vmtoken

package
Published: Jan 9, 2025 License: Apache-2.0 Imports: 14 Imported by: 9

Documentation

Overview

Package vmtoken implements parsing and verification of signed GCE VM metadata tokens.

See https://cloud.google.com/compute/docs/instances/verifying-instance-identity

Intended to be used from a server environment (e.g. from GAE), since it depends on several luci/server packages that require a properly configured context.

Index

Constants

const Header = "X-Luci-Gce-Vm-Token"

Header is the name of the HTTP header where the GCE VM metadata token is expected.

Variables

This section is empty.

Functions

func Clear

func Clear(c context.Context) context.Context

Clear returns a new context without a GCE VM metadata token installed.

func CurrentIdentity

func CurrentIdentity(c context.Context) string

CurrentIdentity returns the identity of the VM stored in the current context.

func Has

func Has(c context.Context) bool

Has returns whether the current context contains a valid GCE VM metadata token.

func Hostname

func Hostname(c context.Context) string

Hostname returns the hostname of the VM stored in the current context.

func Matches

func Matches(c context.Context, host, zone, proj string) bool

Matches returns whether the current context contains a GCE VM metadata token matching the given identity.

func Middleware

func Middleware(c *router.Context, next router.Handler)

Middleware embeds a Payload in the context if the request contains a GCE VM metadata token.

Types

type Payload

type Payload struct {
	Project  string // GCE project name, e.g. "my-bots" or "domain.com:my-bots"
	Zone     string // GCE zone name where the VM is, e.g. "us-central1-b"
	Instance string // VM instance name, e.g. "my-instance-1"
	Audience string // 'aud' field inside the token, usually the server URL
}

Payload is extracted from a verified GCE VM metadata token.

It identifies the VM that produced the token and the token's target audience (the value supplied to the GCE metadata endpoint via the 'audience' request parameter when the token was generated).

func Verify

func Verify(c context.Context, jwt string) (*Payload, error)

Verify parses a GCE VM metadata token, verifies its signature and expiration time, and extracts the relevant parts of it into a Payload struct.

Does NOT verify the audience field. This is the responsibility of the caller.

The token is in JWT form (three dot-separated base64-encoded strings). It is expected to be signed by Google OAuth2 backends using the RS256 algorithm.
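Since Verify deliberately leaves the audience check to the caller, the following is an added example (not part of the vmtoken package) of the two checks a server should apply to a returned Payload: an exact match on the 'aud' claim and an allowlist on the VM identity. It declares a local copy of the Payload struct so it compiles without the luci/server dependencies; the error names, VMKey type and sample values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Payload mirrors the struct documented above (local copy for the example).
type Payload struct {
	Project  string
	Zone     string
	Instance string
	Audience string
}

// Sentinel errors constructed for this example.
var (
	ErrAudience = errors.New("vm token: audience mismatch")
	ErrIdentity = errors.New("vm token: VM not in allowlist")
)

// VMKey identifies a VM by the same three fields Matches(host, zone, proj) uses.
type VMKey struct{ Project, Zone, Instance string }

// Authorize applies the checks Verify leaves to the caller:
//  1. the 'aud' claim must be exactly the audience this server expects (the
//     string the VM passed to the metadata endpoint), otherwise a token minted
//     for some other service would be accepted here;
//  2. the VM identity must be one this endpoint is willing to serve.
// Exact string comparison is deliberate: normalising scheme, host case or a
// trailing slash would widen the set of tokens that pass.
func Authorize(p *Payload, expectedAud string, allowed map[VMKey]bool) error {
	if p == nil {
		return errors.New("vm token: missing payload")
	}
	if p.Audience != expectedAud {
		return fmt.Errorf("%w: got %q, want %q", ErrAudience, p.Audience, expectedAud)
	}
	if !allowed[VMKey{p.Project, p.Zone, p.Instance}] {
		return fmt.Errorf("%w: %s/%s/%s", ErrIdentity, p.Project, p.Zone, p.Instance)
	}
	return nil
}

func main() {
	allowed := map[VMKey]bool{{"my-bots", "us-central1-b", "my-instance-1"}: true}
	p := &Payload{"my-bots", "us-central1-b", "my-instance-1", "https://other.example.com"}
	fmt.Println(Authorize(p, "https://bots.example.com", allowed)) // audience mismatch
}
```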

Directories

Path Synopsis
Package client implements client-side fetch and transmission of signed GCE VM metadata tokens.
