2024-09-11 15:10:54 -04:00
|
|
|
package mdw
|
|
|
|
|
|
|
|
|
|
import (
|
2024-09-14 12:47:25 -04:00
|
|
|
"fmt"
|
2024-09-11 15:10:54 -04:00
|
|
|
"net/http"
|
2024-09-14 12:47:25 -04:00
|
|
|
"time"
|
2024-09-11 15:10:54 -04:00
|
|
|
|
|
|
|
|
"github.com/labstack/echo/v4"
|
|
|
|
|
"gopkg.in/macaroon.v2"
|
|
|
|
|
)
|
|
|
|
|
|
2024-09-14 12:47:25 -04:00
|
|
|
const (
|
|
|
|
|
OriginMacroonCaveat MacroonCaveat = "origin"
|
|
|
|
|
ScopesMacroonCaveat MacroonCaveat = "scopes"
|
|
|
|
|
SubjectMacroonCaveat MacroonCaveat = "subject"
|
|
|
|
|
ExpMacroonCaveat MacroonCaveat = "exp"
|
|
|
|
|
TokenMacroonCaveat MacroonCaveat = "token"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type MacroonCaveat string
|
2024-09-11 15:10:54 -04:00
|
|
|
|
2024-09-14 12:47:25 -04:00
|
|
|
func (c MacroonCaveat) Equal(other string) bool {
|
|
|
|
|
return string(c) == other
|
2024-09-11 15:10:54 -04:00
|
|
|
}
|
|
|
|
|
|
2024-09-14 12:47:25 -04:00
|
|
|
func (c MacroonCaveat) String() string {
|
|
|
|
|
return string(c)
|
2024-09-11 15:10:54 -04:00
|
|
|
}
|
|
|
|
|
|
2024-09-14 12:47:25 -04:00
|
|
|
func (c MacroonCaveat) Verify(value string) error {
|
|
|
|
|
switch c {
|
|
|
|
|
case OriginMacroonCaveat:
|
|
|
|
|
return nil
|
|
|
|
|
case ScopesMacroonCaveat:
|
|
|
|
|
return nil
|
|
|
|
|
case SubjectMacroonCaveat:
|
|
|
|
|
return nil
|
|
|
|
|
case ExpMacroonCaveat:
|
|
|
|
|
// Check if the expiration time is still valid
|
|
|
|
|
exp, err := time.Parse(time.RFC3339, value)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if time.Now().After(exp) {
|
|
|
|
|
return fmt.Errorf("expired")
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
case TokenMacroonCaveat:
|
|
|
|
|
return nil
|
|
|
|
|
default:
|
|
|
|
|
return fmt.Errorf("unknown caveat: %s", c)
|
|
|
|
|
}
|
2024-09-11 15:10:54 -04:00
|
|
|
}
|
|
|
|
|
|
2024-09-14 12:47:25 -04:00
|
|
|
var MacroonCaveats = []MacroonCaveat{OriginMacroonCaveat, ScopesMacroonCaveat, SubjectMacroonCaveat, ExpMacroonCaveat, TokenMacroonCaveat}
|
|
|
|
|
|
|
|
|
|
func MacaroonMiddleware(secretKeyStr string, location string) echo.MiddlewareFunc {
|
|
|
|
|
secretKey := []byte(secretKeyStr)
|
2024-09-11 15:10:54 -04:00
|
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
|
|
|
return func(c echo.Context) error {
|
|
|
|
|
// Extract the macaroon from the Authorization header
|
|
|
|
|
auth := c.Request().Header.Get("Authorization")
|
|
|
|
|
if auth == "" {
|
|
|
|
|
return c.JSON(http.StatusUnauthorized, map[string]string{"error": "Missing Authorization header"})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Decode the macaroon
|
|
|
|
|
mac, err := macaroon.Base64Decode([]byte(auth))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return c.JSON(http.StatusBadRequest, map[string]string{"error": "Invalid macaroon encoding"})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token, err := macaroon.New(secretKey, mac, location, macaroon.LatestVersion)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return c.JSON(http.StatusBadRequest, map[string]string{"error": "Invalid macaroon"})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify the macaroon
|
|
|
|
|
err = token.Verify(secretKey, func(caveat string) error {
|
2024-09-14 12:47:25 -04:00
|
|
|
for _, c := range MacroonCaveats {
|
|
|
|
|
if c.String() == caveat {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-09-11 15:10:54 -04:00
|
|
|
return nil // Return nil if the caveat is valid
|
|
|
|
|
}, nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return c.JSON(http.StatusUnauthorized, map[string]string{"error": "Invalid macaroon"})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Macaroon is valid, proceed to the next handler
|
|
|
|
|
return next(c)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
