macaroons: add IP lock macaroon constraint

whythat 2017-09-02 03:46:27 +03:00 committed by Olaoluwa Osuntokun
parent a6b9155150
commit 679e86174f
2 changed files with 20 additions and 0 deletions

@ -85,6 +85,9 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
// TODO(aakselrod): add better anti-replay protection.
macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout")),
// Lock macaroon down to a specific IP address.
macaroons.IPLockConstraint(ctx.GlobalString("macaroonip")),
// ... Add more constraints if needed.
}
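Review bot: The `macaroons.IPLockConstraint(ctx.GlobalString("macaroonip"))` line is applied unconditionally, so when the new `macaroonip` flag is left unset (its default is the empty string) the constraint receives "" as the lock value. Unless IPLockConstraint treats an empty address as "add no caveat" — its definition is not in this diff, so I can't confirm — every CLI call would carry an IP-lock caveat for an empty address and be rejected by the server-side IPLockChecker. Either document that contract at the IPLockConstraint definition (`// IPLockConstraint adds no caveat when ipAddr is empty.`), or build the constraint slice with append and only add the IP lock when `ctx.GlobalString("macaroonip") != ""`. getClientConn's body starts and ends outside this hunk.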
@ -134,6 +137,10 @@ func main() {
Value: 60,
Usage: "anti-replay macaroon validity time in seconds",
},
cli.StringFlag{
Name: "macaroonip",
Usage: "if set, lock macaroon to specific IP address",
},
}
app.Commands = []cli.Command{
newAddressCommand,

@ -3,9 +3,11 @@ package macaroons
import (
"encoding/hex"
"fmt"
"net"
"golang.org/x/net/context"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/peer"
"gopkg.in/macaroon-bakery.v1/bakery"
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
@ -67,6 +69,16 @@ func ValidateMacaroon(ctx context.Context, method string,
len(md["macaroon"]))
}
// Get peer info and extract IP address from it for macaroon check
pr, ok := peer.FromContext(ctx)
if !ok {
return fmt.Errorf("unable to get peer info from context")
}
peerAddr, _, err := net.SplitHostPort(pr.Addr.String())
if err != nil {
return fmt.Errorf("unable to parse peer address")
}
// With the macaroon obtained, we'll now decode the hex-string
// encoding, then unmarshal it from binary into its concrete struct
// representation.
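Review bot: The `net.SplitHostPort` failure path discards `err` and rejects the request, and this runs before the macaroon is even decoded, so any peer whose `pr.Addr.String()` is not in host:port form (a unix-socket listener, if one is ever added) would be refused regardless of whether the macaroon carries an IP-lock caveat at all. At minimum keep the cause in the error: `return fmt.Errorf("unable to parse peer address %q: %v", pr.Addr.String(), err)`. It is also worth a comment on the `peer.FromContext` line that `peerAddr` is the transport-level remote address, so the lock binds to whatever directly connects to the gRPC server (a reverse proxy, if one is in front) rather than the original client. ValidateMacaroon starts and ends outside this hunk.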
@ -87,5 +99,6 @@ func ValidateMacaroon(ctx context.Context, method string,
return svc.Check(macaroon.Slice{mac}, checkers.New(
PermissionsChecker(method),
TimeoutChecker(),
IPLockChecker(peerAddr),
))
}