macaroons: add IP lock macaroon constraint
This commit is contained in:
parent
a6b9155150
commit
679e86174f
@ -85,6 +85,9 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
|
||||
// TODO(aakselrod): add better anti-replay protection.
|
||||
macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout")),
|
||||
|
||||
// Lock macaroon down to a specific IP address.
|
||||
macaroons.IPLockConstraint(ctx.GlobalString("macaroonip")),
|
||||
|
||||
// ... Add more constraints if needed.
|
||||
}
|
||||
|
||||
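Review bot: The value of `macaroonip` is passed to `macaroons.IPLockConstraint` without any validation on the client side, so a typo such as `127.0.0.1:10009` or a hostname would be baked into the caveat and only fail at the server. Since `net` is not visible in this file's imports here, the cheapest check is to reject anything `net.ParseIP` cannot parse before building the constraint: `if ip := ctx.GlobalString("macaroonip"); ip != "" && net.ParseIP(ip) == nil { fatal(fmt.Errorf("macaroonip %q is not a valid IP literal", ip)) }` (adapt the error path to what getClientConn already uses; its body continues outside this hunk). The constraint is also applied unconditionally, so IPLockConstraint — not shown on this page — is presumably a no-op for an empty string; that is worth confirming and stating in its doc comment. The flag hunk below could likewise say in its usage string that the value is a bare IPv4/IPv6 literal with no port.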
@ -134,6 +137,10 @@ func main() {
|
||||
Value: 60,
|
||||
Usage: "anti-replay macaroon validity time in seconds",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "macaroonip",
|
||||
Usage: "if set, lock macaroon to specific IP address",
|
||||
},
|
||||
}
|
||||
app.Commands = []cli.Command{
|
||||
newAddressCommand,
|
||||
|
@ -3,9 +3,11 @@ package macaroons
|
||||
import (
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"net"
|
||||
|
||||
"golang.org/x/net/context"
|
||||
"google.golang.org/grpc/metadata"
|
||||
"google.golang.org/grpc/peer"
|
||||
|
||||
"gopkg.in/macaroon-bakery.v1/bakery"
|
||||
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
|
||||
@ -67,6 +69,16 @@ func ValidateMacaroon(ctx context.Context, method string,
|
||||
len(md["macaroon"]))
|
||||
}
|
||||
|
||||
// Get peer info and extract IP address from it for macaroon check
|
||||
pr, ok := peer.FromContext(ctx)
|
||||
if !ok {
|
||||
return fmt.Errorf("unable to get peer info from context")
|
||||
}
|
||||
peerAddr, _, err := net.SplitHostPort(pr.Addr.String())
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to parse peer address")
|
||||
}
|
||||
|
||||
// With the macaroon obtained, we'll now decode the hex-string
|
||||
// encoding, then unmarshal it from binary into its concrete struct
|
||||
// representation.
|
||||
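Review bot: The peer lookup at the top of this hunk dereferences `pr.Addr` without a nil check, and drops the `net.SplitHostPort` error when reporting the failure; both lines sit before the macaroon is decoded, so every RPC now depends on them. A defensive form is `if !ok || pr.Addr == nil { return fmt.Errorf("unable to get peer info from context") }` followed by `return fmt.Errorf("unable to parse peer address %q: %v", pr.Addr.String(), err)` so an operator can see which address form (for example a unix socket path, which has no host:port) tripped the check. Whether `pr.Addr` can actually be nil for this listener cannot be told from the page, so treat that part as a hardening suggestion. It is also worth a comment on the `peer.FromContext` line that the address seen here is the transport peer: if the daemon is ever fronted by a proxy or TLS terminator, the lock binds to the proxy's IP rather than the real client's. ValidateMacaroon begins outside this hunk.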
@ -87,5 +99,6 @@ func ValidateMacaroon(ctx context.Context, method string,
|
||||
return svc.Check(macaroon.Slice{mac}, checkers.New(
|
||||
PermissionsChecker(method),
|
||||
TimeoutChecker(),
|
||||
IPLockChecker(peerAddr),
|
||||
))
|
||||
}
|
||||
|
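Review bot: `IPLockChecker(peerAddr)` is fed the raw host string from `net.SplitHostPort`, and the checker's comparison rule is not on this page, so it is unclear whether equivalent representations of the same address compare equal (for example `::ffff:127.0.0.1` from an IPv6 listener versus `127.0.0.1` in the caveat, or an IPv6 literal with a zone suffix). If the checker compares strings, consider normalizing both sides through `net.ParseIP` before comparing, and document the chosen rule on IPLockChecker so operators know what the caveat actually matches. Note also that macaroons minted without the IP caveat still pass this checker, which is the expected first-party-caveat behaviour but deserves a one-line comment next to the `IPLockChecker` entry.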