X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/5b80941723d6be1fd22589026635a43b33e6cf20..72900c01e197d602e79fda8d306b17fd1e32a3ea:/sdk/go/keepclient/perms.go diff --git a/sdk/go/keepclient/perms.go b/sdk/go/keepclient/perms.go index 7dc06e20af..d650f0d7ad 100644 --- a/sdk/go/keepclient/perms.go +++ b/sdk/go/keepclient/perms.go @@ -16,21 +16,28 @@ import ( ) var ( - ErrSignatureExpired = errors.New("Signature expired") - ErrSignatureInvalid = errors.New("Invalid signature") - ErrSignatureMalformed = errors.New("Malformed signature") - ErrSignatureMissing = errors.New("Missing signature") + // ErrSignatureExpired - a signature was rejected because the + // expiry time has passed. + ErrSignatureExpired = errors.New("Signature expired") + // ErrSignatureInvalid - a signature was rejected because it + // was badly formatted or did not match the given secret key. + ErrSignatureInvalid = errors.New("Invalid signature") + // ErrSignatureMissing - the given locator does not have a + // signature hint. + ErrSignatureMissing = errors.New("Missing signature") ) // makePermSignature generates a SHA-1 HMAC digest for the given blob, // token, expiry, and site secret. -func makePermSignature(blobHash, apiToken, expiry string, permissionSecret []byte) string { +func makePermSignature(blobHash, apiToken, expiry, blobSignatureTTL string, permissionSecret []byte) string { hmac := hmac.New(sha1.New, permissionSecret) hmac.Write([]byte(blobHash)) hmac.Write([]byte("@")) hmac.Write([]byte(apiToken)) hmac.Write([]byte("@")) hmac.Write([]byte(expiry)) + hmac.Write([]byte("@")) + hmac.Write([]byte(blobSignatureTTL)) digest := hmac.Sum(nil) return fmt.Sprintf("%x", digest) } @@ -41,15 +48,16 @@ func makePermSignature(blobHash, apiToken, expiry string, permissionSecret []byt // // This function is intended to be used by system components and admin // utilities: userland programs do not know the permissionSecret. -func SignLocator(blobLocator, apiToken string, expiry time.Time, permissionSecret []byte) string { +func SignLocator(blobLocator, apiToken string, expiry time.Time, blobSignatureTTL time.Duration, permissionSecret []byte) string { if len(permissionSecret) == 0 || apiToken == "" { return blobLocator } // Strip off all hints: only the hash is used to sign. blobHash := strings.Split(blobLocator, "+")[0] timestampHex := fmt.Sprintf("%08x", expiry.Unix()) + blobSignatureTTLHex := strconv.FormatInt(int64(blobSignatureTTL.Seconds()), 16) return blobLocator + - "+A" + makePermSignature(blobHash, apiToken, timestampHex, permissionSecret) + + "+A" + makePermSignature(blobHash, apiToken, timestampHex, blobSignatureTTLHex, permissionSecret) + "@" + timestampHex } @@ -57,26 +65,29 @@ var signedLocatorRe = regexp.MustCompile(`^([[:xdigit:]]{32}).*\+A([[:xdigit:]]{ // VerifySignature returns nil if the signature on the signedLocator // can be verified using the given apiToken. Otherwise it returns -// either ExpiredError (if the timestamp has expired, which is -// something the client could have figured out independently) or -// PermissionError. +// ErrSignatureExpired (if the signature's expiry time has passed, +// which is something the client could have figured out +// independently), ErrSignatureMissing (if there is no signature hint +// at all), or ErrSignatureInvalid (if the signature is present but +// badly formatted or incorrect). // // This function is intended to be used by system components and admin // utilities: userland programs do not know the permissionSecret. -func VerifySignature(signedLocator, apiToken string, permissionSecret []byte) error { +func VerifySignature(signedLocator, apiToken string, blobSignatureTTL time.Duration, permissionSecret []byte) error { matches := signedLocatorRe.FindStringSubmatch(signedLocator) if matches == nil { return ErrSignatureMissing } blobHash := matches[1] - sigHex := matches[2] - expHex := matches[3] - if expTime, err := parseHexTimestamp(expHex); err != nil { - return ErrSignatureMalformed - } else if expTime.Before(time.Now()) { + signatureHex := matches[2] + expiryHex := matches[3] + if expiryTime, err := parseHexTimestamp(expiryHex); err != nil { + return ErrSignatureInvalid + } else if expiryTime.Before(time.Now()) { return ErrSignatureExpired } - if sigHex != makePermSignature(blobHash, apiToken, expHex, permissionSecret) { + blobSignatureTTLHex := strconv.FormatInt(int64(blobSignatureTTL.Seconds()), 16) + if signatureHex != makePermSignature(blobHash, apiToken, expiryHex, blobSignatureTTLHex, permissionSecret) { return ErrSignatureInvalid } return nil