The Token Server
This directory contains an implementation of a service that generates and validates various tokens used in the LUCI authentication protocol.

In particular, this service implements so-called "machine tokens" used for authenticating Swarming bots:

- Each bot has a TLS private key and a certificate, signed by some trusted CA.
- The `luci_machine_tokend` executable periodically runs and uses the private key and certificate when calling the `MintMachineToken` gRPC method of the token server.
- The server verifies that the certificate is signed by a trusted CA, that it is not expired or revoked, and that the request was signed by the corresponding private key. If everything checks out, the server generates a short-lived (1h by default) stateless machine token (basically, the certificate Common Name and some additional data, signed by the token server's own private key).
- The bot uses this token when sending requests to Swarming (by putting it into the `X-Luci-Machine-Token` header).
- Swarming checks the signature of the token (using only local crypto) when authenticating requests from bots.
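The flow above, end to end, as an added example that is not part of the token server's own code: one Go file stands in for `luci_machine_tokend` (`SignRequest`), the `MintMachineToken` handler (certificate chain, validity, CRL and proof-of-possession checks, then a signed short-lived token) and a backend such as Swarming (`VerifyMachineToken`, which needs only the token server's public key). The request and token encodings (`MintRequest`, `MachineToken`, the JSON `tokenBody`), the choice of RSA-PSS, the serial-number revocation set and the `NewTestPKI` fixture (a CA named "Test CA", a bot certificate with serial 42 and CN `bot1.example.com`) are assumptions made for this example; the real service uses its own protobuf messages and signing code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// tokenBody stands in for the real token proto: certificate CN plus issue/expiry (Unix seconds).
type tokenBody struct {
	MachineFQDN string `json:"machine_fqdn"`
	IssuedAt    int64  `json:"issued_at"`
	ExpiresAt   int64  `json:"expires_at"`
}
// MachineToken is the stateless token (JSON body + RSA-PSS signature by the token server's key);
// MintRequest is the MintMachineToken input (bot cert + signature over Payload by the bot's key). Assumed encodings.
type MachineToken struct{ Body, Sig []byte }
type MintRequest struct{ CertDER, Payload, Sig []byte }
type TokenServer struct {
	Roots   *x509.CertPool  // imported, trusted CAs
	Revoked map[string]bool // serial numbers from the CAs' CRLs
	Key     *rsa.PrivateKey // the server's own signing key
	TTL     time.Duration   // token lifetime, 1h by default per the README
}

func sha(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// SignRequest is the luci_machine_tokend side: prove possession of the certificate's private key.
func SignRequest(key *rsa.PrivateKey, certDER, payload []byte) (MintRequest, error) {
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, sha(payload), nil)
	return MintRequest{certDER, payload, sig}, err
}

// MintMachineToken runs the server-side checks in the order the README lists them.
func (s *TokenServer) MintMachineToken(req MintRequest, now time.Time) (*MachineToken, error) {
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return nil, err
	}
	// 1. Chains to a trusted CA and is inside its validity period at `now`.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: s.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, errors.New("untrusted certificate: " + err.Error())
	}
	// 2. Not listed in the CA's CRL.
	if s.Revoked[cert.SerialNumber.String()] {
		return nil, errors.New("certificate revoked")
	}
	// 3. The request was signed by the private key matching the certificate.
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || rsa.VerifyPSS(pub, crypto.SHA256, sha(req.Payload), req.Sig, nil) != nil {
		return nil, errors.New("bad request signature")
	}
	// 4. Issue a short-lived, stateless token bound to the certificate's CN.
	body, _ := json.Marshal(tokenBody{cert.Subject.CommonName, now.Unix(), now.Add(s.TTL).Unix()})
	sig, err := rsa.SignPSS(rand.Reader, s.Key, crypto.SHA256, sha(body), nil)
	return &MachineToken{body, sig}, err
}

// VerifyMachineToken is the backend side (e.g. Swarming): local crypto with the token
// server's public key only, no round trip to the token server.
func VerifyMachineToken(serverPub *rsa.PublicKey, tok *MachineToken, now time.Time) (string, error) {
	if rsa.VerifyPSS(serverPub, crypto.SHA256, sha(tok.Body), tok.Sig, nil) != nil {
		return "", errors.New("bad token signature")
	}
	var b tokenBody
	if err := json.Unmarshal(tok.Body, &b); err != nil {
		return "", err
	}
	if t := now.Unix(); t < b.IssuedAt || t >= b.ExpiresAt {
		return "", errors.New("token expired or not yet valid")
	}
	return b.MachineFQDN, nil
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestPKI builds a constructed CA and one bot certificate (serial 42, CN bot1.example.com) for offline runs.
func NewTestPKI(now time.Time) (roots *x509.CertPool, botKey *rsa.PrivateKey, botDER []byte) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	botKey = must(rsa.GenerateKey(rand.Reader, 2048))
	botTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "bot1.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	botDER = must(x509.CreateCertificate(rand.Reader, botTmpl, caCert, &botKey.PublicKey, caKey))
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, botKey, botDER
}
```

Build the fixture with `NewTestPKI`, sign a request with the bot key, mint with `MintMachineToken` and check with `VerifyMachineToken`. The order of the server-side checks matters: chain and validity are checked before the CRL lookup so an untrusted certificate never reaches the revocation set, and the request signature is checked against the public key taken from the verified certificate, not from the request, so a caller cannot present someone else's certificate. The backend never talks to the token server; it needs the server's public key and the clock, which is what "only local crypto" means in the list above.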
Layout
- `api`: gRPC protocol definition and autogenerated Go code.
- `appengine`: server implementation (runs on Standard GAE).
- `auth/machine`: implementation of the token checking logic that can be used by backends that want to use machine tokens. The Swarming service uses the same logic (implemented in Python).
- `client`: library that wraps the `TokenMinter` gRPC API into a usable form. It implements logic for reading and using TLS certificates and private keys.
- `cmd/luci_machine_tokend`: executable deployed on all bots. It knows how to generate machine tokens given a TLS certificate and private key.
- `testing`: local integration test that checks the interaction of `luci_machine_tokend` with the server (and some other things, such as certificate revocation list updates).
Directories
Path | Synopsis
---|---
api | Package tokenserver contains common protobuf messages for the token server.
api/admin/v1 | Package admin contains The Token Server Administrative and Config API.
api/bq | Package bq contains BigQuery tables schemas.
api/minter/v1 | Package minter contains the main API of the token server.
appengine |
appengine/backend | Binary backend implements HTTP server that handles requests to 'backend' module.
appengine/frontend | Binary frontend implements HTTP server that handles requests to 'default' module.
appengine/impl | Package impl holds code to initialize the server environment.
appengine/impl/certchecker | Package certchecker contains implementation of CertChecker.
appengine/impl/certconfig | Package certconfig contains code to work with imported CAs and their CRLs.
appengine/impl/machinetoken | Package machinetoken implements generation of LUCI machine tokens.
appengine/impl/serviceaccountsv2 | Package serviceaccountsv2 implements MintServiceAccountToken RPC.
appengine/impl/services/admin/adminsrv | Package adminsrv implements Admin API.
appengine/impl/services/admin/certauthorities | Package certauthorities implements CertificateAuthorities API.
appengine/impl/services/minter/tokenminter | Package tokenminter implements TokenMinter API.
appengine/impl/utils | Package utils contains a variety of small utility functions used by other tokenserver packages.
appengine/impl/utils/bq | Package bq contains helpers for uploading rows to BigQuery.
appengine/impl/utils/identityset | Package identityset implements a set-like structure for identity.Identity.
appengine/impl/utils/policy | Package policy contains implementation of Policy parsing and querying.
appengine/impl/utils/revocation | Package revocation contains utilities for implementing token revocation.
appengine/impl/utils/shards | Package shards provides low level support for implementing a sharded set of []byte blobs.
appengine/impl/utils/tokensigning | Package tokensigning implements utilities for RSA-signing of proto messages.
auth |
auth/machine | Package machine implements authentication based on LUCI machine tokens.
client | Package client implements pRPC client for The Token Server.
cmd |
cmd/luci_machine_tokend | Command luci_machine_tokend runs on all machines via cron.