| // Copyright 2015 The Vanadium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| // This file was auto-generated by the vanadium vdl tool. |
| // Package: security |
| |
| package security |
| |
| import ( |
| "fmt" |
| "time" |
| "v.io/v23/context" |
| "v.io/v23/i18n" |
| "v.io/v23/uniqueid" |
| "v.io/v23/vdl" |
| vdltime "v.io/v23/vdlroot/time" |
| "v.io/v23/verror" |
| "v.io/v23/vom" |
| ) |
| |
| var _ = __VDLInit() // Must be first; see __VDLInit comments for details. |
| |
| ////////////////////////////////////////////////// |
| // Type definitions |
| |
| type nonce [16]byte |
| |
| func (nonce) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.nonce"` |
| }) { |
| } |
| |
| func (x nonce) VDLIsZero() bool { |
| return x == nonce{} |
| } |
| |
| func (x nonce) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.WriteValueBytes(__VDLType_array_1, x[:]); err != nil { |
| return err |
| } |
| return nil |
| } |
| |
| func (x *nonce) VDLRead(dec vdl.Decoder) error { |
| bytes := x[:] |
| if err := dec.ReadValueBytes(16, &bytes); err != nil { |
| return err |
| } |
| return nil |
| } |
| |
| // Caveat is a condition on the validity of a blessing/discharge. |
| // |
| // These conditions are provided when asking a principal to create |
| // a blessing/discharge and are verified when extracting blessings |
| // (Blessings.ForName in the Go API). |
| // |
| // Given a Hash, the message digest of a caveat is: |
| // Hash(Hash(Id), Hash(ParamVom)) |
| type Caveat struct { |
| Id uniqueid.Id // The identifier of the caveat validation function. |
| ParamVom []byte // VOM-encoded bytes of the parameters to be provided to the validation function. |
| } |
| |
| func (Caveat) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.Caveat"` |
| }) { |
| } |
| |
| func (x Caveat) VDLIsZero() bool { |
| if x.Id != (uniqueid.Id{}) { |
| return false |
| } |
| if len(x.ParamVom) != 0 { |
| return false |
| } |
| return true |
| } |
| |
| func (x Caveat) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_2); err != nil { |
| return err |
| } |
| if x.Id != (uniqueid.Id{}) { |
| if err := enc.NextFieldValueBytes(0, __VDLType_array_3, x.Id[:]); err != nil { |
| return err |
| } |
| } |
| if len(x.ParamVom) != 0 { |
| if err := enc.NextFieldValueBytes(1, __VDLType_list_4, x.ParamVom); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *Caveat) VDLRead(dec vdl.Decoder) error { |
| *x = Caveat{} |
| if err := dec.StartValue(__VDLType_struct_2); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_2 { |
| index = __VDLType_struct_2.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| bytes := x.Id[:] |
| if err := dec.ReadValueBytes(16, &bytes); err != nil { |
| return err |
| } |
| case 1: |
| if err := dec.ReadValueBytes(-1, &x.ParamVom); err != nil { |
| return err |
| } |
| } |
| } |
| } |
| |
| // ThirdPartyRequirements specifies the information required by the third-party |
| // that will issue discharges for third-party caveats. |
| // |
| // These requirements are typically used to construct a DischargeImpetus, which |
| // will be sent to the third-party. |
| type ThirdPartyRequirements struct { |
| ReportServer bool // The blessings presented by the server of an IPC call. |
| ReportMethod bool // The name of the method being invoked. |
| ReportArguments bool // Arguments to the method being invoked. |
| } |
| |
| func (ThirdPartyRequirements) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.ThirdPartyRequirements"` |
| }) { |
| } |
| |
| func (x ThirdPartyRequirements) VDLIsZero() bool { |
| return x == ThirdPartyRequirements{} |
| } |
| |
| func (x ThirdPartyRequirements) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_5); err != nil { |
| return err |
| } |
| if x.ReportServer { |
| if err := enc.NextFieldValueBool(0, vdl.BoolType, x.ReportServer); err != nil { |
| return err |
| } |
| } |
| if x.ReportMethod { |
| if err := enc.NextFieldValueBool(1, vdl.BoolType, x.ReportMethod); err != nil { |
| return err |
| } |
| } |
| if x.ReportArguments { |
| if err := enc.NextFieldValueBool(2, vdl.BoolType, x.ReportArguments); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *ThirdPartyRequirements) VDLRead(dec vdl.Decoder) error { |
| *x = ThirdPartyRequirements{} |
| if err := dec.StartValue(__VDLType_struct_5); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_5 { |
| index = __VDLType_struct_5.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| switch value, err := dec.ReadValueBool(); { |
| case err != nil: |
| return err |
| default: |
| x.ReportServer = value |
| } |
| case 1: |
| switch value, err := dec.ReadValueBool(); { |
| case err != nil: |
| return err |
| default: |
| x.ReportMethod = value |
| } |
| case 2: |
| switch value, err := dec.ReadValueBool(); { |
| case err != nil: |
| return err |
| default: |
| x.ReportArguments = value |
| } |
| } |
| } |
| } |
| |
| // publicKeyThirdPartyCaveatParam represents a third-party caveat that requires |
| // PublicKeyDischarge(s) to be issued by a principal identified by a public key. |
| // |
| // The Id of the caveat is base64-encoded: |
| // hash(hash(Nonce), hash(DischargerKey), hash(Caveats[0]), hash(Caveats[1]), ...) |
| // where hash is a cryptographic hash function with a security strength |
| // equivalent to that of the DischargerKey. For example, if DischargerKey |
| // represents an ECDSA public key with the P384 curve, then hash should be |
| // SHA384. |
| type publicKeyThirdPartyCaveatParam struct { |
| // Nonce specifies a cryptographically random nonce associated with an |
| // instance of the caveat. This prevents discharge replays, where |
| // discharges for ThirdPartyCaveats embedded in the certificates for |
| // one blessing can be used for another blessing. |
| // |
| // Whether discharge re-use is a desired or un-desired property is |
| // still under debate. Till the debate is settled, we err on the side |
| // of discouraging re-use. |
| Nonce nonce |
| // Caveats specifies the caveats that have to be validated |
| // before minting a discharge for a publicKeyCaveat. |
| Caveats []Caveat |
| // DER-encoded PKIX public key of the principal that can issue discharges. |
| DischargerKey []byte |
| // Object name where the third-party that can issue discharges can be found. |
| DischargerLocation string |
| // Information required by the third-party in order to issue a discharge. |
| DischargerRequirements ThirdPartyRequirements |
| } |
| |
| func (publicKeyThirdPartyCaveatParam) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.publicKeyThirdPartyCaveatParam"` |
| }) { |
| } |
| |
| func (x publicKeyThirdPartyCaveatParam) VDLIsZero() bool { |
| if x.Nonce != (nonce{}) { |
| return false |
| } |
| if len(x.Caveats) != 0 { |
| return false |
| } |
| if len(x.DischargerKey) != 0 { |
| return false |
| } |
| if x.DischargerLocation != "" { |
| return false |
| } |
| if x.DischargerRequirements != (ThirdPartyRequirements{}) { |
| return false |
| } |
| return true |
| } |
| |
| func (x publicKeyThirdPartyCaveatParam) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_6); err != nil { |
| return err |
| } |
| if x.Nonce != (nonce{}) { |
| if err := enc.NextFieldValueBytes(0, __VDLType_array_1, x.Nonce[:]); err != nil { |
| return err |
| } |
| } |
| if len(x.Caveats) != 0 { |
| if err := enc.NextField(1); err != nil { |
| return err |
| } |
| if err := __VDLWriteAnon_list_1(enc, x.Caveats); err != nil { |
| return err |
| } |
| } |
| if len(x.DischargerKey) != 0 { |
| if err := enc.NextFieldValueBytes(2, __VDLType_list_4, x.DischargerKey); err != nil { |
| return err |
| } |
| } |
| if x.DischargerLocation != "" { |
| if err := enc.NextFieldValueString(3, vdl.StringType, x.DischargerLocation); err != nil { |
| return err |
| } |
| } |
| if x.DischargerRequirements != (ThirdPartyRequirements{}) { |
| if err := enc.NextField(4); err != nil { |
| return err |
| } |
| if err := x.DischargerRequirements.VDLWrite(enc); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func __VDLWriteAnon_list_1(enc vdl.Encoder, x []Caveat) error { |
| if err := enc.StartValue(__VDLType_list_7); err != nil { |
| return err |
| } |
| if err := enc.SetLenHint(len(x)); err != nil { |
| return err |
| } |
| for _, elem := range x { |
| if err := enc.NextEntry(false); err != nil { |
| return err |
| } |
| if err := elem.VDLWrite(enc); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextEntry(true); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *publicKeyThirdPartyCaveatParam) VDLRead(dec vdl.Decoder) error { |
| *x = publicKeyThirdPartyCaveatParam{} |
| if err := dec.StartValue(__VDLType_struct_6); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_6 { |
| index = __VDLType_struct_6.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| bytes := x.Nonce[:] |
| if err := dec.ReadValueBytes(16, &bytes); err != nil { |
| return err |
| } |
| case 1: |
| if err := __VDLReadAnon_list_1(dec, &x.Caveats); err != nil { |
| return err |
| } |
| case 2: |
| if err := dec.ReadValueBytes(-1, &x.DischargerKey); err != nil { |
| return err |
| } |
| case 3: |
| switch value, err := dec.ReadValueString(); { |
| case err != nil: |
| return err |
| default: |
| x.DischargerLocation = value |
| } |
| case 4: |
| if err := x.DischargerRequirements.VDLRead(dec); err != nil { |
| return err |
| } |
| } |
| } |
| } |
| |
| func __VDLReadAnon_list_1(dec vdl.Decoder, x *[]Caveat) error { |
| if err := dec.StartValue(__VDLType_list_7); err != nil { |
| return err |
| } |
| if len := dec.LenHint(); len > 0 { |
| *x = make([]Caveat, 0, len) |
| } else { |
| *x = nil |
| } |
| for { |
| switch done, err := dec.NextEntry(); { |
| case err != nil: |
| return err |
| case done: |
| return dec.FinishValue() |
| default: |
| var elem Caveat |
| if err := elem.VDLRead(dec); err != nil { |
| return err |
| } |
| *x = append(*x, elem) |
| } |
| } |
| } |
| |
| // Hash identifies a cryptographic hash function approved for use in signature algorithms. |
| type Hash string |
| |
| func (Hash) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.Hash"` |
| }) { |
| } |
| |
| func (x Hash) VDLIsZero() bool { |
| return x == "" |
| } |
| |
| func (x Hash) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.WriteValueString(__VDLType_string_8, string(x)); err != nil { |
| return err |
| } |
| return nil |
| } |
| |
| func (x *Hash) VDLRead(dec vdl.Decoder) error { |
| switch value, err := dec.ReadValueString(); { |
| case err != nil: |
| return err |
| default: |
| *x = Hash(value) |
| } |
| return nil |
| } |
| |
| // Signature represents a digital signature. |
| type Signature struct { |
| // Purpose of the signature. Can be used to prevent type attacks. |
| // (See Section 4.2 of http://www-users.cs.york.ac.uk/~jac/PublishedPapers/reviewV1_1997.pdf for example). |
| // The actual signature (R, S values for ECDSA keys) is produced by signing: Hash(Hash(message), Hash(Purpose)). |
| Purpose []byte |
| // Cryptographic hash function applied to the message before computing the signature. |
| Hash Hash |
| // Pair of integers that make up an ECDSA signature. |
| R []byte |
| S []byte |
| } |
| |
| func (Signature) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.Signature"` |
| }) { |
| } |
| |
| func (x Signature) VDLIsZero() bool { |
| if len(x.Purpose) != 0 { |
| return false |
| } |
| if x.Hash != "" { |
| return false |
| } |
| if len(x.R) != 0 { |
| return false |
| } |
| if len(x.S) != 0 { |
| return false |
| } |
| return true |
| } |
| |
| func (x Signature) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_9); err != nil { |
| return err |
| } |
| if len(x.Purpose) != 0 { |
| if err := enc.NextFieldValueBytes(0, __VDLType_list_4, x.Purpose); err != nil { |
| return err |
| } |
| } |
| if x.Hash != "" { |
| if err := enc.NextFieldValueString(1, __VDLType_string_8, string(x.Hash)); err != nil { |
| return err |
| } |
| } |
| if len(x.R) != 0 { |
| if err := enc.NextFieldValueBytes(2, __VDLType_list_4, x.R); err != nil { |
| return err |
| } |
| } |
| if len(x.S) != 0 { |
| if err := enc.NextFieldValueBytes(3, __VDLType_list_4, x.S); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *Signature) VDLRead(dec vdl.Decoder) error { |
| *x = Signature{} |
| if err := dec.StartValue(__VDLType_struct_9); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_9 { |
| index = __VDLType_struct_9.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| if err := dec.ReadValueBytes(-1, &x.Purpose); err != nil { |
| return err |
| } |
| case 1: |
| switch value, err := dec.ReadValueString(); { |
| case err != nil: |
| return err |
| default: |
| x.Hash = Hash(value) |
| } |
| case 2: |
| if err := dec.ReadValueBytes(-1, &x.R); err != nil { |
| return err |
| } |
| case 3: |
| if err := dec.ReadValueBytes(-1, &x.S); err != nil { |
| return err |
| } |
| } |
| } |
| } |
| |
| // PublicKeyDischarge represents a discharge for third party caveats that |
| // require a signature from a third-party's public key. |
| // |
| // The message digest of this structure is computed as follows: |
| // hash(hash(ThirdPartyCaveatId), hash(Caveats[0]), hash(Caveats[1]), ...), |
| // where hash is a cryptographic hash function with a security strength |
| // equivalent to the strength of the public key of the principal issuing the |
| // discharge. |
| type PublicKeyDischarge struct { |
| ThirdPartyCaveatId string // Id of the third party caveat for which this discharge was issued. |
| Caveats []Caveat // Caveats on the use of this discharge. |
| Signature Signature // Signature of the content hash of this discharge by the discharger. |
| } |
| |
| func (PublicKeyDischarge) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.PublicKeyDischarge"` |
| }) { |
| } |
| |
| func (x PublicKeyDischarge) VDLIsZero() bool { |
| if x.ThirdPartyCaveatId != "" { |
| return false |
| } |
| if len(x.Caveats) != 0 { |
| return false |
| } |
| if !x.Signature.VDLIsZero() { |
| return false |
| } |
| return true |
| } |
| |
| func (x PublicKeyDischarge) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_10); err != nil { |
| return err |
| } |
| if x.ThirdPartyCaveatId != "" { |
| if err := enc.NextFieldValueString(0, vdl.StringType, x.ThirdPartyCaveatId); err != nil { |
| return err |
| } |
| } |
| if len(x.Caveats) != 0 { |
| if err := enc.NextField(1); err != nil { |
| return err |
| } |
| if err := __VDLWriteAnon_list_1(enc, x.Caveats); err != nil { |
| return err |
| } |
| } |
| if !x.Signature.VDLIsZero() { |
| if err := enc.NextField(2); err != nil { |
| return err |
| } |
| if err := x.Signature.VDLWrite(enc); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *PublicKeyDischarge) VDLRead(dec vdl.Decoder) error { |
| *x = PublicKeyDischarge{} |
| if err := dec.StartValue(__VDLType_struct_10); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_10 { |
| index = __VDLType_struct_10.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| switch value, err := dec.ReadValueString(); { |
| case err != nil: |
| return err |
| default: |
| x.ThirdPartyCaveatId = value |
| } |
| case 1: |
| if err := __VDLReadAnon_list_1(dec, &x.Caveats); err != nil { |
| return err |
| } |
| case 2: |
| if err := x.Signature.VDLRead(dec); err != nil { |
| return err |
| } |
| } |
| } |
| } |
| |
| // BlessingPattern is a pattern that is matched by specific blessings. |
| // |
| // A pattern can either be a blessing (slash-separated human-readable string) |
| // or a blessing ending in "/$". A pattern ending in "/$" is matched exactly |
| // by the blessing specified by the pattern string with the "/$" suffix stripped |
| // out. For example, the pattern "a/b/c/$" is matched by exactly by the blessing |
| // "a/b/c". |
| // |
| // A pattern not ending in "/$" is more permissive, and is also matched by blessings |
| // that are extensions of the pattern (including the pattern itself). For example, the |
| // pattern "a/b/c" is matched by the blessings "a/b/c", "a/b/c/x", "a/b/c/x/y", etc. |
| // |
| // TODO(ataly, ashankar): Define a formal BNF grammar for blessings and blessing patterns. |
| type BlessingPattern string |
| |
| func (BlessingPattern) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.BlessingPattern"` |
| }) { |
| } |
| |
| func (x BlessingPattern) VDLIsZero() bool { |
| return x == "" |
| } |
| |
| func (x BlessingPattern) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.WriteValueString(__VDLType_string_11, string(x)); err != nil { |
| return err |
| } |
| return nil |
| } |
| |
| func (x *BlessingPattern) VDLRead(dec vdl.Decoder) error { |
| switch value, err := dec.ReadValueString(); { |
| case err != nil: |
| return err |
| default: |
| *x = BlessingPattern(value) |
| } |
| return nil |
| } |
| |
| // DischargeImpetus encapsulates the motivation for a discharge being sought. |
| // |
| // These values are reported by a principal that is requesting a Discharge for |
| // a third-party caveat on one of its blessings. The third-party issues |
| // discharges cannot safely assume that all these values are provided, or that |
| // they are provided honestly. |
| // |
| // Implementations of services that issue discharges are encouraged to add |
| // caveats to the discharge that bind the discharge to the impetus, thereby |
| // rendering the discharge unsuable for any other purpose. |
| type DischargeImpetus struct { |
| Server []BlessingPattern // The client intends to use the discharge to communicate with a server that has a blessing matching one of the patterns in this set. |
| Method string // Name of the method being invoked by the client. |
| Arguments []*vom.RawBytes // Arguments to the method invocation. |
| } |
| |
| func (DischargeImpetus) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.DischargeImpetus"` |
| }) { |
| } |
| |
| func (x DischargeImpetus) VDLIsZero() bool { |
| if len(x.Server) != 0 { |
| return false |
| } |
| if x.Method != "" { |
| return false |
| } |
| if len(x.Arguments) != 0 { |
| return false |
| } |
| return true |
| } |
| |
| func (x DischargeImpetus) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_12); err != nil { |
| return err |
| } |
| if len(x.Server) != 0 { |
| if err := enc.NextField(0); err != nil { |
| return err |
| } |
| if err := __VDLWriteAnon_list_2(enc, x.Server); err != nil { |
| return err |
| } |
| } |
| if x.Method != "" { |
| if err := enc.NextFieldValueString(1, vdl.StringType, x.Method); err != nil { |
| return err |
| } |
| } |
| if len(x.Arguments) != 0 { |
| if err := enc.NextField(2); err != nil { |
| return err |
| } |
| if err := __VDLWriteAnon_list_3(enc, x.Arguments); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func __VDLWriteAnon_list_2(enc vdl.Encoder, x []BlessingPattern) error { |
| if err := enc.StartValue(__VDLType_list_13); err != nil { |
| return err |
| } |
| if err := enc.SetLenHint(len(x)); err != nil { |
| return err |
| } |
| for _, elem := range x { |
| if err := enc.NextEntryValueString(__VDLType_string_11, string(elem)); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextEntry(true); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func __VDLWriteAnon_list_3(enc vdl.Encoder, x []*vom.RawBytes) error { |
| if err := enc.StartValue(__VDLType_list_14); err != nil { |
| return err |
| } |
| if err := enc.SetLenHint(len(x)); err != nil { |
| return err |
| } |
| for _, elem := range x { |
| if err := enc.NextEntry(false); err != nil { |
| return err |
| } |
| if elem == nil { |
| if err := enc.NilValue(vdl.AnyType); err != nil { |
| return err |
| } |
| } else { |
| if err := elem.VDLWrite(enc); err != nil { |
| return err |
| } |
| } |
| } |
| if err := enc.NextEntry(true); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *DischargeImpetus) VDLRead(dec vdl.Decoder) error { |
| *x = DischargeImpetus{} |
| if err := dec.StartValue(__VDLType_struct_12); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_12 { |
| index = __VDLType_struct_12.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| if err := __VDLReadAnon_list_2(dec, &x.Server); err != nil { |
| return err |
| } |
| case 1: |
| switch value, err := dec.ReadValueString(); { |
| case err != nil: |
| return err |
| default: |
| x.Method = value |
| } |
| case 2: |
| if err := __VDLReadAnon_list_3(dec, &x.Arguments); err != nil { |
| return err |
| } |
| } |
| } |
| } |
| |
| func __VDLReadAnon_list_2(dec vdl.Decoder, x *[]BlessingPattern) error { |
| if err := dec.StartValue(__VDLType_list_13); err != nil { |
| return err |
| } |
| if len := dec.LenHint(); len > 0 { |
| *x = make([]BlessingPattern, 0, len) |
| } else { |
| *x = nil |
| } |
| for { |
| switch done, elem, err := dec.NextEntryValueString(); { |
| case err != nil: |
| return err |
| case done: |
| return dec.FinishValue() |
| default: |
| *x = append(*x, BlessingPattern(elem)) |
| } |
| } |
| } |
| |
| func __VDLReadAnon_list_3(dec vdl.Decoder, x *[]*vom.RawBytes) error { |
| if err := dec.StartValue(__VDLType_list_14); err != nil { |
| return err |
| } |
| if len := dec.LenHint(); len > 0 { |
| *x = make([]*vom.RawBytes, 0, len) |
| } else { |
| *x = nil |
| } |
| for { |
| switch done, err := dec.NextEntry(); { |
| case err != nil: |
| return err |
| case done: |
| return dec.FinishValue() |
| default: |
| var elem *vom.RawBytes |
| elem = new(vom.RawBytes) |
| if err := elem.VDLRead(dec); err != nil { |
| return err |
| } |
| *x = append(*x, elem) |
| } |
| } |
| } |
| |
| // Certificate represents the cryptographic proof of the binding of |
| // extensions of a blessing held by one principal to another (represented by |
| // a public key) under specific caveats. |
| // |
| // For example, if a principal P1 has a blessing "alice", then it can |
| // extend it with a Certificate to generate the blessing "alice/friend" for |
| // another principal P2. |
| type Certificate struct { |
| Extension string // Human-readable string extension bound to PublicKey. |
| PublicKey []byte // DER-encoded PKIX public key. |
| Caveats []Caveat // Caveats on the binding of Name to PublicKey. |
| Signature Signature // Signature by the blessing principal that binds the extension to the public key. |
| } |
| |
| func (Certificate) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.Certificate"` |
| }) { |
| } |
| |
| func (x Certificate) VDLIsZero() bool { |
| if x.Extension != "" { |
| return false |
| } |
| if len(x.PublicKey) != 0 { |
| return false |
| } |
| if len(x.Caveats) != 0 { |
| return false |
| } |
| if !x.Signature.VDLIsZero() { |
| return false |
| } |
| return true |
| } |
| |
| func (x Certificate) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_15); err != nil { |
| return err |
| } |
| if x.Extension != "" { |
| if err := enc.NextFieldValueString(0, vdl.StringType, x.Extension); err != nil { |
| return err |
| } |
| } |
| if len(x.PublicKey) != 0 { |
| if err := enc.NextFieldValueBytes(1, __VDLType_list_4, x.PublicKey); err != nil { |
| return err |
| } |
| } |
| if len(x.Caveats) != 0 { |
| if err := enc.NextField(2); err != nil { |
| return err |
| } |
| if err := __VDLWriteAnon_list_1(enc, x.Caveats); err != nil { |
| return err |
| } |
| } |
| if !x.Signature.VDLIsZero() { |
| if err := enc.NextField(3); err != nil { |
| return err |
| } |
| if err := x.Signature.VDLWrite(enc); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *Certificate) VDLRead(dec vdl.Decoder) error { |
| *x = Certificate{} |
| if err := dec.StartValue(__VDLType_struct_15); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_15 { |
| index = __VDLType_struct_15.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| switch value, err := dec.ReadValueString(); { |
| case err != nil: |
| return err |
| default: |
| x.Extension = value |
| } |
| case 1: |
| if err := dec.ReadValueBytes(-1, &x.PublicKey); err != nil { |
| return err |
| } |
| case 2: |
| if err := __VDLReadAnon_list_1(dec, &x.Caveats); err != nil { |
| return err |
| } |
| case 3: |
| if err := x.Signature.VDLRead(dec); err != nil { |
| return err |
| } |
| } |
| } |
| } |
| |
| // CaveatDescriptor defines an association between a caveat validation function |
| // (addressed by globally unique identifier) and the data needed by the |
| // validation function. |
| // |
| // For a validator to be invoked, a validation function must be registered with |
| // the validator description in the language that the function is defined in. |
| type CaveatDescriptor struct { |
| Id uniqueid.Id // The identifier of the caveat validation function. |
| ParamType *vdl.Type // The type of the parameter expected by the validation function. |
| } |
| |
| func (CaveatDescriptor) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.CaveatDescriptor"` |
| }) { |
| } |
| |
| func (x CaveatDescriptor) VDLIsZero() bool { |
| if x.Id != (uniqueid.Id{}) { |
| return false |
| } |
| if x.ParamType != nil && x.ParamType != vdl.AnyType { |
| return false |
| } |
| return true |
| } |
| |
| func (x CaveatDescriptor) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_16); err != nil { |
| return err |
| } |
| if x.Id != (uniqueid.Id{}) { |
| if err := enc.NextFieldValueBytes(0, __VDLType_array_3, x.Id[:]); err != nil { |
| return err |
| } |
| } |
| if x.ParamType != nil && x.ParamType != vdl.AnyType { |
| if err := enc.NextFieldValueTypeObject(1, x.ParamType); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *CaveatDescriptor) VDLRead(dec vdl.Decoder) error { |
| *x = CaveatDescriptor{ |
| ParamType: vdl.AnyType, |
| } |
| if err := dec.StartValue(__VDLType_struct_16); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_16 { |
| index = __VDLType_struct_16.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| bytes := x.Id[:] |
| if err := dec.ReadValueBytes(16, &bytes); err != nil { |
| return err |
| } |
| case 1: |
| switch value, err := dec.ReadValueTypeObject(); { |
| case err != nil: |
| return err |
| default: |
| x.ParamType = value |
| } |
| } |
| } |
| } |
| |
| // WireBlessings encapsulates wire format of a set of blessings and the |
| // corresponding cryptographic proof that binds them to a principal |
| // (identified by a public key). |
| // |
| // This structure is the "wire" format for sending and receiving blessings |
| // in RPCs or marshaling to persistent storage. Typically, languages will |
| // provide a factory function that converts this wire representation to |
| // a more usable object to inspect and manipulate these blessings. |
| type WireBlessings struct { |
| // CertificateChains is an array of chains of certificates that bind |
| // a blessing to the public key in the last certificate of the chain. |
| CertificateChains [][]Certificate |
| } |
| |
| func (WireBlessings) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.WireBlessings"` |
| }) { |
| } |
| |
| func (x WireBlessings) VDLIsZero() bool { |
| if len(x.CertificateChains) != 0 { |
| return false |
| } |
| return true |
| } |
| |
| func (x WireBlessings) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_17); err != nil { |
| return err |
| } |
| if len(x.CertificateChains) != 0 { |
| if err := enc.NextField(0); err != nil { |
| return err |
| } |
| if err := __VDLWriteAnon_list_4(enc, x.CertificateChains); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func __VDLWriteAnon_list_4(enc vdl.Encoder, x [][]Certificate) error { |
| if err := enc.StartValue(__VDLType_list_18); err != nil { |
| return err |
| } |
| if err := enc.SetLenHint(len(x)); err != nil { |
| return err |
| } |
| for _, elem := range x { |
| if err := enc.NextEntry(false); err != nil { |
| return err |
| } |
| if err := __VDLWriteAnon_list_5(enc, elem); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextEntry(true); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func __VDLWriteAnon_list_5(enc vdl.Encoder, x []Certificate) error { |
| if err := enc.StartValue(__VDLType_list_19); err != nil { |
| return err |
| } |
| if err := enc.SetLenHint(len(x)); err != nil { |
| return err |
| } |
| for _, elem := range x { |
| if err := enc.NextEntry(false); err != nil { |
| return err |
| } |
| if err := elem.VDLWrite(enc); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextEntry(true); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *WireBlessings) VDLRead(dec vdl.Decoder) error { |
| *x = WireBlessings{} |
| if err := dec.StartValue(__VDLType_struct_17); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_17 { |
| index = __VDLType_struct_17.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| if err := __VDLReadAnon_list_4(dec, &x.CertificateChains); err != nil { |
| return err |
| } |
| } |
| } |
| } |
| |
| func __VDLReadAnon_list_4(dec vdl.Decoder, x *[][]Certificate) error { |
| if err := dec.StartValue(__VDLType_list_18); err != nil { |
| return err |
| } |
| if len := dec.LenHint(); len > 0 { |
| *x = make([][]Certificate, 0, len) |
| } else { |
| *x = nil |
| } |
| for { |
| switch done, err := dec.NextEntry(); { |
| case err != nil: |
| return err |
| case done: |
| return dec.FinishValue() |
| default: |
| var elem []Certificate |
| if err := __VDLReadAnon_list_5(dec, &elem); err != nil { |
| return err |
| } |
| *x = append(*x, elem) |
| } |
| } |
| } |
| |
| func __VDLReadAnon_list_5(dec vdl.Decoder, x *[]Certificate) error { |
| if err := dec.StartValue(__VDLType_list_19); err != nil { |
| return err |
| } |
| if len := dec.LenHint(); len > 0 { |
| *x = make([]Certificate, 0, len) |
| } else { |
| *x = nil |
| } |
| for { |
| switch done, err := dec.NextEntry(); { |
| case err != nil: |
| return err |
| case done: |
| return dec.FinishValue() |
| default: |
| var elem Certificate |
| if err := elem.VDLRead(dec); err != nil { |
| return err |
| } |
| *x = append(*x, elem) |
| } |
| } |
| } |
| |
| type ( |
| // WireDischarge represents any single field of the WireDischarge union type. |
| // |
| // WireDischarge encapsulates the wire format of a third-party caveat |
| // Discharge. |
| WireDischarge interface { |
| // Index returns the field index. |
| Index() int |
| // Interface returns the field value as an interface. |
| Interface() interface{} |
| // Name returns the field name. |
| Name() string |
| // __VDLReflect describes the WireDischarge union type. |
| __VDLReflect(__WireDischargeReflect) |
| VDLIsZero() bool |
| VDLWrite(vdl.Encoder) error |
| } |
| // WireDischargePublicKey represents field PublicKey of the WireDischarge union type. |
| WireDischargePublicKey struct{ Value PublicKeyDischarge } // Discharge for PublicKeyThirdPartyCaveat |
| // __WireDischargeReflect describes the WireDischarge union type. |
| __WireDischargeReflect struct { |
| Name string `vdl:"v.io/v23/security.WireDischarge"` |
| Type WireDischarge |
| Union struct { |
| PublicKey WireDischargePublicKey |
| } |
| } |
| ) |
| |
| func (x WireDischargePublicKey) Index() int { return 0 } |
| func (x WireDischargePublicKey) Interface() interface{} { return x.Value } |
| func (x WireDischargePublicKey) Name() string { return "PublicKey" } |
| func (x WireDischargePublicKey) __VDLReflect(__WireDischargeReflect) {} |
| |
| func (x WireDischargePublicKey) VDLIsZero() bool { |
| return x.Value.VDLIsZero() |
| } |
| |
| func (x WireDischargePublicKey) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_union_20); err != nil { |
| return err |
| } |
| if err := enc.NextField(0); err != nil { |
| return err |
| } |
| if err := x.Value.VDLWrite(enc); err != nil { |
| return err |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func VDLReadWireDischarge(dec vdl.Decoder, x *WireDischarge) error { |
| if err := dec.StartValue(__VDLType_union_20); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return fmt.Errorf("missing field in union %T, from %v", x, decType) |
| } |
| if decType != __VDLType_union_20 { |
| name := decType.Field(index).Name |
| index = __VDLType_union_20.FieldIndexByName(name) |
| if index == -1 { |
| return fmt.Errorf("field %q not in union %T, from %v", name, x, decType) |
| } |
| } |
| switch index { |
| case 0: |
| var field WireDischargePublicKey |
| if err := field.Value.VDLRead(dec); err != nil { |
| return err |
| } |
| *x = field |
| } |
| switch index, err := dec.NextField(); { |
| case err != nil: |
| return err |
| case index != -1: |
| return fmt.Errorf("extra field %d in union %T, from %v", index, x, dec.Type()) |
| } |
| return dec.FinishValue() |
| } |
| |
| // RejectedBlessing describes why a blessing failed validation. |
| type RejectedBlessing struct { |
| Blessing string |
| Err error |
| } |
| |
| func (RejectedBlessing) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.RejectedBlessing"` |
| }) { |
| } |
| |
| func (x RejectedBlessing) VDLIsZero() bool { |
| return x == RejectedBlessing{} |
| } |
| |
| func (x RejectedBlessing) VDLWrite(enc vdl.Encoder) error { |
| if err := enc.StartValue(__VDLType_struct_21); err != nil { |
| return err |
| } |
| if x.Blessing != "" { |
| if err := enc.NextFieldValueString(0, vdl.StringType, x.Blessing); err != nil { |
| return err |
| } |
| } |
| if x.Err != nil { |
| if err := enc.NextField(1); err != nil { |
| return err |
| } |
| if err := verror.VDLWrite(enc, x.Err); err != nil { |
| return err |
| } |
| } |
| if err := enc.NextField(-1); err != nil { |
| return err |
| } |
| return enc.FinishValue() |
| } |
| |
| func (x *RejectedBlessing) VDLRead(dec vdl.Decoder) error { |
| *x = RejectedBlessing{} |
| if err := dec.StartValue(__VDLType_struct_21); err != nil { |
| return err |
| } |
| decType := dec.Type() |
| for { |
| index, err := dec.NextField() |
| switch { |
| case err != nil: |
| return err |
| case index == -1: |
| return dec.FinishValue() |
| } |
| if decType != __VDLType_struct_21 { |
| index = __VDLType_struct_21.FieldIndexByName(decType.Field(index).Name) |
| if index == -1 { |
| if err := dec.SkipValue(); err != nil { |
| return err |
| } |
| continue |
| } |
| } |
| switch index { |
| case 0: |
| switch value, err := dec.ReadValueString(); { |
| case err != nil: |
| return err |
| default: |
| x.Blessing = value |
| } |
| case 1: |
| if err := verror.VDLRead(dec, &x.Err); err != nil { |
| return err |
| } |
| } |
| } |
| } |
| |
| // Type-check native conversion functions. |
| var ( |
| _ func(WireBlessings, *Blessings) error = WireBlessingsToNative |
| _ func(*WireBlessings, Blessings) error = WireBlessingsFromNative |
| _ func(WireDischarge, *Discharge) error = WireDischargeToNative |
| _ func(*WireDischarge, Discharge) error = WireDischargeFromNative |
| ) |
| |
| ////////////////////////////////////////////////// |
| // Const definitions |
| |
| // ConstCaveat represents a caveat that either always validates or never validates. |
| var ConstCaveat = CaveatDescriptor{ |
| ParamType: vdl.BoolType, |
| } |
| |
| // ExpiryCaveat represents a caveat that validates iff the current time is no later |
| // the specified time.Time. |
| var ExpiryCaveat = CaveatDescriptor{ |
| Id: uniqueid.Id{ |
| 166, |
| 76, |
| 45, |
| 1, |
| 25, |
| 251, |
| 163, |
| 52, |
| 128, |
| 113, |
| 254, |
| 235, |
| 47, |
| 48, |
| 128, |
| 0, |
| }, |
| ParamType: __VDLType_struct_22, |
| } |
| |
| // MethodCaveat represents a caveat that validates iff the method being |
| // invoked is included in this list. An empty list implies that the caveat is invalid. |
| var MethodCaveat = CaveatDescriptor{ |
| Id: uniqueid.Id{ |
| 84, |
| 166, |
| 118, |
| 57, |
| 129, |
| 55, |
| 24, |
| 126, |
| 205, |
| 178, |
| 109, |
| 45, |
| 105, |
| 186, |
| 0, |
| 3, |
| }, |
| ParamType: __VDLType_list_23, |
| } |
| var PublicKeyThirdPartyCaveat = CaveatDescriptor{ |
| Id: uniqueid.Id{ |
| 121, |
| 114, |
| 206, |
| 23, |
| 74, |
| 123, |
| 169, |
| 63, |
| 121, |
| 84, |
| 125, |
| 118, |
| 156, |
| 145, |
| 128, |
| 0, |
| }, |
| ParamType: __VDLType_struct_6, |
| } |
| |
| // PeerBlessingsCaveat represents a caveat that validates iff the peer being communicated |
| // with (local end of the call) has a blessing name matching at least one of the patterns |
| // in the list. An empty list implies that the caveat is invalid. |
| var PeerBlessingsCaveat = CaveatDescriptor{ |
| Id: uniqueid.Id{ |
| 5, |
| 119, |
| 248, |
| 86, |
| 76, |
| 142, |
| 95, |
| 254, |
| 255, |
| 142, |
| 43, |
| 31, |
| 77, |
| 109, |
| 128, |
| 0, |
| }, |
| ParamType: __VDLType_list_13, |
| } |
| |
| // NoExtension is an optional terminator for a blessing pattern indicating that the pattern |
| // cannot match any extensions of the blessing from that point onwards. |
| const NoExtension = BlessingPattern("$") |
| |
| // TODO(ataly, ashankar): The semantics of AllPrincipals breaks monotonicity in |
| // AccessLists with NotIn clauses. For instance, the AccessList "In: {AllPrincipals}, NotIn: {"foo"} |
| // matches the principal that presents no recognizable blessings ([]) however does not |
| // match the principal that presents "foo" as the only recognizable blessings (["foo"]) |
| // We need to sort this out. |
| const AllPrincipals = BlessingPattern("...") // Glob pattern that matches all blessings. |
| const ChainSeparator = ":" // ChainSeparator joins blessing names to form a blessing chain name. |
| const SHA1Hash = Hash("SHA1") // SHA1 cryptographic hash function defined in RFC3174. |
| const SHA256Hash = Hash("SHA256") // SHA256 cryptographic hash function defined in FIPS 180-4. |
| const SHA384Hash = Hash("SHA384") // SHA384 cryptographic hash function defined in FIPS 180-2. |
| const SHA512Hash = Hash("SHA512") // SHA512 cryptographic hash function defined in FIPS 180-2. |
| const SignatureForMessageSigning = "S1" // Signature.Purpose used by a Principal to sign arbitrary messages. |
| const SignatureForBlessingCertificates = "B1" // Signature.Purpose used by a Principal when signing Certificates for creating blessings. |
| const SignatureForDischarge = "D1" // Signature.Purpose used by a Principal when signing discharges for public-key based third-party caveats. |
| |
| ////////////////////////////////////////////////// |
| // Error definitions |
| |
| var ( |
| ErrCaveatNotRegistered = verror.Register("v.io/v23/security.CaveatNotRegistered", verror.NoRetry, "{1:}{2:} no validation function registered for caveat id {3}") |
| ErrCaveatParamAny = verror.Register("v.io/v23/security.CaveatParamAny", verror.NoRetry, "{1:}{2:} caveat {3} uses illegal param type any") |
| ErrCaveatParamTypeMismatch = verror.Register("v.io/v23/security.CaveatParamTypeMismatch", verror.NoRetry, "{1:}{2:} bad param type: caveat {3} got {4}, want {5}") |
| ErrCaveatParamCoding = verror.Register("v.io/v23/security.CaveatParamCoding", verror.NoRetry, "{1:}{2:} unable to encode/decode caveat param(type={4}) for caveat {3}: {5}") |
| ErrCaveatValidation = verror.Register("v.io/v23/security.CaveatValidation", verror.NoRetry, "{1:}{2:} caveat validation failed: {3}") |
| ErrConstCaveatValidation = verror.Register("v.io/v23/security.ConstCaveatValidation", verror.NoRetry, "{1:}{2:} false const caveat always fails validation") |
| ErrExpiryCaveatValidation = verror.Register("v.io/v23/security.ExpiryCaveatValidation", verror.NoRetry, "{1:}{2:} now({3}) is after expiry({4})") |
| ErrMethodCaveatValidation = verror.Register("v.io/v23/security.MethodCaveatValidation", verror.NoRetry, "{1:}{2:} method {3} not in list {4}") |
| ErrPeerBlessingsCaveatValidation = verror.Register("v.io/v23/security.PeerBlessingsCaveatValidation", verror.NoRetry, "{1:}{2:} patterns in peer blessings caveat {4} not matched by the peer {3}") |
| ErrUnrecognizedRoot = verror.Register("v.io/v23/security.UnrecognizedRoot", verror.NoRetry, "{1:}{2:} unrecognized public key {3} in root certificate{:4}") |
| ErrAuthorizationFailed = verror.Register("v.io/v23/security.AuthorizationFailed", verror.NoRetry, "{1:}{2:} principal with blessings {3} (rejected {4}) is not authorized by principal with blessings {5}") |
| ErrInvalidSigningBlessingCaveat = verror.Register("v.io/v23/security.InvalidSigningBlessingCaveat", verror.NoRetry, "{1:}{2:} blessing has caveat with UUID {3} which makes it unsuitable for signing -- please use blessings with just Expiry caveats") |
| ErrPublicKeyNotAllowed = verror.Register("v.io/v23/security.PublicKeyNotAllowed", verror.NoRetry, "{1:}{2:} peer has public key {3}, not the authorized public key {4}") |
| ErrEndpointAuthorizationFailed = verror.Register("v.io/v23/security.EndpointAuthorizationFailed", verror.NoRetry, "{1:}{2:} blessings in endpoint {3} not matched by blessings presented: {4} (rejected {5})") |
| ) |
| |
| // NewErrCaveatNotRegistered returns an error with the ErrCaveatNotRegistered ID. |
| func NewErrCaveatNotRegistered(ctx *context.T, id uniqueid.Id) error { |
| return verror.New(ErrCaveatNotRegistered, ctx, id) |
| } |
| |
| // NewErrCaveatParamAny returns an error with the ErrCaveatParamAny ID. |
| func NewErrCaveatParamAny(ctx *context.T, id uniqueid.Id) error { |
| return verror.New(ErrCaveatParamAny, ctx, id) |
| } |
| |
| // NewErrCaveatParamTypeMismatch returns an error with the ErrCaveatParamTypeMismatch ID. |
| func NewErrCaveatParamTypeMismatch(ctx *context.T, id uniqueid.Id, got *vdl.Type, want *vdl.Type) error { |
| return verror.New(ErrCaveatParamTypeMismatch, ctx, id, got, want) |
| } |
| |
| // NewErrCaveatParamCoding returns an error with the ErrCaveatParamCoding ID. |
| func NewErrCaveatParamCoding(ctx *context.T, id uniqueid.Id, typ *vdl.Type, err error) error { |
| return verror.New(ErrCaveatParamCoding, ctx, id, typ, err) |
| } |
| |
| // NewErrCaveatValidation returns an error with the ErrCaveatValidation ID. |
| func NewErrCaveatValidation(ctx *context.T, err error) error { |
| return verror.New(ErrCaveatValidation, ctx, err) |
| } |
| |
| // NewErrConstCaveatValidation returns an error with the ErrConstCaveatValidation ID. |
| func NewErrConstCaveatValidation(ctx *context.T) error { |
| return verror.New(ErrConstCaveatValidation, ctx) |
| } |
| |
| // NewErrExpiryCaveatValidation returns an error with the ErrExpiryCaveatValidation ID. |
| func NewErrExpiryCaveatValidation(ctx *context.T, currentTime time.Time, expiryTime time.Time) error { |
| return verror.New(ErrExpiryCaveatValidation, ctx, currentTime, expiryTime) |
| } |
| |
| // NewErrMethodCaveatValidation returns an error with the ErrMethodCaveatValidation ID. |
| func NewErrMethodCaveatValidation(ctx *context.T, invokedMethod string, permittedMethods []string) error { |
| return verror.New(ErrMethodCaveatValidation, ctx, invokedMethod, permittedMethods) |
| } |
| |
| // NewErrPeerBlessingsCaveatValidation returns an error with the ErrPeerBlessingsCaveatValidation ID. |
| func NewErrPeerBlessingsCaveatValidation(ctx *context.T, peerBlessings []string, permittedPatterns []BlessingPattern) error { |
| return verror.New(ErrPeerBlessingsCaveatValidation, ctx, peerBlessings, permittedPatterns) |
| } |
| |
| // NewErrUnrecognizedRoot returns an error with the ErrUnrecognizedRoot ID. |
| func NewErrUnrecognizedRoot(ctx *context.T, rootKey string, details error) error { |
| return verror.New(ErrUnrecognizedRoot, ctx, rootKey, details) |
| } |
| |
| // NewErrAuthorizationFailed returns an error with the ErrAuthorizationFailed ID. |
| func NewErrAuthorizationFailed(ctx *context.T, remote []string, remoteErr []RejectedBlessing, local []string) error { |
| return verror.New(ErrAuthorizationFailed, ctx, remote, remoteErr, local) |
| } |
| |
| // NewErrInvalidSigningBlessingCaveat returns an error with the ErrInvalidSigningBlessingCaveat ID. |
| func NewErrInvalidSigningBlessingCaveat(ctx *context.T, id uniqueid.Id) error { |
| return verror.New(ErrInvalidSigningBlessingCaveat, ctx, id) |
| } |
| |
| // NewErrPublicKeyNotAllowed returns an error with the ErrPublicKeyNotAllowed ID. |
| func NewErrPublicKeyNotAllowed(ctx *context.T, got string, want string) error { |
| return verror.New(ErrPublicKeyNotAllowed, ctx, got, want) |
| } |
| |
| // NewErrEndpointAuthorizationFailed returns an error with the ErrEndpointAuthorizationFailed ID. |
| func NewErrEndpointAuthorizationFailed(ctx *context.T, endpoint string, remote []string, rejected []RejectedBlessing) error { |
| return verror.New(ErrEndpointAuthorizationFailed, ctx, endpoint, remote, rejected) |
| } |
| |
| // Hold type definitions in package-level variables, for better performance. |
| var ( |
| __VDLType_array_1 *vdl.Type |
| __VDLType_struct_2 *vdl.Type |
| __VDLType_array_3 *vdl.Type |
| __VDLType_list_4 *vdl.Type |
| __VDLType_struct_5 *vdl.Type |
| __VDLType_struct_6 *vdl.Type |
| __VDLType_list_7 *vdl.Type |
| __VDLType_string_8 *vdl.Type |
| __VDLType_struct_9 *vdl.Type |
| __VDLType_struct_10 *vdl.Type |
| __VDLType_string_11 *vdl.Type |
| __VDLType_struct_12 *vdl.Type |
| __VDLType_list_13 *vdl.Type |
| __VDLType_list_14 *vdl.Type |
| __VDLType_struct_15 *vdl.Type |
| __VDLType_struct_16 *vdl.Type |
| __VDLType_struct_17 *vdl.Type |
| __VDLType_list_18 *vdl.Type |
| __VDLType_list_19 *vdl.Type |
| __VDLType_union_20 *vdl.Type |
| __VDLType_struct_21 *vdl.Type |
| __VDLType_struct_22 *vdl.Type |
| __VDLType_list_23 *vdl.Type |
| ) |
| |
| var __VDLInitCalled bool |
| |
| // __VDLInit performs vdl initialization. It is safe to call multiple times. |
| // If you have an init ordering issue, just insert the following line verbatim |
| // into your source files in this package, right after the "package foo" clause: |
| // |
| // var _ = __VDLInit() |
| // |
| // The purpose of this function is to ensure that vdl initialization occurs in |
| // the right order, and very early in the init sequence. In particular, vdl |
| // registration and package variable initialization needs to occur before |
| // functions like vdl.TypeOf will work properly. |
| // |
| // This function returns a dummy value, so that it can be used to initialize the |
| // first var in the file, to take advantage of Go's defined init order. |
| func __VDLInit() struct{} { |
| if __VDLInitCalled { |
| return struct{}{} |
| } |
| __VDLInitCalled = true |
| |
| // Register native type conversions first, so that vdl.TypeOf works. |
| vdl.RegisterNative(WireBlessingsToNative, WireBlessingsFromNative) |
| vdl.RegisterNative(WireDischargeToNative, WireDischargeFromNative) |
| |
| // Register types. |
| vdl.Register((*nonce)(nil)) |
| vdl.Register((*Caveat)(nil)) |
| vdl.Register((*ThirdPartyRequirements)(nil)) |
| vdl.Register((*publicKeyThirdPartyCaveatParam)(nil)) |
| vdl.Register((*Hash)(nil)) |
| vdl.Register((*Signature)(nil)) |
| vdl.Register((*PublicKeyDischarge)(nil)) |
| vdl.Register((*BlessingPattern)(nil)) |
| vdl.Register((*DischargeImpetus)(nil)) |
| vdl.Register((*Certificate)(nil)) |
| vdl.Register((*CaveatDescriptor)(nil)) |
| vdl.Register((*WireBlessings)(nil)) |
| vdl.Register((*WireDischarge)(nil)) |
| vdl.Register((*RejectedBlessing)(nil)) |
| |
| // Initialize type definitions. |
| __VDLType_array_1 = vdl.TypeOf((*nonce)(nil)) |
| __VDLType_struct_2 = vdl.TypeOf((*Caveat)(nil)).Elem() |
| __VDLType_array_3 = vdl.TypeOf((*uniqueid.Id)(nil)) |
| __VDLType_list_4 = vdl.TypeOf((*[]byte)(nil)) |
| __VDLType_struct_5 = vdl.TypeOf((*ThirdPartyRequirements)(nil)).Elem() |
| __VDLType_struct_6 = vdl.TypeOf((*publicKeyThirdPartyCaveatParam)(nil)).Elem() |
| __VDLType_list_7 = vdl.TypeOf((*[]Caveat)(nil)) |
| __VDLType_string_8 = vdl.TypeOf((*Hash)(nil)) |
| __VDLType_struct_9 = vdl.TypeOf((*Signature)(nil)).Elem() |
| __VDLType_struct_10 = vdl.TypeOf((*PublicKeyDischarge)(nil)).Elem() |
| __VDLType_string_11 = vdl.TypeOf((*BlessingPattern)(nil)) |
| __VDLType_struct_12 = vdl.TypeOf((*DischargeImpetus)(nil)).Elem() |
| __VDLType_list_13 = vdl.TypeOf((*[]BlessingPattern)(nil)) |
| __VDLType_list_14 = vdl.TypeOf((*[]*vom.RawBytes)(nil)) |
| __VDLType_struct_15 = vdl.TypeOf((*Certificate)(nil)).Elem() |
| __VDLType_struct_16 = vdl.TypeOf((*CaveatDescriptor)(nil)).Elem() |
| __VDLType_struct_17 = vdl.TypeOf((*WireBlessings)(nil)).Elem() |
| __VDLType_list_18 = vdl.TypeOf((*[][]Certificate)(nil)) |
| __VDLType_list_19 = vdl.TypeOf((*[]Certificate)(nil)) |
| __VDLType_union_20 = vdl.TypeOf((*WireDischarge)(nil)) |
| __VDLType_struct_21 = vdl.TypeOf((*RejectedBlessing)(nil)).Elem() |
| __VDLType_struct_22 = vdl.TypeOf((*vdltime.Time)(nil)).Elem() |
| __VDLType_list_23 = vdl.TypeOf((*[]string)(nil)) |
| |
| // Set error format strings. |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatNotRegistered.ID), "{1:}{2:} no validation function registered for caveat id {3}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamAny.ID), "{1:}{2:} caveat {3} uses illegal param type any") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamTypeMismatch.ID), "{1:}{2:} bad param type: caveat {3} got {4}, want {5}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamCoding.ID), "{1:}{2:} unable to encode/decode caveat param(type={4}) for caveat {3}: {5}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatValidation.ID), "{1:}{2:} caveat validation failed: {3}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrConstCaveatValidation.ID), "{1:}{2:} false const caveat always fails validation") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrExpiryCaveatValidation.ID), "{1:}{2:} now({3}) is after expiry({4})") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrMethodCaveatValidation.ID), "{1:}{2:} method {3} not in list {4}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrPeerBlessingsCaveatValidation.ID), "{1:}{2:} patterns in peer blessings caveat {4} not matched by the peer {3}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrUnrecognizedRoot.ID), "{1:}{2:} unrecognized public key {3} in root certificate{:4}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrAuthorizationFailed.ID), "{1:}{2:} principal with blessings {3} (rejected {4}) is not authorized by principal with blessings {5}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrInvalidSigningBlessingCaveat.ID), "{1:}{2:} blessing has caveat with UUID {3} which makes it unsuitable for signing -- please use blessings with just Expiry caveats") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrPublicKeyNotAllowed.ID), "{1:}{2:} peer has public key {3}, not the authorized public key {4}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrEndpointAuthorizationFailed.ID), "{1:}{2:} blessings in endpoint {3} not matched by blessings presented: {4} (rejected {5})") |
| |
| return struct{}{} |
| } |