luci: Index | Files

package delegation

import ""


Package Files

bigquery_log.go config.go config_validation.go rpc_import_delegation_configs.go rpc_inspect_delegation_token.go rpc_mint_delegation_token.go token.go warmup.go


const (
    // Requestor is magical token that may be used in the config and requests as
    // a substitute for caller's ID.
    // See config.proto for more info.
    Requestor = "REQUESTOR"

    // Projects is a magical token that can be used in allowed_to_impersonate to
    // indicate that the caller can impersonate "project:*" identities.
    // TODO(vadimsh): Get rid of it.
    Projects = "PROJECTS"


var GlobalRulesCache = NewRulesCache()

GlobalRulesCache is the process-wide rules cache.

func FlushTokenLog Uses

func FlushTokenLog(c context.Context) error

FlushTokenLog sends all buffered logged tokens to BigQuery.

It is fine to call FlushTokenLog concurrently from multiple request handlers, if necessary (it will effectively parallelize the flush).

func InspectToken Uses

func InspectToken(c context.Context, certs tokensigning.CertificatesSupplier, tok string) (*tokensigning.Inspection, error)

InspectToken returns information about the delegation token.

Inspection.Envelope is either nil or *messages.DelegationToken. Inspection.Body is either nil or *messages.Subtoken.

func LogToken Uses

func LogToken(c context.Context, i *MintedTokenInfo) error

LogToken records information about the token in the BigQuery.

The signed token itself is not logged. Only first 16 bytes of its SHA256 hash (aka 'fingerprint') is. It is used only to identify this particular token in logs.

On dev server, logs to the GAE log only, not to BigQuery (to avoid accidentally pushing fake data to real BigQuery dataset).

func SignToken Uses

func SignToken(c context.Context, signer signing.Signer, subtok *messages.Subtoken) (string, error)

SignToken signs and serializes the delegation subtoken.

It doesn't do any validation. Assumes the prepared subtoken is valid.

Produces base64 URL-safe token or a transient error.

type ImportDelegationConfigsRPC Uses

type ImportDelegationConfigsRPC struct {
    RulesCache *RulesCache // usually GlobalRulesCache, but replaced in tests

ImportDelegationConfigsRPC implements Admin.ImportDelegationConfigs method.

func (*ImportDelegationConfigsRPC) ImportDelegationConfigs Uses

func (r *ImportDelegationConfigsRPC) ImportDelegationConfigs(c context.Context, _ *empty.Empty) (*admin.ImportedConfigs, error)

ImportDelegationConfigs fetches configs from from luci-config right now.

func (*ImportDelegationConfigsRPC) SetupConfigValidation Uses

func (r *ImportDelegationConfigsRPC) SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the config validation rules.

type InspectDelegationTokenRPC Uses

type InspectDelegationTokenRPC struct {
    // Signer is mocked in tests.
    // In prod it is gaesigner.Signer.
    Signer signing.Signer

InspectDelegationTokenRPC implements Admin.InspectDelegationToken RPC method.

It assumes authorization has happened already.

func (*InspectDelegationTokenRPC) InspectDelegationToken Uses

func (r *InspectDelegationTokenRPC) InspectDelegationToken(c context.Context, req *admin.InspectDelegationTokenRequest) (*admin.InspectDelegationTokenResponse, error)

type MintDelegationTokenRPC Uses

type MintDelegationTokenRPC struct {
    // Signer is mocked in tests.
    // In prod it is gaesigner.Signer.
    Signer signing.Signer

    // Rules returns delegation rules to use for the request.
    // In prod it is GlobalRulesCache.Rules.
    Rules func(context.Context) (*Rules, error)

    // LogToken is mocked in tests.
    // In prod it is LogDelegationToken from bigquery_log.go.
    LogToken func(context.Context, *MintedTokenInfo) error
    // contains filtered or unexported fields

MintDelegationTokenRPC implements TokenMinter.MintDelegationToken RPC method.

func (*MintDelegationTokenRPC) MintDelegationToken Uses

func (r *MintDelegationTokenRPC) MintDelegationToken(c context.Context, req *minter.MintDelegationTokenRequest) (*minter.MintDelegationTokenResponse, error)

MintDelegationToken generates a new bearer delegation token.

type MintedTokenInfo Uses

type MintedTokenInfo struct {
    Request   *minter.MintDelegationTokenRequest  // RPC input, as is
    Response  *minter.MintDelegationTokenResponse // RPC output, as is
    ConfigRev string                              // revision of the delegation.cfg used
    Rule      *admin.DelegationRule               // the particular rule used to authorize the request
    PeerIP    net.IP                              // caller IP address
    RequestID string                              // GAE request ID that handled the RPC
    AuthDBRev int64                               // revision of groups database (or 0 if unknown)

MintedTokenInfo is passed to LogToken.

It carries all information about the token minting operation and the produced token.

type Rules Uses

type Rules struct {
    // contains filtered or unexported fields

Rules is queryable representation of delegation.cfg rules.

func (*Rules) ConfigRevision Uses

func (r *Rules) ConfigRevision() string

ConfigRevision is part of policy.Queryable interface.

func (*Rules) FindMatchingRule Uses

func (r *Rules) FindMatchingRule(c context.Context, q *RulesQuery) (*admin.DelegationRule, error)

FindMatchingRule finds one and only one rule matching the query.

If multiple rules match or none rules match, an error is returned.

func (*Rules) IsAuthorizedRequestor Uses

func (r *Rules) IsAuthorizedRequestor(c context.Context, id identity.Identity) (bool, error)

IsAuthorizedRequestor returns true if the caller belongs to 'requestor' set of at least one rule.

type RulesCache Uses

type RulesCache struct {
    // contains filtered or unexported fields

RulesCache is a stateful object with parsed delegation.cfg rules.

It uses policy.Policy internally to manage datastore-cached copy of imported delegation configs.

Use NewRulesCache() to create a new instance. Each instance owns its own in-memory cache, but uses same shared datastore cache.

There's also a process global instance of RulesCache (GlobalRulesCache var) which is used by the main process. Unit tests don't use it though to avoid relying on shared state.

func NewRulesCache Uses

func NewRulesCache() *RulesCache

NewRulesCache properly initializes RulesCache instance.

func (*RulesCache) ImportConfigs Uses

func (rc *RulesCache) ImportConfigs(c context.Context) (rev string, err error)

ImportConfigs refetches delegation.cfg and updates datastore copy of it.

Called from cron.

func (*RulesCache) Rules Uses

func (rc *RulesCache) Rules(c context.Context) (*Rules, error)

Rules returns in-memory copy of delegation rules, ready for querying.

func (*RulesCache) SetupConfigValidation Uses

func (rc *RulesCache) SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the config validation rules.

type RulesQuery Uses

type RulesQuery struct {
    Requestor identity.Identity // who is requesting the token
    Delegator identity.Identity // what identity will be delegated/impersonated
    Audience  *identityset.Set  // the requested audience set (delegatees)
    Services  *identityset.Set  // the requested target services set

RulesQuery contains parameters to match against the delegation rules.

Used by 'FindMatchingRule'.

Package delegation imports 34 packages (graph) and is imported by 6 packages. Updated 2020-09-29. Refresh now. Tools for package owners.