luci: go.chromium.org/luci/tokenserver/appengine/impl/serviceaccounts Index | Files

package serviceaccounts

import "go.chromium.org/luci/tokenserver/appengine/impl/serviceaccounts"

Index

Package Files

config.go config_validation.go grant.go grant_bigquery_log.go oauth_token_bigquery_log.go rpc_import_service_accounts_configs.go rpc_inspect_oauth_token_grant.go rpc_mint_oauth_token_grant.go rpc_mint_oauth_token_via_grant.go

Variables

var GlobalRulesCache = NewRulesCache()

GlobalRulesCache is the process-wide rules cache.

func FlushGrantsLog Uses

func FlushGrantsLog(c context.Context) error

FlushGrantsLog sends all buffered logged grants to BigQuery.

It is fine to call FlushGrantLog concurrently from multiple request handlers, if necessary (it will effectively parallelize the flush).

func FlushOAuthTokensLog Uses

func FlushOAuthTokensLog(c context.Context) error

FlushOAuthTokensLog sends all buffered logged tokens to BigQuery.

It is fine to call FlushOAuthTokensLog concurrently from multiple request handlers, if necessary (it will effectively parallelize the flush).

func InspectGrant Uses

func InspectGrant(c context.Context, certs tokensigning.CertificatesSupplier, tok string) (*tokensigning.Inspection, error)

InspectGrant returns information about the OAuth grant.

Inspection.Envelope is either nil or *tokenserver.OAuthTokenGrantEnvelope. Inspection.Body is either nil or *tokenserver.OAuthTokenGrantBody.

func LogGrant Uses

func LogGrant(c context.Context, i *MintedGrantInfo) error

LogGrant records information about the OAuth token grant in the BigQuery.

The grant itself is not logged. Only first 16 bytes of its SHA256 hash (aka 'fingerprint') is. It is used only to identify this particular token in logs.

On dev server, logs to the GAE log only, not to BigQuery (to avoid accidentally pushing fake data to real BigQuery dataset).

func LogOAuthToken Uses

func LogOAuthToken(c context.Context, i *MintedOAuthTokenInfo) error

LogOAuthToken records information about the OAuth token in the BigQuery.

The token itself is not logged. Only first 16 bytes of its SHA256 hash (aka 'fingerprint') is. It is used only to identify this particular token in logs.

On dev server, logs to the GAE log only, not to BigQuery (to avoid accidentally pushing fake data to real BigQuery dataset).

func SignGrant Uses

func SignGrant(c context.Context, signer signing.Signer, tok *tokenserver.OAuthTokenGrantBody) (string, error)

SignGrant signs and serializes the OAuth grant.

It doesn't do any validation. Assumes the prepared body is valid.

Produces base64 URL-safe token or a transient error.

type ImportServiceAccountsConfigsRPC Uses

type ImportServiceAccountsConfigsRPC struct {
    RulesCache *RulesCache // usually GlobalRulesCache, but replaced in tests
}

ImportServiceAccountsConfigsRPC implements admin.ImportServiceAccountsConfigs method.

func (*ImportServiceAccountsConfigsRPC) ImportServiceAccountsConfigs Uses

func (r *ImportServiceAccountsConfigsRPC) ImportServiceAccountsConfigs(c context.Context, _ *empty.Empty) (*admin.ImportedConfigs, error)

ImportServiceAccountsConfigs fetches configs from from luci-config right now.

func (*ImportServiceAccountsConfigsRPC) SetupConfigValidation Uses

func (r *ImportServiceAccountsConfigsRPC) SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the config validation rules.

type InspectOAuthTokenGrantRPC Uses

type InspectOAuthTokenGrantRPC struct {
    // Signer is mocked in tests.
    //
    // In prod it is gaesigner.Signer.
    Signer signing.Signer

    // Rules returns service account rules to use for the request.
    //
    // In prod it is GlobalRulesCache.Rules.
    Rules func(context.Context) (*Rules, error)
}

InspectOAuthTokenGrantRPC implements admin.InspectOAuthTokenGrant method.

func (*InspectOAuthTokenGrantRPC) InspectOAuthTokenGrant Uses

func (r *InspectOAuthTokenGrantRPC) InspectOAuthTokenGrant(c context.Context, req *admin.InspectOAuthTokenGrantRequest) (*admin.InspectOAuthTokenGrantResponse, error)

InspectOAuthTokenGrant decodes the given OAuth token grant.

type MintOAuthTokenGrantRPC Uses

type MintOAuthTokenGrantRPC struct {
    // Signer is mocked in tests.
    //
    // In prod it is gaesigner.Signer.
    Signer signing.Signer

    // Rules returns service account rules to use for the request.
    //
    // In prod it is GlobalRulesCache.Rules.
    Rules func(context.Context) (*Rules, error)

    // LogGrant is mocked in tests.
    //
    // In prod it is LogGrant from grant_bigquery_log.go.
    LogGrant func(context.Context, *MintedGrantInfo) error
    // contains filtered or unexported fields
}

MintOAuthTokenGrantRPC implements TokenMinter.MintOAuthTokenGrant method.

func (*MintOAuthTokenGrantRPC) MintOAuthTokenGrant Uses

func (r *MintOAuthTokenGrantRPC) MintOAuthTokenGrant(c context.Context, req *minter.MintOAuthTokenGrantRequest) (*minter.MintOAuthTokenGrantResponse, error)

MintOAuthTokenGrant produces new OAuth token grant.

type MintOAuthTokenViaGrantRPC Uses

type MintOAuthTokenViaGrantRPC struct {
    // Signer is mocked in tests.
    //
    // In prod it is gaesigner.Signer.
    Signer signing.Signer

    // Rules returns service account rules to use for the request.
    //
    // In prod it is GlobalRulesCache.Rules.
    Rules func(context.Context) (*Rules, error)

    // MintAccessToken produces an OAuth token for a service account.
    //
    // In prod it is auth.MintAccessTokenForServiceAccount.
    MintAccessToken func(context.Context, auth.MintAccessTokenParams) (*oauth2.Token, error)

    // LogOAuthToken is mocked in tests.
    //
    // In prod it is LogOAuthToken from oauth_token_bigquery_log.go.
    LogOAuthToken func(context.Context, *MintedOAuthTokenInfo) error
}

MintOAuthTokenViaGrantRPC implements TokenMinter.MintOAuthTokenViaGrant method.

func (*MintOAuthTokenViaGrantRPC) MintOAuthTokenViaGrant Uses

func (r *MintOAuthTokenViaGrantRPC) MintOAuthTokenViaGrant(c context.Context, req *minter.MintOAuthTokenViaGrantRequest) (*minter.MintOAuthTokenViaGrantResponse, error)

MintOAuthTokenViaGrant produces new OAuth token given a grant.

type MintedGrantInfo Uses

type MintedGrantInfo struct {
    Request   *minter.MintOAuthTokenGrantRequest  // RPC input, as is
    Response  *minter.MintOAuthTokenGrantResponse // RPC output, as is
    GrantBody *tokenserver.OAuthTokenGrantBody    // deserialized grant
    ConfigRev string                              // revision of the service_accounts.cfg used
    Rule      *admin.ServiceAccountRule           // the particular rule used to authorize the request
    PeerIP    net.IP                              // caller IP address
    RequestID string                              // GAE request ID that handled the RPC
    AuthDBRev int64                               // revision of groups database (or 0 if unknown)
}

MintedGrantInfo is passed to LogGrant.

It carries all information about the grant minting operation and the produced grant token.

type MintedOAuthTokenInfo Uses

type MintedOAuthTokenInfo struct {
    RequestedAt time.Time                              // when the RPC happened
    Request     *minter.MintOAuthTokenViaGrantRequest  // RPC input, as is
    Response    *minter.MintOAuthTokenViaGrantResponse // RPC output, as is
    GrantBody   *tokenserver.OAuthTokenGrantBody       // deserialized grant
    ConfigRev   string                                 // revision of the service_accounts.cfg used
    Rule        *admin.ServiceAccountRule              // the particular rule used to authorize the request
    PeerIP      net.IP                                 // caller IP address
    RequestID   string                                 // GAE request ID that handled the RPC
    AuthDBRev   int64                                  // revision of groups database (or 0 if unknown)
}

MintedOAuthTokenInfo is passed to LogOAuthToken.

It carries all information about the returned token.

type Rule Uses

type Rule struct {
    Rule           *admin.ServiceAccountRule // original proto with the rule
    Revision       string                    // revision of the file with the rule
    AllowedScopes  stringset.Set             // parsed 'allowed_scope'
    EndUsers       *identityset.Set          // parsed 'end_user'
    Proxies        *identityset.Set          // parsed 'proxy'
    TrustedProxies *identityset.Set          // parsed 'trusted_proxy'
    AllProxies     *identityset.Set          // union of 'proxy' and 'trusted_proxy'
}

Rule is queriable in-memory representation of ServiceAccountRule.

It should be treated like read-only object. It is shared by many concurrent requests.

func (*Rule) CheckScopes Uses

func (r *Rule) CheckScopes(scopes []string) error

CheckScopes returns no errors if all passed scopes are allowed.

type Rules Uses

type Rules struct {
    // contains filtered or unexported fields
}

Rules is queryable representation of service_accounts.cfg rules.

func (*Rules) Check Uses

func (r *Rules) Check(c context.Context, query *RulesQuery) (*Rule, error)

Check checks that rules allow the requested usage.

Returns the corresponding rule on success, or gRPC error on failure. The returned rule can be consulted further to check additional restrictions, such as allowed OAuth scopes or validity duration.

Note that ambiguities in rules are forbidden: an account must match at most one rule. If it matches multiple rules, PermissionDenied error will be returned, indicating the account is misconfigured and must not be used until the ambiguity is fixed.

Supposed to be called as part of some RPC handler. It logs errors internally, so no need to log them outside.

func (*Rules) ConfigRevision Uses

func (r *Rules) ConfigRevision() string

ConfigRevision is part of policy.Queryable interface.

func (*Rules) MatchingRules Uses

func (r *Rules) MatchingRules(c context.Context, serviceAccount string) ([]*Rule, error)

MatchingRules returns all rules (zero or more, sorted by name) that apply to the given service account.

Returns an error if the group membership check fails.

Relatively heavy operation, try to reuse the result.

func (*Rules) Rule Uses

func (r *Rules) Rule(c context.Context, serviceAccount string, proxy identity.Identity) (*Rule, error)

Rule returns a rule matching the service account or a grpc error.

It uses the given 'proxy' exclusively to decide whether it is okay to put detailed error message in the response. Unknown proxies get only vague generic reply. It does NOT check whether proxy is allowed to use the rule, this should be done by the caller.

If 'proxy' is an empty string, the error message contains all possible details (this is used only from admin RPCs).

Always logs detailed errors.

type RulesCache Uses

type RulesCache struct {
    // contains filtered or unexported fields
}

RulesCache is a stateful object with parsed service_accounts.cfg rules.

It uses policy.Policy internally to manage datastore-cached copy of imported service accounts configs.

Use NewRulesCache() to create a new instance. Each instance owns its own in-memory cache, but uses same shared datastore cache.

There's also a process global instance of RulesCache (GlobalRulesCache var) which is used by the main process. Unit tests don't use it though to avoid relying on shared state.

func NewRulesCache Uses

func NewRulesCache() *RulesCache

NewRulesCache properly initializes RulesCache instance.

func (*RulesCache) ImportConfigs Uses

func (rc *RulesCache) ImportConfigs(c context.Context) (rev string, err error)

ImportConfigs refetches service_accounts.cfg and updates the datastore copy.

Called from cron.

func (*RulesCache) Rules Uses

func (rc *RulesCache) Rules(c context.Context) (*Rules, error)

Rules returns in-memory copy of service accounts rules, ready for querying.

func (*RulesCache) SetupConfigValidation Uses

func (rc *RulesCache) SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the config validation rules.

type RulesQuery Uses

type RulesQuery struct {
    ServiceAccount string            // email of an account being used
    Rule           *Rule             // the matching rule, if already known
    Proxy          identity.Identity // who's calling the Token Server
    EndUser        identity.Identity // who initiates the usage of an account
}

RulesQuery describes circumstances of using some service account.

Passed to 'Check'.

Package serviceaccounts imports 33 packages (graph) and is imported by 6 packages. Updated 2018-08-19. Refresh now. Tools for package owners.