Diffstat (limited to 'macaroonbakery/discharge.py')
-rw-r--r-- | macaroonbakery/discharge.py | 55 |
1 files changed, 35 insertions, 20 deletions
diff --git a/macaroonbakery/discharge.py b/macaroonbakery/discharge.py index d4c0e5a..f54fc97 100644 --- a/macaroonbakery/discharge.py +++ b/macaroonbakery/discharge.py @@ -3,11 +3,13 @@ import abc from collections import namedtuple -import macaroonbakery +import macaroonbakery as bakery import macaroonbakery.checkers as checkers +emptyContext = checkers.AuthContext() -def discharge_all(ctx, m, get_discharge, local_key=None): + +def discharge_all(m, get_discharge, local_key=None): '''Gathers discharge macaroons for all the third party caveats in m (and any subsequent caveats required by those) using get_discharge to acquire each discharge macaroon. @@ -46,13 +48,14 @@ def discharge_all(ctx, m, get_discharge, local_key=None): need = need[1:] if local_key is not None and cav.cav.location == 'local': # TODO use a small caveat id. - dm = discharge(ctx=ctx, key=local_key, + dm = discharge(ctx=emptyContext, + key=local_key, checker=_LocalDischargeChecker(), caveat=cav.encrypted_caveat, id=cav.cav.caveat_id_bytes, locator=_EmptyLocator()) else: - dm = get_discharge(ctx, cav.cav, cav.encrypted_caveat) + dm = get_discharge(cav.cav, cav.encrypted_caveat) # It doesn't matter that we're invalidating dm here because we're # about to throw it away. discharge_m = dm.macaroon @@ -87,7 +90,7 @@ class ThirdPartyCaveatChecker(object): class _LocalDischargeChecker(ThirdPartyCaveatChecker): def check_third_party_caveat(self, ctx, info): if info.condition != 'true': - raise macaroonbakery.CaveatNotRecognizedError() + raise bakery.CaveatNotRecognizedError() return [] 
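Review bot: The new module-level `emptyContext` in the first hunk is a public, camelCase name holding a single `AuthContext` instance that every local discharge will share. Whether `AuthContext` is immutable is not visible here, so a one-line comment saying the instance must never be mutated would help. I would also make it a private constant, `_EMPTY_CONTEXT = checkers.AuthContext()`, and update the `ctx=emptyContext` use in the second hunk to match. The body of discharge_all continues outside this hunk.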
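Review bot: The call `get_discharge(cav.cav, cav.encrypted_caveat)` in the second hunk changes the callback contract from three arguments to two. An existing callback that still takes `ctx` first will fail with a TypeError, and only at the moment a non-local third-party caveat is reached. The discharge_all docstring begins in the first hunk and continues outside it, so I cannot tell whether it describes the new contract. It should say that get_discharge receives the caveat and its encrypted payload and no context. It should also say that local caveats are always discharged with an empty context, for example `# Local discharges carry no caller context; _LocalDischargeChecker only inspects info.condition.`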
@@ -122,15 +125,24 @@ def discharge(ctx, id, caveat, key, checker, locator): # caveats are added, use that id as the prefix # for any more ids. caveat_id_prefix = id - cav_info = macaroonbakery.decode_caveat(key, caveat) - + cav_info = bakery.decode_caveat(key, caveat) + cav_info = bakery.ThirdPartyCaveatInfo( + condition=cav_info.condition, + first_party_public_key=cav_info.first_party_public_key, + third_party_key_pair=cav_info.third_party_key_pair, + root_key=cav_info.root_key, + caveat=cav_info.caveat, + version=cav_info.version, + id=id, + namespace=cav_info.namespace + ) # Note that we don't check the error - we allow the # third party checker to see even caveats that we can't # understand. try: cond, arg = checkers.parse_caveat(cav_info.condition) except ValueError as exc: - raise macaroonbakery.VerificationError(exc.args[0]) + raise bakery.VerificationError(exc.args[0]) if cond == checkers.COND_NEED_DECLARED: cav_info = cav_info._replace(condition=arg.encode('utf-8')) @@ -142,8 +154,13 @@ def discharge(ctx, id, caveat, key, checker, locator): # be stored persistently. Indeed, it would be a problem if # we did, because then the macaroon could potentially be used # for normal authorization with the third party. - m = macaroonbakery.Macaroon(cav_info.root_key, id, '', cav_info.version, - cav_info.namespace) + m = bakery.Macaroon( + cav_info.root_key, + id, + '', + cav_info.version, + cav_info.namespace, + ) m._caveat_id_prefix = caveat_id_prefix if caveats is not None: for cav in caveats: 
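Review bot: The eight-field `bakery.ThirdPartyCaveatInfo(...)` rebuild after `decode_caveat` copies every field by hand just to set `id`, so a field added to the tuple later would be reset to its default here or break this call. The context lines below already use `cav_info._replace(condition=...)`, so the same idiom should work: `cav_info = bakery.decode_caveat(key, caveat)._replace(id=id)`. This assumes decode_caveat returns a ThirdPartyCaveatInfo, which the hunk does not show. Separately, the retained comment "we don't check the error" no longer matches the `except ValueError` branch, which raises VerificationError. In that branch `exc.args[0]` raises IndexError for a ValueError built without arguments, so `str(exc)` is the safer argument. The body of discharge starts and ends outside the hunk.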
@@ -155,16 +172,15 @@ def _check_need_declared(ctx, cav_info, checker): arg = cav_info.condition.decode('utf-8') i = arg.find(' ') if i <= 0: - raise macaroonbakery.VerificationError( - 'need-declared caveat requires an argument, got %q'.format(arg)) + raise bakery.VerificationError( + 'need-declared caveat requires an argument, got %q'.format(arg), + ) need_declared = arg[0:i].split(',') for d in need_declared: if d == '': - raise macaroonbakery.VerificationError('need-declared caveat with ' - 'empty required attribute') + raise bakery.VerificationError('need-declared caveat with empty required attribute') if len(need_declared) == 0: - raise macaroonbakery.VerificationError('need-declared caveat with no ' - 'required attributes') + raise bakery.VerificationError('need-declared caveat with no required attributes') cav_info = cav_info._replace(condition=arg[i + 1:].encode('utf-8')) caveats = checker.check_third_party_caveat(ctx, cav_info) declared = {} @@ -181,8 +197,7 @@ def _check_need_declared(ctx, cav_info, checker): continue parts = arg.split() if len(parts) != 2: - raise macaroonbakery.VerificationError('declared caveat has no ' - 'value') + raise bakery.VerificationError('declared caveat has no value') declared[parts[0]] = True # Add empty declarations for everything mentioned in need-declared # that was not actually declared. @@ -192,7 +207,7 @@ def _check_need_declared(ctx, cav_info, checker): return caveats -class _EmptyLocator(macaroonbakery.ThirdPartyLocator): +class _EmptyLocator(bakery.ThirdPartyLocator): def third_party_info(self, loc): return None @@ -205,6 +220,6 @@ def local_third_party_caveat(key, version): ''' encoded_key = key.encode().decode('utf-8') loc = 'local {}'.format(encoded_key) - if version >= macaroonbakery.BAKERY_V2: + if version >= bakery.VERSION_2: loc = 'local {} {}'.format(version, encoded_key) return checkers.Caveat(location=loc, condition='') |
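Review bot: The reformatted message `'need-declared caveat requires an argument, got %q'.format(arg)` never includes `arg`, because `%q` is not a `str.format` placeholder and the text is raised with a literal `%q` in it. Use `'need-declared caveat requires an argument, got {!r}'.format(arg)`; the repr form also keeps control characters from caveat content out of error text and logs. Further down the same hunk, `len(need_declared) == 0` can never be true because `str.split(',')` always returns at least one element, so that branch is dead and the empty-attribute check above it already covers the case. _check_need_declared starts before this hunk and continues past it.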