"veyron/security/flag": Methods for processing Auth flags

This CL adds methods for parsing "--acl", "--acl_file" flags
and constructing an Authorizer from them.

Change-Id: I36fba5954bddf99b8348cbf5c26507952ed0eeeb
diff --git a/security/flag/flag.go b/security/flag/flag.go
new file mode 100644
index 0000000..fa032b8
--- /dev/null
+++ b/security/flag/flag.go
@@ -0,0 +1,37 @@
+// Package flag defines a method for parsing ACL flags and constructing
+// a security.Authorizer based on them.
+package flag
+
+import (
+	"bytes"
+	"errors"
+	"flag"
+
+	"veyron2/security"
+)
+
+var (
+	acl     = flag.String("acl", "", "acl is an optional JSON-encoded security.ACL that is used to construct a security.Authorizer. Example: \"{\"veyron/alice\":\"RW\"}\" is a JSON-encoded ACL that allows all principals matching \"veyron/alice\" to access all methods with ReadLabel or WriteLabel. If this flag is provided then the \"--acl_file\" must be absent.")
+	aclFile = flag.String("acl_file", "", "acl_file is an optional path to a file containing a JSON-encoded security.ACL that is used to construct a security.Authorizer. If this flag is provided then the \"--acl_file\" flag must be absent.")
+)
+
+// NewAuthorizerOrDie constructs an Authorizer based on the provided "--acl" or
+// "--acl_file" flags. If both flags are provided the function panics, and if
+// neither flag is provided a nil Authorizer is returned (Note that services with
+// nil Authorizers are provided with default authorization by the framework.)
+func NewAuthorizerOrDie() security.Authorizer {
+	if len(*acl) == 0 && len(*aclFile) == 0 {
+		return nil
+	}
+	if len(*acl) != 0 && len(*aclFile) != 0 {
+		panic(errors.New("only one of the flags \"--acl\" or \"--acl_file\" must be provided"))
+	}
+	if len(*aclFile) != 0 {
+		return security.NewFileACLAuthorizer(*aclFile)
+	}
+	a, err := security.LoadACL(bytes.NewBufferString(*acl))
+	if err != nil {
+		return nil
+	}
+	return security.NewACLAuthorizer(a)
+}
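Review bot: A malformed `--acl` value makes NewAuthorizerOrDie return nil (the `if err != nil { return nil }` branch after security.LoadACL), and the doc comment above states that a nil Authorizer gets the framework's default authorization, so a typo in the operator's ACL silently swaps the intended policy for the default instead of failing. Given the OrDie name and the panic already used for the both-flags case, the error branch should fail closed: `if err != nil { panic(err) }`. Separately, the `acl_file` help string says the "--acl_file" flag must be absent where it means "--acl". How security.NewFileACLAuthorizer reports an unreadable or invalid file is not visible in this hunk and is worth confirming, so that the file path fails the same way.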