import (
"crypto/hmac"
"crypto/sha1"
+ "errors"
"fmt"
"regexp"
"strconv"
"time"
)
-// KeepError types.
-//
-type KeepError struct {
- HTTPCode int
- ErrMsg string
-}
-
var (
- PermissionError = &KeepError{403, "Forbidden"}
- ExpiredError = &KeepError{401, "Expired permission signature"}
+ ErrSignatureExpired = errors.New("Signature expired")
+ ErrSignatureInvalid = errors.New("Invalid signature")
+ ErrSignatureMalformed = errors.New("Malformed signature")
+ ErrSignatureMissing = errors.New("Missing signature")
)
-func (e *KeepError) Error() string {
- return e.ErrMsg
-}
-
// makePermSignature returns a string representing the signed permission
// hint for the blob identified by blobHash, apiToken, expiration timestamp, and permission secret.
//
matches := signedLocatorRe.FindStringSubmatch(signedLocator)
if matches == nil {
// Could not find a permission signature at all
- return PermissionError
+ return ErrSignatureMissing
}
blobHash := matches[1]
sigHex := matches[2]
expHex := matches[3]
if expTime, err := parseHexTimestamp(expHex); err != nil {
- return PermissionError
+ return ErrSignatureMalformed
} else if expTime.Before(time.Now()) {
- return ExpiredError
+ return ErrSignatureExpired
}
if sigHex != makePermSignature(blobHash, apiToken, expHex, permissionSecret) {
- return PermissionError
+ return ErrSignatureInvalid
}
return nil
}
-/*
-Permissions management on Arvados locator hashes.
-
-The permissions structure for Arvados is as follows (from
-https://arvados.org/issues/2328)
-
-A Keep locator string has the following format:
-
- [hash]+[size]+A[signature]@[timestamp]
-
-The "signature" string here is a cryptographic hash, expressed as a
-string of hexadecimal digits, and timestamp is a 32-bit Unix timestamp
-expressed as a hexadecimal number. e.g.:
-
- acbd18db4cc2f85cedef654fccc4a4d8+3+A257f3f5f5f0a4e4626a18fc74bd42ec34dcb228a@7fffffff
-
-The signature represents a guarantee that this locator was generated
-by either Keep or the API server for use with the supplied API token.
-If a request to Keep includes a locator with a valid signature and is
-accompanied by the proper API token, the user has permission to GET
-that object.
-
-The signature may be generated either by Keep (after the user writes a
-block) or by the API server (if the user has can_read permission on
-the specified object). Keep and API server share a secret that is used
-to generate signatures.
-
-To verify a permission hint, Keep generates a new hint for the
-requested object (using the locator string, the timestamp, the
-permission secret and the user's API token, which must appear in the
-request headers) and compares it against the hint included in the
-request. If the permissions do not match, or if the API token is not
-present, Keep returns a 401 error.
-*/
-
package main
import (
// SignLocator takes a blobLocator, an apiToken and an expiry time, and
// returns a signed locator string.
-func SignLocator(blobLocator string, apiToken string, expiry time.Time) string {
+func SignLocator(blobLocator, apiToken string, expiry time.Time) string {
return keepclient.SignLocator(blobLocator, apiToken, expiry, PermissionSecret)
}
// either ExpiredError (if the timestamp has expired, which is
// something the client could have figured out independently) or
// PermissionError.
-func VerifySignature(signedLocator string, apiToken string) error {
+func VerifySignature(signedLocator, apiToken string) error {
err := keepclient.VerifySignature(signedLocator, apiToken, PermissionSecret)
- if err != nil {
- if err == keepclient.PermissionError {
- return PermissionError
- } else if err == keepclient.ExpiredError {
- return ExpiredError
- }
+ if err == keepclient.ErrSignatureExpired {
+ return ExpiredError
+ } else if err != nil {
+ return PermissionError
}
- return err
+ return nil
}