08be74de678930e6823f9fe7e460c35bb58040f9
03-Feb-2016
Vitaly Buka <vitalybuka@google.com>

Update libuweave/macaroon code

Added delegation time stamp into access token to match changed validation logic of macaroons.

BUG: 26728665
Change-Id: I131b92b0e0b1b2274d80bdc0b5790a8c05071ec5
Reviewed-on: https://weave-review.googlesource.com/2467
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

4fe71e314157576d2bdfe54cc6f8ce5df38c571d
29-Jan-2016
Vitaly Buka <vitalybuka@google.com>

Make App ID a part of User ID

In addition to user ID, auth tokens could be bound to a specific app ID. So the internal libweave User ID, named UserAppId, from now on will consist of auth type, user ID and optional app ID. If an operation was called with a token containing only a user ID, libweave will grant access to all commands for every app for the given user ID.

To distinguish between users authorized with local, pairing or anonymous tokens, libweave uses the UserAppId::type field. As macaroons have no caveats for this kind of information, the current implementation will just append the type to the user ID caveat of the access token.

BUG: 26292014
Change-Id: I528c2717c95c5daed74bb769b3569fac823761f2
Reviewed-on: https://weave-review.googlesource.com/2394
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

3cbb6869edd05975fc876844bfff52d12ac32f66
29-Jan-2016
Vitaly Buka <vitalybuka@google.com>

Update macaroon lib with version supporting empty strings

Use "" for delegation to the device owner.

Change-Id: Ibb4a1da07817eebcbe8b0675381f98af3fdbe947
Reviewed-on: https://weave-review.googlesource.com/2391
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

8585d300b0859dc452151df0d5c9e06652fedab1
29-Jan-2016
Vitaly Buka <vitalybuka@google.com>

Remove unused line

Change-Id: Ic4742430320e29b7f70f124c20cf9e515678f007
Reviewed-on: https://weave-review.googlesource.com/2390
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

70c8642747634743cecac1944b3fdfe746fd9e1a
28-Jan-2016
Vitaly Buka <vitalybuka@google.com>

Add kUwMacaroonDelegateeTypeService caveat

BUG: 26292014
Change-Id: I4edc9fea58265d8345010023c88208155772e6f9
Reviewed-on: https://weave-review.googlesource.com/2382
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

d5f7aabc2a7e414c63dc5a20a294c71a54111910
28-Jan-2016
Vitaly Buka <vitalybuka@google.com>

Add session ID validation

BUG: 26292014
Change-Id: I2a71dbf3dbc4b422c8f9bedd806f459d2bc35333
Reviewed-on: https://weave-review.googlesource.com/2380
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

a821f2ec61873d1ad9eb207d7b760b3aaf21248e
27-Jan-2016
Vitaly Buka <vitalybuka@google.com>

Integrate new macaroon library

Implement validation of auth tokens (no session id check yet).

BUG: 26292014
Change-Id: I55c9c8249f6355132486b2be8628c3538d504c5d
Reviewed-on: https://weave-review.googlesource.com/2375
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

0dbbf605efb8f72b3c2c15c14e613323fc2ac0a2
22-Jan-2016
Vitaly Buka <vitalybuka@google.com>

AddTo will return AddToTypeProxy for convenience

Change-Id: If86496af0c68af31a3e0c618b0fae861975a4ebf
Reviewed-on: https://weave-review.googlesource.com/2321
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

48a8669ddc2e8d785aad9ad18a5abbf8f1224fde
22-Jan-2016
Vitaly Buka <vitalybuka@google.com>

Remove domain from weave::Error

We don't filter out errors by domain in libweave.

BUG: 26071451
Change-Id: I2114450aca1c8ede71cc45f19bd8e71d3464cb73
Reviewed-on: https://weave-review.googlesource.com/2289
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

e0df73aab852fc7ea6f9f2620bed0d596a77c1b8
23-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Switch to macaroon library to generate and parse access tokens

We need access tokens to store signed time, user id and scope. The macaroon library provides exactly this functionality, so we can reuse that and remove some of our generating/parsing code.

The access token is not expected to be parsed by clients. A client can't remove caveats from a macaroon. Adding new caveats is possible, but the code will reject such extended tokens because the number of caveats was changed.

Change-Id: I3f3a4a972cad061fe6ac75eb906a5b299e75d13d
Reviewed-on: https://weave-review.googlesource.com/2084
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

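The caveat-count check this commit relies on, plus the behaviour of the "Use different secret for auth and access tokens" and "Add test to verify that token from different secret is not accepted" entries below (a token signed under one secret fails under another) and the "Make App ID a part of User ID" entry above (auth type appended to the user ID caveat), shown together in one added C++ example. This is not libweave or libuweave code: it uses a toy keyed hash in place of the macaroon library's HMAC, and the caveat layout (time, user id with type suffix, scope), the one-hour TTL and the names CreateAccessToken/ParseAccessToken are assumptions for illustration only.

```cpp
// Added example, not libweave or libuweave code. Models a macaroon-style
// token chain: a holder can append caveats without the secret (the chained
// signature still verifies), but cannot remove or alter one, and the device
// additionally rejects any token whose caveat count differs from what it minted.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Toy keyed hash standing in for the HMAC of a real macaroon library.
// NOT cryptographically secure; it only reproduces the chaining structure.
static uint64_t ToyKeyedHash(uint64_t key, const std::string& data) {
  uint64_t h = key ^ 0xcbf29ce484222325ULL;
  for (unsigned char c : data) {
    h = (h ^ c) * 0x100000001b3ULL;
    h ^= h >> 29;
  }
  return h;
}

struct Macaroon {
  std::vector<std::string> caveats;
  uint64_t signature = 0;  // sig_0 = H(secret, "root"); sig_i = H(sig_{i-1}, caveat_i)
};

// Mint a token from the secret and an ordered list of caveats.
Macaroon Mint(uint64_t secret, const std::vector<std::string>& caveats) {
  Macaroon m;
  m.signature = ToyKeyedHash(secret, "root");
  for (const std::string& c : caveats) {
    m.caveats.push_back(c);
    m.signature = ToyKeyedHash(m.signature, c);
  }
  return m;
}

// Anyone holding a token can extend it; no secret is needed.
Macaroon AddCaveat(const Macaroon& m, const std::string& caveat) {
  Macaroon out = m;
  out.caveats.push_back(caveat);
  out.signature = ToyKeyedHash(out.signature, caveat);
  return out;
}

// Assumed access-token layout for this example (not the real libweave layout):
// caveat 0 = "time=<unix seconds>", caveat 1 = "user=<user id>/<auth type>",
// caveat 2 = "scope=<name>". The device mints exactly these three.
const size_t kAccessTokenCaveats = 3;
const int64_t kAccessTokenTtlSeconds = 3600;

Macaroon CreateAccessToken(uint64_t access_secret, int64_t now,
                           const std::string& user_app_id, const std::string& scope) {
  return Mint(access_secret, {"time=" + std::to_string(now),
                              "user=" + user_app_id, "scope=" + scope});
}

// Recompute the chain from the device's access secret, require the exact
// caveat count that was minted, and do the expiration check here.
bool ParseAccessToken(uint64_t access_secret, const Macaroon& m, int64_t now) {
  if (m.caveats.size() != kAccessTokenCaveats) return false;  // extended or truncated
  uint64_t sig = ToyKeyedHash(access_secret, "root");
  for (const std::string& c : m.caveats) sig = ToyKeyedHash(sig, c);
  if (sig != m.signature) return false;  // wrong secret or altered caveat
  if (m.caveats[0].compare(0, 5, "time=") != 0) return false;
  int64_t issued = std::stoll(m.caveats[0].substr(5));
  return now >= issued && now - issued <= kAccessTokenTtlSeconds;
}

int main() {
  const uint64_t kAccessSecret = 0x1111, kAuthSecret = 0x2222;  // distinct per token type
  Macaroon token = CreateAccessToken(kAccessSecret, 1000, "alice/local", "user");
  Macaroon extended = AddCaveat(token, "app=other");
  std::printf("genuine: %d\n", ParseAccessToken(kAccessSecret, token, 1500));
  std::printf("signed with auth secret: %d\n", ParseAccessToken(kAuthSecret, token, 1500));
  std::printf("client-extended: %d\n", ParseAccessToken(kAccessSecret, extended, 1500));
  std::printf("expired: %d\n", ParseAccessToken(kAccessSecret, token, 1000 + 3601));
  return 0;
}
```

The extended token carries a perfectly valid chain signature, which is why the count check is needed on top of signature verification: it is the only thing that distinguishes "minted by the device" from "minted by the device and then extended by whoever held it".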
131b889d1874954196791ce1c380e4ee683d2e66
23-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Extract macaroon reading and verifying into separate functions

Change-Id: I3d5156b5bfebb330587090a8deb9d154b13bc7d8
Reviewed-on: https://weave-review.googlesource.com/2083
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

7a25a3d7aa44a385ae47e7b32c074b56a57fdb20
23-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Extracted function to create token from secret and caveats

Change-Id: I9c9d2c6ee69b395091c4d17527439ed80279cf88
Reviewed-on: https://weave-review.googlesource.com/2082
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

20896ab5bdbddbac8f67f12fc8198330e5dafdfc
23-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Replace several members of SecurityManager with pointers to Settings

Change-Id: I408bd5750879bb948cc8b8f6feac30e82e5446a9
Reviewed-on: https://weave-review.googlesource.com/2081
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

66a01e0cd687c1e078b9166b61bf9112c70c1615
21-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Add AuthManager::CreateAccessTokenFromAuth

In case of local auth, the client passes a Macaroon token and the device exchanges that for an access token.

BUG=25768507
Change-Id: Ibf126d9ef470cf7843deed6b0b954c99aa64e78d
Reviewed-on: https://weave-review.googlesource.com/2065
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

ee7322fc7ed7cf06635a01010d10aedd9714e0ea
19-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Get list of auth modes from AuthManager

BUG=25768507
Change-Id: I6694f961fab045ef9dcd1b6cfbe8a2b2d82861c5
Reviewed-on: https://weave-review.googlesource.com/2064
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

66f46b8468354ee964a150df05d08b31a2c7121a
19-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Change user_id into string

Cloud users are going to be represented by strings, probably email addresses. An integer prefix is used to avoid collisions between pairing/anonymous and local users.

BUG=25768507
Change-Id: I27249c0b98f919e9527498be74ddaa82218b4041
Reviewed-on: https://weave-review.googlesource.com/2063
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

0bc02ede1d7ac6b0ed264b8891844d15bdb4733e
18-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Use different secret for auth and access tokens

A temporary secret guarantees invalidation of access tokens on device reboot. Without that, when the device updates, we can have tokens signed with a valid key but with an invalid format, or a user_id collision.

Change-Id: I0a6dbd782165715d781501456a4fd29bb060ffdd
Reviewed-on: https://weave-review.googlesource.com/2062
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

a0a813490ff37868827b65d7f9aeb554c996c17c
17-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Changed AuthManager::CreateAccessToken and AuthManager::ParseAccessToken

With this API we can handle expiration checks inside of AuthManager.

BUG=25768507
Change-Id: I2fa5d428be6f0772d8b2656eb2bee71824f0d308
Reviewed-on: https://weave-review.googlesource.com/2030
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

483d5970e88b56442f19baea841f6af75b5a0006
16-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Add 'sessionId' into privet/info

Current implementation is a Unix timestamp plus counter.

BUG=26140026
Change-Id: Idfe0aa81c49e6dab5d638cbedfbeb460b70b5864
Reviewed-on: https://weave-review.googlesource.com/2010
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

305ab613de85f6640f300010a17cb6ea22be2081
15-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Rename ConfirmAuthToken -> ConfirmClientAuthToken

Change-Id: If7ecdb3cfd168a7054300fd229bd1e8dc534469a
Reviewed-on: https://weave-review.googlesource.com/1965
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

c3bc82a29cdff05d67d3b583ca0bc25df96ab382
15-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Check if device already claimed

A client can claim only an unclaimed device. The cloud can claim any device. Claim with kNone is not allowed.

BUG=25766815, 26143922
Change-Id: Id92168b7f7c290509e672a659f09b7d06af37b76
Reviewed-on: https://weave-review.googlesource.com/1960
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

4ab500249f346a9fcfe084ee1619a39259f7471c
15-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Change interface of ClaimRootClientAuthToken and ConfirmAuthToken

Add RootClientTokenOwner argument to check if this owner can claim the device. Add ErrorPtr to return an error in the privet response.

BUG=25766815
Change-Id: I508c934e23092514e37b1f4790f0f1e693583ae1
Reviewed-on: https://weave-review.googlesource.com/1939
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

a10ab1ce7c4cd8e8a6c3c6c9a2b0bc8a5d013f56
15-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Provide RootClientTokenOwner into ClaimRootClientAuthToken

ClaimRootClientAuthToken will check if the token is already claimed and block the claim if needed.

BUG=25766815
Change-Id: I8d12578c99307830afccd280c322d2240234e435
Reviewed-on: https://weave-review.googlesource.com/1934
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

229113e837328b53f6fcf1c82790cdb2c013a0dc
14-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Pass Config pointer into AuthManager

AuthManager needs to have logic for re-claiming devices. This requires persistent storage for the secret and owner. It's going to be easier to handle the logic there than outside.

BUG=25766815
Change-Id: Icc417f23715b48461098503fd241cee534d2225c
Reviewed-on: https://weave-review.googlesource.com/1949
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

29bc59330bec58e43df1050bee279819b54e7c6e
14-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Use ClaimRootClientAuthToken instead of GetRootClientAuthToken

Change-Id: Ied590ebc9c5166df2156b91900a565ec2e8ed755
Reviewed-on: https://weave-review.googlesource.com/1948
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

cc77fad1d950349c0973e8140e225f2c6db8ce6d
14-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Add ClaimRootClientAuthToken and ConfirmRootClientAuthToken

The Claim* call will create a temporary secret and set that as primary after Confirm* is called.

A local client needs to be able to claim control of an unclaimed device. A device should be claimed no more than once, so if Claim was called and the client did not get a response, we would have a locked account. Confirm* is used as that confirmation.

BUG=25766815
Change-Id: Id744f98788abe70a42b32c4a6d796e7ff74c3936
Reviewed-on: https://weave-review.googlesource.com/1947
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

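The two-phase Claim/Confirm handshake described in this commit, combined with the owner rules from the "Check if device already claimed" and "Provide RootClientTokenOwner into ClaimRootClientAuthToken" entries above (a client can claim only an unclaimed device, the cloud can claim any device, kNone is refused), as an added C++ model. It is not libweave code: the class name AuthManagerModel and the error strings are hypothetical, and the token handed back by Claim is an opaque random string remembered next to the pending secret rather than the RCAT macaroon the real code derives from it.

```cpp
// Added example, not libweave code: a model of the two-phase claim of the
// Root Client Authorization Token. Claim creates a temporary (pending)
// secret; only Confirm promotes it to primary, so a claim whose response
// never reached the client does not permanently lock the device.
#include <cstdint>
#include <cstdio>
#include <random>
#include <string>

enum class RootClientTokenOwner { kNone, kClient, kCloud };

class AuthManagerModel {  // hypothetical name; not the real privet::AuthManager
 public:
  // Claim: refuse kNone, let a client claim only an unclaimed device, let
  // the cloud claim any device. Nothing becomes primary yet, so a client
  // whose response was lost can simply claim again.
  bool ClaimRootClientAuthToken(RootClientTokenOwner owner,
                                std::string* token, std::string* error) {
    if (owner == RootClientTokenOwner::kNone) {
      *error = "invalidAuthMode";
      return false;
    }
    if (owner == RootClientTokenOwner::kClient &&
        owner_ != RootClientTokenOwner::kNone) {
      *error = "alreadyClaimed";
      return false;
    }
    pending_secret_ = RandomHex(32);
    pending_owner_ = owner;
    // Assumption of this model: the token is an opaque handle remembered with
    // the pending secret. The real code derives an RCAT macaroon from the secret.
    pending_token_ = RandomHex(16);
    *token = pending_token_;
    return true;
  }

  // Confirm: the presented token must match the outstanding claim. Only then
  // does the pending secret replace the primary one and the owner change.
  bool ConfirmClientAuthToken(const std::string& token, std::string* error) {
    if (pending_owner_ == RootClientTokenOwner::kNone ||
        !ConstantTimeEqual(token, pending_token_)) {
      *error = "invalidAuthorization";
      return false;
    }
    secret_ = pending_secret_;
    owner_ = pending_owner_;
    pending_owner_ = RootClientTokenOwner::kNone;
    pending_secret_.clear();
    pending_token_.clear();
    return true;
  }

  RootClientTokenOwner owner() const { return owner_; }
  bool HasPendingClaim() const { return pending_owner_ != RootClientTokenOwner::kNone; }

 private:
  static std::string RandomHex(size_t bytes) {
    static std::mt19937_64 rng{std::random_device{}()};
    static const char* digits = "0123456789abcdef";
    std::string out;
    for (size_t i = 0; i < bytes; ++i) {
      unsigned v = static_cast<unsigned>(rng() & 0xff);
      out += digits[v >> 4];
      out += digits[v & 0xf];
    }
    return out;
  }
  // Compare without leaking where the two strings first differ.
  static bool ConstantTimeEqual(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < a.size(); ++i)
      diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
  }

  std::string secret_;  // primary secret; persisted in the real code
  RootClientTokenOwner owner_ = RootClientTokenOwner::kNone;
  std::string pending_secret_;
  std::string pending_token_;
  RootClientTokenOwner pending_owner_ = RootClientTokenOwner::kNone;
};

int main() {
  AuthManagerModel device;
  std::string token, error;
  bool claimed = device.ClaimRootClientAuthToken(RootClientTokenOwner::kClient, &token, &error);
  bool confirmed = claimed && device.ConfirmClientAuthToken(token, &error);
  bool reclaimed = device.ClaimRootClientAuthToken(RootClientTokenOwner::kClient, &token, &error);
  std::printf("claimed=%d confirmed=%d second client claim=%d (%s)\n",
              claimed, confirmed, reclaimed, error.c_str());
  return 0;
}
```

The point of the split is visible in the state: between Claim and Confirm the device still reports itself unclaimed, so a client that never saw the Claim response is not locked out, while an attacker who only observed a stale Claim token cannot confirm once a newer claim has replaced it.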
e08c7c6a8bbe0326e5f9c067863a3256c8e5562b
14-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Add macaroon auth token verification

Change-Id: I600116c238a495c7c1ba44267cdc44eb97d181d8
Reviewed-on: https://weave-review.googlesource.com/1946
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

0de42f5abc87364a681a0d8f40c06f2ec1516059
14-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Add test to verify that token from different secret is not accepted

The token is generated by one AuthManager and passed into another for parsing. As the AuthManagers have different secrets, parsing should fail.

Change-Id: I5d83cf579690eeafc6745f516c3ccb2702423039
Reviewed-on: https://weave-review.googlesource.com/1945
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

47743a36101db8e377c45c9ef469d09d4ad874bb
10-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Fixed name of the function to match design docs.

This is called there as Root Client Authorization Token (RCAT).

Change-Id: I906a6d887506369d3deb028636e2b630ef325b81
Reviewed-on: https://weave-review.googlesource.com/1884
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

41aa8090265b73876da7b99b5d246b4a64fe0474
10-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Use base::Clock in AuthManager for better testing

Change-Id: Ifbb23e4da565a1c86ff728803d2e07e3f8c3b1f4
Reviewed-on: https://weave-review.googlesource.com/1873
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc

a37056ebbe5ee0b22476d4965d43f75406eff5d4
09-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Generate Root Client Authorization Token

BUG=25934385
Change-Id: Ic7d421f2c0152c7580014229c28495520d8c9981
Reviewed-on: https://weave-review.googlesource.com/1868
Reviewed-by: Vitaly Buka <vitalybuka@google.com>

/external/libweave/src/privet/auth_manager.cc

f08caeb9070257bb2ab0769f328eb8632f1778dc
02-Dec-2015
Vitaly Buka <vitalybuka@google.com>

Extract privet::AuthManager from privet::SecurityManager

BUG: 25934385
Change-Id: I45fb7c79053a6009330b4debae1065266d1ce972
Reviewed-on: https://weave-review.googlesource.com/1735
Reviewed-by: Alex Vakulenko <avakulenko@google.com>

/external/libweave/src/privet/auth_manager.cc