X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/14f6c56b96fb8b7ccd104951f9e8374540f16fa5..59b414ff7a625ad3d6e92659b20bdabc6d89e7d4:/services/keepstore/perms.go diff --git a/services/keepstore/perms.go b/services/keepstore/perms.go index 143815576b..65160b1868 100644 --- a/services/keepstore/perms.go +++ b/services/keepstore/perms.go @@ -80,23 +80,31 @@ func SignLocator(blob_locator string, api_token string, expiry time.Time) string "@" + timestamp_hex } -// VerifySignature returns true if the signature on the signed_locator -// can be verified using the given api_token. -func VerifySignature(signed_locator string, api_token string) bool { - if re, err := regexp.Compile(`^([a-f0-9]{32}(\+[0-9]+)?).*\+A[[:xdigit:]]+@([[:xdigit:]]{8})`); err == nil { - if matches := re.FindStringSubmatch(signed_locator); matches != nil { - blob_locator := matches[1] - timestamp_hex := matches[3] - if expire_ts, err := ParseHexTimestamp(timestamp_hex); err == nil { - // Fail signatures with expired timestamps. - if expire_ts.Before(time.Now()) { - return false - } - return signed_locator == SignLocator(blob_locator, api_token, expire_ts) - } - } +var signedLocatorRe = regexp.MustCompile(`^([[:xdigit:]]{32}).*\+A([[:xdigit:]]{40})@([[:xdigit:]]{8})`) + +// VerifySignature returns nil if the signature on the signed_locator +// can be verified using the given api_token. Otherwise it returns +// either ExpiredError (if the timestamp has expired, which is +// something the client could have figured out independently) or +// PermissionError. +func VerifySignature(signed_locator string, api_token string) error { + matches := signedLocatorRe.FindStringSubmatch(signed_locator) + if matches == nil { + // Could not find a permission signature at all + return PermissionError + } + blob_hash := matches[1] + sig_hex := matches[2] + exp_hex := matches[3] + if exp_time, err := ParseHexTimestamp(exp_hex); err != nil { + return PermissionError + } else if exp_time.Before(time.Now()) { + return ExpiredError + } + if sig_hex != MakePermSignature(blob_hash, api_token, exp_hex) { + return PermissionError } - return false + return nil } func ParseHexTimestamp(timestamp_hex string) (ts time.Time, err error) {