Documentation ¶
Index ¶
- Constants
- Variables
- func AddConstraints(mac *macaroon.Macaroon, cs ...Constraint) (*macaroon.Macaroon, error)
- func IPLockChecker() (string, checkers.Func)
- func IPLockConstraint(ipAddr string) func(*macaroon.Macaroon) error
- func TimeoutConstraint(seconds int64) func(*macaroon.Macaroon) error
- type Checker
- type Constraint
- type MacaroonCredential
- type RootKeyStorage
- type Service
- func (svc *Service) Close() error
- func (svc *Service) CreateUnlock(password *[]byte) error
- func (svc *Service) StreamServerInterceptor(permissionMap map[string][]bakery.Op) grpc.StreamServerInterceptor
- func (svc *Service) UnaryServerInterceptor(permissionMap map[string][]bakery.Op) grpc.UnaryServerInterceptor
- func (svc *Service) ValidateMacaroon(ctx context.Context, requiredPermissions []bakery.Op) error
Constants ¶
const (
// RootKeyLen is the length of a root key.
RootKeyLen = 32
)
Variables ¶
var ( // ErrAlreadyUnlocked specifies that the store has already been // unlocked. ErrAlreadyUnlocked = fmt.Errorf("macaroon store already unlocked") // ErrStoreLocked specifies that the store needs to be unlocked with // a password. ErrStoreLocked = fmt.Errorf("macaroon store is locked") // ErrPasswordRequired specifies that a nil password has been passed. ErrPasswordRequired = fmt.Errorf("a non-nil password is required") )
Functions ¶
func AddConstraints ¶
AddConstraints returns new derived macaroon by applying every passed constraint and tightening its restrictions.
func IPLockChecker ¶
IPLockChecker accepts client IP from the validation context and compares it with IP locked in the macaroon. It is of the `Checker` type.
func IPLockConstraint ¶
IPLockConstraint locks macaroon to a specific IP address. If address is an empty string, this constraint does nothing to accommodate default value's desired behavior.
Types ¶
type Checker ¶
Checker type adds a layer of indirection over macaroon checkers. A Checker returns the name of the checker and the checker function; these are used to register the function with the bakery service's compound checker.
type Constraint ¶
Constraint type adds a layer of indirection over macaroon caveats.
type MacaroonCredential ¶
MacaroonCredential wraps a macaroon to implement the credentials.PerRPCCredentials interface.
func NewMacaroonCredential ¶
func NewMacaroonCredential(m *macaroon.Macaroon) MacaroonCredential
NewMacaroonCredential returns a copy of the passed macaroon wrapped in a MacaroonCredential struct which implements PerRPCCredentials.
func (MacaroonCredential) GetRequestMetadata ¶
func (m MacaroonCredential) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
GetRequestMetadata implements the PerRPCCredentials interface. This method is required in order to pass the wrapped macaroon into the gRPC context. With this, the macaroon will be available within the request handling scope of the ultimate gRPC server implementation.
func (MacaroonCredential) RequireTransportSecurity ¶
func (m MacaroonCredential) RequireTransportSecurity() bool
RequireTransportSecurity implements the PerRPCCredentials interface.
type RootKeyStorage ¶
type RootKeyStorage struct { *bolt.DB // contains filtered or unexported fields }
RootKeyStorage implements the bakery.RootKeyStorage interface.
func NewRootKeyStorage ¶
func NewRootKeyStorage(db *bolt.DB) (*RootKeyStorage, error)
NewRootKeyStorage creates a RootKeyStorage instance. TODO(aakselrod): Add support for encryption of data with passphrase.
func (*RootKeyStorage) Close ¶
func (r *RootKeyStorage) Close() error
Close closes the underlying database and zeroes the encryption key stored in memory.
func (*RootKeyStorage) CreateUnlock ¶
func (r *RootKeyStorage) CreateUnlock(password *[]byte) error
CreateUnlock sets an encryption key if one is not already set, otherwise it checks if the password is correct for the stored encryption key.
type Service ¶
Service encapsulates bakery.Bakery and adds a Close() method that zeroes the root key service encryption keys, as well as utility methods to validate a macaroon against the bakery and gRPC middleware for macaroon-based auth.
func NewService ¶
NewService returns a service backed by the macaroon Bolt DB stored in the passed directory. The `checks` argument can be any of the `Checker` type functions defined in this package, or a custom checker if desired. This constructor prevents double-registration of checkers to prevent panics, so listing the same checker more than once is not harmful. Default checkers, such as those for `allow`, `time-before`, `declared`, and `error` caveats are registered automatically and don't need to be added.
func (*Service) Close ¶
Close closes the database that underlies the RootKeyStore and zeroes the encryption keys.
func (*Service) CreateUnlock ¶
CreateUnlock calls the underlying root key store's CreateUnlock and returns the result.
func (*Service) StreamServerInterceptor ¶
func (svc *Service) StreamServerInterceptor( permissionMap map[string][]bakery.Op) grpc.StreamServerInterceptor
StreamServerInterceptor is a GRPC interceptor that checks whether the request is authorized by the included macaroons.
func (*Service) UnaryServerInterceptor ¶
func (svc *Service) UnaryServerInterceptor( permissionMap map[string][]bakery.Op) grpc.UnaryServerInterceptor
UnaryServerInterceptor is a GRPC interceptor that checks whether the request is authorized by the included macaroons.
func (*Service) ValidateMacaroon ¶
ValidateMacaroon validates the capabilities of a given request given a bakery service, context, and uri. Within the passed context.Context, we expect a macaroon to be encoded as request metadata using the key "macaroon".