serviceaccounts

package
v0.0.0-...-d3da680 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 4, 2024 License: Apache-2.0 Imports: 28 Imported by: 9

Documentation

Overview

Package serviceaccounts implements MintServiceAccountToken RPC.

Index

Constants

This section is empty.

Variables

View Source
var GlobalMappingCache = NewMappingCache()

GlobalMappingCache is the process-wide mapping cache.

Functions

This section is empty.

Types

type ImportProjectOwnedAccountsConfigsRPC

type ImportProjectOwnedAccountsConfigsRPC struct {
	MappingCache *MappingCache // usually GlobalMappingCache, but replaced in tests
}

ImportProjectOwnedAccountsConfigsRPC implements the corresponding method.

func (*ImportProjectOwnedAccountsConfigsRPC) ImportProjectOwnedAccountsConfigs

func (r *ImportProjectOwnedAccountsConfigsRPC) ImportProjectOwnedAccountsConfigs(ctx context.Context, _ *emptypb.Empty) (*admin.ImportedConfigs, error)

ImportProjectOwnedAccountsConfigs fetches configs from luci-config right now.

func (*ImportProjectOwnedAccountsConfigsRPC) SetupConfigValidation

func (r *ImportProjectOwnedAccountsConfigsRPC) SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the config validation rules.

type Mapping

type Mapping struct {
	// contains filtered or unexported fields
}

Mapping is a queryable representation of project_owned_accounts.cfg.

func (*Mapping) CanProjectUseAccount

func (m *Mapping) CanProjectUseAccount(project, account string) bool

CanProjectUseAccount returns true if the given project is allowed to mint tokens of the given service account.

The project name is extracted from a realm name and it can be "@internal" for internal realms.

func (*Mapping) ConfigRevision

func (m *Mapping) ConfigRevision() string

ConfigRevision is part of policy.Queryable interface.

func (*Mapping) UseProjectScopedAccount

func (m *Mapping) UseProjectScopedAccount(project string) bool

UseProjectScopedAccount returns true if the token server should use project-scoped accounts when minting tokens in context of the given LUCI project.

type MappingCache

type MappingCache struct {
	// contains filtered or unexported fields
}

MappingCache is a stateful object with parsed project_owned_accounts.cfg.

It uses policy.Policy internally to manage datastore-cached copy of imported service accounts configs.

Use NewMappingCache() to create a new instance. Each instance owns its own in-memory cache, but uses the same shared datastore cache.

There's also a process global instance of MappingCache (GlobalMappingCache var) which is used by the main process. Unit tests don't use it though to avoid relying on shared state.

func NewMappingCache

func NewMappingCache() *MappingCache

NewMappingCache properly initializes MappingCache instance.

func (*MappingCache) ImportConfigs

func (mc *MappingCache) ImportConfigs(ctx context.Context) (rev string, err error)

ImportConfigs refetches project_owned_accounts.cfg and updates the datastore.

Called from cron.

func (*MappingCache) Mapping

func (mc *MappingCache) Mapping(ctx context.Context) (*Mapping, error)

Mapping returns in-memory copy of the mapping, ready for querying.

func (*MappingCache) SetupConfigValidation

func (mc *MappingCache) SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the config validation rules.

type MintServiceAccountTokenRPC

type MintServiceAccountTokenRPC struct {
	// Signer is used only for its ServiceInfo.
	//
	// In prod it is the default server signer that uses server's service account.
	Signer signing.Signer

	// Mapping returns project<->account mapping to use for the request.
	//
	// In prod it is GlobalMappingCache.Mapping.
	Mapping func(context.Context) (*Mapping, error)

	// ProjectIdentities manages project scoped identities.
	//
	// In prod it is projectidentity.ProjectIdentities.
	ProjectIdentities func(context.Context) projectidentity.Storage

	// MintAccessToken produces an OAuth token for a service account.
	//
	// In prod it is auth.MintAccessTokenForServiceAccount.
	MintAccessToken func(context.Context, auth.MintAccessTokenParams) (*auth.Token, error)

	// MintIDToken produces an ID token for a service account.
	//
	// In prod it is auth.MintIDTokenForServiceAccount.
	MintIDToken func(context.Context, auth.MintIDTokenParams) (*auth.Token, error)

	// LogToken is mocked in tests.
	//
	// In prod it is produced by NewTokenLogger.
	LogToken TokenLogger
}

MintServiceAccountTokenRPC implements the corresponding method.

func (*MintServiceAccountTokenRPC) MintServiceAccountToken

func (r *MintServiceAccountTokenRPC) MintServiceAccountToken(ctx context.Context, req *minter.MintServiceAccountTokenRequest) (*minter.MintServiceAccountTokenResponse, error)

MintServiceAccountToken mints an OAuth2 access token or OpenID ID token that belongs to some service account using LUCI Realms for authorization.

See proto docs for more details.

type MintedTokenInfo

type MintedTokenInfo struct {
	Request         *minter.MintServiceAccountTokenRequest  // RPC input, as is
	Response        *minter.MintServiceAccountTokenResponse // RPC output, as is
	RequestedAt     time.Time
	OAuthScopes     []string          // normalized list of requested OAuth scopes
	RequestIdentity identity.Identity // identity used in authorization
	PeerIdentity    identity.Identity // identity of the direct peer
	ConfigRev       string            // revision of the service config
	PeerIP          net.IP            // caller's IP
	RequestID       string            // GAE request ID that handles the RPC
	AuthDBRev       int64             // revision of the authorization database
}

MintedTokenInfo is passed to LogToken.

It carries all information about the token minting operation and the produced token.

type TokenLogger

type TokenLogger func(context.Context, *MintedTokenInfo) error

TokenLogger records info about the token to BigQuery.

func NewTokenLogger

func NewTokenLogger(dryRun bool) TokenLogger

NewTokenLogger returns a callback that records info about tokens to BigQuery.

Tokens themselves are not logged. Only first 16 bytes of their SHA256 hashes (aka 'fingerprint') are. They are used only to identify tokens in logs.

When dryRun is true, logs to the local text log only, not to BigQuery (to avoid accidentally pushing fake data to real BigQuery dataset).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL