tcauth

package
v20.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 15, 2019 License: MPL-2.0 Imports: 5 Imported by: 0

Documentation

Overview

Authentication related API end-points for Taskcluster and related services. These API end-points are of interest if you wish to:

  • Authorize a request signed with Taskcluster credentials,
  • Manage clients and roles,
  • Inspect or audit clients and roles,
  • Gain access to various services guarded by this API.

See:

How to use this package

First create an Auth object: 

auth := tcauth.New(nil)

and then call one or more of auth's methods, e.g.: 

err := auth.Ping(.....)

handling any errors... 

if err != nil {
	// handle error...
}

Taskcluster Schema

The source code of this go package was auto-generated from the API definition at <rootUrl>/references/auth/v1/api.json together with the input and output schemas it references,

Example (Scopes) 
package main

import (
	"fmt"
	"log"

	tcclient "github.com/taskcluster/taskcluster/clients/client-go/v20"
	"github.com/taskcluster/taskcluster/clients/client-go/v20/tcauth"
)

func main() {

	// Note: the API call we will make doesn't need credentials as it supplies public information.
	// However, for the purpose of demonstrating the general case, this is how you can provide
	// credentials for API calls that require them.
	myAuth := tcauth.New(
		&tcclient.Credentials{
			ClientID:    "SOME-CLIENT-ID",
			AccessToken: "SOME-WELL-FORMED-ACCESS-TOKEN",
		},
		"https://taskcluster.net",
	)

	// Look up client details for client id "project/taskcluster/tc-client-go/tests"...
	resp, err := myAuth.Client("project/taskcluster/tc-client-go/tests")

	// Handle any errors...
	if err != nil {
		log.Printf("Error occurred: %s", err)
		return
	}

	// Report results...
	fmt.Printf("Client ID:  %v\n", resp.ClientID)
	fmt.Printf("Expires:    %v\n", resp.Expires)
	// Could also print expanded scopes, for example:
	//   fmt.Printf("Expanded Scopes:  %v\n", resp.ExpandedScopes)

}

Output:

Client ID:  project/taskcluster/tc-client-go/tests
Expires:    3017-02-01T05:00:00.000Z
Example (UpdateClient) 
package main

import (
	"fmt"
	"log"
	"time"

	tcclient "github.com/taskcluster/taskcluster/clients/client-go/v20"
	"github.com/taskcluster/taskcluster/clients/client-go/v20/tcauth"
)

func main() {

	// In this example we will connect to a local auth server running on
	// localhost:8080 with authentication disabled. This could be, for
	// example, a locally deployed taskcluster-proxy instance.
	myAuth := tcauth.New(nil, "http://localhost:8080")

	// Set target url to localhost url...
	myAuth.BaseURL = "http://localhost:60024/v1"

	// Update client id "b2g-power-tests" with new description and expiry...
	client, err := myAuth.UpdateClient(
		"b2g-power-tests",
		&tcauth.CreateClientRequest{
			Description: "Grant access to download artifacts for `flame-kk-eng`",
			Expires:     tcclient.Time(time.Now().AddDate(1, 0, 0)),
		},
	)

	// Handle any errors...
	if err != nil {
		log.Printf("Error occurred: %s", err)
		return
	}

	// Report results...
	fmt.Printf("Client Id:        %v\n", client.ClientID)
	fmt.Printf("Created:          %v\n", client.Created)
	fmt.Printf("Description:      %v\n", client.Description)
	fmt.Printf("Expanded Scopes:  %v\n", client.ExpandedScopes)
	fmt.Printf("Expires:          %v\n", client.Expires)
	fmt.Printf("Last Date Used:   %v\n", client.LastDateUsed)
	fmt.Printf("Last Modified:    %v\n", client.LastModified)
	fmt.Printf("Last Rotated:     %v\n", client.LastRotated)
}

Output:

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AWSS3CredentialsResponse 

type AWSS3CredentialsResponse struct {

	// Temporary STS credentials for use when operating on S3
	Credentials TemporarySecurityCredentials `json:"credentials"`

	// Date and time of when the temporary credentials expires.
	Expires tcclient.Time `json:"expires"`
}

Response for a request to get access to an S3 bucket.

type Auth 

type Auth tcclient.Client

func New 

func New(credentials *tcclient.Credentials, rootURL string) *Auth

New returns an Auth client, configured to run against production. Pass in nil credentials to create a client without authentication. The returned client is mutable, so returned settings can be altered. 

auth := tcauth.New(
    nil,                                      // client without authentication
    "http://localhost:1234/my/taskcluster",   // taskcluster hosted at this root URL on local machine
)
err := auth.Ping(.....)                       // for example, call the Ping(.....) API endpoint (described further down)...
if err != nil {
	// handle errors...
}

func NewFromEnv 

func NewFromEnv() *Auth

NewFromEnv returns an *Auth configured from environment variables.

The root URL is taken from TASKCLUSTER_PROXY_URL if set to a non-empty string, otherwise from TASKCLUSTER_ROOT_URL if set, otherwise the empty string.

The credentials are taken from environment variables: 

TASKCLUSTER_CLIENT_ID
TASKCLUSTER_ACCESS_TOKEN
TASKCLUSTER_CERTIFICATE

If TASKCLUSTER_CLIENT_ID is empty/unset, authentication will be disabled.

func (*Auth) AuthenticateHawk 

func (auth *Auth) AuthenticateHawk(payload *HawkSignatureAuthenticationRequest) (*HawkSignatureAuthenticationResponse, error)

Validate the request signature given on input and return list of scopes that the authenticating client has.

This method is used by other services that wish rely on Taskcluster credentials for authentication. This way we can use Hawk without having the secret credentials leave this service.

See #authenticateHawk

func (*Auth) AwsS3Credentials 

func (auth *Auth) AwsS3Credentials(level, bucket, prefix, format string) (*AWSS3CredentialsResponse, error)

Get temporary AWS credentials for `read-write` or `read-only` access to a given `bucket` and `prefix` within that bucket. The `level` parameter can be `read-write` or `read-only` and determines which type of credentials are returned. Please note that the `level` parameter is required in the scope guarding access. The bucket name must not contain `.`, as recommended by Amazon.

This method can only allow access to a whitelisted set of buckets. To add a bucket to that whitelist, contact the Taskcluster team, who will add it to the appropriate IAM policy. If the bucket is in a different AWS account, you will also need to add a bucket policy allowing access from the Taskcluster account. That policy should look like this:

```js 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-taskcluster-auth-to-delegate-access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::692406183521:root"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket>",
        "arn:aws:s3:::<bucket>/*"
      ]
    }
  ]
}

```

The credentials are set to expire after an hour, but this behavior is subject to change. Hence, you should always read the `expires` property from the response, if you intend to maintain active credentials in your application.

Please note that your `prefix` may not start with slash `/`. Such a prefix is allowed on S3, but we forbid it here to discourage bad behavior.

Also note that if your `prefix` doesn't end in a slash `/`, the STS credentials may allow access to unexpected keys, as S3 does not treat slashes specially. For example, a prefix of `my-folder` will allow access to `my-folder/file.txt` as expected, but also to `my-folder.txt`, which may not be intended.

Finally, note that the `PutObjectAcl` call is not allowed. Passing a canned ACL other than `private` to `PutObject` is treated as a `PutObjectAcl` call, and will result in an access-denied error from AWS. This limitation is due to a security flaw in Amazon S3 which might otherwise allow indefinite access to uploaded objects.

**EC2 metadata compatibility**, if the querystring parameter `?format=iam-role-compat` is given, the response will be compatible with the JSON exposed by the EC2 metadata service. This aims to ease compatibility for libraries and tools built to auto-refresh credentials. For details on the format returned by EC2 metadata service see: [EC2 User Guide](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials).

Required scopes: 

If levelIsReadOnly:
  Any of:
  - auth:aws-s3:read-only:<bucket>/<prefix>
  - auth:aws-s3:read-write:<bucket>/<prefix>

See #awsS3Credentials

func (*Auth) AwsS3Credentials_SignedURL 

func (auth *Auth) AwsS3Credentials_SignedURL(level, bucket, prefix, format string, duration time.Duration) (*url.URL, error)

Returns a signed URL for AwsS3Credentials, valid for the specified duration.

Required scopes: 

If levelIsReadOnly:
  Any of:
  - auth:aws-s3:read-only:<bucket>/<prefix>
  - auth:aws-s3:read-write:<bucket>/<prefix>

See AwsS3Credentials for more details.

func (*Auth) AzureAccounts 

func (auth *Auth) AzureAccounts() (*AzureListAccountResponse, error)

Retrieve a list of all Azure accounts managed by Taskcluster Auth.

Required scopes: 

auth:azure-table:list-accounts

See #azureAccounts

func (*Auth) AzureAccounts_SignedURL 

func (auth *Auth) AzureAccounts_SignedURL(duration time.Duration) (*url.URL, error)

Returns a signed URL for AzureAccounts, valid for the specified duration.

Required scopes: 

auth:azure-table:list-accounts

See AzureAccounts for more details.

func (*Auth) AzureContainerSAS 

func (auth *Auth) AzureContainerSAS(account, container, level string) (*AzureBlobSharedAccessSignature, error)

Get a shared access signature (SAS) string for use with a specific Azure Blob Storage container.

The `level` parameter can be `read-write` or `read-only` and determines which type of credentials are returned. If level is read-write, it will create the container if it doesn't already exist.

Required scopes: 

If levelIsReadOnly:
  Any of:
  - auth:azure-container:read-only:<account>/<container>
  - auth:azure-container:read-write:<account>/<container>

See #azureContainerSAS

func (*Auth) AzureContainerSAS_SignedURL 

func (auth *Auth) AzureContainerSAS_SignedURL(account, container, level string, duration time.Duration) (*url.URL, error)

Returns a signed URL for AzureContainerSAS, valid for the specified duration.

Required scopes: 

If levelIsReadOnly:
  Any of:
  - auth:azure-container:read-only:<account>/<container>
  - auth:azure-container:read-write:<account>/<container>

See AzureContainerSAS for more details.

func (*Auth) AzureContainers 

func (auth *Auth) AzureContainers(account, continuationToken string) (*AzureListContainersResponse, error)

Retrieve a list of all containers in an account.

Required scopes: 

auth:azure-container:list-containers:<account>

See #azureContainers

func (*Auth) AzureContainers_SignedURL 

func (auth *Auth) AzureContainers_SignedURL(account, continuationToken string, duration time.Duration) (*url.URL, error)

Returns a signed URL for AzureContainers, valid for the specified duration.

Required scopes: 

auth:azure-container:list-containers:<account>

See AzureContainers for more details.

func (*Auth) AzureTableSAS 

func (auth *Auth) AzureTableSAS(account, table, level string) (*AzureTableSharedAccessSignature, error)

Get a shared access signature (SAS) string for use with a specific Azure Table Storage table.

The `level` parameter can be `read-write` or `read-only` and determines which type of credentials are returned. If level is read-write, it will create the table if it doesn't already exist.

Required scopes: 

If levelIsReadOnly:
  Any of:
  - auth:azure-table:read-only:<account>/<table>
  - auth:azure-table:read-write:<account>/<table>

See #azureTableSAS

func (*Auth) AzureTableSAS_SignedURL 

func (auth *Auth) AzureTableSAS_SignedURL(account, table, level string, duration time.Duration) (*url.URL, error)

Returns a signed URL for AzureTableSAS, valid for the specified duration.

Required scopes: 

If levelIsReadOnly:
  Any of:
  - auth:azure-table:read-only:<account>/<table>
  - auth:azure-table:read-write:<account>/<table>

See AzureTableSAS for more details.

func (*Auth) AzureTables 

func (auth *Auth) AzureTables(account, continuationToken string) (*AzureListTableResponse, error)

Retrieve a list of all tables in an account.

Required scopes: 

auth:azure-table:list-tables:<account>

See #azureTables

func (*Auth) AzureTables_SignedURL 

func (auth *Auth) AzureTables_SignedURL(account, continuationToken string, duration time.Duration) (*url.URL, error)

Returns a signed URL for AzureTables, valid for the specified duration.

Required scopes: 

auth:azure-table:list-tables:<account>

See AzureTables for more details.

func (*Auth) Client 

func (auth *Auth) Client(clientId string) (*GetClientResponse, error)

Get information about a single client.

See #client

func (*Auth) CreateClient 

func (auth *Auth) CreateClient(clientId string, payload *CreateClientRequest) (*CreateClientResponse, error)

Create a new client and get the `accessToken` for this client. You should store the `accessToken` from this API call as there is no other way to retrieve it.

If you loose the `accessToken` you can call `resetAccessToken` to reset it, and a new `accessToken` will be returned, but you cannot retrieve the current `accessToken`.

If a client with the same `clientId` already exists this operation will fail. Use `updateClient` if you wish to update an existing client.

The caller's scopes must satisfy `scopes`.

Required scopes: 

All of:
* auth:create-client:<clientId>
* For scope in scopes each <scope>

See #createClient

func (*Auth) CreateRole 

func (auth *Auth) CreateRole(roleId string, payload *CreateRoleRequest) (*GetRoleResponse, error)

Create a new role.

The caller's scopes must satisfy the new role's scopes.

If there already exists a role with the same `roleId` this operation will fail. Use `updateRole` to modify an existing role.

Creation of a role that will generate an infinite expansion will result in an error response.

Required scopes: 

All of:
* auth:create-role:<roleId>
* For scope in scopes each <scope>

See #createRole

func (*Auth) CurrentScopes 

func (auth *Auth) CurrentScopes() (*SetOfScopes, error)

Return the expanded scopes available in the request, taking into account all sources of scopes and scope restrictions (temporary credentials, assumeScopes, client scopes, and roles).

See #currentScopes

func (*Auth) DeleteClient 

func (auth *Auth) DeleteClient(clientId string) error

Delete a client, please note that any roles related to this client must be deleted independently.

Required scopes: 

auth:delete-client:<clientId>

See #deleteClient

func (*Auth) DeleteRole 

func (auth *Auth) DeleteRole(roleId string) error

Delete a role. This operation will succeed regardless of whether or not the role exists.

Required scopes: 

auth:delete-role:<roleId>

See #deleteRole

func (*Auth) DisableClient 

func (auth *Auth) DisableClient(clientId string) (*GetClientResponse, error)

Disable a client. If the client is already disabled, this does nothing.

This is typically used by identity providers to disable clients when the corresponding identity's scopes no longer satisfy the client's scopes.

Required scopes: 

auth:disable-client:<clientId>

See #disableClient

func (*Auth) EnableClient 

func (auth *Auth) EnableClient(clientId string) (*GetClientResponse, error)

Enable a client that was disabled with `disableClient`. If the client is already enabled, this does nothing.

This is typically used by identity providers to re-enable clients that had been disabled when the corresponding identity's scopes changed.

Required scopes: 

auth:enable-client:<clientId>

See #enableClient

func (*Auth) ExpandScopes 

func (auth *Auth) ExpandScopes(payload *SetOfScopes) (*SetOfScopes, error)

Return an expanded copy of the given scopeset, with scopes implied by any roles included.

See #expandScopes

func (*Auth) GcpCredentials 

func (auth *Auth) GcpCredentials(projectId, serviceAccount string) (*GCPCredentialsResponse, error)

Get temporary GCP credentials for the given serviceAccount in the given project.

Only preconfigured projects are allowed. Any serviceAccount in that project may be used.

The call adds the necessary policy if the serviceAccount doesn't have it. The credentials are set to expire after an hour, but this behavior is subject to change. Hence, you should always read the `expires` property from the response, if you intend to maintain active credentials in your application.

Required scopes: 

auth:gcp:access-token:<projectId>/<serviceAccount>

See #gcpCredentials

func (*Auth) GcpCredentials_SignedURL 

func (auth *Auth) GcpCredentials_SignedURL(projectId, serviceAccount string, duration time.Duration) (*url.URL, error)

Returns a signed URL for GcpCredentials, valid for the specified duration.

Required scopes: 

auth:gcp:access-token:<projectId>/<serviceAccount>

See GcpCredentials for more details.

func (*Auth) ListClients 

func (auth *Auth) ListClients(continuationToken, limit, prefix string) (*ListClientResponse, error)

Get a list of all clients. With `prefix`, only clients for which it is a prefix of the clientId are returned.

By default this end-point will try to return up to 1000 clients in one request. But it **may return less, even none**. It may also return a `continuationToken` even though there are no more results. However, you can only be sure to have seen all results if you keep calling `listClients` with the last `continuationToken` until you get a result without a `continuationToken`.

See #listClients

func (*Auth) ListRoleIds 

func (auth *Auth) ListRoleIds(continuationToken, limit string) (*GetRoleIdsResponse, error)

Get a list of all role IDs.

If no limit is given, the roleIds of all roles are returned. Since this list may become long, callers can use the `limit` and `continuationToken` query arguments to page through the responses.

See #listRoleIds

func (*Auth) ListRoles 

func (auth *Auth) ListRoles() (*GetAllRolesNoPagination, error)

Get a list of all roles. Each role object also includes the list of scopes it expands to. This always returns all roles in a single HTTP request.

To get paginated results, use `listRoles2`.

See #listRoles

func (*Auth) ListRoles2 

func (auth *Auth) ListRoles2(continuationToken, limit string) (*GetAllRolesResponse, error)

Get a list of all roles. Each role object also includes the list of scopes it expands to. This is similar to `listRoles` but differs in the format of the response.

If no limit is given, all roles are returned. Since this list may become long, callers can use the `limit` and `continuationToken` query arguments to page through the responses.

See #listRoles2

func (*Auth) Ping 

func (auth *Auth) Ping() error

Respond without doing anything. This endpoint is used to check that the service is up.

See #ping

func (*Auth) ResetAccessToken 

func (auth *Auth) ResetAccessToken(clientId string) (*CreateClientResponse, error)

Reset a clients `accessToken`, this will revoke the existing `accessToken`, generate a new `accessToken` and return it from this call.

There is no way to retrieve an existing `accessToken`, so if you loose it you must reset the accessToken to acquire it again.

Required scopes: 

auth:reset-access-token:<clientId>

See #resetAccessToken

func (*Auth) Role 

func (auth *Auth) Role(roleId string) (*GetRoleResponse, error)

Get information about a single role, including the set of scopes that the role expands to.

See #role

func (*Auth) SentryDSN 

func (auth *Auth) SentryDSN(project string) (*SentryDSNResponse, error)

Stability: *** DEPRECATED ***

Get temporary DSN (access credentials) for a sentry project. The credentials returned can be used with any Sentry client for up to 24 hours, after which the credentials will be automatically disabled.

If the project doesn't exist it will be created, and assigned to the initial team configured for this component. Contact a Sentry admin to have the project transferred to a team you have access to if needed

Required scopes: 

auth:sentry:<project>

See #sentryDSN

func (*Auth) SentryDSN_SignedURL 

func (auth *Auth) SentryDSN_SignedURL(project string, duration time.Duration) (*url.URL, error)

Returns a signed URL for SentryDSN, valid for the specified duration.

Required scopes: 

auth:sentry:<project>

See SentryDSN for more details.

func (*Auth) StatsumToken 

func (auth *Auth) StatsumToken(project string) (*StatsumTokenResponse, error)

Get temporary `token` and `baseUrl` for sending metrics to statsum.

The token is valid for 24 hours, clients should refresh after expiration.

Required scopes: 

auth:statsum:<project>

See #statsumToken

func (*Auth) StatsumToken_SignedURL 

func (auth *Auth) StatsumToken_SignedURL(project string, duration time.Duration) (*url.URL, error)

Returns a signed URL for StatsumToken, valid for the specified duration.

Required scopes: 

auth:statsum:<project>

See StatsumToken for more details.

func (*Auth) TestAuthenticate 

func (auth *Auth) TestAuthenticate(payload *TestAuthenticateRequest) (*TestAuthenticateResponse, error)

Utility method to test client implementations of Taskcluster authentication.

Rather than using real credentials, this endpoint accepts requests with clientId `tester` and accessToken `no-secret`. That client's scopes are based on `clientScopes` in the request body.

The request is validated, with any certificate, authorizedScopes, etc. applied, and the resulting scopes are checked against `requiredScopes` from the request body. On success, the response contains the clientId and scopes as seen by the API method.

See #testAuthenticate

func (*Auth) TestAuthenticateGet 

func (auth *Auth) TestAuthenticateGet() (*TestAuthenticateResponse, error)

Utility method similar to `testAuthenticate`, but with the GET method, so it can be used with signed URLs (bewits).

Rather than using real credentials, this endpoint accepts requests with clientId `tester` and accessToken `no-secret`. That client's scopes are `['test:*', 'auth:create-client:test:*']`. The call fails if the `test:authenticate-get` scope is not available.

The request is validated, with any certificate, authorizedScopes, etc. applied, and the resulting scopes are checked, just like any API call. On success, the response contains the clientId and scopes as seen by the API method.

This method may later be extended to allow specification of client and required scopes via query arguments.

See #testAuthenticateGet

func (*Auth) UpdateClient 

func (auth *Auth) UpdateClient(clientId string, payload *CreateClientRequest) (*GetClientResponse, error)

Update an exisiting client. The `clientId` and `accessToken` cannot be updated, but `scopes` can be modified. The caller's scopes must satisfy all scopes being added to the client in the update operation. If no scopes are given in the request, the client's scopes remain unchanged

Required scopes: 

All of:
* auth:update-client:<clientId>
* For scope in scopesAdded each <scope>

See #updateClient

func (*Auth) UpdateRole 

func (auth *Auth) UpdateRole(roleId string, payload *CreateRoleRequest) (*GetRoleResponse, error)

Update an existing role.

The caller's scopes must satisfy all of the new scopes being added, but need not satisfy all of the role's existing scopes.

An update of a role that will generate an infinite expansion will result in an error response.

Required scopes: 

All of:
* auth:update-role:<roleId>
* For scope in scopesAdded each <scope>

See #updateRole

func (*Auth) WebsocktunnelToken 

func (auth *Auth) WebsocktunnelToken(wstAudience, wstClient string) (*WebsocktunnelTokenResponse, error)

Get a temporary token suitable for use connecting to a [websocktunnel](https://github.com/taskcluster/websocktunnel) server.

The resulting token will only be accepted by servers with a matching audience value. Reaching such a server is the callers responsibility. In general, a server URL or set of URLs should be provided to the caller as configuration along with the audience value.

The token is valid for a limited time (on the scale of hours). Callers should refresh it before expiration.

Required scopes: 

auth:websocktunnel-token:<wstAudience>/<wstClient>

See #websocktunnelToken

func (*Auth) WebsocktunnelToken_SignedURL 

func (auth *Auth) WebsocktunnelToken_SignedURL(wstAudience, wstClient string, duration time.Duration) (*url.URL, error)

Returns a signed URL for WebsocktunnelToken, valid for the specified duration.

Required scopes: 

auth:websocktunnel-token:<wstAudience>/<wstClient>

See WebsocktunnelToken for more details.

type AuthenticationFailedResponse 

type AuthenticationFailedResponse struct {

	// Message saying why the authentication failed.
	Message string `json:"message"`

	// The kind of response, `auth-failed` or `auth-success`.
	//
	// Possible values:
	//   * "auth-failed"
	Status string `json:"status"`
}

Response from a request to authenticate a hawk request.

type AuthenticationSuccessfulResponse 

type AuthenticationSuccessfulResponse struct {

	// The `clientId` that made this request.  This may be the `id` supplied in
	// the Authorization header, or in the case of a named temporary credential
	// may be embedded in the payload.  In any case, this clientId can be used
	// for logging, auditing, and identifying the credential but **must** not be
	// used for access control.  That's what scopes are for.
	//
	// Syntax:     ^[A-Za-z0-9!@/:.+|_-]+$
	ClientID string `json:"clientId"`

	// The expiration time for the credentials used to make this request.
	// This should be treated as the latest time at which the authorization
	// is valid.  For most cases, where the access being authorized occurs
	// immediately, this field can be ignored, as the value will always be
	// in the future if the status is `auth-success`.
	Expires tcclient.Time `json:"expires"`

	// Payload as extracted from `Authentication` header. This property is
	// only present if a hash is available. You are not required to validate
	// this hash, but if you do, please check `scheme` to ensure that it's
	// on a scheme you support.
	Hash json.RawMessage `json:"hash,omitempty"`

	// Authentication scheme the client used. Generally, you don't need to
	// read this property unless `hash` is provided and you want to validate
	// the payload hash. Additional values may be added in the future.
	//
	// Possible values:
	//   * "hawk"
	Scheme string `json:"scheme"`

	// List of scopes the client is authorized to access.  Scopes must be
	// composed of printable ASCII characters and spaces.
	//
	// Array items:
	// Syntax:     ^[ -~]*$
	Scopes []string `json:"scopes"`

	// The kind of response, `auth-failed` or `auth-success`.
	//
	// Possible values:
	//   * "auth-success"
	Status string `json:"status"`
}

Response from a request to authenticate a hawk request.

type AzureBlobSharedAccessSignature 

type AzureBlobSharedAccessSignature struct {

	// Date and time of when the Shared-Access-Signature expires.
	Expiry tcclient.Time `json:"expiry"`

	// Shared-Access-Signature string. This is the querystring parameters to
	// be appened after `?` or `&` depending on whether or not a querystring is
	// already present in the URL.
	Sas string `json:"sas"`
}

Response to a request for an Shared-Access-Signature to access an Azure Blob Storage container.

type AzureListAccountResponse 

type AzureListAccountResponse struct {

	// A list of accountIds that are managed by auth. These are
	// the accounts that can have SAS credentials fetched for tables
	// within them.
	//
	// Array items:
	Accounts []string `json:"accounts"`
}

A list of Azure accounts managed by taskcluster-auth

type AzureListContainersResponse 

type AzureListContainersResponse struct {

	// A list of containers that are in an account.  Credentials are available for
	// these containers from the `azureBlobSAS` method.
	//
	// Array items:
	Containers []string `json:"containers"`

	// Opaque `continuationToken` to be given as query-string option to get the
	// next set of containers.
	// This property is only present if another request is necessary to fetch all
	// results. In practice the next request with a `continuationToken` may not
	// return additional results, but it can. Thus, you can only be sure to have
	// all the results if you've called this method with `continuationToken`
	// until you get a result without a `continuationToken`.
	ContinuationToken string `json:"continuationToken,omitempty"`
}

A list of Azure containers in an account

type AzureListTableResponse 

type AzureListTableResponse struct {

	// Opaque `continuationToken` to be given as query-string option to get the
	// next set of tables.
	// This property is only present if another request is necessary to fetch all
	// results. In practice the next request with a `continuationToken` may not
	// return additional results, but it can. Thus, you can only be sure to have
	// all the results if you've called `azureAccountTables` with `continuationToken`
	// until you get a result without a `continuationToken`.
	ContinuationToken string `json:"continuationToken,omitempty"`

	// A list of tables that are in an account. These are
	// the tables that can have SAS credentials fetched for them.
	//
	// Array items:
	Tables []string `json:"tables"`
}

A list of Azure tables in an account

type AzureTableSharedAccessSignature 

type AzureTableSharedAccessSignature struct {

	// Date and time of when the Shared-Access-Signature expires.
	Expiry tcclient.Time `json:"expiry"`

	// Shared-Access-Signature string. This is the querystring parameters to
	// be appened after `?` or `&` depending on whether or not a querystring is
	// already present in the URL.
	Sas string `json:"sas"`
}

Response to a request for an Shared-Access-Signature to access and Azure Table Storage table.

type CreateClientRequest 

type CreateClientRequest struct {

	// If `true`, the service may delete this client after it has expired.  If
	// `false` (the default), the client will remain after expiration, although
	// it cannot be used for authentication in that state.
	//
	// Default:    false
	DeleteOnExpiration bool `json:"deleteOnExpiration,omitempty"`

	// Description of what these credentials are used for in markdown.
	// Should include who is the owner, point of contact.
	//
	// Max length: 10240
	Description string `json:"description"`

	// Date and time where the clients access is set to expire
	Expires tcclient.Time `json:"expires"`

	// List of scopes the client has (unexpanded).
	//
	// Array items:
	// A single scope. A scope must be composed of
	// printable ASCII characters and spaces.  Scopes ending in more than
	// one `*` character are forbidden.
	//
	// Syntax:     ^[ -~]*$
	Scopes []string `json:"scopes,omitempty"`
}

Properties to create a client.

type CreateClientResponse 

type CreateClientResponse struct {

	// AccessToken used for authenticating requests, you should store this
	// you won't be able to retrive it again!
	//
	// Syntax:     ^[a-zA-Z0-9_-]{22,66}$
	AccessToken string `json:"accessToken"`

	// ClientId of the client
	//
	// Syntax:     ^[A-Za-z0-9!@/:.+|_-]+$
	ClientID string `json:"clientId"`

	// Date and time when this client was created
	Created tcclient.Time `json:"created"`

	// If `true`, the service may delete this client after it has expired.  If
	// `false`, the client will remain after expiration, although it cannot be
	// used for authentication in that state.
	DeleteOnExpiration bool `json:"deleteOnExpiration"`

	// Description of what these credentials are used for in markdown.
	// Should include who is the owner, point of contact.
	//
	// Max length: 10240
	Description string `json:"description"`

	// If true, this client is disabled and cannot be used.  This usually occurs when the
	// scopes available to the user owning the client no longer satisfy the client.
	Disabled bool `json:"disabled"`

	// List of scopes granted to this client by matching roles, including the
	// client's scopes and the implicit role `client-id:<clientId>`.
	//
	// Array items:
	// A single scope. A scope must be composed of
	// printable ASCII characters and spaces.  Scopes ending in more than
	// one `*` character are forbidden.
	//
	// Syntax:     ^[ -~]*$
	ExpandedScopes []string `json:"expandedScopes"`

	// Date and time where the clients access is set to expire
	Expires tcclient.Time `json:"expires"`

	// Date of last time this client was used. Will only be updated every 6 hours
	// or so this may be off by up-to 6 hours. But it still gives a solid hint
	// as to whether or not this client is in use.
	LastDateUsed tcclient.Time `json:"lastDateUsed"`

	// Date and time of last modification
	LastModified tcclient.Time `json:"lastModified"`

	// Date and time of when the `accessToken` was reset last time.
	LastRotated tcclient.Time `json:"lastRotated"`

	// List of scopes the client has (unexpanded).
	//
	// Default:    []
	//
	// Array items:
	// A single scope. A scope must be composed of
	// printable ASCII characters and spaces.  Scopes ending in more than
	// one `*` character are forbidden.
	//
	// Syntax:     ^[ -~]*$
	Scopes []string `json:"scopes"`
}

All details about a client including the `accessToken`

type CreateRoleRequest 

type CreateRoleRequest struct {

	// Description of what this role is used for in markdown.
	// Should include who is the owner, point of contact.
	//
	// Max length: 10240
	Description string `json:"description"`

	// List of scopes the role grants access to.  Scopes must be composed of
	// printable ASCII characters and spaces.
	//
	// Array items:
	// A single scope. A scope must be composed of
	// printable ASCII characters and spaces.  Scopes ending in more than
	// one `*` character are forbidden.
	//
	// Syntax:     ^[ -~]*$
	Scopes []string `json:"scopes"`
}

Data to create or update a role.

type Dsn 

type Dsn struct {

	// Access credential and URL for public error reports.
	// These credentials can be used for up-to 24 hours.
	// This is for use in client-side applications only.
	Public string `json:"public"`

	// Access credential and URL for private error reports.
	// These credentials can be used for up-to 24 hours.
	// This is for use in serser-side applications and should **not** be
	// leaked.
	Secret string `json:"secret"`
}

Access credentials and urls for the Sentry project. Credentials will expire in 24-48 hours, you should refresh them within 24 hours.

type GCPCredentialsResponse 

type GCPCredentialsResponse struct {

	// Temporary oauth2 access token to access the given service account
	AccessToken string `json:"accessToken"`

	// The access token expire time
	ExpireTime tcclient.Time `json:"expireTime"`
}

Response for a request to get a GCP temporary credential.

type GetAllRolesNoPagination 

type GetAllRolesNoPagination []GetRoleResponse

List of roles

type GetAllRolesResponse 

type GetAllRolesResponse struct {

	// A continuation token is returned if there are more results than listed
	// here. You can optionally provide the token in the request payload to
	// load the additional results.
	ContinuationToken string `json:"continuationToken,omitempty"`

	// A list of requested roles
	Roles []GetRoleResponse `json:"roles"`
}

If no limit is given, all roles are returned. Since this list may become long, callers can use the `limit` and `continuationToken` query arguments to page through the responses.

type GetClientResponse 

type GetClientResponse struct {

	// ClientId of the client scopes is requested about
	//
	// Syntax:     ^[A-Za-z0-9!@/:.+|_-]+$
	ClientID string `json:"clientId"`

	// Date and time when this client was created
	Created tcclient.Time `json:"created"`

	// If `true`, the service may delete this client after it has expired.  If
	// `false`, the client will remain after expiration, although it cannot be
	// used for authentication in that state.
	DeleteOnExpiration bool `json:"deleteOnExpiration"`

	// Description of what these credentials are used for in markdown.
	// Should include who is the owner, point of contact.
	//
	// Max length: 10240
	Description string `json:"description"`

	// If true, this client is disabled and cannot be used.  This usually occurs when the
	// scopes available to the user owning the client no longer satisfy the client.
	Disabled bool `json:"disabled"`

	// List of scopes granted to this client by matching roles.  Scopes must be
	// composed of printable ASCII characters and spaces.
	//
	// Array items:
	// Scope that client is granted by a role
	//
	// Syntax:     ^[ -~]*$
	ExpandedScopes []string `json:"expandedScopes"`

	// Date and time where the clients access is set to expire
	Expires tcclient.Time `json:"expires"`

	// Date of last time this client was used. Will only be updated every 6 hours
	// or so this may be off by up-to 6 hours. But it still gives a solid hint
	// as to whether or not this client is in use.
	LastDateUsed tcclient.Time `json:"lastDateUsed"`

	// Date and time of last modification
	LastModified tcclient.Time `json:"lastModified"`

	// Date and time of when the `accessToken` was reset last time.
	LastRotated tcclient.Time `json:"lastRotated"`

	// List of scopes the client has (unexpanded).  Scopes must be composed of
	// printable ASCII characters and spaces.
	//
	// Default:    []
	//
	// Array items:
	// Scope
	//
	// Syntax:     ^[ -~]*$
	Scopes []string `json:"scopes"`
}

Get all details about a client, useful for tools modifying a client

type GetRoleIdsResponse 

type GetRoleIdsResponse struct {

	// A continuation token is returned if there are more results than listed
	// here. You can optionally provide the token in the request payload to
	// load the additional results.
	ContinuationToken string `json:"continuationToken,omitempty"`

	// A list of requested roleIds
	//
	// Array items:
	RoleIds []string `json:"roleIds"`
}

If no limit is given, the roleIds of all roles are returned. Since this list may become long, callers can use the `limit` and `continuationToken` query arguments to page through the responses.

type GetRoleResponse 

type GetRoleResponse struct {

	// Date and time when this role was created
	Created tcclient.Time `json:"created"`

	// Description of what this role is used for in markdown.
	// Should include who is the owner, point of contact.
	//
	// Max length: 10240
	Description string `json:"description"`

	// List of scopes granted anyone who assumes this role, including anything
	// granted by roles that can be assumed when you have this role.
	// Hence, this includes any scopes in-directly granted as well.
	//
	// Array items:
	// A single scope. A scope must be composed of
	// printable ASCII characters and spaces.  Scopes ending in more than
	// one `*` character are forbidden.
	//
	// Syntax:     ^[ -~]*$
	ExpandedScopes []string `json:"expandedScopes"`

	// Date and time of last modification
	LastModified tcclient.Time `json:"lastModified"`

	// roleId of the role requested
	//
	// Syntax:     ^[\x20-\x7e]+$
	RoleID string `json:"roleId"`

	// List of scopes the role grants access to.  Scopes must be composed of
	// printable ASCII characters and spaces.
	//
	// Array items:
	// A single scope. A scope must be composed of
	// printable ASCII characters and spaces.  Scopes ending in more than
	// one `*` character are forbidden.
	//
	// Syntax:     ^[ -~]*$
	Scopes []string `json:"scopes"`
}

Get all details about a role

type HawkSignatureAuthenticationRequest 

type HawkSignatureAuthenticationRequest struct {

	// Authorization header, **must** only be specified if request being
	// authenticated has a `Authorization` header.
	Authorization string `json:"authorization,omitempty"`

	// Host for which the request came in, this is typically the `Host` header
	// excluding the port if any.
	Host string `json:"host"`

	// HTTP method of the request being authenticated.
	//
	// Possible values:
	//   * "get"
	//   * "post"
	//   * "put"
	//   * "head"
	//   * "delete"
	//   * "options"
	//   * "trace"
	//   * "copy"
	//   * "lock"
	//   * "mkcol"
	//   * "move"
	//   * "purge"
	//   * "propfind"
	//   * "proppatch"
	//   * "unlock"
	//   * "report"
	//   * "mkactivity"
	//   * "checkout"
	//   * "merge"
	//   * "m-search"
	//   * "notify"
	//   * "subscribe"
	//   * "unsubscribe"
	//   * "patch"
	//   * "search"
	//   * "connect"
	Method string `json:"method"`

	// Port on which the request came in, this is typically `80` or `443`.
	// If you are running behind a reverse proxy look for the `x-forwarded-port`
	// header.
	//
	// Mininum:    0
	// Maximum:    65535
	Port int64 `json:"port"`

	// Resource the request operates on including querystring. This is the
	// string that follows the HTTP method.
	// **Note,** order of querystring elements is important.
	Resource string `json:"resource"`

	// Source IP of the authentication request or request that requires
	// authentication. This is only used for audit logging.
	//
	// One of:
	//   * SourceIP
	//   * SourceIP1
	SourceIP string `json:"sourceIp,omitempty"`
}

Request to authenticate a hawk request.

type HawkSignatureAuthenticationResponse 

type HawkSignatureAuthenticationResponse json.RawMessage

Response from a request to authenticate a hawk request.

One of:

  • AuthenticationSuccessfulResponse
  • AuthenticationFailedResponse

func (*HawkSignatureAuthenticationResponse) MarshalJSON 

func (this *HawkSignatureAuthenticationResponse) MarshalJSON() ([]byte, error)

MarshalJSON calls json.RawMessage method of the same name. Required since HawkSignatureAuthenticationResponse is of type json.RawMessage...

func (*HawkSignatureAuthenticationResponse) UnmarshalJSON 

func (this *HawkSignatureAuthenticationResponse) UnmarshalJSON(data []byte) error

UnmarshalJSON is a copy of the json.RawMessage implementation.

type ListClientResponse 

type ListClientResponse struct {
	Clients []GetClientResponse `json:"clients"`

	// A continuation token is returned if there are more results than listed
	// here. You can optionally provide the token in the request payload to
	// load the additional results.
	ContinuationToken string `json:"continuationToken,omitempty"`
}

List of clients

type SentryDSNResponse 

type SentryDSNResponse struct {

	// Access credentials and urls for the Sentry project.
	// Credentials will expire in 24-48 hours, you should refresh them within
	// 24 hours.
	Dsn Dsn `json:"dsn"`

	// Expiration time for the credentials. The credentials should not be used
	// after this time. They might not be revoked immediately, but will be at
	// some arbitrary point after this date-time.
	Expires tcclient.Time `json:"expires"`

	// Project name that the DSN grants access to.
	Project string `json:"project"`
}

Sentry DSN for submitting errors.

type SetOfScopes 

type SetOfScopes struct {

	// List of scopes.  Scopes must be composed of printable ASCII characters and spaces.
	//
	// Array items:
	// Scope
	//
	// Syntax:     ^[ -~]*$
	Scopes []string `json:"scopes"`
}

A set of scopes

type SourceIP 

type SourceIP string

Source IP of the authentication request or request that requires authentication. This is only used for audit logging.

type SourceIP1 

type SourceIP1 string

Source IP of the authentication request or request that requires authentication. This is only used for audit logging.

type StatsumTokenResponse 

type StatsumTokenResponse struct {

	// Base URL for the statsum server this project is allocated on.
	BaseURL string `json:"baseUrl"`

	// Time at which the token expires and should not be used anymore.
	Expires tcclient.Time `json:"expires"`

	// Project name that the token grants access to.
	Project string `json:"project"`

	// JWT token to be used as `Bearer <token>` when submitting data to statsum.
	Token string `json:"token"`
}

Token for submitting statistics to statsum.

type TemporarySecurityCredentials 

type TemporarySecurityCredentials struct {

	// Access key identifier that identifies the temporary security
	// credentials.
	AccessKeyID string `json:"accessKeyId"`

	// Secret access key used to sign requests
	SecretAccessKey string `json:"secretAccessKey"`

	// A token that must passed with request to use the temporary
	// security credentials.
	SessionToken string `json:"sessionToken"`
}

Temporary STS credentials for use when operating on S3

type TestAuthenticateRequest 

type TestAuthenticateRequest struct {

	// List of scopes that should be client used should be given.
	//
	// Default:    []
	//
	// Array items:
	// Scope
	//
	// Syntax:     ^[ -~]*$
	ClientScopes []string `json:"clientScopes"`

	// List of scopes the request should require.
	//
	// Default:    []
	//
	// Array items:
	// Scope
	//
	// Syntax:     ^[ -~]*$
	RequiredScopes []string `json:"requiredScopes"`
}

Details on how the test request should be authenticated.

type TestAuthenticateResponse 

type TestAuthenticateResponse struct {

	// ClientId from the request as it will be logged
	//
	// Syntax:     ^[A-Za-z0-9!@/:.+|_-]+$
	ClientID string `json:"clientId"`

	// List of scopes the request was authorized.
	//
	// Default:    []
	//
	// Array items:
	// Scope
	//
	// Syntax:     ^[ -~]*$
	Scopes []string `json:"scopes"`
}

Details on how the test request was authenticated.

type WebsocktunnelTokenResponse 

type WebsocktunnelTokenResponse struct {

	// The time at which the JWT will expire.
	Expires tcclient.Time `json:"expires"`

	// The JWT to be used as `Bearer <token>` when connecting to the service.
	Token string `json:"token"`

	// Audience identifying the websocktunnel servers that will honor this token; this will be the
	// same as the requested `wstAudience`.
	//
	// Syntax:     ^[a-zA-Z0-9_-]{1,38}$
	WstAudience string `json:"wstAudience"`

	// Id for the websocktunnel client connection; this will be the same as the requested `wstClient`.
	//
	// Syntax:     ^[a-zA-Z0-9_~.%-]+$
	WstClient string `json:"wstClient"`
}

Token for connecting a worker to websocktunnel proxy

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.