cidr)
+ if err != nil {
+ return nil, err
+ }
+ boundCIDRs = append(boundCIDRs, &sockaddr.SockAddrMarshaler{parsedCIDR})
+ }
+
 return &logical.Auth{
 LeaseOptions: lo,
 InternalData: data,
@@ -557,5 +573,6 @@ func ProtoAuthToLogicalAuth(a *Auth) (*logical.Auth, error) {
 EntityID: a.EntityID,
 Alias: ProtoAliasToLogicalAlias(a.Alias),
 GroupAliases: groupAliases,
+ BoundCIDRs: boundCIDRs,
 }, nil
 }
From cbb5cad13599f01aa5ec1d443316740b85863798 Mon Sep 17 00:00:00 2001
From: Becca Petrin
Date: Wed, 9 May 2018 13:58:19 -0700
Subject: [PATCH 6/7] return ErrInvalidRequest
---
 builtin/credential/cert/path_certs.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go
index fc51a7d9d1e5..30eaf7ec4575 100644
--- a/builtin/credential/cert/path_certs.go
+++ b/builtin/credential/cert/path_certs.go
@@ -241,7 +241,7 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr
 if b.Logger().IsDebug() {
 b.Logger().Debug(fmt.Sprintf("unable to parse %s as a cidr: %s", v, err))
 }
- return nil, logical.ErrPermissionDenied
+ return nil, logical.ErrInvalidRequest
 }
 parsedCIDRs = append(parsedCIDRs, &sockaddr.SockAddrMarshaler{parsedCIDR})
 }
From 25d5f6b7b3b3917409f99e39a7339a9599b32bd9 Mon Sep 17 00:00:00 2001
From: Becca Petrin
Date: Wed, 9 May 2018 15:35:17 -0700
Subject: [PATCH 7/7] add debug info to ErrInvalidRequest
---
 builtin/credential/cert/path_certs.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
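Review bot: In the `ProtoAuthToLogicalAuth` hunk of translation.go, `sockaddr.NewSockAddr(cidr)` accepts more than IP networks. As far as I know it falls back to a Unix-socket address for strings that contain a `/` but do not parse as IPv4 or IPv6, so a malformed entry such as an out-of-range mask can come back without an error and be stored in `BoundCIDRs`. What such an entry does at login depends on the matching code, which is outside this hunk, but an entry that is not a CIDR should be rejected at the boundary. Parsing with `sockaddr.NewIPAddr(cidr)`, or rejecting results where `parsedCIDR.Type() == sockaddr.TypeUnix`, would do that. The `parsedCIDRs` loop in `pathCertWrite` (path_certs.go, patches 6/7 and 7/7) appears to build its entries the same way, though its parse call is above the visible context.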
diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go
index 30eaf7ec4575..7b6057a11665 100644
--- a/builtin/credential/cert/path_certs.go
+++ b/builtin/credential/cert/path_certs.go
@@ -241,7 +241,7 @@ func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *fr
 if b.Logger().IsDebug() {
 b.Logger().Debug(fmt.Sprintf("unable to parse %s as a cidr: %s", v, err))
 }
- return nil, logical.ErrInvalidRequest
+ return logical.ErrorResponse(fmt.Sprintf("unable to parse %s as a cidr", v)), logical.ErrInvalidRequest
 }
 parsedCIDRs = append(parsedCIDRs, &sockaddr.SockAddrMarshaler{parsedCIDR})
 }
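Review bot: The new `logical.ErrorResponse` message formats `v` with `%s`, and `v` appears to be an entry from the request's `bound_cidrs`. An empty value, or one containing whitespace or control characters, is therefore reproduced raw in the response. `%q` quotes and escapes it: `return logical.ErrorResponse(fmt.Sprintf("unable to parse %q as a cidr", v)), logical.ErrInvalidRequest`. The debug call two lines above uses the same `%s` for `v` and writes it to the log, where escaping matters more for anyone reading or parsing log lines. `pathCertWrite` starts and ends outside this hunk.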