macaroon

package
v0.23.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 9, 2019 License: AGPL-3.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// Error is a general API Key error
	Error = errs.Class("api key error")
	// ErrFormat means that the structural formatting of the API Key is invalid
	ErrFormat = errs.Class("api key format error")
	// ErrInvalid means that the API Key is improperly signed
	ErrInvalid = errs.Class("api key invalid error")
	// ErrUnauthorized means that the API key does not grant the requested permission
	ErrUnauthorized = errs.Class("api key unauthorized error")
	// ErrRevoked means the API key has been revoked
	ErrRevoked = errs.Class("api key revocation error")
)

Functions

func NewSecret

func NewSecret() (secret []byte, err error)

NewSecret generates cryptographically random 32 bytes

Types

type APIKey

type APIKey struct {
	// contains filtered or unexported fields
}

APIKey implements a Macaroon-backed Storj-v3 API key.

func NewAPIKey

func NewAPIKey(secret []byte) (*APIKey, error)

NewAPIKey generates a brand new unrestricted API key given the provided server project secret

func ParseAPIKey

func ParseAPIKey(key string) (*APIKey, error)

ParseAPIKey parses a given api key string and returns an APIKey if the APIKey was correctly formatted. It does not validate the key.

func ParseRawAPIKey added in v0.15.0

func ParseRawAPIKey(data []byte) (*APIKey, error)

ParseRawAPIKey parses raw api key data and returns an APIKey if the APIKey was correctly formatted. It does not validate the key.

func (*APIKey) Check

func (a *APIKey) Check(ctx context.Context, secret []byte, action Action, revoked [][]byte) (err error)

Check makes sure that the key authorizes the provided action given the root project secret and any possible revocations, returning an error if the action is not authorized. 'revoked' is a list of revoked heads.

func (*APIKey) GetAllowedBuckets added in v0.15.0

func (a *APIKey) GetAllowedBuckets(ctx context.Context, action Action) (allowed AllowedBuckets, err error)

GetAllowedBuckets returns a list of all the allowed bucket paths that match the Action operation

func (*APIKey) Head

func (a *APIKey) Head() []byte

Head returns the identifier for this macaroon's root ancestor.

func (*APIKey) Restrict

func (a *APIKey) Restrict(caveat Caveat) (*APIKey, error)

Restrict generates a new APIKey with the provided Caveat attached.

func (*APIKey) Serialize

func (a *APIKey) Serialize() string

Serialize serializes the API Key to a string

func (*APIKey) SerializeRaw added in v0.15.0

func (a *APIKey) SerializeRaw() []byte

SerializeRaw serialize the API Key to raw bytes

func (*APIKey) Tail

func (a *APIKey) Tail() []byte

Tail returns the identifier for this macaroon only.

type Action

type Action struct {
	Op            ActionType
	Bucket        []byte
	EncryptedPath []byte
	Time          time.Time
}

Action specifies the specific operation being performed that the Macaroon will validate

type ActionType

type ActionType int

ActionType specifies the operation type being performed that the Macaroon will validate

const (

	// ActionRead specifies a read operation
	ActionRead ActionType = 1
	// ActionWrite specifies a read operation
	ActionWrite ActionType = 2
	// ActionList specifies a read operation
	ActionList ActionType = 3
	// ActionDelete specifies a read operation
	ActionDelete ActionType = 4
	// ActionProjectInfo requests project-level information
	ActionProjectInfo ActionType = 5
)

type AllowedBuckets added in v0.15.0

type AllowedBuckets struct {
	All     bool
	Buckets map[string]struct{}
}

AllowedBuckets stores information about which buckets are allowed to be accessed, where `Buckets` stores names of buckets that are allowed and `All` is a bool that indicates if all buckets are allowed or not

type Caveat

type Caveat struct {
	// if any of these three are set, disallow that type of access
	DisallowReads   bool           `protobuf:"varint,1,opt,name=disallow_reads,json=disallowReads,proto3" json:"disallow_reads,omitempty"`
	DisallowWrites  bool           `protobuf:"varint,2,opt,name=disallow_writes,json=disallowWrites,proto3" json:"disallow_writes,omitempty"`
	DisallowLists   bool           `protobuf:"varint,3,opt,name=disallow_lists,json=disallowLists,proto3" json:"disallow_lists,omitempty"`
	DisallowDeletes bool           `protobuf:"varint,4,opt,name=disallow_deletes,json=disallowDeletes,proto3" json:"disallow_deletes,omitempty"`
	AllowedPaths    []*Caveat_Path `protobuf:"bytes,10,rep,name=allowed_paths,json=allowedPaths,proto3" json:"allowed_paths,omitempty"`
	// if set, the validity time window
	NotAfter  *time.Time `protobuf:"bytes,20,opt,name=not_after,json=notAfter,proto3,stdtime" json:"not_after,omitempty"`
	NotBefore *time.Time `protobuf:"bytes,21,opt,name=not_before,json=notBefore,proto3,stdtime" json:"not_before,omitempty"`
	// nonce is set to some random bytes so that you can make arbitrarily
	// many restricted macaroons with the same (or no) restrictions.
	Nonce                []byte   `protobuf:"bytes,30,opt,name=nonce,proto3" json:"nonce,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func NewCaveat added in v0.12.0

func NewCaveat() (Caveat, error)

NewCaveat returns a Caveat with a random generated nonce.

func (*Caveat) Allows

func (c *Caveat) Allows(action Action) bool

Allows returns true if the provided action is allowed by the caveat.

func (*Caveat) Descriptor

func (*Caveat) Descriptor() ([]byte, []int)

func (*Caveat) GetAllowedPaths added in v0.12.0

func (m *Caveat) GetAllowedPaths() []*Caveat_Path

func (*Caveat) GetDisallowDeletes

func (m *Caveat) GetDisallowDeletes() bool

func (*Caveat) GetDisallowLists

func (m *Caveat) GetDisallowLists() bool

func (*Caveat) GetDisallowReads

func (m *Caveat) GetDisallowReads() bool

func (*Caveat) GetDisallowWrites

func (m *Caveat) GetDisallowWrites() bool

func (*Caveat) GetNonce added in v0.12.0

func (m *Caveat) GetNonce() []byte

func (*Caveat) GetNotAfter

func (m *Caveat) GetNotAfter() *time.Time

func (*Caveat) GetNotBefore

func (m *Caveat) GetNotBefore() *time.Time

func (*Caveat) ProtoMessage

func (*Caveat) ProtoMessage()

func (*Caveat) Reset

func (m *Caveat) Reset()

func (*Caveat) String

func (m *Caveat) String() string

func (*Caveat) XXX_DiscardUnknown

func (m *Caveat) XXX_DiscardUnknown()

func (*Caveat) XXX_Marshal

func (m *Caveat) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Caveat) XXX_Merge

func (m *Caveat) XXX_Merge(src proto.Message)

func (*Caveat) XXX_Size

func (m *Caveat) XXX_Size() int

func (*Caveat) XXX_Unmarshal

func (m *Caveat) XXX_Unmarshal(b []byte) error

type Caveat_Path added in v0.12.0

type Caveat_Path struct {
	Bucket               []byte   `protobuf:"bytes,1,opt,name=bucket,proto3" json:"bucket,omitempty"`
	EncryptedPathPrefix  []byte   `protobuf:"bytes,2,opt,name=encrypted_path_prefix,json=encryptedPathPrefix,proto3" json:"encrypted_path_prefix,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

If any entries exist, require all access to happen in at least one of them.

func (*Caveat_Path) Descriptor added in v0.12.0

func (*Caveat_Path) Descriptor() ([]byte, []int)

func (*Caveat_Path) GetBucket added in v0.12.0

func (m *Caveat_Path) GetBucket() []byte

func (*Caveat_Path) GetEncryptedPathPrefix added in v0.12.0

func (m *Caveat_Path) GetEncryptedPathPrefix() []byte

func (*Caveat_Path) ProtoMessage added in v0.12.0

func (*Caveat_Path) ProtoMessage()

func (*Caveat_Path) Reset added in v0.12.0

func (m *Caveat_Path) Reset()

func (*Caveat_Path) String added in v0.12.0

func (m *Caveat_Path) String() string

func (*Caveat_Path) XXX_DiscardUnknown added in v0.12.0

func (m *Caveat_Path) XXX_DiscardUnknown()

func (*Caveat_Path) XXX_Marshal added in v0.12.0

func (m *Caveat_Path) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Caveat_Path) XXX_Merge added in v0.12.0

func (m *Caveat_Path) XXX_Merge(src proto.Message)

func (*Caveat_Path) XXX_Size added in v0.12.0

func (m *Caveat_Path) XXX_Size() int

func (*Caveat_Path) XXX_Unmarshal added in v0.12.0

func (m *Caveat_Path) XXX_Unmarshal(b []byte) error

type Macaroon

type Macaroon struct {
	// contains filtered or unexported fields
}

Macaroon is a struct that determine contextual caveats and authorization

func NewUnrestricted

func NewUnrestricted(secret []byte) (*Macaroon, error)

NewUnrestricted creates Macaroon with random Head and generated Tail

func ParseMacaroon

func ParseMacaroon(data []byte) (_ *Macaroon, err error)

ParseMacaroon converts binary to macaroon

func (*Macaroon) AddFirstPartyCaveat

func (m *Macaroon) AddFirstPartyCaveat(c []byte) (macaroon *Macaroon, err error)

AddFirstPartyCaveat creates signed macaroon with appended caveat

func (*Macaroon) CaveatLen

func (m *Macaroon) CaveatLen() int

CaveatLen returns the number of caveats this macaroon has

func (*Macaroon) Caveats

func (m *Macaroon) Caveats() (caveats [][]byte)

Caveats returns copy of macaroon caveats

func (*Macaroon) Copy

func (m *Macaroon) Copy() *Macaroon

Copy return copy of macaroon

func (*Macaroon) Head

func (m *Macaroon) Head() (head []byte)

Head returns copy of macaroon head

func (*Macaroon) Serialize

func (m *Macaroon) Serialize() (data []byte)

Serialize converts macaroon to binary format

func (*Macaroon) Tail

func (m *Macaroon) Tail() (tail []byte)

Tail returns copy of macaroon tail

func (*Macaroon) Tails

func (m *Macaroon) Tails(secret []byte) [][]byte

Tails returns all ancestor tails up to and including the current tail

func (*Macaroon) Validate

func (m *Macaroon) Validate(secret []byte) (ok bool)

Validate reconstructs with all caveats from the secret and compares tails, returning true if the tails match

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL