macaroons: expand doc strings and comments within package

Olaoluwa Osuntokun 2017-08-21 23:18:19 -07:00
parent 69b3b96deb
commit bb59a6e6e9
3 changed files with 30 additions and 5 deletions

@ -23,13 +23,18 @@ func (m MacaroonCredential) RequireTransportSecurity() bool {
return true return true
} }
// GetRequestMetadata implements the PerRPCCredentials interface. // GetRequestMetadata implements the PerRPCCredentials interface. This method
// is required in order to pass the wrapped macaroon into the gRPC context.
// With this, the macaroon will be available within the request handling scope
// of the ultimate gRPC server implementation.
func (m MacaroonCredential) GetRequestMetadata(ctx context.Context, func (m MacaroonCredential) GetRequestMetadata(ctx context.Context,
uri ...string) (map[string]string, error) { uri ...string) (map[string]string, error) {
macBytes, err := m.MarshalBinary() macBytes, err := m.MarshalBinary()
if err != nil { if err != nil {
return nil, err return nil, err
} }
md := make(map[string]string) md := make(map[string]string)
md["macaroon"] = hex.EncodeToString(macBytes) md["macaroon"] = hex.EncodeToString(macBytes)
return md, nil return md, nil
@ -43,10 +48,15 @@ func NewMacaroonCredential(m *macaroon.Macaroon) MacaroonCredential {
return ms return ms
} }
// ValidateMacaroon validates auth given a bakery service, context, and uri. // ValidateMacaroon validates the capabilities of a given request given a
// bakery service, context, and uri. Within the passed context.Context, we
// expect a macaroon to be encoded as request metadata using the key
// "macaroon".
func ValidateMacaroon(ctx context.Context, method string, func ValidateMacaroon(ctx context.Context, method string,
svc *bakery.Service) error { svc *bakery.Service) error {
// Get macaroon bytes from context and unmarshal into macaroon. // Get macaroon bytes from context and unmarshal into macaroon.
//
// TODO(aakselrod): use FromIncomingContext after grpc update in glide. // TODO(aakselrod): use FromIncomingContext after grpc update in glide.
md, ok := metadata.FromContext(ctx) md, ok := metadata.FromContext(ctx)
if !ok { if !ok {
@ -56,6 +66,10 @@ func ValidateMacaroon(ctx context.Context, method string,
return fmt.Errorf("expected 1 macaroon, got %d", return fmt.Errorf("expected 1 macaroon, got %d",
len(md["macaroon"])) len(md["macaroon"]))
} }
// With the macaroon obtained, we'll now decode the hex-string
// encoding, then unmarshal it from binary into its concrete struct
// representation.
macBytes, err := hex.DecodeString(md["macaroon"][0]) macBytes, err := hex.DecodeString(md["macaroon"][0])
if err != nil { if err != nil {
return err return err
@ -66,8 +80,9 @@ func ValidateMacaroon(ctx context.Context, method string,
return err return err
} }
// Check the method being called against the permitted operation and the // Check the method being called against the permitted operation and
// expiration time and return the result. // the expiration time and return the result.
//
// TODO(aakselrod): Add more checks as required. // TODO(aakselrod): Add more checks as required.
return svc.Check(macaroon.Slice{mac}, checkers.New( return svc.Check(macaroon.Slice{mac}, checkers.New(
checkers.OperationChecker(method), checkers.OperationChecker(method),
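Review bot: The reworked doc comment on ValidateMacaroon (the `@ -43,10 +48,15` hunk) still describes the inputs as "a bakery service, context, and uri", but the function takes `method string`, which is exactly what is handed to `checkers.OperationChecker(method)` at the bottom of the function; the sentence also stumbles with "of a given request given a". Since the body enforces two things a caller cannot see from the signature, the comment should state them: the metadata value is decoded with `hex.DecodeString`, and exactly one `"macaroon"` value must be present or an error is returned. A tighter version: `// ValidateMacaroon checks that the request carrying ctx is permitted to invoke the gRPC method named by method, using svc. Exactly one hex-encoded macaroon is expected in the incoming metadata under the key "macaroon".` with a trailing sentence noting that any other count, or a value that fails to decode, is rejected. The remaining checkers passed to svc.Check continue past the end of the hunk.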

@ -17,12 +17,14 @@ var (
// NewService returns a service backed by the macaroon Bolt DB stored in the // NewService returns a service backed by the macaroon Bolt DB stored in the
// passed directory. // passed directory.
func NewService(dir string) (*bakery.Service, error) { func NewService(dir string) (*bakery.Service, error) {
// Open the database. // Open the database that we'll use to store the primary macaroon key,
// and all generated macaroons+caveats.
macaroonDB, err := bolt.Open(path.Join(dir, dbFilename), 0600, macaroonDB, err := bolt.Open(path.Join(dir, dbFilename), 0600,
bolt.DefaultOptions) bolt.DefaultOptions)
if err != nil { if err != nil {
return nil, err return nil, err
} }
rootKeyStore, err := NewRootKeyStorage(macaroonDB) rootKeyStore, err := NewRootKeyStorage(macaroonDB)
if err != nil { if err != nil {
return nil, err return nil, err
@ -31,6 +33,7 @@ func NewService(dir string) (*bakery.Service, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
macaroonParams := bakery.NewServiceParams{ macaroonParams := bakery.NewServiceParams{
Location: "lnd", Location: "lnd",
Store: macaroonStore, Store: macaroonStore,
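Review bot: The new comment above `bolt.Open` in NewService says the database stores "all generated macaroons+caveats", which the visible code does not bear out: the only things built on it are a RootKeyStorage and a bakery Storage whose Get (third file) maps a location string to a string item, and nothing here shows that item is a macaroon, so the comment should claim only what is certain. The 0600 mode is the more security-relevant detail on that line and deserves the why-comment instead, e.g. `// Open the DB with owner-only permissions: it persists the root key used to mint macaroons, so no other local user should be able to read it.` Separately, `path.Join` is being used to build an OS file path; `filepath.Join` is the correct helper (`path` is for slash-separated, URL-style paths), although that line is unchanged by this commit. NewService continues past the end of the hunk.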

@ -19,6 +19,7 @@ var (
// defaultRootKeyID is the ID of the default root key. The first is // defaultRootKeyID is the ID of the default root key. The first is
// just 0, to emulate the memory storage that comes with bakery. // just 0, to emulate the memory storage that comes with bakery.
//
// TODO(aakselrod): Add support for key rotation. // TODO(aakselrod): Add support for key rotation.
defaultRootKeyID = "0" defaultRootKeyID = "0"
@ -42,6 +43,7 @@ func NewRootKeyStorage(db *bolt.DB) (*RootKeyStorage, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Return the DB wrapped in a RootKeyStorage object. // Return the DB wrapped in a RootKeyStorage object.
return &RootKeyStorage{db}, nil return &RootKeyStorage{db}, nil
} }
@ -60,6 +62,7 @@ func (r *RootKeyStorage) Get(id string) ([]byte, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
return rootKey, nil return rootKey, nil
} }
@ -88,6 +91,7 @@ func (r *RootKeyStorage) RootKey() ([]byte, string, error) {
if err != nil { if err != nil {
return nil, "", err return nil, "", err
} }
return rootKey, id, nil return rootKey, id, nil
} }
@ -97,6 +101,7 @@ type Storage struct {
} }
// NewStorage creates a Storage instance. // NewStorage creates a Storage instance.
//
// TODO(aakselrod): Add support for encryption of data with passphrase. // TODO(aakselrod): Add support for encryption of data with passphrase.
func NewStorage(db *bolt.DB) (*Storage, error) { func NewStorage(db *bolt.DB) (*Storage, error) {
// If the store's bucket doesn't exist, create it. // If the store's bucket doesn't exist, create it.
@ -107,6 +112,7 @@ func NewStorage(db *bolt.DB) (*Storage, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Return the DB wrapped in a Storage object. // Return the DB wrapped in a Storage object.
return &Storage{db}, nil return &Storage{db}, nil
} }
@ -134,6 +140,7 @@ func (s *Storage) Get(location string) (string, error) {
if err != nil { if err != nil {
return "", err return "", err
} }
return item, nil return item, nil
} }