auth/internal/luci_ctx.go - infra/luci/luci-go - Git at Google

 // Copyright 2017 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package internal

 import (
 	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 	"time"

 	"golang.org/x/net/context/ctxhttp"
 	"golang.org/x/oauth2"

 	"go.chromium.org/luci/auth/integration/localauth/rpcs"
 	"go.chromium.org/luci/common/logging"
 	"go.chromium.org/luci/common/retry/transient"
 	"go.chromium.org/luci/lucictx"
 )

 type luciContextTokenProvider struct {
 	localAuth *lucictx.LocalAuth
 	email     string // an email or NoEmail
 	scopes    []string
 	audience  string // not empty iff using ID tokens
 	transport http.RoundTripper
 	cacheKey  CacheKey // used only for in-memory cache
 }

 // NewLUCIContextTokenProvider returns TokenProvider that knows how to use a
 // local auth server to mint tokens.
 //
 // It requires LUCI_CONTEXT["local_auth"] to be present in the 'ctx'. It's a
 // description of how to locate and contact the local auth server.
 //
 // See auth/integration/localauth package for the implementation of the server.
 func NewLUCIContextTokenProvider(ctx context.Context, scopes []string, audience string, transport http.RoundTripper) (TokenProvider, error) {
 	localAuth := lucictx.GetLocalAuth(ctx)
 	switch {
 	case localAuth == nil:
 		return nil, fmt.Errorf(`no "local_auth" in LUCI_CONTEXT`)
 	case localAuth.DefaultAccountId == "":
 		return nil, fmt.Errorf(`no "default_account_id" in LUCI_CONTEXT["local_auth"]`)
 	}

 	// Grab an email associated with default account, if any.
 	email := NoEmail
 	for _, account := range localAuth.Accounts {
 		if account.Id == localAuth.DefaultAccountId {
 			// Previous protocol version didn't expose the email, so keep the value
 			// as NoEmail in this case. This should be rare.
 			if account.Email != "" {
 				email = account.Email
 			}
 			break
 		}
 	}

 	// All authenticators share singleton in-process token cache, see
 	// ProcTokenCache variable in proc_cache.go.
 	//
 	// It is possible (though very unusual), for a single process to use multiple
 	// local auth servers (e.g. if it enters a subcontext with another "local_auth"
 	// value).
 	//
 	// For these reasons we use a digest of localAuth parameters as a cache key.
 	// It is used only in the process-local cache, the token never ends up in
 	// the disk cache, as indicated by Lightweight() returning true (tokens from
 	// such providers aren't cached on disk by Authenticator).
 	blob, err := json.Marshal(localAuth)
 	if err != nil {
 		return nil, err
 	}
 	digest := sha256.Sum256(blob)

 	return &luciContextTokenProvider{
 		localAuth: localAuth,
 		email:     email,
 		scopes:    scopes,
 		audience:  audience,
 		transport: transport,
 		cacheKey: CacheKey{
 			Key:    fmt.Sprintf("luci_ctx/%s", hex.EncodeToString(digest[:])),
 			Scopes: scopes,
 		},
 	}, nil
 }

 func (p *luciContextTokenProvider) RequiresInteraction() bool {
 	return false
 }

 func (p *luciContextTokenProvider) Lightweight() bool {
 	return true
 }

 func (p *luciContextTokenProvider) Email() string {
 	return p.email
 }

 func (p *luciContextTokenProvider) CacheKey(ctx context.Context) (*CacheKey, error) {
 	return &p.cacheKey, nil
 }

 func (p *luciContextTokenProvider) MintToken(ctx context.Context, base *Token) (*Token, error) {
 	if p.audience == "" {
 		return p.mintOAuthToken(ctx)
 	}
 	return p.mintIDToken(ctx)
 }

 func (p *luciContextTokenProvider) mintOAuthToken(ctx context.Context) (*Token, error) {
 	request := &rpcs.GetOAuthTokenRequest{
 		BaseRequest: rpcs.BaseRequest{
 			Secret:    p.localAuth.Secret,
 			AccountID: p.localAuth.DefaultAccountId,
 		},
 		Scopes: p.scopes,
 	}
 	response := &rpcs.GetOAuthTokenResponse{}
 	if err := p.doRPC(ctx, "GetOAuthToken", request, response); err != nil {
 		return nil, err
 	}
 	if err := p.handleRPCErr(&response.BaseResponse); err != nil {
 		return nil, err
 	}
 	return &Token{
 		Token: oauth2.Token{
 			AccessToken: response.AccessToken,
 			Expiry:      time.Unix(response.Expiry, 0).UTC(),
 			TokenType:   "Bearer",
 		},
 		IDToken: NoIDToken,
 		Email:   p.Email(),
 	}, nil
 }

 func (p *luciContextTokenProvider) mintIDToken(ctx context.Context) (*Token, error) {
 	request := &rpcs.GetIDTokenRequest{
 		BaseRequest: rpcs.BaseRequest{
 			Secret:    p.localAuth.Secret,
 			AccountID: p.localAuth.DefaultAccountId,
 		},
 		Audience: p.audience,
 	}
 	response := &rpcs.GetIDTokenResponse{}
 	if err := p.doRPC(ctx, "GetIDToken", request, response); err != nil {
 		return nil, err
 	}
 	if err := p.handleRPCErr(&response.BaseResponse); err != nil {
 		return nil, err
 	}
 	return &Token{
 		Token: oauth2.Token{
 			AccessToken: NoAccessToken,
 			Expiry:      time.Unix(response.Expiry, 0).UTC(),
 			TokenType:   "Bearer",
 		},
 		IDToken: response.IDToken,
 		Email:   p.Email(),
 	}, nil
 }

 func (p *luciContextTokenProvider) RefreshToken(ctx context.Context, prev, base *Token) (*Token, error) {
 	// Minting and refreshing is the same thing: a call to a local auth server.
 	return p.MintToken(ctx, base)
 }

 // doRPC sends a request to the local auth server and parses the response.
 //
 // Note: deadlines and retries are implemented by Authenticator. doRPC should
 // just make a single attempt, and mark an error as transient to trigger a
 // retry, if necessary.
 func (p *luciContextTokenProvider) doRPC(ctx context.Context, method string, req, resp any) error {
 	body, err := json.Marshal(req)
 	if err != nil {
 		return err
 	}

 	url := fmt.Sprintf("http://127.0.0.1:%d/rpc/LuciLocalAuthService.%s", p.localAuth.RpcPort, method)
 	logging.Debugf(ctx, "POST %s", url)
 	httpReq, err := http.NewRequest("POST", url, bytes.NewReader(body))
 	if err != nil {
 		return err
 	}
 	httpReq.Header.Set("Content-Type", "application/json")

 	httpResp, err := ctxhttp.Do(ctx, &http.Client{Transport: p.transport}, httpReq)
 	if err != nil {
 		return transient.Tag.Apply(err)
 	}
 	defer httpResp.Body.Close()
 	respBody, err := io.ReadAll(httpResp.Body)
 	if err != nil {
 		return transient.Tag.Apply(err)
 	}

 	if httpResp.StatusCode != 200 {
 		err := fmt.Errorf("local auth - HTTP %d: %s", httpResp.StatusCode, strings.TrimSpace(string(respBody)))
 		if httpResp.StatusCode >= 500 {
 			return transient.Tag.Apply(err)
 		}
 		return err
 	}

 	return json.Unmarshal(respBody, resp)
 }

 // handleRPCErr handles `error_message` and `error_code` response fields.
 func (p *luciContextTokenProvider) handleRPCErr(resp *rpcs.BaseResponse) error {
 	if resp.ErrorMessage != "" || resp.ErrorCode != 0 {
 		msg := resp.ErrorMessage
 		if msg == "" {
 			msg = "unknown error"
 		}
 		return fmt.Errorf("local auth - RPC code %d: %s", resp.ErrorCode, msg)
 	}
 	return nil
 }
	// Copyright 2017 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package internal

	import (
	"bytes"
	"context"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"

	"golang.org/x/net/context/ctxhttp"
	"golang.org/x/oauth2"

	"go.chromium.org/luci/auth/integration/localauth/rpcs"
	"go.chromium.org/luci/common/logging"
	"go.chromium.org/luci/common/retry/transient"
	"go.chromium.org/luci/lucictx"
	)

	type luciContextTokenProvider struct {
	localAuth *lucictx.LocalAuth
	email string // an email or NoEmail
	scopes []string
	audience string // not empty iff using ID tokens
	transport http.RoundTripper
	cacheKey CacheKey // used only for in-memory cache
	}

	// NewLUCIContextTokenProvider returns TokenProvider that knows how to use a
	// local auth server to mint tokens.
	//
	// It requires LUCI_CONTEXT["local_auth"] to be present in the 'ctx'. It's a
	// description of how to locate and contact the local auth server.
	//
	// See auth/integration/localauth package for the implementation of the server.
	func NewLUCIContextTokenProvider(ctx context.Context, scopes []string, audience string, transport http.RoundTripper) (TokenProvider, error) {
	localAuth := lucictx.GetLocalAuth(ctx)
	switch {
	case localAuth == nil:
	return nil, fmt.Errorf(`no "local_auth" in LUCI_CONTEXT`)
	case localAuth.DefaultAccountId == "":
	return nil, fmt.Errorf(`no "default_account_id" in LUCI_CONTEXT["local_auth"]`)
	}

	// Grab an email associated with default account, if any.
	email := NoEmail
	for _, account := range localAuth.Accounts {
	if account.Id == localAuth.DefaultAccountId {
	// Previous protocol version didn't expose the email, so keep the value
	// as NoEmail in this case. This should be rare.
	if account.Email != "" {
	email = account.Email
	}
	break
	}
	}

	// All authenticators share singleton in-process token cache, see
	// ProcTokenCache variable in proc_cache.go.
	//
	// It is possible (though very unusual), for a single process to use multiple
	// local auth servers (e.g. if it enters a subcontext with another "local_auth"
	// value).
	//
	// For these reasons we use a digest of localAuth parameters as a cache key.
	// It is used only in the process-local cache, the token never ends up in
	// the disk cache, as indicated by Lightweight() returning true (tokens from
	// such providers aren't cached on disk by Authenticator).
	blob, err := json.Marshal(localAuth)
	if err != nil {
	return nil, err
	}
	digest := sha256.Sum256(blob)

	return &luciContextTokenProvider{
	localAuth: localAuth,
	email: email,
	scopes: scopes,
	audience: audience,
	transport: transport,
	cacheKey: CacheKey{
	Key: fmt.Sprintf("luci_ctx/%s", hex.EncodeToString(digest[:])),
	Scopes: scopes,
	},
	}, nil
	}

	func (p *luciContextTokenProvider) RequiresInteraction() bool {
	return false
	}

	func (p *luciContextTokenProvider) Lightweight() bool {
	return true
	}

	func (p *luciContextTokenProvider) Email() string {
	return p.email
	}

	func (p luciContextTokenProvider) CacheKey(ctx context.Context) (CacheKey, error) {
	return &p.cacheKey, nil
	}

	func (p luciContextTokenProvider) MintToken(ctx context.Context, base Token) (*Token, error) {
	if p.audience == "" {
	return p.mintOAuthToken(ctx)
	}
	return p.mintIDToken(ctx)
	}

	func (p luciContextTokenProvider) mintOAuthToken(ctx context.Context) (Token, error) {
	request := &rpcs.GetOAuthTokenRequest{
	BaseRequest: rpcs.BaseRequest{
	Secret: p.localAuth.Secret,
	AccountID: p.localAuth.DefaultAccountId,
	},
	Scopes: p.scopes,
	}
	response := &rpcs.GetOAuthTokenResponse{}
	if err := p.doRPC(ctx, "GetOAuthToken", request, response); err != nil {
	return nil, err
	}
	if err := p.handleRPCErr(&response.BaseResponse); err != nil {
	return nil, err
	}
	return &Token{
	Token: oauth2.Token{
	AccessToken: response.AccessToken,
	Expiry: time.Unix(response.Expiry, 0).UTC(),
	TokenType: "Bearer",
	},
	IDToken: NoIDToken,
	Email: p.Email(),
	}, nil
	}

	func (p luciContextTokenProvider) mintIDToken(ctx context.Context) (Token, error) {
	request := &rpcs.GetIDTokenRequest{
	BaseRequest: rpcs.BaseRequest{
	Secret: p.localAuth.Secret,
	AccountID: p.localAuth.DefaultAccountId,
	},
	Audience: p.audience,
	}
	response := &rpcs.GetIDTokenResponse{}
	if err := p.doRPC(ctx, "GetIDToken", request, response); err != nil {
	return nil, err
	}
	if err := p.handleRPCErr(&response.BaseResponse); err != nil {
	return nil, err
	}
	return &Token{
	Token: oauth2.Token{
	AccessToken: NoAccessToken,
	Expiry: time.Unix(response.Expiry, 0).UTC(),
	TokenType: "Bearer",
	},
	IDToken: response.IDToken,
	Email: p.Email(),
	}, nil
	}

	func (p luciContextTokenProvider) RefreshToken(ctx context.Context, prev, base Token) (*Token, error) {
	// Minting and refreshing is the same thing: a call to a local auth server.
	return p.MintToken(ctx, base)
	}

	// doRPC sends a request to the local auth server and parses the response.
	//
	// Note: deadlines and retries are implemented by Authenticator. doRPC should
	// just make a single attempt, and mark an error as transient to trigger a
	// retry, if necessary.
	func (p *luciContextTokenProvider) doRPC(ctx context.Context, method string, req, resp any) error {
	body, err := json.Marshal(req)
	if err != nil {
	return err
	}

	url := fmt.Sprintf("http://127.0.0.1:%d/rpc/LuciLocalAuthService.%s", p.localAuth.RpcPort, method)
	logging.Debugf(ctx, "POST %s", url)
	httpReq, err := http.NewRequest("POST", url, bytes.NewReader(body))
	if err != nil {
	return err
	}
	httpReq.Header.Set("Content-Type", "application/json")

	httpResp, err := ctxhttp.Do(ctx, &http.Client{Transport: p.transport}, httpReq)
	if err != nil {
	return transient.Tag.Apply(err)
	}
	defer httpResp.Body.Close()
	respBody, err := io.ReadAll(httpResp.Body)
	if err != nil {
	return transient.Tag.Apply(err)
	}

	if httpResp.StatusCode != 200 {
	err := fmt.Errorf("local auth - HTTP %d: %s", httpResp.StatusCode, strings.TrimSpace(string(respBody)))
	if httpResp.StatusCode >= 500 {
	return transient.Tag.Apply(err)
	}
	return err
	}

	return json.Unmarshal(respBody, resp)
	}

	// handleRPCErr handles `error_message` and `error_code` response fields.
	func (p luciContextTokenProvider) handleRPCErr(resp rpcs.BaseResponse) error {
	if resp.ErrorMessage != "" \|\| resp.ErrorCode != 0 {
	msg := resp.ErrorMessage
	if msg == "" {
	msg = "unknown error"
	}
	return fmt.Errorf("local auth - RPC code %d: %s", resp.ErrorCode, msg)
	}
	return nil
	}