216 lines
4.7 KiB
Go
216 lines
4.7 KiB
Go
|
// Copyright (C) 2019 Storj Labs, Inc.
|
||
|
// See LICENSE for copying information.
|
||
|
|
||
|
package macaroon
|
||
|
|
||
|
import (
|
||
|
"encoding/binary"
|
||
|
"errors"
|
||
|
)
|
||
|
|
||
|
type fieldType int
|
||
|
|
||
|
const (
|
||
|
fieldEOS fieldType = 0
|
||
|
fieldLocation fieldType = 1
|
||
|
fieldIdentifier fieldType = 2
|
||
|
fieldVerificationID fieldType = 4
|
||
|
fieldSignature fieldType = 6
|
||
|
)
|
||
|
|
||
|
const (
|
||
|
version byte = 2
|
||
|
)
|
||
|
|
||
|
type packet struct {
|
||
|
fieldType fieldType
|
||
|
data []byte
|
||
|
}
|
||
|
|
||
|
// Serialize converts macaroon to binary format
|
||
|
func (m *Macaroon) Serialize() (data []byte) {
|
||
|
// Start data from version int
|
||
|
data = append(data, version)
|
||
|
|
||
|
// Serilize Identity
|
||
|
data = serializePacket(data, packet{
|
||
|
fieldType: fieldIdentifier,
|
||
|
data: m.head,
|
||
|
})
|
||
|
data = append(data, 0)
|
||
|
|
||
|
// Serialize caveats
|
||
|
for _, cav := range m.caveats {
|
||
|
data = serializePacket(data, packet{
|
||
|
fieldType: fieldIdentifier,
|
||
|
data: cav,
|
||
|
})
|
||
|
data = append(data, 0)
|
||
|
}
|
||
|
|
||
|
data = append(data, 0)
|
||
|
|
||
|
// Serialize tail
|
||
|
data = serializePacket(data, packet{
|
||
|
fieldType: fieldSignature,
|
||
|
data: m.tail,
|
||
|
})
|
||
|
|
||
|
return data
|
||
|
}
|
||
|
|
||
|
// serializePacket converts packet to binary
|
||
|
func serializePacket(data []byte, p packet) []byte {
|
||
|
data = appendVarint(data, int(p.fieldType))
|
||
|
data = appendVarint(data, len(p.data))
|
||
|
data = append(data, p.data...)
|
||
|
|
||
|
return data
|
||
|
}
|
||
|
|
||
|
func appendVarint(data []byte, x int) []byte {
|
||
|
var buf [binary.MaxVarintLen32]byte
|
||
|
n := binary.PutUvarint(buf[:], uint64(x))
|
||
|
|
||
|
return append(data, buf[:n]...)
|
||
|
}
|
||
|
|
||
|
// ParseMacaroon converts binary to macaroon
|
||
|
func ParseMacaroon(data []byte) (_ *Macaroon, err error) {
|
||
|
if len(data) < 2 {
|
||
|
return nil, errors.New("empty macaroon")
|
||
|
}
|
||
|
if data[0] != version {
|
||
|
return nil, errors.New("invalid macaroon version")
|
||
|
}
|
||
|
// skip version
|
||
|
data = data[1:]
|
||
|
// Parse Location
|
||
|
data, section, err := parseSection(data)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
if len(section) > 0 && section[0].fieldType == fieldLocation {
|
||
|
section = section[1:]
|
||
|
}
|
||
|
if len(section) != 1 || section[0].fieldType != fieldIdentifier {
|
||
|
return nil, errors.New("invalid macaroon header")
|
||
|
}
|
||
|
|
||
|
mac := Macaroon{}
|
||
|
mac.head = section[0].data
|
||
|
for {
|
||
|
rest, section, err := parseSection(data)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
data = rest
|
||
|
if len(section) == 0 {
|
||
|
break
|
||
|
}
|
||
|
if len(section) > 0 && section[0].fieldType == fieldLocation {
|
||
|
section = section[1:]
|
||
|
}
|
||
|
if len(section) == 0 || section[0].fieldType != fieldIdentifier {
|
||
|
return nil, errors.New("no Identifier in caveat")
|
||
|
}
|
||
|
cav := append([]byte(nil), section[0].data...)
|
||
|
section = section[1:]
|
||
|
if len(section) == 0 {
|
||
|
// First party caveat.
|
||
|
//if cav.Location != "" {
|
||
|
// return nil, errors.New("location not allowed in first party caveat")
|
||
|
//}
|
||
|
mac.caveats = append(mac.caveats, cav)
|
||
|
continue
|
||
|
}
|
||
|
if len(section) != 1 {
|
||
|
return nil, errors.New("extra fields found in caveat")
|
||
|
}
|
||
|
if section[0].fieldType != fieldVerificationID {
|
||
|
return nil, errors.New("invalid field found in caveat")
|
||
|
}
|
||
|
//cav.VerificationId = section[0].data
|
||
|
mac.caveats = append(mac.caveats, cav)
|
||
|
}
|
||
|
_, sig, err := parsePacket(data)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
if sig.fieldType != fieldSignature {
|
||
|
return nil, errors.New("unexpected field found instead of signature")
|
||
|
}
|
||
|
if len(sig.data) != 32 {
|
||
|
return nil, errors.New("signature has unexpected length")
|
||
|
}
|
||
|
mac.tail = make([]byte, 32)
|
||
|
copy(mac.tail, sig.data)
|
||
|
//return data, nil
|
||
|
// Parse Identity
|
||
|
// Parse caveats
|
||
|
// Parse tail
|
||
|
return &mac, nil
|
||
|
}
|
||
|
|
||
|
// parseSection returns data leftover and packet array
|
||
|
func parseSection(data []byte) ([]byte, []packet, error) {
|
||
|
prevFieldType := fieldType(-1)
|
||
|
var packets []packet
|
||
|
for {
|
||
|
if len(data) == 0 {
|
||
|
return nil, nil, errors.New("section extends past end of buffer")
|
||
|
}
|
||
|
rest, p, err := parsePacket(data)
|
||
|
if err != nil {
|
||
|
return nil, nil, err
|
||
|
}
|
||
|
if p.fieldType == fieldEOS {
|
||
|
return rest, packets, nil
|
||
|
}
|
||
|
if p.fieldType <= prevFieldType {
|
||
|
return nil, nil, errors.New("fields out of order")
|
||
|
}
|
||
|
packets = append(packets, p)
|
||
|
prevFieldType = p.fieldType
|
||
|
data = rest
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// parsePacket returns data leftover and packet
|
||
|
func parsePacket(data []byte) ([]byte, packet, error) {
|
||
|
data, ft, err := parseVarint(data)
|
||
|
if err != nil {
|
||
|
return nil, packet{}, err
|
||
|
}
|
||
|
|
||
|
p := packet{fieldType: fieldType(ft)}
|
||
|
if p.fieldType == fieldEOS {
|
||
|
return data, p, nil
|
||
|
}
|
||
|
data, packLen, err := parseVarint(data)
|
||
|
if err != nil {
|
||
|
return nil, packet{}, err
|
||
|
}
|
||
|
|
||
|
if packLen > len(data) {
|
||
|
return nil, packet{}, errors.New("out of bounds")
|
||
|
}
|
||
|
if packLen == 0 {
|
||
|
p.data = nil
|
||
|
|
||
|
return data, p, nil
|
||
|
}
|
||
|
|
||
|
p.data = data[0:packLen]
|
||
|
|
||
|
return data[packLen:], p, nil
|
||
|
}
|
||
|
|
||
|
func parseVarint(data []byte) ([]byte, int, error) {
|
||
|
value, n := binary.Uvarint(data)
|
||
|
if n <= 0 || value > 0x7fffffff {
|
||
|
return nil, 0, errors.New("varint error")
|
||
|
}
|
||
|
return data[n:], int(value), nil
|
||
|
}
|