// newExternalMacaroonAuth returns an authenticator that can authenticate
// macaroon-based logins for external users. This is just a helper function
// for authCtxt.macaroonAuth.
func newExternalMacaroonAuth(st *state.State) (*authentication.ExternalMacaroonAuthenticator, error) {
envCfg, err := st.ModelConfig()
if err != nil {
return nil, errors.Annotate(err, "cannot get model config")
}
idURL := envCfg.IdentityURL()
if idURL == "" {
return nil, errMacaroonAuthNotConfigured
}
// The identity server has been configured,
// so configure the bakery service appropriately.
idPK := envCfg.IdentityPublicKey()
if idPK == nil {
// No public key supplied - retrieve it from the identity manager.
idPK, err = httpbakery.PublicKeyForLocation(http.DefaultClient, idURL)
if err != nil {
return nil, errors.Annotate(err, "cannot get identity public key")
}
}
svc, err := newBakeryService(st, bakery.PublicKeyLocatorMap{
idURL: idPK,
})
if err != nil {
return nil, errors.Annotate(err, "cannot make bakery service")
}
var auth authentication.ExternalMacaroonAuthenticator
auth.Service = svc
auth.Macaroon, err = svc.NewMacaroon("api-login", nil, nil)
if err != nil {
return nil, errors.Annotate(err, "cannot make macaroon")
}
auth.IdentityLocation = idURL
return &auth, nil
}
// newExternalMacaroonAuth returns an authenticator that can authenticate
// macaroon-based logins for external users. This is just a helper function
// for authCtxt.macaroonAuth.
func newExternalMacaroonAuth(st *state.State) (*authentication.ExternalMacaroonAuthenticator, error) {
envCfg, err := st.ModelConfig()
if err != nil {
return nil, errors.Annotate(err, "cannot get model config")
}
idURL := envCfg.IdentityURL()
if idURL == "" {
return nil, errMacaroonAuthNotConfigured
}
// The identity server has been configured,
// so configure the bakery service appropriately.
idPK := envCfg.IdentityPublicKey()
if idPK == nil {
// No public key supplied - retrieve it from the identity manager.
idPK, err = httpbakery.PublicKeyForLocation(http.DefaultClient, idURL)
if err != nil {
return nil, errors.Annotate(err, "cannot get identity public key")
}
}
// We pass in nil for the storage, which leads to in-memory storage
// being used. We only use in-memory storage for now, since we never
// expire the keys, and don't want garbage to accumulate.
//
// TODO(axw) we should store the key in mongo, so that multiple servers
// can authenticate. That will require that we encode the server's ID
// in the macaroon ID so that servers don't overwrite each others' keys.
svc, _, err := newBakeryService(st, nil, bakery.PublicKeyLocatorMap{idURL: idPK})
if err != nil {
return nil, errors.Annotate(err, "cannot make bakery service")
}
var auth authentication.ExternalMacaroonAuthenticator
auth.Service = svc
auth.Macaroon, err = svc.NewMacaroon("api-login", nil, nil)
if err != nil {
return nil, errors.Annotate(err, "cannot make macaroon")
}
auth.IdentityLocation = idURL
return &auth, nil
}