// verifyIgnoringCaveats verifies the given macaroon and its discharges without
// checking any caveats. It returns all the caveats that should
// have been checked.
func verifyIgnoringCaveats(ms macaroon.Slice, rootKey []byte) ([]string, error) {
var caveats []string
if len(ms) == 0 {
return nil, errgo.New("no macaroons in slice")
}
if err := ms[0].Verify(rootKey, func(caveat string) error {
caveats = append(caveats, caveat)
return nil
}, ms[1:]); err != nil {
return nil, errgo.Mask(err)
}
return caveats, nil
}
// life span than other macaroons.
Ops []Op
// Caveats holds the caveats that must be added
// to macaroons that authorize the above operations.
Caveats []checkers.Caveat
}
func (e *DischargeRequiredError) Error() string {
return "macaroon discharge required: " + e.Message
}
func isDischargeRequiredError(err error) bool {
_, ok := err.(*DischargeRequiredError)
return ok
}
type verificationError struct {
error
}
func isVerificationError(err error) bool {
_, ok := err.(*verificationError)
return ok
}
var (
ErrNotFound = errgo.New("not found")
ErrCaveatResultUnknown = errgo.New("caveat result not known")
)
"gopkg.in/macaroon-bakery.v2-unstable/bakery"
"gopkg.in/macaroon-bakery.v2-unstable/bakery/checkers"
)
var logger = loggo.GetLogger("bakery.auth")
// TODO think about a consistent approach to error reporting for macaroons.
// TODO should we really pass in explicit expiry times on each call to Allow?
var LoginOp = Op{
Entity: "login",
Action: "login",
}
var ErrPermissionDenied = errgo.New("permission denied")
type ServiceParams struct {
// CaveatChecker is used to check first party caveats when authorizing.
CaveatChecker checkers.Checker
// UserChecker is used to check whether an authenticated user is
// allowed to perform operations.
//
// The identity parameter passed to UserChecker.Allow will
// always have been obtained from a call to
// IdentityService.DeclaredIdentity.
UserChecker UserChecker
// IdentityService is used for interactions with the external
// identity service used for authentication.
