serviceaccounts

package v0.0.0-...-678bb0e
Published: Aug 8, 2017 License: Apache-2.0 Imports: 25 Imported by: 0


Constants

This section is empty.

Variables

var GlobalRulesCache = NewRulesCache()

GlobalRulesCache is the process-wide rules cache.

Functions

func InspectGrant

InspectGrant returns information about the OAuth grant.

Inspection.Envelope is either nil or *tokenserver.OAuthTokenGrantEnvelope. Inspection.Body is either nil or *tokenserver.OAuthTokenGrantBody.

func SignGrant

func SignGrant(c context.Context, signer signing.Signer, tok *tokenserver.OAuthTokenGrantBody) (string, error)

SignGrant signs and serializes the OAuth grant.

It doesn't do any validation and assumes the prepared body is valid.

Produces a base64 URL-safe token or a transient error.

Types

type ImportServiceAccountsConfigsRPC

type ImportServiceAccountsConfigsRPC struct {
	RulesCache *RulesCache // usually GlobalRulesCache, but replaced in tests
}

ImportServiceAccountsConfigsRPC implements admin.ImportServiceAccountsConfigs method.

func (*ImportServiceAccountsConfigsRPC) ImportServiceAccountsConfigs

func (r *ImportServiceAccountsConfigsRPC) ImportServiceAccountsConfigs(c context.Context, _ *empty.Empty) (*admin.ImportedConfigs, error)

ImportServiceAccountsConfigs fetches configs from luci-config right now.

type InspectOAuthTokenGrantRPC

type InspectOAuthTokenGrantRPC struct {
	// Signer is mocked in tests.
	//
	// In prod it is gaesigner.Signer.
	Signer signing.Signer

	// Rules returns service account rules to use for the request.
	//
	// In prod it is GlobalRulesCache.Rules.
	Rules func(context.Context) (*Rules, error)
}

InspectOAuthTokenGrantRPC implements admin.InspectOAuthTokenGrant method.

func (*InspectOAuthTokenGrantRPC) InspectOAuthTokenGrant

func (r *InspectOAuthTokenGrantRPC) InspectOAuthTokenGrant(c context.Context, req *admin.InspectOAuthTokenGrantRequest) (*admin.InspectOAuthTokenGrantResponse, error)

InspectOAuthTokenGrant decodes the given OAuth token grant.

type MintOAuthTokenGrantRPC

type MintOAuthTokenGrantRPC struct {
	// Signer is mocked in tests.
	//
	// In prod it is gaesigner.Signer.
	Signer signing.Signer

	// Rules returns service account rules to use for the request.
	//
	// In prod it is GlobalRulesCache.Rules.
	Rules func(context.Context) (*Rules, error)
	// contains filtered or unexported fields
}

MintOAuthTokenGrantRPC implements TokenMinter.MintOAuthTokenGrant method.

func (*MintOAuthTokenGrantRPC) MintOAuthTokenGrant

func (r *MintOAuthTokenGrantRPC) MintOAuthTokenGrant(c context.Context, req *minter.MintOAuthTokenGrantRequest) (*minter.MintOAuthTokenGrantResponse, error)

MintOAuthTokenGrant produces a new OAuth token grant.

type MintOAuthTokenViaGrantRPC

type MintOAuthTokenViaGrantRPC struct {
}

MintOAuthTokenViaGrantRPC implements TokenMinter.MintOAuthTokenViaGrant method.

func (*MintOAuthTokenViaGrantRPC) MintOAuthTokenViaGrant

func (r *MintOAuthTokenViaGrantRPC) MintOAuthTokenViaGrant(c context.Context, req *minter.MintOAuthTokenViaGrantRequest) (*minter.MintOAuthTokenViaGrantResponse, error)

MintOAuthTokenViaGrant produces a new OAuth token given a grant.

type Rule

type Rule struct {
	Rule          *admin.ServiceAccountRule // original proto with the rule
	AllowedScopes stringset.Set             // parsed 'allowed_scope'
	EndUsers      *identityset.Set          // parsed 'end_user'
	Proxies       *identityset.Set          // parsed 'proxy'
}

Rule is a queryable in-memory representation of ServiceAccountRule.

It should be treated as a read-only object: it is shared by many concurrent requests.

type Rules

type Rules struct {
	// contains filtered or unexported fields
}

Rules is a queryable representation of service_accounts.cfg rules.

func (*Rules) Check

func (r *Rules) Check(c context.Context, query *RulesQuery) (*Rule, error)

Check checks that rules allow the requested usage.

Returns the corresponding rule on success, or gRPC error on failure. The returned rule can be consulted further to check additional restrictions, such as allowed OAuth scopes or validity duration.

It is meant to be called from an RPC handler. It logs errors internally, so callers need not log them again.

func (*Rules) ConfigRevision

func (r *Rules) ConfigRevision() string

ConfigRevision is part of policy.Queryable interface.

func (*Rules) Rule

func (r *Rules) Rule(serviceAccount string) *Rule

Rule returns the rule governing access to the given service account.

Returns nil if the service account is not specified in the config.

type RulesCache

type RulesCache struct {
	// contains filtered or unexported fields
}

RulesCache is a stateful object with parsed service_accounts.cfg rules.

It uses policy.Policy internally to manage a datastore-cached copy of the imported service accounts configs.

Use NewRulesCache() to create a new instance. Each instance owns its own in-memory cache, but all instances use the same shared datastore cache.

There's also a process-global instance of RulesCache (the GlobalRulesCache var) which is used by the main process. Unit tests don't use it, though, to avoid relying on shared state.

func NewRulesCache

func NewRulesCache() *RulesCache

NewRulesCache properly initializes a RulesCache instance.

func (*RulesCache) ImportConfigs

func (rc *RulesCache) ImportConfigs(c context.Context) (rev string, err error)

ImportConfigs refetches service_accounts.cfg and updates the datastore copy.

Called from cron.

func (*RulesCache) Rules

func (rc *RulesCache) Rules(c context.Context) (*Rules, error)

Rules returns an in-memory copy of the service accounts rules, ready for querying.

type RulesQuery

type RulesQuery struct {
	ServiceAccount string            // email of an account being used
	Proxy          identity.Identity // who's calling the Token Server
	EndUser        identity.Identity // who initiates the usage of an account
}

RulesQuery describes the circumstances of using some service account.

It is passed to 'Check'.
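The following is an added example (not code from this package) showing how the Rules.Check and RulesQuery documentation above fits together: a deny-by-default lookup keyed by service account, a proxy check, an end-user check, and a follow-up scope check on the returned rule. The Rule, Rules and RulesQuery types here are simplified stand-ins using plain string sets; the real package wraps LUCI identity sets and returns gRPC errors, and all account and identity values are constructed for the example.

```go
package main

import "fmt"

// Simplified stand-ins for the package's Rule, Rules and RulesQuery types
// (assumed shapes for this example; the real types wrap LUCI identity sets).
type Rule struct {
	AllowedScopes map[string]bool // parsed 'allowed_scope'
	EndUsers      map[string]bool // parsed 'end_user'
	Proxies       map[string]bool // parsed 'proxy'
}
type RulesQuery struct {
	ServiceAccount string // email of the account being used
	Proxy          string // who's calling the Token Server
	EndUser        string // who initiates the usage of the account
}
type Rules struct{ byAccount map[string]*Rule } // keyed by service account email

// Check is deny-by-default: a missing rule, an unlisted proxy or an unlisted end user each fail.
func (r *Rules) Check(q *RulesQuery) (*Rule, error) {
	rule := r.byAccount[q.ServiceAccount]
	switch {
	case rule == nil:
		return nil, fmt.Errorf("permission denied: no rule for %q", q.ServiceAccount)
	case !rule.Proxies[q.Proxy]:
		return nil, fmt.Errorf("permission denied: proxy %q may not use %q", q.Proxy, q.ServiceAccount)
	case !rule.EndUsers[q.EndUser]:
		return nil, fmt.Errorf("permission denied: end user %q may not use %q", q.EndUser, q.ServiceAccount)
	}
	return rule, nil
}

// CheckScopes rejects any requested OAuth scope outside the rule's allowed set.
func (rule *Rule) CheckScopes(scopes []string) error {
	for _, s := range scopes {
		if !rule.AllowedScopes[s] {
			return fmt.Errorf("permission denied: scope %q not allowed", s)
		}
	}
	return nil
}

// SampleRules is a constructed one-rule config (all values are made up for the example).
func SampleRules() *Rules {
	return &Rules{byAccount: map[string]*Rule{"builder@example.iam.gserviceaccount.com": {
		AllowedScopes: map[string]bool{"https://www.googleapis.com/auth/userinfo.email": true},
		EndUsers:      map[string]bool{"user:dev@example.com": true},
		Proxies:       map[string]bool{"user:swarming@example.com": true},
	}}}
}
```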
