import "github.com/luci/luci-go/server/auth/delegation"
Package delegation contains low-level API for working with delegation tokens.
Prefer the high-level API in server/auth package, in particular `MintDelegationToken` and `auth.GetRPCTransport(ctx, auth.AsUser)`.
const (
// HTTPHeaderName is name of HTTP header that carries the token.
HTTPHeaderName = "X-Delegation-Token-V1"
)var (
// ErrMalformedDelegationToken is returned when delegation token cannot be
// deserialized.
ErrMalformedDelegationToken = errors.New("auth: malformed delegation token")
// ErrUnsignedDelegationToken is returned if token's signature cannot be
// verified.
ErrUnsignedDelegationToken = errors.New("auth: unsigned delegation token")
// ErrForbiddenDelegationToken is returned if token is structurally correct,
// but some of its constraints prevents it from being used. For example, it is
// already expired or it was minted for some other services, etc. See logs for
// details.
ErrForbiddenDelegationToken = errors.New("auth: forbidden delegation token")
)CheckToken verifies validity of a delegation token.
If the token is valid, it returns the delegated identity (embedded in the token).
May return transient errors.
type CertificatesProvider interface {
// GetCertificates returns a bundle with certificates of a trusted signer.
//
// Returns (nil, nil) if the given signer is not trusted.
//
// Returns errors (usually transient) if the bundle can't be fetched.
GetCertificates(c context.Context, id identity.Identity) (*signing.PublicCertificates, error)
}CertificatesProvider is used by 'CheckToken', it is implemented by authdb.DB.
It returns certificates of services trusted to sign tokens.
type CheckTokenParams struct {
Token string // the delegation token to check
PeerID identity.Identity // identity of the caller, as extracted from its credentials
CertificatesProvider CertificatesProvider // returns certificates with trusted keys
GroupsChecker GroupsChecker // knows how to do group lookups
OwnServiceIdentity identity.Identity // identity of the current service
}CheckTokenParams is passed to CheckToken.
type GroupsChecker interface {
// IsMember returns true if the given identity belongs to any of the groups.
//
// Unknown groups are considered empty. May return errors if underlying
// datastore has issues.
IsMember(c context.Context, id identity.Identity, groups []string) (bool, error)
}GroupsChecker is accepted by 'CheckToken', it is implemented by authdb.DB.
| Path | Synopsis |
|---|---|
| messages |
Package delegation imports 13 packages (graph). Updated 2020-08-05. Refresh now. Tools for package owners.