Documentation
Overview
Package machine implements authentication based on LUCI machine tokens.
Constants
const (
	// MachineTokenHeader is the HTTP header that carries the machine token.
	MachineTokenHeader = "X-Luci-Machine-Token"

	// TokenServersGroup is the name of the group of trusted token servers.
	//
	// This group should contain the service account emails of the token servers we trust.
	TokenServersGroup = "auth-token-servers"
)
Variables
Functions
This section is empty.
Types
type MachineTokenAuthMethod
type MachineTokenAuthMethod struct {
// contains filtered or unexported fields
}
MachineTokenAuthMethod implements auth.Method by verifying machine tokens.
It looks at the X-Luci-Machine-Token header and verifies that it contains a valid, non-expired machine token issued by a trusted token server instance.
The list of trusted token servers is given by the members of the 'auth-token-servers' group.
If the token is valid, the request is authenticated as coming from 'bot:<machine_fqdn>', where <machine_fqdn> is extracted from the token. It is the lowercase FQDN of the machine, as specified in the certificate used to mint the token.
func (*MachineTokenAuthMethod) Authenticate
func (m *MachineTokenAuthMethod) Authenticate(c context.Context, r *http.Request) (*auth.User, error)
Authenticate extracts peer's identity from the incoming request.
It writes the detailed reason for a rejection to the log, but returns only a generic "bad credential" error to the caller, so that no unnecessary information leaks back to the client.
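The following is an added, self-contained Go example (not the code of this package) that models the behaviour documented above: the token is read from the X-Luci-Machine-Token header, its issuer must be one of the trusted token servers, its signature and expiry are checked, the machine FQDN is lowercased into a 'bot:<machine_fqdn>' identity, and every failure is logged in detail while the caller only ever sees a generic "bad credential" error. The token format is a constructed one ("issuer|fqdn|expiryUnix|hex HMAC", signed with a per-issuer key) that stands in for the package's real signed token format, which this page does not describe; the `User` type, the `TrustedServers` map standing in for the 'auth-token-servers' group, the `MintToken` and `NewRequest` helpers, and the choice to treat a missing header as "not this method" are all assumptions of the example.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Header and group names as documented by the package.
const (
	MachineTokenHeader = "X-Luci-Machine-Token"
	TokenServersGroup  = "auth-token-servers"
)

// ErrBadCredential is the only error surfaced to callers; details go to the log.
var ErrBadCredential = errors.New("bad credential")

// User is a hypothetical stand-in for auth.User carrying just the identity string.
type User struct{ Identity string }

// MachineTokenAuthMethod is a hypothetical model of the documented method.
// Tokens are constructed toy tokens "issuer|fqdn|expiryUnix|hexmac" signed with a
// per-issuer HMAC key; the real package uses a different, signed token format.
type MachineTokenAuthMethod struct {
	TrustedServers map[string][]byte // issuer email -> key; stands in for the group
	Now            func() time.Time  // injectable clock for expiry checks
}

// Authenticate extracts the peer's identity from the request. Every rejection is
// logged with its real reason but reported to the caller as ErrBadCredential.
func (m *MachineTokenAuthMethod) Authenticate(ctx context.Context, r *http.Request) (*User, error) {
	raw := r.Header.Get(MachineTokenHeader)
	if raw == "" {
		// Assumption: no header means this method does not apply, not a rejection.
		return nil, nil
	}
	parts := strings.Split(raw, "|")
	if len(parts) != 4 {
		log.Printf("machine token: malformed token (%d fields)", len(parts))
		return nil, ErrBadCredential
	}
	issuer, fqdn, expStr, macHex := parts[0], parts[1], parts[2], parts[3]
	key, trusted := m.TrustedServers[issuer]
	if !trusted {
		log.Printf("machine token: issuer %q is not in group %q", issuer, TokenServersGroup)
		return nil, ErrBadCredential
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(issuer + "|" + fqdn + "|" + expStr))
	got, err := hex.DecodeString(macHex)
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) { // constant-time compare
		log.Printf("machine token: bad signature for issuer %q", issuer)
		return nil, ErrBadCredential
	}
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil || !m.Now().Before(time.Unix(exp, 0)) {
		log.Printf("machine token: expired or unparsable expiry %q", expStr)
		return nil, ErrBadCredential
	}
	if fqdn == "" {
		log.Printf("machine token: empty machine FQDN")
		return nil, ErrBadCredential
	}
	// The identity uses the lowercase FQDN, as the package documents.
	return &User{Identity: "bot:" + strings.ToLower(fqdn)}, nil
}

// MintToken plays the role of a token server for the constructed token format.
func MintToken(issuer string, key []byte, fqdn string, exp time.Time) string {
	body := issuer + "|" + fqdn + "|" + strconv.FormatInt(exp.Unix(), 10)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "|" + hex.EncodeToString(mac.Sum(nil))
}

// NewRequest builds a request carrying the token header (empty token: no header).
func NewRequest(token string) *http.Request {
	r, _ := http.NewRequest("GET", "http://example.invalid/", nil)
	if token != "" {
		r.Header.Set(MachineTokenHeader, token)
	}
	return r
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	m := &MachineTokenAuthMethod{
		TrustedServers: map[string][]byte{"tokens@example.com": key},
		Now:            func() time.Time { return now },
	}
	tok := MintToken("tokens@example.com", key, "Bot-1.Example.COM", now.Add(time.Hour))
	u, err := m.Authenticate(context.Background(), NewRequest(tok))
	fmt.Println(u, err) // &{bot:bot-1.example.com} <nil>
}
```

The one design point worth copying from the documented method is the asymmetry between what is logged and what is returned: an untrusted issuer, a bad signature and an expired token are distinguishable in the server log, where an operator needs them for triage, but indistinguishable to the client, which only learns that its credential was rejected.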