Documentation
Overview
Package tokenserver contains common protobuf messages for the token server.
Index
- Variables
- type MachineTokenBody
- func (*MachineTokenBody) Descriptor() ([]byte, []int) (deprecated)
- func (x *MachineTokenBody) GetCaId() int64
- func (x *MachineTokenBody) GetCertSn() []byte
- func (x *MachineTokenBody) GetIssuedAt() uint64
- func (x *MachineTokenBody) GetIssuedBy() string
- func (x *MachineTokenBody) GetLifetime() uint64
- func (x *MachineTokenBody) GetMachineFqdn() string
- func (*MachineTokenBody) ProtoMessage()
- func (x *MachineTokenBody) ProtoReflect() protoreflect.Message
- func (x *MachineTokenBody) Reset()
- func (x *MachineTokenBody) String() string
- type MachineTokenEnvelope
- func (*MachineTokenEnvelope) Descriptor() ([]byte, []int) (deprecated)
- func (x *MachineTokenEnvelope) GetKeyId() string
- func (x *MachineTokenEnvelope) GetRsaSha256() []byte
- func (x *MachineTokenEnvelope) GetTokenBody() []byte
- func (*MachineTokenEnvelope) ProtoMessage()
- func (x *MachineTokenEnvelope) ProtoReflect() protoreflect.Message
- func (x *MachineTokenEnvelope) Reset()
- func (x *MachineTokenEnvelope) String() string
- type MachineTokenType
- func (MachineTokenType) Descriptor() protoreflect.EnumDescriptor
- func (x MachineTokenType) Enum() *MachineTokenType
- func (MachineTokenType) EnumDescriptor() ([]byte, []int) (deprecated)
- func (x MachineTokenType) Number() protoreflect.EnumNumber
- func (x MachineTokenType) String() string
- func (MachineTokenType) Type() protoreflect.EnumType
- type TokenFile
- func (*TokenFile) Descriptor() ([]byte, []int) (deprecated)
- func (x *TokenFile) GetAccessToken() string
- func (x *TokenFile) GetExpiry() int64
- func (x *TokenFile) GetLastUpdate() int64
- func (x *TokenFile) GetLuciMachineToken() string
- func (x *TokenFile) GetNextUpdate() int64
- func (x *TokenFile) GetServiceAccountEmail() string
- func (x *TokenFile) GetServiceAccountUniqueId() string
- func (x *TokenFile) GetTokenType() string
- func (x *TokenFile) GetTokendState() []byte
- func (*TokenFile) ProtoMessage()
- func (x *TokenFile) ProtoReflect() protoreflect.Message
- func (x *TokenFile) Reset()
- func (x *TokenFile) String() string
Constants
This section is empty.
Variables
```go
var (
	MachineTokenType_name = map[int32]string{
		0: "UNKNOWN_TYPE",
		2: "LUCI_MACHINE_TOKEN",
	}
	MachineTokenType_value = map[string]int32{
		"UNKNOWN_TYPE":       0,
		"LUCI_MACHINE_TOKEN": 2,
	}
)
```
Enum value maps for MachineTokenType.
var File_go_chromium_org_luci_tokenserver_api_machine_token_proto protoreflect.FileDescriptor
var File_go_chromium_org_luci_tokenserver_api_token_file_proto protoreflect.FileDescriptor
Functions
This section is empty.
Types
type MachineTokenBody
```go
type MachineTokenBody struct {
	// Machine identity this token conveys (machine FQDN).
	//
	// It is extracted from a Common Name of a certificate used as a basis for
	// the token.
	MachineFqdn string `protobuf:"bytes,1,opt,name=machine_fqdn,json=machineFqdn,proto3" json:"machine_fqdn,omitempty"`
	// Service account email that signed this token.
	//
	// When verifying the token backends will check that the issuer is in
	// "auth-token-servers" group.
	IssuedBy string `protobuf:"bytes,2,opt,name=issued_by,json=issuedBy,proto3" json:"issued_by,omitempty"`
	// Unix timestamp in seconds when this token was issued. Required.
	IssuedAt uint64 `protobuf:"varint,3,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
	// Number of seconds the token is considered valid.
	//
	// Usually 3600. Set by the token server. Required.
	Lifetime uint64 `protobuf:"varint,4,opt,name=lifetime,proto3" json:"lifetime,omitempty"`
	// Id of a CA that issued machine certificate used to make this token.
	//
	// These IDs are defined in token server config (via unique_id field).
	CaId int64 `protobuf:"varint,5,opt,name=ca_id,json=caId,proto3" json:"ca_id,omitempty"`
	// Serial number of the machine certificate used to make this token.
	//
	// ca_id and cert_sn together uniquely identify the certificate, and can be
	// used to check for certificate revocation (by asking token server whether
	// the given certificate is in CRL). Revocation checks are optional, most
	// callers can rely on expiration checks only.
	CertSn []byte `protobuf:"bytes,7,opt,name=cert_sn,json=certSn,proto3" json:"cert_sn,omitempty"`
	// contains filtered or unexported fields
}
```
MachineTokenBody describes the internal structure of the machine token.
The token will be put in HTTP headers and its body shouldn't be too large. For that reason we use unix timestamps instead of google.protobuf.Timestamp (no need for microsecond precision), and assume certificate serial numbers are smallish uint64 integers (not random blobs).
func (*MachineTokenBody) Descriptor (deprecated)
func (*MachineTokenBody) Descriptor() ([]byte, []int)
Deprecated: Use MachineTokenBody.ProtoReflect.Descriptor instead.
func (*MachineTokenBody) GetCaId
func (x *MachineTokenBody) GetCaId() int64
func (*MachineTokenBody) GetCertSn
func (x *MachineTokenBody) GetCertSn() []byte
func (*MachineTokenBody) GetIssuedAt
func (x *MachineTokenBody) GetIssuedAt() uint64
func (*MachineTokenBody) GetIssuedBy
func (x *MachineTokenBody) GetIssuedBy() string
func (*MachineTokenBody) GetLifetime
func (x *MachineTokenBody) GetLifetime() uint64
func (*MachineTokenBody) GetMachineFqdn
func (x *MachineTokenBody) GetMachineFqdn() string
func (*MachineTokenBody) ProtoMessage
func (*MachineTokenBody) ProtoMessage()
func (*MachineTokenBody) ProtoReflect
func (x *MachineTokenBody) ProtoReflect() protoreflect.Message
func (*MachineTokenBody) Reset
func (x *MachineTokenBody) Reset()
func (*MachineTokenBody) String
func (x *MachineTokenBody) String() string
type MachineTokenEnvelope
```go
type MachineTokenEnvelope struct {
	TokenBody []byte `protobuf:"bytes,1,opt,name=token_body,json=tokenBody,proto3" json:"token_body,omitempty"` // serialized MachineTokenBody
	KeyId     string `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`             // id of a token server private key used for signing
	RsaSha256 []byte `protobuf:"bytes,3,opt,name=rsa_sha256,json=rsaSha256,proto3" json:"rsa_sha256,omitempty"` // signature of 'token_body'
	// contains filtered or unexported fields
}
```
MachineTokenEnvelope is what is actually being serialized and represented as a machine token (after being encoded using base64 standard raw encoding).
Resulting token (including base64 encoding) is usually ~500 bytes long.
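The checks a backend would run on such a token, as an added example that is not LUCI's own verifier: it decodes the raw standard base64, walks the protobuf wire format with the standard library only (so it runs without the generated types), verifies `rsa_sha256` over `token_body`, and only then trusts `issued_at` and `lifetime`. Assumptions: PKCS#1 v1.5 padding for the signature, and a hypothetical `trusted` map (issuer email to key id to public key) standing in for the "auth-token-servers" group check and the issuer's key lookup; `parse` and `VerifyMachineToken` are names made up here.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// parse walks protobuf wire format: varints land in ints, length-delimited values in blobs.
func parse(b []byte) (ints map[uint64]uint64, blobs map[uint64][]byte, ok bool) {
	ints, blobs = map[uint64]uint64{}, map[uint64][]byte{}
	for len(b) > 0 {
		tag, n := binary.Uvarint(b) // tag = field_number<<3 | wire_type
		if n <= 0 {
			return nil, nil, false
		}
		b = b[n:]
		v, m := binary.Uvarint(b) // varint value, or byte length for wire type 2
		switch {
		case m > 0 && tag&7 == 0:
			ints[tag>>3], b = v, b[m:]
		case m > 0 && tag&7 == 2 && v <= uint64(len(b)-m):
			blobs[tag>>3], b = b[m:m+int(v)], b[m+int(v):]
		default: // truncated input, or a wire type these messages never use
			return nil, nil, false
		}
	}
	return ints, blobs, true
}

// VerifyMachineToken returns machine_fqdn once signature and validity window check out.
func VerifyMachineToken(tok string, trusted map[string]map[string]*rsa.PublicKey, now uint64) (string, error) {
	raw, err := base64.RawStdEncoding.DecodeString(tok)
	_, env, ok := parse(raw)         // fields 1: token_body, 2: key_id, 3: rsa_sha256
	ints, body, ok2 := parse(env[1]) // untrusted until the signature verifies
	sum, key := sha256.Sum256(env[1]), trusted[string(body[2])][string(env[2])] // assumed key store
	switch {
	case err != nil || !ok || !ok2:
		return "", fmt.Errorf("malformed token")
	case key == nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], env[3]) != nil: // padding assumed
		return "", fmt.Errorf("untrusted issuer, unknown key_id or bad signature")
	case now < ints[3] || now-ints[3] >= ints[4]: // issued_at, lifetime; overflow-safe
		return "", fmt.Errorf("token not yet valid or expired")
	}
	return string(body[1]), nil
}
func main() { fmt.Println(VerifyMachineToken("", nil, 0)) } // an empty token is rejected
```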
func (*MachineTokenEnvelope) Descriptor (deprecated)
func (*MachineTokenEnvelope) Descriptor() ([]byte, []int)
Deprecated: Use MachineTokenEnvelope.ProtoReflect.Descriptor instead.
func (*MachineTokenEnvelope) GetKeyId
func (x *MachineTokenEnvelope) GetKeyId() string
func (*MachineTokenEnvelope) GetRsaSha256
func (x *MachineTokenEnvelope) GetRsaSha256() []byte
func (*MachineTokenEnvelope) GetTokenBody
func (x *MachineTokenEnvelope) GetTokenBody() []byte
func (*MachineTokenEnvelope) ProtoMessage
func (*MachineTokenEnvelope) ProtoMessage()
func (*MachineTokenEnvelope) ProtoReflect
func (x *MachineTokenEnvelope) ProtoReflect() protoreflect.Message
func (*MachineTokenEnvelope) Reset
func (x *MachineTokenEnvelope) Reset()
func (*MachineTokenEnvelope) String
func (x *MachineTokenEnvelope) String() string
type MachineTokenType
type MachineTokenType int32
The kinds of machine tokens the token server can mint.
Passed to MintMachineToken and InspectMachineToken.
Reserved: 1.
```go
const (
	MachineTokenType_UNKNOWN_TYPE       MachineTokenType = 0 // used if the field is not initialized
	MachineTokenType_LUCI_MACHINE_TOKEN MachineTokenType = 2 // matches serialized MachineTokenEnvelope
)
```
func (MachineTokenType) Descriptor
func (MachineTokenType) Descriptor() protoreflect.EnumDescriptor
func (MachineTokenType) Enum
func (x MachineTokenType) Enum() *MachineTokenType
func (MachineTokenType) EnumDescriptor (deprecated)
func (MachineTokenType) EnumDescriptor() ([]byte, []int)
Deprecated: Use MachineTokenType.Descriptor instead.
func (MachineTokenType) Number
func (x MachineTokenType) Number() protoreflect.EnumNumber
func (MachineTokenType) String
func (x MachineTokenType) String() string
func (MachineTokenType) Type
func (MachineTokenType) Type() protoreflect.EnumType
type TokenFile
```go
type TokenFile struct {
	// Google OAuth2 access token of a machine service account.
	AccessToken string `protobuf:"bytes,1,opt,name=access_token,proto3" json:"access_token,omitempty"`
	// OAuth2 access token type, usually "Bearer".
	TokenType string `protobuf:"bytes,2,opt,name=token_type,proto3" json:"token_type,omitempty"`
	// Machine token understood by LUCI backends (alternative to access_token).
	LuciMachineToken string `protobuf:"bytes,3,opt,name=luci_machine_token,proto3" json:"luci_machine_token,omitempty"`
	// Unix timestamp (in seconds) when this token expires.
	//
	// The token file is expected to be updated before the token expires, see
	// 'next_update' for next expected update time.
	Expiry int64 `protobuf:"varint,4,opt,name=expiry,proto3" json:"expiry,omitempty"`
	// Unix timestamp of when this file was updated the last time.
	LastUpdate int64 `protobuf:"varint,5,opt,name=last_update,proto3" json:"last_update,omitempty"`
	// Unix timestamp of when this file is expected to be updated next time.
	NextUpdate int64 `protobuf:"varint,6,opt,name=next_update,proto3" json:"next_update,omitempty"`
	// Email of the associated service account.
	ServiceAccountEmail string `protobuf:"bytes,7,opt,name=service_account_email,proto3" json:"service_account_email,omitempty"`
	// Unique stable ID of the associated service account.
	ServiceAccountUniqueId string `protobuf:"bytes,8,opt,name=service_account_unique_id,proto3" json:"service_account_unique_id,omitempty"`
	// Any information tokend daemon wishes to associate with the token.
	//
	// Consumers of the token file should ignore this field. It is used
	// exclusively by tokend daemon.
	TokendState []byte `protobuf:"bytes,50,opt,name=tokend_state,proto3" json:"tokend_state,omitempty"`
	// contains filtered or unexported fields
}
```
TokenFile is the representation of a token file on disk (serialized as JSON).
The token file is consumed by whoever wishes to use machine tokens. It is intentionally made as simple as possible (e.g. uses unix timestamps instead of fancy protobuf ones).
func (*TokenFile) Descriptor (deprecated)
func (*TokenFile) GetAccessToken
func (*TokenFile) GetLastUpdate
func (*TokenFile) GetLuciMachineToken
func (*TokenFile) GetNextUpdate
func (*TokenFile) GetServiceAccountEmail
func (*TokenFile) GetServiceAccountUniqueId
func (*TokenFile) GetTokenType
func (*TokenFile) GetTokendState
func (*TokenFile) ProtoMessage
func (*TokenFile) ProtoMessage()
func (*TokenFile) ProtoReflect
func (x *TokenFile) ProtoReflect() protoreflect.Message
Directories
Path | Synopsis |
---|---|
admin/v1 | Package admin contains The Token Server Administrative and Config API. |
| | Package bq contains BigQuery tables schemas. |
minter/v1 | Package minter contains the main API of the token server. |