machine

Documentation

Overview

Package machine implements authentication based on LUCI machine tokens.

Index

• Constants
• Variables
• type MachineTokenAuthMethod
  • func (m *MachineTokenAuthMethod) Authenticate(c context.Context, r *http.Request) (*auth.User, error)

Constants

const (
	// MachineTokenHeader is an HTTP header that carries the machine token.
	MachineTokenHeader = "X-Luci-Machine-Token"

	// TokenServersGroup is name of a group with trusted token servers.
	//
	// This group should contain service account emails of token servers we trust.
	TokenServersGroup = "auth-token-servers"
)

Variables

var (
	// ErrBadToken is returned if the supplied machine token is not valid.
	//
	// See app logs for more details.
	ErrBadToken = errors.New("bad machine token")
)

Types

type MachineTokenAuthMethod

type MachineTokenAuthMethod struct {
	// contains filtered or unexported fields
}

MachineTokenAuthMethod implements auth.Method by verifying machine tokens.

It looks at X-Luci-Machine-Token header and verifies that it contains a valid non-expired machine token issued by some trusted token server instance.

A list of trusted token servers is specified in 'auth-token-servers' group.

If the token is valid, the request will be authenticated as coming from 'bot:<machine_fqdn>', where <machine_fqdn> is extracted from the token. It is lowercase FQDN of a machine (as specified in the certificate used to mint the token).

func (*MachineTokenAuthMethod) Authenticate

func (m *MachineTokenAuthMethod) Authenticate(c context.Context, r *http.Request) (*auth.User, error)

Authenticate extracts peer's identity from the incoming request.

It logs detailed errors in log, but returns only generic "bad credential" error to the caller, to avoid leaking unnecessary information.