946ec201e2
What: we move api keys out of the grpc connection-level metadata on the client side and into the request protobufs directly. the server side still supports both mechanisms for backwards compatibility. Why: dRPC won't support connection-level metadata. the only thing we currently use connection-level metadata for is api keys. we need to move all information needed by a request into the request protobuf itself for drpc support. check out the .proto changes for the main details. One fun side-fact: Did you know that protobuf fields 1-15 are special and only use one byte for both the field number and type? Additionally did you know we don't use field 15 anywhere yet? So the new request header will use field 15, and should use field 15 on all protobufs going forward. Please describe the tests: all existing tests should pass Please describe the performance impact: none
221 lines
4.8 KiB
Go
221 lines
4.8 KiB
Go
// Copyright (C) 2019 Storj Labs, Inc.
|
|
// See LICENSE for copying information.
|
|
|
|
package macaroon
|
|
|
|
import (
|
|
"context"
|
|
"encoding/binary"
|
|
"errors"
|
|
)
|
|
|
|
type fieldType int
|
|
|
|
const (
|
|
fieldEOS fieldType = 0
|
|
fieldLocation fieldType = 1
|
|
fieldIdentifier fieldType = 2
|
|
fieldVerificationID fieldType = 4
|
|
fieldSignature fieldType = 6
|
|
)
|
|
|
|
const (
|
|
version byte = 2
|
|
)
|
|
|
|
type packet struct {
|
|
fieldType fieldType
|
|
data []byte
|
|
}
|
|
|
|
// Serialize converts macaroon to binary format
|
|
func (m *Macaroon) Serialize() (data []byte) {
|
|
ctx := context.TODO()
|
|
defer mon.Task()(&ctx)(nil)
|
|
// Start data from version int
|
|
data = append(data, version)
|
|
|
|
// Serilize Identity
|
|
data = serializePacket(data, packet{
|
|
fieldType: fieldIdentifier,
|
|
data: m.head,
|
|
})
|
|
data = append(data, 0)
|
|
|
|
// Serialize caveats
|
|
for _, cav := range m.caveats {
|
|
data = serializePacket(data, packet{
|
|
fieldType: fieldIdentifier,
|
|
data: cav,
|
|
})
|
|
data = append(data, 0)
|
|
}
|
|
|
|
data = append(data, 0)
|
|
|
|
// Serialize tail
|
|
data = serializePacket(data, packet{
|
|
fieldType: fieldSignature,
|
|
data: m.tail,
|
|
})
|
|
|
|
return data
|
|
}
|
|
|
|
// serializePacket converts packet to binary
|
|
func serializePacket(data []byte, p packet) []byte {
|
|
data = appendVarint(data, int(p.fieldType))
|
|
data = appendVarint(data, len(p.data))
|
|
data = append(data, p.data...)
|
|
|
|
return data
|
|
}
|
|
|
|
func appendVarint(data []byte, x int) []byte {
|
|
var buf [binary.MaxVarintLen32]byte
|
|
n := binary.PutUvarint(buf[:], uint64(x))
|
|
|
|
return append(data, buf[:n]...)
|
|
}
|
|
|
|
// ParseMacaroon converts binary to macaroon
|
|
func ParseMacaroon(data []byte) (_ *Macaroon, err error) {
|
|
ctx := context.TODO()
|
|
defer mon.Task()(&ctx)(&err)
|
|
if len(data) < 2 {
|
|
return nil, errors.New("empty macaroon")
|
|
}
|
|
if data[0] != version {
|
|
return nil, errors.New("invalid macaroon version")
|
|
}
|
|
// skip version
|
|
data = data[1:]
|
|
// Parse Location
|
|
data, section, err := parseSection(data)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(section) > 0 && section[0].fieldType == fieldLocation {
|
|
section = section[1:]
|
|
}
|
|
if len(section) != 1 || section[0].fieldType != fieldIdentifier {
|
|
return nil, errors.New("invalid macaroon header")
|
|
}
|
|
|
|
mac := Macaroon{}
|
|
mac.head = section[0].data
|
|
for {
|
|
rest, section, err := parseSection(data)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
data = rest
|
|
if len(section) == 0 {
|
|
break
|
|
}
|
|
if len(section) > 0 && section[0].fieldType == fieldLocation {
|
|
section = section[1:]
|
|
}
|
|
if len(section) == 0 || section[0].fieldType != fieldIdentifier {
|
|
return nil, errors.New("no Identifier in caveat")
|
|
}
|
|
cav := append([]byte(nil), section[0].data...)
|
|
section = section[1:]
|
|
if len(section) == 0 {
|
|
// First party caveat.
|
|
//if cav.Location != "" {
|
|
// return nil, errors.New("location not allowed in first party caveat")
|
|
//}
|
|
mac.caveats = append(mac.caveats, cav)
|
|
continue
|
|
}
|
|
if len(section) != 1 {
|
|
return nil, errors.New("extra fields found in caveat")
|
|
}
|
|
if section[0].fieldType != fieldVerificationID {
|
|
return nil, errors.New("invalid field found in caveat")
|
|
}
|
|
//cav.VerificationId = section[0].data
|
|
mac.caveats = append(mac.caveats, cav)
|
|
}
|
|
_, sig, err := parsePacket(data)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if sig.fieldType != fieldSignature {
|
|
return nil, errors.New("unexpected field found instead of signature")
|
|
}
|
|
if len(sig.data) != 32 {
|
|
return nil, errors.New("signature has unexpected length")
|
|
}
|
|
mac.tail = make([]byte, 32)
|
|
copy(mac.tail, sig.data)
|
|
//return data, nil
|
|
// Parse Identity
|
|
// Parse caveats
|
|
// Parse tail
|
|
return &mac, nil
|
|
}
|
|
|
|
// parseSection returns data leftover and packet array
|
|
func parseSection(data []byte) ([]byte, []packet, error) {
|
|
prevFieldType := fieldType(-1)
|
|
var packets []packet
|
|
for {
|
|
if len(data) == 0 {
|
|
return nil, nil, errors.New("section extends past end of buffer")
|
|
}
|
|
rest, p, err := parsePacket(data)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
if p.fieldType == fieldEOS {
|
|
return rest, packets, nil
|
|
}
|
|
if p.fieldType <= prevFieldType {
|
|
return nil, nil, errors.New("fields out of order")
|
|
}
|
|
packets = append(packets, p)
|
|
prevFieldType = p.fieldType
|
|
data = rest
|
|
}
|
|
}
|
|
|
|
// parsePacket returns data leftover and packet
|
|
func parsePacket(data []byte) ([]byte, packet, error) {
|
|
data, ft, err := parseVarint(data)
|
|
if err != nil {
|
|
return nil, packet{}, err
|
|
}
|
|
|
|
p := packet{fieldType: fieldType(ft)}
|
|
if p.fieldType == fieldEOS {
|
|
return data, p, nil
|
|
}
|
|
data, packLen, err := parseVarint(data)
|
|
if err != nil {
|
|
return nil, packet{}, err
|
|
}
|
|
|
|
if packLen > len(data) {
|
|
return nil, packet{}, errors.New("out of bounds")
|
|
}
|
|
if packLen == 0 {
|
|
p.data = nil
|
|
|
|
return data, p, nil
|
|
}
|
|
|
|
p.data = data[0:packLen]
|
|
|
|
return data[packLen:], p, nil
|
|
}
|
|
|
|
func parseVarint(data []byte) ([]byte, int, error) {
|
|
value, n := binary.Uvarint(data)
|
|
if n <= 0 || value > 0x7fffffff {
|
|
return nil, 0, errors.New("varint error")
|
|
}
|
|
return data[n:], int(value), nil
|
|
}
|