Example #1
0
func (k *Kite) verifyAudience(kite *protocol.Kite, audience string) error {
	switch audience {
	case "/":
		// The root audience is like superuser - it has access to everything.
		return nil
	case "":
		return errors.New("invalid empty audience")
	}

	aud, err := protocol.KiteFromString(audience)
	if err != nil {
		return fmt.Errorf("invalid audience: %s (%s)", err, audience)
	}

	// We verify the Username / Environment / Name matches the kite.
	// Empty field (except username) is like wildcard - it matches all values.

	if kite.Username != aud.Username {
		return fmt.Errorf("audience: username %q not allowed (%s)", aud.Username, audience)
	}

	if kite.Environment != aud.Environment && aud.Environment != "" {
		return fmt.Errorf("audience: environment %q not allowed (%s)", aud.Environment, audience)
	}

	if kite.Name != aud.Name && aud.Name != "" {
		return fmt.Errorf("audience: kite %q not allowed (%s)", aud.Name, audience)
	}

	return nil
}
Example #2
0
// ConnectTimeout returns a new connected klient instance to the given
// queryString. The klient is ready to use. It's tries to connect for the given
// timeout duration
func ConnectTimeout(k *kite.Kite, queryString string, t time.Duration) (*Klient, error) {
	query, err := protocol.KiteFromString(queryString)
	if err != nil {
		return nil, err
	}

	k.Log.Debug("Connecting with timeout=%s to Klient: %s", t, queryString)

	kites, err := k.GetKites(query.Query())
	if err != nil {
		return nil, err
	}

	remoteKite := kites[0]
	remoteKite.ReadBufferSize = 512
	remoteKite.WriteBufferSize = 512

	err = remoteKite.DialTimeout(t)
	if err != nil {
		// If kite exists but dialing failed, we still return the *Klient
		// value, althought not connected, in order to allow the caller
		// inspect the URL and eventually recover.
		err = ErrDialingFailed
	}

	k.Log.Debug("Dialing %q (%s) kite failed: %s", queryString, remoteKite.URL, err)

	return &Klient{
		kite:     k,
		Client:   remoteKite,
		Username: remoteKite.Username,
	}, err
}
Example #3
0
func mustKiteID(queryString string) string {
	k, err := protocol.KiteFromString(queryString)
	if err != nil {
		panic("mustKiteID: " + err.Error())
	}

	return k.ID
}
Example #4
0
func verifyAudience(kite *kiteproto.Kite, audience string) error {
	switch audience {
	case "/":
		// The root audience is like superuser - it has access to everything.
		return nil
	case "":
		return errors.New("invalid empty audience")
	}

	aud, err := kiteproto.KiteFromString(audience)
	if err != nil {
		return fmt.Errorf("invalid audience: %s (%s)", err, audience)
	}

	if kite.Username != aud.Username {
		return fmt.Errorf("audience: username %q not allowed (%s)", aud.Username, audience)
	}

	// Verify environment - managed environment means production klient
	// running on a user's laptop; devmanaged is for development/sandobx
	// environments.
	//
	// TODO(rjeczalik): klient should always have development/production
	// values for the environment fields - the managed flag should be
	// set elsewhere; it'd also make the deployment process easier
	// (2 delivery channels instead of 4).
	switch {
	case aud.Environment == "":
		// ok - empty matches all
	case kite.Environment == aud.Environment:
		// ok - environment matches
	case match(prodEnvs, kite.Environment, aud.Environment):
		// ok - either remote or local is managed kite from development channel
	case match(devEnvs, kite.Environment, aud.Environment):
		// ok - either remote or local is managed kite from development channel
	default:
		return fmt.Errorf("audience: environment %q not allowed (%s)", aud.Environment, audience)
	}

	switch {
	case aud.Name == "":
		// ok - empty matches all
	case kite.Name == aud.Name:
	case match(kiteNames, kite.Name, aud.Name):
	default:
		return fmt.Errorf("audience: kite %q not allowed (%s)", aud.Name, audience)
	}

	return nil
}
Example #5
0
// Exists checks whether the given queryString exists in Kontrol or not
func Exists(k *kite.Kite, queryString string) error {
	query, err := protocol.KiteFromString(queryString)
	if err != nil {
		return err
	}

	k.Log.Debug("Checking whether %s exists in Kontrol", queryString)

	// an error indicates a non existing klient or another error.
	_, err = k.GetKites(query.Query())
	if err != nil {
		return err
	}

	return nil
}
Example #6
0
func checkAudience(kiteRepr, audience string) error {
	a, err := protocol.KiteFromString(audience)
	if err != nil {
		return err
	}

	// it doesn't make sense to return an error if the audience is fully empty
	if a.Username == "" {
		return nil
	}

	// this is good so our kites can also work behind load balancers
	threePart := fmt.Sprintf("/%s/%s/%s", a.Username, a.Environment, a.Name)

	// now check if the first three fields are matching our own fields
	if !strings.HasPrefix(kiteRepr, threePart) {
		return fmt.Errorf("Invalid audience in token. Have: '%s' Must be a part of: '%s'",
			audience, kiteRepr)
	}

	return nil
}