storj/satellite/console/consolewasm/permission.go

// Copyright (C) 2020 Storj Labs, Inc.
// See LICENSE for copying information.

package consolewasm

import (
	"time"

	"github.com/zeebo/errs"

	"storj.io/common/macaroon"
)

// Permission defines what actions can be used to share.
//
// This struct has been taken from storj.io/uplink and duplicated to avoid
// pulling in that dependency.
type Permission struct {
	// AllowDownload gives permission to download the object's content. It
	// allows getting object metadata, but it does not allow listing buckets.
	AllowDownload bool
	// AllowUpload gives permission to create buckets and upload new objects.
	// It does not allow overwriting existing objects unless AllowDelete is
	// granted too.
	AllowUpload bool
	// AllowList gives permission to list buckets. It allows getting object
	// metadata, but it does not allow downloading the object's content.
	AllowList bool
	// AllowDelete gives permission to delete buckets and objects. Unless
	// either AllowDownload or AllowList is granted too, no object metadata and
	// no error info will be returned for deleted objects.
	AllowDelete bool
	// NotBefore restricts when the resulting access grant is valid for.
	// If set, the resulting access grant will not work if the Satellite
	// believes the time is before NotBefore.
	// If set, this value should always be before NotAfter.
	NotBefore time.Time
	// NotAfter restricts when the resulting access grant is valid for.
	// If set, the resulting access grant will not work if the Satellite
	// believes the time is after NotAfter.
	// If set, this value should always be after NotBefore.
	NotAfter time.Time
}

// SetPermission restricts the api key with the permissions and returns an api key with restricted permissions.
func SetPermission(key string, buckets []string, permission Permission) (*macaroon.APIKey, error) {
	if permission == (Permission{}) {
		return nil, errs.New("permission is empty")
	}

	var notBefore, notAfter *time.Time
	if !permission.NotBefore.IsZero() {
		notBefore = &permission.NotBefore
	}
	if !permission.NotAfter.IsZero() {
		notAfter = &permission.NotAfter
	}

	if notBefore != nil && notAfter != nil && notAfter.Before(*notBefore) {
		return nil, errs.New("invalid time range")
	}

	caveat := macaroon.WithNonce(macaroon.Caveat{
		DisallowReads:   !permission.AllowDownload,
		DisallowWrites:  !permission.AllowUpload,
		DisallowLists:   !permission.AllowList,
		DisallowDeletes: !permission.AllowDelete,
		NotBefore:       notBefore,
		NotAfter:        notAfter,
	})

	for _, b := range buckets {
		caveat.AllowedPaths = append(caveat.AllowedPaths, &macaroon.Caveat_Path{
			Bucket: []byte(b),
		})
	}

	apiKey, err := macaroon.ParseAPIKey(key)
	if err != nil {
		return nil, err
	}

	restrictedKey, err := apiKey.Restrict(caveat)
	if err != nil {
		return nil, err
	}

	return restrictedKey, nil
}
satellite/cosole: add tests for wasm access code Change-Id: I78f71b2f0bef03b6e87cd7d79ccaef5f45393b55 2020-11-11 13:45:03 +00:00			`// Copyright (C) 2020 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

satellite/console/wasm: reduce size to <9MB Make changes so that we only import the necessary files from the console package so that the generated wasm code is as small as possible. This change gets the compiled wasm code down to 8.6MB uncompressed and 2MB when compressed with `gzip --best`. https://review.dev.storj.io/c/storj/storj/+/3396 Change-Id: Ifdd4be285810757b46bbbe43327c0d0139e5f8f7 2020-12-14 16:33:33 +00:00			`package consolewasm`
satellite/cosole: add tests for wasm access code Change-Id: I78f71b2f0bef03b6e87cd7d79ccaef5f45393b55 2020-11-11 13:45:03 +00:00
			`import (`
			`"time"`

			`"github.com/zeebo/errs"`

			`"storj.io/common/macaroon"`
			`)`

			`// Permission defines what actions can be used to share.`
			`//`
			`// This struct has been taken from storj.io/uplink and duplicated to avoid`
			`// pulling in that dependency.`
			`type Permission struct {`
			`// AllowDownload gives permission to download the object's content. It`
			`// allows getting object metadata, but it does not allow listing buckets.`
			`AllowDownload bool`
			`// AllowUpload gives permission to create buckets and upload new objects.`
			`// It does not allow overwriting existing objects unless AllowDelete is`
			`// granted too.`
			`AllowUpload bool`
			`// AllowList gives permission to list buckets. It allows getting object`
			`// metadata, but it does not allow downloading the object's content.`
			`AllowList bool`
			`// AllowDelete gives permission to delete buckets and objects. Unless`
			`// either AllowDownload or AllowList is granted too, no object metadata and`
			`// no error info will be returned for deleted objects.`
			`AllowDelete bool`
			`// NotBefore restricts when the resulting access grant is valid for.`
			`// If set, the resulting access grant will not work if the Satellite`
			`// believes the time is before NotBefore.`
			`// If set, this value should always be before NotAfter.`
			`NotBefore time.Time`
			`// NotAfter restricts when the resulting access grant is valid for.`
			`// If set, the resulting access grant will not work if the Satellite`
			`// believes the time is after NotAfter.`
			`// If set, this value should always be after NotBefore.`
			`NotAfter time.Time`
			`}`

			`// SetPermission restricts the api key with the permissions and returns an api key with restricted permissions.`
			`func SetPermission(key string, buckets []string, permission Permission) (*macaroon.APIKey, error) {`
			`if permission == (Permission{}) {`
			`return nil, errs.New("permission is empty")`
			`}`

			`var notBefore, notAfter *time.Time`
			`if !permission.NotBefore.IsZero() {`
			`notBefore = &permission.NotBefore`
			`}`
			`if !permission.NotAfter.IsZero() {`
			`notAfter = &permission.NotAfter`
			`}`

			`if notBefore != nil && notAfter != nil && notAfter.Before(*notBefore) {`
			`return nil, errs.New("invalid time range")`
			`}`

Use WithNonce when creating caveats This ensures the caveats are unique even when they contain the same permissions and will result in unique macaroons. This is important to ensure revocation doesn't impact more macaroons than intended. Change-Id: I6354edd0119f2d85eaf580f2d1926a3de9151b88 2021-02-02 10:57:52 +00:00			`caveat := macaroon.WithNonce(macaroon.Caveat{`
satellite/cosole: add tests for wasm access code Change-Id: I78f71b2f0bef03b6e87cd7d79ccaef5f45393b55 2020-11-11 13:45:03 +00:00			`DisallowReads: !permission.AllowDownload,`
			`DisallowWrites: !permission.AllowUpload,`
			`DisallowLists: !permission.AllowList,`
			`DisallowDeletes: !permission.AllowDelete,`
			`NotBefore: notBefore,`
			`NotAfter: notAfter,`
Use WithNonce when creating caveats This ensures the caveats are unique even when they contain the same permissions and will result in unique macaroons. This is important to ensure revocation doesn't impact more macaroons than intended. Change-Id: I6354edd0119f2d85eaf580f2d1926a3de9151b88 2021-02-02 10:57:52 +00:00			`})`
satellite/cosole: add tests for wasm access code Change-Id: I78f71b2f0bef03b6e87cd7d79ccaef5f45393b55 2020-11-11 13:45:03 +00:00
			`for _, b := range buckets {`
			`caveat.AllowedPaths = append(caveat.AllowedPaths, &macaroon.Caveat_Path{`
			`Bucket: []byte(b),`
			`})`
			`}`

			`apiKey, err := macaroon.ParseAPIKey(key)`
			`if err != nil {`
			`return nil, err`
			`}`

			`restrictedKey, err := apiKey.Restrict(caveat)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return restrictedKey, nil`
			`}`