Indicate if token is an anonymous token

earthly · Apr 19, 2024 · 594835b · 594835b
1 parent 422af49
commit 594835b
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 69 deletions.
diff --git a/session/auth/auth.pb.go b/session/auth/auth.pb.go
diff --git a/session/auth/auth.proto b/session/auth/auth.proto
@@ -4,51 +4,49 @@ package moby.filesync.v1;
 
 option go_package = "auth";
 
-service Auth{
-	rpc Credentials(CredentialsRequest) returns (CredentialsResponse);
-	rpc FetchToken(FetchTokenRequest) returns (FetchTokenResponse);
-	rpc GetTokenAuthority(GetTokenAuthorityRequest) returns (GetTokenAuthorityResponse);
-	rpc VerifyTokenAuthority(VerifyTokenAuthorityRequest) returns (VerifyTokenAuthorityResponse);
+service Auth {
+  rpc Credentials(CredentialsRequest) returns (CredentialsResponse);
+  rpc FetchToken(FetchTokenRequest) returns (FetchTokenResponse);
+  rpc GetTokenAuthority(GetTokenAuthorityRequest)
+      returns (GetTokenAuthorityResponse);
+  rpc VerifyTokenAuthority(VerifyTokenAuthorityRequest)
+      returns (VerifyTokenAuthorityResponse);
 }
 
-message CredentialsRequest {
-	string Host = 1;
-}
+message CredentialsRequest { string Host = 1; }
 
 message CredentialsResponse {
-	string Username = 1;
-	string Secret = 2;
+  string Username = 1;
+  string Secret = 2;
 }
 
 message FetchTokenRequest {
-	string ClientID = 1;
-	string Host = 2;
-	string Realm = 3;
-	string Service = 4;
-	repeated string Scopes = 5;
+  string ClientID = 1;
+  string Host = 2;
+  string Realm = 3;
+  string Service = 4;
+  repeated string Scopes = 5;
 }
 
 message FetchTokenResponse {
-	string Token = 1;
-	int64 ExpiresIn = 2; // seconds
-	int64 IssuedAt = 3; // timestamp
+  string Token = 1;
+  int64 ExpiresIn = 2; // seconds
+  int64 IssuedAt = 3;  // timestamp
+
+  bool Anonymous = 99; // earthly-specific
 }
 
 message GetTokenAuthorityRequest {
-	string Host = 1;
-	bytes Salt = 2;
+  string Host = 1;
+  bytes Salt = 2;
 }
 
-message GetTokenAuthorityResponse {
-	bytes PublicKey = 1;
-}
+message GetTokenAuthorityResponse { bytes PublicKey = 1; }
 
 message VerifyTokenAuthorityRequest {
-	string Host = 1;
-	bytes Payload = 2;
-	bytes Salt = 3;
+  string Host = 1;
+  bytes Payload = 2;
+  bytes Salt = 3;
 }
 
-message VerifyTokenAuthorityResponse {
-	bytes Signed = 1;
-}
+message VerifyTokenAuthorityResponse { bytes Signed = 1; }
diff --git a/session/auth/authprovider/authprovider.go b/session/auth/authprovider/authprovider.go
@@ -78,7 +78,7 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 
 	// check for statically configured bearer token
 	if ac.RegistryToken != "" {
-		return toTokenResponse(ac.RegistryToken, time.Time{}, 0), nil
+		return toTokenResponse(ac.RegistryToken, time.Time{}, 0, false), nil
 	}
 
 	creds, err := ap.credentials(req.Host)
@@ -127,19 +127,20 @@ func (ap *authProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequ
 					if err != nil {
 						return nil, err
 					}
-					return toTokenResponse(resp.Token, resp.IssuedAt, resp.ExpiresIn), nil
+					return toTokenResponse(resp.Token, resp.IssuedAt, resp.ExpiresIn, false), nil
 				}
 			}
 			return nil, err
 		}
-		return toTokenResponse(resp.AccessToken, resp.IssuedAt, resp.ExpiresIn), nil
+		return toTokenResponse(resp.AccessToken, resp.IssuedAt, resp.ExpiresIn, false), nil
 	}
 	// do request anonymously
 	resp, err := authutil.FetchToken(ctx, httpClient, nil, to)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to fetch anonymous token")
 	}
-	return toTokenResponse(resp.Token, resp.IssuedAt, resp.ExpiresIn), nil
+
+	return toTokenResponse(resp.Token, resp.IssuedAt, resp.ExpiresIn, true), nil
 }
 
 func (ap *authProvider) tlsConfig(host string) (*tls.Config, error) {
@@ -276,13 +277,14 @@ func (ap *authProvider) getAuthorityKey(host string, salt []byte) (ed25519.Priva
 	return ed25519.NewKeyFromSeed(sum[:ed25519.SeedSize]), nil
 }
 
-func toTokenResponse(token string, issuedAt time.Time, expires int) *auth.FetchTokenResponse {
+func toTokenResponse(token string, issuedAt time.Time, expires int, anonymous bool) *auth.FetchTokenResponse {
 	if expires == 0 {
 		expires = defaultExpiration
 	}
 	resp := &auth.FetchTokenResponse{
 		Token:     token,
 		ExpiresIn: int64(expires),
+		Anonymous: anonymous, // earthly-specific
 	}
 	if !issuedAt.IsZero() {
 		resp.IssuedAt = issuedAt.Unix()