// Copyright 2015 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package client implements OAuth2 authentication for outbound connections
// from App Engine using the application's service account.
package client
import (
"context"
"fmt"
"sort"
"strings"
"time"
"golang.org/x/oauth2"
"go.chromium.org/gae/service/info"
"github.com/TriggerMail/luci-go/auth"
"github.com/TriggerMail/luci-go/common/clock"
"github.com/TriggerMail/luci-go/common/data/rand/mathrand"
"github.com/TriggerMail/luci-go/common/data/stringset"
"github.com/TriggerMail/luci-go/common/logging"
"github.com/TriggerMail/luci-go/common/retry/transient"
"github.com/TriggerMail/luci-go/server/caching"
)
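// GetAccessToken returns an OAuth access token representing app's service
// account.
//
// If scopes is empty, uses auth.OAuthScopeEmail scope. Scopes are
// deduplicated and sorted before use, so the same set of scopes in any order
// shares one cache entry.
//
// Implements a caching layer on top of GAE's GetAccessToken RPC. May return
// transient errors (tagged with transient.Tag) when the RPC fails.
//
// Panics if a scope contains '\n' (see normalizeScopes).
func GetAccessToken(c context.Context, scopes []string) (*oauth2.Token, error) {
	scopes, cacheKey := normalizeScopes(scopes)

	// Try to find the token in the local memory first. If it expires soon,
	// refresh it earlier with some probability. That avoids a situation when
	// parallel requests that use access tokens suddenly see the cache expired
	// and rush to refresh the token all at once.
	lru := tokensCache.LRU(c)
	if tokIface, ok := lru.Get(c, cacheKey); ok {
		tok := tokIface.(*oauth2.Token)
		if !closeToExpRandomized(c, tok.Expiry) {
			return tok, nil
		}
	}

	tokIface, err := lru.Create(c, cacheKey, func() (interface{}, time.Duration, error) {
		// The token needs to be refreshed.
		logging.Debugf(c, "Getting an access token for scopes %q", strings.Join(scopes, ", "))
		accessToken, exp, err := info.AccessToken(c, scopes...)
		if err != nil {
			return nil, 0, transient.Tag.Apply(err)
		}
		now := clock.Now(c)
		logging.Debugf(c, "The token expires in %s", exp.Sub(now))

		// Prematurely expire it to guarantee all returned token live for at least
		// 'expirationMinLifetime'.
		tok := &oauth2.Token{
			AccessToken: accessToken,
			Expiry:      exp.Add(-expirationMinLifetime),
			TokenType:   "Bearer",
		}

		// The duration handed to the LRU is how long the entry may be served
		// from the cache, i.e. the time *until* the (shortened) expiry. It must
		// be tok.Expiry minus now: the other order (now.Sub(tok.Expiry)) is
		// negative for every token that is still valid, which is not a usable
		// TTL and would let a stale token be served for as long as the LRU
		// keeps it.
		// NOTE(review): how the LRU treats a non-positive duration (possible if
		// the RPC returns a token with less than expirationMinLifetime left) is
		// not visible here — confirm against the caching/lru package.
		return tok, tok.Expiry.Sub(now), nil
	})
	if err != nil {
		return nil, err
	}
	return tokIface.(*oauth2.Token), nil
}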
// NewTokenSource makes oauth2.TokenSource implemented on top of GetAccessToken.
//
// It is bound to the given context: oauth2.TokenSource.Token takes no context,
// so every Token() call on the returned source uses ctx. The scopes slice is
// retained as-is (not copied) and is normalized on each GetAccessToken call.
func NewTokenSource(ctx context.Context, scopes []string) oauth2.TokenSource {
	src := &tokenSource{
		ctx:    ctx,
		scopes: scopes,
	}
	return src
}
// tokenSource is the oauth2.TokenSource returned by NewTokenSource. It forwards
// Token() to GetAccessToken with the captured context and scopes.
type tokenSource struct {
	ctx    context.Context // context every Token() call is made with
	scopes []string        // requested scopes; normalized by GetAccessToken
}
// Token implements oauth2.TokenSource by delegating to GetAccessToken with the
// context and scopes captured in NewTokenSource. Cached tokens are reused and
// refreshed according to GetAccessToken's rules; errors are passed through
// unchanged (transient ones carry transient.Tag).
func (ts *tokenSource) Token() (*oauth2.Token, error) {
	tok, err := GetAccessToken(ts.ctx, ts.scopes)
	if err != nil {
		return nil, err
	}
	return tok, nil
}
//// Internal stuff.

// tokensCache is the LRU cache of access tokens used by GetAccessToken:
// normalized scopes string (see normalizeScopes) => *oauth2.Token.
// The argument to RegisterLRUCache is presumably the maximum number of
// entries — confirm against the caching package.
var tokensCache = caching.RegisterLRUCache(100)
const (
	// expirationMinLifetime is minimal possible lifetime of a returned token.
	// GetAccessToken subtracts it from the real expiry, so a token handed to
	// a caller is usable for at least this long before it really expires.
	expirationMinLifetime = 2 * time.Minute
	// expirationRandomization defines how much to randomize expiration time.
	// Within this window before the (shortened) expiry, closeToExpRandomized
	// decides randomly whether to refresh, spreading refreshes out in time.
	expirationRandomization = 3 * time.Minute
)
// normalizeScopes deduplicates and sorts scopes and derives the cache key.
//
// An empty list is replaced with the single auth.OAuthScopeEmail scope. The
// cache key is the normalized scopes joined with '\n'; a scope containing '\n'
// would make that key ambiguous, so it is rejected with a panic (scopes are
// supplied by application code, so this is treated as a programmer error).
func normalizeScopes(scopes []string) (normalized []string, cacheKey string) {
	if len(scopes) == 0 {
		normalized = []string{auth.OAuthScopeEmail}
		return normalized, strings.Join(normalized, "\n")
	}

	seen := make(map[string]struct{}, len(scopes))
	normalized = make([]string, 0, len(scopes))
	for _, scope := range scopes {
		// Reject before deduplicating so the first bad scope in input order
		// is the one reported.
		if strings.ContainsRune(scope, '\n') {
			panic(fmt.Errorf("invalid scope %q", scope))
		}
		if _, dup := seen[scope]; dup {
			continue
		}
		seen[scope] = struct{}{}
		normalized = append(normalized, scope)
	}
	sort.Strings(normalized)
	return normalized, strings.Join(normalized, "\n")
}
// closeToExpRandomized reports whether a token expiring at exp should be
// refreshed now.
//
// An already expired token always needs a refresh; a token more than
// expirationRandomization away from exp never does. In between, a random
// offset in [0, expirationRandomization) is added to the current time and a
// refresh is requested if that pushes past exp, so the chance of refreshing
// grows as exp approaches and concurrent users of one cached token do not all
// refresh it at the same instant.
func closeToExpRandomized(c context.Context, exp time.Time) bool {
	now := clock.Now(c)
	if now.After(exp) {
		return true // expired already
	}
	if now.Add(expirationRandomization).Before(exp) {
		return false // far from expiration
	}
	// Inside the randomization window: decide probabilistically.
	jitter := time.Duration(mathrand.Int63n(c, int64(expirationRandomization)))
	return now.Add(jitter).After(exp)
}