Package delegation contains the low-level API for working with delegation tokens.

Prefer the high-level API in the server/auth package, in particular `MintDelegationToken` and `auth.GetRPCTransport(ctx, auth.AsUser)`.



    const (
    	// HTTPHeaderName is the name of the HTTP header that carries the token.
    	HTTPHeaderName = "X-Delegation-Token-V1"
    )


    var (
    	// ErrMalformedDelegationToken is returned when the delegation token cannot be
    	// deserialized.
    	ErrMalformedDelegationToken = errors.New("auth: malformed delegation token")
    	// ErrUnsignedDelegationToken is returned if the token's signature cannot be
    	// verified.
    	ErrUnsignedDelegationToken = errors.New("auth: unsigned delegation token")
    	// ErrForbiddenDelegationToken is returned if the token is structurally correct,
    	// but some of its constraints prevent it from being used. For example, it has
    	// already expired or it was minted for some other service. See logs for
    	// details.
    	ErrForbiddenDelegationToken = errors.New("auth: forbidden delegation token")
    )


func CheckToken

    func CheckToken(c context.Context, params CheckTokenParams) (_ identity.Identity, err error)

CheckToken verifies the validity of a delegation token.

If the token is valid, it returns the delegated identity (embedded in the token).

May return transient errors.
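An added example (not code from this package) of how a service should act on CheckToken's result: it only distinguishes the error classes above, reports transient failures as retryable rather than as a rejected credential, and keeps the reason in the logs. The three sentinel errors are re-declared as constructed stand-ins for `delegation.Err*`, `checkTokenFunc` is a hypothetical wrapper in place of `CheckToken`, and identities are plain strings.

```go
package main

import (
	"context"
	"errors"
	"log"
	"net/http"
)

// Constructed stand-ins for delegation.Err*, so this file builds without the luci module.
var (
	errMalformed = errors.New("auth: malformed delegation token")
	errUnsigned  = errors.New("auth: unsigned delegation token")
	errForbidden = errors.New("auth: forbidden delegation token")
)

// checkTokenFunc is a hypothetical wrapper around delegation.CheckToken that
// takes the header value and the authenticated peer and returns the delegated identity.
type checkTokenFunc func(ctx context.Context, token, peerID string) (string, error)

// statusFor maps a CheckToken failure to a response code: malformed/unsigned is a
// credential problem (401), forbidden failed a constraint such as expiry (403), and
// anything else is treated as transient (503) so the client retries rather than gives up.
func statusFor(err error) int {
	switch {
	case errors.Is(err, errMalformed), errors.Is(err, errUnsigned):
		return http.StatusUnauthorized
	case errors.Is(err, errForbidden):
		return http.StatusForbidden
	default:
		return http.StatusServiceUnavailable
	}
}

// resolveCaller picks the identity a request acts as: the peer itself when no
// X-Delegation-Token-V1 header is present, otherwise the identity from the token.
func resolveCaller(ctx context.Context, check checkTokenFunc, peerID, token string) (string, int) {
	if token == "" {
		return peerID, http.StatusOK
	}
	delegated, err := check(ctx, token, peerID)
	if err != nil {
		// Only the status class reaches the client; the reason stays in the logs.
		log.Printf("delegation token from %s rejected: %v", peerID, err)
		return "", statusFor(err)
	}
	return delegated, http.StatusOK
}
```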


type CertificatesProvider

    type CertificatesProvider interface {
    	// GetCertificates returns a bundle with certificates of a trusted signer.
    	// Returns (nil, nil) if the given signer is not trusted.
    	// Returns errors (usually transient) if the bundle can't be fetched.
    	GetCertificates(c context.Context, id identity.Identity) (*signing.PublicCertificates, error)
    }

CertificatesProvider is used by CheckToken; it is implemented by authdb.DB.

It returns certificates of services trusted to sign tokens.

type CheckTokenParams

    type CheckTokenParams struct {
    	Token                string               // the delegation token to check
    	PeerID               identity.Identity    // identity of the caller, as extracted from its credentials
    	CertificatesProvider CertificatesProvider // returns certificates with trusted keys
    	GroupsChecker        GroupsChecker        // knows how to do group lookups
    	OwnServiceIdentity   identity.Identity    // identity of the current service
    }

CheckTokenParams is passed to CheckToken.

type GroupsChecker

    type GroupsChecker interface {
    	// IsMember returns true if the given identity belongs to any of the groups.
    	// Unknown groups are considered empty. May return errors if the underlying
    	// datastore has issues.
    	IsMember(c context.Context, id identity.Identity, groups []string) (bool, error)
    }

GroupsChecker is accepted by CheckToken; it is implemented by authdb.DB.
