"core": Server authentication during VC handshake
Currently, during VC establishment, a client always shares all
its blessings that are tagged for the server irrespective of
any server-authentication checks specified for the call (e.g.,
ServerPublicKey, AllowedServersPolicy, etc). Thus clients end up
revealing their identity to unauthenticated servers.
This CL addresses the issue by enforcing all server authentication checks
during VC handshake. These checks are ones specified for the call that
initiated the handshake.
Furthermore, since clients specify their blessings during each flow, we
modify the VC handshake so that clients only shares a self-signed
blessing during the handshake. The purpose of this blessing is to reveal
the public key of the client to the server. The server ensures that
all blessings revealed during flows are bound to this public key.
Change-Id: Ib43b37867dbcce5db065a831621788403e74ad2c
diff --git a/runtimes/google/ipc/client.go b/runtimes/google/ipc/client.go
index f4a3b96..7951e75 100644
--- a/runtimes/google/ipc/client.go
+++ b/runtimes/google/ipc/client.go
@@ -50,6 +50,8 @@
errIncompatibleEndpoint = verror.Register(pkgPath+".invalidEndpoint", verror.RetryRefetch, "{3} is an incompatible endpoint")
+ errNewServerAuthorizer = verror.Register(pkgPath+".newServerAuthorizer", verror.NoRetry, "failed to create server authorizer{:3}")
+
errNotTrusted = verror.Register(pkgPath+".notTrusted", verror.NoRetry, "name {3} not trusted using blessings {4}{:5}")
errAuthError = verror.Register(pkgPath+".authError", verror.RetryRefetch, "authentication error from server {3}{:4}")
@@ -75,16 +77,7 @@
errRemainingStreamResults = verror.Register(pkgPath+".remaingStreamResults", verror.NoRetry, "stream closed with remaining stream results")
- errNoBlessings = verror.Register(pkgPath+".noBlessings", verror.NoRetry, "server has not presented any blessings")
-
- errAuthNoPatternMatch = verror.Register(pkgPath+".authNoPatternMatch",
- verror.NoRetry, "server blessings {3} do not match pattern {4}{:5}")
-
- errAuthServerNotAllowed = verror.Register(pkgPath+".authServerNotAllowed",
- verror.NoRetry, "set of allowed servers {3} not matched by server blessings {4}")
-
- errAuthServerKeyNotAllowed = verror.Register(pkgPath+".authServerKeyNotAllowed",
- verror.NoRetry, "remote public key {3} not matched by server key {4}")
+ errNoBlessingsForPeer = verror.Register(pkgPath+".noBlessingsForPeer", verror.NoRetry, "no blessings tagged for peer {3}{:4}")
errDefaultAuthDenied = verror.Register(pkgPath+".defaultAuthDenied", verror.NoRetry, "default authorization precludes talking to server with blessings{:3}")
@@ -93,9 +86,6 @@
errBlessingAdd = verror.Register(pkgPath+".blessingAddFailed", verror.NoRetry, "failed to add blessing granted to server {3}{:4}")
)
-// TODO(ribrdb): Flip this to true once everything is updated.
-const enableSecureServerAuth = false
-
type client struct {
streamMgr stream.Manager
ns ns.Namespace
@@ -152,7 +142,6 @@
c.preferredProtocols = v
}
}
- c.vcOpts = append(c.vcOpts, c.dc)
return c, nil
}
@@ -191,14 +180,6 @@
}
sm := c.streamMgr
c.vcMapMu.Unlock()
- // Include the context when Dial-ing. This is currently done via an
- // option, and for thread-safety reasons - cannot append directly to
- // vcOpts.
- // TODO(ashankar,mattr): Revisit the API in ipc/stream and explicitly
- // provide a context to Dial and other relevant operations.
- cpy := make([]stream.VCOpt, len(vcOpts)+1)
- cpy[copy(cpy, vcOpts)] = vc.DialContext{ctx}
- vcOpts = cpy
vc, err := sm.Dial(ep, vcOpts...)
c.vcMapMu.Lock()
if err != nil {
@@ -274,7 +255,7 @@
func shouldNotFetchDischarges(opts []ipc.CallOpt) bool {
for _, o := range opts {
- if _, ok := o.(vc.NoDischarges); ok {
+ if _, ok := o.(NoDischarges); ok {
return true
}
}
@@ -335,7 +316,9 @@
if !ctx.Initialized() {
return nil, verror.ExplicitNew(verror.ErrBadArg, i18n.NoLangID, "ipc.Client", "StartCall")
}
-
+ if err := canCreateServerAuthorizer(opts); err != nil {
+ return nil, verror.New(errNewServerAuthorizer, ctx, err)
+ }
ctx, span := vtrace.SetNewSpan(ctx, fmt.Sprintf("<client>%q.%s", name, method))
ctx = verror.ContextWithComponentName(ctx, "ipc.Client")
@@ -386,16 +369,22 @@
}
type serverStatus struct {
- index int
- suffix string
- flow stream.Flow
- err error
+ index int
+ suffix string
+ flow stream.Flow
+ blessings []string // authorized server blessings
+ rejectedBlessings []security.RejectedBlessing // rejected server blessings
+ err error
}
// tryCreateFlow attempts to establish a Flow to "server" (which must be a
// rooted name), over which a method invocation request could be sent.
+//
+// The server at the remote end of the flow is authorized using the provided
+// authorizer, both during creation of the VC underlying the flow and the
+// flow itself.
// TODO(cnicolaou): implement real, configurable load balancing.
-func (c *client) tryCreateFlow(ctx *context.T, index int, server string, ch chan<- *serverStatus, vcOpts []stream.VCOpt) {
+func (c *client) tryCreateFlow(ctx *context.T, index int, name, server, method string, auth security.Authorizer, ch chan<- *serverStatus, vcOpts []stream.VCOpt) {
status := &serverStatus{index: index}
var span vtrace.Span
ctx, span = vtrace.SetNewSpan(ctx, "<client>tryCreateFlow")
@@ -404,11 +393,14 @@
ch <- status
span.Finish()
}()
+
address, suffix := naming.SplitAddressName(server)
if len(address) == 0 {
status.err = verror.New(errNonRootedName, ctx, server)
return
}
+ status.suffix = suffix
+
ep, err := inaming.NewEndpoint(address)
if err != nil {
status.err = verror.New(errInvalidEndpoint, ctx, address)
@@ -418,11 +410,38 @@
status.err = verror.New(errIncompatibleEndpoint, ctx, ep)
return
}
- if status.flow, status.err = c.createFlow(ctx, ep, vcOpts); status.err != nil {
- vlog.VI(2).Infof("ipc: connect to %v: %v", server, status.err)
+ if status.flow, status.err = c.createFlow(ctx, ep, append(vcOpts, &vc.ServerAuthorizer{Suffix: status.suffix, Method: method, Policy: auth})); status.err != nil {
+ vlog.VI(2).Infof("ipc: Failed to create Flow with %v: %v", server, status.err)
return
}
- status.suffix = suffix
+
+ // Authorize the remote end of the flow using the provided authorizer.
+ if status.flow.LocalPrincipal() == nil {
+ // LocalPrincipal is nil which means we are operating under
+ // VCSecurityNone.
+ return
+ }
+
+ // TODO(ataly, bprosnitx, ashankar): Add 'ctx' to the security.Context created below
+ // otherwise any custom caveat validators (defined in ctx) cannot be used while validating
+ // caveats in this context. Also see: https://github.com/veyron/release-issues/issues/1230
+ secctx := security.NewContext(&security.ContextParams{
+ LocalPrincipal: status.flow.LocalPrincipal(),
+ LocalBlessings: status.flow.LocalBlessings(),
+ RemoteBlessings: status.flow.RemoteBlessings(),
+ LocalEndpoint: status.flow.LocalEndpoint(),
+ RemoteEndpoint: status.flow.RemoteEndpoint(),
+ RemoteDischarges: status.flow.RemoteDischarges(),
+ Method: method,
+ Suffix: status.suffix})
+ if err := auth.Authorize(secctx); err != nil {
+ status.err = verror.New(verror.ErrNotTrusted, ctx, name, status.flow.RemoteBlessings(), err)
+ vlog.VI(2).Infof("ipc: Failed to authorize Flow created with server %v: %s", server, status.err)
+ status.flow.Close()
+ status.flow = nil
+ return
+ }
+ status.blessings, status.rejectedBlessings = status.flow.RemoteBlessings().ForContext(secctx)
return
}
@@ -462,11 +481,14 @@
// So, if two respones come in at the same 'instant', we prefer the
// first in the resolved.Servers)
attempts := len(resolved.Servers)
+
responses := make([]*serverStatus, attempts)
ch := make(chan *serverStatus, attempts)
vcOpts := append(getVCOpts(opts), c.vcOpts...)
for i, server := range resolved.Names() {
- go c.tryCreateFlow(ctx, i, server, ch, vcOpts)
+ vcOptsCopy := make([]stream.VCOpt, len(vcOpts))
+ copy(vcOptsCopy, vcOpts)
+ go c.tryCreateFlow(ctx, i, name, server, method, newServerAuthorizer(ctx, bpatterns(resolved.Servers[i].BlessingPatterns), opts...), ch, vcOptsCopy)
}
var timeoutChan <-chan time.Time
@@ -498,9 +520,12 @@
return nil, verror.NoRetry, err
}
+ dc := c.dc
+ if shouldNotFetchDischarges(opts) {
+ dc = nil
+ }
// Process new responses, in priority order.
numResponses := 0
- noDischarges := shouldNotFetchDischarges(opts)
for _, r := range responses {
if r != nil {
numResponses++
@@ -512,24 +537,17 @@
doneChan := ctx.Done()
r.flow.SetDeadline(doneChan)
- var (
- serverB []string
- grantedB security.Blessings
- )
+ fc, err := newFlowClient(ctx, r.flow, r.blessings, dc)
+ if err != nil {
+ return nil, verror.NoRetry, err.(error)
+ }
- // LocalPrincipal is nil means that the client wanted to avoid
- // authentication, and thus wanted to skip authorization as well.
- if r.flow.LocalPrincipal() != nil {
- // Validate caveats on the server's identity for the context associated with this call.
- var err error
- patterns := resolved.Servers[r.index].BlessingPatterns
- if serverB, grantedB, err = c.authorizeServer(ctx, r.flow, name, method, patterns, opts); err != nil {
- r.err = verror.New(verror.ErrNotTrusted, ctx, name, r.flow.RemoteBlessings(), err)
- vlog.VI(2).Infof("ipc: err: %s", r.err)
- r.flow.Close()
- r.flow = nil
- continue
- }
+ if err := fc.prepareBlessingsAndDischarges(method, args, r.rejectedBlessings, opts); err != nil {
+ r.err = verror.New(verror.ErrNotTrusted, ctx, name, r.flow.RemoteBlessings(), err)
+ vlog.VI(2).Infof("ipc: err: %s", r.err)
+ r.flow.Close()
+ r.flow = nil
+ continue
}
// This is the 'point of no return'; once the RPC is started (fc.start
@@ -547,10 +565,6 @@
// responses on the server and then we can retry in-process
// RPCs.
go cleanupTryCall(r, responses, ch)
- fc, err := newFlowClient(ctx, serverB, r.flow, c.dc)
- if err != nil {
- return nil, verror.NoRetry, err.(error)
- }
if doneChan != nil {
go func() {
@@ -564,10 +578,7 @@
}
deadline, _ := ctx.Deadline()
- if noDischarges {
- fc.dc = nil
- }
- if verr := fc.start(r.suffix, method, args, deadline, grantedB); verr != nil {
+ if verr := fc.start(r.suffix, method, args, deadline); verr != nil {
return nil, verror.NoRetry, verr
}
return fc, verror.NoRetry, nil
@@ -639,70 +650,58 @@
}
}
-// authorizeServer validates that the server (remote end of flow) has the credentials to serve
-// the RPC name.method for the client (local end of the flow). It returns the blessings at the
-// server that are authorized for this purpose and any blessings that are to be granted to
-// the server (via ipc.Granter implementations in opts.)
-func (c *client) authorizeServer(ctx *context.T, flow stream.Flow, name, method string, serverPatterns []string, opts []ipc.CallOpt) (serverBlessings []string, grantedBlessings security.Blessings, err error) {
- if flow.RemoteBlessings().IsZero() {
- return nil, security.Blessings{}, verror.New(errNoBlessings, ctx)
+// prepareBlessingsAndDischarges prepares blessings and discharges for
+// the call.
+//
+// This includes: (1) preparing blessings that must be granted to the
+// server, (2) preparing blessings that the client authenticates with,
+// and, (3) preparing any discharges for third-party caveats on the client's
+// blessings.
+func (fc *flowClient) prepareBlessingsAndDischarges(method string, args []interface{}, rejectedServerBlessings []security.RejectedBlessing, opts []ipc.CallOpt) error {
+ // LocalPrincipal is nil which means we are operating under
+ // VCSecurityNone.
+ if fc.flow.LocalPrincipal() == nil {
+ return nil
}
- ctxt := security.NewContext(&security.ContextParams{
- LocalPrincipal: flow.LocalPrincipal(),
- LocalBlessings: flow.LocalBlessings(),
- RemoteBlessings: flow.RemoteBlessings(),
- LocalEndpoint: flow.LocalEndpoint(),
- RemoteEndpoint: flow.RemoteEndpoint(),
- RemoteDischarges: flow.RemoteDischarges(),
- Method: method,
- Suffix: name})
- var rejectedBlessings []security.RejectedBlessing
- serverBlessings, rejectedBlessings = flow.RemoteBlessings().ForContext(ctxt)
- var ignorePatterns bool
+
+ // Prepare blessings that must be granted to the server (using any
+ // ipc.Granter implementation in 'opts').
+ if err := fc.prepareGrantedBlessings(opts); err != nil {
+ return err
+ }
+
+ // Fetch blessings from the client's blessing store that are to be
+ // shared with the server.
+ if fc.blessings = fc.flow.LocalPrincipal().BlessingStore().ForPeer(fc.server...); fc.blessings.IsZero() {
+ // TODO(ataly, ashankar): We need not error out here and instead can just send the <nil> blessings
+ // to the server.
+ return verror.New(errNoBlessingsForPeer, fc.ctx, fc.server, rejectedServerBlessings)
+ }
+
+ // Fetch any discharges for third-party caveats on the client's blessings.
+ if !fc.blessings.IsZero() && fc.dc != nil {
+ impetus, err := mkDischargeImpetus(fc.server, method, args)
+ if err != nil {
+ // TODO(toddw): Fix up the internal error.
+ return verror.New(verror.ErrBadProtocol, fc.ctx, fmt.Errorf("couldn't make discharge impetus: %v", err))
+ }
+ fc.discharges = fc.dc.PrepareDischarges(fc.ctx, fc.blessings.ThirdPartyCaveats(), impetus)
+ }
+ return nil
+}
+
+func (fc *flowClient) prepareGrantedBlessings(opts []ipc.CallOpt) error {
for _, o := range opts {
switch v := o.(type) {
- case options.ServerPublicKey:
- if remoteKey, key := flow.RemoteBlessings().PublicKey(), v.PublicKey; !reflect.DeepEqual(remoteKey, key) {
- return nil, security.Blessings{}, verror.New(errAuthServerKeyNotAllowed, ctx, remoteKey, key)
- }
- case options.AllowedServersPolicy:
- allowed := false
- for _, p := range v {
- if p.MatchedBy(serverBlessings...) {
- allowed = true
- break
- }
- }
- if !allowed {
- return nil, security.Blessings{}, verror.New(errAuthServerNotAllowed, ctx, v, serverBlessings)
- }
- case options.SkipResolveAuthorization:
- ignorePatterns = true
case ipc.Granter:
- if b, err := v.Grant(flow.RemoteBlessings()); err != nil {
- return nil, security.Blessings{}, verror.New(errBlessingGrant, ctx, serverBlessings, err)
- } else if grantedBlessings, err = security.UnionOfBlessings(grantedBlessings, b); err != nil {
- return nil, security.Blessings{}, verror.New(errBlessingAdd, ctx, serverBlessings, err)
+ if b, err := v.Grant(fc.flow.RemoteBlessings()); err != nil {
+ return verror.New(errBlessingGrant, fc.ctx, fc.server, err)
+ } else if fc.grantedBlessings, err = security.UnionOfBlessings(fc.grantedBlessings, b); err != nil {
+ return verror.New(errBlessingAdd, fc.ctx, fc.server, err)
}
}
}
- if len(serverPatterns) > 0 && !ignorePatterns {
- matched := false
- for _, p := range serverPatterns {
- if security.BlessingPattern(p).MatchedBy(serverBlessings...) {
- matched = true
- break
- }
- }
- if !matched {
- return nil, security.Blessings{}, verror.New(errAuthNoPatternMatch, ctx, serverBlessings, serverPatterns, rejectedBlessings)
- }
- } else if enableSecureServerAuth && !ignorePatterns {
- if err := (defaultAuthorizer{}).Authorize(ctxt); err != nil {
- return nil, security.Blessings{}, verror.New(errDefaultAuthDenied, ctx, serverBlessings)
- }
- }
- return serverBlessings, grantedBlessings, nil
+ return nil
}
func (c *client) Close() {
@@ -728,7 +727,8 @@
discharges []security.Discharge // discharges used for this request
dc vc.DischargeClient // client-global discharge-client
- blessings security.Blessings // the local blessings for the current RPC.
+ blessings security.Blessings // the local blessings for the current RPC.
+ grantedBlessings security.Blessings // the blessings granted to the server.
sendClosedMu sync.Mutex
sendClosed bool // is the send side already closed? GUARDED_BY(sendClosedMu)
@@ -738,11 +738,11 @@
var _ ipc.Call = (*flowClient)(nil)
var _ ipc.Stream = (*flowClient)(nil)
-func newFlowClient(ctx *context.T, server []string, flow stream.Flow, dc vc.DischargeClient) (*flowClient, error) {
+func newFlowClient(ctx *context.T, flow stream.Flow, server []string, dc vc.DischargeClient) (*flowClient, error) {
fc := &flowClient{
ctx: ctx,
- server: server,
flow: flow,
+ server: server,
dc: dc,
}
var err error
@@ -783,24 +783,13 @@
return err
}
-func (fc *flowClient) start(suffix, method string, args []interface{}, deadline time.Time, blessings security.Blessings) error {
- // Fetch any discharges for third-party caveats on the client's blessings
- // if this client owns a discharge-client.
- if self := fc.flow.LocalBlessings(); fc.dc != nil {
- impetus, err := mkDischargeImpetus(fc.server, method, args)
- if err != nil {
- // TODO(toddw): Fix up the internal error.
- berr := verror.New(verror.ErrBadProtocol, fc.ctx, fmt.Errorf("couldn't make discharge impetus: %v", err))
- return fc.close(berr)
- }
- fc.discharges = fc.dc.PrepareDischarges(fc.ctx, self.ThirdPartyCaveats(), impetus)
- }
+func (fc *flowClient) start(suffix, method string, args []interface{}, deadline time.Time) error {
// Encode the Blessings information for the client to authorize the flow.
var blessingsRequest ipc.BlessingsRequest
if fc.flow.LocalPrincipal() != nil {
- fc.blessings = fc.flow.LocalPrincipal().BlessingStore().ForPeer(fc.server...)
blessingsRequest = clientEncodeBlessings(fc.flow.VCDataCache(), fc.blessings)
}
+
discharges := make([]security.WireDischarge, len(fc.discharges))
for i, d := range fc.discharges {
discharges[i] = security.MarshalDischarge(d)
@@ -810,7 +799,7 @@
Method: method,
NumPosArgs: uint64(len(args)),
Deadline: vtime.Deadline{deadline},
- GrantedBlessings: security.MarshalBlessings(blessings),
+ GrantedBlessings: security.MarshalBlessings(fc.grantedBlessings),
Blessings: blessingsRequest,
Discharges: discharges,
TraceRequest: ivtrace.Request(fc.ctx),
@@ -1006,3 +995,14 @@
func (fc *flowClient) RemoteBlessings() ([]string, security.Blessings) {
return fc.server, fc.flow.RemoteBlessings()
}
+
+func bpatterns(patterns []string) []security.BlessingPattern {
+ if patterns == nil {
+ return nil
+ }
+ bpatterns := make([]security.BlessingPattern, len(patterns))
+ for i, p := range patterns {
+ bpatterns[i] = security.BlessingPattern(p)
+ }
+ return bpatterns
+}
diff --git a/runtimes/google/ipc/default_authorizer_test.go b/runtimes/google/ipc/default_authorizer_test.go
index fba7c85..ba4ecb5 100644
--- a/runtimes/google/ipc/default_authorizer_test.go
+++ b/runtimes/google/ipc/default_authorizer_test.go
@@ -2,21 +2,17 @@
import (
"testing"
- "time"
- vsecurity "v.io/core/veyron/security"
+ tsecurity "v.io/core/veyron/lib/testutil/security"
"v.io/v23"
- "v.io/v23/context"
- "v.io/v23/naming"
"v.io/v23/security"
- "v.io/v23/vdl"
)
func TestDefaultAuthorizer(t *testing.T) {
var (
- pali, _ = vsecurity.NewPrincipal()
- pbob, _ = vsecurity.NewPrincipal()
- pche, _ = vsecurity.NewPrincipal()
+ pali = tsecurity.NewPrincipal()
+ pbob = tsecurity.NewPrincipal()
+ pche = tsecurity.NewPrincipal()
che, _ = pche.BlessSelf("che")
ali, _ = pali.BlessSelf("ali")
@@ -92,21 +88,3 @@
}
}
}
-
-type mockSecurityContext struct {
- p security.Principal
- l, r security.Blessings
- c *context.T
-}
-
-func (c *mockSecurityContext) Timestamp() (t time.Time) { return }
-func (c *mockSecurityContext) Method() string { return "" }
-func (c *mockSecurityContext) MethodTags() []*vdl.Value { return nil }
-func (c *mockSecurityContext) Suffix() string { return "" }
-func (c *mockSecurityContext) RemoteDischarges() map[string]security.Discharge { return nil }
-func (c *mockSecurityContext) LocalEndpoint() naming.Endpoint { return nil }
-func (c *mockSecurityContext) RemoteEndpoint() naming.Endpoint { return nil }
-func (c *mockSecurityContext) LocalPrincipal() security.Principal { return c.p }
-func (c *mockSecurityContext) LocalBlessings() security.Blessings { return c.l }
-func (c *mockSecurityContext) RemoteBlessings() security.Blessings { return c.r }
-func (c *mockSecurityContext) Context() *context.T { return c.c }
diff --git a/runtimes/google/ipc/discharges.go b/runtimes/google/ipc/discharges.go
index 0508986..feccfbd 100644
--- a/runtimes/google/ipc/discharges.go
+++ b/runtimes/google/ipc/discharges.go
@@ -13,6 +13,12 @@
"v.io/x/lib/vlog"
)
+// NoDischarges specifies that the RPC call should not fetch discharges.
+type NoDischarges struct{}
+
+func (NoDischarges) IPCCallOpt() {}
+func (NoDischarges) NSResolveOpt() {}
+
// discharger implements vc.DischargeClient.
type dischargeClient struct {
c ipc.Client
@@ -110,7 +116,7 @@
defer wg.Done()
tp := cav.ThirdPartyDetails()
vlog.VI(3).Infof("Fetching discharge for %v", tp)
- call, err := d.c.StartCall(ctx, tp.Location(), "Discharge", []interface{}{cav, filteredImpetus(tp.Requirements(), impetus)}, vc.NoDischarges{})
+ call, err := d.c.StartCall(ctx, tp.Location(), "Discharge", []interface{}{cav, filteredImpetus(tp.Requirements(), impetus)}, NoDischarges{})
if err != nil {
vlog.VI(3).Infof("Discharge fetch for %v failed: %v", tp, err)
return
diff --git a/runtimes/google/ipc/full_test.go b/runtimes/google/ipc/full_test.go
index f0ddf14..241bdf1 100644
--- a/runtimes/google/ipc/full_test.go
+++ b/runtimes/google/ipc/full_test.go
@@ -71,15 +71,6 @@
c.Unlock()
}
-// We need a special way to create contexts for tests. We
-// can't create a real runtime in the runtime implementation
-// so we use a fake one that panics if used. The runtime
-// implementation should not ever use the Runtime from a context.
-func testContext() *context.T {
- ctx, _ := context.WithTimeout(testContextWithoutDeadline(), 20*time.Second)
- return ctx
-}
-
func testContextWithoutDeadline() *context.T {
ctx, _ := context.RootContext()
ctx, err := ivtrace.Init(ctx, flags.VtraceFlags{})
@@ -432,9 +423,10 @@
func TestRPCServerAuthorization(t *testing.T) {
const (
- vcErr = "VC handshake failed"
- nameErr = "do not match pattern"
- allowedErr = "set of allowed servers"
+ publicKeyErr = "not matched by server key"
+ forPeerErr = "no blessings tagged for peer"
+ nameErr = "do not match pattern"
+ allowedErr = "do not match any allowed server patterns"
)
var (
pprovider, pclient, pserver = tsecurity.NewPrincipal("root"), tsecurity.NewPrincipal(), tsecurity.NewPrincipal()
@@ -456,11 +448,11 @@
mgr = imanager.InternalNew(naming.FixedRoutingID(0x1111111))
ns = tnaming.NewSimpleNamespace()
tests = []struct {
- server security.Blessings // blessings presented by the server to the client.
- name string // name provided by the client to StartCall
- allowed options.AllowedServersPolicy // option provided to StartCall.
- errID verror.IDAction
- err string
+ server security.Blessings // blessings presented by the server to the client.
+ name string // name provided by the client to StartCall
+ opt ipc.CallOpt // option provided to StartCall.
+ errID verror.IDAction
+ err string
}{
// Client accepts talking to the server only if the
// server's blessings match the provided pattern
@@ -480,18 +472,22 @@
// Client does not talk to a server that presents
// expired blessings (because the blessing store is
// configured to only talk to root).
- {bServerExpired, "[...]mountpoint/server", nil, verror.ErrNotTrusted, vcErr},
+ {bServerExpired, "[...]mountpoint/server", nil, verror.ErrNotTrusted, forPeerErr},
// Client does not talk to a server that fails to
// provide discharges for third-party caveats on the
// blessings presented by it.
- {bServerTPExpired, "[...]mountpoint/server", nil, verror.ErrNotTrusted, vcErr},
+ {bServerTPExpired, "[...]mountpoint/server", nil, verror.ErrNotTrusted, forPeerErr},
// Testing the AllowedServersPolicy option.
{bServer, "[...]mountpoint/server", options.AllowedServersPolicy{"otherroot"}, verror.ErrNotTrusted, allowedErr},
{bServer, "[root/server]mountpoint/server", options.AllowedServersPolicy{"otherroot"}, verror.ErrNotTrusted, allowedErr},
{bServer, "[otherroot/server]mountpoint/server", options.AllowedServersPolicy{"root/server"}, verror.ErrNotTrusted, nameErr},
{bServer, "[root/server]mountpoint/server", options.AllowedServersPolicy{"root"}, noErrID, ""},
+
+ // Test the ServerPublicKey option.
+ {bServer, "[...]mountpoint/server", options.ServerPublicKey{bServer.PublicKey()}, noErrID, ""},
+ {bServer, "[...]mountpoint/server", options.ServerPublicKey{tsecurity.NewPrincipal("irrelevant").PublicKey()}, verror.ErrNotTrusted, publicKeyErr},
// Server presents two blessings: One that satisfies
// the pattern provided to StartCall and one that
// satisfies the AllowedServersPolicy, so the server is
@@ -516,7 +512,7 @@
pclient.BlessingStore().Set(bless(pprovider, pclient, "client"), "root")
for i, test := range tests {
- name := fmt.Sprintf("(#%d: Name:%q, Server:%q, Allowed:%v)", i, test.name, test.server, test.allowed)
+ name := fmt.Sprintf("(#%d: Name:%q, Server:%q, opt:%v)", i, test.name, test.server, test.opt)
if err := pserver.BlessingStore().SetDefault(test.server); err != nil {
t.Fatalf("SetDefault failed on server's BlessingStore: %v", err)
}
@@ -530,11 +526,7 @@
continue
}
ctx, cancel := context.WithTimeout(testContextWithoutDeadline(), 10*time.Second)
- var opts []ipc.CallOpt
- if test.allowed != nil {
- opts = append(opts, test.allowed)
- }
- call, err := client.StartCall(ctx, test.name, "Method", nil, opts...)
+ call, err := client.StartCall(ctx, test.name, "Method", nil, test.opt)
if !matchesErrorPattern(err, test.errID, test.err) {
t.Errorf(`%s: client.StartCall: got error "%v", want to match "%v"`, name, err, test.err)
} else if call != nil {
@@ -930,7 +922,7 @@
},
}
- for testidx, test := range tests {
+ for _, test := range tests {
pclient := mkClient(test.Requirements)
client, err := InternalNewClient(sm, ns, pclient)
if err != nil {
@@ -945,20 +937,10 @@
continue
}
impetus, traceid := tester.Release()
- // There should have been 2 or 3 attempts to fetch a discharge
- // (since the discharge service doesn't actually issue a valid
- // discharge, there is no re-usable discharge between these attempts):
- // (1) When creating a VIF with the server hosting the remote object.
- // (This will happen only for the first test, where the stream.Manager
- // authenticates at the VIF level for the very first time).
- // (2) When creating a VC with the server hosting the remote object.
- // (3) When making the RPC to the remote object.
- num := 3
- if testidx > 0 {
- num = 2
- }
- if want := num; len(impetus) != want || len(traceid) != want {
- t.Errorf("Test %+v: Got (%d, %d) (#impetus, #traceid), wanted %d each", test.Requirements, len(impetus), len(traceid), want)
+ // There should have been exactly 1 attempt to fetch discharges when making
+ // the RPC to the remote object.
+ if len(impetus) != 1 || len(traceid) != 1 {
+ t.Errorf("Test %+v: Got (%d, %d) (#impetus, #traceid), wanted exactly one", test.Requirements, len(impetus), len(traceid))
continue
}
// VC creation does not have any "impetus", it is established without
@@ -1607,7 +1589,7 @@
defer client.Close()
var opts []ipc.CallOpt
if noDischarges {
- opts = append(opts, vc.NoDischarges{})
+ opts = append(opts, NoDischarges{})
}
if _, err = client.StartCall(testContext(), "mountpoint/testServer", "Closure", nil, opts...); err != nil {
t.Fatalf("failed to StartCall: %v", err)
diff --git a/runtimes/google/ipc/proxy_test.go b/runtimes/google/ipc/proxy_test.go
index 8ca2335..93b075c 100644
--- a/runtimes/google/ipc/proxy_test.go
+++ b/runtimes/google/ipc/proxy_test.go
@@ -122,16 +122,25 @@
}
func testProxy(t *testing.T, spec ipc.ListenSpec, args ...string) {
- sm := imanager.InternalNew(naming.FixedRoutingID(0x555555555))
- defer sm.Shutdown()
- ns := tnaming.NewSimpleNamespace()
- client, err := iipc.InternalNewClient(sm, ns, vc.LocalPrincipal{tsecurity.NewPrincipal("client")})
+ var (
+ pserver = tsecurity.NewPrincipal("server")
+ serverKey = pserver.PublicKey()
+ // We use different stream managers for the client and server
+ // to prevent VIF re-use (in other words, we want to test VIF
+ // creation from both the client and server end).
+ smserver = imanager.InternalNew(naming.FixedRoutingID(0x555555555))
+ smclient = imanager.InternalNew(naming.FixedRoutingID(0x444444444))
+ ns = tnaming.NewSimpleNamespace()
+ )
+ defer smserver.Shutdown()
+ defer smclient.Shutdown()
+ client, err := iipc.InternalNewClient(smserver, ns, vc.LocalPrincipal{tsecurity.NewPrincipal("client")})
if err != nil {
t.Fatal(err)
}
defer client.Close()
ctx := testContext()
- server, err := iipc.InternalNewServer(ctx, sm, ns, nil, vc.LocalPrincipal{tsecurity.NewPrincipal("server")})
+ server, err := iipc.InternalNewServer(ctx, smserver, ns, nil, vc.LocalPrincipal{pserver})
if err != nil {
t.Fatal(err)
}
@@ -263,11 +272,14 @@
t.Fatalf("failed to lookup proxy: addrs %v", addrs)
}
- // Proxied endpoint should be published and RPC should succeed (through proxy)
+ // Proxied endpoint should be published and RPC should succeed (through proxy).
+ // Additionally, any server authorizaton options must only apply to the end server
+ // and not the proxy.
const expected = `method:"Echo",suffix:"suffix",arg:"batman"`
- if result, err := makeCall(); result != expected || err != nil {
+ if result, err := makeCall(options.ServerPublicKey{serverKey}); result != expected || err != nil {
t.Fatalf("Got (%v, %v) want (%v, nil)", result, err, expected)
}
+
// Proxy dies, calls should fail and the name should be unmounted.
if err := proxy.Stop(ctx); err != nil {
t.Fatal(err)
diff --git a/runtimes/google/ipc/server_authorizer.go b/runtimes/google/ipc/server_authorizer.go
new file mode 100644
index 0000000..695b049
--- /dev/null
+++ b/runtimes/google/ipc/server_authorizer.go
@@ -0,0 +1,116 @@
+package ipc
+
+import (
+ "errors"
+ "reflect"
+
+ "v.io/v23/context"
+ "v.io/v23/ipc"
+ "v.io/v23/options"
+ "v.io/v23/security"
+ "v.io/v23/verror"
+)
+
+// TODO(ribrdb): Flip this to true once everything is updated and also update
+// the server authorizer tests.
+const enableSecureServerAuth = false
+
+var (
+ errNoBlessings = verror.Register(pkgPath+".noBlessings", verror.NoRetry, "server has not presented any blessings")
+
+ errAuthNoPatternMatch = verror.Register(pkgPath+".authNoPatternMatch",
+ verror.NoRetry, "server blessings {3} do not match pattern {4}{:5}")
+
+ errAuthServerNotAllowed = verror.Register(pkgPath+".authServerNotAllowed",
+ verror.NoRetry, "server blesssings {3} do not match any allowed server patterns {4}{:5}")
+
+ errAuthServerKeyNotAllowed = verror.Register(pkgPath+".authServerKeyNotAllowed",
+ verror.NoRetry, "remote public key {3} not matched by server key {4}")
+)
+
+// serverAuthorizer implements security.Authorizer.
+type serverAuthorizer struct {
+ patternsFromNameResolution []security.BlessingPattern
+ allowedServerPolicies [][]security.BlessingPattern
+ serverPublicKey security.PublicKey
+}
+
+// newServerAuthorizer returns a security.Authorizer for authorizing the server
+// during a flow. The authorization policy is based on enforcing any server
+// patterns obtained by resolving the server's name, and any server authorization
+// options supplied to the call that initiated the flow.
+//
+// This method assumes that canCreateServerAuthorizer(opts) is nil.
+func newServerAuthorizer(ctx *context.T, patternsFromNameResolution []security.BlessingPattern, opts ...ipc.CallOpt) security.Authorizer {
+ auth := &serverAuthorizer{
+ patternsFromNameResolution: patternsFromNameResolution,
+ }
+ for _, o := range opts {
+ // TODO(ataly, ashankar): Consider creating an authorizer for each of the
+ // options below and then take the intersection of the authorizers.
+ switch v := o.(type) {
+ case options.ServerPublicKey:
+ auth.serverPublicKey = v.PublicKey
+ case options.AllowedServersPolicy:
+ auth.allowedServerPolicies = append(auth.allowedServerPolicies, v)
+ case options.SkipResolveAuthorization:
+ auth.patternsFromNameResolution = []security.BlessingPattern{security.AllPrincipals}
+ }
+ }
+ return auth
+}
+
+func (a *serverAuthorizer) Authorize(ctx security.Context) error {
+ if ctx.RemoteBlessings().IsZero() {
+ return verror.New(errNoBlessings, ctx.Context())
+ }
+ serverBlessings, rejectedBlessings := ctx.RemoteBlessings().ForContext(ctx)
+
+ if !matchedBy(a.patternsFromNameResolution, serverBlessings) {
+ return verror.New(errAuthNoPatternMatch, ctx.Context(), serverBlessings, a.patternsFromNameResolution, rejectedBlessings)
+ } else if enableSecureServerAuth {
+ // No server patterns were obtained while resolving the name, authorize
+ // the server using the default authorization policy.
+ if err := (defaultAuthorizer{}).Authorize(ctx); err != nil {
+ return verror.New(errDefaultAuthDenied, ctx.Context(), serverBlessings)
+ }
+ }
+
+ for _, patterns := range a.allowedServerPolicies {
+ if !matchedBy(patterns, serverBlessings) {
+ return verror.New(errAuthServerNotAllowed, ctx.Context(), serverBlessings, patterns, rejectedBlessings)
+ }
+ }
+
+ if remoteKey, key := ctx.RemoteBlessings().PublicKey(), a.serverPublicKey; key != nil && !reflect.DeepEqual(remoteKey, key) {
+ return verror.New(errAuthServerKeyNotAllowed, ctx.Context(), remoteKey, key)
+ }
+
+ return nil
+}
+
+func matchedBy(patterns []security.BlessingPattern, blessings []string) bool {
+ if patterns == nil {
+ return true
+ }
+ for _, p := range patterns {
+ if p.MatchedBy(blessings...) {
+ return true
+ }
+ }
+ return false
+}
+
+func canCreateServerAuthorizer(opts []ipc.CallOpt) error {
+ var pkey security.PublicKey
+ for _, o := range opts {
+ switch v := o.(type) {
+ case options.ServerPublicKey:
+ if pkey != nil && !reflect.DeepEqual(pkey, v.PublicKey) {
+ return errors.New("multiple ServerPublicKey options supplied to call, at most one is allowed")
+ }
+ pkey = v.PublicKey
+ }
+ }
+ return nil
+}
diff --git a/runtimes/google/ipc/server_authorizer_test.go b/runtimes/google/ipc/server_authorizer_test.go
new file mode 100644
index 0000000..05c9d47
--- /dev/null
+++ b/runtimes/google/ipc/server_authorizer_test.go
@@ -0,0 +1,99 @@
+package ipc
+
+import (
+ "testing"
+
+ tsecurity "v.io/core/veyron/lib/testutil/security"
+
+ "v.io/v23/options"
+ "v.io/v23/security"
+)
+
+func TestServerAuthorizer(t *testing.T) {
+ var (
+ pclient = tsecurity.NewPrincipal()
+ pserver = tsecurity.NewPrincipal()
+ pother = tsecurity.NewPrincipal()
+
+ ali, _ = pserver.BlessSelf("ali")
+ bob, _ = pserver.BlessSelf("bob")
+ che, _ = pserver.BlessSelf("che")
+ otherAli, _ = pother.BlessSelf("ali")
+ zero = security.Blessings{}
+
+ ctx = testContext()
+
+ U = func(blessings ...security.Blessings) security.Blessings {
+ u, err := security.UnionOfBlessings(blessings...)
+ if err != nil {
+ t.Fatal(err)
+ }
+ return u
+ }
+ )
+ // Make client recognize ali, bob and otherAli blessings
+ for _, b := range []security.Blessings{ali, bob, otherAli} {
+ if err := pclient.AddToRoots(b); err != nil {
+ t.Fatal(err)
+ }
+ }
+ // All tests are run as if pclient is the client end and pserver is remote end.
+ tests := []struct {
+ auth security.Authorizer
+ authorizedServers []security.Blessings
+ unauthorizedServers []security.Blessings
+ }{
+ {
+ // All servers with a non-zero blessing are authorized
+ newServerAuthorizer(ctx, nil),
+ []security.Blessings{ali, otherAli, bob, che},
+ []security.Blessings{zero},
+ },
+ {
+ // Only ali, otherAli and bob are authorized
+ newServerAuthorizer(ctx, []security.BlessingPattern{"ali", "bob"}),
+ []security.Blessings{ali, otherAli, bob, U(ali, che), U(bob, che)},
+ []security.Blessings{che},
+ },
+ {
+ // Still only ali, otherAli and bob are authorized (che is not
+ // authorized since it is not recognized by the client)
+ newServerAuthorizer(ctx, []security.BlessingPattern{"ali", "bob", "che"}, nil),
+ []security.Blessings{ali, otherAli, bob, U(ali, che), U(bob, che)},
+ []security.Blessings{che},
+ },
+ {
+
+ // Only ali and otherAli are authorized (since there is an
+ // allowed-servers policy that does not allow "bob")
+ newServerAuthorizer(ctx, []security.BlessingPattern{"ali", "bob", "che"}, options.AllowedServersPolicy{"ali", "bob"}, options.AllowedServersPolicy{"ali"}),
+ []security.Blessings{ali, otherAli, U(ali, che), U(ali, bob)},
+ []security.Blessings{bob, che},
+ },
+ {
+ // Only otherAli is authorized (since only pother's public key is
+ // authorized)
+ newServerAuthorizer(ctx, nil, options.ServerPublicKey{pother.PublicKey()}),
+ []security.Blessings{otherAli},
+ []security.Blessings{ali, bob, che},
+ },
+ }
+ for _, test := range tests {
+ for _, s := range test.authorizedServers {
+ if err := test.auth.Authorize(&mockSecurityContext{
+ p: pclient,
+ r: s,
+ }); err != nil {
+ t.Errorf("serverAuthorizer: %#v failed to authorize server: %v", test.auth, s)
+ }
+ }
+ for _, s := range test.unauthorizedServers {
+ if err := test.auth.Authorize(&mockSecurityContext{
+ p: pclient,
+ r: s,
+ }); err == nil {
+ t.Errorf("serverAuthorizer: %#v authorized server: %v", test.auth, s)
+ }
+ }
+ }
+}
diff --git a/runtimes/google/ipc/stream/manager/listener.go b/runtimes/google/ipc/stream/manager/listener.go
index 7721bb3..1437061 100644
--- a/runtimes/google/ipc/stream/manager/listener.go
+++ b/runtimes/google/ipc/stream/manager/listener.go
@@ -154,7 +154,7 @@
func (ln *proxyListener) connect() (*vif.VIF, naming.Endpoint, error) {
vlog.VI(1).Infof("Connecting to proxy at %v", ln.proxyEP)
- // Requires dialing a VC to the proxy, need to extract options (like the identity)
+ // Requires dialing a VC to the proxy, need to extract options (like the principal)
// from ln.opts to do so.
var dialOpts []stream.VCOpt
for _, opt := range ln.opts {
diff --git a/runtimes/google/ipc/stream/manager/manager_test.go b/runtimes/google/ipc/stream/manager/manager_test.go
index 69c72bf..1a1442d 100644
--- a/runtimes/google/ipc/stream/manager/manager_test.go
+++ b/runtimes/google/ipc/stream/manager/manager_test.go
@@ -176,7 +176,7 @@
clientPrincipal = newPrincipal("client")
serverPrincipal = newPrincipal("server")
- clientBlessings = clientPrincipal.Principal.BlessingStore().Default()
+ clientKey = clientPrincipal.Principal.PublicKey()
serverBlessings = serverPrincipal.Principal.BlessingStore().Default()
)
// VCSecurityLevel is intentionally not provided to Listen - to test
@@ -188,11 +188,17 @@
errs := make(chan error)
- testAuth := func(tag string, flow stream.Flow, local, remote security.Blessings) {
- l := flow.LocalBlessings()
- r := flow.RemoteBlessings()
- if !reflect.DeepEqual(l, local) || !reflect.DeepEqual(r, remote) {
- errs <- fmt.Errorf("%s: LocalBlessings: Got %q, want %q. RemoteBlessings: Got %q, want %q", tag, l, local, r, remote)
+ testAuth := func(tag string, flow stream.Flow, wantServer security.Blessings, wantClientKey security.PublicKey) {
+ // Since the client's blessing is expected to be self-signed we only test
+ // its public key
+ gotServer := flow.RemoteBlessings()
+ gotClientKey := flow.LocalBlessings().PublicKey()
+ if tag == "server" {
+ gotServer = flow.LocalBlessings()
+ gotClientKey = flow.RemoteBlessings().PublicKey()
+ }
+ if !reflect.DeepEqual(gotServer, wantServer) || !reflect.DeepEqual(gotClientKey, wantClientKey) {
+ errs <- fmt.Errorf("%s: Server: Got Blessings %q, want %q. Server: Got Blessings %q, want %q", tag, gotServer, wantServer, gotClientKey, wantClientKey)
return
}
errs <- nil
@@ -205,7 +211,7 @@
return
}
defer flow.Close()
- testAuth("server", flow, serverBlessings, clientBlessings)
+ testAuth("server", flow, serverBlessings, clientKey)
}()
go func() {
@@ -222,7 +228,7 @@
return
}
defer flow.Close()
- testAuth("client", flow, clientBlessings, serverBlessings)
+ testAuth("client", flow, serverBlessings, clientKey)
}()
if err := <-errs; err != nil {
diff --git a/runtimes/google/ipc/stream/vc/auth.go b/runtimes/google/ipc/stream/vc/auth.go
index b8d8bfa..0c247a0 100644
--- a/runtimes/google/ipc/stream/vc/auth.go
+++ b/runtimes/google/ipc/stream/vc/auth.go
@@ -9,7 +9,6 @@
"v.io/core/veyron/runtimes/google/ipc/stream/crypto"
"v.io/core/veyron/runtimes/google/lib/iobuf"
- "v.io/v23/context"
"v.io/v23/ipc/version"
"v.io/v23/security"
"v.io/v23/vom"
@@ -31,10 +30,10 @@
// AuthenticateAsServer executes the authentication protocol at the server and
// returns the blessings used to authenticate the client.
-func AuthenticateAsServer(conn io.ReadWriteCloser, principal security.Principal, server security.Blessings, dc DischargeClient, crypter crypto.Crypter, v version.IPCVersion) (client security.Blessings, clientDischarges map[string]security.Discharge, err error) {
+func AuthenticateAsServer(conn io.ReadWriteCloser, principal security.Principal, server security.Blessings, dc DischargeClient, crypter crypto.Crypter, v version.IPCVersion) (client security.Blessings, err error) {
defer conn.Close()
if server.IsZero() {
- return security.Blessings{}, nil, errors.New("no blessings to present as a server")
+ return security.Blessings{}, errors.New("no blessings to present as a server")
}
var discharges []security.Discharge
if tpcavs := server.ThirdPartyCaveats(); len(tpcavs) > 0 && dc != nil {
@@ -43,7 +42,7 @@
if err = writeBlessings(conn, authServerContextTag, crypter, principal, server, discharges, v); err != nil {
return
}
- if client, clientDischarges, err = readBlessings(conn, authClientContextTag, crypter, v); err != nil {
+ if client, _, err = readBlessings(conn, authClientContextTag, crypter, v); err != nil {
return
}
return
@@ -52,39 +51,31 @@
// AuthenticateAsClient executes the authentication protocol at the client and
// returns the blessings used to authenticate both ends.
//
-// The client will only share its identity if its blessing store has one marked
-// for the server (who shares its blessings first).
-//
-// TODO(ashankar): Seems like there is no way the blessing store
-// can say that it does NOT want to share the default blessing with the server?
-func AuthenticateAsClient(ctx *context.T, conn io.ReadWriteCloser, principal security.Principal, dc DischargeClient, crypter crypto.Crypter, v version.IPCVersion) (server, client security.Blessings, serverDischarges map[string]security.Discharge, err error) {
+// The client will only share its blessings if the server (who shares its blessings first)
+// is authorized as per the authorizer for this RPC.
+func AuthenticateAsClient(conn io.ReadWriteCloser, crypter crypto.Crypter, params security.ContextParams, auth *ServerAuthorizer, v version.IPCVersion) (server, client security.Blessings, serverDischarges map[string]security.Discharge, err error) {
defer conn.Close()
if server, serverDischarges, err = readBlessings(conn, authServerContextTag, crypter, v); err != nil {
return
}
- serverB, invalidB := server.ForContext(security.NewContext(&security.ContextParams{
- LocalPrincipal: principal,
- RemoteBlessings: server,
- RemoteDischarges: serverDischarges,
- // TODO(ashankar): Get the local and remote endpoint here?
- // There is also a bootstrapping problem here. For example, let's say
- // (1) server has the blessing "provider/server" with a PeerIdentity caveat of "provider/client"
- // (2) Client has a blessing "provider/client" tagged for "provider/server" in its BlessingStore
- // How do we get that working?
- // One option is to have a UnionOfBlessings of all blessings of the client in the BlessingStore
- // made available to serverAuthContext.LocalBlessings for this call.
- Context: ctx,
- }))
- client = principal.BlessingStore().ForPeer(serverB...)
- if client.IsZero() {
- err = NewErrNoBlessingsForPeer(ctx, serverB, invalidB)
- return
+ // Authorize the server based on the provided authorizer.
+ if auth != nil {
+ params.RemoteBlessings = server
+ params.RemoteDischarges = serverDischarges
+ if err = auth.Authorize(params); err != nil {
+ return
+ }
}
- var discharges []security.Discharge
- if dc != nil {
- discharges = dc.PrepareDischarges(ctx, client.ThirdPartyCaveats(), security.DischargeImpetus{})
+
+ // The client shares its blessings at RPC time (as the blessings may vary across
+ // RPCs). During VC handshake, the client simply sends a self-signed blessing
+ // in order to reveal its public key to the server.
+ principal := params.LocalPrincipal
+ client, err = principal.BlessSelf("vcauth")
+ if err != nil {
+ return security.Blessings{}, security.Blessings{}, nil, fmt.Errorf("failed to created self blessing: %v", err)
}
- if err = writeBlessings(conn, authClientContextTag, crypter, principal, client, discharges, v); err != nil {
+ if err = writeBlessings(conn, authClientContextTag, crypter, principal, client, nil, v); err != nil {
return
}
return
diff --git a/runtimes/google/ipc/stream/vc/errors.vdl b/runtimes/google/ipc/stream/vc/errors.vdl
deleted file mode 100644
index 9f4814f..0000000
--- a/runtimes/google/ipc/stream/vc/errors.vdl
+++ /dev/null
@@ -1,9 +0,0 @@
-package vc
-
-import (
- "v.io/v23/security"
-)
-
-error (
- NoBlessingsForPeer(peer []string, rejected []security.RejectedBlessing) {"en":"no blessing tagged for peer {peer} in the BlessingStore. Rejected blessings: {rejected}"}
-)
diff --git a/runtimes/google/ipc/stream/vc/errors.vdl.go b/runtimes/google/ipc/stream/vc/errors.vdl.go
deleted file mode 100644
index a7de1e4..0000000
--- a/runtimes/google/ipc/stream/vc/errors.vdl.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// This file was auto-generated by the veyron vdl tool.
-// Source: errors.vdl
-
-package vc
-
-import (
- // VDL system imports
- "v.io/v23/context"
- "v.io/v23/i18n"
- "v.io/v23/verror"
-
- // VDL user imports
- "v.io/v23/security"
-)
-
-var (
- ErrNoBlessingsForPeer = verror.Register("v.io/core/veyron/runtimes/google/ipc/stream/vc.NoBlessingsForPeer", verror.NoRetry, "{1:}{2:} no blessing tagged for peer {3} in the BlessingStore. Rejected blessings: {4}")
-)
-
-func init() {
- i18n.Cat().SetWithBase(i18n.LangID("en"), i18n.MsgID(ErrNoBlessingsForPeer.ID), "{1:}{2:} no blessing tagged for peer {3} in the BlessingStore. Rejected blessings: {4}")
-}
-
-// NewErrNoBlessingsForPeer returns an error with the ErrNoBlessingsForPeer ID.
-func NewErrNoBlessingsForPeer(ctx *context.T, peer []string, rejected []security.RejectedBlessing) error {
- return verror.New(ErrNoBlessingsForPeer, ctx, peer, rejected)
-}
diff --git a/runtimes/google/ipc/stream/vc/vc.go b/runtimes/google/ipc/stream/vc/vc.go
index fa33407..5df0022 100644
--- a/runtimes/google/ipc/stream/vc/vc.go
+++ b/runtimes/google/ipc/stream/vc/vc.go
@@ -23,7 +23,6 @@
"v.io/v23/naming"
"v.io/v23/options"
"v.io/v23/security"
- "v.io/v23/vtrace"
"v.io/x/lib/vlog"
)
@@ -65,12 +64,28 @@
dataCache *dataCache // dataCache contains information that can shared between Flows from this VC.
}
-// NoDischarges specifies that the RPC call should not fetch discharges.
-type NoDischarges struct{}
+// ServerAuthorizer encapsulates the policy used to authorize servers during VC
+// establishment.
+//
+// A client will first authorize a server before revealing any of its credentials
+// (public key, blessings etc.) to the server. Thus, if the authorization policy
+// calls for the server to be rejected, then the client will not have revealed
+// any of its credentials to the server.
+//
+// ServerAuthorizer in turn uses an authorization policy (security.Authorizer),
+// with the context matching the context of the RPC that caused the initiation
+// of the VC.
+type ServerAuthorizer struct {
+ Suffix, Method string
+ Policy security.Authorizer
+}
-func (NoDischarges) IPCCallOpt() {}
-func (NoDischarges) IPCStreamVCOpt() {}
-func (NoDischarges) NSResolveOpt() {}
+func (a *ServerAuthorizer) IPCStreamVCOpt() {}
+func (a *ServerAuthorizer) Authorize(params security.ContextParams) error {
+ params.Suffix = a.Suffix
+ params.Method = a.Method
+ return a.Policy.Authorize(security.NewContext(¶ms))
+}
var _ stream.VC = (*VC)(nil)
@@ -126,7 +141,6 @@
// for being returned by a subsequent PrepareDischarges call.
Invalidate(discharges ...security.Discharge)
IPCStreamListenerOpt()
- IPCStreamVCOpt()
}
// DialContext establishes the context under which a VC Dial was initiated.
@@ -377,35 +391,20 @@
principal security.Principal
tlsSessionCache crypto.TLSClientSessionCache
securityLevel options.VCSecurityLevel
- dischargeClient DischargeClient
- ctx *context.T
- noDischarges bool
+ auth *ServerAuthorizer
)
for _, o := range opts {
switch v := o.(type) {
- case DialContext:
- ctx = v.T
- case DischargeClient:
- dischargeClient = v
case LocalPrincipal:
principal = v.Principal
case options.VCSecurityLevel:
securityLevel = v
case crypto.TLSClientSessionCache:
tlsSessionCache = v
- case NoDischarges:
- noDischarges = true
+ case *ServerAuthorizer:
+ auth = v
}
}
- if ctx != nil {
- var span vtrace.Span
- ctx, span = vtrace.SetNewSpan(ctx, "vc.HandshakeDialedVC")
- defer span.Finish()
- }
- // If noDischarge is provided, disable the dischargeClient.
- if noDischarges {
- dischargeClient = nil
- }
switch securityLevel {
case options.VCSecurityConfidential:
if principal == nil {
@@ -442,7 +441,12 @@
if err != nil {
return vc.err(fmt.Errorf("failed to create a Flow for authentication: %v", err))
}
- rBlessings, lBlessings, rDischarges, err := AuthenticateAsClient(ctx, authConn, principal, dischargeClient, crypter, vc.version)
+ params := security.ContextParams{
+ LocalPrincipal: principal,
+ LocalEndpoint: vc.localEP,
+ RemoteEndpoint: vc.remoteEP,
+ }
+ rBlessings, lBlessings, rDischarges, err := AuthenticateAsClient(authConn, crypter, params, auth, vc.version)
if err != nil {
return vc.err(fmt.Errorf("authentication failed: %v", err))
}
@@ -556,9 +560,9 @@
vc.mu.Lock()
vc.authFID = vc.findFlowLocked(authConn)
vc.mu.Unlock()
- rBlessings, rDischarges, err := AuthenticateAsServer(authConn, principal, lBlessings, dischargeClient, crypter, vc.version)
+ rBlessings, err := AuthenticateAsServer(authConn, principal, lBlessings, dischargeClient, crypter, vc.version)
if err != nil {
- sendErr(fmt.Errorf("authentication failed %v", err))
+ sendErr(fmt.Errorf("authentication failed: %v", err))
return
}
@@ -567,7 +571,6 @@
vc.localPrincipal = principal
vc.localBlessings = lBlessings
vc.remoteBlessings = rBlessings
- vc.remoteDischarges = rDischarges
close(vc.acceptHandshakeDone)
vc.acceptHandshakeDone = nil
vc.mu.Unlock()
diff --git a/runtimes/google/ipc/stream/vc/vc_test.go b/runtimes/google/ipc/stream/vc/vc_test.go
index 5baf9d5..6aeceec 100644
--- a/runtimes/google/ipc/stream/vc/vc_test.go
+++ b/runtimes/google/ipc/stream/vc/vc_test.go
@@ -4,6 +4,7 @@
import (
"bytes"
+ "errors"
"fmt"
"io"
"net"
@@ -29,6 +30,11 @@
"v.io/v23/security"
)
+var (
+ clientEP = endpoint(naming.FixedRoutingID(0xcccccccccccccccc))
+ serverEP = endpoint(naming.FixedRoutingID(0x5555555555555555))
+)
+
//go:generate v23 test generate
const (
@@ -78,12 +84,15 @@
func TestHandshake(t *testing.T) {
// When SecurityNone is used, the blessings should not be sent over the wire.
var (
- client = tsecurity.NewPrincipal("client")
- server = tsecurity.NewPrincipal("server")
- h, vc = New(SecurityNone, LatestVersion, client, server)
- flow, err = vc.Connect()
+ client = tsecurity.NewPrincipal("client")
+ server = tsecurity.NewPrincipal("server")
)
+ h, vc, err := New(SecurityNone, LatestVersion, client, server, nil, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
defer h.Close()
+ flow, err := vc.Connect()
if err != nil {
t.Fatal(err)
}
@@ -95,74 +104,58 @@
}
}
-func testFlowAuthN(flow stream.Flow, serverBlessings security.Blessings, serverDischarges map[string]security.Discharge, clientBlessings security.Blessings) error {
+func testFlowAuthN(flow stream.Flow, serverBlessings security.Blessings, serverDischarges map[string]security.Discharge, clientPublicKey security.PublicKey) error {
if got, want := flow.RemoteBlessings(), serverBlessings; !reflect.DeepEqual(got, want) {
- return fmt.Errorf("Got blessings %v from server, want %v", got, want)
+ return fmt.Errorf("Server shared blessings %v, want %v", got, want)
}
if got, want := flow.RemoteDischarges(), serverDischarges; !reflect.DeepEqual(got, want) {
- return fmt.Errorf("Got discharges %v from server, want %v", got, want)
+ return fmt.Errorf("Server shared discharges %v, want %v", got, want)
}
- if got, want := flow.LocalBlessings(), clientBlessings; !reflect.DeepEqual(got, want) {
- return fmt.Errorf("Client shared %v, wanted %v", got, want)
+ if got, want := flow.LocalBlessings().PublicKey(), clientPublicKey; !reflect.DeepEqual(got, want) {
+ return fmt.Errorf("Client shared %v, want %v", got, want)
}
return nil
}
-func addToRoots(principals []security.Principal, blessings []security.Blessings) error {
- for _, p := range principals {
- for _, b := range blessings {
- if err := p.AddToRoots(b); err != nil {
- return fmt.Errorf("%v.AddToRoots(%v): %v", p, b, err)
- }
- }
+// auth implements security.Authorizer.
+type auth struct {
+ localPrincipal security.Principal
+ remoteBlessings security.Blessings
+ remoteDischarges map[string]security.Discharge
+ suffix, method string
+ err error
+}
+
+// Authorize tests that the context passed to the authorizer is the expected one.
+func (a *auth) Authorize(ctx security.Context) error {
+ if a.err != nil {
+ return a.err
+ }
+ if got, want := ctx.LocalPrincipal(), a.localPrincipal; !reflect.DeepEqual(got, want) {
+ return fmt.Errorf("ctx.LocalPrincipal: got %v, want %v", got, want)
+ }
+ if got, want := ctx.RemoteBlessings(), a.remoteBlessings; !reflect.DeepEqual(got, want) {
+ return fmt.Errorf("ctx.RemoteBlessings: got %v, want %v", got, want)
+ }
+ if got, want := ctx.RemoteDischarges(), a.remoteDischarges; !reflect.DeepEqual(got, want) {
+ return fmt.Errorf("ctx.RemoteDischarges: got %v, want %v", got, want)
+ }
+ if got, want := ctx.LocalEndpoint(), clientEP; !reflect.DeepEqual(got, want) {
+ return fmt.Errorf("ctx.LocalEndpoint: got %v, want %v", got, want)
+ }
+ if got, want := ctx.RemoteEndpoint(), serverEP; !reflect.DeepEqual(got, want) {
+ return fmt.Errorf("ctx.RemoteEndpoint: got %v, want %v", got, want)
+ }
+ if got, want := ctx.Suffix(), a.suffix; got != want {
+ return fmt.Errorf("ctx.RemoteEndpoint: got %v, want %v", got, want)
+ }
+ if got, want := ctx.Method(), a.method; got != want {
+ return fmt.Errorf("ctx.RemoteEndpoint: got %v, want %v", got, want)
}
return nil
}
-func TestHandshakeTLS(t *testing.T) {
- var (
- client = tsecurity.NewPrincipal("client")
- server1 = tsecurity.NewPrincipal("server1")
- server2 = tsecurity.NewPrincipal("server2")
- )
- // Setup client so that is has a specific blessing for S2.
- forServer1 := client.BlessingStore().Default()
- forServer2, err := client.BlessSelf("forS2")
- if err != nil {
- t.Fatal(err)
- }
- client.BlessingStore().Set(security.Blessings{}, security.AllPrincipals)
- client.BlessingStore().Set(forServer1, security.BlessingPattern("server1"))
- client.BlessingStore().Set(forServer2, security.BlessingPattern("server2"))
-
- // Make the clients and servers recognize each other as valid root certificate providers.
- if err := addToRoots([]security.Principal{client, server1, server2}, []security.Blessings{server1.BlessingStore().Default(), server2.BlessingStore().Default(), client.BlessingStore().Default()}); err != nil {
- t.Fatal(err)
- }
-
- // Test handshake between client and server1
- h, vc := New(SecurityTLS, LatestVersion, client, server1)
- defer h.Close()
- flow, err := vc.Connect()
- if err != nil {
- t.Fatalf("Unable to create flow: %v", err)
- }
- if err := testFlowAuthN(flow, server1.BlessingStore().Default(), nil, forServer1); err != nil {
- t.Error(err)
- }
-
- // Test handshake between client and server2
- h, vc = New(SecurityTLS, LatestVersion, client, server2)
- defer h.Close()
- flow, err = vc.Connect()
- if err != nil {
- t.Fatalf("Unable to create flow: %v", err)
- }
- if err := testFlowAuthN(flow, server2.BlessingStore().Default(), nil, forServer2); err != nil {
- t.Error(err)
- }
-}
-
+// mockDischargeClient implements vc.DischargeClient.
type mockDischargeClient []security.Discharge
func (m mockDischargeClient) PrepareDischarges(_ *context.T, forcaveats []security.Caveat, impetus security.DischargeImpetus) []security.Discharge {
@@ -175,12 +168,21 @@
// Test that mockDischargeClient implements vc.DischargeClient.
var _ vc.DischargeClient = (mockDischargeClient)(nil)
-func TestHandshakeWithDischargesTLS(t *testing.T) {
+func TestHandshakeTLS(t *testing.T) {
+ matchesError := func(got error, want string) error {
+ if (got == nil) && len(want) == 0 {
+ return nil
+ }
+ if got == nil && !strings.Contains(got.Error(), want) {
+ return fmt.Errorf("got error %q, wanted to match %q", got, want)
+ }
+ return nil
+ }
var (
+ root = tsecurity.NewIDProvider("root")
discharger = tsecurity.NewPrincipal("discharger")
client = tsecurity.NewPrincipal()
server = tsecurity.NewPrincipal()
- root = tsecurity.NewIDProvider("root")
)
tpcav, err := security.NewPublicKeyCaveat(discharger.PublicKey(), "irrelevant", security.ThirdPartyRequirements{}, security.UnconstrainedUse())
if err != nil {
@@ -190,41 +192,86 @@
if err != nil {
t.Fatal(err)
}
-
- // Setup 'client' and 'server' so that they use a blessing from 'root' with a third-party caveat
- // during VC handshake.
- if err := root.Bless(client, "client", tpcav); err != nil {
+ // Root blesses the client
+ if err := root.Bless(client, "client"); err != nil {
t.Fatal(err)
}
+ // Root blesses the server with a third-party caveat
if err := root.Bless(server, "server", tpcav); err != nil {
t.Fatal(err)
}
- // Test handshake without Discharges
- h, vc := New(SecurityTLS, LatestVersion, client, server, mockDischargeClient(nil))
- defer h.Close()
- flow, err := vc.Connect()
- if err != nil {
- t.Fatalf("Unable to create flow: %v", err)
+ testdata := []struct {
+ dischargeClient vc.DischargeClient
+ auth *vc.ServerAuthorizer
+ dialErr string
+ flowRemoteBlessings security.Blessings
+ flowRemoteDischarges map[string]security.Discharge
+ }{
+ {
+ flowRemoteBlessings: server.BlessingStore().Default(),
+ },
+ {
+ dischargeClient: mockDischargeClient([]security.Discharge{dis}),
+ flowRemoteBlessings: server.BlessingStore().Default(),
+ flowRemoteDischarges: map[string]security.Discharge{dis.ID(): dis},
+ },
+ {
+ dischargeClient: mockDischargeClient([]security.Discharge{dis}),
+ auth: &vc.ServerAuthorizer{
+ Suffix: "suffix",
+ Method: "method",
+ Policy: &auth{
+ localPrincipal: client,
+ remoteBlessings: server.BlessingStore().Default(),
+ remoteDischarges: map[string]security.Discharge{dis.ID(): dis},
+ suffix: "suffix",
+ method: "method",
+ },
+ },
+ flowRemoteBlessings: server.BlessingStore().Default(),
+ flowRemoteDischarges: map[string]security.Discharge{dis.ID(): dis},
+ },
+ {
+ dischargeClient: mockDischargeClient([]security.Discharge{dis}),
+ auth: &vc.ServerAuthorizer{
+ Suffix: "suffix",
+ Method: "method",
+ Policy: &auth{
+ err: errors.New("authorization error"),
+ },
+ },
+ dialErr: "authorization error",
+ },
}
- if err := testFlowAuthN(flow, server.BlessingStore().Default(), nil, client.BlessingStore().Default()); err != nil {
- t.Error(err)
- }
-
- // Test handshake with Discharges
- h, vc = New(SecurityTLS, LatestVersion, client, server, mockDischargeClient([]security.Discharge{dis}))
- defer h.Close()
- flow, err = vc.Connect()
- if err != nil {
- t.Fatalf("Unable to create flow: %v", err)
- }
- if err := testFlowAuthN(flow, server.BlessingStore().Default(), map[string]security.Discharge{dis.ID(): dis}, client.BlessingStore().Default()); err != nil {
- t.Error(err)
+ for i, d := range testdata {
+ h, vc, err := New(SecurityTLS, LatestVersion, client, server, d.dischargeClient, d.auth)
+ if merr := matchesError(err, d.dialErr); merr != nil {
+ t.Errorf("Test #%d: HandshakeDialedVC with server authorizer %#v:: %v", i, d.auth.Policy, merr)
+ }
+ if err != nil {
+ continue
+ }
+ flow, err := vc.Connect()
+ if err != nil {
+ h.Close()
+ t.Errorf("Unable to create flow: %v", err)
+ continue
+ }
+ if err := testFlowAuthN(flow, d.flowRemoteBlessings, d.flowRemoteDischarges, client.PublicKey()); err != nil {
+ h.Close()
+ t.Error(err)
+ continue
+ }
+ h.Close()
}
}
func testConnect_Small(t *testing.T, security options.VCSecurityLevel) {
- h, vc := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"))
+ h, vc, err := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"), nil, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
defer h.Close()
flow, err := vc.Connect()
if err != nil {
@@ -236,7 +283,10 @@
func TestConnect_SmallTLS(t *testing.T) { testConnect_Small(t, SecurityTLS) }
func testConnect(t *testing.T, security options.VCSecurityLevel) {
- h, vc := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"))
+ h, vc, err := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"), nil, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
defer h.Close()
flow, err := vc.Connect()
if err != nil {
@@ -248,7 +298,10 @@
func TestConnectTLS(t *testing.T) { testConnect(t, SecurityTLS) }
func testConnect_Version7(t *testing.T, security options.VCSecurityLevel) {
- h, vc := New(security, version.IPCVersion7, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"))
+ h, vc, err := New(security, version.IPCVersion7, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"), nil, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
defer h.Close()
flow, err := vc.Connect()
if err != nil {
@@ -265,7 +318,10 @@
func testConcurrentFlows(t *testing.T, security options.VCSecurityLevel, flows, gomaxprocs int) {
mp := runtime.GOMAXPROCS(gomaxprocs)
defer runtime.GOMAXPROCS(mp)
- h, vc := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"))
+ h, vc, err := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"), nil, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
defer h.Close()
var wg sync.WaitGroup
@@ -292,7 +348,10 @@
func testListen(t *testing.T, security options.VCSecurityLevel) {
data := "the dark knight"
- h, vc := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"))
+ h, vc, err := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"), nil, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
defer h.Close()
if err := h.VC.AcceptFlow(id.Flow(21)); err == nil {
t.Errorf("Expected AcceptFlow on a new flow to fail as Listen was not called")
@@ -339,7 +398,10 @@
func TestListenTLS(t *testing.T) { testListen(t, SecurityTLS) }
func testNewFlowAfterClose(t *testing.T, security options.VCSecurityLevel) {
- h, _ := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"))
+ h, _, err := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"), nil, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
defer h.Close()
h.VC.Close("reason")
if err := h.VC.AcceptFlow(id.Flow(10)); err == nil {
@@ -350,7 +412,10 @@
func TestNewFlowAfterCloseTLS(t *testing.T) { testNewFlowAfterClose(t, SecurityTLS) }
func testConnectAfterClose(t *testing.T, security options.VCSecurityLevel) {
- h, vc := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"))
+ h, vc, err := New(security, LatestVersion, tsecurity.NewPrincipal("client"), tsecurity.NewPrincipal("server"), nil, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
defer h.Close()
h.VC.Close("myerr")
if f, err := vc.Connect(); f != nil || err == nil || !strings.Contains(err.Error(), "myerr") {
@@ -372,15 +437,12 @@
// New creates both ends of a VC but returns only the "client" end (i.e., the
// one that initiated the VC). The "server" end (the one that "accepted" the VC)
// listens for flows and simply echoes data read.
-func New(security options.VCSecurityLevel, v version.IPCVersion, client, server security.Principal, dischargeClients ...vc.DischargeClient) (*helper, stream.VC) {
+func New(security options.VCSecurityLevel, v version.IPCVersion, client, server security.Principal, dischargeClient vc.DischargeClient, auth *vc.ServerAuthorizer) (*helper, stream.VC, error) {
clientH := &helper{bq: drrqueue.New(vc.MaxPayloadSizeBytes)}
serverH := &helper{bq: drrqueue.New(vc.MaxPayloadSizeBytes)}
clientH.otherEnd = serverH
serverH.otherEnd = clientH
- clientEP := endpoint(naming.FixedRoutingID(0xcccccccccccccccc))
- serverEP := endpoint(naming.FixedRoutingID(0x5555555555555555))
-
vci := id.VC(1234)
clientParams := vc.Params{
@@ -411,21 +473,24 @@
lopts := []stream.ListenerOpt{vc.LocalPrincipal{server}, security}
vcopts := []stream.VCOpt{vc.LocalPrincipal{client}, security}
- if len(dischargeClients) > 0 {
- lopts = append(lopts, dischargeClients[0])
- vcopts = append(vcopts, dischargeClients[0])
+ if dischargeClient != nil {
+ lopts = append(lopts, dischargeClient)
+ }
+ if auth != nil {
+ vcopts = append(vcopts, auth)
}
c := serverH.VC.HandshakeAcceptedVC(lopts...)
if err := clientH.VC.HandshakeDialedVC(vcopts...); err != nil {
- panic(err)
+ go func() { <-c }()
+ return nil, nil, err
}
hr := <-c
if hr.Error != nil {
- panic(hr.Error)
+ return nil, nil, hr.Error
}
go acceptLoop(hr.Listener)
- return clientH, clientH.VC
+ return clientH, clientH.VC, nil
}
// pipeLoop forwards slices written to h.bq to dst.
diff --git a/runtimes/google/ipc/stream/vif/auth.go b/runtimes/google/ipc/stream/vif/auth.go
index c280ebd..b2176cf 100644
--- a/runtimes/google/ipc/stream/vif/auth.go
+++ b/runtimes/google/ipc/stream/vif/auth.go
@@ -14,7 +14,6 @@
"v.io/core/veyron/runtimes/google/ipc/stream/vc"
"v.io/core/veyron/runtimes/google/ipc/version"
"v.io/core/veyron/runtimes/google/lib/iobuf"
- "v.io/v23/context"
ipcversion "v.io/v23/ipc/version"
"v.io/v23/options"
"v.io/v23/security"
@@ -60,11 +59,11 @@
// including a hash of the HopSetup message in the encrypted stream. It is
// likely that this will be addressed in subsequent protocol versions (or it may
// not be addressed at all if IPCVersion6 becomes the only supported version).
-func AuthenticateAsClient(ctx *context.T, writer io.Writer, reader *iobuf.Reader, versions *version.Range, principal security.Principal, dc vc.DischargeClient) (crypto.ControlCipher, error) {
+func AuthenticateAsClient(writer io.Writer, reader *iobuf.Reader, versions *version.Range, params security.ContextParams, auth *vc.ServerAuthorizer) (crypto.ControlCipher, error) {
if versions == nil {
versions = version.SupportedRange
}
- if principal == nil {
+ if params.LocalPrincipal == nil {
// If there is no principal, we do not support encryption/authentication.
var err error
versions, err = versions.Intersect(&version.Range{Min: 0, Max: ipcversion.IPCVersion5})
@@ -106,10 +105,10 @@
}
// Perform the authentication.
- return authenticateAsClient(ctx, writer, reader, principal, dc, &pvt, &pub, ppub, v)
+ return authenticateAsClient(writer, reader, params, auth, &pvt, &pub, ppub, v)
}
-func authenticateAsClient(ctx *context.T, writer io.Writer, reader *iobuf.Reader, principal security.Principal, dc vc.DischargeClient,
+func authenticateAsClient(writer io.Writer, reader *iobuf.Reader, params security.ContextParams, auth *vc.ServerAuthorizer,
pvt *privateData, pub, ppub *message.HopSetup, version ipcversion.IPCVersion) (crypto.ControlCipher, error) {
if version < ipcversion.IPCVersion6 {
return nil, errUnsupportedEncryptVersion
@@ -121,9 +120,9 @@
c := crypto.NewControlCipherIPC6(&pbox.PublicKey, &pvt.naclBoxPrivateKey, false)
sconn := newSetupConn(writer, reader, c)
// TODO(jyh): act upon the authentication results.
- _, _, _, err := vc.AuthenticateAsClient(ctx, sconn, principal, dc, crypto.NewNullCrypter(), version)
+ _, _, _, err := vc.AuthenticateAsClient(sconn, crypto.NewNullCrypter(), params, auth, version)
if err != nil {
- return nil, err
+ return nil, fmt.Errorf("authentication failed: %v", err)
}
return c, nil
}
@@ -181,9 +180,9 @@
c := crypto.NewControlCipherIPC6(&box.PublicKey, &pvt.naclBoxPrivateKey, true)
sconn := newSetupConn(writer, reader, c)
// TODO(jyh): act upon authentication results.
- _, _, err := vc.AuthenticateAsServer(sconn, principal, lBlessings, dc, crypto.NewNullCrypter(), version)
+ _, err := vc.AuthenticateAsServer(sconn, principal, lBlessings, dc, crypto.NewNullCrypter(), version)
if err != nil {
- return nil, err
+ return nil, fmt.Errorf("authentication failed: %v", err)
}
return c, nil
}
@@ -219,41 +218,6 @@
return
}
-// clientAuthOptions extracts the client authentication options from the options
-// list.
-func clientAuthOptions(lopts []stream.VCOpt) (ctx *context.T, principal security.Principal, dischargeClient vc.DischargeClient, err error) {
- var securityLevel options.VCSecurityLevel
- var noDischarges bool
- for _, o := range lopts {
- switch v := o.(type) {
- case vc.DialContext:
- ctx = v.T
- case vc.DischargeClient:
- dischargeClient = v
- case vc.LocalPrincipal:
- principal = v.Principal
- case options.VCSecurityLevel:
- securityLevel = v
- case vc.NoDischarges:
- noDischarges = true
- }
- }
- if noDischarges {
- dischargeClient = nil
- }
- switch securityLevel {
- case options.VCSecurityConfidential:
- if principal == nil {
- principal = vc.AnonymousPrincipal
- }
- case options.VCSecurityNone:
- principal = nil
- default:
- err = fmt.Errorf("unrecognized VC security level: %v", securityLevel)
- }
- return
-}
-
// makeHopSetup constructs the options that this process can support.
func makeHopSetup(versions *version.Range) (pvt privateData, pub message.HopSetup, err error) {
pub.Versions = *versions
diff --git a/runtimes/google/ipc/stream/vif/vif.go b/runtimes/google/ipc/stream/vif/vif.go
index e356600..44ae2d5 100644
--- a/runtimes/google/ipc/stream/vif/vif.go
+++ b/runtimes/google/ipc/stream/vif/vif.go
@@ -26,7 +26,10 @@
"v.io/core/veyron/runtimes/google/lib/pcqueue"
vsync "v.io/core/veyron/runtimes/google/lib/sync"
"v.io/core/veyron/runtimes/google/lib/upcqueue"
+ "v.io/v23/context"
"v.io/v23/naming"
+ "v.io/v23/options"
+ "v.io/v23/security"
"v.io/v23/verror"
"v.io/v23/vtrace"
"v.io/x/lib/vlog"
@@ -128,7 +131,7 @@
// placed inside veyron/runtimes/google. Code outside the
// veyron2/runtimes/google/* packages should never call this method.
func InternalNewDialedVIF(conn net.Conn, rid naming.RoutingID, versions *version.Range, opts ...stream.VCOpt) (*VIF, error) {
- ctx, principal, dc, err := clientAuthOptions(opts)
+ ctx, principal, err := clientAuthOptions(opts)
if err != nil {
return nil, err
}
@@ -140,7 +143,13 @@
}
pool := iobuf.NewPool(0)
reader := iobuf.NewReader(pool, conn)
- c, err := AuthenticateAsClient(ctx, conn, reader, versions, principal, dc)
+ params := security.ContextParams{LocalPrincipal: principal, LocalEndpoint: localEP(conn, rid, versions)}
+
+ // TODO(ataly, ashankar, suharshs): Figure out what authorization policy to use
+ // for authenticating the server during VIF establishment. Note that we cannot
+ // use the VC.ServerAuthorizer available in 'opts' as that applies to the end
+ // server and not the remote endpoint of the VIF.
+ c, err := AuthenticateAsClient(conn, reader, versions, params, nil)
if err != nil {
return nil, err
}
@@ -193,11 +202,6 @@
}
stopQ.Release(-1) // Disable flow control
- localAddr := conn.LocalAddr()
- ep := version.Endpoint(localAddr.Network(), localAddr.String(), rid)
- if versions != nil {
- ep = versions.Endpoint(localAddr.Network(), localAddr.String(), rid)
- }
vif := &VIF{
conn: conn,
pool: pool,
@@ -206,7 +210,7 @@
vcMap: newVCMap(),
acceptor: acceptor,
listenerOpts: listenerOpts,
- localEP: ep,
+ localEP: localEP(conn, rid, versions),
nextVCI: initialVCI,
outgoing: outgoing,
expressQ: expressQ,
@@ -924,3 +928,39 @@
b.Release()
}
}
+
+func localEP(conn net.Conn, rid naming.RoutingID, versions *version.Range) naming.Endpoint {
+ localAddr := conn.LocalAddr()
+ ep := version.Endpoint(localAddr.Network(), localAddr.String(), rid)
+ if versions != nil {
+ ep = versions.Endpoint(localAddr.Network(), localAddr.String(), rid)
+ }
+ return ep
+}
+
+// clientAuthOptions extracts the client authentication options from the options
+// list.
+func clientAuthOptions(lopts []stream.VCOpt) (ctx *context.T, principal security.Principal, err error) {
+ var securityLevel options.VCSecurityLevel
+ for _, o := range lopts {
+ switch v := o.(type) {
+ case vc.DialContext:
+ ctx = v.T
+ case vc.LocalPrincipal:
+ principal = v.Principal
+ case options.VCSecurityLevel:
+ securityLevel = v
+ }
+ }
+ switch securityLevel {
+ case options.VCSecurityConfidential:
+ if principal == nil {
+ principal = vc.AnonymousPrincipal
+ }
+ case options.VCSecurityNone:
+ principal = nil
+ default:
+ err = fmt.Errorf("unrecognized VC security level: %v", securityLevel)
+ }
+ return
+}
diff --git a/runtimes/google/ipc/stream/vif/vif_test.go b/runtimes/google/ipc/stream/vif/vif_test.go
index 738c416..1c12716 100644
--- a/runtimes/google/ipc/stream/vif/vif_test.go
+++ b/runtimes/google/ipc/stream/vif/vif_test.go
@@ -383,7 +383,7 @@
c1, c2 := pipe()
result := make(chan *vif.VIF)
go func() {
- client, err := vif.InternalNewDialedVIF(c1, naming.FixedRoutingID(0xc), nil, nil, nil)
+ client, err := vif.InternalNewDialedVIF(c1, naming.FixedRoutingID(0xc), nil)
if err != nil {
t.Fatal(err)
}
@@ -492,7 +492,7 @@
var cerr error
cl := make(chan *vif.VIF)
go func() {
- c, err := vif.InternalNewDialedVIF(c1, naming.FixedRoutingID(0xc), clientVersions, newPrincipal("client"), nil)
+ c, err := vif.InternalNewDialedVIF(c1, naming.FixedRoutingID(0xc), clientVersions, newPrincipal("client"))
if err != nil {
cerr = err
close(cl)
diff --git a/runtimes/google/ipc/testutil_test.go b/runtimes/google/ipc/testutil_test.go
index 4e3e4e8..5bff981 100644
--- a/runtimes/google/ipc/testutil_test.go
+++ b/runtimes/google/ipc/testutil_test.go
@@ -3,8 +3,12 @@
import (
"reflect"
"testing"
+ "time"
+ "v.io/v23/context"
+ "v.io/v23/naming"
"v.io/v23/security"
+ "v.io/v23/vdl"
"v.io/v23/verror"
)
@@ -63,3 +67,30 @@
}
return b
}
+
+// We need a special way to create contexts for tests. We
+// can't create a real runtime in the runtime implementation
+// so we use a fake one that panics if used. The runtime
+// implementation should not ever use the Runtime from a context.
+func testContext() *context.T {
+ ctx, _ := context.WithTimeout(testContextWithoutDeadline(), 20*time.Second)
+ return ctx
+}
+
+type mockSecurityContext struct {
+ p security.Principal
+ l, r security.Blessings
+ c *context.T
+}
+
+func (c *mockSecurityContext) Timestamp() (t time.Time) { return }
+func (c *mockSecurityContext) Method() string { return "" }
+func (c *mockSecurityContext) MethodTags() []*vdl.Value { return nil }
+func (c *mockSecurityContext) Suffix() string { return "" }
+func (c *mockSecurityContext) RemoteDischarges() map[string]security.Discharge { return nil }
+func (c *mockSecurityContext) LocalEndpoint() naming.Endpoint { return nil }
+func (c *mockSecurityContext) RemoteEndpoint() naming.Endpoint { return nil }
+func (c *mockSecurityContext) LocalPrincipal() security.Principal { return c.p }
+func (c *mockSecurityContext) LocalBlessings() security.Blessings { return c.l }
+func (c *mockSecurityContext) RemoteBlessings() security.Blessings { return c.r }
+func (c *mockSecurityContext) Context() *context.T { return c.c }
