storj/mobile/apikey.go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.

package mobile

import (
	"time"

	libuplink "storj.io/storj/lib/uplink"
	"storj.io/storj/pkg/macaroon"
)

// Caveat TODO
type Caveat struct {
	DisallowReads   bool
	DisallowWrites  bool
	DisallowLists   bool
	DisallowDeletes bool
	AllowedPaths    []*CaveatPath
	// if set, the validity time window
	NotAfter  int64
	NotBefore int64
	// nonce is set to some random bytes so that you can make arbitrarily
	// many restricted macaroons with the same (or no) restrictions.
	Nonce []byte
}

// CaveatPath If any entries exist, require all access to happen in at least
// one of them.
type CaveatPath struct {
	Bucket              []byte
	EncryptedPathPrefix []byte
}

// NewCaveat TODO
func NewCaveat() *Caveat {
	return &Caveat{
		AllowedPaths: make([]*CaveatPath, 0),
	}
}

// AddCaveatPath TODO
func (caveat Caveat) AddCaveatPath(path *CaveatPath) {
	caveat.AllowedPaths = append(caveat.AllowedPaths, path)
}

// APIKey represents an access credential to certain resources
type APIKey struct {
	lib *libuplink.APIKey
}

// Serialize serializes the API key to a string
func (a APIKey) Serialize() string {
	return a.lib.Serialize()
}

// IsZero returns if the api key is an uninitialized value
func (a *APIKey) IsZero() bool {
	return a.IsZero()
}

// ParseAPIKey parses an API key
func ParseAPIKey(val string) (*APIKey, error) {
	k, err := libuplink.ParseAPIKey(val)
	if err != nil {
		return nil, safeError(err)
	}
	return &APIKey{lib: &k}, nil
}

// Restrict generates a new APIKey with the provided Caveat attached.
func (a APIKey) Restrict(caveat *Caveat) (*APIKey, error) {
	paths := make([]*macaroon.Caveat_Path, 0)
	for _, path := range caveat.AllowedPaths {
		paths = append(paths, &macaroon.Caveat_Path{
			Bucket:              path.Bucket,
			EncryptedPathPrefix: path.EncryptedPathPrefix,
		})
	}
	libCaveat := macaroon.Caveat{
		DisallowReads:   caveat.DisallowReads,
		DisallowWrites:  caveat.DisallowWrites,
		DisallowLists:   caveat.DisallowLists,
		DisallowDeletes: caveat.DisallowDeletes,
		AllowedPaths:    paths,
		Nonce:           caveat.Nonce,
	}

	if caveat.NotAfter != 0 {
		notAfter := time.Unix(caveat.NotAfter, 0)
		libCaveat.NotAfter = &notAfter
	}
	if caveat.NotBefore != 0 {
		notBefore := time.Unix(caveat.NotBefore, 0)
		libCaveat.NotBefore = &notBefore
	}

	k, err := a.lib.Restrict(libCaveat)
	if err != nil {
		return nil, safeError(err)
	}
	return &APIKey{lib: &k}, nil
}
mobile: add a way to get an encryption access at some path root (#2519) * mobile: add a way to get an encryption access at some path root this exposes a way to have keys deeper than the bucket root * APIKey + Caveat exported * use safeError * return nil 2019-07-10 17:01:56 +01:00			`// Copyright (C) 2019 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

			`package mobile`

			`import (`
			`"time"`

			`libuplink "storj.io/storj/lib/uplink"`
			`"storj.io/storj/pkg/macaroon"`
			`)`

			`// Caveat TODO`
			`type Caveat struct {`
			`DisallowReads bool`
			`DisallowWrites bool`
			`DisallowLists bool`
			`DisallowDeletes bool`
			`AllowedPaths []*CaveatPath`
			`// if set, the validity time window`
			`NotAfter int64`
			`NotBefore int64`
			`// nonce is set to some random bytes so that you can make arbitrarily`
			`// many restricted macaroons with the same (or no) restrictions.`
			`Nonce []byte`
			`}`

			`// CaveatPath If any entries exist, require all access to happen in at least`
			`// one of them.`
			`type CaveatPath struct {`
			`Bucket []byte`
			`EncryptedPathPrefix []byte`
			`}`

			`// NewCaveat TODO`
			`func NewCaveat() *Caveat {`
			`return &Caveat{`
			`AllowedPaths: make([]*CaveatPath, 0),`
			`}`
			`}`

			`// AddCaveatPath TODO`
			`func (caveat Caveat) AddCaveatPath(path *CaveatPath) {`
			`caveat.AllowedPaths = append(caveat.AllowedPaths, path)`
			`}`

			`// APIKey represents an access credential to certain resources`
			`type APIKey struct {`
			`lib *libuplink.APIKey`
			`}`

			`// Serialize serializes the API key to a string`
			`func (a APIKey) Serialize() string {`
			`return a.lib.Serialize()`
			`}`

			`// IsZero returns if the api key is an uninitialized value`
			`func (a *APIKey) IsZero() bool {`
			`return a.IsZero()`
			`}`

			`// ParseAPIKey parses an API key`
			`func ParseAPIKey(val string) (*APIKey, error) {`
			`k, err := libuplink.ParseAPIKey(val)`
			`if err != nil {`
			`return nil, safeError(err)`
			`}`
			`return &APIKey{lib: &k}, nil`
			`}`

			`// Restrict generates a new APIKey with the provided Caveat attached.`
			`func (a APIKey) Restrict(caveat Caveat) (APIKey, error) {`
			`paths := make([]*macaroon.Caveat_Path, 0)`
			`for _, path := range caveat.AllowedPaths {`
			`paths = append(paths, &macaroon.Caveat_Path{`
			`Bucket: path.Bucket,`
			`EncryptedPathPrefix: path.EncryptedPathPrefix,`
			`})`
			`}`
			`libCaveat := macaroon.Caveat{`
			`DisallowReads: caveat.DisallowReads,`
			`DisallowWrites: caveat.DisallowWrites,`
			`DisallowLists: caveat.DisallowLists,`
			`DisallowDeletes: caveat.DisallowDeletes,`
			`AllowedPaths: paths,`
			`Nonce: caveat.Nonce,`
			`}`

			`if caveat.NotAfter != 0 {`
			`notAfter := time.Unix(caveat.NotAfter, 0)`
			`libCaveat.NotAfter = &notAfter`
			`}`
			`if caveat.NotBefore != 0 {`
			`notBefore := time.Unix(caveat.NotBefore, 0)`
			`libCaveat.NotBefore = &notBefore`
			`}`

			`k, err := a.lib.Restrict(libCaveat)`
			`if err != nil {`
			`return nil, safeError(err)`
			`}`
			`return &APIKey{lib: &k}, nil`
			`}`