general: add init version

Author: andrewshvv

.gitignore

@@ -0,0 +1,2 @@
+.idea
+vendor

Gopkg.lock

@@ -0,0 +1,54 @@
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+# name = "github.com/user/project"
+# version = "1.0.0"
+#
+# [[constraint]]
+# name = "github.com/user/project2"
+# branch = "dev"
+# source = "github.com/myfork/project2"
+#
+# [[override]]
+# name = "github.com/x/y"
+# version = "2.4.0"
+#
+# [prune]
+# non-go = false
+# go-tests = true
+# unused-packages = true
+
+
+[[constraint]]
+ name = "github.com/AndrewSamokhvalov/go-spew"
+ version = "1.1.0"
+
+[[constraint]]
+ branch = "master"
+ name = "github.com/bitlum/backend"
+
+[[constraint]]
+ name = "github.com/go-errors/errors"
+ version = "1.0.0"
+
+[[constraint]]
+ name = "gopkg.in/macaroon-bakery.v2"
+ version = "2.0.1"
+
+[[constraint]]
+ branch = "v1"
+ name = "gopkg.in/macaroon.v1"
+
+[[constraint]]
+ name = "gopkg.in/macaroon.v2"
+ version = "2.0.0"
+
+[prune]
+ go-tests = true
+ unused-packages = true

Gopkg.toml

@@ -0,0 +1,84 @@
+package auth
+
+import (
+"strconv"
+"encoding/binary"
+"gopkg.in/macaroon.v2"
+)
+
+const (
+UserPrefix = "user"
+NoncePrefix = "nonce"
+DisabledOperationPrefix = "disops"
+TimePrefix = "time"
+)
+
+// Auth is an application authenticator which implements the auth.
+// Auth and used for issuing and checking the validity of third-party tokens.
+// Third-party token usually is used by trading bots, and wallet applications,
+// they not have expiration time, but do have a set of permitted operations,
+// which might be or might be not restricted down to read operations,
+// or info operations. This type of token by default do not have a right to
+// issue another applications tokens.
+type Auth struct {
+rootKey []byte
+nonceDB NonceDB
+location string
+
+// TODO(andrew.shvv) Add token revocation.
+}
+
+// NewAuth creates new instance of application auth.
+func NewAuth(location string, nonceDB NonceDB) *Auth {
+return &Auth{
+nonceDB: nonceDB,
+location: location,
+// TODO(andrew.shvv) add root recycling.
+rootKey: []byte("2871tgylio"),
+}
+}
+
+// GenerateToken issues the token with the user id and operations
+// constraints, this token do not have a nonce and time by default,
+// so it could be used by client infinitely. Client in other hand is responsible
+// for adding the nonce and time constraints to ensure that even if token
+// will be intercepted by an attacker he/she couldn't use it for replay attack.
+// Token without nonce and time will be discarded during validation operation.
+func (a *Auth) GenerateToken(userID uint32,
+disabledOperations []string) (string, error) {
+
+// TODO(andrew.shvv) Use application id instead,
+// but that would require some form of database.
+var macaroonID [4]byte
+binary.BigEndian.PutUint32(macaroonID[:], userID)
+
+m, err := macaroon.New(a.rootKey, macaroonID[:], a.location,
+macaroon.LatestVersion)
+if err != nil {
+return "", err
+}
+
+if disabledOperations != nil {
+m, err = DisableOperations(m, disabledOperations)
+if err != nil {
+return "", err
+}
+}
+
+// Convert macaroon to check that it not contains any duplicate fields and
+// also in order to put the user id in it.
+md, err := NewMacaroonDictionary(m)
+if err != nil {
+return "", nil
+}
+
+// Put user id so that latter extract it from macaroon. As far as macaroon
+// is signed and later validated by us with our root key we treat user id
+// information as something which couldn't be changed.
+userIDStr := strconv.FormatUint(uint64(userID), 10)
+if err := md.Put(UserPrefix, userIDStr); err != nil {
+return "", err
+}
+
+return EncodeMacaroon(m)
+}

auth.go

@@ -0,0 +1,50 @@
+package auth
+
+import (
+"testing"
+)
+
+func TestMacaroon(t *testing.T) {
+auth := NewAuth("", InMemoryNonceDB{})
+
+// Emulate generation token on the server, with the user id taken from other
+// token, for example jwt.
+tokenStr, err := auth.GenerateToken(100, []string{"disabled"})
+if err != nil {
+t.Fatalf("unable to generate macaroon token: %v", err)
+}
+
+// Emulate that client received the token, and now want to make some
+// operation on the server, he has to add time and nonce constraints,
+// before making an operation, otherwise he/she under threat of replay-attack.
+m, err := DecodeMacaroon(tokenStr)
+if err != nil {
+t.Fatalf("unable to decode macaroon: %v", err)
+}
+
+m, err = AddNonce(m, 10)
+if err != nil {
+t.Fatalf("unable to add nonce: %v", err)
+}
+
+m, err = AddCurrentTime(m)
+if err != nil {
+t.Fatalf("unable to add current time: %v", err)
+}
+
+tokenStr, err = EncodeMacaroon(m)
+if err != nil {
+t.Fatalf("unable to encode macaroon")
+}
+
+// Emulate that server received the macaroon and validating it and also
+// check that operation is permitted.
+token, err := auth.ExtractToken(tokenStr)
+if err != nil {
+t.Fatalf("operation should be not allowed")
+}
+
+if err = token.IsAuthorized("disabled"); err != ErrOperNotAllowed {
+t.Fatalf("operation should be not allowed")
+}
+}

auth_test.go

@@ -0,0 +1,14 @@
+package auth
+
+import "github.com/go-errors/errors"
+
+var (
+ErrFieldNotFound = errors.Errorf("unable to find field")
+ErrFieldExist = errors.Errorf("field already exist")
+ErrRepeatedField = errors.Errorf("repeated conditions")
+
+ErrMacaroonExpired = errors.Errorf("macaroon expired")
+ErrNonceRepeated = errors.Errorf("nonce is used already")
+
+ErrOperNotAllowed = errors.Errorf("operation not allowed")
+)