luci: go.chromium.org/luci/tokenserver/client Index | Files

package client

import "go.chromium.org/luci/tokenserver/client"

Package client implements pRPC client for The Token Server.

It is a thin wrapper around regular pRPC client, that knows how to use private keys and certificates to properly prepare requests for the token server.

Index

Package Files

default.go doc.go tokenclient.go x509signer.go

type Client Uses

type Client struct {
    // Client is interface to use for raw RPC calls to the token server.
    //
    // Use minter.NewTokenMinterClient (or NewTokenMinterPRPCClient) to
    // create it. Note that transport-level authentication is not needed.
    Client TokenMinterClient

    // Signer knows how to sign requests using some private key.
    Signer Signer
}

Client can make signed requests to the token server.

func New Uses

func New(params Parameters) (*Client, error)

New returns new Client that uses PEM encoded keys and talks to the server via pRPC.

func (*Client) MintMachineToken Uses

func (c *Client) MintMachineToken(ctx context.Context, req *minter.MachineTokenRequest, opts ...grpc.CallOption) (*minter.MachineTokenResponse, error)

MintMachineToken signs the request using the signer and sends it.

It will update in-place the following fields of the request:

* Certificate will be set to ASN1 cert corresponding to the signer key.
* SignatureAlgorithm will be set to the algorithm used to sign the request.
* IssuedAt will be set to the current time.

The rest of the fields must be already populated by the caller and will be sent to the server as is.

Returns:

* TokenResponse on success.
* Non-transient error on fatal errors.
* Transient error on transient errors.

You can sniff error for RPCError type to grab more error details.

type Parameters Uses

type Parameters struct {
    // PrivateKeyPath is a path to a file with a private key PEM file.
    //
    // Required.
    PrivateKeyPath string

    // CertificatePath is a path to a file with a corresponding certificate.
    //
    // Required. It must match the private key (this will be verified).
    CertificatePath string

    // Backend is a hostname of the token server to talk to.
    //
    // Required.
    Backend string

    // Insecure is true to use 'http' protocol instead of 'https'.
    //
    // Useful on localhost. Default is "secure".
    Insecure bool

    // Client is non-authenticating HTTP client to build pRPC transport on top of.
    //
    // Default is http.DefaultClient.
    Client *http.Client

    // Retry defines how to retry RPC requests on transient errors.
    //
    // Use retry.Default for default strategy. Default is "no retries".
    Retry retry.Factory
}

Parameters is passed to New.

type RPCError Uses

type RPCError struct {
    GrpcCode       codes.Code       // grpc-level status code
    ErrorCode      minter.ErrorCode // protocol-level status code
    ServiceVersion string           // version of the backend, if known
    // contains filtered or unexported fields
}

RPCError is optionally returned for recognized RPC errors.

Use typecast to distinguish recognized and unrecognized errors.

type Signer Uses

type Signer interface {
    // Algo returns an algorithm that the signer implements.
    Algo(ctx context.Context) (x509.SignatureAlgorithm, error)

    // Certificate returns ASN.1 DER blob with the certificate of the signer.
    Certificate(ctx context.Context) ([]byte, error)

    // Sign signs a blob using the private key.
    Sign(ctx context.Context, blob []byte) ([]byte, error)
}

Signer knows how to sign requests using some private key.

type TokenMinterClient Uses

type TokenMinterClient interface {
    // MintMachineToken generates a new token for an authenticated machine.
    MintMachineToken(context.Context, *minter.MintMachineTokenRequest, ...grpc.CallOption) (*minter.MintMachineTokenResponse, error)
}

TokenMinterClient is subset of minter.TokenMinterClient this package uses.

type X509Signer Uses

type X509Signer struct {
    // PrivateKeyPEM is PEM-encoded ASN.1 PKCS#1 private key.
    //
    // See https://openssl.org/docs/manmaster/apps/rsa.html.
    PrivateKeyPEM []byte

    // CertificatePEM is PEM-encoded ASN.1 x509 certificate.
    //
    // It must contain a public key matching the private key specified by
    // PrivateKeyPEM (this will be verified).
    //
    // See https://openssl.org/docs/manmaster/apps/x509.html.
    CertificatePEM []byte
    // contains filtered or unexported fields
}

X509Signer implements Signer interface by using a private key and a certificate specified in ANS.1 x509 PEM encoded structures.

It is fine to initialize this struct directly if you have loaded private key and certificate already. You can optionally use Validate() to make sure they are valid before making other calls (all calls do validation anyhow).

Use LoadX509Signer to load the key and certificate from files on disk.

func LoadX509Signer Uses

func LoadX509Signer(privateKeyPath, certPath string) (*X509Signer, error)

LoadX509Signer parses and validates private key and certificate PEM files.

Returns X509Signer that is ready for work.

func (*X509Signer) Algo Uses

func (s *X509Signer) Algo(ctx context.Context) (x509.SignatureAlgorithm, error)

Algo returns an algorithm that the signer implements.

func (*X509Signer) Certificate Uses

func (s *X509Signer) Certificate(ctx context.Context) ([]byte, error)

Certificate returns ASN.1 DER blob with the certificate of the signer.

func (*X509Signer) Sign Uses

func (s *X509Signer) Sign(ctx context.Context, blob []byte) ([]byte, error)

Sign signs a blob using the private key.

func (*X509Signer) Validate Uses

func (s *X509Signer) Validate() error

Validate parses the private key and certificate file and verifies them.

It checks that the public portion of the key matches what's in the certificate.

Package client imports 20 packages (graph). Updated 2018-10-21. Refresh now. Tools for package owners.