
Side by Side Diff: server/auth/auth.go

Issue 2386643003: auth: Make luci-go services trust signatures produced by the token server. (Closed)
Patch Set: Created 4 years, 2 months ago
1 // Copyright 2015 The LUCI Authors. All rights reserved. 1 // Copyright 2015 The LUCI Authors. All rights reserved.
2 // Use of this source code is governed under the Apache License, Version 2.0 2 // Use of this source code is governed under the Apache License, Version 2.0
3 // that can be found in the LICENSE file. 3 // that can be found in the LICENSE file.
4 4
5 package auth 5 package auth
6 6
7 import ( 7 import (
8 "fmt" 8 "fmt"
9 "net/http" 9 "net/http"
10 10
11 "golang.org/x/net/context" 11 "golang.org/x/net/context"
12 12
13 "github.com/luci/luci-go/common/errors" 13 "github.com/luci/luci-go/common/errors"
14 "github.com/luci/luci-go/common/logging" 14 "github.com/luci/luci-go/common/logging"
15 15
16 "github.com/luci/luci-go/server/auth/authdb"
17 "github.com/luci/luci-go/server/auth/delegation" 16 "github.com/luci/luci-go/server/auth/delegation"
18 "github.com/luci/luci-go/server/auth/identity" 17 "github.com/luci/luci-go/server/auth/identity"
19 "github.com/luci/luci-go/server/auth/signing" 18 "github.com/luci/luci-go/server/auth/signing"
20 ) 19 )
21 20
22 var ( 21 var (
23 // ErrNotConfigured is returned by Authenticate if auth library wasn't 22 // ErrNotConfigured is returned by Authenticate if auth library wasn't
24 // properly initialized (see SetConfig). 23 // properly initialized (see SetConfig).
25 ErrNotConfigured = errors.New("auth: the library is not properly configu red") 24 ErrNotConfigured = errors.New("auth: the library is not properly configu red")
26 25
(...skipping 153 matching lines...) Expand 10 before | Expand all | Expand 10 after
180 if delegationTok != "" { 179 if delegationTok != "" {
181 // Need to grab our own identity to verify that the delegation t oken is 180 // Need to grab our own identity to verify that the delegation t oken is
182 // minted for consumption by us and not some other service. 181 // minted for consumption by us and not some other service.
183 ownServiceIdentity, err := getOwnServiceIdentity(c, cfg.Signer) 182 ownServiceIdentity, err := getOwnServiceIdentity(c, cfg.Signer)
184 if err != nil { 183 if err != nil {
185 return nil, err 184 return nil, err
186 } 185 }
187 delegatedIdentity, err := delegation.CheckToken(c, delegation.Ch eckTokenParams{ 186 delegatedIdentity, err := delegation.CheckToken(c, delegation.Ch eckTokenParams{
188 Token: delegationTok, 187 Token: delegationTok,
189 PeerID: s.peerIdent, 188 PeerID: s.peerIdent,
190 » » » CertificatesProvider: certsProvider{s.db}, 189 » » » CertificatesProvider: s.db,
191 GroupsChecker: s.db, 190 GroupsChecker: s.db,
192 OwnServiceIdentity: ownServiceIdentity, 191 OwnServiceIdentity: ownServiceIdentity,
193 }) 192 })
194 if err != nil { 193 if err != nil {
195 return nil, err 194 return nil, err
196 } 195 }
197 // User profile information is not available when using delegati on, so just 196 // User profile information is not available when using delegati on, so just
198 // wipe it. 197 // wipe it.
199 s.user = &User{Identity: delegatedIdentity} 198 s.user = &User{Identity: delegatedIdentity}
200 } 199 }
(...skipping 26 matching lines...) Expand all
227 // then redirects the user to the URL specified by dest. 226 // then redirects the user to the URL specified by dest.
228 func (a Authenticator) LogoutURL(c context.Context, dest string) (string, error) { 227 func (a Authenticator) LogoutURL(c context.Context, dest string) (string, error) {
229 if api := a.usersAPI(); api != nil { 228 if api := a.usersAPI(); api != nil {
230 return api.LogoutURL(c, dest) 229 return api.LogoutURL(c, dest)
231 } 230 }
232 return "", ErrNoUsersAPI 231 return "", ErrNoUsersAPI
233 } 232 }
234 233
235 //// 234 ////
236 235
237 // certsProvider implements delegation.CertificatesProvider.
238 type certsProvider struct {
239 db authdb.DB
240 }
241
242 func (p certsProvider) GetAuthServiceCertificates(c context.Context) (*signing.P ublicCertificates, error) {
243 serviceURL, err := p.db.GetAuthServiceURL(c)
244 if err != nil {
245 return nil, err
246 }
247 return signing.FetchCertificatesFromLUCIService(c, serviceURL)
248 }
249
250 // getOwnServiceIdentity returns 'service:<appID>' identity of the current 236 // getOwnServiceIdentity returns 'service:<appID>' identity of the current
251 // service. 237 // service.
252 func getOwnServiceIdentity(c context.Context, signer signing.Signer) (identity.I dentity, error) { 238 func getOwnServiceIdentity(c context.Context, signer signing.Signer) (identity.I dentity, error) {
253 if signer == nil { 239 if signer == nil {
254 return "", ErrNotConfigured 240 return "", ErrNotConfigured
255 } 241 }
256 serviceInfo, err := signer.ServiceInfo(c) 242 serviceInfo, err := signer.ServiceInfo(c)
257 if err != nil { 243 if err != nil {
258 return "", err 244 return "", err
259 } 245 }
260 return identity.MakeIdentity("service:" + serviceInfo.AppID) 246 return identity.MakeIdentity("service:" + serviceInfo.AppID)
261 } 247 }
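Review bot: The `CertificatesProvider: s.db` line (new side, line 189) moves the decision of which signers' certificates are accepted for delegation tokens out of this file and into the authdb.DB implementation, and nothing at the call site says so; the removed certsProvider made it visible that certificates came from the auth service URL. Given the issue title, the DB presumably now also returns token-server certificates, but that cannot be confirmed from this hunk. I would add a comment above the CheckToken call, `// s.db decides which signers' certificates are trusted for delegation tokens; see authdb.DB.GetAuthServiceCertificates.`, so the trust boundary stays discoverable when reading this function. The enclosing function starts and ends outside the hunk, so I could not check that no other caller of the removed certsProvider remains in it.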
