Google Git
Sign in
weave / weave / libweave / 131b889d1874954196791ce1c380e4ee683d2e66^! / .
commit131b889d1874954196791ce1c380e4ee683d2e66[log] [tgz]
authorVitaly Buka <vitalybuka@google.com>Tue Dec 22 17:05:16 2015 -0800
committerVitaly Buka <vitalybuka@google.com>Wed Dec 23 01:54:30 2015 +0000
tree2dc1d21e3166117fd956e98674dd4ea960beca31
parent7a25a3d7aa44a385ae47e7b32c074b56a57fdb20 [diff]
Extract macaroon reading and verifying into separate functions

Change-Id: I3d5156b5bfebb330587090a8deb9d154b13bc7d8
Reviewed-on: https://weave-review.googlesource.com/2083
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

diff --git a/src/privet/auth_manager.cc b/src/privet/auth_manager.cc
index bb4c3c4..7306e20 100644
--- a/src/privet/auth_manager.cc
+++ b/src/privet/auth_manager.cc

@@ -4,6 +4,8 @@
 
 #include "src/privet/auth_manager.h"
 
+#include <algorithm>
+
 #include <base/guid.h>
 #include <base/rand_util.h>
 #include <base/strings/string_number_conversions.h>
@@ -24,9 +26,9 @@
 namespace {
 
 const char kTokenDelimeter[] = ":";
-const size_t kCaveatBuffetSize = 32;
 const size_t kMaxMacaroonSize = 1024;
 const size_t kMaxPendingClaims = 10;
+const char kInvalidTokenError[] = "invalid_token";
 
 template <class T>
 void AppendToArray(T value, std::vector<uint8_t>* array) {
@@ -66,16 +68,25 @@
 
 class Caveat {
  public:
-  Caveat(UwMacaroonCaveatType type, uint32_t value) {
-    CHECK(uw_macaroon_caveat_create_with_uint_(type, value, buffer,
-                                               sizeof(buffer), &caveat));
+  // TODO(vitalybuka): Use _get_buffer_size_ when available.
+  Caveat(UwMacaroonCaveatType type, uint32_t value) : buffer(8) {
+    CHECK(uw_macaroon_caveat_create_with_uint_(type, value, buffer.data(),
+                                               buffer.size(), &caveat));
+  }
+
+  // TODO(vitalybuka): Use _get_buffer_size_ when available.
+  Caveat(UwMacaroonCaveatType type, const std::string& value)
+      : buffer(std::max<size_t>(value.size(), 32u) * 2) {
+    CHECK(uw_macaroon_caveat_create_with_str_(
+        type, reinterpret_cast<const uint8_t*>(value.data()), value.size(),
+        buffer.data(), buffer.size(), &caveat));
   }
 
   const UwMacaroonCaveat& GetCaveat() const { return caveat; }
 
  private:
   UwMacaroonCaveat caveat;
-  uint8_t buffer[kCaveatBuffetSize];
+  std::vector<uint8_t> buffer;
 
   DISALLOW_COPY_AND_ASSIGN(Caveat);
 };
@@ -106,6 +117,32 @@
   return token;
 }
 
+bool LoadMacaroon(const std::vector<uint8_t>& token,
+                  std::vector<uint8_t>* buffer,
+                  UwMacaroon* macaroon,
+                  ErrorPtr* error) {
+  buffer->resize(kMaxMacaroonSize);
+  if (!uw_macaroon_load_(token.data(), token.size(), buffer->data(),
+                         buffer->size(), macaroon)) {
+    Error::AddTo(error, FROM_HERE, errors::kDomain, kInvalidTokenError,
+                 "Invalid token format");
+    return false;
+  }
+  return true;
+}
+
+bool VerifyMacaroon(const std::vector<uint8_t>& secret,
+                    const UwMacaroon& macaroon,
+                    ErrorPtr* error) {
+  CHECK_EQ(kSha256OutputSize, secret.size());
+  if (!uw_macaroon_verify_(&macaroon, secret.data(), secret.size())) {
+    Error::AddTo(error, FROM_HERE, errors::kDomain, "invalid_signature",
+                 "Invalid token signature");
+    return false;
+  }
+  return true;
+}
+
 }  // namespace
 
 AuthManager::AuthManager(Config* config,
@@ -264,20 +301,12 @@
 
 bool AuthManager::IsValidAuthToken(const std::vector<uint8_t>& token,
                                    ErrorPtr* error) const {
-  std::vector<uint8_t> buffer(kMaxMacaroonSize);
+  std::vector<uint8_t> buffer;
   UwMacaroon macaroon{};
-  if (!uw_macaroon_load_(token.data(), token.size(), buffer.data(),
-                         buffer.size(), &macaroon)) {
+  if (!LoadMacaroon(token, &buffer, &macaroon, error) ||
+      !VerifyMacaroon(auth_secret_, macaroon, error)) {
     Error::AddTo(error, FROM_HERE, errors::kDomain, errors::kInvalidAuthCode,
-                 "Invalid token format");
-    return false;
-  }
-
-  CHECK_EQ(kSha256OutputSize, auth_secret_.size());
-  if (!uw_macaroon_verify_(&macaroon, auth_secret_.data(),
-                           auth_secret_.size())) {
-    Error::AddTo(error, FROM_HERE, errors::kDomain, errors::kInvalidAuthCode,
-                 "Invalid token signature");
+                 "Invalid token");
     return false;
   }
   return true;