gitalyauth

package

v16.10.6 Latest Latest Go to latest Published: May 21, 2024 License: MIT Imports: 14 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

gitlab.com/gitlab-org/gitaly/v16

Links

Open Source Insights

README ¶

Gitaly authentication middleware for Go

This package contains code that plugs into github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth to provide client and server authentication middleware for Gitaly.

Gitaly has two authentication schemes.

V1 authentication (deprecated)

This scheme uses a shared secret. The shared secret is base64-encoded and passed by the client as a bearer token.

V2 authentication

This scheme uses a time limited token derived from a shared secret.

The client creates a timestamp and computes the SHA256 HMAC signature for that timestamp, treating the timestamp as the message. The shared secret is used as the key for the HMAC. The client then sends both the message and the signature to the server as a bearer token.

The server takes the message and computes the signature. If the client-provided signature matches the computed signature the message is accepted. Next, the server checks if its current time is no more than 30 seconds ahead or behind the timestamp. If the timestamp is too old or too new the request is denied. Otherwise it goes ahead.

Documentation ¶

Index ¶

func CheckToken(ctx context.Context, secret string, targetTime time.Time) error
func RPCCredentialsV2(sharedSecret string) credentials.PerRPCCredentials
func SetTokenValidityDuration(d time.Duration)
func TokenValidityDuration() time.Duration
type AuthInfo
- func ExtractAuthInfo(ctx context.Context) (*AuthInfo, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CheckToken ¶

func CheckToken(ctx context.Context, secret string, targetTime time.Time) error

CheckToken checks the 'authentication' header of incoming gRPC metadata in ctx. It returns nil if and only if the token matches secret.

func RPCCredentialsV2 ¶

func RPCCredentialsV2(sharedSecret string) credentials.PerRPCCredentials

RPCCredentialsV2 can be used with grpc.WithPerRPCCredentials to create a grpc.DialOption that inserts an V2 (HMAC) token with the current timestamp for authentication with a Gitaly server. The shared secret must match the one used on the Gitaly server.

func SetTokenValidityDuration ¶

func SetTokenValidityDuration(d time.Duration)

SetTokenValidityDuration changes the duration for which any token will be valid. It only applies to newly created tokens.

func TokenValidityDuration ¶

func TokenValidityDuration() time.Duration

TokenValidityDuration returns the duration for which any token will be valid. This is currently only used by our testing infrastructure.

Types ¶

type AuthInfo ¶

type AuthInfo struct {
	Version       string
	SignedMessage []byte
	Message       string
}

AuthInfo contains the authentication information coming from a request

func ExtractAuthInfo ¶

func ExtractAuthInfo(ctx context.Context) (*AuthInfo, error)

ExtractAuthInfo returns an `AuthInfo` with the data extracted from `ctx`

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL