aboutsummaryrefslogtreecommitdiffstats
path: root/library/cpp/tvmauth/client/facade.h
blob: fa459a0b55d9b16574b1f3d45ab8017f00dfa478 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#pragma once

#include "misc/async_updater.h"
#include "misc/api/settings.h"
#include "misc/tool/settings.h"

#include <library/cpp/tvmauth/checked_service_ticket.h>
#include <library/cpp/tvmauth/checked_user_ticket.h>

namespace NTvmAuth::NInternal {
    class TClientCaningKnife;
}

namespace NTvmAuth {
    class TDefaultUidChecker;
    class TServiceTicketGetter;
    class TServiceTicketChecker;
    class TSrcChecker;
    class TUserTicketChecker;

    /*!
     * Long lived thread-safe object for interacting with TVM.
     * In 99% cases TvmClient shoud be created at service startup and live for the whole process lifetime.
     */
    class TTvmClient {
    public:
        /*!
         * Uses local http-interface to get state: http://localhost/tvm/.
         * This interface can be provided with tvmtool (local daemon) or Qloud/YP (local http api in container).
         * See more: https://wiki.yandex-team.ru/passport/tvm2/tvm-daemon/.
         *
         * Starts thread for updating of in-memory cache in background
         * @param settings
         * @param logger is usefull for monitoring and debuging
         */
        TTvmClient(const NTvmTool::TClientSettings& settings, TLoggerPtr logger);

        /*!
         * Uses general way to get state: https://tvm-api.yandex.net.
         * It is not recomended for Qloud/YP.
         *
         * Starts thread for updating of in-memory cache in background
         * Reads cache from disk if specified
         * @param settings
         * @param logger is usefull for monitoring and debuging
         */
        TTvmClient(const NTvmApi::TClientSettings& settings, TLoggerPtr logger);

        /*!
         * Feel free to use custom updating logic in tests
         */
        TTvmClient(
            TAsyncUpdaterPtr updater,
            const TServiceContext::TCheckFlags& serviceTicketCheckFlags = {});

        TTvmClient(TTvmClient&&);
        ~TTvmClient();
        TTvmClient& operator=(TTvmClient&&);

        /*!
         * You should trigger your monitoring if status is not Ok.
         * It will be unable to operate if status is Error.
         * Description: https://a.yandex-team.ru/arc/trunk/arcadia/library/cpp/tvmauth/client/README.md#high-level-interface
         * @return Current status of client.
         */
        TClientStatus GetStatus() const;

        /*!
         * Some tools for monitoring
         */

        TInstant GetUpdateTimeOfPublicKeys() const;
        TInstant GetUpdateTimeOfServiceTickets() const;
        TInstant GetInvalidationTimeOfPublicKeys() const;
        TInstant GetInvalidationTimeOfServiceTickets() const;

        /*!
         * Requires fetchinig options (from TClientSettings or Qloud/YP/tvmtool settings)
         * Can throw exception if cache is invalid or wrong config
         *
         * Alias is local label for TvmID
         *  which can be used to avoid this number in every checking case in code.
         * @param dst
         */
        TString GetServiceTicketFor(const TClientSettings::TAlias& dst) const;
        TString GetServiceTicketFor(const TTvmId dst) const;

        /*!
         * For TTvmApi::TClientSettings: checking must be enabled in TClientSettings
         * Can throw exception if checking was not enabled in settings
         *
         * ServiceTicket contains src: you should check it by yourself with ACL
         * @param ticket
         */
        TCheckedServiceTicket CheckServiceTicket(TStringBuf ticket) const;

        /*!
         * Requires blackbox enviroment (from TClientSettings or Qloud/YP/tvmtool settings)
         * Can throw exception if checking was not enabled in settings
         * @param ticket
         * @param overrideEnv allowes you to override env from settings
         */
        TCheckedUserTicket CheckUserTicket(TStringBuf ticket, TMaybe<EBlackboxEnv> overrideEnv = {}) const;

        /*!
         * Under construction now. It is unusable.
         * PASSP-30283
         */
        NRoles::TRolesPtr GetRoles() const;

    private:
        TAsyncUpdaterPtr Updater_;

        TServiceContext::TCheckFlags ServiceTicketCheckFlags_;

        bool NeedService_ = false;
        bool NeedUser_ = false;
        bool NeedTickets_ = false;
        bool NeedSrcChecker_ = false;
        bool NeedDefaultUidChecker_ = false;

        friend class NInternal::TClientCaningKnife;
    };
}