veyron/services/identity/blesser: Restore email domain restriction.

https://vanadium.googlesource.com/release.go.core/+/04403e974dce3d62aa9d60f2a470ae732fef424a
accidentally stopped respecting the --google_domain flag. This commit
restores respect for the flag.

Change-Id: If3979549c64f5b7e31b4d81f43e43461042ffce3
diff --git a/services/identity/blesser/oauth.go b/services/identity/blesser/oauth.go
index 0fa09ae..9fba5e0 100644
--- a/services/identity/blesser/oauth.go
+++ b/services/identity/blesser/oauth.go
@@ -4,6 +4,7 @@
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"v.io/core/veyron/services/identity"
@@ -110,11 +111,15 @@
 	// this process do not have many caveats on them and typically have a large expiry duration,
 	// we append this suffix so that servers can explicitly distinguish these clients while
 	// specifying authorization policies (say, via ACLs).
-	return b.bless(ctx, token.Email+security.ChainSeparator+client.Name)
+	return b.bless(ctx, token.Email, client.Name)
 }
 
-func (b *googleOAuth) bless(ctx ipc.ServerContext, extension string) (security.WireBlessings, string, error) {
+func (b *googleOAuth) bless(ctx ipc.ServerContext, email, extension string) (security.WireBlessings, string, error) {
 	var noblessings security.WireBlessings
+	if len(b.domain) > 0 && strings.HasSuffix(email, "@"+b.domain) {
+		return noblessings, "", fmt.Errorf("domain restrictions preclude blessings for %q", email)
+	}
+	extension = email + security.ChainSeparator + extension
 	self := ctx.LocalPrincipal()
 	if self == nil {
 		return noblessings, "", fmt.Errorf("server error: no authentication happened")
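Review bot: The domain check added at the top of `bless` looks inverted: `strings.HasSuffix(email, "@"+b.domain)` returns the "domain restrictions preclude blessings" error when the email is in the configured domain, and every other address goes on to be blessed. If --google_domain is meant as an allow-list, as the commit title suggests, the condition should be `if len(b.domain) > 0 && !strings.HasSuffix(email, "@"+b.domain) {`. The comparison is also case-sensitive, so once negated it would refuse an in-domain address whose domain part differs only in case; comparing `strings.ToLower` of both sides avoids that. A unit test with one in-domain and one out-of-domain email would pin the intended behaviour, since this restriction has already regressed once. The body of `bless` continues past the end of the hunk.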