macaroon

package

v0.28.2 Latest Latest Go to latest Published: Dec 18, 2019 License: AGPL-3.0 Imports: 17 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/storj/storj

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func NewSecret() (secret []byte, err error)
type APIKey
type Action
type ActionType
type AllowedBuckets
type Caveat
- func NewCaveat() (Caveat, error)
type Caveat_Path
type Macaroon
- func NewUnrestricted(secret []byte) (*Macaroon, error)
- func ParseMacaroon(data []byte) (_ *Macaroon, err error)

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// Error is a general API Key error
	Error = errs.Class("api key error")
	// ErrFormat means that the structural formatting of the API Key is invalid
	ErrFormat = errs.Class("api key format error")
	// ErrInvalid means that the API Key is improperly signed
	ErrInvalid = errs.Class("api key invalid error")
	// ErrUnauthorized means that the API key does not grant the requested permission
	ErrUnauthorized = errs.Class("api key unauthorized error")
	// ErrRevoked means the API key has been revoked
	ErrRevoked = errs.Class("api key revocation error")
)

Functions ¶

func NewSecret ¶

func NewSecret() (secret []byte, err error)

NewSecret generates cryptographically random 32 bytes

Types ¶

type APIKey ¶

type APIKey struct {
	// contains filtered or unexported fields
}

APIKey implements a Macaroon-backed Storj-v3 API key.

func NewAPIKey ¶

func NewAPIKey(secret []byte) (*APIKey, error)

NewAPIKey generates a brand new unrestricted API key given the provided server project secret

func ParseAPIKey ¶

func ParseAPIKey(key string) (*APIKey, error)

ParseAPIKey parses a given api key string and returns an APIKey if the APIKey was correctly formatted. It does not validate the key.

func ParseRawAPIKey ¶ added in v0.15.0

func ParseRawAPIKey(data []byte) (*APIKey, error)

ParseRawAPIKey parses raw api key data and returns an APIKey if the APIKey was correctly formatted. It does not validate the key.

func (*APIKey) Check ¶

func (a *APIKey) Check(ctx context.Context, secret []byte, action Action, revoked [][]byte) (err error)

Check makes sure that the key authorizes the provided action given the root project secret and any possible revocations, returning an error if the action is not authorized. 'revoked' is a list of revoked heads.

func (*APIKey) GetAllowedBuckets ¶ added in v0.15.0

func (a *APIKey) GetAllowedBuckets(ctx context.Context, action Action) (allowed AllowedBuckets, err error)

GetAllowedBuckets returns a list of all the allowed bucket paths that match the Action operation

func (*APIKey) Head ¶

func (a *APIKey) Head() []byte

Head returns the identifier for this macaroon's root ancestor.

func (*APIKey) Restrict ¶

func (a *APIKey) Restrict(caveat Caveat) (*APIKey, error)

Restrict generates a new APIKey with the provided Caveat attached.

func (*APIKey) Serialize ¶

func (a *APIKey) Serialize() string

Serialize serializes the API Key to a string

func (*APIKey) SerializeRaw ¶ added in v0.15.0

func (a *APIKey) SerializeRaw() []byte

SerializeRaw serialize the API Key to raw bytes

func (*APIKey) Tail ¶

func (a *APIKey) Tail() []byte

Tail returns the identifier for this macaroon only.

type Action ¶

type Action struct {
	Op            ActionType
	Bucket        []byte
	EncryptedPath []byte
	Time          time.Time
}

Action specifies the specific operation being performed that the Macaroon will validate

type ActionType ¶

type ActionType int

ActionType specifies the operation type being performed that the Macaroon will validate

const (

	// ActionRead specifies a read operation
	ActionRead ActionType = 1
	// ActionWrite specifies a read operation
	ActionWrite ActionType = 2
	// ActionList specifies a read operation
	ActionList ActionType = 3
	// ActionDelete specifies a read operation
	ActionDelete ActionType = 4
	// ActionProjectInfo requests project-level information
	ActionProjectInfo ActionType = 5
)

type AllowedBuckets ¶ added in v0.15.0

type AllowedBuckets struct {
	All     bool
	Buckets map[string]struct{}
}

AllowedBuckets stores information about which buckets are allowed to be accessed, where `Buckets` stores names of buckets that are allowed and `All` is a bool that indicates if all buckets are allowed or not

type Caveat ¶

type Caveat struct {
	// if any of these three are set, disallow that type of access
	DisallowReads   bool           `protobuf:"varint,1,opt,name=disallow_reads,json=disallowReads,proto3" json:"disallow_reads,omitempty"`
	DisallowWrites  bool           `protobuf:"varint,2,opt,name=disallow_writes,json=disallowWrites,proto3" json:"disallow_writes,omitempty"`
	DisallowLists   bool           `protobuf:"varint,3,opt,name=disallow_lists,json=disallowLists,proto3" json:"disallow_lists,omitempty"`
	DisallowDeletes bool           `protobuf:"varint,4,opt,name=disallow_deletes,json=disallowDeletes,proto3" json:"disallow_deletes,omitempty"`
	AllowedPaths    []*Caveat_Path `protobuf:"bytes,10,rep,name=allowed_paths,json=allowedPaths,proto3" json:"allowed_paths,omitempty"`
	// if set, the validity time window
	NotAfter  *time.Time `protobuf:"bytes,20,opt,name=not_after,json=notAfter,proto3,stdtime" json:"not_after,omitempty"`
	NotBefore *time.Time `protobuf:"bytes,21,opt,name=not_before,json=notBefore,proto3,stdtime" json:"not_before,omitempty"`
	// nonce is set to some random bytes so that you can make arbitrarily
	// many restricted macaroons with the same (or no) restrictions.
	Nonce                []byte   `protobuf:"bytes,30,opt,name=nonce,proto3" json:"nonce,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func NewCaveat ¶ added in v0.12.0

func NewCaveat() (Caveat, error)

NewCaveat returns a Caveat with a random generated nonce.

func (*Caveat) Allows ¶

func (c *Caveat) Allows(action Action) bool

Allows returns true if the provided action is allowed by the caveat.

func (*Caveat) Descriptor ¶

func (*Caveat) Descriptor() ([]byte, []int)

func (*Caveat) GetAllowedPaths ¶ added in v0.12.0

func (m *Caveat) GetAllowedPaths() []*Caveat_Path

func (*Caveat) GetDisallowDeletes ¶

func (m *Caveat) GetDisallowDeletes() bool

func (*Caveat) GetDisallowLists ¶

func (m *Caveat) GetDisallowLists() bool

func (*Caveat) GetDisallowReads ¶

func (m *Caveat) GetDisallowReads() bool

func (*Caveat) GetDisallowWrites ¶

func (m *Caveat) GetDisallowWrites() bool

func (*Caveat) GetNonce ¶ added in v0.12.0

func (m *Caveat) GetNonce() []byte

func (*Caveat) GetNotAfter ¶

func (m *Caveat) GetNotAfter() *time.Time

func (*Caveat) GetNotBefore ¶

func (m *Caveat) GetNotBefore() *time.Time

func (*Caveat) ProtoMessage ¶

func (*Caveat) ProtoMessage()

func (*Caveat) Reset ¶

func (m *Caveat) Reset()

func (*Caveat) String ¶

func (m *Caveat) String() string

func (*Caveat) XXX_DiscardUnknown ¶

func (m *Caveat) XXX_DiscardUnknown()

func (*Caveat) XXX_Marshal ¶

func (m *Caveat) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Caveat) XXX_Merge ¶

func (m *Caveat) XXX_Merge(src proto.Message)

func (*Caveat) XXX_Size ¶

func (m *Caveat) XXX_Size() int

func (*Caveat) XXX_Unmarshal ¶

func (m *Caveat) XXX_Unmarshal(b []byte) error

type Caveat_Path ¶ added in v0.12.0

type Caveat_Path struct {
	Bucket               []byte   `protobuf:"bytes,1,opt,name=bucket,proto3" json:"bucket,omitempty"`
	EncryptedPathPrefix  []byte   `protobuf:"bytes,2,opt,name=encrypted_path_prefix,json=encryptedPathPrefix,proto3" json:"encrypted_path_prefix,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

If any entries exist, require all access to happen in at least one of them.

func (*Caveat_Path) Descriptor ¶ added in v0.12.0

func (*Caveat_Path) Descriptor() ([]byte, []int)

func (*Caveat_Path) GetBucket ¶ added in v0.12.0

func (m *Caveat_Path) GetBucket() []byte

func (*Caveat_Path) GetEncryptedPathPrefix ¶ added in v0.12.0

func (m *Caveat_Path) GetEncryptedPathPrefix() []byte

func (*Caveat_Path) ProtoMessage ¶ added in v0.12.0

func (*Caveat_Path) ProtoMessage()

func (*Caveat_Path) Reset ¶ added in v0.12.0

func (m *Caveat_Path) Reset()

func (*Caveat_Path) String ¶ added in v0.12.0

func (m *Caveat_Path) String() string

func (*Caveat_Path) XXX_DiscardUnknown ¶ added in v0.12.0

func (m *Caveat_Path) XXX_DiscardUnknown()

func (*Caveat_Path) XXX_Marshal ¶ added in v0.12.0

func (m *Caveat_Path) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Caveat_Path) XXX_Merge ¶ added in v0.12.0

func (m *Caveat_Path) XXX_Merge(src proto.Message)

func (*Caveat_Path) XXX_Size ¶ added in v0.12.0

func (m *Caveat_Path) XXX_Size() int

func (*Caveat_Path) XXX_Unmarshal ¶ added in v0.12.0

func (m *Caveat_Path) XXX_Unmarshal(b []byte) error

type Macaroon ¶

type Macaroon struct {
	// contains filtered or unexported fields
}

Macaroon is a struct that determine contextual caveats and authorization

func NewUnrestricted ¶

func NewUnrestricted(secret []byte) (*Macaroon, error)

NewUnrestricted creates Macaroon with random Head and generated Tail

func ParseMacaroon ¶

func ParseMacaroon(data []byte) (_ *Macaroon, err error)

ParseMacaroon converts binary to macaroon

func (*Macaroon) AddFirstPartyCaveat ¶

func (m *Macaroon) AddFirstPartyCaveat(c []byte) (macaroon *Macaroon, err error)

AddFirstPartyCaveat creates signed macaroon with appended caveat

func (*Macaroon) CaveatLen ¶

func (m *Macaroon) CaveatLen() int

CaveatLen returns the number of caveats this macaroon has

func (*Macaroon) Caveats ¶

func (m *Macaroon) Caveats() (caveats [][]byte)

Caveats returns copy of macaroon caveats

func (*Macaroon) Copy ¶

func (m *Macaroon) Copy() *Macaroon

Copy return copy of macaroon

func (*Macaroon) Head ¶

func (m *Macaroon) Head() (head []byte)

Head returns copy of macaroon head

func (*Macaroon) Serialize ¶

func (m *Macaroon) Serialize() (data []byte)

Serialize converts macaroon to binary format

func (*Macaroon) Tail ¶

func (m *Macaroon) Tail() (tail []byte)

Tail returns copy of macaroon tail

func (*Macaroon) Tails ¶

func (m *Macaroon) Tails(secret []byte) [][]byte

Tails returns all ancestor tails up to and including the current tail

func (*Macaroon) Validate ¶

func (m *Macaroon) Validate(secret []byte) (ok bool)

Validate reconstructs with all caveats from the secret and compares tails, returning true if the tails match

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL