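// Slides from "An Over-Engineering Disaster with Macaroons" / "Macaroons: maybe not?"
// Tess Rinearson, Chain, August 2018.
//
// Slide 3 — Authentication and authorization: authentication answers
// "who are you?", authorization answers "what can you do?". The two
// handlers below are the pre-macaroon, identity-based design the talk
// starts from. Slide builds that repeated the same code have been
// collapsed into a single listing here.

// Authenticate returns the request with added tokens in the context.
//
// It reads HTTP Basic credentials from req, verifies them with
// a.checkTokenAuthn, and on success returns a copy of req whose context
// carries the authenticated user (via newContextWithUser). It returns a
// nil request and an error when no credentials are present or when
// verification fails. The error strings are deliberately generic so the
// response does not reveal whether the user exists or which part of the
// credential was wrong.
func (a *API) Authenticate(req *http.Request) (*http.Request, error) {
	ctx := req.Context()
	user, pw, ok := req.BasicAuth()
	if !ok {
		// As printed on the slide this returned "" for a *http.Request;
		// the error path must return nil for the request.
		return nil, errors.New("no token")
	}
	// err was never declared on the slide; declare it here.
	err := a.checkTokenAuthn(ctx, user, pw)
	if err != nil {
		return nil, errors.New("unauthenticated")
	}
	if user != "" {
		// if request was successfully authn'd, pass the user along
		ctx = newContextWithUser(ctx, user)
	}
	// NOTE(review): if checkTokenAuthn accepts an empty user, the request
	// continues with no user in its context — confirm checkTokenAuthn
	// rejects empty usernames, otherwise downstream code cannot tell an
	// authenticated request from an anonymous one.
	return req.WithContext(ctx), nil
}

// Authorize checks whether the authenticated token in req's context is
// allowed to reach the requested route.
//
// It looks up the policies for req.RequestURI, expands them to grants
// via a.grantsByPolicies, and succeeds when any grant's access-token
// data equals the token from the request context. A route with no
// registered policy is rejected (fail closed), a grant lookup failure is
// returned wrapped, and no matching grant yields ErrNotAuthorized.
func (a *Authorizer) Authorize(req *http.Request) error {
	// ctx was used but never defined on the slide; the token lives in the
	// request context populated by Authenticate.
	ctx := req.Context()

	// NOTE(review): RequestURI includes the query string, so if
	// policyByRoute is keyed by path alone, "/route?x=1" will miss its
	// policy. That fails closed ("missing policy"), but is worth
	// confirming against how the map is populated.
	policies := a.policyByRoute[req.RequestURI]
	if policies == nil {
		return errors.New("missing policy on this route")
	}
	grants, err := a.grantsByPolicies(policies)
	if err != nil {
		return errors.Wrap(err)
	}

	// Hoisted out of the loop: the request token does not change per grant.
	token := authn.Token(ctx)
	for _, g := range grants {
		// NOTE(review): == on token material is not constant-time; if the
		// compared values are secrets (as the name suggests) use
		// crypto/subtle.ConstantTimeCompare on their byte forms instead.
		// Left as-is here because the file's import block is not in view.
		if accessTokenData(g) == token {
			return nil
		}
	}
	return ErrNotAuthorized
}

// Slides 6–8 — Capability vs. Identity: holding the right token is itself
// the capability, whereas an identity scheme has to stop and ask
// "who the heck are you?" before deciding what the caller may do.
// Capability vs.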
Identity (slide 8): in the identity model the server first has to ask the caller "who the heck are you?"; only after the caller presents an identity does the server concede "yeah ok I guess" and proceed to decide what that identity is allowed to do. In the capability model the presented token already carries that answer, so the question never has to be asked.