common/auth/internal/luci_ctx.go - Issue 2951553002: Extend LUCI_CONTEXT["local_auth"] protocol to understand accounts.

Side by Side Diff: common/auth/internal/luci_ctx.go

Issue 2951553002: Extend LUCI_CONTEXT["local_auth"] protocol to understand accounts. (Closed)

Patch Set: Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2017 The LUCI Authors. All rights reserved.	1 // Copyright 2017 The LUCI Authors. All rights reserved.

2 // Use of this source code is governed under the Apache License, Version 2.0	2 // Use of this source code is governed under the Apache License, Version 2.0

3 // that can be found in the LICENSE file.	3 // that can be found in the LICENSE file.

4	4

5 package internal	5 package internal

6	6

7 import (	7 import (

8 "bytes"	8 "bytes"

9 "crypto/sha1"	9 "crypto/sha1"

10 "encoding/hex"	10 "encoding/hex"

(...skipping 21 matching lines...) Expand all Loading...
32 cacheKey CacheKey // used only for in-memory cache	32 cacheKey CacheKey // used only for in-memory cache

33 }	33 }

34	34

35 // NewLUCIContextTokenProvider returns TokenProvider that knows how to use a	35 // NewLUCIContextTokenProvider returns TokenProvider that knows how to use a

36 // local auth server to mint tokens.	36 // local auth server to mint tokens.

37 //	37 //

38 // It requires LUCI_CONTEXT["local_auth"] to be present in the 'ctx'. It's a	38 // It requires LUCI_CONTEXT["local_auth"] to be present in the 'ctx'. It's a

39 // description of how to locate and contact the local auth server.	39 // description of how to locate and contact the local auth server.

40 //	40 //

41 // See common/auth/localauth package for the implementation of the server.	41 // See common/auth/localauth package for the implementation of the server.

	42 //

	43 // TODO(vadimsh): This method currently supports both "old" auth server that
	Vadim Sh. 2017/06/19 20:16:28 I think we currently run cipd in a LUCI_CONTEXT pr I think we currently run cipd in a LUCI_CONTEXT provided by Swarming (on some bots that use LUCI_CONTEXT already, eg Skia). So we need some backward compatibility here.
	44 // don't understand "account_id", and new servers that do. Remove support for

	45 // old servers once Swarming is updated to understand new protocol.

42 func NewLUCIContextTokenProvider(ctx context.Context, scopes []string, transport http.RoundTripper) (TokenProvider, error) {	46 func NewLUCIContextTokenProvider(ctx context.Context, scopes []string, transport http.RoundTripper) (TokenProvider, error) {

43 localAuth := lucictx.GetLocalAuth(ctx)	47 localAuth := lucictx.GetLocalAuth(ctx)

44 if localAuth == nil {	48 if localAuth == nil {

45 return nil, fmt.Errorf(`no "local_auth" in LUCI_CONTEXT`)	49 return nil, fmt.Errorf(`no "local_auth" in LUCI_CONTEXT`)

46 }	50 }

	51 if !localAuth.CanUseByDefault() {

	52 return nil, fmt.Errorf(`no "default_account_id" in LUCI_CONTEXT[ "local_auth"]`)
	iannucci 2017/06/19 20:31:28 IIUC, this would only happen if the server emits t IIUC, this would only happen if the server emits the new-style LUCI_CONTEXT blob, but has an empty/missing default_account_id field? Vadim Sh. 2017/06/19 20:41:36 Correct. Once old servers are removed, CanUseByDef Show quoted text On 2017/06/19 20:31:28, iannucci wrote: > IIUC, this would only happen if the server emits the new-style LUCI_CONTEXT > blob, but has an empty/missing default_account_id field? Correct. Once old servers are removed, CanUseByDefault will be just replaced with local_auth.default_account_id != ""
	53 }

47	54

48 // All authenticators share singleton in-process token cache, see	55 // All authenticators share singleton in-process token cache, see

49 // ProcTokenCache variable in proc_cache.go.	56 // ProcTokenCache variable in proc_cache.go.

50 //	57 //

51 // It is possible (though very unusual), for a single process to use mul tiple	58 // It is possible (though very unusual), for a single process to use mul tiple

52 // local auth servers (e.g if it enters a subcontext with another "local _auth"	59 // local auth servers (e.g if it enters a subcontext with another "local _auth"

53 // value).	60 // value).

54 //	61 //

55 // For these reasons we use a digest of localAuth parameters as a cache key.	62 // For these reasons we use a digest of localAuth parameters as a cache key.

56 // It is used only in the process-local cache, the token never ends up i n	63 // It is used only in the process-local cache, the token never ends up i n

(...skipping 26 matching lines...) Expand all Loading...
83	90

84 func (p luciContextTokenProvider) CacheKey(ctx context.Context) (CacheKey, err or) {	91 func (p luciContextTokenProvider) CacheKey(ctx context.Context) (CacheKey, err or) {

85 return &p.cacheKey, nil	92 return &p.cacheKey, nil

86 }	93 }

87	94

88 func (p luciContextTokenProvider) MintToken(ctx context.Context, base oauth2.T oken) (*oauth2.Token, error) {	95 func (p luciContextTokenProvider) MintToken(ctx context.Context, base oauth2.T oken) (*oauth2.Token, error) {

89 // Note: deadlines and retries are implemented by Authenticator. MintTok en	96 // Note: deadlines and retries are implemented by Authenticator. MintTok en

90 // should just make a single attempt, and mark an error as transient to	97 // should just make a single attempt, and mark an error as transient to

91 // trigger a retry, if necessary.	98 // trigger a retry, if necessary.

92 request := rpcs.GetOAuthTokenRequest{	99 request := rpcs.GetOAuthTokenRequest{

93 » » Scopes: p.scopes,	100 » » Scopes: p.scopes,

94 » » Secret: p.localAuth.Secret,	101 » » Secret: p.localAuth.Secret,

	102 » » AccountID: p.localAuth.DefaultAccountID, // note: this is "" for old servers

95 }	103 }

96 if err := request.Validate(); err != nil {	104 if err := request.Validate(); err != nil {

97 return nil, err // should not really happen	105 return nil, err // should not really happen

98 }	106 }

99 body, err := json.Marshal(&request)	107 body, err := json.Marshal(&request)

100 if err != nil {	108 if err != nil {

101 return nil, err	109 return nil, err

102 }	110 }

103	111

104 url := fmt.Sprintf("http://127.0.0.1:%d/rpc/LuciLocalAuthService.GetOAut hToken", p.localAuth.RPCPort)	112 url := fmt.Sprintf("http://127.0.0.1:%d/rpc/LuciLocalAuthService.GetOAut hToken", p.localAuth.RPCPort)

(...skipping 38 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
143 AccessToken: response.AccessToken,	151 AccessToken: response.AccessToken,

144 Expiry: time.Unix(response.Expiry, 0).UTC(),	152 Expiry: time.Unix(response.Expiry, 0).UTC(),

145 TokenType: "Bearer",	153 TokenType: "Bearer",

146 }, nil	154 }, nil

147 }	155 }

148	156

149 func (p luciContextTokenProvider) RefreshToken(ctx context.Context, prev, base oauth2.Token) (*oauth2.Token, error) {	157 func (p luciContextTokenProvider) RefreshToken(ctx context.Context, prev, base oauth2.Token) (*oauth2.Token, error) {

150 // Minting and refreshing is the same thing: a call to local auth server .	158 // Minting and refreshing is the same thing: a call to local auth server .

151 return p.MintToken(ctx, base)	159 return p.MintToken(ctx, base)

152 }	160 }

OLD	NEW

« client/authcli/authcli.go ('K') | « common/auth/auth.go ('k') | common/auth/internal/luci_ctx_test.go » ('j') | common/auth/localauth/rpcs/getoauthtoken.go » ('J')