package candid
import (
"context"
"fmt"
"strings"
"github.com/go-macaroon-bakery/macaroon-bakery/v3/bakery/checkers"
"github.com/go-macaroon-bakery/macaroon-bakery/v3/bakery/identchecker"
"github.com/lxc/lxd/shared"
"github.com/lxc/lxd/shared/logger"
)
// IdentityClientWrapper decorates an identchecker.IdentityClient so that
// declared identities can be restricted to a set of trusted Candid domains.
type IdentityClientWrapper struct {
	// client is the underlying IdentityClient every call is delegated to.
	client identchecker.IdentityClient

	// ValidDomains lists the Candid domains accepted by DeclaredIdentity.
	// An empty list disables the domain check entirely.
	ValidDomains []string
}
// IdentityFromContext delegates to the wrapped client unchanged; no domain
// filtering happens here, only DeclaredIdentity enforces ValidDomains.
func (m *IdentityClientWrapper) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error) {
	identity, caveats, err := m.client.IdentityFromContext(ctx)
	return identity, caveats, err
}
// DeclaredIdentity validates the Candid domain of the declared username
// against ValidDomains before handing the declaration to the wrapped client.
//
// The domain is the part of declared["username"] after the first "@". When
// ValidDomains is empty no check is performed and any username, with or
// without a domain, is passed straight through. Otherwise a username with no
// domain, or with a domain not listed in ValidDomains, is rejected with an
// error and the wrapped client is never consulted.
func (m *IdentityClientWrapper) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error) {
	// An empty trusted-domain list means the domain check is disabled.
	if len(m.ValidDomains) == 0 {
		return m.client.DeclaredIdentity(ctx, declared)
	}

	// A missing "username" key yields "", which has no domain and is rejected below.
	parts := strings.SplitN(declared["username"], "@", 2)
	if len(parts) != 2 {
		logger.Warnf("Failed candid client authentication: no domain provided")
		return nil, fmt.Errorf("Missing domain in candid reply")
	}

	// Membership is decided by shared.StringInSlice (presumably an exact,
	// case-sensitive match — confirm against its implementation).
	domain := parts[1]
	if !shared.StringInSlice(domain, m.ValidDomains) {
		logger.Warnf("Failed candid client authentication: untrusted domain \"%s\"", domain)
		return nil, fmt.Errorf("Untrusted candid domain")
	}

	return m.client.DeclaredIdentity(ctx, declared)
}