gerritauth

package
v0.0.0-...-51d3280
Warning

This package is not in the latest version of its module.

Published: Jan 10, 2025 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package gerritauth implements authentication using Gerrit JWTs.

It can be used to authenticate calls made from a Gerrit frontend plugin.


Variables

var ModuleName = module.RegisterName("go.chromium.org/luci/server/gerritauth")

ModuleName can be used to refer to this module when declaring dependencies.

Functions

func NewModule

func NewModule(opts *ModuleOptions) module.Module

NewModule returns a server module that configures the Gerrit auth method.

func NewModuleFromFlags

func NewModuleFromFlags() module.Module

NewModuleFromFlags is a variant of NewModule that initializes options through command line flags.

Calling this function registers flags in flag.CommandLine. They are usually parsed in server.Main(...).

Types

type AssertedChange

type AssertedChange struct {
	Host         string `json:"host"`          // e.g. "chromium"
	Repository   string `json:"repository"`    // e.g. "infra/infra"
	ChangeNumber int64  `json:"change_number"` // e.g. 1254633
}

AssertedChange is part of the Gerrit JWT; it points to a Gerrit CL.

type AssertedInfo

type AssertedInfo struct {
	User   AssertedUser
	Change AssertedChange
}

AssertedInfo is information extracted from the JWT signed by Gerrit.

JWTs are usually obtained by Gerrit frontend plugins when they want to make an external call on behalf of the Gerrit user. Information contained in JWTs identifies the Gerrit end-user (including all their linked Gerrit accounts) and the CL the plugin was operating in.

Use GetAssertedInfo(ctx) to grab AssertedInfo from within a request handler.

func GetAssertedInfo

func GetAssertedInfo(ctx context.Context) *AssertedInfo

GetAssertedInfo returns Gerrit CL and user info as asserted in the JWT.

Works only from within a request handler and only if the call was authenticated via a Gerrit JWT. In all other cases (anonymous calls, calls authenticated via some other mechanism, etc.) returns nil.
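
An added example, not code from the gerritauth package: one way a handler could turn the value returned by GetAssertedInfo into an authorization decision, including the nil case. The struct types are local mirrors of the ones on this page so the block builds with the standard library only; Repo, Policy, Authorize and ErrNoGerritJWT are hypothetical names, and accepting any of the user's linked emails in an allowed domain is an assumed policy.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Local mirrors of the page's types, so the example builds without LUCI.
type AssertedUser struct {
	AccountID      int64
	Emails         []string
	PreferredEmail string
}
type AssertedChange struct {
	Host, Repository string
	ChangeNumber     int64
}
type AssertedInfo struct {
	User   AssertedUser
	Change AssertedChange
}

// Repo and Policy are hypothetical, not part of gerritauth.
// A struct key avoids the "a/b"+"c" vs "a"+"b/c" ambiguity of joined strings.
type Repo struct{ Host, Repository string }
type Policy struct {
	Repos  map[Repo]bool
	Domain string // lowercase, e.g. "example.com"
}

var ErrNoGerritJWT = errors.New("call not authenticated via a Gerrit JWT")

// Authorize decides whether a call may act on the CL asserted in the JWT.
func Authorize(info *AssertedInfo, p Policy) error {
	if info == nil { // GetAssertedInfo returns nil for anonymous or other auth
		return ErrNoGerritJWT
	}
	if !p.Repos[Repo{info.Change.Host, info.Change.Repository}] {
		return fmt.Errorf("repository %q on host %q is not allowed",
			info.Change.Repository, info.Change.Host)
	}
	for _, e := range info.User.Emails {
		// Match the full "@domain" suffix so "x@evil-example.com" fails.
		if strings.HasSuffix(strings.ToLower(e), "@"+p.Domain) {
			return nil
		}
	}
	return fmt.Errorf("account %d has no email in %q", info.User.AccountID, p.Domain)
}
```

In a real handler the argument would be the result of gerritauth.GetAssertedInfo(ctx), and a non-nil error would map to a permission-denied response.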

type AssertedUser

type AssertedUser struct {
	AccountID      int64    `json:"account_id"`      // e.g. 1234, local to the Gerrit host
	Emails         []string `json:"emails"`          // list of all user emails
	PreferredEmail string   `json:"preferred_email"` // the email shown in the Gerrit UI
}

AssertedUser is part of the Gerrit JWT; it points to a Gerrit user.

type AuthMethod

type AuthMethod struct {
	// Header is a name of the request header to check for JWTs.
	Header string
	// SignerAccounts are emails of service accounts that sign Gerrit JWTs.
	SignerAccounts []string
	// Audience is an expected "aud" field of JWTs.
	Audience string
	// contains filtered or unexported fields
}

AuthMethod is an auth.Method implementation that checks Gerrit JWTs.

On success, it puts *AssertedInfo into the User.Extra field. Use GetAssertedInfo to access it.

var Method AuthMethod

Method is the auth.Method instance that checks Gerrit JWTs.

It is initialized by the server module by default. Use it in your production code. In tests it is better to construct AuthMethod instances explicitly.

func (*AuthMethod) Authenticate

func (m *AuthMethod) Authenticate(ctx context.Context, r auth.RequestMetadata) (*auth.User, auth.Session, error)

Authenticate extracts user information from the incoming request.

It is part of the auth.Method interface.

func (*AuthMethod) Warmup

func (m *AuthMethod) Warmup(ctx context.Context) error

Warmup may be called to precache the data needed by the method.

It is part of the auth.Warmable interface.

type ModuleOptions

type ModuleOptions struct {
	// Method is an instance of AuthMethod to configure.
	//
	// If nil, will configure the global Method instance.
	Method *AuthMethod

	// Header is a name of the request header to check for JWTs.
	//
	// Default is "X-Gerrit-Auth".
	Header string

	// SignerAccounts are emails of service accounts that sign Gerrit JWTs.
	//
	// If empty, authentication based on Gerrit JWTs will be disabled.
	SignerAccounts []string

	// Audience is an expected "aud" field of JWTs.
	//
	// Required if SignerAccounts is not empty.
	Audience string
}

ModuleOptions contains the configuration of the gerritauth server module.

func (*ModuleOptions) Register

func (o *ModuleOptions) Register(f *flag.FlagSet)

Register registers the command line flags.
