Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(491)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: server/auth/delegation/checker.go

Issue 2951393002: [errors] de-specialize Transient in favor of Tags. (Closed)
Patch Set: more refactor Created 3 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« grpc/grpcutil/errors.go ('K') | « server/auth/delegation.go ('k') | server/auth/internal/fetch.go » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2016 The LUCI Authors. All rights reserved. 1 // Copyright 2016 The LUCI Authors. All rights reserved.
2 // Use of this source code is governed under the Apache License, Version 2.0 2 // Use of this source code is governed under the Apache License, Version 2.0
3 // that can be found in the LICENSE file. 3 // that can be found in the LICENSE file.
4 4
5 package delegation 5 package delegation
6 6
7 import ( 7 import (
8 "encoding/base64" 8 "encoding/base64"
9 "fmt" 9 "fmt"
10 "strings" 10 "strings"
11 11
12 "github.com/golang/protobuf/proto" 12 "github.com/golang/protobuf/proto"
13 "golang.org/x/net/context" 13 "golang.org/x/net/context"
14 14
15 "github.com/luci/luci-go/common/clock" 15 "github.com/luci/luci-go/common/clock"
16 "github.com/luci/luci-go/common/errors" 16 "github.com/luci/luci-go/common/errors"
17 "github.com/luci/luci-go/common/logging" 17 "github.com/luci/luci-go/common/logging"
18 "github.com/luci/luci-go/common/retry/transient"
18 19
19 "github.com/luci/luci-go/server/auth/identity" 20 "github.com/luci/luci-go/server/auth/identity"
20 "github.com/luci/luci-go/server/auth/signing" 21 "github.com/luci/luci-go/server/auth/signing"
21 22
22 "github.com/luci/luci-go/server/auth/delegation/messages" 23 "github.com/luci/luci-go/server/auth/delegation/messages"
23 ) 24 )
24 25
25 const ( 26 const (
26 // maxTokenSize is upper bound for expected size of a token (after base6 4 27 // maxTokenSize is upper bound for expected size of a token (after base6 4
27 // decoding). Larger tokens will be ignored right away. 28 // decoding). Larger tokens will be ignored right away.
(...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after
88 // subtoken). 89 // subtoken).
89 tok, err := deserializeToken(params.Token) 90 tok, err := deserializeToken(params.Token)
90 if err != nil { 91 if err != nil {
91 logging.Warningf(c, "auth: Failed to deserialize delegation toke n - %s", err) 92 logging.Warningf(c, "auth: Failed to deserialize delegation toke n - %s", err)
92 return "", ErrMalformedDelegationToken 93 return "", ErrMalformedDelegationToken
93 } 94 }
94 95
95 // Signed serialized subtoken -> Subtoken proto. 96 // Signed serialized subtoken -> Subtoken proto.
96 subtoken, err := unsealToken(c, tok, params.CertificatesProvider) 97 subtoken, err := unsealToken(c, tok, params.CertificatesProvider)
97 if err != nil { 98 if err != nil {
98 » » if errors.IsTransient(err) { 99 » » if transient.Tag.In(err) {
99 logging.Warningf(c, "auth: Transient error when checking delegation token signature - %s", err) 100 logging.Warningf(c, "auth: Transient error when checking delegation token signature - %s", err)
100 return "", err 101 return "", err
101 } 102 }
102 logging.Warningf(c, "auth: Failed to check delegation token sign ature - %s", err) 103 logging.Warningf(c, "auth: Failed to check delegation token sign ature - %s", err)
103 return "", ErrUnsignedDelegationToken 104 return "", ErrUnsignedDelegationToken
104 } 105 }
105 106
106 // Validate all constrains encoded in the token and derive the delegated 107 // Validate all constrains encoded in the token and derive the delegated
107 // identity. 108 // identity.
108 return checkSubtoken(c, subtoken, &params) 109 return checkSubtoken(c, subtoken, &params)
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after
171 logging.Warningf(c, "auth: Bad delegation token expiration - %s" , err) 172 logging.Warningf(c, "auth: Bad delegation token expiration - %s" , err)
172 return "", ErrForbiddenDelegationToken 173 return "", ErrForbiddenDelegationToken
173 } 174 }
174 if err := checkSubtokenServices(subtoken, params.OwnServiceIdentity); er r != nil { 175 if err := checkSubtokenServices(subtoken, params.OwnServiceIdentity); er r != nil {
175 logging.Warningf(c, "auth: Forbidden delegation token - %s", err ) 176 logging.Warningf(c, "auth: Forbidden delegation token - %s", err )
176 return "", ErrForbiddenDelegationToken 177 return "", ErrForbiddenDelegationToken
177 } 178 }
178 179
179 // Do the audience check (may use group lookups). 180 // Do the audience check (may use group lookups).
180 if err := checkSubtokenAudience(c, subtoken, params.PeerID, params.Group sChecker); err != nil { 181 if err := checkSubtokenAudience(c, subtoken, params.PeerID, params.Group sChecker); err != nil {
181 » » if errors.IsTransient(err) { 182 » » if transient.Tag.In(err) {
182 logging.Warningf(c, "auth: Transient error when checking delegation token audience - %s", err) 183 logging.Warningf(c, "auth: Transient error when checking delegation token audience - %s", err)
183 return "", err 184 return "", err
184 } 185 }
185 logging.Warningf(c, "auth: Bad delegation token audience - %s", err) 186 logging.Warningf(c, "auth: Bad delegation token audience - %s", err)
186 return "", ErrForbiddenDelegationToken 187 return "", ErrForbiddenDelegationToken
187 } 188 }
188 189
189 // Grab delegated identity. 190 // Grab delegated identity.
190 ident, err := identity.MakeIdentity(subtoken.DelegatedIdentity) 191 ident, err := identity.MakeIdentity(subtoken.DelegatedIdentity)
191 if err != nil { 192 if err != nil {
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after
251 } 252 }
252 // Search through groups now. 253 // Search through groups now.
253 switch ok, err := checker.IsMember(c, ident, groups...); { 254 switch ok, err := checker.IsMember(c, ident, groups...); {
254 case err != nil: 255 case err != nil:
255 return err // transient error during group lookup 256 return err // transient error during group lookup
256 case ok: 257 case ok:
257 return nil // success, 'ident' is in the target audience 258 return nil // success, 'ident' is in the target audience
258 } 259 }
259 return fmt.Errorf("%s is not allowed to use the token", ident) 260 return fmt.Errorf("%s is not allowed to use the token", ident)
260 } 261 }
OLDNEW
« grpc/grpcutil/errors.go ('K') | « server/auth/delegation.go ('k') | server/auth/internal/fetch.go » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698