macaroons: expand doc strings and comments within package
This commit is contained in:
parent
69b3b96deb
commit
bb59a6e6e9
@ -23,13 +23,18 @@ func (m MacaroonCredential) RequireTransportSecurity() bool {
|
|||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetRequestMetadata implements the PerRPCCredentials interface.
|
// GetRequestMetadata implements the PerRPCCredentials interface. This method
|
||||||
|
// is required in order to pass the wrapped macaroon into the gRPC context.
|
||||||
|
// With this, the macaroon will be available within the request handling scope
|
||||||
|
// of the ultimate gRPC server implementation.
|
||||||
func (m MacaroonCredential) GetRequestMetadata(ctx context.Context,
|
func (m MacaroonCredential) GetRequestMetadata(ctx context.Context,
|
||||||
uri ...string) (map[string]string, error) {
|
uri ...string) (map[string]string, error) {
|
||||||
|
|
||||||
macBytes, err := m.MarshalBinary()
|
macBytes, err := m.MarshalBinary()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
md := make(map[string]string)
|
md := make(map[string]string)
|
||||||
md["macaroon"] = hex.EncodeToString(macBytes)
|
md["macaroon"] = hex.EncodeToString(macBytes)
|
||||||
return md, nil
|
return md, nil
|
||||||
@ -43,10 +48,15 @@ func NewMacaroonCredential(m *macaroon.Macaroon) MacaroonCredential {
|
|||||||
return ms
|
return ms
|
||||||
}
|
}
|
||||||
|
|
||||||
// ValidateMacaroon validates auth given a bakery service, context, and uri.
|
// ValidateMacaroon validates the capabilities of a given request given a
|
||||||
|
// bakery service, context, and uri. Within the passed context.Context, we
|
||||||
|
// expect a macaroon to be encoded as request metadata using the key
|
||||||
|
// "macaroon".
|
||||||
func ValidateMacaroon(ctx context.Context, method string,
|
func ValidateMacaroon(ctx context.Context, method string,
|
||||||
svc *bakery.Service) error {
|
svc *bakery.Service) error {
|
||||||
|
|
||||||
// Get macaroon bytes from context and unmarshal into macaroon.
|
// Get macaroon bytes from context and unmarshal into macaroon.
|
||||||
|
//
|
||||||
// TODO(aakselrod): use FromIncomingContext after grpc update in glide.
|
// TODO(aakselrod): use FromIncomingContext after grpc update in glide.
|
||||||
md, ok := metadata.FromContext(ctx)
|
md, ok := metadata.FromContext(ctx)
|
||||||
if !ok {
|
if !ok {
|
||||||
@ -56,6 +66,10 @@ func ValidateMacaroon(ctx context.Context, method string,
|
|||||||
return fmt.Errorf("expected 1 macaroon, got %d",
|
return fmt.Errorf("expected 1 macaroon, got %d",
|
||||||
len(md["macaroon"]))
|
len(md["macaroon"]))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// With the macaroon obtained, we'll now decode the hex-string
|
||||||
|
// encoding, then unmarshal it from binary into its concrete struct
|
||||||
|
// representation.
|
||||||
macBytes, err := hex.DecodeString(md["macaroon"][0])
|
macBytes, err := hex.DecodeString(md["macaroon"][0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@ -66,8 +80,9 @@ func ValidateMacaroon(ctx context.Context, method string,
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check the method being called against the permitted operation and the
|
// Check the method being called against the permitted operation and
|
||||||
// expiration time and return the result.
|
// the expiration time and return the result.
|
||||||
|
//
|
||||||
// TODO(aakselrod): Add more checks as required.
|
// TODO(aakselrod): Add more checks as required.
|
||||||
return svc.Check(macaroon.Slice{mac}, checkers.New(
|
return svc.Check(macaroon.Slice{mac}, checkers.New(
|
||||||
checkers.OperationChecker(method),
|
checkers.OperationChecker(method),
|
||||||
|
@ -17,12 +17,14 @@ var (
|
|||||||
// NewService returns a service backed by the macaroon Bolt DB stored in the
|
// NewService returns a service backed by the macaroon Bolt DB stored in the
|
||||||
// passed directory.
|
// passed directory.
|
||||||
func NewService(dir string) (*bakery.Service, error) {
|
func NewService(dir string) (*bakery.Service, error) {
|
||||||
// Open the database.
|
// Open the database that we'll use to store the primary macaroon key,
|
||||||
|
// and all generated macaroons+caveats.
|
||||||
macaroonDB, err := bolt.Open(path.Join(dir, dbFilename), 0600,
|
macaroonDB, err := bolt.Open(path.Join(dir, dbFilename), 0600,
|
||||||
bolt.DefaultOptions)
|
bolt.DefaultOptions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
rootKeyStore, err := NewRootKeyStorage(macaroonDB)
|
rootKeyStore, err := NewRootKeyStorage(macaroonDB)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -31,6 +33,7 @@ func NewService(dir string) (*bakery.Service, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
macaroonParams := bakery.NewServiceParams{
|
macaroonParams := bakery.NewServiceParams{
|
||||||
Location: "lnd",
|
Location: "lnd",
|
||||||
Store: macaroonStore,
|
Store: macaroonStore,
|
||||||
|
@ -19,6 +19,7 @@ var (
|
|||||||
|
|
||||||
// defaultRootKeyID is the ID of the default root key. The first is
|
// defaultRootKeyID is the ID of the default root key. The first is
|
||||||
// just 0, to emulate the memory storage that comes with bakery.
|
// just 0, to emulate the memory storage that comes with bakery.
|
||||||
|
//
|
||||||
// TODO(aakselrod): Add support for key rotation.
|
// TODO(aakselrod): Add support for key rotation.
|
||||||
defaultRootKeyID = "0"
|
defaultRootKeyID = "0"
|
||||||
|
|
||||||
@ -42,6 +43,7 @@ func NewRootKeyStorage(db *bolt.DB) (*RootKeyStorage, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Return the DB wrapped in a RootKeyStorage object.
|
// Return the DB wrapped in a RootKeyStorage object.
|
||||||
return &RootKeyStorage{db}, nil
|
return &RootKeyStorage{db}, nil
|
||||||
}
|
}
|
||||||
@ -60,6 +62,7 @@ func (r *RootKeyStorage) Get(id string) ([]byte, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return rootKey, nil
|
return rootKey, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -88,6 +91,7 @@ func (r *RootKeyStorage) RootKey() ([]byte, string, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, "", err
|
return nil, "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
return rootKey, id, nil
|
return rootKey, id, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -97,6 +101,7 @@ type Storage struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// NewStorage creates a Storage instance.
|
// NewStorage creates a Storage instance.
|
||||||
|
//
|
||||||
// TODO(aakselrod): Add support for encryption of data with passphrase.
|
// TODO(aakselrod): Add support for encryption of data with passphrase.
|
||||||
func NewStorage(db *bolt.DB) (*Storage, error) {
|
func NewStorage(db *bolt.DB) (*Storage, error) {
|
||||||
// If the store's bucket doesn't exist, create it.
|
// If the store's bucket doesn't exist, create it.
|
||||||
@ -107,6 +112,7 @@ func NewStorage(db *bolt.DB) (*Storage, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Return the DB wrapped in a Storage object.
|
// Return the DB wrapped in a Storage object.
|
||||||
return &Storage{db}, nil
|
return &Storage{db}, nil
|
||||||
}
|
}
|
||||||
@ -134,6 +140,7 @@ func (s *Storage) Get(location string) (string, error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
return item, nil
|
return item, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user