https://github.com/rogpeppe/macaroon-cmd

A command-line tool for manipulating macaroons
https://github.com/rogpeppe/macaroon-cmd

Last synced: about 2 months ago
JSON representation

A command-line tool for manipulating macaroons

• Host: GitHub
• URL: https://github.com/rogpeppe/macaroon-cmd
• Owner: rogpeppe
• License: bsd-3-clause
• Created: 2017-10-02T09:38:04.000Z (over 7 years ago)
• Default Branch: master
• Last Pushed: 2018-03-05T07:50:26.000Z (about 7 years ago)
• Last Synced: 2025-02-08T14:44:47.599Z (3 months ago)
• Language: Go
• Size: 37.1 KB
• Stars: 1
• Watchers: 2
• Forks: 0
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
macaroon command

-------

Note: *WORK IN PROGRESS*

This command implements command-line support for creating, discharging

and checking macaroons. It will usually rely on a macaroond daemon running

somewhere in the system. Use `macaroon login` to acquire an access token

to use this. The first time this runs, it will prompt for a password to use

to encrypt the root keys. The login command prints an environment variable

to set which provides access to the root key store.

To run macaroond, first install it (`go get github.com/rogpeppe/macaroon-cmd/cmd/macaroond`)

then run it as:

	macaroond /tmp/macaroonstoragedir

You can also run the macaroon command storing the root keys unencrypted in

a local file with:

	export MACAROON_ACCESS_TOKEN=localfile:/path/to/storage-directory

A "macaroons" argument to a command specifies a list of unbound macaroons,

with the first element being the primary, or root, macaroon and the rest

being discharges. A macaroons argument can be specified in one of the

following ways:

 - a JSON string containing a object in bakery.Macaroon or macaroon.Macaroon format.

 - a JSON string containing an array of macaroons in bakery.Macaroon format.

 - a base64-encoded string containing any of the above.

 - any of the above prefixed with "unbound:".

A macaroon list is printed as a base64-encoded

string holding a JSON array holding macaroons in bakery.Macaroon

format, prefixed with the string "unbound:".

The base64 encoding will not include terminating "=" padding

characters.

A format argument can be one of the following:

	json			- base64 JSON encoded

	binary		- base64 binary encoded

	rawjson		- JSON encoded

	rawbinary	- binary encoded

Binary formats can only be used with bound macaroons.

	macaroon login

	

Log into the local macaroon root key server. Prints:

	export MACAROON_ACCESS_TOKEN=xxxxx

All commands recognize that env var and use it

to talk to the server.

	macaroon new [--expiry duration] op...

Create new macaroon valid for the given operations,

which expires after the given duration from now.

	macaroon check [--any] op... [macaroons...]

Return status indicating whether macaroons are allowed to perform all given

operations. If --any flag is given, print allowed status of all operations.

All the macaroons should be bound (for example using the use command).

e.g. macaroon check read:/usr/bin/x dfvnmdsvflkfdjsnvldksnv dsakhjcsdhjcbsk

	macaroon discharge macaroon

Acquire any discharges needed for the undischarged macaroon

and print macaroon slice.

	macaroon use [--format format] macaroons

Use macaroons in a request. Takes the given macaroons, which

must have include all discharges, and prints it in the specified

format (default binary).

	macaroon caveat [-3 location] [--public-key xxxx] macaroon condition

Add caveat to macaroon, prints new macaroon.

looks up public key of location if not provided

(could use local cache)

	macaroon show [--format text|json|binary] macaroons

Show macaroons formatted with the given

format. If --raw is specified, binary output will not be base64-quoted.

UNIMPLEMENTED AS YET

	macaroon newkey

	

Generate a new public-private key pair and print it.

	macaroon discharger json-spec

	

Run 3rd party caveat discharge service

json spec maps caveat conditions to required operations.

you can discharge a caveat condition if the caveat condition

matches a pattern and the provided discharge token contains

a set of macaroons that allows the associated operations.

e.g.

	{

		condition: "answered-quiz ([a-z]+)",

		ops: ["answered:\1"],

	}

Encrypt macaroons at rest; use a server listening on a unix socket

to retrieve and create root keys. To obtain access to the server,

authenticate somehow (initially just a password, later perhaps user

too), which gives us a macaroon that will allow access to the rest

of the API.

Initially, just use a single root key, encrypted with the password.

Send password hashed with password-strong hash.