logdog/client/butler/output/logdog/auth.go - infra/luci/luci-go - Git at Google

 // Copyright 2021 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package logdog

 import (
 	"context"

 	"go.chromium.org/luci/auth"
 	"go.chromium.org/luci/common/errors"
 	"go.chromium.org/luci/lucictx"
 )

 // Auth incapsulates an authentication scheme to use.
 //
 // Construct it using either LegacyAuth() or RealmsAwareAuth().
 type Auth interface {
 	// Project is the current project taken from LUCI_CONTEXT (or "").
 	Project() string
 	// Realm is the current realm taken from LUCI_CONTEXT (or "").
 	Realm() string
 	// RPC returns an authenticator to use for RegisterPrefix RPC call.
 	RPC() *auth.Authenticator
 	// PubSub returns an authenticator to use for PubSub calls.
 	PubSub() *auth.Authenticator
 }

 // LegacyAuth returns an authentication scheme with pre-realms logic.
 //
 // Will be eventually removed once all call sites are aware of realms.
 func LegacyAuth(a *auth.Authenticator) Auth {
 	return legacyAuth{a}
 }

 type legacyAuth struct {
 	a *auth.Authenticator
 }

 func (la legacyAuth) Project() string             { return "" }
 func (la legacyAuth) Realm() string               { return "" }
 func (la legacyAuth) RPC() *auth.Authenticator    { return la.a }
 func (la legacyAuth) PubSub() *auth.Authenticator { return la.a }

 // RealmsAwareAuth returns an authentication scheme with realms-aware logic.
 //
 // The given context will be used to:
 //  1. Grab the current realm name from LUCI_CONTEXT.
 //  2. Construct a transport that uses the default account for auth (thus the
 //     context should have the default task account selected in it).
 //  3. Switch into "system" local account and construct a transport that uses
 //     this account for PubSub calls.
 //
 // If there's no realm in the context, degrades to LegacyAuth using the "system"
 // local account for all calls, as was the way before the realms mode.
 func RealmsAwareAuth(ctx context.Context) (Auth, error) {
 	sysCtx, err := lucictx.SwitchLocalAccount(ctx, "system")
 	if err != nil {
 		return nil, errors.Annotate(err, "could not switch to 'system' account in LUCI_CONTEXT").Err()
 	}
 	sysAuth := auth.NewAuthenticator(sysCtx, auth.SilentLogin, auth.Options{
 		Scopes: []string{
 			auth.OAuthScopeEmail,
 			"https://www.googleapis.com/auth/cloud-platform",
 		},
 		MonitorAs: "logdog/system",
 	})

 	project, realm := lucictx.CurrentRealm(ctx)
 	if realm == "" {
 		return LegacyAuth(sysAuth), nil
 	}

 	return &realmsAuth{
 		project: project,
 		realm:   realm,
 		rpc: auth.NewAuthenticator(ctx, auth.SilentLogin, auth.Options{
 			Scopes:    []string{auth.OAuthScopeEmail},
 			MonitorAs: "logdog/rpc",
 		}),
 		pubSub: sysAuth,
 	}, nil
 }

 type realmsAuth struct {
 	project string
 	realm   string
 	rpc     *auth.Authenticator
 	pubSub  *auth.Authenticator
 }

 func (ra *realmsAuth) Project() string             { return ra.project }
 func (ra *realmsAuth) Realm() string               { return ra.realm }
 func (ra *realmsAuth) RPC() *auth.Authenticator    { return ra.rpc }
 func (ra *realmsAuth) PubSub() *auth.Authenticator { return ra.pubSub }
	// Copyright 2021 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package logdog

	import (
	"context"

	"go.chromium.org/luci/auth"
	"go.chromium.org/luci/common/errors"
	"go.chromium.org/luci/lucictx"
	)

	// Auth incapsulates an authentication scheme to use.
	//
	// Construct it using either LegacyAuth() or RealmsAwareAuth().
	type Auth interface {
	// Project is the current project taken from LUCI_CONTEXT (or "").
	Project() string
	// Realm is the current realm taken from LUCI_CONTEXT (or "").
	Realm() string
	// RPC returns an authenticator to use for RegisterPrefix RPC call.
	RPC() *auth.Authenticator
	// PubSub returns an authenticator to use for PubSub calls.
	PubSub() *auth.Authenticator
	}

	// LegacyAuth returns an authentication scheme with pre-realms logic.
	//
	// Will be eventually removed once all call sites are aware of realms.
	func LegacyAuth(a *auth.Authenticator) Auth {
	return legacyAuth{a}
	}

	type legacyAuth struct {
	a *auth.Authenticator
	}

	func (la legacyAuth) Project() string { return "" }
	func (la legacyAuth) Realm() string { return "" }
	func (la legacyAuth) RPC() *auth.Authenticator { return la.a }
	func (la legacyAuth) PubSub() *auth.Authenticator { return la.a }

	// RealmsAwareAuth returns an authentication scheme with realms-aware logic.
	//
	// The given context will be used to:
	// 1. Grab the current realm name from LUCI_CONTEXT.
	// 2. Construct a transport that uses the default account for auth (thus the
	// context should have the default task account selected in it).
	// 3. Switch into "system" local account and construct a transport that uses
	// this account for PubSub calls.
	//
	// If there's no realm in the context, degrades to LegacyAuth using the "system"
	// local account for all calls, as was the way before the realms mode.
	func RealmsAwareAuth(ctx context.Context) (Auth, error) {
	sysCtx, err := lucictx.SwitchLocalAccount(ctx, "system")
	if err != nil {
	return nil, errors.Annotate(err, "could not switch to 'system' account in LUCI_CONTEXT").Err()
	}
	sysAuth := auth.NewAuthenticator(sysCtx, auth.SilentLogin, auth.Options{
	Scopes: []string{
	auth.OAuthScopeEmail,
	"https://www.googleapis.com/auth/cloud-platform",
	},
	MonitorAs: "logdog/system",
	})

	project, realm := lucictx.CurrentRealm(ctx)
	if realm == "" {
	return LegacyAuth(sysAuth), nil
	}

	return &realmsAuth{
	project: project,
	realm: realm,
	rpc: auth.NewAuthenticator(ctx, auth.SilentLogin, auth.Options{
	Scopes: []string{auth.OAuthScopeEmail},
	MonitorAs: "logdog/rpc",
	}),
	pubSub: sysAuth,
	}, nil
	}

	type realmsAuth struct {
	project string
	realm string
	rpc *auth.Authenticator
	pubSub *auth.Authenticator
	}

	func (ra *realmsAuth) Project() string { return ra.project }
	func (ra *realmsAuth) Realm() string { return ra.realm }
	func (ra realmsAuth) RPC() auth.Authenticator { return ra.rpc }
	func (ra realmsAuth) PubSub() auth.Authenticator { return ra.pubSub }