#pragma once
#include "misc/async_updater.h"
#include "misc/api/settings.h"
#include "misc/tool/settings.h"
#include <library/cpp/tvmauth/checked_service_ticket.h>
#include <library/cpp/tvmauth/checked_user_ticket.h>
namespace NTvmAuth::NInternal {
class TClientCaningKnife;
}
namespace NTvmAuth {
class TDefaultUidChecker;
class TServiceTicketGetter;
class TServiceTicketChecker;
class TSrcChecker;
class TUserTicketChecker;
/*!
 * Long lived thread-safe object for interacting with TVM.
 * In 99% cases TvmClient should be created at service startup and live for the whole process lifetime.
 *
 * Only move construction and move assignment are declared, so the implicit copy
 * operations are suppressed: a TTvmClient cannot be copied.
 */
class TTvmClient {
public:
    /*!
     * Uses local http-interface to get state: http://localhost/tvm/.
     * This interface can be provided with tvmtool (local daemon) or Qloud/YP (local http api in container).
     * See more: https://wiki.yandex-team.ru/passport/tvm2/tvm-daemon/.
     *
     * Starts a thread for updating the in-memory cache in background.
     * @param settings tvmtool client settings
     * @param logger is useful for monitoring and debugging
     */
    TTvmClient(const NTvmTool::TClientSettings& settings, TLoggerPtr logger);

    /*!
     * Uses general way to get state: https://tvm-api.yandex.net.
     * It is not recommended for Qloud/YP.
     *
     * Starts a thread for updating the in-memory cache in background.
     * Reads cache from disk if specified in settings.
     * @param settings TVM API client settings
     * @param logger is useful for monitoring and debugging
     */
    TTvmClient(const NTvmApi::TClientSettings& settings, TLoggerPtr logger);

    /*!
     * Feel free to use custom updating logic in tests.
     * @param updater custom updater replacing the built-in background updater
     * @param serviceTicketCheckFlags flags applied when checking service tickets
     *        (stored in ServiceTicketCheckFlags_); defaults to an empty set of flags
     */
    TTvmClient(
        TAsyncUpdaterPtr updater,
        const TServiceContext::TCheckFlags& serviceTicketCheckFlags = {});

    TTvmClient(TTvmClient&&);
    ~TTvmClient();
    TTvmClient& operator=(TTvmClient&&);

    /*!
     * You should trigger your monitoring if status is not Ok.
     * The client will be unable to operate if status is Error.
     * Description: https://a.yandex-team.ru/arc/trunk/arcadia/library/cpp/tvmauth/client/README.md#high-level-interface
     * @return Current status of client.
     */
    TClientStatus GetStatus() const;

    /*!
     * Some tools for monitoring: when the cached public keys / service tickets
     * were last updated and when they become invalid.
     */
    TInstant GetUpdateTimeOfPublicKeys() const;
    TInstant GetUpdateTimeOfServiceTickets() const;
    TInstant GetInvalidationTimeOfPublicKeys() const;
    TInstant GetInvalidationTimeOfServiceTickets() const;

    /*!
     * Requires fetching options (from TClientSettings or Qloud/YP/tvmtool settings).
     * Can throw an exception if the cache is invalid or the config is wrong.
     *
     * Alias is a local label for a TvmID
     * which can be used to avoid this number in every checking case in code.
     * @param dst destination service, given either as a configured alias or as a TvmID
     * @return service ticket for the destination
     */
    TString GetServiceTicketFor(const TClientSettings::TAlias& dst) const;
    TString GetServiceTicketFor(const TTvmId dst) const;

    /*!
     * For TTvmApi::TClientSettings: checking must be enabled in TClientSettings.
     * Can throw an exception if checking was not enabled in settings.
     *
     * A ServiceTicket contains src (the calling service's TvmID). A successful check
     * only identifies the caller; whether that caller is allowed to use your API is an
     * authorization decision you must make yourself with your own ACL.
     * @param ticket raw service ticket received from the caller
     * @return checked ticket; inspect its status before trusting its contents
     */
    TCheckedServiceTicket CheckServiceTicket(TStringBuf ticket) const;

    /*!
     * Requires blackbox environment (from TClientSettings or Qloud/YP/tvmtool settings).
     * Can throw an exception if checking was not enabled in settings.
     * @param ticket raw user ticket received from the caller
     * @param overrideEnv allows you to override the blackbox env from settings for this call
     * @return checked ticket; inspect its status before trusting its contents
     */
    TCheckedUserTicket CheckUserTicket(TStringBuf ticket, TMaybe<EBlackboxEnv> overrideEnv = {}) const;

    /*!
     * Under construction now. It is unusable.
     * PASSP-30283
     */
    NRoles::TRolesPtr GetRoles() const;

private:
    // Updater supplying the in-memory cache (built-in or injected via the test constructor).
    TAsyncUpdaterPtr Updater_;
    // Flags applied when checking service tickets; set from the test constructor's argument.
    TServiceContext::TCheckFlags ServiceTicketCheckFlags_;
    // NOTE(review): presumably record which capabilities the settings enabled
    // (ticket fetching, service/user checking, src/uid checkers) — confirm against the .cpp.
    bool NeedService_ = false;
    bool NeedUser_ = false;
    bool NeedTickets_ = false;
    bool NeedSrcChecker_ = false;
    bool NeedDefaultUidChecker_ = false;

    // Internal helper granted access to private state; presumably for tests — confirm.
    friend class NInternal::TClientCaningKnife;
};
}