2017-08-18 04:50:15 +03:00
|
|
|
package macaroons
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/hex"
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"google.golang.org/grpc/metadata"
|
|
|
|
|
2018-01-16 19:18:41 +03:00
|
|
|
"golang.org/x/net/context"
|
|
|
|
|
|
|
|
"gopkg.in/macaroon-bakery.v2/bakery"
|
|
|
|
macaroon "gopkg.in/macaroon.v2"
|
2017-08-18 04:50:15 +03:00
|
|
|
)
|
|
|
|
|
|
|
|
// MacaroonCredential wraps a macaroon to implement the
|
|
|
|
// credentials.PerRPCCredentials interface.
|
|
|
|
type MacaroonCredential struct {
|
|
|
|
*macaroon.Macaroon
|
|
|
|
}
|
|
|
|
|
|
|
|
// RequireTransportSecurity implements the PerRPCCredentials interface.
|
|
|
|
func (m MacaroonCredential) RequireTransportSecurity() bool {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2017-08-22 09:18:19 +03:00
|
|
|
// GetRequestMetadata implements the PerRPCCredentials interface. This method
|
|
|
|
// is required in order to pass the wrapped macaroon into the gRPC context.
|
|
|
|
// With this, the macaroon will be available within the request handling scope
|
|
|
|
// of the ultimate gRPC server implementation.
|
2017-08-18 04:50:15 +03:00
|
|
|
func (m MacaroonCredential) GetRequestMetadata(ctx context.Context,
|
|
|
|
uri ...string) (map[string]string, error) {
|
2017-08-22 09:18:19 +03:00
|
|
|
|
2017-08-18 04:50:15 +03:00
|
|
|
macBytes, err := m.MarshalBinary()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2017-08-22 09:18:19 +03:00
|
|
|
|
2017-08-18 04:50:15 +03:00
|
|
|
md := make(map[string]string)
|
|
|
|
md["macaroon"] = hex.EncodeToString(macBytes)
|
|
|
|
return md, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewMacaroonCredential returns a copy of the passed macaroon wrapped in a
|
|
|
|
// MacaroonCredential struct which implements PerRPCCredentials.
|
|
|
|
func NewMacaroonCredential(m *macaroon.Macaroon) MacaroonCredential {
|
|
|
|
ms := MacaroonCredential{}
|
|
|
|
ms.Macaroon = m.Clone()
|
|
|
|
return ms
|
|
|
|
}
|
|
|
|
|
2017-08-22 09:18:19 +03:00
|
|
|
// ValidateMacaroon validates the capabilities of a given request given a
|
|
|
|
// bakery service, context, and uri. Within the passed context.Context, we
|
|
|
|
// expect a macaroon to be encoded as request metadata using the key
|
|
|
|
// "macaroon".
|
2018-01-16 19:18:41 +03:00
|
|
|
func ValidateMacaroon(ctx context.Context, requiredPermissions []bakery.Op,
|
|
|
|
svc *bakery.Bakery) error {
|
2017-08-22 09:18:19 +03:00
|
|
|
|
2017-08-18 04:50:15 +03:00
|
|
|
// Get macaroon bytes from context and unmarshal into macaroon.
|
2018-01-16 19:18:41 +03:00
|
|
|
md, ok := metadata.FromIncomingContext(ctx)
|
2017-08-18 04:50:15 +03:00
|
|
|
if !ok {
|
|
|
|
return fmt.Errorf("unable to get metadata from context")
|
|
|
|
}
|
|
|
|
if len(md["macaroon"]) != 1 {
|
|
|
|
return fmt.Errorf("expected 1 macaroon, got %d",
|
|
|
|
len(md["macaroon"]))
|
|
|
|
}
|
2017-08-22 09:18:19 +03:00
|
|
|
|
|
|
|
// With the macaroon obtained, we'll now decode the hex-string
|
|
|
|
// encoding, then unmarshal it from binary into its concrete struct
|
|
|
|
// representation.
|
2017-08-18 04:50:15 +03:00
|
|
|
macBytes, err := hex.DecodeString(md["macaroon"][0])
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
mac := &macaroon.Macaroon{}
|
|
|
|
err = mac.UnmarshalBinary(macBytes)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2017-08-22 09:18:19 +03:00
|
|
|
// Check the method being called against the permitted operation and
|
2018-01-16 19:18:41 +03:00
|
|
|
// the expiration time and IP address and return the result.
|
|
|
|
authChecker := svc.Checker.Auth(macaroon.Slice{mac})
|
|
|
|
_, err = authChecker.Allow(ctx, requiredPermissions...)
|
|
|
|
return err
|
2017-08-18 04:50:15 +03:00
|
|
|
}
|