Back to

Package projectscope

Latest Go to latest

The latest major version is .

Published: Oct 16, 2020 | License: Apache-2.0 | Module:


func FlushTokenLog

func FlushTokenLog(c context.Context) error

FlushTokenLog sends all buffered logged tokens to BigQuery.

It is fine to call FlushTokenLog concurrently from multiple request handlers, if necessary (it will effectively parallelize the flush).

func ImportConfigs

func ImportConfigs(c context.Context) (string, error)

ImportConfigs fetches projects.cfg and updates datastore copy of it.

Called from cron.

func LogToken

func LogToken(c context.Context, i *MintedTokenInfo) error

LogToken records information about the token in the BigQuery.

The signed token itself is not logged. Only first 16 bytes of its SHA256 hash (aka 'fingerprint') is. It is used only to identify this particular token in logs.

On dev server, logs to the GAE log only, not to BigQuery (to avoid accidentally pushing fake data to real BigQuery dataset).

func SetupConfigValidation

func SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the tokenserver custom projects.cfg validator.

type ImportProjectIdentityConfigsRPC

type ImportProjectIdentityConfigsRPC struct {

ImportProjectIdentityConfigsRPC implements Admin.ImportProjectIdentityConfigs method.

func (*ImportProjectIdentityConfigsRPC) ImportProjectIdentityConfigs

func (r *ImportProjectIdentityConfigsRPC) ImportProjectIdentityConfigs(c context.Context, _ *empty.Empty) (*admin.ImportedConfigs, error)

ImportProjectIdentityConfigs fetches configs from from luci-config right now.

func (*ImportProjectIdentityConfigsRPC) SetupConfigValidation

func (r *ImportProjectIdentityConfigsRPC) SetupConfigValidation(rules *validation.RuleSet)

SetupConfigValidation registers the config validation rules.

type MintProjectTokenRPC

type MintProjectTokenRPC struct {
	// Signer is mocked in tests.
	// In prod it is gaesigner.Signer.
	Signer signing.Signer

	// MintAccessToken produces an OAuth token for a service account.
	// In prod it is auth.MintAccessTokenForServiceAccount.
	MintAccessToken func(context.Context, auth.MintAccessTokenParams) (*auth.Token, error)

	// ProjectIdentities manages project scoped identities.
	// In prod it is projectidentity.ProjectIdentities.
	ProjectIdentities func(context.Context) projectidentity.Storage

	// LogToken is mocked in tests.
	LogToken func(context.Context, *MintedTokenInfo) error

MintProjectTokenRPC implements TokenMinter.MintProjectToken. method.

func (*MintProjectTokenRPC) MintProjectToken

func (r *MintProjectTokenRPC) MintProjectToken(c context.Context, req *minter.MintProjectTokenRequest) (*minter.MintProjectTokenResponse, error)

MintProjectToken mints a project-scoped service account OAuth2 token.

Project-scoped service accounts are identities tied to an individual LUCI project. Therefore they provide a way to safely interact with LUCI APIs and prevent accidental cross-project operations.

func (*MintProjectTokenRPC) Name

func (r *MintProjectTokenRPC) Name() string

Name implements utils.RPC interface.

type MintedTokenInfo

type MintedTokenInfo struct {
	Request      *minter.MintProjectTokenRequest  // RPC input, as is
	Response     *minter.MintProjectTokenResponse // RPC output, as is
	RequestedAt  *timestamp.Timestamp
	Expiration   *timestamp.Timestamp
	PeerIdentity identity.Identity // caller identity
	PeerIP       net.IP            // caller IP address
	RequestID    string            // GAE request ID that handled the RPC
	AuthDBRev    int64             // revision of groups database (or 0 if unknown)

MintedTokenInfo is passed to LogToken.

It carries all information about the token minting operation and the produced token.

Package Files

Documentation was rendered with GOOS=linux and GOARCH=amd64.

Jump to identifier

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to identifier