tokenserver

package
v0.0.0-...-a0a3655 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 28, 2019 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package tokenserver contains common protobuf messages for the token server.

Index

Constants

This section is empty.

Variables

View Source
var MachineTokenType_name = map[int32]string{
	0: "UNKNOWN_TYPE",
	2: "LUCI_MACHINE_TOKEN",
}
View Source
var MachineTokenType_value = map[string]int32{
	"UNKNOWN_TYPE":       0,
	"LUCI_MACHINE_TOKEN": 2,
}

Functions

This section is empty.

Types

type MachineTokenBody

type MachineTokenBody struct {
	// Machine identity this token conveys (machine FQDN).
	//
	// It is extracted from a Common Name of a certificate used as a basis for
	// the token.
	MachineFqdn string `protobuf:"bytes,1,opt,name=machine_fqdn,json=machineFqdn,proto3" json:"machine_fqdn,omitempty"`
	// Service account email that signed this token.
	//
	// When verifying the token backends will check that the issuer is in
	// "auth-token-servers" group.
	IssuedBy string `protobuf:"bytes,2,opt,name=issued_by,json=issuedBy,proto3" json:"issued_by,omitempty"`
	// Unix timestamp in seconds when this token was issued. Required.
	IssuedAt uint64 `protobuf:"varint,3,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
	// Number of seconds the token is considered valid.
	//
	// Usually 3600. Set by the token server. Required.
	Lifetime uint64 `protobuf:"varint,4,opt,name=lifetime,proto3" json:"lifetime,omitempty"`
	// Id of a CA that issued machine certificate used to make this token.
	//
	// These IDs are defined in token server config (via unique_id field).
	CaId int64 `protobuf:"varint,5,opt,name=ca_id,json=caId,proto3" json:"ca_id,omitempty"`
	// Serial number of the machine certificate used to make this token.
	//
	// ca_id and cert_sn together uniquely identify the certificate, and can be
	// used to check for certificate revocation (by asking token server whether
	// the given certificate is in CRL). Revocation checks are optional, most
	// callers can rely on expiration checks only.
	CertSn               uint64   `protobuf:"varint,6,opt,name=cert_sn,json=certSn,proto3" json:"cert_sn,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

MachineTokenBody describes internal structure of the machine token.

The token will be put in HTTP headers and its body shouldn't be too large. For that reason we use unix timestamps instead of google.protobuf.Timestamp (no need for microsecond precision), and assume certificate serial numbers are smallish uint64 integers (not random blobs).

func (*MachineTokenBody) Descriptor

func (*MachineTokenBody) Descriptor() ([]byte, []int)

func (*MachineTokenBody) GetCaId

func (m *MachineTokenBody) GetCaId() int64

func (*MachineTokenBody) GetCertSn

func (m *MachineTokenBody) GetCertSn() uint64

func (*MachineTokenBody) GetIssuedAt

func (m *MachineTokenBody) GetIssuedAt() uint64

func (*MachineTokenBody) GetIssuedBy

func (m *MachineTokenBody) GetIssuedBy() string

func (*MachineTokenBody) GetLifetime

func (m *MachineTokenBody) GetLifetime() uint64

func (*MachineTokenBody) GetMachineFqdn

func (m *MachineTokenBody) GetMachineFqdn() string

func (*MachineTokenBody) ProtoMessage

func (*MachineTokenBody) ProtoMessage()

func (*MachineTokenBody) Reset

func (m *MachineTokenBody) Reset()

func (*MachineTokenBody) String

func (m *MachineTokenBody) String() string

func (*MachineTokenBody) XXX_DiscardUnknown

func (m *MachineTokenBody) XXX_DiscardUnknown()

func (*MachineTokenBody) XXX_Marshal

func (m *MachineTokenBody) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*MachineTokenBody) XXX_Merge

func (m *MachineTokenBody) XXX_Merge(src proto.Message)

func (*MachineTokenBody) XXX_Size

func (m *MachineTokenBody) XXX_Size() int

func (*MachineTokenBody) XXX_Unmarshal

func (m *MachineTokenBody) XXX_Unmarshal(b []byte) error

type MachineTokenEnvelope

type MachineTokenEnvelope struct {
	TokenBody            []byte   `protobuf:"bytes,1,opt,name=token_body,json=tokenBody,proto3" json:"token_body,omitempty"`
	KeyId                string   `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
	RsaSha256            []byte   `protobuf:"bytes,3,opt,name=rsa_sha256,json=rsaSha256,proto3" json:"rsa_sha256,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

MachineTokenEnvelope is what is actually being serialized and represented as a machine token (after being encoded using base64 standard raw encoding).

Resulting token (including base64 encoding) is usually ~500 bytes long.

func (*MachineTokenEnvelope) Descriptor

func (*MachineTokenEnvelope) Descriptor() ([]byte, []int)

func (*MachineTokenEnvelope) GetKeyId

func (m *MachineTokenEnvelope) GetKeyId() string

func (*MachineTokenEnvelope) GetRsaSha256

func (m *MachineTokenEnvelope) GetRsaSha256() []byte

func (*MachineTokenEnvelope) GetTokenBody

func (m *MachineTokenEnvelope) GetTokenBody() []byte

func (*MachineTokenEnvelope) ProtoMessage

func (*MachineTokenEnvelope) ProtoMessage()

func (*MachineTokenEnvelope) Reset

func (m *MachineTokenEnvelope) Reset()

func (*MachineTokenEnvelope) String

func (m *MachineTokenEnvelope) String() string

func (*MachineTokenEnvelope) XXX_DiscardUnknown

func (m *MachineTokenEnvelope) XXX_DiscardUnknown()

func (*MachineTokenEnvelope) XXX_Marshal

func (m *MachineTokenEnvelope) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*MachineTokenEnvelope) XXX_Merge

func (m *MachineTokenEnvelope) XXX_Merge(src proto.Message)

func (*MachineTokenEnvelope) XXX_Size

func (m *MachineTokenEnvelope) XXX_Size() int

func (*MachineTokenEnvelope) XXX_Unmarshal

func (m *MachineTokenEnvelope) XXX_Unmarshal(b []byte) error

type MachineTokenType

type MachineTokenType int32

The kinds of machine tokens the token server can mint.

Passed to MintMachineToken and InspectMachineToken.

Reserved: 1.

const (
	MachineTokenType_UNKNOWN_TYPE       MachineTokenType = 0
	MachineTokenType_LUCI_MACHINE_TOKEN MachineTokenType = 2
)

func (MachineTokenType) EnumDescriptor

func (MachineTokenType) EnumDescriptor() ([]byte, []int)

func (MachineTokenType) String

func (x MachineTokenType) String() string

type OAuthTokenGrantBody

type OAuthTokenGrantBody struct {
	// Identifier of this token as generated by the token server.
	//
	// Used for logging and tracking purposes.
	//
	// TODO(vadimsh): It may later be used for revocation purposes.
	TokenId int64 `protobuf:"varint,1,opt,name=token_id,json=tokenId,proto3" json:"token_id,omitempty"`
	// Service account email the end user wants to act as.
	ServiceAccount string `protobuf:"bytes,2,opt,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
	// Who can pass this token to MintOAuthTokenViaGrant to get an OAuth token.
	//
	// A string of the form "user:<email>". On Swarming, this is Swarming's own
	// service account name.
	Proxy string `protobuf:"bytes,3,opt,name=proxy,proto3" json:"proxy,omitempty"`
	// An end user that wants to act as the service account (perhaps indirectly).
	//
	// A string of the form "user:<email>". On Swarming, this is an identity of
	// a user that posted the task.
	//
	// Used by MintOAuthTokenViaGrant to recheck that the access is still allowed.
	EndUser string `protobuf:"bytes,4,opt,name=end_user,json=endUser,proto3" json:"end_user,omitempty"`
	// When the token was generated (and when it becomes valid).
	IssuedAt *timestamp.Timestamp `protobuf:"bytes,5,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
	// How long the token is considered valid (in seconds).
	//
	// It may become invalid sooner if the token server policy changes and the
	// new policy doesn't allow this token.
	ValidityDuration     int64    `protobuf:"varint,6,opt,name=validity_duration,json=validityDuration,proto3" json:"validity_duration,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

OAuthTokenGrantBody contains the internal guts of an oauth token grant.

It gets serialized, signed and stuffed into OAuthTokenGrantEnvelope, which then also gets serialized to get the final blob with the grant. This blob is then base64-encoded and returned to the caller of MintOAuthTokenGrant.

func (*OAuthTokenGrantBody) Descriptor

func (*OAuthTokenGrantBody) Descriptor() ([]byte, []int)

func (*OAuthTokenGrantBody) GetEndUser

func (m *OAuthTokenGrantBody) GetEndUser() string

func (*OAuthTokenGrantBody) GetIssuedAt

func (m *OAuthTokenGrantBody) GetIssuedAt() *timestamp.Timestamp

func (*OAuthTokenGrantBody) GetProxy

func (m *OAuthTokenGrantBody) GetProxy() string

func (*OAuthTokenGrantBody) GetServiceAccount

func (m *OAuthTokenGrantBody) GetServiceAccount() string

func (*OAuthTokenGrantBody) GetTokenId

func (m *OAuthTokenGrantBody) GetTokenId() int64

func (*OAuthTokenGrantBody) GetValidityDuration

func (m *OAuthTokenGrantBody) GetValidityDuration() int64

func (*OAuthTokenGrantBody) ProtoMessage

func (*OAuthTokenGrantBody) ProtoMessage()

func (*OAuthTokenGrantBody) Reset

func (m *OAuthTokenGrantBody) Reset()

func (*OAuthTokenGrantBody) String

func (m *OAuthTokenGrantBody) String() string

func (*OAuthTokenGrantBody) XXX_DiscardUnknown

func (m *OAuthTokenGrantBody) XXX_DiscardUnknown()

func (*OAuthTokenGrantBody) XXX_Marshal

func (m *OAuthTokenGrantBody) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*OAuthTokenGrantBody) XXX_Merge

func (m *OAuthTokenGrantBody) XXX_Merge(src proto.Message)

func (*OAuthTokenGrantBody) XXX_Size

func (m *OAuthTokenGrantBody) XXX_Size() int

func (*OAuthTokenGrantBody) XXX_Unmarshal

func (m *OAuthTokenGrantBody) XXX_Unmarshal(b []byte) error

type OAuthTokenGrantEnvelope

type OAuthTokenGrantEnvelope struct {
	TokenBody            []byte   `protobuf:"bytes,1,opt,name=token_body,json=tokenBody,proto3" json:"token_body,omitempty"`
	KeyId                string   `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
	Pkcs1Sha256Sig       []byte   `protobuf:"bytes,3,opt,name=pkcs1_sha256_sig,json=pkcs1Sha256Sig,proto3" json:"pkcs1_sha256_sig,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

OAuthTokenGrantEnvelope is what is actually being serialized and send to the callers of MintOAuthTokenGrant (after being encoded using base64 standard raw encoding).

func (*OAuthTokenGrantEnvelope) Descriptor

func (*OAuthTokenGrantEnvelope) Descriptor() ([]byte, []int)

func (*OAuthTokenGrantEnvelope) GetKeyId

func (m *OAuthTokenGrantEnvelope) GetKeyId() string

func (*OAuthTokenGrantEnvelope) GetPkcs1Sha256Sig

func (m *OAuthTokenGrantEnvelope) GetPkcs1Sha256Sig() []byte

func (*OAuthTokenGrantEnvelope) GetTokenBody

func (m *OAuthTokenGrantEnvelope) GetTokenBody() []byte

func (*OAuthTokenGrantEnvelope) ProtoMessage

func (*OAuthTokenGrantEnvelope) ProtoMessage()

func (*OAuthTokenGrantEnvelope) Reset

func (m *OAuthTokenGrantEnvelope) Reset()

func (*OAuthTokenGrantEnvelope) String

func (m *OAuthTokenGrantEnvelope) String() string

func (*OAuthTokenGrantEnvelope) XXX_DiscardUnknown

func (m *OAuthTokenGrantEnvelope) XXX_DiscardUnknown()

func (*OAuthTokenGrantEnvelope) XXX_Marshal

func (m *OAuthTokenGrantEnvelope) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*OAuthTokenGrantEnvelope) XXX_Merge

func (m *OAuthTokenGrantEnvelope) XXX_Merge(src proto.Message)

func (*OAuthTokenGrantEnvelope) XXX_Size

func (m *OAuthTokenGrantEnvelope) XXX_Size() int

func (*OAuthTokenGrantEnvelope) XXX_Unmarshal

func (m *OAuthTokenGrantEnvelope) XXX_Unmarshal(b []byte) error

type TokenFile

type TokenFile struct {
	// Google OAuth2 access token of a machine service account.
	AccessToken string `protobuf:"bytes,1,opt,name=access_token,proto3" json:"access_token,omitempty"`
	// OAuth2 access token type, usually "Bearer".
	TokenType string `protobuf:"bytes,2,opt,name=token_type,proto3" json:"token_type,omitempty"`
	// Machine token understood by LUCI backends (alternative to access_token).
	LuciMachineToken string `protobuf:"bytes,3,opt,name=luci_machine_token,proto3" json:"luci_machine_token,omitempty"`
	// Unix timestamp (in seconds) when this token expires.
	//
	// The token file is expected to be updated before the token expires, see
	// 'next_update' for next expected update time.
	Expiry int64 `protobuf:"varint,4,opt,name=expiry,proto3" json:"expiry,omitempty"`
	// Unix timestamp of when this file was updated the last time.
	LastUpdate int64 `protobuf:"varint,5,opt,name=last_update,proto3" json:"last_update,omitempty"`
	// Unix timestamp of when this file is expected to be updated next time.
	NextUpdate int64 `protobuf:"varint,6,opt,name=next_update,proto3" json:"next_update,omitempty"`
	// Email of the associated service account.
	ServiceAccountEmail string `protobuf:"bytes,7,opt,name=service_account_email,proto3" json:"service_account_email,omitempty"`
	// Unique stable ID of the associated service account.
	ServiceAccountUniqueId string `protobuf:"bytes,8,opt,name=service_account_unique_id,proto3" json:"service_account_unique_id,omitempty"`
	// Any information tokend daemon wishes to associate with the token.
	//
	// Consumers of the token file should ignore this field. It is used
	// exclusively by tokend daemon.
	TokendState          []byte   `protobuf:"bytes,50,opt,name=tokend_state,proto3" json:"tokend_state,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

TokenFile is representation of a token file on disk (serialized as JSON).

The token file is consumed by whoever wishes to use machine tokens. It is intentionally made as simple as possible (e.g. uses unix timestamps instead of fancy protobuf ones).

func (*TokenFile) Descriptor

func (*TokenFile) Descriptor() ([]byte, []int)

func (*TokenFile) GetAccessToken

func (m *TokenFile) GetAccessToken() string

func (*TokenFile) GetExpiry

func (m *TokenFile) GetExpiry() int64

func (*TokenFile) GetLastUpdate

func (m *TokenFile) GetLastUpdate() int64

func (*TokenFile) GetLuciMachineToken

func (m *TokenFile) GetLuciMachineToken() string

func (*TokenFile) GetNextUpdate

func (m *TokenFile) GetNextUpdate() int64

func (*TokenFile) GetServiceAccountEmail

func (m *TokenFile) GetServiceAccountEmail() string

func (*TokenFile) GetServiceAccountUniqueId

func (m *TokenFile) GetServiceAccountUniqueId() string

func (*TokenFile) GetTokenType

func (m *TokenFile) GetTokenType() string

func (*TokenFile) GetTokendState

func (m *TokenFile) GetTokendState() []byte

func (*TokenFile) ProtoMessage

func (*TokenFile) ProtoMessage()

func (*TokenFile) Reset

func (m *TokenFile) Reset()

func (*TokenFile) String

func (m *TokenFile) String() string

func (*TokenFile) XXX_DiscardUnknown

func (m *TokenFile) XXX_DiscardUnknown()

func (*TokenFile) XXX_Marshal

func (m *TokenFile) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*TokenFile) XXX_Merge

func (m *TokenFile) XXX_Merge(src proto.Message)

func (*TokenFile) XXX_Size

func (m *TokenFile) XXX_Size() int

func (*TokenFile) XXX_Unmarshal

func (m *TokenFile) XXX_Unmarshal(b []byte) error

Directories

Path Synopsis
admin
v1
Package admin contains The Token Server Administrative and Config API.
Package admin contains The Token Server Administrative and Config API.
Package bq contains BigQuery tables schemas.
Package bq contains BigQuery tables schemas.
minter
v1
Package minter contains the main API of the token server.
Package minter contains the main API of the token server.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL