blob: 6065cbed047730aa541e1c629bef73876a7c7229 [file] [log] [blame]
// Copyright 2021 The LUCI Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
package gerritauth
import (
luciflag ""
// ModuleName can be used to refer to this module when declaring dependencies.
var ModuleName = module.RegisterName("")
// ModuleOptions contain configuration of the gerritauth server module.
type ModuleOptions struct {
// Method is an instance of AuthMethod to configure.
// If nil, will configure the global Method instance.
Method *AuthMethod
// Header is a name of the request header to check for JWTs.
// Default is "X-Gerrit-Auth".
Header string
// SignerAccounts are emails of services account that sign Gerrit JWTs.
// If empty, authentication based on Gerrit JWTs will be disabled.
SignerAccounts []string
// Audience is an expected "aud" field of JWTs.
// Required if SignerAccount is not empty.
Audience string
// Register registers the command line flags.
func (o *ModuleOptions) Register(f *flag.FlagSet) {
if o.Header == "" {
o.Header = "X-Gerrit-Auth"
`Name of the request header to check for JWTs.`,
"Email of a Gerrit service account trusted to sign Gerrit JWT tokens. "+
"May be specified multiple times. If empty, authentication based on Gerrit JWTs will be disabled.",
`Expected "aud" field of the JWTs. Required if -gerrit-auth-signer-account is used.`,
// NewModule returns a server module that configures Gerrit auth method.
func NewModule(opts *ModuleOptions) module.Module {
if opts == nil {
opts = &ModuleOptions{}
return &serverModule{opts: opts}
// NewModuleFromFlags is a variant of NewModule that initializes options through
// command line flags.
// Calling this function registers flags in flag.CommandLine. They are usually
// parsed in server.Main(...).
func NewModuleFromFlags() module.Module {
opts := &ModuleOptions{}
return NewModule(opts)
// serverModule implements module.Module.
type serverModule struct {
opts *ModuleOptions
// Name is part of module.Module interface.
func (*serverModule) Name() module.Name {
return ModuleName
// Dependencies is part of module.Module interface.
func (*serverModule) Dependencies() []module.Dependency {
return nil
// Initialize is part of module.Module interface.
func (m *serverModule) Initialize(ctx context.Context, host module.Host, opts module.HostOptions) (context.Context, error) {
if len(m.opts.SignerAccounts) != 0 {
if m.opts.Audience == "" {
return nil, errors.Reason("-gerrit-auth-audience is required when -gerrit-auth-signer-account is used").Err()
} else if opts.Prod {
logging.Warningf(ctx, "Disabling Gerrit JWT auth: -gerrit-auth-signer-account is unset")
method := m.opts.Method
if method == nil {
method = &Method
method.Header = m.opts.Header
method.SignerAccounts = m.opts.SignerAccounts
method.Audience = m.opts.Audience
if method.isConfigured() {
warmup.Register("server/gerritauth", method.Warmup)
return ctx, nil