Documentation
Overview
Package gerritauth implements authentication using Gerrit JWTs.
It can be used to authenticate calls made from a Gerrit frontend plugin.
Constants
This section is empty.
Variables
var ModuleName = module.RegisterName("go.chromium.org/luci/server/gerritauth")
ModuleName can be used to refer to this module when declaring dependencies.
Functions
func NewModule
func NewModule(opts *ModuleOptions) module.Module
NewModule returns a server module that configures the Gerrit auth method.
func NewModuleFromFlags
func NewModuleFromFlags() module.Module
NewModuleFromFlags is a variant of NewModule that initializes options through command line flags.
Calling this function registers flags in flag.CommandLine. They are usually parsed in server.Main(...).
Types
type AssertedChange
type AssertedChange struct {
	Host         string `json:"host"`          // e.g. "chromium"
	Repository   string `json:"repository"`    // e.g. "infra/infra"
	ChangeNumber int64  `json:"change_number"` // e.g. 1254633
}
AssertedChange is part of the Gerrit JWT; it points to a Gerrit CL.
type AssertedInfo
type AssertedInfo struct {
	User   AssertedUser
	Change AssertedChange
}
AssertedInfo is information extracted from the JWT signed by Gerrit.
JWTs are usually obtained by Gerrit frontend plugins when they want to make an external call on behalf of the Gerrit user. Information contained in JWTs identifies the Gerrit end-user (including all their linked Gerrit accounts) and the CL the plugin was operating in.
Use GetAssertedInfo(ctx) to grab AssertedInfo from within a request handler.
func GetAssertedInfo
func GetAssertedInfo(ctx context.Context) *AssertedInfo
GetAssertedInfo returns the Gerrit CL and user info as asserted in the JWT.
It works only from within a request handler and only if the call was authenticated via a Gerrit JWT. In all other cases (anonymous calls, calls authenticated via some other mechanism, etc.) it returns nil.
type AssertedUser
type AssertedUser struct {
	AccountID      int64    `json:"account_id"`      // e.g. 1234, local to the Gerrit host
	Emails         []string `json:"emails"`          // list of all user emails
	PreferredEmail string   `json:"preferred_email"` // the email shown in the Gerrit UI
}
AssertedUser is part of the Gerrit JWT; it points to a Gerrit user.
type AuthMethod
type AuthMethod struct {
	// Header is the name of the request header to check for JWTs.
	Header string
	// SignerAccounts are emails of service accounts that sign Gerrit JWTs.
	SignerAccounts []string
	// Audience is the expected "aud" field of JWTs.
	Audience string
	// contains filtered or unexported fields
}
AuthMethod is an auth.Method implementation that checks Gerrit JWTs.
On success it puts *AssertedInfo into the User.Extra field. Use GetAssertedInfo to access it.
var Method AuthMethod
Method is the auth.Method instance that checks Gerrit JWTs.
It is initialized by the server module by default. Use it in your production code. In tests it is better to construct AuthMethod instances explicitly.
func (*AuthMethod) Authenticate
func (m *AuthMethod) Authenticate(ctx context.Context, r auth.RequestMetadata) (*auth.User, auth.Session, error)
Authenticate extracts user information from the incoming request.
It is part of auth.Method interface.
type ModuleOptions
type ModuleOptions struct {
	// Method is an instance of AuthMethod to configure.
	//
	// If nil, will configure the global Method instance.
	Method *AuthMethod
	// Header is the name of the request header to check for JWTs.
	//
	// Default is "X-Gerrit-Auth".
	Header string
	// SignerAccounts are emails of service accounts that sign Gerrit JWTs.
	//
	// If empty, authentication based on Gerrit JWTs will be disabled.
	SignerAccounts []string
	// Audience is the expected "aud" field of JWTs.
	//
	// Required if SignerAccounts is not empty.
	Audience string
}
ModuleOptions contains the configuration of the gerritauth server module.
func (*ModuleOptions) Register
func (o *ModuleOptions) Register(f *flag.FlagSet)
Register registers the command line flags.