def discharge(ctx, id, caveat, key, checker, locator):
''' Creates a macaroon to discharge a third party caveat.
The given parameters specify the caveat and how it should be checked.
The condition implicit in the caveat is checked for validity using checker.
If it is valid, a new macaroon is returned which discharges the caveat.
The macaroon is created with a version derived from the version that was
used to encode the id.
:param id: (bytes) holds the id to give to the discharge macaroon.
If Caveat is empty, then the id also holds the encrypted third party
caveat.
:param caveat: (bytes) holds the encrypted third party caveat.
If this is None, id will be used.
:param key: holds the key to use to decrypt the third party caveat
information and to encrypt any additional third party caveats returned by
the caveat checker.
:param checker: used to check the third party caveat, and may also return
further caveats to be added to the discharge macaroon.
:param locator: used to information on third parties referred to by third
party caveats returned by the Checker.
'''
caveat_id_prefix = []
if caveat is None:
# The caveat information is encoded in the id itself.
caveat = id
else:
# We've been given an explicit id, so when extra third party
# caveats are added, use that id as the prefix
# for any more ids.
caveat_id_prefix = id
cav_info = macaroonbakery.decode_caveat(key, caveat)
# Note that we don't check the error - we allow the
# third party checker to see even caveats that we can't
# understand.
try:
cond, arg = checkers.parse_caveat(cav_info.condition)
except ValueError as exc:
raise macaroonbakery.VerificationError(exc.args[0])
if cond == checkers.COND_NEED_DECLARED:
cav_info = cav_info._replace(condition=arg.encode('utf-8'))
caveats = _check_need_declared(ctx, cav_info, checker)
else:
caveats = checker.check_third_party_caveat(ctx, cav_info)
# Note that the discharge macaroon does not need to
# be stored persistently. Indeed, it would be a problem if
# we did, because then the macaroon could potentially be used
# for normal authorization with the third party.
m = macaroonbakery.Macaroon(cav_info.root_key, id, '', cav_info.version,
cav_info.namespace)
m._caveat_id_prefix = caveat_id_prefix
if caveats is not None:
for cav in caveats:
m.add_caveat(cav, key, locator)
return m
def _add(self, cond):
try:
cond, args = checkers.parse_caveat(cond)
except ValueError:
# Be safe - if we can't parse the caveat, just leave it there.
return True
if cond == checkers.COND_TIME_BEFORE:
try:
et = pyrfc3339.parse(args, utc=True).replace(tzinfo=None)
except ValueError:
# Again, if it doesn't seem valid, leave it alone.
return True
if self._expiry is None or et <= self._expiry:
self._expiry = et
return False
elif cond in [checkers.COND_ALLOW,
checkers.COND_DENY, checkers.COND_DECLARED]:
return False
return True
def _add(self, cond):
try:
cond, args = checkers.parse_caveat(cond)
except ValueError:
# Be safe - if we can't parse the caveat, just leave it there.
return True
if cond == checkers.COND_TIME_BEFORE:
try:
et = pyrfc3339.parse(args)
except ValueError:
# Again, if it doesn't seem valid, leave it alone.
return True
if self._expiry is None or et <= self._expiry:
self._expiry = et
return False
elif cond in [checkers.COND_ALLOW,
checkers.COND_DENY, checkers.COND_DECLARED]:
return False
return True
def _check_need_declared(ctx, cav_info, checker):
arg = cav_info.condition.decode('utf-8')
i = arg.find(' ')
if i <= 0:
raise macaroonbakery.VerificationError(
'need-declared caveat requires an argument, got %q'.format(arg))
need_declared = arg[0:i].split(',')
for d in need_declared:
if d == '':
raise macaroonbakery.VerificationError('need-declared caveat with '
'empty required attribute')
if len(need_declared) == 0:
raise macaroonbakery.VerificationError('need-declared caveat with no '
'required attributes')
cav_info = cav_info._replace(condition=arg[i + 1:].encode('utf-8'))
caveats = checker.check_third_party_caveat(ctx, cav_info)
declared = {}
for cav in caveats:
if cav.location is not None and cav.location != '':
continue
# Note that we ignore the error. We allow the service to
# generate caveats that we don't understand here.
try:
cond, arg = checkers.parse_caveat(cav.condition)
except ValueError:
continue
if cond != checkers.COND_DECLARED:
continue
parts = arg.split()
if len(parts) != 2:
raise macaroonbakery.VerificationError('declared caveat has no '
'value')
declared[parts[0]] = True
# Add empty declarations for everything mentioned in need-declared
# that was not actually declared.
for d in need_declared:
if not declared.get(d, False):
caveats.append(checkers.declared_caveat(d, ''))
return caveats
def _check_need_declared(ctx, cav_info, checker):
arg = cav_info.condition.decode('utf-8')
i = arg.find(' ')
if i <= 0:
raise bakery.VerificationError(
'need-declared caveat requires an argument, got %q'.format(arg),
)
need_declared = arg[0:i].split(',')
for d in need_declared:
if d == '':
raise bakery.VerificationError('need-declared caveat with empty required attribute')
if len(need_declared) == 0:
raise bakery.VerificationError('need-declared caveat with no required attributes')
cav_info = cav_info._replace(condition=arg[i + 1:].encode('utf-8'))
caveats = checker.check_third_party_caveat(ctx, cav_info)
declared = {}
for cav in caveats:
if cav.location is not None and cav.location != '':
continue
# Note that we ignore the error. We allow the service to
# generate caveats that we don't understand here.
try:
cond, arg = checkers.parse_caveat(cav.condition)
except ValueError:
continue
if cond != checkers.COND_DECLARED:
continue
parts = arg.split()
if len(parts) != 2:
raise bakery.VerificationError('declared caveat has no value')
declared[parts[0]] = True
# Add empty declarations for everything mentioned in need-declared
# that was not actually declared.
for d in need_declared:
if not declared.get(d, False):
caveats.append(checkers.declared_caveat(d, ''))
return caveats
def check_third_party_caveat(self, ctx, info):
cond, arg = checkers.parse_caveat(info.condition)
return self._check(cond, arg)
def check_third_party_caveat(self, ctx, info):
cond, arg = checkers.parse_caveat(info.condition)
return self._check(cond, arg)
def discharge(ctx, id, caveat, key, checker, locator):
''' Creates a macaroon to discharge a third party caveat.
The given parameters specify the caveat and how it should be checked.
The condition implicit in the caveat is checked for validity using checker.
If it is valid, a new macaroon is returned which discharges the caveat.
The macaroon is created with a version derived from the version that was
used to encode the id.
:param id: (bytes) holds the id to give to the discharge macaroon.
If Caveat is empty, then the id also holds the encrypted third party
caveat.
:param caveat: (bytes) holds the encrypted third party caveat.
If this is None, id will be used.
:param key: holds the key to use to decrypt the third party caveat
information and to encrypt any additional third party caveats returned by
the caveat checker.
:param checker: used to check the third party caveat, and may also return
further caveats to be added to the discharge macaroon.
:param locator: used to information on third parties referred to by third
party caveats returned by the Checker.
'''
caveat_id_prefix = []
if caveat is None:
# The caveat information is encoded in the id itself.
caveat = id
else:
# We've been given an explicit id, so when extra third party
# caveats are added, use that id as the prefix
# for any more ids.
caveat_id_prefix = id
cav_info = bakery.decode_caveat(key, caveat)
cav_info = bakery.ThirdPartyCaveatInfo(
condition=cav_info.condition,
first_party_public_key=cav_info.first_party_public_key,
third_party_key_pair=cav_info.third_party_key_pair,
root_key=cav_info.root_key,
caveat=cav_info.caveat,
version=cav_info.version,
id=id,
namespace=cav_info.namespace
)
# Note that we don't check the error - we allow the
# third party checker to see even caveats that we can't
# understand.
try:
cond, arg = checkers.parse_caveat(cav_info.condition)
except ValueError as exc:
raise bakery.VerificationError(exc.args[0])
if cond == checkers.COND_NEED_DECLARED:
cav_info = cav_info._replace(condition=arg.encode('utf-8'))
caveats = _check_need_declared(ctx, cav_info, checker)
else:
caveats = checker.check_third_party_caveat(ctx, cav_info)
# Note that the discharge macaroon does not need to
# be stored persistently. Indeed, it would be a problem if
# we did, because then the macaroon could potentially be used
# for normal authorization with the third party.
m = bakery.Macaroon(
cav_info.root_key,
id,
'',
cav_info.version,
cav_info.namespace,
)
m._caveat_id_prefix = caveat_id_prefix
if caveats is not None:
for cav in caveats:
m.add_caveat(cav, key, locator)
return m