// Copyright 2017 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package serviceaccounts
import (
"context"
"time"
"github.com/golang/protobuf/proto"
"github.com/TriggerMail/luci-go/common/proto/google"
"github.com/TriggerMail/luci-go/server/auth/signing"
"github.com/TriggerMail/luci-go/tokenserver/api"
"github.com/TriggerMail/luci-go/tokenserver/appengine/impl/utils/tokensigning"
)
const (
	// tokenSigningContext is mixed into every grant signature so that a
	// grant token cannot be replayed in place of some other token kind that
	// happens to share the same envelope layout.
	//
	// See SigningContext in utils/tokensigning.Signer.
	tokenSigningContext = "LUCI OAuthTokenGrant v1"
)
// SignGrant signs and serializes the OAuth grant.
//
// No validation is performed on tok; the caller is expected to have prepared
// a valid body already.
//
// Returns the base64 URL-safe token string, or a transient error from the
// underlying signer.
func SignGrant(c context.Context, signer signing.Signer, tok *tokenserver.OAuthTokenGrantBody) (string, error) {
	// Pack the serialized body, its RSA-SHA256 signature and the signing key
	// id into the grant-specific envelope proto.
	wrap := func(u *tokensigning.Unwrapped) proto.Message {
		env := &tokenserver.OAuthTokenGrantEnvelope{}
		env.TokenBody = u.Body
		env.Pkcs1Sha256Sig = u.RsaSHA256Sig
		env.KeyId = u.KeyID
		return env
	}

	grantSigner := tokensigning.Signer{
		Signer: signer,
		// Domain-separates this signature from other token kinds signed with
		// the same key.
		SigningContext: tokenSigningContext,
		Wrap:           wrap,
	}
	return grantSigner.SignToken(c, tok)
}
// InspectGrant returns information about the OAuth grant.
//
// Inspection.Envelope is either nil or *tokenserver.OAuthTokenGrantEnvelope.
// Inspection.Body is either nil or *tokenserver.OAuthTokenGrantBody.
//
// The inspector verifies the envelope signature against certs using the same
// signing context that SignGrant used, so a token of another kind signed by
// the same key is rejected rather than misinterpreted.
func InspectGrant(c context.Context, certs tokensigning.CertificatesSupplier, tok string) (*tokensigning.Inspection, error) {
	// Fresh protos for the inspector to deserialize into.
	newEnvelope := func() proto.Message { return &tokenserver.OAuthTokenGrantEnvelope{} }
	newBody := func() proto.Message { return &tokenserver.OAuthTokenGrantBody{} }

	// Inverse of SignGrant's Wrap: pull body, signature and key id out of the
	// envelope. The type assertion is safe because the inspector only hands
	// us what newEnvelope produced.
	unwrap := func(e proto.Message) tokensigning.Unwrapped {
		env := e.(*tokenserver.OAuthTokenGrantEnvelope)
		var u tokensigning.Unwrapped
		u.Body = env.TokenBody
		u.RsaSHA256Sig = env.Pkcs1Sha256Sig
		u.KeyID = env.KeyId
		return u
	}

	// Validity window derived from the body: [IssuedAt, IssuedAt+ValidityDuration).
	// NOTE(review): ValidityDuration is treated as seconds and multiplied
	// without an overflow check; presumably it is bounded when the grant is
	// minted — confirm against the minting path.
	lifespan := func(b proto.Message) tokensigning.Lifespan {
		body := b.(*tokenserver.OAuthTokenGrantBody)
		start := google.TimeFromProto(body.IssuedAt)
		ttl := time.Duration(body.ValidityDuration) * time.Second
		return tokensigning.Lifespan{
			NotBefore: start,
			NotAfter:  start.Add(ttl),
		}
	}

	inspector := tokensigning.Inspector{
		Certificates:   certs,
		SigningContext: tokenSigningContext,
		Envelope:       newEnvelope,
		Body:           newBody,
		Unwrap:         unwrap,
		Lifespan:       lifespan,
	}
	return inspector.InspectToken(c, tok)
}