Google Git
Sign in
weave / weave / libweave / 08be74de678930e6823f9fe7e460c35bb58040f9^! / . / third_party
commit08be74de678930e6823f9fe7e460c35bb58040f9[log] [tgz]
authorVitaly Buka <vitalybuka@google.com>Tue Feb 02 15:25:09 2016 -0800
committerVitaly Buka <vitalybuka@google.com>Thu Feb 04 00:28:37 2016 +0000
tree0be4471413d73a9463b3cd70212f85a0855faa08
parent4efdf4637d19d6fd6c1725820fd07a5702e71a56 [diff]
Update libuweave/macaroon code

Added delegation time stamp into access token to match changed
validation logic of macaroons.

BUG: 26728665
Change-Id: I131b92b0e0b1b2274d80bdc0b5790a8c05071ec5
Reviewed-on: https://weave-review.googlesource.com/2467
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

diff --git a/third_party/libuweave/src/macaroon.c b/third_party/libuweave/src/macaroon.c
index 80e5933..c823804 100644
--- a/third_party/libuweave/src/macaroon.c
+++ b/third_party/libuweave/src/macaroon.c

@@ -124,29 +124,32 @@
 
 static void init_validation_result(UwMacaroonValidationResult* result) {
   // Start from the largest scope
-  result->granted_scope = kUwMacaroonCaveatScopeTypeOwner;
-  result->expiration_time = UINT32_MAX;
-  result->weave_app_restricted = false;
-  result->lan_session_id = NULL;
-  result->lan_session_id_len = 0;
-  result->num_delegatees = 0;
+  *result = (UwMacaroonValidationResult){
+      .granted_scope = kUwMacaroonCaveatScopeTypeOwner,
+      .expiration_time = UINT32_MAX,
+  };
 }
 
 /** Reset the result object to the lowest scope when encountering errors */
 static void reset_validation_result(UwMacaroonValidationResult* result) {
-  // Start from the largest scope or highest privilege
-  result->granted_scope = 0;
-  result->expiration_time = 0;
-  result->weave_app_restricted = true;
-  result->lan_session_id = NULL;
-  result->lan_session_id_len = 0;
+  *result = (UwMacaroonValidationResult){
+      .weave_app_restricted = true,
+      .granted_scope = UW_MACAROON_CAVEAT_SCOPE_LOWEST_POSSIBLE};
+}
 
-  result->num_delegatees = 0;
-  for (size_t i = 0; i < MAX_NUM_DELEGATEES; i++) {
-    result->delegatees[i].id = NULL;
-    result->delegatees[i].id_len = 0;
-    result->delegatees[i].type = kUwMacaroonDelegateeTypeNone;
+/** Get the next closest scope (to the narrower side). */
+static UwMacaroonCaveatScopeType get_closest_scope(
+    UwMacaroonCaveatScopeType scope) {
+  if (scope <= kUwMacaroonCaveatScopeTypeOwner) {
+    return kUwMacaroonCaveatScopeTypeOwner;
+  } else if (scope <= kUwMacaroonCaveatScopeTypeManager) {
+    return kUwMacaroonCaveatScopeTypeManager;
+  } else if (scope <= kUwMacaroonCaveatScopeTypeUser) {
+    return kUwMacaroonCaveatScopeTypeUser;
+  } else if (scope <= kUwMacaroonCaveatScopeTypeViewer) {
+    return kUwMacaroonCaveatScopeTypeViewer;
   }
+  return scope;
 }
 
 bool uw_macaroon_validate_(const UwMacaroon* macaroon,
@@ -178,6 +181,7 @@
     }
   }
 
+  result->granted_scope = get_closest_scope(result->granted_scope);
   return true;
 }
 

diff --git a/third_party/libuweave/src/macaroon.h b/third_party/libuweave/src/macaroon.h
index c93bbb2..c739bca 100644
--- a/third_party/libuweave/src/macaroon.h
+++ b/third_party/libuweave/src/macaroon.h

@@ -36,6 +36,7 @@
   const uint8_t* id;
   size_t id_len;
   UwMacaroonDelegateeType type;
+  uint32_t timestamp;
 } UwMacaroonDelegateeInfo;
 
 #define MAX_NUM_DELEGATEES 10
@@ -67,7 +68,8 @@
 
 /**
  * Verify and validate the Macaroon, and put relevant information into the
- * result object.
+ * result object. Note that the resulting granted_scope will be the closest
+ * valid scope type (to the narrower side) defined in macaroon_caveat.h.
  */
 bool uw_macaroon_validate_(
     const UwMacaroon* macaroon,

diff --git a/third_party/libuweave/src/macaroon_caveat.c b/third_party/libuweave/src/macaroon_caveat.c
index 85d8bbb..dc4ee3b 100644
--- a/third_party/libuweave/src/macaroon_caveat.c
+++ b/third_party/libuweave/src/macaroon_caveat.c

@@ -12,9 +12,6 @@
 #include "src/macaroon_context.h"
 #include "src/macaroon_encoding.h"
 
-// For security sanity checks
-#define UW_MACAROON_CAVEAT_SCOPE_LOWEST_POSSIBLE 127
-
 static bool is_valid_caveat_type_(UwMacaroonCaveatType type) {
   switch (type) {
     case kUwMacaroonCaveatTypeNonce:
@@ -403,8 +400,9 @@
 
 static bool update_delegatee_list(UwMacaroonCaveatType caveat_type,
                                   const UwMacaroonCaveat* caveat,
+                                  uint32_t issued_time,
                                   UwMacaroonValidationResult* result) {
-  if (result->num_delegatees >= MAX_NUM_DELEGATEES) {
+  if (result->num_delegatees >= MAX_NUM_DELEGATEES || issued_time == 0) {
     return false;
   }
 
@@ -441,6 +439,7 @@
     return false;
   }
   result->delegatees[result->num_delegatees].type = delegatee_type;
+  result->delegatees[result->num_delegatees].timestamp = issued_time;
   result->num_delegatees++;
   return true;
 }
@@ -471,22 +470,22 @@
       return true;
 
     case kUwMacaroonCaveatTypeDelegationTimestamp:
-      state->has_issued_time = true;
-      if (!uw_macaroon_caveat_get_value_uint_(caveat, &issued_time)) {
+      if (!uw_macaroon_caveat_get_value_uint_(caveat, &issued_time) ||
+          issued_time < state->issued_time) {
         return false;
       }
       state->issued_time = issued_time;
       return true;
 
     case kUwMacaroonCaveatTypeTTL1Hour:
-      if (!(state->has_issued_time)) {
+      if (state->issued_time == 0) {
         return false;
       }
       return update_and_check_expiration_time(
           context->current_time, state->issued_time + 60 * 60, result);
 
     case kUwMacaroonCaveatTypeTTL24Hour:
-      if (!(state->has_issued_time)) {
+      if (state->issued_time == 0) {
         return false;
       }
       return update_and_check_expiration_time(
@@ -496,7 +495,8 @@
     case kUwMacaroonCaveatTypeDelegateeUser:
     case kUwMacaroonCaveatTypeDelegateeApp:
     case kUwMacaroonCaveatTypeDelegateeService:
-      return update_delegatee_list(caveat_type, caveat, result);
+      return update_delegatee_list(caveat_type, caveat, state->issued_time,
+                                   result);
 
     // Time related caveats
     case kUwMacaroonCaveatTypeExpirationAbsolute:
@@ -596,7 +596,6 @@
     return false;
   }
 
-  state->has_issued_time = false;
   state->issued_time = 0;
   return true;
 }

diff --git a/third_party/libuweave/src/macaroon_caveat.h b/third_party/libuweave/src/macaroon_caveat.h
index 33f9d24..4905667 100644
--- a/third_party/libuweave/src/macaroon_caveat.h
+++ b/third_party/libuweave/src/macaroon_caveat.h

@@ -40,6 +40,9 @@
   kUwMacaroonCaveatScopeTypeViewer = 20,
 } UwMacaroonCaveatScopeType;
 
+// For security sanity checks
+#define UW_MACAROON_CAVEAT_SCOPE_LOWEST_POSSIBLE 127
+
 /** Compute the buffer sizes that are enough for caveat creation functions. */
 size_t uw_macaroon_caveat_creation_get_buffsize_(UwMacaroonCaveatType type,
                                                  size_t str_len);

diff --git a/third_party/libuweave/src/macaroon_caveat_internal.h b/third_party/libuweave/src/macaroon_caveat_internal.h
index 46a72fb..d6e7b07 100644
--- a/third_party/libuweave/src/macaroon_caveat_internal.h
+++ b/third_party/libuweave/src/macaroon_caveat_internal.h

@@ -20,8 +20,7 @@
                               size_t mac_tag_size);
 
 typedef struct {
-  bool has_issued_time;
-  uint32_t issued_time;
+  uint32_t issued_time;  // 0 when invalid or not set.
 } UwMacaroonValidationState;
 
 bool uw_macaroon_caveat_init_validation_state_(