delegation

package

v0.0.0-...-51f9457 Latest Latest Go to latest Published: Jul 9, 2021 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/luci/luci-go

Documentation ¶

Overview ¶

Package delegation contains low-level API for working with delegation tokens.

Prefer the high-level API in server/auth package, in particular `MintDelegationToken` and `auth.GetRPCTransport(ctx, auth.AsUser)`.

Index ¶

Constants
Variables
func CheckToken(c context.Context, params CheckTokenParams) (_ identity.Identity, err error)
type CertificatesProvider
type CheckTokenParams
type GroupsChecker

Constants ¶

View Source

const (
	// HTTPHeaderName is name of HTTP header that carries the token.
	HTTPHeaderName = "X-Delegation-Token-V1"
)

Variables ¶

View Source

var (
	// ErrMalformedDelegationToken is returned when delegation token cannot be
	// deserialized.
	ErrMalformedDelegationToken = errors.New("auth: malformed delegation token")

	// ErrUnsignedDelegationToken is returned if token's signature cannot be
	// verified.
	ErrUnsignedDelegationToken = errors.New("auth: unsigned delegation token")

	// ErrForbiddenDelegationToken is returned if token is structurally correct,
	// but some of its constraints prevents it from being used. For example, it is
	// already expired or it was minted for some other services, etc. See logs for
	// details.
	ErrForbiddenDelegationToken = errors.New("auth: forbidden delegation token")
)

Functions ¶

func CheckToken ¶

func CheckToken(c context.Context, params CheckTokenParams) (_ identity.Identity, err error)

CheckToken verifies validity of a delegation token.

If the token is valid, it returns the delegated identity (embedded in the token).

May return transient errors.

Types ¶

type CertificatesProvider ¶

type CertificatesProvider interface {
	// GetCertificates returns a bundle with certificates of a trusted signer.
	//
	// Returns (nil, nil) if the given signer is not trusted.
	//
	// Returns errors (usually transient) if the bundle can't be fetched.
	GetCertificates(c context.Context, id identity.Identity) (*signing.PublicCertificates, error)
}

CertificatesProvider is used by 'CheckToken', it is implemented by authdb.DB.

It returns certificates of services trusted to sign tokens.

type CheckTokenParams ¶

type CheckTokenParams struct {
	Token                string               // the delegation token to check
	PeerID               identity.Identity    // identity of the caller, as extracted from its credentials
	CertificatesProvider CertificatesProvider // returns certificates with trusted keys
	GroupsChecker        GroupsChecker        // knows how to do group lookups
	OwnServiceIdentity   identity.Identity    // identity of the current service
}

CheckTokenParams is passed to CheckToken.

type GroupsChecker ¶

type GroupsChecker interface {
	// IsMember returns true if the given identity belongs to any of the groups.
	//
	// Unknown groups are considered empty. May return errors if underlying
	// datastore has issues.
	IsMember(c context.Context, id identity.Identity, groups []string) (bool, error)
}

GroupsChecker is accepted by 'CheckToken', it is implemented by authdb.DB.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
messages

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL