Google Git
Sign in
vanadium / release.go.x.ref / 505710380ec904ad694a5dcf290f58144a1e1c2d / . / services / identity / internal / blesser / macaroon.go
blob: 1cada67935e9b0f2b32f1ae91a94d678374d1593 [file] [log] [blame]
Jiri Simsad7616c92015-03-24 23:44:30 -0700[diff] [blame]1// Copyright 2015 The Vanadium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]5package blesser
6
7import (
Ankurcfccc8f2015-05-19 17:38:37 -0700[diff] [blame]8 "errors"
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]9 "fmt"
Ankurcfccc8f2015-05-19 17:38:37 -0700[diff] [blame]10 "reflect"
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]11 "time"
12
Jiri Simsaffceefa2015-02-28 11:03:34 -0800[diff] [blame]13 "v.io/x/ref/services/identity"
Suharsh Sivakumarc0048112015-03-19 11:48:28 -0700[diff] [blame]14 "v.io/x/ref/services/identity/internal/oauth"
15 "v.io/x/ref/services/identity/internal/util"
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]16
Todd Wang54feabe2015-04-15 23:38:26 -0700[diff] [blame]17 "v.io/v23/context"
Matt Rosencrantz94502cf2015-03-18 09:43:44 -0700[diff] [blame]18 "v.io/v23/rpc"
Jiri Simsa6ac95222015-02-23 16:11:49 -0800[diff] [blame]19 "v.io/v23/security"
20 "v.io/v23/vom"
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]21)
22
23type macaroonBlesser struct {
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]24 key []byte
25}
26
Asim Shankarb18a44f2014-10-21 20:25:07 -0700[diff] [blame]27// NewMacaroonBlesserServer provides an identity.MacaroonBlesser Service that generates blessings
28// after unpacking a BlessingMacaroon.
Todd Wang702385a2014-11-07 01:54:08 -0800[diff] [blame]29func NewMacaroonBlesserServer(key []byte) identity.MacaroonBlesserServerStub {
30 return identity.MacaroonBlesserServer(&macaroonBlesser{key})
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]31}
32
Todd Wang4264e4b2015-04-16 22:43:40 -0700[diff] [blame]33func (b *macaroonBlesser) Bless(ctx *context.T, call rpc.ServerCall, macaroon string) (security.Blessings, error) {
34 secCall := call.Security()
Asim Shankarb07ec692015-02-27 23:40:44 -0800[diff] [blame]35 var empty security.Blessings
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]36 inputs, err := util.Macaroon(macaroon).Decode(b.key)
37 if err != nil {
Asim Shankarb3a82ba2014-10-29 11:41:27 -0700[diff] [blame]38 return empty, err
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]39 }
Ankur123a5c72015-01-12 16:03:43 -0800[diff] [blame]40 var m oauth.BlessingMacaroon
Todd Wang3425a902015-01-21 18:43:59 -0800[diff] [blame]41 if err := vom.Decode(inputs, &m); err != nil {
Asim Shankarb3a82ba2014-10-29 11:41:27 -0700[diff] [blame]42 return empty, err
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]43 }
44 if time.Now().After(m.Creation.Add(time.Minute * 5)) {
Asim Shankarb3a82ba2014-10-29 11:41:27 -0700[diff] [blame]45 return empty, fmt.Errorf("macaroon has expired")
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]46 }
Matt Rosencrantz311378b2015-03-25 15:26:12 -0700[diff] [blame]47 if secCall.LocalPrincipal() == nil {
Asim Shankarb3a82ba2014-10-29 11:41:27 -0700[diff] [blame]48 return empty, fmt.Errorf("server misconfiguration: no authentication happened")
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]49 }
Ankurcfccc8f2015-05-19 17:38:37 -0700[diff] [blame]50 macaroonPublicKey, err := security.UnmarshalPublicKey(m.PublicKey)
51 if err != nil {
52 return empty, fmt.Errorf("failed to unmarshal public key in macaroon: %v", err)
53 }
54 if !reflect.DeepEqual(secCall.RemoteBlessings().PublicKey(), macaroonPublicKey) {
55 return empty, errors.New("remote end's public key does not match public key in macaroon")
56 }
Asim Shankarf4225372014-10-04 08:34:39 -0700[diff] [blame]57 if len(m.Caveats) == 0 {
58 m.Caveats = []security.Caveat{security.UnconstrainedUse()}
59 }
Matt Rosencrantz311378b2015-03-25 15:26:12 -0700[diff] [blame]60 return secCall.LocalPrincipal().Bless(secCall.RemoteBlessings().PublicKey(),
Asim Shankar8e547062015-05-15 01:00:33 -0700[diff] [blame]61 secCall.LocalBlessings(), m.Name, m.Caveats[0], m.Caveats[1:]...)
Suharsh Sivakumard308c7e2014-10-03 12:46:50 -0700[diff] [blame]62}