// Copyright 2016 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package delegation
import (
"context"
"time"
"google.golang.org/protobuf/proto"
"go.chromium.org/luci/server/auth/delegation/messages"
"go.chromium.org/luci/server/auth/signing"
"go.chromium.org/luci/tokenserver/appengine/impl/utils/tokensigning"
)
// tokenSigningContext is used to make sure delegation token is not misused in
// place of some other token.
//
// See SigningContext in utils/tokensigning.Signer.
//
// NOTE(review): while this is the empty string, the signature does not bind
// the token type, so the domain separation described above is not yet in
// effect. Both SignToken and InspectToken in this file read this value, so
// the two sides stay in sync once it is enabled.
//
// TODO(vadimsh): Enable it. Requires some temporary hacks to accept old and
// new tokens at the same time.
const tokenSigningContext = ""
// SignToken signs and serializes the delegation subtoken.
//
// It doesn't do any validation. Assumes the prepared subtoken is valid.
//
// Produces base64 URL-safe token or a transient error.
func SignToken(c context.Context, signer signing.Signer, subtok *messages.Subtoken) (string, error) {
	// wrap places the serialized subtoken, its signature and the signing key
	// metadata into the DelegationToken envelope handed out to callers.
	wrap := func(u *tokensigning.Unwrapped) proto.Message {
		env := new(messages.DelegationToken)
		env.SerializedSubtoken = u.Body
		env.Pkcs1Sha256Sig = u.RsaSHA256Sig
		// The signer identity is exposed as a "user:"-prefixed principal.
		env.SignerId = "user:" + u.SignerID
		env.SigningKeyId = u.KeyID
		return env
	}
	s := tokensigning.Signer{
		Signer:         signer,
		SigningContext: tokenSigningContext,
		Wrap:           wrap,
	}
	return s.SignToken(c, subtok)
}
// InspectToken returns information about the delegation token.
//
// Inspection.Envelope is either nil or *messages.DelegationToken.
// Inspection.Body is either nil or *messages.Subtoken.
func InspectToken(c context.Context, certs tokensigning.CertificatesSupplier, tok string) (*tokensigning.Inspection, error) {
	// unwrap pulls the signed body, signature and key ID out of the
	// DelegationToken envelope so the generic inspector can verify them.
	// The type assertion relies on the inspector passing back the message
	// produced by Envelope below.
	unwrap := func(e proto.Message) tokensigning.Unwrapped {
		env := e.(*messages.DelegationToken)
		var u tokensigning.Unwrapped
		u.Body = env.SerializedSubtoken
		u.RsaSHA256Sig = env.Pkcs1Sha256Sig
		u.KeyID = env.SigningKeyId
		return u
	}
	// lifespan derives the validity window from the subtoken's creation time
	// (seconds since the Unix epoch) plus its validity duration in seconds.
	lifespan := func(b proto.Message) tokensigning.Lifespan {
		sub := b.(*messages.Subtoken)
		start := time.Unix(sub.CreationTime, 0)
		end := time.Unix(sub.CreationTime+int64(sub.ValidityDuration), 0)
		return tokensigning.Lifespan{NotBefore: start, NotAfter: end}
	}
	i := tokensigning.Inspector{
		Certificates:   certs,
		SigningContext: tokenSigningContext,
		Envelope:       func() proto.Message { return new(messages.DelegationToken) },
		Body:           func() proto.Message { return new(messages.Subtoken) },
		Unwrap:         unwrap,
		Lifespan:       lifespan,
	}
	return i.InspectToken(c, tok)
}