buildgrid.server.auth.manager module

class buildgrid.server.auth.manager.JwtParser(secret: str | None = None, algorithm: AuthMetadataAlgorithm = AuthMetadataAlgorithm.UNSPECIFIED, jwks_url: str | None = None, audience: str | None = None, jwks_fetch_minutes: int = 60)

Bases: object

jwt_invalid_exceptions = (buildgrid.server.auth.exceptions.ExpiredTokenError, buildgrid.server.auth.exceptions.InvalidTokenError, buildgrid.server.auth.exceptions.UnboundedTokenError)
parse(token: str) → Dict[str, Any]
identity_from_token(token: str) → Tuple[str | None, str | None, str | None]
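The checks a shared-secret `JwtParser(secret=..., algorithm=HS256, audience=...)` is configured to perform, written out as an added stdlib-only illustration (not BuildGrid's implementation): the algorithm is pinned to the configured one rather than read from the token header, the signature is compared in constant time, a token without `exp` is rejected (assumed here to be what UnboundedTokenError denotes), and expiry and audience are checked. The exception classes are local stand-ins for those in buildgrid.server.auth.exceptions, and `mint_hs256` is a constructed helper for producing sample tokens.

```python
import base64, hashlib, hmac, json, time
from typing import Any, Dict, Optional

class InvalidTokenError(Exception): ...            # stand-ins for buildgrid.server.auth.exceptions
class ExpiredTokenError(InvalidTokenError): ...
class UnboundedTokenError(InvalidTokenError): ...  # assumed meaning: the token carries no expiry

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256(claims: Dict[str, Any], secret: str) -> str:  # constructed helper; BuildGrid only consumes tokens
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def parse_hs256(token: str, secret: str, audience: Optional[str] = None, now: Optional[float] = None) -> Dict[str, Any]:
    """Verify a shared-secret token; `now` overrides the clock so expiry can be tested deterministically."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)): raise ValueError
    except ValueError:  # wrong segment count, bad base64, bad UTF-8, bad JSON or non-object JSON
        raise InvalidTokenError("malformed token") from None
    # Pin the algorithm to the configured one; the token's own header must never choose it ("none", RS256, ...).
    if header.get("alg") != "HS256":
        raise InvalidTokenError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise InvalidTokenError("signature mismatch")
    if not isinstance(claims.get("exp"), (int, float)):
        raise UnboundedTokenError("token has no numeric exp claim")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ExpiredTokenError("token expired")
    if audience is not None and claims.get("aud") != audience:
        raise InvalidTokenError("audience mismatch")
    return claims

def classify(token: str, secret: str, audience: Optional[str] = None, now: Optional[float] = None) -> str:
    try:
        parse_hs256(token, secret, audience, now)
        return "ok"
    except ExpiredTokenError: return "expired"  # subclasses must be listed before the base class
    except UnboundedTokenError: return "unbounded"
    except InvalidTokenError: return "invalid"
```

`classify` names which check rejected a token, which is the distinction a server-side log needs when the JWT parser's three exception types are handled together.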
class buildgrid.server.auth.manager.AuthManager

Bases: ABC

abstract authorize(context: ServicerContext, instance_name: str, request_name: str) → bool

Determine whether or not a request is authorized.

This method takes a ServicerContext for an incoming gRPC request, along with the name of the request and the name of the instance that the request is intended for. Information about the requester's identity, for example a JWT token, is extracted from the context.

This identity information is compared to the ACL configuration given to this class at construction time to determine authorization for the request.

Parameters:
  • context (ServicerContext) – The context for the gRPC request to check the authz status of.

  • instance_name (str) – The name of the instance that the gRPC request will be interacting with. This is used for per-instance ACLs.

  • request_name (str) – The name of the request being authorized, for example Execute.

Returns:

Whether the request is authorized.

Return type:

bool

class buildgrid.server.auth.manager.JWTAuthManager(secret: str | None = None, algorithm: AuthMetadataAlgorithm = AuthMetadataAlgorithm.UNSPECIFIED, jwks_url: str | None = None, audience: str | None = None, jwks_fetch_minutes: int = 60, acls: Mapping[str, InstanceAuthorizationConfig] | None = None, allow_unauthorized_instances: Set[str] | None = None)

Bases: AuthManager

authorize(context: ServicerContext, instance_name: str, request_name: str) → bool

Determine whether or not a request is authorized.

This method takes a ServicerContext for an incoming gRPC request, along with the name of the request and the name of the instance that the request is intended for. Information about the requester's identity, for example a JWT token, is extracted from the context.

This identity information is compared to the ACL configuration given to this class at construction time to determine authorization for the request.

Parameters:
  • context (ServicerContext) – The context for the gRPC request to check the authz status of.

  • instance_name (str) – The name of the instance that the gRPC request will be interacting with. This is used for per-instance ACLs.

  • request_name (str) – The name of the request being authorized, for example Execute.

Returns:

Whether the request is authorized.

Return type:

bool

class buildgrid.server.auth.manager.HeadersAuthManager(acls: Mapping[str, InstanceAuthorizationConfig] | None = None, allow_unauthorized_instances: Set[str] | None = None)

Bases: AuthManager

authorize(context: ServicerContext, instance_name: str, request_name: str) → bool

Determine whether or not a request is authorized.

This method takes a ServicerContext for an incoming gRPC request, along with the name of the request and the name of the instance that the request is intended for. Information about the requester's identity, for example a JWT token, is extracted from the context.

This identity information is compared to the ACL configuration given to this class at construction time to determine authorization for the request.

Parameters:
  • context (ServicerContext) – The context for the gRPC request to check the authz status of.

  • instance_name (str) – The name of the instance that the gRPC request will be interacting with. This is used for per-instance ACLs.

  • request_name (str) – The name of the request being authorized, for example Execute.

Returns:

Whether the request is authorized.

Return type:

bool

buildgrid.server.auth.manager.set_auth_manager(manager: AuthManager | None) → None
buildgrid.server.auth.manager.get_auth_manager() → AuthManager | None
buildgrid.server.auth.manager.authorize_unary_unary(get_instance_name: Callable[[Any], str]) → Callable[[Func], Func]
buildgrid.server.auth.manager.authorize_unary_stream(get_instance_name: Callable[[Any], str]) → Callable[[Func], Func]
buildgrid.server.auth.manager.authorize_stream_unary(get_instance_name: Callable[[Any], str]) → Callable[[Func], Func]