Generate Root Client Authorization Token
BUG=25934385
Change-Id: Ic7d421f2c0152c7580014229c28495520d8c9981
Reviewed-on: https://weave-review.googlesource.com/1868
Reviewed-by: Vitaly Buka <vitalybuka@google.com>
diff --git a/src/privet/auth_manager.cc b/src/privet/auth_manager.cc
index 0864242..be7e971 100644
--- a/src/privet/auth_manager.cc
+++ b/src/privet/auth_manager.cc
@@ -11,12 +11,18 @@
#include "src/privet/openssl_utils.h"
#include "src/string_utils.h"
+extern "C" {
+#include "third_party/libuweave/src/macaroon.h"
+}
+
namespace weave {
namespace privet {
namespace {
const char kTokenDelimeter[] = ":";
+const size_t kCaveatBuffetSize = 32;
+const size_t kMaxMacaroonSize = 1024;
// Returns "scope:id:time".
std::string CreateTokenData(const UserInfo& user_info, const base::Time& time) {
@@ -49,6 +55,22 @@
return UserInfo{static_cast<AuthScope>(scope), id};
}
+class Caveat {
+ public:
+ Caveat(UwMacaroonCaveatType type, uint32_t value) {
+ CHECK(uw_macaroon_caveat_create_with_uint_(type, value, buffer,
+ sizeof(buffer), &caveat));
+ }
+
+ const UwMacaroonCaveat& GetCaveat() const { return caveat; }
+
+ private:
+ UwMacaroonCaveat caveat;
+ uint8_t buffer[kCaveatBuffetSize];
+
+ DISALLOW_COPY_AND_ASSIGN(Caveat);
+};
+
} // namespace
AuthManager::AuthManager(const std::vector<uint8_t>& secret,
@@ -84,5 +106,26 @@
return SplitTokenData(std::string(data.begin(), data.end()), time);
}
+std::vector<uint8_t> AuthManager::GetRootDeviceToken(
+ const base::Time& time) const {
+ Caveat scope{kUwMacaroonCaveatTypeScope, kUwMacaroonCaveatScopeTypeOwner};
+ Caveat issued{kUwMacaroonCaveatTypeIssued,
+ static_cast<uint32_t>(time.ToTimeT())};
+
+ UwMacaroonCaveat caveats[] = {
+ scope.GetCaveat(), issued.GetCaveat(),
+ };
+
+ UwMacaroon macaroon{};
+ CHECK(uw_macaroon_new_from_root_key_(
+ &macaroon, secret_.data(), secret_.size(), caveats, arraysize(caveats)));
+
+ std::vector<uint8_t> token(kMaxMacaroonSize);
+ size_t len = 0;
+ CHECK(uw_macaroon_dump_(&macaroon, token.data(), token.size(), &len));
+ token.resize(len);
+ return token;
+}
+
} // namespace privet
} // namespace weave
diff --git a/src/privet/auth_manager.h b/src/privet/auth_manager.h
index 607b820..8dd6a36 100644
--- a/src/privet/auth_manager.h
+++ b/src/privet/auth_manager.h
@@ -31,6 +31,7 @@
const std::vector<uint8_t>& GetCertificateFingerprint() const {
return certificate_fingerprint_;
}
+ std::vector<uint8_t> GetRootDeviceToken(const base::Time& time) const;
private:
std::vector<uint8_t> secret_;
diff --git a/src/privet/auth_manager_unittest.cc b/src/privet/auth_manager_unittest.cc
index c3c4ddf..a022538 100644
--- a/src/privet/auth_manager_unittest.cc
+++ b/src/privet/auth_manager_unittest.cc
@@ -25,6 +25,9 @@
const std::vector<uint8_t> kSecret{69, 53, 17, 37, 80, 73, 2, 5, 79, 64, 41,
57, 12, 54, 65, 63, 72, 74, 93, 81, 20, 95,
89, 3, 94, 92, 27, 21, 49, 90, 36, 6};
+ const std::vector<uint8_t> kSecret2{
+ 78, 40, 39, 68, 29, 19, 70, 86, 38, 61, 13, 55, 33, 32, 51, 52,
+ 34, 43, 97, 48, 8, 56, 11, 99, 50, 59, 24, 26, 31, 71, 76, 28};
const std::vector<uint8_t> kFingerprint{
22, 47, 23, 77, 42, 98, 96, 25, 83, 16, 9, 14, 91, 44, 15, 75,
60, 62, 10, 18, 82, 35, 88, 100, 30, 45, 7, 46, 67, 84, 58, 85};
@@ -37,7 +40,7 @@
}
TEST_F(AuthManagerTest, DifferentSecret) {
- AuthManager auth{{}, {}};
+ AuthManager auth{kSecret2, {}};
EXPECT_GE(auth.GetSecret().size(), 32u);
EXPECT_NE(auth_.GetSecret(), auth.GetSecret());
}
@@ -104,5 +107,22 @@
}
}
+TEST_F(AuthManagerTest, GetRootDeviceToken) {
+ EXPECT_EQ("UJdl3l856QHDzlohsiGpxseCQgEARgMaVArkgA==",
+ Base64Encode(auth_.GetRootDeviceToken(time_)));
+}
+
+TEST_F(AuthManagerTest, GetRootDeviceTokenDifferentTime) {
+ EXPECT_EQ("UHwWhChuQzQ+yb8gRGURu3GCQgEARgMaVB6rAA==",
+ Base64Encode(auth_.GetRootDeviceToken(
+ time_ + base::TimeDelta::FromDays(15))));
+}
+
+TEST_F(AuthManagerTest, GetRootDeviceTokenDifferentSecret) {
+ AuthManager auth{kSecret2, {}};
+ EXPECT_EQ("UJW4F3R0YMeRctcu8aC6VpyCQgEARgMaVArkgA==",
+ Base64Encode(auth.GetRootDeviceToken(time_)));
+}
+
} // namespace privet
} // namespace weave
diff --git a/third_party/libuweave/src/macaroon_caveat.c b/third_party/libuweave/src/macaroon_caveat.c
index a04c30d..594f9de 100644
--- a/third_party/libuweave/src/macaroon_caveat.c
+++ b/third_party/libuweave/src/macaroon_caveat.c
@@ -12,7 +12,7 @@
// TODO(bozhu): Find a better way to pre-allocate memory for HMACc computations?
// Are C99 variable-length arrays allowed on embedded devices?
-#define HMAC_STATE_BUFFER_SIZE 300
+#define HMAC_STATE_BUFFER_SIZE 1024
static bool create_caveat_(UwMacaroonCaveatType type, const void* value,
size_t value_len, uint8_t* buffer,
diff --git a/third_party/libuweave/src/macaroon_caveat.h b/third_party/libuweave/src/macaroon_caveat.h
index 5f2c384..78373c8 100644
--- a/third_party/libuweave/src/macaroon_caveat.h
+++ b/third_party/libuweave/src/macaroon_caveat.h
@@ -24,6 +24,13 @@
kUwMacaroonCaveatTypeSessionIdentifier = 16
} UwMacaroonCaveatType;
+typedef enum {
+ kUwMacaroonCaveatScopeTypeOwner = 0,
+ kUwMacaroonCaveatScopeTypeManager = 1,
+ kUwMacaroonCaveatScopeTypeUser = 2,
+ kUwMacaroonCaveatScopeTypeViewer = 3,
+} UwMacaroonCaveatScopeType;
+
bool uw_macaroon_caveat_create_without_value_(UwMacaroonCaveatType type,
uint8_t* buffer,
size_t buffer_size,
