veyron/services/identity, veyron/tools/identity: Ability to add user
chosen caveats to blessings from identity server.
* Form now has a nice caveat selector input for defining caveats.
Screenshot: https://screenshot.googleplex.com/bzV5FiUAax.png
* The selector is populated from the map in services/identity/blesser/caveats.go.
TODO:
* Change oauth flow from identity tool to open form to allow specified caveats.
This way caveats will only be input into the identity server directly so we
don't have to "trust" the identity tool.
FUTURE CLEANUP:
* Eventually should move all JS/CSS to a new assets directory in identity server and serve from
there instead of embedding into template.
Change-Id: I4eb86e2c06c01b7a31659b7b29535e0d21972f7a
diff --git a/services/identity/revocation/bless.go b/services/identity/revocation/bless.go
index 57dcb71..473bcd4 100644
--- a/services/identity/revocation/bless.go
+++ b/services/identity/revocation/bless.go
@@ -12,16 +12,18 @@
// Bless creates a blessing on behalf of the identity server.
func Bless(server security.PrivateID, blessee security.PublicID, email string, duration time.Duration, revocationCaveat security.ThirdPartyCaveat) (security.PublicID, error) {
+ // TODO(suharshs): Pass caveats to here when macaroon new oauth flow is complete.
+ var caveats []security.Caveat
if revocationCaveat != nil {
caveat, err := security.NewCaveat(revocationCaveat)
if err != nil {
return nil, err
}
- // TODO(suharshs): Extend the duration for blessings with provided revocaionCaveats
- return server.Bless(blessee, email, duration, []security.Caveat{caveat})
+ // revocationCaveat must be prepended because it is assumed to be first by ReadBlessAuditEntry.
+ caveats = append([]security.Caveat{caveat}, caveats...)
}
- // return a blessing with a more limited duration, since there is no revocation caveat
- return server.Bless(blessee, email, duration, nil)
+ // TODO(suharshs): Extend the duration for blessings with provided revocaionCaveats.
+ return server.Bless(blessee, email, duration, caveats)
}
type BlessingAuditEntry struct {