// Copyright (C) 2019 Storj Labs, Inc. // See LICENSE for copying information. package macaroon import ( "bytes" "context" "time" "github.com/btcsuite/btcutil/base58" "github.com/spacemonkeygo/monkit/v3" "github.com/zeebo/errs" "storj.io/common/pb" ) var ( // Error is a general API Key error Error = errs.Class("api key error") // ErrFormat means that the structural formatting of the API Key is invalid ErrFormat = errs.Class("api key format error") // ErrInvalid means that the API Key is improperly signed ErrInvalid = errs.Class("api key invalid error") // ErrUnauthorized means that the API key does not grant the requested permission ErrUnauthorized = errs.Class("api key unauthorized error") // ErrRevoked means the API key has been revoked ErrRevoked = errs.Class("api key revocation error") mon = monkit.Package() ) // ActionType specifies the operation type being performed that the Macaroon will validate type ActionType int const ( // not using iota because these values are persisted in macaroons _ ActionType = 0 // ActionRead specifies a read operation ActionRead ActionType = 1 // ActionWrite specifies a read operation ActionWrite ActionType = 2 // ActionList specifies a read operation ActionList ActionType = 3 // ActionDelete specifies a read operation ActionDelete ActionType = 4 // ActionProjectInfo requests project-level information ActionProjectInfo ActionType = 5 ) // Action specifies the specific operation being performed that the Macaroon will validate type Action struct { Op ActionType Bucket []byte EncryptedPath []byte Time time.Time } // APIKey implements a Macaroon-backed Storj-v3 API key. type APIKey struct { mac *Macaroon } // ParseAPIKey parses a given api key string and returns an APIKey if the // APIKey was correctly formatted. It does not validate the key. func ParseAPIKey(key string) (*APIKey, error) { data, version, err := base58.CheckDecode(key) if err != nil || version != 0 { return nil, ErrFormat.New("invalid api key format") } mac, err := ParseMacaroon(data) if err != nil { return nil, ErrFormat.Wrap(err) } return &APIKey{mac: mac}, nil } // ParseRawAPIKey parses raw api key data and returns an APIKey if the APIKey // was correctly formatted. It does not validate the key. func ParseRawAPIKey(data []byte) (*APIKey, error) { mac, err := ParseMacaroon(data) if err != nil { return nil, ErrFormat.Wrap(err) } return &APIKey{mac: mac}, nil } // NewAPIKey generates a brand new unrestricted API key given the provided // server project secret func NewAPIKey(secret []byte) (*APIKey, error) { mac, err := NewUnrestricted(secret) if err != nil { return nil, Error.Wrap(err) } return &APIKey{mac: mac}, nil } // Check makes sure that the key authorizes the provided action given the root // project secret and any possible revocations, returning an error if the action // is not authorized. 'revoked' is a list of revoked heads. func (a *APIKey) Check(ctx context.Context, secret []byte, action Action, revoked [][]byte) (err error) { defer mon.Task()(&ctx)(&err) if !a.mac.Validate(secret) { return ErrInvalid.New("macaroon unauthorized") } // a timestamp is always required on an action if action.Time.IsZero() { return Error.New("no timestamp provided") } caveats := a.mac.Caveats() for _, cavbuf := range caveats { var cav Caveat err := pb.Unmarshal(cavbuf, &cav) if err != nil { return ErrFormat.New("invalid caveat format") } if !cav.Allows(action) { return ErrUnauthorized.New("action disallowed") } } head := a.mac.Head() for _, revokedID := range revoked { if bytes.Equal(revokedID, head) { return ErrRevoked.New("macaroon head revoked") } } return nil } // AllowedBuckets stores information about which buckets are // allowed to be accessed, where `Buckets` stores names of buckets that are // allowed and `All` is a bool that indicates if all buckets are allowed or not type AllowedBuckets struct { All bool Buckets map[string]struct{} } // GetAllowedBuckets returns a list of all the allowed bucket paths that match the Action operation func (a *APIKey) GetAllowedBuckets(ctx context.Context, action Action) (allowed AllowedBuckets, err error) { defer mon.Task()(&ctx)(&err) // Every bucket is allowed until we find a caveat that restricts some paths. allowed.All = true // every caveat that includes a list of allowed paths must include the bucket for // the bucket to be allowed. in other words, the set of allowed buckets is the // intersection of all of the buckets in the allowed paths. for _, cavbuf := range a.mac.Caveats() { var cav Caveat err := pb.Unmarshal(cavbuf, &cav) if err != nil { return AllowedBuckets{}, ErrFormat.New("invalid caveat format: %v", err) } if !cav.Allows(action) { return AllowedBuckets{}, ErrUnauthorized.New("action disallowed") } // If the caveat does not include any allowed paths, then it is not restricting it. if len(cav.AllowedPaths) == 0 { continue } // Since we found some path restrictions, it's definitely the case that not every // bucket is allowed. allowed.All = false caveatBuckets := map[string]struct{}{} for _, caveatPath := range cav.AllowedPaths { caveatBuckets[string(caveatPath.Bucket)] = struct{}{} } if allowed.Buckets == nil { allowed.Buckets = caveatBuckets } else { for bucket := range allowed.Buckets { if _, ok := caveatBuckets[bucket]; !ok { delete(allowed.Buckets, bucket) } } } } return allowed, err } // Restrict generates a new APIKey with the provided Caveat attached. func (a *APIKey) Restrict(caveat Caveat) (*APIKey, error) { buf, err := pb.Marshal(&caveat) if err != nil { return nil, Error.Wrap(err) } mac, err := a.mac.AddFirstPartyCaveat(buf) if err != nil { return nil, Error.Wrap(err) } return &APIKey{mac: mac}, nil } // Head returns the identifier for this macaroon's root ancestor. func (a *APIKey) Head() []byte { return a.mac.Head() } // Tail returns the identifier for this macaroon only. func (a *APIKey) Tail() []byte { return a.mac.Tail() } // Serialize serializes the API Key to a string func (a *APIKey) Serialize() string { return base58.CheckEncode(a.mac.Serialize(), 0) } // SerializeRaw serialize the API Key to raw bytes func (a *APIKey) SerializeRaw() []byte { return a.mac.Serialize() } // Allows returns true if the provided action is allowed by the caveat. func (c *Caveat) Allows(action Action) bool { // if the action is after the caveat's "not after" field, then it is invalid if c.NotAfter != nil && action.Time.After(*c.NotAfter) { return false } // if the caveat's "not before" field is *after* the action, then the action // is before the "not before" field and it is invalid if c.NotBefore != nil && c.NotBefore.After(action.Time) { return false } // we want to always allow reads for bucket metadata, perhaps filtered by the // buckets in the allowed paths. if action.Op == ActionRead && len(action.EncryptedPath) == 0 { if len(c.AllowedPaths) == 0 { return true } if len(action.Bucket) == 0 { // if no action.bucket name is provided, then this call is checking that // we can list all buckets. In that case, return true here and we will // filter out buckets that aren't allowed later with `GetAllowedBuckets()` return true } for _, path := range c.AllowedPaths { if bytes.Equal(path.Bucket, action.Bucket) { return true } } return false } switch action.Op { case ActionRead: if c.DisallowReads { return false } case ActionWrite: if c.DisallowWrites { return false } case ActionList: if c.DisallowLists { return false } case ActionDelete: if c.DisallowDeletes { return false } case ActionProjectInfo: // allow default: return false } if len(c.AllowedPaths) > 0 && action.Op != ActionProjectInfo { found := false for _, path := range c.AllowedPaths { if bytes.Equal(action.Bucket, path.Bucket) && bytes.HasPrefix(action.EncryptedPath, path.EncryptedPathPrefix) { found = true break } } if !found { return false } } return true }