gitalyauth

package
v16.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 17, 2024 License: MIT Imports: 14 Imported by: 1

README

Gitaly authentication middleware for Go

This package contains code that plugs into github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth to provide client and server authentication middleware for Gitaly.

Gitaly has two authentication schemes.

V1 authentication (deprecated)

This scheme uses a shared secret. The shared secret is base64-encoded and passed by the client as a bearer token.

V2 authentication

This scheme uses a time limited token derived from a shared secret.

The client creates a timestamp and computes the SHA256 HMAC signature for that timestamp, treating the timestamp as the message. The shared secret is used as the key for the HMAC. The client then sends both the message and the signature to the server as a bearer token.

The server takes the message and computes the signature. If the client-provided signature matches the computed signature the message is accepted. Next, the server checks if its current time is no more than 30 seconds ahead or behind the timestamp. If the timestamp is too old or too new the request is denied. Otherwise it goes ahead.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckToken

func CheckToken(ctx context.Context, secret string, targetTime time.Time) error

CheckToken checks the 'authentication' header of incoming gRPC metadata in ctx. It returns nil if and only if the token matches secret.

func RPCCredentialsV2

func RPCCredentialsV2(sharedSecret string) credentials.PerRPCCredentials

RPCCredentialsV2 can be used with grpc.WithPerRPCCredentials to create a grpc.DialOption that inserts an V2 (HMAC) token with the current timestamp for authentication with a Gitaly server. The shared secret must match the one used on the Gitaly server.

func SetTokenValidityDuration

func SetTokenValidityDuration(d time.Duration)

SetTokenValidityDuration changes the duration for which any token will be valid. It only applies to newly created tokens.

func TokenValidityDuration

func TokenValidityDuration() time.Duration

TokenValidityDuration returns the duration for which any token will be valid. This is currently only used by our testing infrastructure.

Types

type AuthInfo

type AuthInfo struct {
	Version       string
	SignedMessage []byte
	Message       string
}

AuthInfo contains the authentication information coming from a request

func ExtractAuthInfo

func ExtractAuthInfo(ctx context.Context) (*AuthInfo, error)

ExtractAuthInfo returns an `AuthInfo` with the data extracted from `ctx`

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL