// thirdPartyChecker is used to check third party caveats added by other
// services. The HTTP request is that of the client - it is attempting
// to gather a discharge macaroon.
//
// Note how this function can return additional first- and third-party
// caveats which will be added to the original macaroon's caveats.
func thirdPartyChecker(req *http.Request, cavId, condition string) ([]checkers.Caveat, error) {
if condition != "access-allowed" {
return nil, checkers.ErrCaveatNotRecognized
}
// TODO check that the HTTP request has cookies that prove
// something about the client.
return []checkers.Caveat{
httpbakery.SameClientIPAddrCaveat(req),
}, nil
}
caveat: "client-ip-addr 2001:4860:0:2001:0::68",
}, {
caveat: checkers.ClientIPAddrCaveat(net.ParseIP("2001:4860:0:2001::69")).Condition,
expectError: `caveat "client-ip-addr 2001:4860:0:2001::69" not satisfied: client IP address mismatch, got 2001:4860:0:2001::68`,
}, {
caveat: checkers.ClientIPAddrCaveat(net.ParseIP("127.0.0.1")).Condition,
expectError: `caveat "client-ip-addr 127.0.0.1" not satisfied: client IP address mismatch, got 2001:4860:0:2001::68`,
}},
}, {
about: "same client address, ipv4 request address",
checker: checkers.New(httpbakery.Checkers(&http.Request{
RemoteAddr: "127.0.0.1:1324",
})),
checks: []checkTest{{
caveat: httpbakery.SameClientIPAddrCaveat(&http.Request{
RemoteAddr: "127.0.0.1:1234",
}).Condition,
}, {
caveat: httpbakery.SameClientIPAddrCaveat(&http.Request{
RemoteAddr: "[::ffff:7f00:1]:1235",
}).Condition,
}, {
caveat: httpbakery.SameClientIPAddrCaveat(&http.Request{
RemoteAddr: "127.0.0.2:1234",
}).Condition,
expectError: `caveat "client-ip-addr 127.0.0.2" not satisfied: client IP address mismatch, got 127.0.0.1`,
}, {
caveat: httpbakery.SameClientIPAddrCaveat(&http.Request{
RemoteAddr: "[::ffff:7f00:2]:1235",
}).Condition,
expectError: `caveat "client-ip-addr 127.0.0.2" not satisfied: client IP address mismatch, got 127.0.0.1`,