delegation

package

v0.0.0-...-a0a3655 Latest Latest Go to latest Published: Jun 28, 2019 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/asdfghjjklllllaaa/luci-go

Links

Open Source Insights

Documentation ¶

Overview ¶

Package delegation contains low-level API for working with delegation tokens.

Prefer the high-level API in server/auth package, in particular `MintDelegationToken` and `auth.GetRPCTransport(ctx, auth.AsUser)`.

Index ¶

Constants
Variables
func CheckToken(c context.Context, params CheckTokenParams) (identity.Identity, error)
type CertificatesProvider
type CheckTokenParams
type GroupsChecker
type Token

Constants ¶

View Source

const (
	// HTTPHeaderName is name of HTTP header that carries the token.
	HTTPHeaderName = "X-Delegation-Token-V1"
)

Variables ¶

View Source

var (
	// ErrMalformedDelegationToken is returned when delegation token cannot be
	// deserialized.
	ErrMalformedDelegationToken = errors.New("auth: malformed delegation token")

	// ErrUnsignedDelegationToken is returned if token's signature cannot be
	// verified.
	ErrUnsignedDelegationToken = errors.New("auth: unsigned delegation token")

	// ErrForbiddenDelegationToken is returned if token is structurally correct,
	// but some of its constraints prevents it from being used. For example, it is
	// already expired or it was minted for some other services, etc. See logs for
	// details.
	ErrForbiddenDelegationToken = errors.New("auth: forbidden delegation token")
)

Functions ¶

func CheckToken ¶

func CheckToken(c context.Context, params CheckTokenParams) (identity.Identity, error)

CheckToken verifies validity of a delegation token.

If the token is valid, it returns the delegated identity (embedded in the token).

May return transient errors.

Types ¶

type CertificatesProvider ¶

type CertificatesProvider interface {
	// GetCertificates returns a bundle with certificates of a trusted signer.
	//
	// Returns (nil, nil) if the given signer is not trusted.
	//
	// Returns errors (usually transient) if the bundle can't be fetched.
	GetCertificates(c context.Context, id identity.Identity) (*signing.PublicCertificates, error)
}

CertificatesProvider is used by 'CheckToken', it is implemented by authdb.DB.

It returns certificates of services trusted to sign tokens.

type CheckTokenParams ¶

type CheckTokenParams struct {
	Token                string               // the delegation token to check
	PeerID               identity.Identity    // identity of the caller, as extracted from its credentials
	CertificatesProvider CertificatesProvider // returns certificates with trusted keys
	GroupsChecker        GroupsChecker        // knows how to do group lookups
	OwnServiceIdentity   identity.Identity    // identity of the current service
}

CheckTokenParams is passed to CheckToken.

type GroupsChecker ¶

type GroupsChecker interface {
	// IsMember returns true if the given identity belongs to any of the groups.
	//
	// Unknown groups are considered empty. May return errors if underlying
	// datastore has issues.
	IsMember(c context.Context, id identity.Identity, groups []string) (bool, error)
}

GroupsChecker is accepted by 'CheckToken', it is implemented by authdb.DB.

type Token ¶

type Token struct {
	// base64-encoded URL-safe blob with the token
	Token string `json:"token,omitempty"`
	// UTC time when it expires
	Expiry jsontime.Time `json:"expiry,omitempty"`
}

Token represents serialized and signed delegation token.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
messages

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL