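--- a/server/auth/authdb/db.go
+++ b/server/auth/authdb/db.go
@@ -1,63 +1,71 @@
 // Copyright 2016 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 package authdb
 
 import (
 	"net"
 
 	"golang.org/x/net/context"
 
 	"github.com/luci/luci-go/server/auth/identity"
+	"github.com/luci/luci-go/server/auth/signing"
 	"github.com/luci/luci-go/server/secrets"
 )
 
 // DB is interface to access a database of authorization related information.
 //
 // It is static read only object that represent snapshot of auth data at some
 // moment in time.
 type DB interface {
 	// IsAllowedOAuthClientID returns true if given OAuth2 client_id can be used
 	// to authenticate access for given email.
 	IsAllowedOAuthClientID(c context.Context, email, clientID string) (bool, error)
 
 	// IsMember returns true if the given identity belongs to the given group.
 	//
 	// Unknown groups are considered empty. May return errors if underlying
 	// datastore has issues.
 	IsMember(c context.Context, id identity.Identity, group string) (bool, error)
 
 	// SharedSecrets is secrets.Store with secrets in Auth DB.
 	//
 	// Such secrets are usually generated on central Auth Service and are known
 	// to all trusted services (so that they can use them to exchange data).
 	SharedSecrets(c context.Context) (secrets.Store, error)
 
+	// GetCertificates returns a bundle with certificates of a trusted signer.
+	//
+	// Returns (nil, nil) if the given signer is not trusted.
+	//
+	// Returns errors (usually transient) if the bundle can't be fetched.
+	GetCertificates(c context.Context, id identity.Identity) (*signing.PublicCertificates, error)
+
 	// GetWhitelistForIdentity returns name of the IP whitelist to use to check
 	// IP of requests from given `ident`.
 	//
 	// It's used to restrict access for certain account to certain IP subnets.
 	//
 	// Returns ("", nil) if `ident` is not IP restricted.
 	GetWhitelistForIdentity(c context.Context, ident identity.Identity) (string, error)
 
 	// IsInWhitelist returns true if IP address belongs to given named
 	// IP whitelist.
 	//
 	// IP whitelist is a set of IP subnets. Unknown IP whitelists are considered
 	// empty. May return errors if underlying datastore has issues.
 	IsInWhitelist(c context.Context, ip net.IP, whitelist string) (bool, error)
 
 	// GetAuthServiceURL returns root URL ("https://<host>") of the auth service.
 	//
 	// Returns an error if the DB implementation is not using an auth service.
 	GetAuthServiceURL(c context.Context) (string, error)
 
 	// GetTokenServiceURL returns root URL ("https://<host>") of the token server.
 	//
 	// Returns an error if the DB implementation doesn't know how to retrieve it.
 	//
 	// Returns ("", nil) if the token server URL is not configured.
 	GetTokenServiceURL(c context.Context) (string, error)
 }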
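Review bot: The `(nil, nil)` return documented for an untrusted signer in the new GetCertificates comment makes "not trusted" look exactly like a successful call unless every caller remembers to nil-check the bundle, and a forgotten check becomes either a nil-pointer dereference or, worse, a code path that skips signature verification instead of rejecting the request. I would spell the contract out in the doc comment: `// Callers MUST treat a nil bundle as "signature cannot be verified" and reject the request; never fall back to unverified handling.` It would also help to say, as the type comment already does for the DB as a whole, that the bundle is a snapshot taken when this DB was built, so a rotated or revoked signing key is only honored once a fresh DB is loaded — presumably that is the intended semantics given the snapshot note on the type, but it is worth confirming with the implementations. The DB interface is fully contained in this hunk, so nothing is cut at the edges.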