diff options
author | Vitaly Buka <vitalybuka@google.com> | 2015-12-17 13:42:13 -0800 |
---|---|---|
committer | Vitaly Buka <vitalybuka@google.com> | 2015-12-17 22:05:45 +0000 |
commit | a0a813490ff37868827b65d7f9aeb554c996c17c (patch) | |
tree | 9a315aa0f47ca83030b76b8f8d71347f24a76e48 /src/privet/auth_manager.cc | |
parent | 483d5970e88b56442f19baea841f6af75b5a0006 (diff) | |
download | libweave-a0a813490ff37868827b65d7f9aeb554c996c17c.tar.gz |
Changed AuthManager::CreateAccessToken and AuthManager::ParseAccessToken
With this API we can handle expiration checks inside of AuthManager
BUG=25768507
Change-Id: I2fa5d428be6f0772d8b2656eb2bee71824f0d308
Reviewed-on: https://weave-review.googlesource.com/2030
Reviewed-by: Vitaly Buka <vitalybuka@google.com>
Diffstat (limited to 'src/privet/auth_manager.cc')
-rw-r--r-- | src/privet/auth_manager.cc | 50 |
1 files changed, 39 insertions, 11 deletions
diff --git a/src/privet/auth_manager.cc b/src/privet/auth_manager.cc index 51d7592..27a5e7e 100644 --- a/src/privet/auth_manager.cc +++ b/src/privet/auth_manager.cc @@ -135,25 +135,53 @@ void AuthManager::SetSecret(const std::vector<uint8_t>& secret, AuthManager::~AuthManager() {} -// Returns "[hmac]scope:id:time". -std::vector<uint8_t> AuthManager::CreateAccessToken(const UserInfo& user_info) { - std::string data_str{CreateTokenData(user_info, Now())}; +// Returns "[hmac]scope:id:expiration_time". +std::vector<uint8_t> AuthManager::CreateAccessToken(const UserInfo& user_info, + base::TimeDelta ttl) const { + std::string data_str{CreateTokenData(user_info, Now() + ttl)}; std::vector<uint8_t> data{data_str.begin(), data_str.end()}; std::vector<uint8_t> hash{HmacSha256(secret_, data)}; hash.insert(hash.end(), data.begin(), data.end()); return hash; } -// Parses "base64([hmac]scope:id:time)". -UserInfo AuthManager::ParseAccessToken(const std::vector<uint8_t>& token, - base::Time* time) const { - if (token.size() <= kSha256OutputSize) - return UserInfo{}; +// TODO(vitalybuka): Switch to Macaroon? +// Parses "base64([hmac]scope:id:expriration_time)". +bool AuthManager::ParseAccessToken(const std::vector<uint8_t>& token, + UserInfo* user_info, + ErrorPtr* error) const { + if (token.size() <= kSha256OutputSize) { + Error::AddToPrintf(error, FROM_HERE, errors::kDomain, + errors::kInvalidAuthorization, "Invalid token size: %zu", + token.size()); + return false; + } std::vector<uint8_t> hash(token.begin(), token.begin() + kSha256OutputSize); std::vector<uint8_t> data(token.begin() + kSha256OutputSize, token.end()); - if (hash != HmacSha256(secret_, data)) - return UserInfo{}; - return SplitTokenData(std::string(data.begin(), data.end()), time); + if (hash != HmacSha256(secret_, data)) { + Error::AddTo(error, FROM_HERE, errors::kDomain, + errors::kInvalidAuthorization, "Invalid signature"); + return false; + } + + base::Time time; + UserInfo info = SplitTokenData(std::string(data.begin(), data.end()), &time); + if (info.scope() == AuthScope::kNone) { + Error::AddTo(error, FROM_HERE, errors::kDomain, + errors::kInvalidAuthorization, "Invalid token data"); + return false; + } + + if (time < clock_->Now()) { + Error::AddTo(error, FROM_HERE, errors::kDomain, + errors::kAuthorizationExpired, "Token is expired"); + return false; + } + + if (user_info) + *user_info = info; + + return true; } std::vector<uint8_t> AuthManager::ClaimRootClientAuthToken( |