package delegation

import ""

Package delegation contains low-level API for working with delegation tokens.

Prefer the high-level API in server/auth package, in particular `MintDelegationToken` and `auth.GetRPCTransport(ctx, auth.AsUser)`.


Package Files

checker.go doc.go


const (
    // HTTPHeaderName is the name of the HTTP header that carries the token.
    HTTPHeaderName = "X-Delegation-Token-V1"
)


var (
    // ErrMalformedDelegationToken is returned when the delegation token cannot be
    // deserialized.
    ErrMalformedDelegationToken = errors.New("auth: malformed delegation token")

    // ErrUnsignedDelegationToken is returned if the token's signature cannot be
    // verified.
    ErrUnsignedDelegationToken = errors.New("auth: unsigned delegation token")

    // ErrForbiddenDelegationToken is returned if the token is structurally correct,
    // but one of its constraints prevents it from being used. For example, it has
    // already expired or it was minted for some other service. See logs for
    // details.
    ErrForbiddenDelegationToken = errors.New("auth: forbidden delegation token")
)

func CheckToken

func CheckToken(c context.Context, params CheckTokenParams) (_ identity.Identity, err error)

CheckToken verifies the validity of a delegation token.

If the token is valid, it returns the delegated identity (embedded in the token).

It may return transient errors (for example, when the certificate bundle or group data cannot be fetched), which callers should distinguish from the Err* sentinel errors above.

type CertificatesProvider

type CertificatesProvider interface {
    // GetCertificates returns a bundle with certificates of a trusted signer.
    // Returns (nil, nil) if the given signer is not trusted.
    // Returns errors (usually transient) if the bundle can't be fetched.
    GetCertificates(c context.Context, id identity.Identity) (*signing.PublicCertificates, error)
}

CertificatesProvider is used by CheckToken; it is implemented by authdb.DB.

It returns the certificates of services trusted to sign tokens.

type CheckTokenParams

type CheckTokenParams struct {
    Token                string               // the delegation token to check
    PeerID               identity.Identity    // identity of the caller, as extracted from its credentials
    CertificatesProvider CertificatesProvider // returns certificates with trusted keys
    GroupsChecker        GroupsChecker        // knows how to do group lookups
    OwnServiceIdentity   identity.Identity    // identity of the current service
}

CheckTokenParams is passed to CheckToken.

type GroupsChecker

type GroupsChecker interface {
    // IsMember returns true if the given identity belongs to any of the groups.
    // Unknown groups are considered empty. May return errors if the underlying
    // datastore has issues.
    IsMember(c context.Context, id identity.Identity, groups []string) (bool, error)
}

GroupsChecker is accepted by CheckToken; it is implemented by authdb.DB.
