func ImportConfigs

func ImportConfigs(c context.Context) (string, error)

    ImportConfigs fetches projects.cfg and updates the datastore copy of it.

    Called from cron.

func SetupConfigValidation

func SetupConfigValidation(rules *validation.RuleSet)

    SetupConfigValidation registers the tokenserver custom projects.cfg validator.


type ImportProjectIdentityConfigsRPC

type ImportProjectIdentityConfigsRPC struct {
}

    ImportProjectIdentityConfigsRPC implements Admin.ImportProjectIdentityConfigs method.

func (*ImportProjectIdentityConfigsRPC) ImportProjectIdentityConfigs

func (r *ImportProjectIdentityConfigsRPC) ImportProjectIdentityConfigs(c context.Context, _ *emptypb.Empty) (*admin.ImportedConfigs, error)

    ImportProjectIdentityConfigs fetches configs from luci-config right now.

func (*ImportProjectIdentityConfigsRPC) SetupConfigValidation

func (r *ImportProjectIdentityConfigsRPC) SetupConfigValidation(rules *validation.RuleSet)

    SetupConfigValidation registers the config validation rules.

type MintProjectTokenRPC

type MintProjectTokenRPC struct {
	// Signer is mocked in tests.
	// In prod it is the default server signer that uses server's service account.
	Signer signing.Signer
	// MintAccessToken produces an OAuth token for a service account.
	// In prod it is auth.MintAccessTokenForServiceAccount.
	MintAccessToken func(context.Context, auth.MintAccessTokenParams) (*auth.Token, error)
	// ProjectIdentities manages project scoped identities.
	// In prod it is projectidentity.ProjectIdentities.
	ProjectIdentities func(context.Context) projectidentity.Storage
	// LogToken is mocked in tests.
	// In prod it is produced by NewTokenLogger.
	LogToken TokenLogger
}

    MintProjectTokenRPC implements the TokenMinter.MintProjectToken method.

func (*MintProjectTokenRPC) MintProjectToken

func (r *MintProjectTokenRPC) MintProjectToken(c context.Context, req *minter.MintProjectTokenRequest) (*minter.MintProjectTokenResponse, error)

    MintProjectToken mints a project-scoped service account OAuth2 token.

    Project-scoped service accounts are identities tied to an individual LUCI project. Therefore they provide a way to safely interact with LUCI APIs and prevent accidental cross-project operations.

func (*MintProjectTokenRPC) Name

func (r *MintProjectTokenRPC) Name() string

    Name implements utils.RPC interface.

type MintedTokenInfo

type MintedTokenInfo struct {
	Request      *minter.MintProjectTokenRequest  // RPC input, as is
	Response     *minter.MintProjectTokenResponse // RPC output, as is
	RequestedAt  *timestamppb.Timestamp
	Expiration   *timestamppb.Timestamp
	PeerIdentity identity.Identity // caller identity
	PeerIP       net.IP            // caller IP address
	RequestID    string            // GAE request ID that handled the RPC
	AuthDBRev    int64             // revision of groups database (or 0 if unknown)
}

    MintedTokenInfo is passed to LogToken.

    It carries all information about the token minting operation and the produced token.

type TokenLogger

type TokenLogger func(context.Context, *MintedTokenInfo) error

    TokenLogger records info about the token to BigQuery.

func NewTokenLogger

func NewTokenLogger(dryRun bool) TokenLogger

    NewTokenLogger returns a callback that records info about tokens to BigQuery.

    Tokens themselves are not logged. Only the first 16 bytes of their SHA256 hashes (aka 'fingerprint') are. They are used only to identify tokens in logs.

    When dryRun is true, logs to the local text log only, not to BigQuery (to avoid accidentally pushing fake data to a real BigQuery dataset).
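
Added example (not part of the tokenserver code base): how a fingerprint as described for NewTokenLogger lets a responder match a recovered token against log rows that never hold the token itself. Hex encoding of the 16 bytes, the LogRow type and the function names are assumptions of this example; the token and identity strings are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint returns the first 16 bytes of SHA256(token), hex-encoded.
// Hex encoding is an assumption; the page fixes only the hash and the length.
func Fingerprint(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:16])
}

// LogRow is a hypothetical log record: it stores the fingerprint, never the token.
type LogRow struct {
	Fingerprint  string
	PeerIdentity string
	RequestID    string
}

// NewLogRow builds the record for a freshly minted token.
func NewLogRow(token, peer, requestID string) LogRow {
	return LogRow{Fingerprint: Fingerprint(token), PeerIdentity: peer, RequestID: requestID}
}

// FindByToken returns the rows that record the minting of the given token.
func FindByToken(rows []LogRow, token string) []LogRow {
	want := Fingerprint(token)
	var hits []LogRow
	for _, r := range rows {
		if r.Fingerprint == want {
			hits = append(hits, r)
		}
	}
	return hits
}

func main() {
	// Constructed sample values, not real tokens or identities.
	rows := []LogRow{
		NewLogRow("ya29.constructed-token-A", "user:builder-a@example.com", "req-1"),
		NewLogRow("ya29.constructed-token-B", "user:builder-b@example.com", "req-2"),
	}
	for _, r := range FindByToken(rows, "ya29.constructed-token-B") {
		fmt.Printf("%s minted for %s in %s\n", r.Fingerprint, r.PeerIdentity, r.RequestID)
	}
}
```

Because the fingerprint is a truncated one-way hash, a reader of the log cannot recover a usable token from it, while anyone holding the token can still locate the request that minted it.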