Exemplo n.º 1
0
// verifyIgnoringCaveats verifies the given macaroon and its discharges without
// checking any caveats. It returns all the caveats that should
// have been checked.
func verifyIgnoringCaveats(ms macaroon.Slice, rootKey []byte) ([]string, error) {
	var caveats []string
	if len(ms) == 0 {
		return nil, errgo.New("no macaroons in slice")
	}
	if err := ms[0].Verify(rootKey, func(caveat string) error {
		caveats = append(caveats, caveat)
		return nil
	}, ms[1:]); err != nil {
		return nil, errgo.Mask(err)
	}
	return caveats, nil
}
Exemplo n.º 2
0
	// life span than other macaroons.
	Ops []Op

	// Caveats holds the caveats that must be added
	// to macaroons that authorize the above operations.
	Caveats []checkers.Caveat
}

func (e *DischargeRequiredError) Error() string {
	return "macaroon discharge required: " + e.Message
}

func isDischargeRequiredError(err error) bool {
	_, ok := err.(*DischargeRequiredError)
	return ok
}

type verificationError struct {
	error
}

func isVerificationError(err error) bool {
	_, ok := err.(*verificationError)
	return ok
}

var (
	ErrNotFound            = errgo.New("not found")
	ErrCaveatResultUnknown = errgo.New("caveat result not known")
)
Exemplo n.º 3
0
	"gopkg.in/macaroon-bakery.v2-unstable/bakery"
	"gopkg.in/macaroon-bakery.v2-unstable/bakery/checkers"
)

var logger = loggo.GetLogger("bakery.auth")

// TODO think about a consistent approach to error reporting for macaroons.

// TODO should we really pass in explicit expiry times on each call to Allow?

var LoginOp = Op{
	Entity: "login",
	Action: "login",
}

var ErrPermissionDenied = errgo.New("permission denied")

type ServiceParams struct {
	// CaveatChecker is used to check first party caveats when authorizing.
	CaveatChecker checkers.Checker

	// UserChecker is used to check whether an authenticated user is
	// allowed to perform operations.
	//
	// The identity parameter passed to UserChecker.Allow will
	// always have been obtained from a call to
	// IdentityService.DeclaredIdentity.
	UserChecker UserChecker

	// IdentityService is used for interactions with the external
	// identity service used for authentication.