| // Copyright 2015 The Vanadium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| // This file was auto-generated by the vanadium vdl tool. |
| // Source: caveat.vdl |
| |
| package security |
| |
| import ( |
| // VDL system imports |
| "v.io/v23/context" |
| "v.io/v23/i18n" |
| "v.io/v23/vdl" |
| "v.io/v23/verror" |
| |
| // VDL user imports |
| "time" |
| "v.io/v23/uniqueid" |
| _ "v.io/v23/vdlroot/time" |
| ) |
| |
| type nonce [16]byte |
| |
| func (nonce) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.nonce"` |
| }) { |
| } |
| |
| // publicKeyThirdPartyCaveatParam represents a third-party caveat that requires |
| // discharges to be issued by a principal identified by a public key. |
| // |
| // The Id of the caveat is base64-encoded: |
| // hash(hash(Nonce), hash(DischargerKey), hash(Caveats[0]), hash(Caveats[1]), ...) |
| // where hash is a cryptographic hash function with a security strength |
| // equivalent to that of the DischargerKey. For example, if DischargerKey |
| // represents an ECDSA public key with the P384 curve, then hash should be |
| // SHA384. |
| type publicKeyThirdPartyCaveatParam struct { |
| // Nonce specifies a cryptographically random nonce associated with an |
| // instance of the caveat. This prevents discharge replays, where |
| // discharges for ThirdPartyCaveats embedded in the certificates for |
| // one blessing can be used for another blessing. |
| // |
| // Whether discharge re-use is a desired or un-desired property is |
| // still under debate. Till the debate is settled, we err on the side |
| // of discouraging re-use. |
| Nonce nonce |
| // Caveats specifies the caveats that have to be validated |
| // before minting a discharge for a publicKeyCaveat. |
| Caveats []Caveat |
| // DER-encoded PKIX public key of the principal that can issue discharges. |
| DischargerKey []byte |
| // Object name where the third-party that can issue discharges can be found. |
| DischargerLocation string |
| // Information required by the third-party in order to issue a discharge. |
| DischargerRequirements ThirdPartyRequirements |
| } |
| |
| func (publicKeyThirdPartyCaveatParam) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.publicKeyThirdPartyCaveatParam"` |
| }) { |
| } |
| |
| // publicKeyDischarge represents the discharge issued for publicKeyThirdPartyCaveatParams. |
| // |
| // The message digest of this structure is computed as follows: |
| // hash(hash(ThirdPartyCaveatId), hash(Caveats[0]), hash(Caveats[1]), ...), |
| // where hash is a cryptographic hash function with a security strength equivalent to the |
| // strength of the public key of the principal issuing the discharge. |
| type publicKeyDischarge struct { |
| ThirdPartyCaveatId string // Id of the third party caveat for which this discharge was issued. |
| Caveats []Caveat // Caveats on the use of this discharge. |
| Signature Signature // Signature of the content hash of this discharge by the discharger. |
| } |
| |
| func (publicKeyDischarge) __VDLReflect(struct { |
| Name string `vdl:"v.io/v23/security.publicKeyDischarge"` |
| }) { |
| } |
| |
| func init() { |
| vdl.Register((*nonce)(nil)) |
| vdl.Register((*publicKeyThirdPartyCaveatParam)(nil)) |
| vdl.Register((*publicKeyDischarge)(nil)) |
| } |
| |
| // ConstCaveat represents a caveat that either always validates or never validates. |
| var ConstCaveat = CaveatDescriptor{ |
| ParamType: vdl.TypeOf(false), |
| } |
| |
| // ExpiryCaveat represents a caveat that validates iff the current time is no later |
| // the specified time.Time. |
| var ExpiryCaveat = CaveatDescriptor{ |
| Id: uniqueid.Id{ |
| 166, |
| 76, |
| 45, |
| 1, |
| 25, |
| 251, |
| 163, |
| 52, |
| 128, |
| 113, |
| 254, |
| 235, |
| 47, |
| 48, |
| 128, |
| 0, |
| }, |
| ParamType: vdl.TypeOf(time.Time{}), |
| } |
| |
| // MethodCaveat represents a caveat that validates iff the method being |
| // invoked is included in this list. An empty list implies that the caveat is invalid. |
| var MethodCaveat = CaveatDescriptor{ |
| Id: uniqueid.Id{ |
| 84, |
| 166, |
| 118, |
| 57, |
| 129, |
| 55, |
| 24, |
| 126, |
| 205, |
| 178, |
| 109, |
| 45, |
| 105, |
| 186, |
| 0, |
| 3, |
| }, |
| ParamType: vdl.TypeOf([]string(nil)), |
| } |
| |
| var PublicKeyThirdPartyCaveat = CaveatDescriptor{ |
| Id: uniqueid.Id{ |
| 121, |
| 114, |
| 206, |
| 23, |
| 74, |
| 123, |
| 169, |
| 63, |
| 121, |
| 84, |
| 125, |
| 118, |
| 156, |
| 145, |
| 128, |
| 0, |
| }, |
| ParamType: vdl.TypeOf(publicKeyThirdPartyCaveatParam{}), |
| } |
| |
| // PeerBlessingsCaveat represents a caveat that validates iff the peer being communicated |
| // with (local end of the call) has a blessing name matching at least one of the patterns |
| // in the list. An empty list implies that the caveat is invalid. |
| var PeerBlessingsCaveat = CaveatDescriptor{ |
| Id: uniqueid.Id{ |
| 5, |
| 119, |
| 248, |
| 86, |
| 76, |
| 142, |
| 95, |
| 254, |
| 255, |
| 142, |
| 43, |
| 31, |
| 77, |
| 109, |
| 128, |
| 0, |
| }, |
| ParamType: vdl.TypeOf([]BlessingPattern(nil)), |
| } |
| |
| var ( |
| ErrCaveatNotRegistered = verror.Register("v.io/v23/security.CaveatNotRegistered", verror.NoRetry, "{1:}{2:} no validation function registered for caveat id {3}") |
| ErrCaveatParamAny = verror.Register("v.io/v23/security.CaveatParamAny", verror.NoRetry, "{1:}{2:} caveat {3} uses illegal param type any") |
| ErrCaveatParamTypeMismatch = verror.Register("v.io/v23/security.CaveatParamTypeMismatch", verror.NoRetry, "{1:}{2:} bad param type: caveat {3} got {4}, want {5}") |
| ErrCaveatParamCoding = verror.Register("v.io/v23/security.CaveatParamCoding", verror.NoRetry, "{1:}{2:} unable to encode/decode caveat param(type={4}) for caveat {3}: {5}") |
| ErrCaveatValidation = verror.Register("v.io/v23/security.CaveatValidation", verror.NoRetry, "{1:}{2:} caveat validation failed: {3}") |
| ErrConstCaveatValidation = verror.Register("v.io/v23/security.ConstCaveatValidation", verror.NoRetry, "{1:}{2:} false const caveat always fails validation") |
| ErrExpiryCaveatValidation = verror.Register("v.io/v23/security.ExpiryCaveatValidation", verror.NoRetry, "{1:}{2:} now({3}) is after expiry({4})") |
| ErrMethodCaveatValidation = verror.Register("v.io/v23/security.MethodCaveatValidation", verror.NoRetry, "{1:}{2:} method {3} not in list {4}") |
| ErrPeerBlessingsCaveatValidation = verror.Register("v.io/v23/security.PeerBlessingsCaveatValidation", verror.NoRetry, "{1:}{2:} patterns in peer blessings caveat {4} not matched by the peer {3}") |
| ) |
| |
| func init() { |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatNotRegistered.ID), "{1:}{2:} no validation function registered for caveat id {3}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamAny.ID), "{1:}{2:} caveat {3} uses illegal param type any") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamTypeMismatch.ID), "{1:}{2:} bad param type: caveat {3} got {4}, want {5}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamCoding.ID), "{1:}{2:} unable to encode/decode caveat param(type={4}) for caveat {3}: {5}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatValidation.ID), "{1:}{2:} caveat validation failed: {3}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrConstCaveatValidation.ID), "{1:}{2:} false const caveat always fails validation") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrExpiryCaveatValidation.ID), "{1:}{2:} now({3}) is after expiry({4})") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrMethodCaveatValidation.ID), "{1:}{2:} method {3} not in list {4}") |
| i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrPeerBlessingsCaveatValidation.ID), "{1:}{2:} patterns in peer blessings caveat {4} not matched by the peer {3}") |
| } |
| |
| // NewErrCaveatNotRegistered returns an error with the ErrCaveatNotRegistered ID. |
| func NewErrCaveatNotRegistered(ctx *context.T, id uniqueid.Id) error { |
| return verror.New(ErrCaveatNotRegistered, ctx, id) |
| } |
| |
| // NewErrCaveatParamAny returns an error with the ErrCaveatParamAny ID. |
| func NewErrCaveatParamAny(ctx *context.T, id uniqueid.Id) error { |
| return verror.New(ErrCaveatParamAny, ctx, id) |
| } |
| |
| // NewErrCaveatParamTypeMismatch returns an error with the ErrCaveatParamTypeMismatch ID. |
| func NewErrCaveatParamTypeMismatch(ctx *context.T, id uniqueid.Id, got *vdl.Type, want *vdl.Type) error { |
| return verror.New(ErrCaveatParamTypeMismatch, ctx, id, got, want) |
| } |
| |
| // NewErrCaveatParamCoding returns an error with the ErrCaveatParamCoding ID. |
| func NewErrCaveatParamCoding(ctx *context.T, id uniqueid.Id, typ *vdl.Type, err error) error { |
| return verror.New(ErrCaveatParamCoding, ctx, id, typ, err) |
| } |
| |
| // NewErrCaveatValidation returns an error with the ErrCaveatValidation ID. |
| func NewErrCaveatValidation(ctx *context.T, err error) error { |
| return verror.New(ErrCaveatValidation, ctx, err) |
| } |
| |
| // NewErrConstCaveatValidation returns an error with the ErrConstCaveatValidation ID. |
| func NewErrConstCaveatValidation(ctx *context.T) error { |
| return verror.New(ErrConstCaveatValidation, ctx) |
| } |
| |
| // NewErrExpiryCaveatValidation returns an error with the ErrExpiryCaveatValidation ID. |
| func NewErrExpiryCaveatValidation(ctx *context.T, currentTime time.Time, expiryTime time.Time) error { |
| return verror.New(ErrExpiryCaveatValidation, ctx, currentTime, expiryTime) |
| } |
| |
| // NewErrMethodCaveatValidation returns an error with the ErrMethodCaveatValidation ID. |
| func NewErrMethodCaveatValidation(ctx *context.T, invokedMethod string, permittedMethods []string) error { |
| return verror.New(ErrMethodCaveatValidation, ctx, invokedMethod, permittedMethods) |
| } |
| |
| // NewErrPeerBlessingsCaveatValidation returns an error with the ErrPeerBlessingsCaveatValidation ID. |
| func NewErrPeerBlessingsCaveatValidation(ctx *context.T, peerBlessings []string, permittedPatterns []BlessingPattern) error { |
| return verror.New(ErrPeerBlessingsCaveatValidation, ctx, peerBlessings, permittedPatterns) |
| } |