Package machine

Published: Aug 13, 2020 | License: Apache-2.0 | Module:


Package machine implements authentication based on LUCI machine tokens.



const (
	// MachineTokenHeader is an HTTP header that carries the machine token.
	MachineTokenHeader = "X-Luci-Machine-Token"

	// TokenServersGroup is the name of a group with trusted token servers.
	// This group should contain service account emails of token servers we trust.
	TokenServersGroup = "auth-token-servers"
)


var (
	// ErrBadToken is returned if the supplied machine token is not valid.
	// See app logs for more details.
	ErrBadToken = errors.New("bad machine token")
)

type MachineTokenAuthMethod

type MachineTokenAuthMethod struct {
	// contains filtered or unexported fields
}

MachineTokenAuthMethod implements auth.Method by verifying machine tokens.

It looks at the X-Luci-Machine-Token header and verifies that it contains a valid, non-expired machine token issued by a trusted token server instance.

The list of trusted token servers is specified in the 'auth-token-servers' group.

If the token is valid, the request will be authenticated as coming from 'bot:<machine_fqdn>', where <machine_fqdn> is extracted from the token. It is the lowercase FQDN of the machine (as specified in the certificate used to mint the token).

func (*MachineTokenAuthMethod) Authenticate

func (m *MachineTokenAuthMethod) Authenticate(c context.Context, r *http.Request) (*auth.User, error)

Authenticate extracts peer's identity from the incoming request.

It logs detailed errors, but returns only a generic "bad credential" error to the caller, to avoid leaking unnecessary information.
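The checks described above (header lookup, trusted issuer, signature, expiry, then the 'bot:<fqdn>' identity, with reasons logged and one generic error returned), sketched as an added example that is not this package's code. The token layout (toyBody as JSON with an Ed25519 signature), toyRequest, authenticate and the example.test names are constructed for illustration; only the header name, the identity form and the error text come from the page.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"log"
	"net/http"
	"strings"
)

var errBadToken = errors.New("bad machine token") // all a caller ever sees

type toyBody struct{ FQDN, IssuedBy string; Expiry int64 } // constructed stand-in, not LUCI's format

func toyRequest(priv ed25519.PrivateKey, b toyBody) *http.Request { // token server and bot in one
	raw, _ := json.Marshal(b)
	enc := base64.RawURLEncoding.EncodeToString
	tok := enc(raw) + "." + enc(ed25519.Sign(priv, raw))
	return &http.Request{Header: http.Header{"X-Luci-Machine-Token": {tok}}}
}

// authenticate returns "bot:<fqdn>" or errBadToken; reasons go only to the log.
func authenticate(r *http.Request, trusted map[string]ed25519.PublicKey, nowUnix int64) (string, error) {
	reject := func(format string, a ...interface{}) (string, error) {
		log.Printf("machine token rejected: "+format, a...) // detail stays server-side
		return "", errBadToken                              // same error for every cause
	}
	parts := strings.SplitN(r.Header.Get("X-Luci-Machine-Token"), ".", 2)
	raw, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	var b toyBody
	switch { // cases run top to bottom, so b is parsed before it is inspected
	case len(parts) != 2 || err1 != nil || err2 != nil || json.Unmarshal(raw, &b) != nil:
		return reject("missing or undecodable token")
	case trusted[b.IssuedBy] == nil || !ed25519.Verify(trusted[b.IssuedBy], raw, sig):
		return reject("issuer %q untrusted or signature invalid", b.IssuedBy)
	case nowUnix >= b.Expiry:
		return reject("expired at %d", b.Expiry)
	}
	return "bot:" + strings.ToLower(b.FQDN), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	r := toyRequest(priv, toyBody{"VM1.Example.Test", "ts@example.test", 2000}) // constructed values
	log.Println(authenticate(r, map[string]ed25519.PublicKey{"ts@example.test": pub}, 1000))
}
```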

Documentation was rendered with GOOS=linux and GOARCH=amd64.