go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/server/auth/authdb/internal/certs/certs.go

go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/server/auth/authdb/internal/certs/certs.go (about)

     1  // Copyright 2019 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package certs knows how to fetch certificate bundles of trusted services.
    16  package certs
    17  
    18  import (
    19  	"context"
    20  	"time"
    21  
    22  	"go.chromium.org/luci/auth/identity"
    23  	"go.chromium.org/luci/common/data/caching/lazyslot"
    24  	"go.chromium.org/luci/common/errors"
    25  
    26  	"go.chromium.org/luci/server/auth/signing"
    27  )
    28  
    29  // Bundle is a lazy-loaded cert bundle of some LUCI service.
    30  type Bundle struct {
    31  	ServiceURL string        // root URL of the service to fetch the bundle from
    32  	certs      lazyslot.Slot // stores fetchedBundle with the lazily fetched bundle
    33  }
    34  
    35  type fetchedBundle struct {
    36  	id    identity.Identity
    37  	certs *signing.PublicCertificates
    38  }
    39  
    40  // GetCerts fetches (perhaps from cache) cert bundles of the service.
    41  //
    42  // Returns the service identity as well.
    43  func (b *Bundle) GetCerts(ctx context.Context) (identity.Identity, *signing.PublicCertificates, error) {
    44  	fetched, err := b.certs.Get(ctx, func(any) (any, time.Duration, error) {
    45  		fetched, err := b.fetch(ctx)
    46  		return fetched, time.Hour, err
    47  	})
    48  	if err != nil {
    49  		return "", nil, err
    50  	}
    51  	fetchedBundle := fetched.(*fetchedBundle)
    52  	return fetchedBundle.id, fetchedBundle.certs, nil
    53  }
    54  
    55  // fetch actually fetches the cert bundle.
    56  func (b *Bundle) fetch(ctx context.Context) (*fetchedBundle, error) {
    57  	certs, err := signing.FetchCertificatesFromLUCIService(ctx, b.ServiceURL)
    58  	if err != nil {
    59  		return nil, errors.Annotate(err, "failed to fetch certs from %s", b.ServiceURL).Err()
    60  	}
    61  	if certs.ServiceAccountName == "" {
    62  		return nil, errors.Reason("service %s didn't provide its service account name", b.ServiceURL).Err()
    63  	}
    64  	id, err := identity.MakeIdentity("user:" + certs.ServiceAccountName)
    65  	if err != nil {
    66  		return nil, errors.Reason("invalid service_account_name %q in certificates bundle from %s", certs.ServiceAccountName, b.ServiceURL).Err()
    67  	}
    68  	return &fetchedBundle{id, certs}, nil
    69  }