path: root/library/go/yandex/tvm/service_ticket.go
authorqrort <qrort@yandex-team.com>2022-11-30 23:47:12 +0300
committerqrort <qrort@yandex-team.com>2022-11-30 23:47:12 +0300
commit22f8ae0e3f5d68b92aecccdf96c1d841a0334311 (patch)
treebffa27765faf54126ad44bcafa89fadecb7a73d7 /library/go/yandex/tvm/service_ticket.go
parent332b99e2173f0425444abb759eebcb2fafaa9209 (diff)
validate canons without yatest_common
Diffstat (limited to 'library/go/yandex/tvm/service_ticket.go')
-rw-r--r--library/go/yandex/tvm/service_ticket.go50
1 files changed, 50 insertions, 0 deletions
diff --git a/library/go/yandex/tvm/service_ticket.go b/library/go/yandex/tvm/service_ticket.go
new file mode 100644
index 0000000000..2341ba2b17
--- /dev/null
+++ b/library/go/yandex/tvm/service_ticket.go
@@ -0,0 +1,50 @@
+package tvm
+
+import (
+ "fmt"
+)
+
+// CheckedServiceTicket is service credential
+type CheckedServiceTicket struct {
+ // SrcID is ID of request source service. You should check SrcID by yourself with your ACL.
+ SrcID ClientID
+ // IssuerUID is UID of developer who is debuging something, so he(she) issued CheckedServiceTicket with his(her) ssh-sign:
+ // it is grant_type=sshkey in tvm-api
+ // https://wiki.yandex-team.ru/passport/tvm2/debug/#sxoditvapizakrytoeserviceticketami.
+ IssuerUID UID
+ // DbgInfo is human readable data for debug purposes
+ DbgInfo string
+ // LogInfo is safe for logging part of ticket - it can be parsed later with `tvmknife parse_ticket -t ...`
+ LogInfo string
+}
+
+func (t *CheckedServiceTicket) CheckSrcID(allowedSrcIDsMap map[uint32]struct{}) error {
+ if len(allowedSrcIDsMap) == 0 {
+ return nil
+ }
+ if _, allowed := allowedSrcIDsMap[uint32(t.SrcID)]; !allowed {
+ return &TicketError{
+ Status: TicketInvalidSrcID,
+ Msg: fmt.Sprintf("service ticket srcID is not in allowed srcIDs: %v (actual: %v)", allowedSrcIDsMap, t.SrcID),
+ }
+ }
+ return nil
+}
+
+func (t CheckedServiceTicket) String() string {
+ return fmt.Sprintf("%s (%s)", t.LogInfo, t.DbgInfo)
+}
+
+type ServiceTicketACL func(ticket *CheckedServiceTicket) error
+
+func AllowAllServiceTickets() ServiceTicketACL {
+ return func(ticket *CheckedServiceTicket) error {
+ return nil
+ }
+}
+
+func CheckServiceTicketSrcID(allowedSrcIDs map[uint32]struct{}) ServiceTicketACL {
+ return func(ticket *CheckedServiceTicket) error {
+ return ticket.CheckSrcID(allowedSrcIDs)
+ }
+}
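Review bot: The early return for an empty map at the top of CheckSrcID makes the ACL fail open — `CheckServiceTicketSrcID(nil)`, or a map left empty because the allowed-source list failed to load, admits every SrcID and is indistinguishable from AllowAllServiceTickets. If that is intended, state it on the method: `// CheckSrcID returns a TicketError with status TicketInvalidSrcID when t.SrcID is not a key of allowedSrcIDsMap; an empty or nil map disables the check and accepts any source.` Otherwise return a TicketError for the empty map so a misconfigured ACL fails closed, and have CheckServiceTicketSrcID refuse to wrap an empty map. The error message also formats the whole allowed map with %v, which exposes the ACL to whatever surfaces the error and grows with its size; `Msg: fmt.Sprintf("service ticket srcID %v is not in allowed srcIDs", t.SrcID)` keeps the part that matters. ServiceTicketACL, AllowAllServiceTickets and CheckServiceTicketSrcID are exported without doc comments.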