rust: fix macaroon expiry check

There were two bugs with this code: the expiry timestamps were getting enclosed in double-quotes (which caused parse bugs), and the actual caveat check itself was backwards (expires < now instead of expires > now). An underlying issue was that these caveats weren't actually getting checked in the tests. Should fix a bug where users don't get auth'd correctly when logging in via mechanisms other than tokens.
author: Bryan Newbold <bnewbold@robocracy.org> 2019-04-09 11:42:35 -0700
committer: Bryan Newbold <bnewbold@robocracy.org> 2019-04-09 11:42:38 -0700
commit: f3192742ec0b3e99155622ef505c55c260b3bdb0 (patch)
tree: f7b7278e0ae49cb88f40cda0e20f0fa6791ec3c0 /rust/src
parent: aaee1355c86479ea5612d4f14f4da4e5d063d14e (diff)
download: fatcat-f3192742ec0b3e99155622ef505c55c260b3bdb0.tar.gz
fatcat-f3192742ec0b3e99155622ef505c55c260b3bdb0.zip
1 files changed, 19 insertions, 10 deletions
diff --git a/rust/src/auth.rs b/rust/src/auth.rs
index 7e9b945a..a62c2f58 100644
--- a/rust/src/auth.rs
+++ b/rust/src/auth.rs
@@ -229,7 +229,7 @@ impl AuthConfectionary {
         if let Some(duration) = duration {
             let expires = now_utc + duration;
             mac.add_first_party_caveat(&format!(
-                "time < {:?}",
+                "time < {}",
                 &expires.to_rfc3339_opts(SecondsFormat::Secs, true)
             ));
         };
@@ -291,12 +291,15 @@ impl AuthConfectionary {
         let mut created: Option<DateTime<Utc>> = None;
         for caveat in mac.first_party_caveats() {
             if caveat.predicate().starts_with("time > ") {
-                created = Some(
+                let ts: chrono::ParseResult<DateTime<Utc>> =
                     DateTime::parse_from_rfc3339(caveat.predicate().get(7..).unwrap())
-                        .unwrap()
-                        .with_timezone(&Utc),
-                );
-                break;
+                        .map(|x| x.with_timezone(&Utc));
+                if let Ok(ts) = ts {
+                    created = Some(ts);
+                    break;
+                } else {
+                    info!("couldn't parse macaroon time constraint: {}", caveat.predicate());
+                }
             }
         }
         let created = match created {
@@ -337,10 +340,16 @@ impl AuthConfectionary {
         verifier.satisfy_general(|p: &str| -> bool {
             // not expired (based on time)
             if p.starts_with("time < ") {
-                let expires: DateTime<Utc> = DateTime::parse_from_rfc3339(p.get(7..).unwrap())
-                    .unwrap()
-                    .with_timezone(&Utc);
-                expires < Utc::now()
+                let expires: chrono::ParseResult<DateTime<Utc>> =
+                    DateTime::parse_from_rfc3339(p.get(7..).unwrap())
+                        .map(|x| x.with_timezone(&Utc));
+                if let Ok(when) = expires {
+                    //info!("checking time constraint: {} < {}", Utc::now(), when);
+                    Utc::now() < when
+                } else {
+                    info!("couldn't parse macaroon time constraint: {}", p);
+                    false
+                }
             } else {
                 false
             }
author	Bryan Newbold <bnewbold@robocracy.org>	2019-04-09 11:42:35 -0700
committer	Bryan Newbold <bnewbold@robocracy.org>	2019-04-09 11:42:38 -0700
commit	f3192742ec0b3e99155622ef505c55c260b3bdb0 (patch)
tree	f7b7278e0ae49cb88f40cda0e20f0fa6791ec3c0 /rust/src
parent	aaee1355c86479ea5612d4f14f4da4e5d063d14e (diff)
download	fatcat-f3192742ec0b3e99155622ef505c55c260b3bdb0.tar.gz fatcat-f3192742ec0b3e99155622ef505c55c260b3bdb0.zip