Google Git
Sign in
vanadium / release.go.v23 / f08fb01d852add04446d671ca7def9b00be71afe / . / security / caveat.vdl.go
blob: 513faa69e75b9c0accc67c25c333b5f87435e945 [file] [log] [blame]
// Copyright 2015 The Vanadium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// This file was auto-generated by the vanadium vdl tool.
// Source: caveat.vdl
package security
import (
// VDL system imports
"v.io/v23/context"
"v.io/v23/i18n"
"v.io/v23/vdl"
"v.io/v23/verror"
// VDL user imports
"time"
"v.io/v23/uniqueid"
_ "v.io/v23/vdlroot/time"
)
type nonce [16]byte
func (nonce) __VDLReflect(struct {
Name string `vdl:"v.io/v23/security.nonce"`
}) {
}
// publicKeyThirdPartyCaveatParam represents a third-party caveat that requires
// discharges to be issued by a principal identified by a public key.
//
// The Id of the caveat is base64-encoded:
// hash(hash(Nonce), hash(DischargerKey), hash(Caveats[0]), hash(Caveats[1]), ...)
// where hash is a cryptographic hash function with a security strength
// equivalent to that of the DischargerKey. For example, if DischargerKey
// represents an ECDSA public key with the P384 curve, then hash should be
// SHA384.
type publicKeyThirdPartyCaveatParam struct {
// Nonce specifies a cryptographically random nonce associated with an
// instance of the caveat. This prevents discharge replays, where
// discharges for ThirdPartyCaveats embedded in the certificates for
// one blessing can be used for another blessing.
//
// Whether discharge re-use is a desired or un-desired property is
// still under debate. Till the debate is settled, we err on the side
// of discouraging re-use.
Nonce nonce
// Caveats specifies the caveats that have to be validated
// before minting a discharge for a publicKeyCaveat.
Caveats []Caveat
// DER-encoded PKIX public key of the principal that can issue discharges.
DischargerKey []byte
// Object name where the third-party that can issue discharges can be found.
DischargerLocation string
// Information required by the third-party in order to issue a discharge.
DischargerRequirements ThirdPartyRequirements
}
func (publicKeyThirdPartyCaveatParam) __VDLReflect(struct {
Name string `vdl:"v.io/v23/security.publicKeyThirdPartyCaveatParam"`
}) {
}
// publicKeyDischarge represents the discharge issued for publicKeyThirdPartyCaveatParams.
//
// The message digest of this structure is computed as follows:
// hash(hash(ThirdPartyCaveatId), hash(Caveats[0]), hash(Caveats[1]), ...),
// where hash is a cryptographic hash function with a security strength equivalent to the
// strength of the public key of the principal issuing the discharge.
type publicKeyDischarge struct {
ThirdPartyCaveatId string // Id of the third party caveat for which this discharge was issued.
Caveats []Caveat // Caveats on the use of this discharge.
Signature Signature // Signature of the content hash of this discharge by the discharger.
}
func (publicKeyDischarge) __VDLReflect(struct {
Name string `vdl:"v.io/v23/security.publicKeyDischarge"`
}) {
}
func init() {
vdl.Register((*nonce)(nil))
vdl.Register((*publicKeyThirdPartyCaveatParam)(nil))
vdl.Register((*publicKeyDischarge)(nil))
}
// ConstCaveat represents a caveat that either always validates or never validates.
var ConstCaveat = CaveatDescriptor{
ParamType: vdl.TypeOf(false),
}
// ExpiryCaveat represents a caveat that validates iff the current time is no later
// the specified time.Time.
var ExpiryCaveat = CaveatDescriptor{
Id: uniqueid.Id{
166,
76,
45,
1,
25,
251,
163,
52,
128,
113,
254,
235,
47,
48,
128,
0,
},
ParamType: vdl.TypeOf(time.Time{}),
}
// MethodCaveat represents a caveat that validates iff the method being
// invoked is included in this list. An empty list implies that the caveat is invalid.
var MethodCaveat = CaveatDescriptor{
Id: uniqueid.Id{
84,
166,
118,
57,
129,
55,
24,
126,
205,
178,
109,
45,
105,
186,
0,
3,
},
ParamType: vdl.TypeOf([]string(nil)),
}
var PublicKeyThirdPartyCaveat = CaveatDescriptor{
Id: uniqueid.Id{
121,
114,
206,
23,
74,
123,
169,
63,
121,
84,
125,
118,
156,
145,
128,
0,
},
ParamType: vdl.TypeOf(publicKeyThirdPartyCaveatParam{}),
}
// PeerBlessingsCaveat represents a caveat that validates iff the peer being communicated
// with (local end of the call) has a blessing name matching at least one of the patterns
// in the list. An empty list implies that the caveat is invalid.
var PeerBlessingsCaveat = CaveatDescriptor{
Id: uniqueid.Id{
5,
119,
248,
86,
76,
142,
95,
254,
255,
142,
43,
31,
77,
109,
128,
0,
},
ParamType: vdl.TypeOf([]BlessingPattern(nil)),
}
var (
ErrCaveatNotRegistered = verror.Register("v.io/v23/security.CaveatNotRegistered", verror.NoRetry, "{1:}{2:} no validation function registered for caveat id {3}")
ErrCaveatParamAny = verror.Register("v.io/v23/security.CaveatParamAny", verror.NoRetry, "{1:}{2:} caveat {3} uses illegal param type any")
ErrCaveatParamTypeMismatch = verror.Register("v.io/v23/security.CaveatParamTypeMismatch", verror.NoRetry, "{1:}{2:} bad param type: caveat {3} got {4}, want {5}")
ErrCaveatParamCoding = verror.Register("v.io/v23/security.CaveatParamCoding", verror.NoRetry, "{1:}{2:} unable to encode/decode caveat param(type={4}) for caveat {3}: {5}")
ErrCaveatValidation = verror.Register("v.io/v23/security.CaveatValidation", verror.NoRetry, "{1:}{2:} caveat validation failed: {3}")
ErrConstCaveatValidation = verror.Register("v.io/v23/security.ConstCaveatValidation", verror.NoRetry, "{1:}{2:} false const caveat always fails validation")
ErrExpiryCaveatValidation = verror.Register("v.io/v23/security.ExpiryCaveatValidation", verror.NoRetry, "{1:}{2:} now({3}) is after expiry({4})")
ErrMethodCaveatValidation = verror.Register("v.io/v23/security.MethodCaveatValidation", verror.NoRetry, "{1:}{2:} method {3} not in list {4}")
ErrPeerBlessingsCaveatValidation = verror.Register("v.io/v23/security.PeerBlessingsCaveatValidation", verror.NoRetry, "{1:}{2:} patterns in peer blessings caveat {4} not matched by the peer {3}")
)
func init() {
i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatNotRegistered.ID), "{1:}{2:} no validation function registered for caveat id {3}")
i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamAny.ID), "{1:}{2:} caveat {3} uses illegal param type any")
i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamTypeMismatch.ID), "{1:}{2:} bad param type: caveat {3} got {4}, want {5}")
i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatParamCoding.ID), "{1:}{2:} unable to encode/decode caveat param(type={4}) for caveat {3}: {5}")
i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrCaveatValidation.ID), "{1:}{2:} caveat validation failed: {3}")
i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrConstCaveatValidation.ID), "{1:}{2:} false const caveat always fails validation")
i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrExpiryCaveatValidation.ID), "{1:}{2:} now({3}) is after expiry({4})")
i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrMethodCaveatValidation.ID), "{1:}{2:} method {3} not in list {4}")
i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrPeerBlessingsCaveatValidation.ID), "{1:}{2:} patterns in peer blessings caveat {4} not matched by the peer {3}")
}
// NewErrCaveatNotRegistered returns an error with the ErrCaveatNotRegistered ID.
func NewErrCaveatNotRegistered(ctx *context.T, id uniqueid.Id) error {
return verror.New(ErrCaveatNotRegistered, ctx, id)
}
// NewErrCaveatParamAny returns an error with the ErrCaveatParamAny ID.
func NewErrCaveatParamAny(ctx *context.T, id uniqueid.Id) error {
return verror.New(ErrCaveatParamAny, ctx, id)
}
// NewErrCaveatParamTypeMismatch returns an error with the ErrCaveatParamTypeMismatch ID.
func NewErrCaveatParamTypeMismatch(ctx *context.T, id uniqueid.Id, got *vdl.Type, want *vdl.Type) error {
return verror.New(ErrCaveatParamTypeMismatch, ctx, id, got, want)
}
// NewErrCaveatParamCoding returns an error with the ErrCaveatParamCoding ID.
func NewErrCaveatParamCoding(ctx *context.T, id uniqueid.Id, typ *vdl.Type, err error) error {
return verror.New(ErrCaveatParamCoding, ctx, id, typ, err)
}
// NewErrCaveatValidation returns an error with the ErrCaveatValidation ID.
func NewErrCaveatValidation(ctx *context.T, err error) error {
return verror.New(ErrCaveatValidation, ctx, err)
}
// NewErrConstCaveatValidation returns an error with the ErrConstCaveatValidation ID.
func NewErrConstCaveatValidation(ctx *context.T) error {
return verror.New(ErrConstCaveatValidation, ctx)
}
// NewErrExpiryCaveatValidation returns an error with the ErrExpiryCaveatValidation ID.
func NewErrExpiryCaveatValidation(ctx *context.T, currentTime time.Time, expiryTime time.Time) error {
return verror.New(ErrExpiryCaveatValidation, ctx, currentTime, expiryTime)
}
// NewErrMethodCaveatValidation returns an error with the ErrMethodCaveatValidation ID.
func NewErrMethodCaveatValidation(ctx *context.T, invokedMethod string, permittedMethods []string) error {
return verror.New(ErrMethodCaveatValidation, ctx, invokedMethod, permittedMethods)
}
// NewErrPeerBlessingsCaveatValidation returns an error with the ErrPeerBlessingsCaveatValidation ID.
func NewErrPeerBlessingsCaveatValidation(ctx *context.T, peerBlessings []string, permittedPatterns []BlessingPattern) error {
return verror.New(ErrPeerBlessingsCaveatValidation, ctx, peerBlessings, permittedPatterns)
}