// UserFromRequest extracts user information from request and return the respective user in state, if valid
// It requires the state to be locked
func UserFromRequest(st *state.State, req *http.Request) (*auth.UserState, error) {
// extract macaroons data from request
header := req.Header.Get("Authorization")
if header == "" {
return nil, auth.ErrInvalidAuth
}
authorizationData := strings.SplitN(header, " ", 2)
if len(authorizationData) != 2 || authorizationData[0] != "Macaroon" {
return nil, fmt.Errorf("authorization header misses Macaroon prefix")
}
var macaroon string
var discharges []string
for _, field := range strings.Split(authorizationData[1], ",") {
field := strings.TrimSpace(field)
if strings.HasPrefix(field, `root="`) {
macaroon = strings.TrimSuffix(field[6:], `"`)
}
if strings.HasPrefix(field, `discharge="`) {
discharges = append(discharges, strings.TrimSuffix(field[11:], `"`))
}
}
if macaroon == "" || len(discharges) == 0 {
return nil, fmt.Errorf("invalid authorization header")
}
user, err := auth.CheckMacaroon(st, macaroon, discharges)
return user, err
}
func (as *authSuite) TestCheckMacaroonNoAuthData(c *C) {
as.state.Lock()
user, err := auth.CheckMacaroon(as.state, "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, Equals, auth.ErrInvalidAuth)
c.Check(user, IsNil)
}
func (as *authSuite) TestCheckMacaroonInvalidAuth(c *C) {
as.state.Lock()
user, err := auth.CheckMacaroon(as.state, "other-macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, Equals, auth.ErrInvalidAuth)
c.Check(user, IsNil)
as.state.Lock()
_, err = auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
as.state.Lock()
user, err = auth.CheckMacaroon(as.state, "other-macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, Equals, auth.ErrInvalidAuth)
c.Check(user, IsNil)
}
func (as *authSuite) TestCheckMacaroonValidUser(c *C) {
as.state.Lock()
expectedUser, err := auth.NewUser(as.state, "username", "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
as.state.Lock()
user, err := auth.CheckMacaroon(as.state, "macaroon", []string{"discharge"})
as.state.Unlock()
c.Check(err, IsNil)
c.Check(user, DeepEquals, expectedUser)
}
func (as *authSuite) TestCheckMacaroonInvalidAuthMalformedMacaroon(c *C) {
var authStateData auth.AuthState
as.state.Lock()
// create a new user to ensure there is a MacaroonKey setup
_, err := auth.NewUser(as.state, "username", "*****@*****.**", "macaroon", []string{"discharge"})
c.Check(err, IsNil)
// get AuthState to get signing MacaroonKey
err = as.state.Get("auth", &authStateData)
c.Check(err, IsNil)
as.state.Unlock()
// setup a macaroon for an invalid user
invalidMacaroon, err := macaroon.New(authStateData.MacaroonKey, "invalid", "snapd")
c.Check(err, IsNil)
serializedInvalidMacaroon, err := auth.MacaroonSerialize(invalidMacaroon)
c.Check(err, IsNil)
as.state.Lock()
user, err := auth.CheckMacaroon(as.state, serializedInvalidMacaroon, nil)
as.state.Unlock()
c.Check(err, Equals, auth.ErrInvalidAuth)
c.Check(user, IsNil)
}
func (as *authSuite) TestCheckMacaroonValidUserOldStyle(c *C) {
// create a fake store-deserializable macaroon
m, err := macaroon.New([]byte("secret"), "some-id", "location")
c.Check(err, IsNil)
serializedMacaroon, err := auth.MacaroonSerialize(m)
c.Check(err, IsNil)
as.state.Lock()
expectedUser, err := auth.NewUser(as.state, "username", "*****@*****.**", serializedMacaroon, []string{"discharge"})
c.Check(err, IsNil)
// set user local macaroons with store macaroons
expectedUser.Macaroon = expectedUser.StoreMacaroon
expectedUser.Discharges = expectedUser.StoreDischarges
err = auth.UpdateUser(as.state, expectedUser)
c.Check(err, IsNil)
as.state.Unlock()
as.state.Lock()
user, err := auth.CheckMacaroon(as.state, expectedUser.Macaroon, expectedUser.Discharges)
as.state.Unlock()
c.Check(err, IsNil)
c.Check(user, DeepEquals, expectedUser)
}
