miniroon

Simplistic macaroon-based authorization for Unix systems

commit 1694cf880abe6171a7af21e2ab4c6fa5424362b6
parent abde2042f286c7506cf807b12b64a13c1a68ce3a
Author: Jan Pobrislo <ccx@te2000.cz>
Date:   Fri, 14 Feb 2025 21:48:45 +0000

Flexible miniroon generation from Python

Diffstat:
Msrc/errors.c | 2+-
Msrc/gen-miniroon.py | 40++++++++++++++++++++++++++++++++--------
Atest/ccx_once.json | 9+++++++++
Atest/invalid_version.miniroon | 2++
4 files changed, 44 insertions(+), 9 deletions(-)

diff --git a/src/errors.c b/src/errors.c
@@ -2,7 +2,7 @@
#include "errors.h"
-miniroon_error miniroon_current_error = 0;
+miniroon_error miniroon_current_error = MINIROON_OK;
char const *miniroon_errmsg[8] = {NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL};
unsigned char miniroon_errmsg_count = 0;
diff --git a/src/gen-miniroon.py b/src/gen-miniroon.py
@@ -1,6 +1,10 @@
#!/usr/bin/env python3
-import sys
+import argparse
+import base64
import hmac
+import json
+import os
+import sys
class NetString(bytes):
@@ -27,25 +31,25 @@ def to_ns_list(data):
def miniroon_hmac(key, msg):
+ assert len(key) == 32
print('miniroon_hmac%r' % ((key, msg),), file=sys.stderr)
#return hmac.digest(key, msg, 'blake2s')
return hmac.digest(key, msg, 'sha256')
-def make_miniroon(name, action='invoke-once', secret=b'\0'*32, caveats=(), version='capv0'):
+def make_miniroon(name, action='invoke-once', secret=b'\0'*32, caveats=(), version='capv0', unwrap=False):
hdr = b''.join(NetString.from_any(i) for i in (version, name, action))
caveats_ns = [to_ns_list(c) for c in caveats]
sig = miniroon_hmac(secret, hdr)
for c in caveats_ns:
sig = miniroon_hmac(sig, c)
- return NetString.from_any([
- hdr,
- caveats_ns,
- sig,
- ])
+ if unwrap:
+ return b''.join(map(NetString.from_any, (hdr, caveats_ns, sig)))
+ else:
+ return NetString.from_any([hdr, caveats_ns, sig])
-if __name__ == '__main__':
+def main_old():
import os
# os.write(1, make_miniroon(name='ccx'))
os.write(1, make_miniroon(name='ccx', caveats=[
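Review bot: The new `assert len(key) == 32` in miniroon_hmac is compiled out under `python -O`, so a short or empty root secret would then be silently accepted and fed to hmac; make it a real check, `if len(key) != 32: raise ValueError('miniroon key must be 32 bytes')`. The `print('miniroon_hmac%r' % ((key, msg),), file=sys.stderr)` right below it still writes the root secret and every chained signature to stderr, which matters more now that this script is turning into a generator fed with real secrets from JSON — consider removing it or gating it behind an environment variable or flag. In make_miniroon the default `secret=b'\0'*32` means any caller that omits the secret gets a token signed with a publicly known key; that is fine for fixtures but deserves a comment such as `# all-zero default is for test fixtures only; real callers must pass a secret`. `main_old` begins in this hunk and its body continues past it.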
@@ -55,3 +59,23 @@ if __name__ == '__main__':
# ('x-glob', 'var3', '_*'),
('env-is', 'var3', '_hello'),
]))
+
+
+argument_parser = argparse.ArgumentParser()
+argument_parser.add_argument('--unwrap', action='store_true', default=False)
+argument_parser.add_argument('json_in', type=argparse.FileType(mode='r'), nargs="?", default=sys.stdin)
+
+
+def main():
+ args = argument_parser.parse_args()
+ data = json.load(args.json_in)
+ data['unwrap'] = args.unwrap
+ assert isinstance(data, dict)
+ if 'secret_b64' in data:
+ assert 'secret' not in data
+ data['secret'] = base64.b64decode(data['secret_b64'])
+ os.write(1, make_miniroon(**data))
+
+
+if __name__ == '__main__':
+ main()
diff --git a/test/ccx_once.json b/test/ccx_once.json
@@ -0,0 +1,9 @@
+{
+ "name": "ccx",
+ "caveats": [
+ ["env-is", "var1", "hello"],
+ ["env-absent", "var2"],
+ ["env-glob", "var3", "_*"],
+ ["env-is", "var3", "_hello"]
+ ]
+}
diff --git a/test/invalid_version.miniroon b/test/invalid_version.miniroon
@@ -0,0 +1 @@
+181:27:3:yay,3:ccx,11:invoke-once,,109:24:6:env-is,4:var1,5:hello,,21:10:env-absent,4:var2,,23:8:env-glob,4:var3,2:_*,,25:6:env-is,4:var3,6:_hello,,,32:À)3–ŠMŒøXEÝ~û$ÒAž@Öfc˜;öü@•Õ†,,+
\ No newline at end of file
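Review bot: `main()` leaves `secret_b64` in `data` after decoding it, so `make_miniroon(**data)` raises `TypeError` for the unexpected keyword `secret_b64`, and since a JSON `secret` value would arrive as a `str` that `hmac.digest` rejects, there is currently no working way to supply a real secret from the JSON file; use `data.pop('secret_b64')`. The `assert isinstance(data, dict)` runs only after `data['unwrap'] = args.unwrap` has already indexed a possibly non-dict value, and both asserts vanish under `-O`, so they should be explicit exceptions. When neither key is present, make_miniroon's all-zero default secret is used silently and the emitted token can be minted by anyone; that is presumably intended for the fixtures under test/, but a warning on stderr would stop it going unnoticed in real use. The rewrite below also passes `validate=True` to `b64decode` so stray characters in the secret are rejected rather than dropped.
```python
def main():
    args = argument_parser.parse_args()
    data = json.load(args.json_in)
    if not isinstance(data, dict):
        raise SystemExit('miniroon spec must be a JSON object')
    data['unwrap'] = args.unwrap
    if 'secret_b64' in data:
        if 'secret' in data:
            raise SystemExit("give either 'secret' or 'secret_b64', not both")
        data['secret'] = base64.b64decode(data.pop('secret_b64'), validate=True)
    elif 'secret' not in data:
        print('warning: no secret given, signing with the all-zero test key', file=sys.stderr)
    os.write(1, make_miniroon(**data))
```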