tokenserver/appengine/impl/machinetoken/rpc_inspect_machine_token.go - infra/luci/luci-go - Git at Google

 // Copyright 2016 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package machinetoken

 import (
 	"context"
 	"fmt"
 	"math/big"

 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"

 	"go.chromium.org/luci/common/retry/transient"
 	"go.chromium.org/luci/server/auth/signing"

 	tokenserver "go.chromium.org/luci/tokenserver/api"
 	admin "go.chromium.org/luci/tokenserver/api/admin/v1"

 	"go.chromium.org/luci/tokenserver/appengine/impl/certchecker"
 	"go.chromium.org/luci/tokenserver/appengine/impl/certconfig"
 )

 // InspectMachineTokenRPC implements Admin.InspectMachineToken API method.
 //
 // It assumes authorization has happened already.
 type InspectMachineTokenRPC struct {
 	// Signer is mocked in tests.
 	//
 	// In prod it is gaesigner.Signer.
 	Signer signing.Signer
 }

 // InspectMachineToken decodes a machine token and verifies it is valid.
 func (r *InspectMachineTokenRPC) InspectMachineToken(c context.Context, req *admin.InspectMachineTokenRequest) (*admin.InspectMachineTokenResponse, error) {
 	// Defaults.
 	if req.TokenType == 0 {
 		req.TokenType = tokenserver.MachineTokenType_LUCI_MACHINE_TOKEN
 	}

 	// Only LUCI_MACHINE_TOKEN is supported currently.
 	switch req.TokenType {
 	case tokenserver.MachineTokenType_LUCI_MACHINE_TOKEN:
 		// supported
 	default:
 		return nil, status.Errorf(codes.InvalidArgument, "unsupported token type %s", req.TokenType)
 	}

 	// Deserialize the token, check its signature.
 	inspection, err := InspectToken(c, r.Signer, req.Token)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, err.Error())
 	}
 	resp := &admin.InspectMachineTokenResponse{
 		Signed:           inspection.Signed,
 		NonExpired:       inspection.NonExpired,
 		InvalidityReason: inspection.InvalidityReason,
 	}

 	// Grab the signing key from the envelope, if managed to deserialize it.
 	if env, _ := inspection.Envelope.(*tokenserver.MachineTokenEnvelope); env != nil {
 		resp.SigningKeyId = env.KeyId
 	}

 	// If we could not deserialize the body, that's all checks we could do.
 	body, _ := inspection.Body.(*tokenserver.MachineTokenBody)
 	if body == nil {
 		return resp, nil
 	}
 	resp.TokenType = &admin.InspectMachineTokenResponse_LuciMachineToken{
 		LuciMachineToken: body,
 	}

 	addReason := func(r string) {
 		if resp.InvalidityReason == "" {
 			resp.InvalidityReason = r
 		} else {
 			resp.InvalidityReason += "; " + r
 		}
 	}

 	// Check revocation status. Find CA name that signed the certificate used when
 	// minting the token.
 	caName, err := certconfig.GetCAByUniqueID(c, body.CaId)
 	switch {
 	case err != nil:
 		return nil, status.Errorf(codes.Internal, "can't resolve ca_id to CA name - %s", err)
 	case caName == "":
 		addReason("no CA with given ID")
 		return resp, nil
 	}
 	resp.CertCaName = caName

 	// Grab CertChecker for this CA. It has CRL cached.
 	certChecker, err := certchecker.GetCertChecker(c, caName)
 	switch {
 	case transient.Tag.In(err):
 		return nil, status.Errorf(codes.Internal, "can't fetch CRL - %s", err)
 	case err != nil:
 		addReason(fmt.Sprintf("can't fetch CRL - %s", err))
 		return resp, nil
 	}

 	// Check that certificate SN is not in the revocation list.
 	sn := big.NewInt(0).SetUint64(body.CertSn)
 	revoked, err := certChecker.CRL.IsRevokedSN(c, sn)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "can't check CRL - %s", err)
 	}
 	resp.NonRevoked = !revoked

 	// Note: if Signed or NonExpired is false, InvalidityReason is already set.
 	if resp.Signed && resp.NonExpired {
 		if resp.NonRevoked {
 			resp.Valid = true
 		} else {
 			addReason("corresponding cert was revoked")
 		}
 	}

 	return resp, nil
 }
	// Copyright 2016 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package machinetoken

	import (
	"context"
	"fmt"
	"math/big"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"go.chromium.org/luci/common/retry/transient"
	"go.chromium.org/luci/server/auth/signing"

	tokenserver "go.chromium.org/luci/tokenserver/api"
	admin "go.chromium.org/luci/tokenserver/api/admin/v1"

	"go.chromium.org/luci/tokenserver/appengine/impl/certchecker"
	"go.chromium.org/luci/tokenserver/appengine/impl/certconfig"
	)

	// InspectMachineTokenRPC implements Admin.InspectMachineToken API method.
	//
	// It assumes authorization has happened already.
	type InspectMachineTokenRPC struct {
	// Signer is mocked in tests.
	//
	// In prod it is gaesigner.Signer.
	Signer signing.Signer
	}

	// InspectMachineToken decodes a machine token and verifies it is valid.
	func (r InspectMachineTokenRPC) InspectMachineToken(c context.Context, req admin.InspectMachineTokenRequest) (*admin.InspectMachineTokenResponse, error) {
	// Defaults.
	if req.TokenType == 0 {
	req.TokenType = tokenserver.MachineTokenType_LUCI_MACHINE_TOKEN
	}

	// Only LUCI_MACHINE_TOKEN is supported currently.
	switch req.TokenType {
	case tokenserver.MachineTokenType_LUCI_MACHINE_TOKEN:
	// supported
	default:
	return nil, status.Errorf(codes.InvalidArgument, "unsupported token type %s", req.TokenType)
	}

	// Deserialize the token, check its signature.
	inspection, err := InspectToken(c, r.Signer, req.Token)
	if err != nil {
	return nil, status.Errorf(codes.Internal, err.Error())
	}
	resp := &admin.InspectMachineTokenResponse{
	Signed: inspection.Signed,
	NonExpired: inspection.NonExpired,
	InvalidityReason: inspection.InvalidityReason,
	}

	// Grab the signing key from the envelope, if managed to deserialize it.
	if env, _ := inspection.Envelope.(*tokenserver.MachineTokenEnvelope); env != nil {
	resp.SigningKeyId = env.KeyId
	}

	// If we could not deserialize the body, that's all checks we could do.
	body, _ := inspection.Body.(*tokenserver.MachineTokenBody)
	if body == nil {
	return resp, nil
	}
	resp.TokenType = &admin.InspectMachineTokenResponse_LuciMachineToken{
	LuciMachineToken: body,
	}

	addReason := func(r string) {
	if resp.InvalidityReason == "" {
	resp.InvalidityReason = r
	} else {
	resp.InvalidityReason += "; " + r
	}
	}

	// Check revocation status. Find CA name that signed the certificate used when
	// minting the token.
	caName, err := certconfig.GetCAByUniqueID(c, body.CaId)
	switch {
	case err != nil:
	return nil, status.Errorf(codes.Internal, "can't resolve ca_id to CA name - %s", err)
	case caName == "":
	addReason("no CA with given ID")
	return resp, nil
	}
	resp.CertCaName = caName

	// Grab CertChecker for this CA. It has CRL cached.
	certChecker, err := certchecker.GetCertChecker(c, caName)
	switch {
	case transient.Tag.In(err):
	return nil, status.Errorf(codes.Internal, "can't fetch CRL - %s", err)
	case err != nil:
	addReason(fmt.Sprintf("can't fetch CRL - %s", err))
	return resp, nil
	}

	// Check that certificate SN is not in the revocation list.
	sn := big.NewInt(0).SetUint64(body.CertSn)
	revoked, err := certChecker.CRL.IsRevokedSN(c, sn)
	if err != nil {
	return nil, status.Errorf(codes.Internal, "can't check CRL - %s", err)
	}
	resp.NonRevoked = !revoked

	// Note: if Signed or NonExpired is false, InvalidityReason is already set.
	if resp.Signed && resp.NonExpired {
	if resp.NonRevoked {
	resp.Valid = true
	} else {
	addReason("corresponding cert was revoked")
	}
	}

	return resp, nil
	}