luci: go.chromium.org/luci/tokenserver/appengine/impl/serviceaccountsv2 Index | Files

package serviceaccountsv2

import "go.chromium.org/luci/tokenserver/appengine/impl/serviceaccountsv2"

Package serviceaccountsv2 implements MintServiceAccountToken RPC.

Index

Package Files

bigquery_log.go config.go config_validation.go doc.go rpc_import_project_owned_accounts_config.go rpc_mint_service_account_token.go

Variables

var GlobalMappingCache = NewMappingCache()

GlobalMappingCache is the process-wide mapping cache.

func FlushTokenLog Uses

func FlushTokenLog(ctx context.Context) error

FlushTokenLog sends all buffered logged tokens to BigQuery.

It is fine to call FlushTokenLog concurrently from multiple request handlers, if necessary (it will effectively parallelize the flush).

func LogToken Uses

func LogToken(ctx context.Context, i *MintedTokenInfo) error

LogToken records information about the token in the BigQuery.

The token itself is not logged. Only first 16 bytes of its SHA256 hash (aka 'fingerprint') is. It is used only to identify this particular token in logs.

On dev server, logs to the GAE log only, not to BigQuery (to avoid accidentally pushing fake data to real BigQuery dataset).

type ImportProjectOwnedAccountsConfigsRPC Uses

type ImportProjectOwnedAccountsConfigsRPC struct {
    MappingCache *MappingCache // usually GlobalMappingCache, but replaced in tests
}

ImportProjectOwnedAccountsConfigsRPC implements the corresponding method.

func (*ImportProjectOwnedAccountsConfigsRPC) ImportProjectOwnedAccountsConfigs Uses

func (r *ImportProjectOwnedAccountsConfigsRPC) ImportProjectOwnedAccountsConfigs(ctx context.Context, _ *empty.Empty) (*admin.ImportedConfigs, error)

ImportProjectOwnedAccountsConfigs fetches configs from luci-config right now.

func (*ImportProjectOwnedAccountsConfigsRPC) SetupConfigValidation Uses

func (r *ImportProjectOwnedAccountsConfigsRPC) SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the config validation rules.

type Mapping Uses

type Mapping struct {
    // contains filtered or unexported fields
}

Mapping is a queryable representation of project_owned_accounts.cfg.

func (*Mapping) CanProjectUseAccount Uses

func (m *Mapping) CanProjectUseAccount(project, account string) bool

CanProjectUseAccount returns true if the given project is allowed to mint tokens of the given service account.

The project name is extracted from a realm name and it can be "@internal" for internal realms.

func (*Mapping) ConfigRevision Uses

func (m *Mapping) ConfigRevision() string

ConfigRevision is part of policy.Queryable interface.

type MappingCache Uses

type MappingCache struct {
    // contains filtered or unexported fields
}

MappingCache is a stateful object with parsed project_owned_accounts.cfg.

It uses policy.Policy internally to manage datastore-cached copy of imported service accounts configs.

Use NewMappingCache() to create a new instance. Each instance owns its own in-memory cache, but uses the same shared datastore cache.

There's also a process global instance of MappingCache (GlobalMappingCache var) which is used by the main process. Unit tests don't use it though to avoid relying on shared state.

func NewMappingCache Uses

func NewMappingCache() *MappingCache

NewMappingCache properly initializes MappingCache instance.

func (*MappingCache) ImportConfigs Uses

func (mc *MappingCache) ImportConfigs(ctx context.Context) (rev string, err error)

ImportConfigs refetches project_owned_accounts.cfg and updates the datastore.

Called from cron.

func (*MappingCache) Mapping Uses

func (mc *MappingCache) Mapping(ctx context.Context) (*Mapping, error)

Mapping returns in-memory copy of the mapping, ready for querying.

func (*MappingCache) SetupConfigValidation Uses

func (mc *MappingCache) SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the config validation rules.

type MintServiceAccountTokenRPC Uses

type MintServiceAccountTokenRPC struct {
    // Signer is used only for its ServiceInfo.
    //
    // In prod it is gaesigner.Signer.
    Signer signing.Signer

    // Mapping returns project<->account mapping to use for the request.
    //
    // In prod it is GlobalMappingCache.Mapping.
    Mapping func(context.Context) (*Mapping, error)

    // MintAccessToken produces an OAuth token for a service account.
    //
    // In prod it is auth.MintAccessTokenForServiceAccount.
    MintAccessToken func(context.Context, auth.MintAccessTokenParams) (*auth.Token, error)

    // MintIDToken produces an ID token for a service account.
    //
    // In prod it is auth.MintIDTokenForServiceAccount.
    MintIDToken func(context.Context, auth.MintIDTokenParams) (*auth.Token, error)

    // LogToken is mocked in tests.
    //
    // In prod it is LogToken from bigquery_log.go.
    LogToken func(context.Context, *MintedTokenInfo) error
}

MintServiceAccountTokenRPC implements the corresponding method.

func (*MintServiceAccountTokenRPC) MintServiceAccountToken Uses

func (r *MintServiceAccountTokenRPC) MintServiceAccountToken(ctx context.Context, req *minter.MintServiceAccountTokenRequest) (*minter.MintServiceAccountTokenResponse, error)

MintServiceAccountToken mints an OAuth2 access token or OpenID ID token that belongs to some service account using LUCI Realms for authorization.

As an input it takes a service account email and a name of a LUCI Realm the caller is operating in. To authorize the call the token server checks the following conditions:

1. The caller has luci.serviceAccounts.mintToken permission in the
   realm, allowing them to "impersonate" all service accounts belonging
   to this realm.
2. The service account has luci.serviceAccounts.existInRealm permission
   in the realm. This makes the account "belong" to the realm.
3. Realm's LUCI project has the service account associated with it in
   the project_owned_accounts.cfg global config file. This makes sure
   different LUCI projects can't just arbitrary use each others accounts
   by adding them to their respective realms.cfg. See also comments for
   ServiceAccountsProjectMapping in api/admin/v1/config.proto.

type MintedTokenInfo Uses

type MintedTokenInfo struct {
    Request         *minter.MintServiceAccountTokenRequest  // RPC input, as is
    Response        *minter.MintServiceAccountTokenResponse // RPC output, as is
    RequestedAt     time.Time
    OAuthScopes     []string          // normalized list of requested OAuth scopes
    RequestIdentity identity.Identity // identity used in authorization
    PeerIdentity    identity.Identity // identity of the direct peer
    ConfigRev       string            // revision of the service config
    PeerIP          net.IP            // caller's IP
    RequestID       string            // GAE request ID that handles the RPC
    AuthDBRev       int64             // revision of the authorization database
}

MintedTokenInfo is passed to LogToken.

It carries all information about the token minting operation and the produced token.

Package serviceaccountsv2 imports 29 packages (graph) and is imported by 4 packages. Updated 2020-07-15. Refresh now. Tools for package owners.