// thirdPartyChecker checks third-party caveats that other services have
// addressed to this discharger. req is the client's own HTTP request, made
// while the client is trying to gather a discharge macaroon.
//
// The only condition recognized is "access-allowed"; any other condition
// yields checkers.ErrCaveatNotRecognized. On success the returned caveats
// (first- or third-party) are added to the original macaroon's caveats.
//
// NOTE(review): until the TODO below is implemented, nothing about the client
// is verified, so every request carrying the "access-allowed" condition is
// discharged. The client-IP caveat only restricts which address the discharge
// can later be used from; it does not authenticate the caller.
//
// NOTE(review): the caveat is built from req, presumably from req.RemoteAddr.
// Behind a reverse proxy or NAT that address may be shared by many clients;
// confirm the deployment before relying on it as a binding.
func thirdPartyChecker(req *http.Request, cavId, condition string) ([]checkers.Caveat, error) {
	const allowed = "access-allowed"
	if condition == allowed {
		// TODO check that the HTTP request has cookies that prove
		// something about the client.
		extra := []checkers.Caveat{httpbakery.SameClientIPAddrCaveat(req)}
		return extra, nil
	}
	return nil, checkers.ErrCaveatNotRecognized
}
caveat: "client-ip-addr 2001:4860:0:2001:0::68", }, { caveat: checkers.ClientIPAddrCaveat(net.ParseIP("2001:4860:0:2001::69")).Condition, expectError: `caveat "client-ip-addr 2001:4860:0:2001::69" not satisfied: client IP address mismatch, got 2001:4860:0:2001::68`, }, { caveat: checkers.ClientIPAddrCaveat(net.ParseIP("127.0.0.1")).Condition, expectError: `caveat "client-ip-addr 127.0.0.1" not satisfied: client IP address mismatch, got 2001:4860:0:2001::68`, }}, }, { about: "same client address, ipv4 request address", checker: checkers.New(httpbakery.Checkers(&http.Request{ RemoteAddr: "127.0.0.1:1324", })), checks: []checkTest{{ caveat: httpbakery.SameClientIPAddrCaveat(&http.Request{ RemoteAddr: "127.0.0.1:1234", }).Condition, }, { caveat: httpbakery.SameClientIPAddrCaveat(&http.Request{ RemoteAddr: "[::ffff:7f00:1]:1235", }).Condition, }, { caveat: httpbakery.SameClientIPAddrCaveat(&http.Request{ RemoteAddr: "127.0.0.2:1234", }).Condition, expectError: `caveat "client-ip-addr 127.0.0.2" not satisfied: client IP address mismatch, got 127.0.0.1`, }, { caveat: httpbakery.SameClientIPAddrCaveat(&http.Request{ RemoteAddr: "[::ffff:7f00:2]:1235", }).Condition, expectError: `caveat "client-ip-addr 127.0.0.2" not satisfied: client IP address mismatch, got 127.0.0.1`,