go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/buildbucket/appengine/internal/buildtoken/buildtoken.go (about)

     1  // Copyright 2022 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package buildtoken provide related functions for dealing with build tokens.
    16  package buildtoken
    17  
    18  import (
    19  	"context"
    20  	"encoding/base64"
    21  
    22  	"github.com/google/tink/go/subtle/random"
    23  	"google.golang.org/protobuf/proto"
    24  
    25  	"go.chromium.org/luci/common/errors"
    26  	"go.chromium.org/luci/common/logging"
    27  	"go.chromium.org/luci/grpc/grpcutil"
    28  	"go.chromium.org/luci/server/secrets"
    29  
    30  	pb "go.chromium.org/luci/buildbucket/proto"
    31  )
    32  
    33  const (
    34  	// Sanity length limitation for build tokens to allow us to quickly reject
    35  	// potentially abusive inputs.
    36  	buildTokenMaxLength = 200
    37  )
    38  
    39  // additionalData gives additional context to an encrypted secret, to prevent
    40  // the cyphertext from being used in contexts other than this buildtoken
    41  // package.
    42  var additionalData = []byte("buildtoken")
    43  
    44  // GenerateToken generates base64 encoded byte string token for a build.
    45  func GenerateToken(ctx context.Context, buildID int64, purpose pb.TokenBody_Purpose) (string, error) {
    46  	return generateEncryptedToken(ctx, buildID, purpose)
    47  }
    48  
    49  func generateEncryptedToken(ctx context.Context, buildID int64, purpose pb.TokenBody_Purpose) (string, error) {
    50  	tkBody := &pb.TokenBody{
    51  		BuildId: buildID,
    52  		Purpose: purpose,
    53  		State:   random.GetRandomBytes(16),
    54  	}
    55  
    56  	tkBytes, err := proto.Marshal(tkBody)
    57  	if err != nil {
    58  		return "", err
    59  	}
    60  	encBytes, err := secrets.Encrypt(ctx, tkBytes, additionalData)
    61  	if err != nil {
    62  		return "", err
    63  	}
    64  	tkEnvelop := &pb.TokenEnvelope{
    65  		Version: pb.TokenEnvelope_ENCRYPTED,
    66  		Payload: encBytes,
    67  	}
    68  	tkeBytes, err := proto.Marshal(tkEnvelop)
    69  	if err != nil {
    70  		return "", err
    71  	}
    72  	token := base64.RawURLEncoding.EncodeToString(tkeBytes)
    73  	return token, nil
    74  }
    75  
    76  // ErrBadToken is the only error returned by ParseToTokenBody.
    77  //
    78  // This includes a codes.Unauthenticated tag.
    79  var ErrBadToken = errors.New("invalid token", grpcutil.UnauthenticatedTag)
    80  
    81  // ParseToTokenBody deserializes the build token and returns the token body.
    82  //
    83  // buildID will be asserted to match the token's contents.
    84  // If buildID is 0, this will skip the buildID check.
    85  //
    86  // Additionally, the token contents must match one of the values provided in
    87  // `purposes`. If `purposes` is empty, a token of any purpose will be returned
    88  // without error.
    89  //
    90  // All parsing errors are logged and this function returns ErrBadToken which is
    91  // tagged with codes.Unauthenticated.
    92  func ParseToTokenBody(ctx context.Context, bldTok string, buildID int64, purposes ...pb.TokenBody_Purpose) (*pb.TokenBody, error) {
    93  	tok, err := parseToTokenBodyImpl(ctx, bldTok, buildID, purposes...)
    94  	if err != nil {
    95  		logging.Warningf(ctx, "ParseToTokenBody ERROR: %s", err)
    96  		return nil, ErrBadToken
    97  	}
    98  	return tok, nil
    99  }
   100  
   101  func parseToTokenBodyImpl(ctx context.Context, bldTok string, buildID int64, purposes ...pb.TokenBody_Purpose) (*pb.TokenBody, error) {
   102  	if len(bldTok) > buildTokenMaxLength {
   103  		return nil, errors.Reason("build token is too long: %d > %d", len(bldTok), buildTokenMaxLength).Err()
   104  	}
   105  	tokBytes, err := base64.RawURLEncoding.DecodeString(bldTok)
   106  	if err != nil {
   107  		return nil, errors.Annotate(err, "error decoding token").Err()
   108  	}
   109  
   110  	msg := &pb.TokenEnvelope{}
   111  	if err = proto.Unmarshal(tokBytes, msg); err != nil {
   112  		return nil, errors.Annotate(err, "error unmarshalling token").Err()
   113  	}
   114  
   115  	var payload []byte
   116  
   117  	switch msg.Version {
   118  	case pb.TokenEnvelope_ENCRYPTED:
   119  		if payload, err = secrets.Decrypt(ctx, msg.Payload, additionalData); err != nil {
   120  			return nil, errors.Annotate(err, "error decrypting token").Err()
   121  		}
   122  
   123  	default:
   124  		return nil, errors.Reason("token with version %d is not supported", msg.Version).Err()
   125  	}
   126  
   127  	tb := &pb.TokenBody{}
   128  	if err = proto.Unmarshal(payload, tb); err != nil {
   129  		return nil, errors.Annotate(err, "error unmarshalling token payload").Err()
   130  	}
   131  
   132  	if buildID != 0 && buildID != tb.BuildId {
   133  		return nil, errors.Reason("token is for build %d, but expected %d", tb.BuildId, buildID).Err()
   134  	}
   135  
   136  	if len(purposes) > 0 {
   137  		ok := false
   138  		for _, purpose := range purposes {
   139  			if purpose == tb.Purpose {
   140  				ok = true
   141  				break
   142  			}
   143  		}
   144  		if !ok {
   145  			return nil, errors.Reason("token is for purpose %s, but expected %s", tb.Purpose, purposes).Err()
   146  		}
   147  	}
   148  
   149  	return tb, nil
   150  }