buildgrid.server.auth.manager module

class buildgrid.server.auth.manager.JwtParser(secret: str | None = None, algorithm: AuthMetadataAlgorithm = AuthMetadataAlgorithm.UNSPECIFIED, jwks_urls: list[str] | None = None, audiences: list[str] | None = None, jwks_fetch_minutes: int = 60)

Bases: object

parse(token: str) → dict[str, Any]
identity_from_jwt_payload(payload: dict[str, Any]) → ClientIdentity
Extract the relevant claims from the JWT

“aud” -> workflow
“sub” -> subject
“act” -> actor

If the “act” field is not set, the subject is considered the actor. The audience for the identity is taken from the config if set. If the “aud” field is an array of strings, the first element is set as the audience.

Parameters:
  • payload (dict[str, Any]) – The decoded payload from the JWT.

Returns:

A dictionary containing workflow, actor, subject

identity_from_token(token: str) → ClientIdentity
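The claim mapping described for identity_from_jwt_payload, written out as an added example (not BuildGrid's own code): the Identity dataclass, the identity_from_payload function and audience_accepted are hypothetical names, and it is an assumption that a configured audience list replaces the token's “aud” by its first entry. audience_accepted shows the check a parser has to make against the configured audiences before the claims are trusted, since the mapping itself validates nothing.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Identity:
    """Hypothetical stand-in for ClientIdentity."""
    workflow: str | None  # from "aud"
    subject: str | None   # from "sub"
    actor: str | None     # from "act", falling back to "sub"


def _first_audience(aud: Any) -> str | None:
    # RFC 7519 allows "aud" to be a single string or an array of strings;
    # the documented behaviour takes the first element of an array.
    if isinstance(aud, list):
        return aud[0] if aud else None
    return aud


def identity_from_payload(
    payload: dict[str, Any], configured_audiences: list[str] | None = None
) -> Identity:
    """Map decoded JWT claims to an identity, as the docstring describes."""
    subject = payload.get("sub")
    # No "act" claim: the subject is the actor.
    actor = payload.get("act", subject)
    if configured_audiences:
        # Assumption: configured audiences win over the token's "aud".
        workflow: str | None = configured_audiences[0]
    else:
        workflow = _first_audience(payload.get("aud"))
    return Identity(workflow=workflow, subject=subject, actor=actor)


def audience_accepted(payload: dict[str, Any], configured_audiences: list[str]) -> bool:
    """True only if the token names at least one configured audience.

    A token with no "aud", or whose "aud" (string or array) shares nothing
    with the configured list, must be rejected before identity extraction.
    """
    aud = payload.get("aud")
    token_audiences = aud if isinstance(aud, list) else [aud] if aud else []
    return any(a in configured_audiences for a in token_audiences)
```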
class buildgrid.server.auth.manager.AuthManager

Bases: ABC

abstract authorize(context: ServicerContext, instance_name: str, request_name: str) → bool

Determine whether or not a request is authorized.

This method takes a ServicerContext for an incoming gRPC request, along with the name of the request, and the name of the instance that the request is intended for. Information about the identity of the requester is extracted from the context, for example a JWT token.

This identity information is compared to the ACL configuration given to this class at construction time to determine authorization for the request.

Parameters:
  • context (ServicerContext) – The context for the gRPC request to check the authz status of.

  • instance_name (str) – The name of the instance that the gRPC request will be interacting with. This is used for per-instance ACLs.

  • request_name (str) – The name of the request being authorized, for example Execute.

Returns:

Whether the request is authorized.

Return type:

bool

class buildgrid.server.auth.manager.JWTAuthManager(secret: str | None = None, algorithm: AuthMetadataAlgorithm = AuthMetadataAlgorithm.UNSPECIFIED, jwks_urls: list[str] | None = None, audiences: list[str] | None = None, jwks_fetch_minutes: int = 60, acls: Mapping[str, InstanceAuthorizationConfig] | None = None, allow_unauthorized_instances: set[str] | None = None)

Bases: AuthManager

authorize(context: ServicerContext, instance_name: str, request_name: str) → bool

Determine whether or not a request is authorized.

This method takes a ServicerContext for an incoming gRPC request, along with the name of the request, and the name of the instance that the request is intended for. Information about the identity of the requester is extracted from the context, for example a JWT token.

This identity information is compared to the ACL configuration given to this class at construction time to determine authorization for the request.

Parameters:
  • context (ServicerContext) – The context for the gRPC request to check the authz status of.

  • instance_name (str) – The name of the instance that the gRPC request will be interacting with. This is used for per-instance ACLs.

  • request_name (str) – The name of the request being authorized, for example Execute.

Returns:

Whether the request is authorized.

Return type:

bool

class buildgrid.server.auth.manager.HeadersAuthManager(acls: Mapping[str, InstanceAuthorizationConfig] | None = None, allow_unauthorized_instances: set[str] | None = None)

Bases: AuthManager

authorize(context: ServicerContext, instance_name: str, request_name: str) → bool

Determine whether or not a request is authorized.

This method takes a ServicerContext for an incoming gRPC request, along with the name of the request, and the name of the instance that the request is intended for. Information about the identity of the requester is extracted from the context, for example a JWT token.

This identity information is compared to the ACL configuration given to this class at construction time to determine authorization for the request.

Parameters:
  • context (ServicerContext) – The context for the gRPC request to check the authz status of.

  • instance_name (str) – The name of the instance that the gRPC request will be interacting with. This is used for per-instance ACLs.

  • request_name (str) – The name of the request being authorized, for example Execute.

Returns:

Whether the request is authorized.

Return type:

bool

buildgrid.server.auth.manager.set_auth_manager(manager: AuthManager | None) → None
buildgrid.server.auth.manager.get_auth_manager() → AuthManager | None
buildgrid.server.auth.manager.authorize_request(request_context: ServicerContext, instance_name: str, request_name: str) → None
buildgrid.server.auth.manager.set_context_client_identity(clientIdentity: ClientIdentity) → None
buildgrid.server.auth.manager.get_context_client_identity() → ClientIdentity | None