auth

Documentation

Overview

Package auth provides authentication service.

Index

• Variables
• type Auth
  • func (a *Auth) Auth(ctx context.Context, req *http.Request) (context.Context, error)
  • func (a *Auth) Check(ctx context.Context, req *http.Request) (*enduser.EndUser, error)
• type LocalClient
  • func (c LocalClient) Auth(ctx context.Context, in *pb.AuthReq, opts ...grpc.CallOption) (*pb.AuthResp, error)
• type Service
  • func (s *Service) Auth(ctx context.Context, req *authpb.AuthReq) (*authpb.AuthResp, error)
• type TokenInfo

Variables

var (

	// DefaultViews are the default views provided by this package.
	// You need to register the view for data to actually be collected.
	DefaultViews = []*view.View{
		{
			Name:        "go.chromium.org/goma/server/auth.auth_by_account",
			Description: "auth request count by account",
			TagKeys: []tag.Key{
				accountKey,
				authErrKey,
			},
			Measure:     authRequests,
			Aggregation: view.Count(),
		},
	}
)

var ErrExpired = errors.New("expired")

ErrExpired represents expiration of access token.

var ErrInternal = errors.New("internal error")

ErrInternal represents internal error.

var ErrNoAuthHeader = errors.New("no Authorization header")

ErrNoAuthHeader represents authentication failure due to lack of Authorization header in an HTTP request.

var ErrOverQuota = errors.New("over quota")

ErrOverQuota represents the user used up the quota.

Types

type Auth

type Auth struct {
	Client authpb.AuthServiceClient
	Retry  rpc.Retry
	// contains filtered or unexported fields
}

func (*Auth) Auth

func (a *Auth) Auth(ctx context.Context, req *http.Request) (context.Context, error)

Auth authenticates the requests and returns new context with enduser info.

func (*Auth) Check

func (a *Auth) Check(ctx context.Context, req *http.Request) (*enduser.EndUser, error)

Check checks authorization header in an HTTP request. The function returns error if authentication failed. ErrNoAuthHeader is returned if no authorization header is in the request.

type LocalClient

type LocalClient struct {
	*Service
}

func (LocalClient) Auth

func (c LocalClient) Auth(ctx context.Context, in *pb.AuthReq, opts ...grpc.CallOption) (*pb.AuthResp, error)

type Service

type Service struct {
	authpb.UnimplementedAuthServiceServer
	// CheckToken optionally checks access token with token info.
	// If it is not set, all access will be rejected.
	// If it returns grpc's codes.PermissionDenied error,
	// error message will be used as ErrorDescription for user.
	CheckToken func(context.Context, *oauth2.Token, *TokenInfo) (string, *oauth2.Token, error)
	// contains filtered or unexported fields
}

Service implements goma auth service.

func (*Service) Auth

func (s *Service) Auth(ctx context.Context, req *authpb.AuthReq) (*authpb.AuthResp, error)

Auth checks authorization header of incoming request, and replies end user information.

TODO: find answers to following questions.

1. can auth server return expired token? (currently yes)
2. should auth server refresh expired token? (currently no)
3. should grpc status code represent status of request or access token?
4. how error description should be handled? currently, it is stored in cache but not used by anybody.
5. should auth server create go routine for each token to expire the entry? (currently yes)
6. how do we implement quota?
7. how do we integrate auth server with chrome-infra-auth?

type TokenInfo

type TokenInfo struct {
	// Email is email address associated with the access token.
	Email string

	// Audience is OAuth2 client_id of the access token.
	Audience string

	// ExpiresAt is expirary timestamp of the access token.
	ExpiresAt time.Time

	// Err represents error of access token.
	Err error
}

TokenInfo represents access token's info.