Version: v0.0.0-...-51f9457 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jul 9, 2021 License: Apache-2.0 Imports: 20 Imported by: 0



Package client implements pRPC client for The Token Server.

It is a thin wrapper around regular pRPC client, that knows how to use private keys and certificates to properly prepare requests for the token server.



This section is empty.


This section is empty.


This section is empty.


type Client

type Client struct {
	// Client is interface to use for raw RPC calls to the token server.
	// Use minter.NewTokenMinterClient to create it. Note that transport-level
	// authentication is not needed.
	Client TokenMinterClient

	// Signer knows how to sign requests using some private key.
	Signer Signer

Client can make signed requests to the token server.

func New

func New(params Parameters) (*Client, error)

New returns new Client that uses PEM encoded keys and talks to the server via pRPC.

func (*Client) MintMachineToken

func (c *Client) MintMachineToken(ctx context.Context, req *minter.MachineTokenRequest, opts ...grpc.CallOption) (*minter.MachineTokenResponse, error)

MintMachineToken signs the request using the signer and sends it.

It will update in-place the following fields of the request:

  • Certificate will be set to ASN1 cert corresponding to the signer key.
  • SignatureAlgorithm will be set to the algorithm used to sign the request.
  • IssuedAt will be set to the current time.

The rest of the fields must be already populated by the caller and will be sent to the server as is.


  • TokenResponse on success.
  • Non-transient error on fatal errors.
  • Transient error on transient errors.

You can sniff error for RPCError type to grab more error details.

type Parameters

type Parameters struct {
	// PrivateKeyPath is a path to a file with a private key PEM file.
	// Required.
	PrivateKeyPath string

	// CertificatePath is a path to a file with a corresponding certificate.
	// Required. It must match the private key (this will be verified).
	CertificatePath string

	// Backend is a hostname of the token server to talk to.
	// Required.
	Backend string

	// Insecure is true to use 'http' protocol instead of 'https'.
	// Useful on localhost. Default is "secure".
	Insecure bool

	// Client is non-authenticating HTTP client to build pRPC transport on top of.
	// Default is http.DefaultClient.
	Client *http.Client

	// Retry defines how to retry RPC requests on transient errors.
	// Use retry.Default for default strategy. Default is "no retries".
	Retry retry.Factory

Parameters is passed to New.

type RPCError

type RPCError struct {
	GrpcCode       codes.Code       // grpc-level status code
	ErrorCode      minter.ErrorCode // protocol-level status code
	ServiceVersion string           // version of the backend, if known
	// contains filtered or unexported fields

RPCError is optionally returned for recognized RPC errors.

Use typecast to distinguish recognized and unrecognized errors.

type Signer

type Signer interface {
	// Algo returns an algorithm that the signer implements.
	Algo(ctx context.Context) (x509.SignatureAlgorithm, error)

	// Certificate returns ASN.1 DER blob with the certificate of the signer.
	Certificate(ctx context.Context) ([]byte, error)

	// Sign signs a blob using the private key.
	Sign(ctx context.Context, blob []byte) ([]byte, error)

Signer knows how to sign requests using some private key.

type TokenMinterClient

type TokenMinterClient interface {
	// MintMachineToken generates a new token for an authenticated machine.
	MintMachineToken(context.Context, *minter.MintMachineTokenRequest, ...grpc.CallOption) (*minter.MintMachineTokenResponse, error)

TokenMinterClient is subset of minter.TokenMinterClient this package uses.

type X509Signer

type X509Signer struct {
	// PrivateKeyPEM is PEM-encoded ASN.1 PKCS#1 private key.
	// See
	PrivateKeyPEM []byte

	// CertificatePEM is PEM-encoded ASN.1 x509 certificate.
	// It must contain a public key matching the private key specified by
	// PrivateKeyPEM (this will be verified).
	// See
	CertificatePEM []byte
	// contains filtered or unexported fields

X509Signer implements Signer interface by using a private key and a certificate specified in ANS.1 x509 PEM encoded structures.

It is fine to initialize this struct directly if you have loaded private key and certificate already. You can optionally use Validate() to make sure they are valid before making other calls (all calls do validation anyhow).

Use LoadX509Signer to load the key and certificate from files on disk.

func LoadX509Signer

func LoadX509Signer(privateKeyPath, certPath string) (*X509Signer, error)

LoadX509Signer parses and validates private key and certificate PEM files.

Returns X509Signer that is ready for work.

func (*X509Signer) Algo

Algo returns an algorithm that the signer implements.

func (*X509Signer) Certificate

func (s *X509Signer) Certificate(ctx context.Context) ([]byte, error)

Certificate returns ASN.1 DER blob with the certificate of the signer.

func (*X509Signer) Sign

func (s *X509Signer) Sign(ctx context.Context, blob []byte) ([]byte, error)

Sign signs a blob using the private key.

func (*X509Signer) Validate

func (s *X509Signer) Validate() error

Validate parses the private key and certificate file and verifies them.

It checks that the public portion of the key matches what's in the certificate.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL