login

package

v0.0.0-...-26741f4 Latest Latest Go to latest Published: Apr 24, 2024 License: BSD-3-Clause Imports: 21 Imported by: 25

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

skia.googlesource.com/buildbot

Documentation ¶

Overview ¶

Package login handles logging in users.

Index ¶

Constants
Variables
func AuthenticateUser(w http.ResponseWriter, r *http.Request)
func AuthenticatedAs(r *http.Request) (string, error)
func Init(ctx context.Context, redirectURL string, opts ...InitOption) error
func InitVerifyOnly(ctx context.Context, redirectURL string, opts ...InitOption) error
func OAuth2CallbackHandler(w http.ResponseWriter, r *http.Request)
func TryLoadingFromAllSources(ctx context.Context) (string, string, string, error)
func UnauthenticateUser(w http.ResponseWriter, r *http.Request)
type DomainName
- func (d DomainName) Apply() error
type InitOption
type OAuthConfig
type Session
type SkipLoadingSecrets
- func (s SkipLoadingSecrets) Apply() error

Constants ¶

View Source

const (

	// DefaultOAuth2Callback is the default relative OAuth2 redirect URL.
	DefaultOAuth2Callback = "/oauth2callback/"

	// LoginPath is the path to use for login on the root domain.
	LoginPath = "/login/"

	// LogoutPath is the path to use for logout on the root domain.
	LogoutPath = "/logout/"
)

Variables ¶

View Source

var AllDomainNames = []DomainName{SkiaOrg, LuciApp}

AllDomainNames contains all the allowed domain names.

Functions ¶

func AuthenticateUser ¶

func AuthenticateUser(w http.ResponseWriter, r *http.Request)

AuthenticateUser kicks off the authentication flow.

func AuthenticatedAs ¶

func AuthenticatedAs(r *http.Request) (string, error)

AuthenticatedAs returns the user's email address, if they are logged in, and "" if they are not logged in. Note that if a user isn't logged in then the returned error will contain details on how the login failed.

func Init ¶

func Init(ctx context.Context, redirectURL string, opts ...InitOption) error

Init or InitVerifyOnly must be called before any other login methods.

The function first tries to load the cookie salt, client id, and client secret from a file provided by Kubernetes secrets. If that fails, it tries to load them from GCP secret manager, and if that also fails it looks for a "client_secret.json" file in the current directory to extract the client id and client secret from. If all three of those fail then it returns an error.

InitOptions include setting the DomainName to be used for authentication.

func InitVerifyOnly ¶

func InitVerifyOnly(ctx context.Context, redirectURL string, opts ...InitOption) error

InitVerifyOnly or Init must be called before any other login methods.

The function only loads the cookie salt. This use be used by auth-proxy instead of Init, since auth-proxy only needs the salt to decrypt the login Cookie, it doesn't need access to the Client ID or Client Secret since auth-proxy doesn't handle the login itself, it just redirects to an oauth2redirect instance that does the actual login.

func OAuth2CallbackHandler ¶

func OAuth2CallbackHandler(w http.ResponseWriter, r *http.Request)

OAuth2CallbackHandler must be attached at a handler that matches the callback URL registered in the APIs Console. In this case "/oauth2callback".

func TryLoadingFromAllSources ¶

func TryLoadingFromAllSources(ctx context.Context) (string, string, string, error)

TryLoadingFromAllSources tries to load the cookie salt, client id, and client secret from GCP secrets, and a local file. Returns an error if all of the above fail.

Returns salt, clientID, clientSecret.

func UnauthenticateUser ¶

func UnauthenticateUser(w http.ResponseWriter, r *http.Request)

UnauthenticateUser logs the user out by overwriting the cookie with a blank email address.

Note that this doesn't revoke the 'email' grant, so logging in later will still be fast. Users can always visit

https://security.google.com/settings/security/permissions

to revoke any grants they make.

Types ¶

type DomainName ¶

type DomainName string

DomainName represents a domain name that can be used for login.

const (
	// SkiaOrg selects the configuration for the skia.org domain.
	SkiaOrg DomainName = "skia.org"

	// LuciApp selects the configuration for the luci.app domain.
	LuciApp DomainName = "luci.app"
)

func (DomainName) Apply ¶

func (d DomainName) Apply() error

Apply implements InitOption for DomainName selection.

type InitOption ¶

type InitOption interface {
	Apply() error
}

InitOption are options passed to Init. Note that DomainName implements InitOption allowing the selection of the login domain.

type OAuthConfig ¶

type OAuthConfig interface {
	// See oauth2.Config.
	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string

	// See oauth2.Config.
	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
}

OAuthConfig is an interface with the subset of the functionality we use of oauth2.Config, used for tests/mocking.

type Session ¶

type Session struct {
	Email     string
	ID        string
	AuthScope string
	Token     *oauth2.Token
}

Session is encrypted and serialized and stored in a user's cookie.

type SkipLoadingSecrets ¶

type SkipLoadingSecrets struct{}

SkipLoadingSecrets should only be used when calling Init during tests. It skips trying to load secrets.

func (SkipLoadingSecrets) Apply ¶

func (s SkipLoadingSecrets) Apply() error

Apply implements InitOption.

Source Files ¶

View all Source files

login.go

Directories ¶

Path	Synopsis
mocks

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL