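--- a/<PATH-NOT-ON-PAGE>
+++ b/<PATH-NOT-ON-PAGE>
@@ -1,23 +1,23 @@
 // Copyright 2017 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 package tokensigning
 
 import (
 	"encoding/base64"
 
 	"github.com/golang/protobuf/proto"
 	"golang.org/x/net/context"
 
-	"github.com/luci/luci-go/common/errors"
+	"github.com/luci/luci-go/common/retry"
 	"github.com/luci/luci-go/server/auth/signing"
 )
 
 // Signer knows how to sign protos and serialize/encode signed result.
 type Signer struct {
 	// Signer is the actual signer: it knows how to sign blobs.
 	Signer signing.Signer
 
 	// SigningContext is prepended to the token blob before it is signed.
 	//
@@ -46,36 +46,36 @@
 	// token.
 	Wrap func(unwrapped *Unwrapped) proto.Message
 }
 
 // SignToken serializes the body, signs it and returns serialized envelope.
 //
 // Produces base64 URL-safe token or an error (possibly transient).
 func (s *Signer) SignToken(c context.Context, body proto.Message) (string, error) {
 	info, err := s.Signer.ServiceInfo(c)
 	if err != nil {
-		return "", errors.WrapTransient(err)
+		return "", retry.Tag.Apply(err)
 	}
 	blob, err := proto.Marshal(body)
 	if err != nil {
 		return "", err
 	}
 	withCtx := prependSigningContext(blob, s.SigningContext)
 	keyID, sig, err := s.Signer.SignBytes(c, withCtx)
 	if err != nil {
-		return "", errors.WrapTransient(err)
+		return "", retry.Tag.Apply(err)
 	}
 	tok, err := proto.Marshal(s.Wrap(&Unwrapped{
 		Body: blob,
 		RsaSHA256Sig: sig,
 		SignerID: info.ServiceAccountName,
 		KeyID: keyID,
 	}))
 	if err != nil {
 		return "", err
 	}
 	enc := s.Encoding
 	if enc == nil {
 		enc = base64.RawURLEncoding
 	}
 	return enc.EncodeToString(tok), nil
 }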
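Review bot: The doc comment on line 52, `// Produces base64 URL-safe token or an error (possibly transient).`, no longer tells a caller how transience is signalled now that the two signer error paths at lines 56 and 65 tag the error with retry.Tag instead of wrapping it with the removed errors.WrapTransient; I would rewrite it as `// Produces base64 URL-safe token or an error; errors from the underlying signer (ServiceInfo, SignBytes) are tagged with retry.Tag to mark them retriable.` so callers test for that tag rather than the predicate paired with the old wrapper. Both changed lines share this point, and the plain tagging also drops any indication of which of the two signer calls failed, so if the errors package in use lets a tag be attached to an annotated error it would be worth naming the failing step when tagging. The proto.Marshal failures at lines 60 and 74 correctly stay untagged, since a retry would not fix a marshal error.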