veyron2/services/security/access: Update to the new ACL format.
Background:
https://drive.google.com/open?id=1DZUu2sGKrf-b4p9JFdIbN0ULhz9Loa8reuPNKsdMKD0&authuser=0
This commit is step 1 of (3 or 4) to remove the old format ACL
(security.ACL type), Labels and LabelSet types and switch everything to
the "tagged acl".
Specifically this change:
- Removes security.Label from security.Context
(a subsequent change will get rid of Label and LabelSet types
completely)
- Updates the access API to use the new format ACLs and tags.
- Updates all usage of the old format labels and ACLs in the core
repository to the new format
- Provides for backward compatibility - if flags/ACL files are lying
around in the old format, they will still work. Files will be
overwritten in place and at some point in the near future the
old format will be dropped completely.
- The "monitoring" label has no current equivalent. Can be added
later if needed, but so far its usage seemed to coincide with
"debug"
Change-Id: Ie665fdccd8c82c30273399fc17406cdc95be03ee
diff --git a/security/acl/acl.go b/security/acl/acl.go
deleted file mode 100644
index 3971530..0000000
--- a/security/acl/acl.go
+++ /dev/null
@@ -1,44 +0,0 @@
-package acl
-
-import (
- "encoding/json"
- "io"
-
- "veyron.io/veyron/veyron2/security"
-)
-
-// Includes returns true iff the ACL grants access to a principal
-// that presents blessings.
-func (acl ACL) Includes(blessings ...string) bool {
- blessings = pruneBlacklisted(acl.NotIn, blessings)
- for _, pattern := range acl.In {
- if pattern.MatchedBy(blessings...) {
- return true
- }
- }
- return false
-}
-
-// WriteTo writes the JSON-encoded representation of a TaggedACLMap to w.
-func (m TaggedACLMap) WriteTo(w io.Writer) error {
- return json.NewEncoder(w).Encode(m)
-}
-
-// ReadTaggedACLMap reads the JSON-encoded representation of a TaggedACLMap from r.
-func ReadTaggedACLMap(r io.Reader) (m TaggedACLMap, err error) {
- err = json.NewDecoder(r).Decode(&m)
- return
-}
-
-func pruneBlacklisted(blacklist, blessings []string) []string {
- if len(blacklist) == 0 {
- return blessings
- }
- var filtered []string
- for _, b := range blessings {
- if !security.BlessingPattern(b).MatchedBy(blacklist...) {
- filtered = append(filtered, b)
- }
- }
- return filtered
-}
diff --git a/security/acl/acl.vdl b/security/acl/acl.vdl
deleted file mode 100644
index 51bc01c..0000000
--- a/security/acl/acl.vdl
+++ /dev/null
@@ -1,38 +0,0 @@
-// Package acl defines types and methods to represent Access Control Lists and enforce authorization policies based on them.
-package acl
-
-import "veyron.io/veyron/veyron2/security"
-
-// ACL represents an Access Control List - a set of blessings that should be
-// granted access.
-type ACL struct {
- // In denotes the set of blessings (represented as BlessingPatterns) that
- // should be granted access, unless blacklisted by an entry in NotIn.
- //
- // For example:
- // In: {"alice/family/..."}
- // grants access to a principal that presents at least one of "alice",
- // "alice/family", "alice/family/friend" etc. as a blessing.
- In []security.BlessingPattern
-
- // NotIn denotes the set of blessings (and their delegates) that
- // have been explicitly blacklisted from the In set.
- //
- // For example:
- // In: {"alice/friend/..."}, NotIn: {"alice/friend/bob"}
- // grants access to principals that present "alice", "alice/friend",
- // "alice/friend/carol" etc. but NOT to a principal that presents
- // "alice/friend/bob" or "alice/friend/bob/spouse" etc.
- NotIn []string
-
- // TODO(ashankar,ataly): At some point, introduce group identifiers here?
-}
-
-// TaggedACLMap maps string tags to access control lists specifying the
-// blessings required to invoke methods with that tag.
-//
-// These tags are meant to add a layer of interposition between set of users
-// (blessings, specifically) and the set of methods, much like "Roles" do in
-// Role Based Access Control (RBAC).
-// (http://en.wikipedia.org/wiki/Role-based_access_control)
-type TaggedACLMap map[string]ACL
diff --git a/security/acl/acl.vdl.go b/security/acl/acl.vdl.go
deleted file mode 100644
index 4a658de..0000000
--- a/security/acl/acl.vdl.go
+++ /dev/null
@@ -1,40 +0,0 @@
-// This file was auto-generated by the veyron vdl tool.
-// Source: acl.vdl
-
-// Package acl defines types and methods to represent Access Control Lists and enforce authorization policies based on them.
-package acl
-
-import (
- "veyron.io/veyron/veyron2/security"
-)
-
-// ACL represents an Access Control List - a set of blessings that should be
-// granted access.
-type ACL struct {
- // In denotes the set of blessings (represented as BlessingPatterns) that
- // should be granted access, unless blacklisted by an entry in NotIn.
- //
- // For example:
- // In: {"alice/family/..."}
- // grants access to a principal that presents at least one of "alice",
- // "alice/family", "alice/family/friend" etc. as a blessing.
- In []security.BlessingPattern
- // NotIn denotes the set of blessings (and their delegates) that
- // have been explicitly blacklisted from the In set.
- //
- // For example:
- // In: {"alice/friend/..."}, NotIn: {"alice/friend/bob"}
- // grants access to principals that present "alice", "alice/friend",
- // "alice/friend/carol" etc. but NOT to a principal that presents
- // "alice/friend/bob" or "alice/friend/bob/spouse" etc.
- NotIn []string
-}
-
-// TaggedACLMap maps string tags to access control lists specifying the
-// blessings required to invoke methods with that tag.
-//
-// These tags are meant to add a layer of interposition between set of users
-// (blessings, specifically) and the set of methods, much like "Roles" do in
-// Role Based Access Control (RBAC).
-// (http://en.wikipedia.org/wiki/Role-based_access_control)
-type TaggedACLMap map[string]ACL
diff --git a/security/acl/acl_test.go b/security/acl/acl_test.go
deleted file mode 100644
index 4187b18..0000000
--- a/security/acl/acl_test.go
+++ /dev/null
@@ -1,86 +0,0 @@
-package acl
-
-import (
- "bytes"
- "reflect"
- "testing"
-
- "veyron.io/veyron/veyron2/security"
-)
-
-func TestInclude(t *testing.T) {
- acl := ACL{
- In: []security.BlessingPattern{"alice", "alice/friend/...", "bob/family/..."},
- NotIn: []string{"alice/friend/carol", "bob/family/mallory"},
- }
- type V []string // shorthand
- tests := []struct {
- Blessings []string
- Want bool
- }{
- {nil, false}, // No blessings presented, cannot access
- {V{}, false},
- {V{"alice"}, true},
- {V{"bob"}, true},
- {V{"carol"}, false},
- {V{"alice/colleague"}, false},
- {V{"alice", "carol/friend"}, true}, // Presenting one blessing that grants access is sufficient
- {V{"alice/friend/bob"}, true},
- {V{"alice/friend/carol"}, false}, // alice/friend/carol is blacklisted
- {V{"alice/friend/carol/family"}, false}, // alice/friend/carol is blacklisted, thus her delegates must be too.
- {V{"alice/friend/bob", "alice/friend/carol"}, true},
- {V{"bob/family/eve", "bob/family/mallory"}, true},
- {V{"bob/family/mallory", "alice/friend/carol"}, false},
- }
- for _, test := range tests {
- if got, want := acl.Includes(test.Blessings...), test.Want; got != want {
- t.Errorf("Includes(%v): Got %v, want %v", test.Blessings, got, want)
- }
- }
-}
-
-func TestOpenACL(t *testing.T) {
- acl := ACL{In: []security.BlessingPattern{security.AllPrincipals}}
- if !acl.Includes() {
- t.Errorf("OpenACL should allow principals that present no blessings")
- }
- if !acl.Includes("frank") {
- t.Errorf("OpenACL should allow principals that present any blessings")
- }
-}
-
-func TestTaggedACLMapSerialization(t *testing.T) {
- obj := TaggedACLMap{
- "R": ACL{
- In: []security.BlessingPattern{"foo/...", "bar/..."},
- NotIn: []string{"bar/baz"},
- },
- "W": ACL{
- In: []security.BlessingPattern{"foo/...", "bar"},
- NotIn: []string{"foo/bar", "foo/baz/boz"},
- },
- }
- txt := `
-{
- "R": {
- "In":["foo/...","bar/..."],
- "NotIn":["bar/baz"]
- },
- "W": {
- "In":["foo/...","bar"],
- "NotIn":["foo/bar","foo/baz/boz"]
- }
-}
-`
- if got, err := ReadTaggedACLMap(bytes.NewBufferString(txt)); err != nil || !reflect.DeepEqual(got, obj) {
- t.Errorf("Got error %v, TaggedACLMap: %v, want %v", err, got, obj)
- }
- // And round-trip (don't compare with 'txt' because indentation/spacing might differ).
- var buf bytes.Buffer
- if err := obj.WriteTo(&buf); err != nil {
- t.Fatal(err)
- }
- if got, err := ReadTaggedACLMap(&buf); err != nil || !reflect.DeepEqual(got, obj) {
- t.Errorf("Got error %v, TaggedACLMap: %v, want %v", err, got, obj)
- }
-}
diff --git a/security/acl/authorizer.go b/security/acl/authorizer.go
deleted file mode 100644
index f4d60c9..0000000
--- a/security/acl/authorizer.go
+++ /dev/null
@@ -1,150 +0,0 @@
-package acl
-
-import (
- "fmt"
- "os"
- "reflect"
-
- "veyron.io/veyron/veyron2/security"
-)
-
-// TaggedACLAuthorizer implements an authorization policy where access is
-// granted if the remote end presents blessings included in the Access Control
-// Lists (ACLs) associated with the set of relevant tags.
-//
-// The set of relevant tags is the subset of tags associated with the
-// method (security.Context.MethodTags) that have the same type as tagType.
-// Currently, tagType.Kind must be reflect.String, i.e., only tags that are
-// named string types are supported.
-//
-// If multiple tags of tagType are associated with the method, then access is
-// granted if the peer presents blessings that match the ACLs of each one of
-// those tags. If no tags of tagType are associated with the method, then
-// access is denied.
-//
-// If the TaggedACLMap provided is nil, then a nil authorizer is returned.
-//
-// Sample usage:
-//
-// (1) Attach tags to methods in the VDL (eg. myservice.vdl)
-// package myservice
-//
-// type MyTag string
-// const (
-// ReadAccess = MyTag("R")
-// WriteAccess = MyTag("W")
-// )
-//
-// type MyService interface {
-// Get() ([]string, error) {ReadAccess}
-// GetIndex(int) (string, error) {ReadAccess}
-//
-// Set([]string) error {WriteAccess}
-// SetIndex(int, string) error {WriteAccess}
-//
-// GetAndSet([]string) ([]string, error) {ReadAccess, WriteAccess}
-// }
-//
-// (2) Setup the ipc.Dispatcher to use the TaggedACLAuthorizer
-// import (
-// "reflect"
-// "veyron.io/veyron/veyron/security/acl"
-//
-// "veyron.io/veyron/veyron2/ipc"
-// "veyron.io/veyron/veyron2/security"
-// )
-//
-// type dispatcher struct{}
-// func (d dispatcher) Lookup(suffix, method) (ipc.Invoker, security.Authorizer, error) {
-// acl := acl.TaggedACLMap{
-// "R": acl.ACL{In: []security.BlessingPattern{"alice/friends/...", "alice/family/..."} },
-// "W": acl.ACL{In: []security.BlessingPattern{"alice/family/...", "alice/colleagues/..." } },
-// }
-// typ := reflect.TypeOf(ReadAccess) // equivalently, reflect.TypeOf(WriteAccess)
-// return newInvoker(), acl.TaggedACLAuthorizer(acl, typ), nil
-// }
-//
-// With the above dispatcher, the server will grant access to a peer with the blessing
-// "alice/friend/bob" access only to the "Get" and "GetIndex" methods. A peer presenting
-// the blessing "alice/colleague/carol" will get access only to the "Set" and "SetIndex"
-// methods. A peer presenting "alice/family/mom" will get access to all methods, even
-// GetAndSet - which requires that the blessing appear in the ACLs for both the
-// ReadAccess and WriteAccess tags.
-func TaggedACLAuthorizer(acls TaggedACLMap, tagType reflect.Type) (security.Authorizer, error) {
- if tagType.Kind() != reflect.String {
- return nil, fmt.Errorf("tag type(%v) must be backed by a string not %v", tagType, tagType.Kind())
- }
- return &authorizer{acls, tagType}, nil
-}
-
-// TaggedACLAuthorizerFromFile applies the same authorization policy as
-// TaggedACLAuthorizer, with the TaggedACLMap to be used sourced from a file named
-// filename.
-//
-// Changes to the file are monitored and affect subsequent calls to Authorize.
-// Currently, this is achieved by re-reading the file on every call to
-// Authorize.
-// TODO(ashankar,ataly): Use inotify or a similar mechanism to watch for
-// changes.
-func TaggedACLAuthorizerFromFile(filename string, tagType reflect.Type) (security.Authorizer, error) {
- if tagType.Kind() != reflect.String {
- return nil, fmt.Errorf("tag type(%v) must be backed by a string not %v", tagType, tagType.Kind())
- }
- return &fileAuthorizer{filename, tagType}, nil
-}
-
-type authorizer struct {
- acls TaggedACLMap
- tagType reflect.Type
-}
-
-func (a *authorizer) Authorize(ctx security.Context) error {
- // "Self-RPCs" are always authorized.
- if l, r := ctx.LocalBlessings(), ctx.RemoteBlessings(); l != nil && r != nil && reflect.DeepEqual(l.PublicKey(), r.PublicKey()) {
- return nil
- }
- var blessings []string
- if ctx.RemoteBlessings() != nil {
- blessings = ctx.RemoteBlessings().ForContext(ctx)
- }
- grant := false
- for _, tag := range ctx.MethodTags() {
- if v := reflect.ValueOf(tag); v.Type() == a.tagType {
- if acl, exists := a.acls[v.String()]; !exists || !acl.Includes(blessings...) {
- return errACLMatch(blessings)
- }
- grant = true
- }
- }
- if grant {
- return nil
- }
- return errACLMatch(blessings)
-}
-
-type fileAuthorizer struct {
- filename string
- tagType reflect.Type
-}
-
-func (a *fileAuthorizer) Authorize(ctx security.Context) error {
- acl, err := loadTaggedACLMapFromFile(a.filename)
- if err != nil {
- // TODO(ashankar): Information leak?
- return fmt.Errorf("failed to read ACL from file: %v", err)
- }
- return (&authorizer{acl, a.tagType}).Authorize(ctx)
-}
-
-func loadTaggedACLMapFromFile(filename string) (TaggedACLMap, error) {
- file, err := os.Open(filename)
- if err != nil {
- return nil, err
- }
- defer file.Close()
- return ReadTaggedACLMap(file)
-}
-
-func errACLMatch(blessings []string) error {
- return fmt.Errorf("%v does not match ACL", blessings)
-}
diff --git a/security/acl/authorizer_test.go b/security/acl/authorizer_test.go
deleted file mode 100644
index 27803f0..0000000
--- a/security/acl/authorizer_test.go
+++ /dev/null
@@ -1,224 +0,0 @@
-package acl
-
-import (
- "io/ioutil"
- "reflect"
- "testing"
-
- vsecurity "veyron.io/veyron/veyron/security"
- "veyron.io/veyron/veyron/security/acl/test"
- "veyron.io/veyron/veyron2/security"
-)
-
-// TestTaggedACLAuthorizer is both a test and a demonstration of the use of the
-// TaggedACLAuthorizer and interaction with interface specification in VDL.
-func TestTaggedACLAuthorizer(t *testing.T) {
- type P []security.BlessingPattern
- type S []string
- // TaggedACLMap to test against.
- acl := TaggedACLMap{
- "R": {
- In: P{"..."},
- },
- "W": {
- In: P{"ali/family/...", "bob/...", "che"},
- NotIn: S{"bob/acquaintances"},
- },
- "X": {
- In: P{"ali/family/boss", "superman"},
- },
- }
- type testcase struct {
- Method string
- Client security.Blessings
- }
- var (
- authorizer, _ = TaggedACLAuthorizer(acl, reflect.TypeOf(test.Read))
- // Two principals: The "server" and the "client"
- pserver, _ = vsecurity.NewPrincipal()
- pclient, _ = vsecurity.NewPrincipal()
- server, _ = pserver.BlessSelf("server")
-
- // B generates the provided blessings for the client and ensures
- // that the server will recognize them.
- B = func(names ...string) security.Blessings {
- var ret security.Blessings
- for _, name := range names {
- b, err := pclient.BlessSelf(name)
- if err != nil {
- t.Fatalf("%q: %v", name, err)
- }
- if err := pserver.AddToRoots(b); err != nil {
- t.Fatalf("%q: %v", name, err)
- }
- if ret, err = security.UnionOfBlessings(ret, b); err != nil {
- t.Fatal(err)
- }
- }
- return ret
- }
-
- run = func(test testcase) error {
- ctx := security.NewContext(&security.ContextParams{
- LocalPrincipal: pserver,
- LocalBlessings: server,
- RemoteBlessings: test.Client,
- Method: test.Method,
- MethodTags: methodTags(test.Method),
- })
- return authorizer.Authorize(ctx)
- }
- )
-
- // Test cases where access should be granted to methods with tags on
- // them.
- for _, test := range []testcase{
- {"Get", nil},
- {"Get", B("ali")},
- {"Get", B("bob/friend", "che/enemy")},
-
- {"Put", B("ali")},
- {"Put", B("ali/family/mom")},
- {"Put", B("bob/friends")},
- {"Put", B("bob/acquantainces/carol", "che")}, // Access granted because of "che"
-
- {"Resolve", B("ali")},
- {"Resolve", B("ali/family/boss")},
-
- {"AllTags", B("ali/family/boss")},
- } {
- if err := run(test); err != nil {
- t.Errorf("Access denied to method %q to %v: %v", test.Method, test.Client, err)
- }
- }
- // Test cases where access should be denied.
- for _, test := range []testcase{
- // Nobody is denied access to "Get"
- {"Put", B("bob/acquaintances/dave", "che/friend", "dave")},
- {"Resolve", B("ali/family/friend")},
- // Since there are no tags on the NoTags method, it has an
- // empty ACL. No client will have access.
- {"NoTags", B("ali", "ali/family/boss", "bob")},
- // On a method with multiple tags on it, all must be satisfied.
- {"AllTags", B("superman")}, // Only in the X ACL, not in R or W
- {"AllTags", B("superman", "clark")}, // In X and in R, but not W
- } {
- if err := run(test); err == nil {
- t.Errorf("Access to %q granted to %v", test.Method, test.Client)
- }
- }
-}
-
-func TestTaggedACLAuthorizerSelfRPCs(t *testing.T) {
- var (
- // Client and server are the same principal, though have
- // different blessings.
- p, _ = vsecurity.NewPrincipal()
- client, _ = p.BlessSelf("client")
- server, _ = p.BlessSelf("server")
- // Authorizer with a TaggedACLMap that grants read access to
- // anyone, write/execute access to noone.
- typ test.MyTag
- authorizer, _ = TaggedACLAuthorizer(TaggedACLMap{"R": {In: []security.BlessingPattern{"nobody"}}}, reflect.TypeOf(typ))
- )
- for _, test := range []string{"Put", "Get", "Resolve", "NoTags", "AllTags"} {
- ctx := security.NewContext(&security.ContextParams{
- LocalPrincipal: p,
- LocalBlessings: server,
- RemoteBlessings: client,
- Method: test,
- MethodTags: methodTags(test),
- })
- if err := authorizer.Authorize(ctx); err != nil {
- t.Errorf("Got error %v for method %q", err, test)
- }
- }
-}
-
-func TestTaggedACLAuthorizerWithNilACL(t *testing.T) {
- var (
- authorizer, _ = TaggedACLAuthorizer(nil, reflect.TypeOf(test.Read))
- pserver, _ = vsecurity.NewPrincipal()
- pclient, _ = vsecurity.NewPrincipal()
- server, _ = pserver.BlessSelf("server")
- client, _ = pclient.BlessSelf("client")
- )
- for _, test := range []string{"Put", "Get", "Resolve", "NoTags", "AllTags"} {
- ctx := security.NewContext(&security.ContextParams{
- LocalPrincipal: pserver,
- LocalBlessings: server,
- RemoteBlessings: client,
- Method: test,
- MethodTags: methodTags(test),
- })
- if err := authorizer.Authorize(ctx); err == nil {
- t.Errorf("nil TaggedACLMap authorized method %q", test)
- }
- }
-}
-
-func TestTaggedACLAuthorizerFromFile(t *testing.T) {
- file, err := ioutil.TempFile("", "TestTaggedACLAuthorizerFromFile")
- if err != nil {
- t.Fatal(err)
- }
- filename := file.Name()
- file.Close()
-
- var (
- authorizer, _ = TaggedACLAuthorizerFromFile(filename, reflect.TypeOf(test.Read))
- pserver, _ = vsecurity.NewPrincipal()
- pclient, _ = vsecurity.NewPrincipal()
- server, _ = pserver.BlessSelf("alice")
- alicefriend, _ = pserver.Bless(pclient.PublicKey(), server, "friend/bob", security.UnconstrainedUse())
- ctx = security.NewContext(&security.ContextParams{
- LocalPrincipal: pserver,
- LocalBlessings: server,
- RemoteBlessings: alicefriend,
- Method: "Get",
- MethodTags: methodTags("Get"),
- })
- )
- // Make pserver recognize itself as an authority on "alice/..." blessings.
- if err := pserver.AddToRoots(server); err != nil {
- t.Fatal(err)
- }
- // "alice/friend/bob" should not have access to test.Read methods like Get.
- if err := authorizer.Authorize(ctx); err == nil {
- t.Fatalf("Expected authorization error as %v is not on the ACL for Read operations", ctx.RemoteBlessings())
- }
- // Rewrite the file giving access
- if err := ioutil.WriteFile(filename, []byte(`{"R": { "In":["alice/friend/..."] }}`), 0600); err != nil {
- t.Fatal(err)
- }
- // Now should have access
- if err := authorizer.Authorize(ctx); err != nil {
- t.Fatal(err)
- }
-}
-
-func TestTagTypeMustBeString(t *testing.T) {
- type I int
- if auth, err := TaggedACLAuthorizer(TaggedACLMap{}, reflect.TypeOf(I(0))); err == nil || auth != nil {
- t.Errorf("Got (%v, %v), wanted error since tag type is not a string", auth, err)
- }
- if auth, err := TaggedACLAuthorizerFromFile("does_not_matter", reflect.TypeOf(I(0))); err == nil || auth != nil {
- t.Errorf("Got (%v, %v), wanted error since tag type is not a string", auth, err)
- }
-}
-
-func methodTags(name string) []interface{} {
- server := test.MyObjectServer(nil)
- for _, iface := range server.Describe__() {
- for _, method := range iface.Methods {
- if method.Name == name {
- tags := make([]interface{}, len(method.Tags))
- for index, tag := range method.Tags {
- tags[index] = tag
- }
- return tags
- }
- }
- }
- return nil
-}
diff --git a/security/acl/test/vdl.vdl b/security/acl/test/vdl.vdl
deleted file mode 100644
index fd3a73f..0000000
--- a/security/acl/test/vdl.vdl
+++ /dev/null
@@ -1,23 +0,0 @@
-// Package test provides a VDL specification for a service used in the unittest of the acl package.
-package test
-
-// Any package can define tags (of arbitrary types) to be attached to methods.
-// This type can be used to index into a TaggedACLMap.
-type MyTag string
-
-const (
- // For this example/unittest, there are three possible values of MyTag,
- // each represented by a single-character string.
- Read = MyTag("R")
- Write = MyTag("W")
- Execute = MyTag("X")
-)
-
-// MyObject demonstrates how tags are attached to methods.
-type MyObject interface {
- Get() error {Read}
- Put() error {Write}
- Resolve() error {Execute}
- NoTags() error // No tags attached to this.
- AllTags() error {Read, Write, Execute}
-}
diff --git a/security/acl/test/vdl.vdl.go b/security/acl/test/vdl.vdl.go
deleted file mode 100644
index 284a509..0000000
--- a/security/acl/test/vdl.vdl.go
+++ /dev/null
@@ -1,301 +0,0 @@
-// This file was auto-generated by the veyron vdl tool.
-// Source: vdl.vdl
-
-// Package test provides a VDL specification for a service used in the unittest of the acl package.
-package test
-
-import (
- // The non-user imports are prefixed with "__" to prevent collisions.
- __veyron2 "veyron.io/veyron/veyron2"
- __context "veyron.io/veyron/veyron2/context"
- __ipc "veyron.io/veyron/veyron2/ipc"
- __vdlutil "veyron.io/veyron/veyron2/vdl/vdlutil"
- __wiretype "veyron.io/veyron/veyron2/wiretype"
-)
-
-// TODO(toddw): Remove this line once the new signature support is done.
-// It corrects a bug where __wiretype is unused in VDL pacakges where only
-// bootstrap types are used on interfaces.
-const _ = __wiretype.TypeIDInvalid
-
-// Any package can define tags (of arbitrary types) to be attached to methods.
-// This type can be used to index into a TaggedACLMap.
-type MyTag string
-
-// For this example/unittest, there are three possible values of MyTag,
-// each represented by a single-character string.
-const Read = MyTag("R")
-
-const Write = MyTag("W")
-
-const Execute = MyTag("X")
-
-// MyObjectClientMethods is the client interface
-// containing MyObject methods.
-//
-// MyObject demonstrates how tags are attached to methods.
-type MyObjectClientMethods interface {
- Get(__context.T, ...__ipc.CallOpt) error
- Put(__context.T, ...__ipc.CallOpt) error
- Resolve(__context.T, ...__ipc.CallOpt) error
- NoTags(__context.T, ...__ipc.CallOpt) error // No tags attached to this.
- AllTags(__context.T, ...__ipc.CallOpt) error
-}
-
-// MyObjectClientStub adds universal methods to MyObjectClientMethods.
-type MyObjectClientStub interface {
- MyObjectClientMethods
- __ipc.UniversalServiceMethods
-}
-
-// MyObjectClient returns a client stub for MyObject.
-func MyObjectClient(name string, opts ...__ipc.BindOpt) MyObjectClientStub {
- var client __ipc.Client
- for _, opt := range opts {
- if clientOpt, ok := opt.(__ipc.Client); ok {
- client = clientOpt
- }
- }
- return implMyObjectClientStub{name, client}
-}
-
-type implMyObjectClientStub struct {
- name string
- client __ipc.Client
-}
-
-func (c implMyObjectClientStub) c(ctx __context.T) __ipc.Client {
- if c.client != nil {
- return c.client
- }
- return __veyron2.RuntimeFromContext(ctx).Client()
-}
-
-func (c implMyObjectClientStub) Get(ctx __context.T, opts ...__ipc.CallOpt) (err error) {
- var call __ipc.Call
- if call, err = c.c(ctx).StartCall(ctx, c.name, "Get", nil, opts...); err != nil {
- return
- }
- if ierr := call.Finish(&err); ierr != nil {
- err = ierr
- }
- return
-}
-
-func (c implMyObjectClientStub) Put(ctx __context.T, opts ...__ipc.CallOpt) (err error) {
- var call __ipc.Call
- if call, err = c.c(ctx).StartCall(ctx, c.name, "Put", nil, opts...); err != nil {
- return
- }
- if ierr := call.Finish(&err); ierr != nil {
- err = ierr
- }
- return
-}
-
-func (c implMyObjectClientStub) Resolve(ctx __context.T, opts ...__ipc.CallOpt) (err error) {
- var call __ipc.Call
- if call, err = c.c(ctx).StartCall(ctx, c.name, "Resolve", nil, opts...); err != nil {
- return
- }
- if ierr := call.Finish(&err); ierr != nil {
- err = ierr
- }
- return
-}
-
-func (c implMyObjectClientStub) NoTags(ctx __context.T, opts ...__ipc.CallOpt) (err error) {
- var call __ipc.Call
- if call, err = c.c(ctx).StartCall(ctx, c.name, "NoTags", nil, opts...); err != nil {
- return
- }
- if ierr := call.Finish(&err); ierr != nil {
- err = ierr
- }
- return
-}
-
-func (c implMyObjectClientStub) AllTags(ctx __context.T, opts ...__ipc.CallOpt) (err error) {
- var call __ipc.Call
- if call, err = c.c(ctx).StartCall(ctx, c.name, "AllTags", nil, opts...); err != nil {
- return
- }
- if ierr := call.Finish(&err); ierr != nil {
- err = ierr
- }
- return
-}
-
-func (c implMyObjectClientStub) Signature(ctx __context.T, opts ...__ipc.CallOpt) (o0 __ipc.ServiceSignature, err error) {
- var call __ipc.Call
- if call, err = c.c(ctx).StartCall(ctx, c.name, "Signature", nil, opts...); err != nil {
- return
- }
- if ierr := call.Finish(&o0, &err); ierr != nil {
- err = ierr
- }
- return
-}
-
-// MyObjectServerMethods is the interface a server writer
-// implements for MyObject.
-//
-// MyObject demonstrates how tags are attached to methods.
-type MyObjectServerMethods interface {
- Get(__ipc.ServerContext) error
- Put(__ipc.ServerContext) error
- Resolve(__ipc.ServerContext) error
- NoTags(__ipc.ServerContext) error // No tags attached to this.
- AllTags(__ipc.ServerContext) error
-}
-
-// MyObjectServerStubMethods is the server interface containing
-// MyObject methods, as expected by ipc.Server.
-// There is no difference between this interface and MyObjectServerMethods
-// since there are no streaming methods.
-type MyObjectServerStubMethods MyObjectServerMethods
-
-// MyObjectServerStub adds universal methods to MyObjectServerStubMethods.
-type MyObjectServerStub interface {
- MyObjectServerStubMethods
- // Describe the MyObject interfaces.
- Describe__() []__ipc.InterfaceDesc
- // Signature will be replaced with Describe__.
- Signature(ctx __ipc.ServerContext) (__ipc.ServiceSignature, error)
-}
-
-// MyObjectServer returns a server stub for MyObject.
-// It converts an implementation of MyObjectServerMethods into
-// an object that may be used by ipc.Server.
-func MyObjectServer(impl MyObjectServerMethods) MyObjectServerStub {
- stub := implMyObjectServerStub{
- impl: impl,
- }
- // Initialize GlobState; always check the stub itself first, to handle the
- // case where the user has the Glob method defined in their VDL source.
- if gs := __ipc.NewGlobState(stub); gs != nil {
- stub.gs = gs
- } else if gs := __ipc.NewGlobState(impl); gs != nil {
- stub.gs = gs
- }
- return stub
-}
-
-type implMyObjectServerStub struct {
- impl MyObjectServerMethods
- gs *__ipc.GlobState
-}
-
-func (s implMyObjectServerStub) Get(ctx __ipc.ServerContext) error {
- return s.impl.Get(ctx)
-}
-
-func (s implMyObjectServerStub) Put(ctx __ipc.ServerContext) error {
- return s.impl.Put(ctx)
-}
-
-func (s implMyObjectServerStub) Resolve(ctx __ipc.ServerContext) error {
- return s.impl.Resolve(ctx)
-}
-
-func (s implMyObjectServerStub) NoTags(ctx __ipc.ServerContext) error {
- return s.impl.NoTags(ctx)
-}
-
-func (s implMyObjectServerStub) AllTags(ctx __ipc.ServerContext) error {
- return s.impl.AllTags(ctx)
-}
-
-func (s implMyObjectServerStub) VGlob() *__ipc.GlobState {
- return s.gs
-}
-
-func (s implMyObjectServerStub) Describe__() []__ipc.InterfaceDesc {
- return []__ipc.InterfaceDesc{MyObjectDesc}
-}
-
-// MyObjectDesc describes the MyObject interface.
-var MyObjectDesc __ipc.InterfaceDesc = descMyObject
-
-// descMyObject hides the desc to keep godoc clean.
-var descMyObject = __ipc.InterfaceDesc{
- Name: "MyObject",
- PkgPath: "veyron.io/veyron/veyron/security/acl/test",
- Doc: "// MyObject demonstrates how tags are attached to methods.",
- Methods: []__ipc.MethodDesc{
- {
- Name: "Get",
- OutArgs: []__ipc.ArgDesc{
- {"", ``}, // error
- },
- Tags: []__vdlutil.Any{MyTag("R")},
- },
- {
- Name: "Put",
- OutArgs: []__ipc.ArgDesc{
- {"", ``}, // error
- },
- Tags: []__vdlutil.Any{MyTag("W")},
- },
- {
- Name: "Resolve",
- OutArgs: []__ipc.ArgDesc{
- {"", ``}, // error
- },
- Tags: []__vdlutil.Any{MyTag("X")},
- },
- {
- Name: "NoTags",
- OutArgs: []__ipc.ArgDesc{
- {"", ``}, // error
- },
- },
- {
- Name: "AllTags",
- OutArgs: []__ipc.ArgDesc{
- {"", ``}, // error
- },
- Tags: []__vdlutil.Any{MyTag("R"), MyTag("W"), MyTag("X")},
- },
- },
-}
-
-func (s implMyObjectServerStub) Signature(ctx __ipc.ServerContext) (__ipc.ServiceSignature, error) {
- // TODO(toddw): Replace with new Describe__ implementation.
- result := __ipc.ServiceSignature{Methods: make(map[string]__ipc.MethodSignature)}
- result.Methods["AllTags"] = __ipc.MethodSignature{
- InArgs: []__ipc.MethodArgument{},
- OutArgs: []__ipc.MethodArgument{
- {Name: "", Type: 65},
- },
- }
- result.Methods["Get"] = __ipc.MethodSignature{
- InArgs: []__ipc.MethodArgument{},
- OutArgs: []__ipc.MethodArgument{
- {Name: "", Type: 65},
- },
- }
- result.Methods["NoTags"] = __ipc.MethodSignature{
- InArgs: []__ipc.MethodArgument{},
- OutArgs: []__ipc.MethodArgument{
- {Name: "", Type: 65},
- },
- }
- result.Methods["Put"] = __ipc.MethodSignature{
- InArgs: []__ipc.MethodArgument{},
- OutArgs: []__ipc.MethodArgument{
- {Name: "", Type: 65},
- },
- }
- result.Methods["Resolve"] = __ipc.MethodSignature{
- InArgs: []__ipc.MethodArgument{},
- OutArgs: []__ipc.MethodArgument{
- {Name: "", Type: 65},
- },
- }
-
- result.TypeDefs = []__vdlutil.Any{
- __wiretype.NamedPrimitiveType{Type: 0x1, Name: "error", Tags: []string(nil)}}
-
- return result, nil
-}
diff --git a/security/acl_authorizer.go b/security/acl_authorizer.go
deleted file mode 100644
index 2adfa80..0000000
--- a/security/acl_authorizer.go
+++ /dev/null
@@ -1,104 +0,0 @@
-package security
-
-// This file provides an implementation of security.Authorizer.
-//
-// Definitions
-// * Self-RPC: An RPC request is said to be a "self-RPC" if the identities
-// at the local and remote ends are identical.
-
-import (
- "errors"
- "os"
- "reflect"
-
- "veyron.io/veyron/veyron2/security"
-)
-
-var (
- errACL = errors.New("no matching ACL entry found")
- errInvalidLabel = errors.New("label is invalid")
-)
-
-// aclAuthorizer implements Authorizer.
-type aclAuthorizer security.ACL
-
-// Authorize verifies a request iff the identity at the remote end has a name authorized by
-// the aclAuthorizer's ACL for the request's label, or the request corresponds to a self-RPC.
-func (a aclAuthorizer) Authorize(ctx security.Context) error {
- // Test if the request corresponds to a self-RPC.
- if ctx.LocalBlessings() != nil && ctx.RemoteBlessings() != nil && reflect.DeepEqual(ctx.LocalBlessings().PublicKey(), ctx.RemoteBlessings().PublicKey()) {
- return nil
- }
- var blessings []string
- if ctx.RemoteBlessings() != nil {
- blessings = ctx.RemoteBlessings().ForContext(ctx)
- }
- return matchesACL(blessings, ctx.Label(), security.ACL(a))
-}
-
-// NewACLAuthorizer creates an authorizer from the provided ACL. The
-// authorizer authorizes a request iff the identity at the remote end has a name
-// authorized by the provided ACL for the request's label, or the request
-// corresponds to a self-RPC.
-func NewACLAuthorizer(acl security.ACL) security.Authorizer { return aclAuthorizer(acl) }
-
-// fileACLAuthorizer implements Authorizer.
-type fileACLAuthorizer string
-
-// Authorize reads and decodes the fileACLAuthorizer's ACL file into a ACL and
-// then verifies the request according to an aclAuthorizer based on the ACL. If
-// reading or decoding the file fails then no requests are authorized.
-func (a fileACLAuthorizer) Authorize(ctx security.Context) error {
- acl, err := loadACLFromFile(string(a))
- if err != nil {
- return err
- }
- return aclAuthorizer(acl).Authorize(ctx)
-}
-
-// NewFileACLAuthorizer creates an authorizer from the provided path to a file
-// containing a JSON-encoded ACL. Each call to "Authorize" involves reading and
-// decoding a ACL from the file and then authorizing the request according to the
-// ACL. The authorizer monitors the file so out of band changes to the contents of
-// the file are reflected in the ACL. If reading or decoding the file fails then
-// no requests are authorized.
-//
-// The JSON-encoding of a ACL is essentially a JSON object describing a map from
-// BlessingPatterns to encoded LabelSets (see LabelSet.MarshalJSON).
-// Examples:
-// * `{"In": {"..." : "RW"}}` encodes an ACL that allows all principals to access all methods with
-// ReadLabel or WriteLabel.
-// * `{"In":{"veyron/alice": "RW", "veyron/bob/...": "R"}}` encodes an ACL that allows all principals
-// matched by "veyron/alice" to access methods with ReadLabel or WriteLabel, and all
-// principals matched by "veyron/bob/..." to access methods with ReadLabel.
-// * `{"In": {"...": "RW"}, "NotIn": {"veyron/alice": "W"}}` encodes an ACL that allows all principals
-// access to all ReadLabel or WriteLabel methods, EXCEPT that methods with a WriteLabel are not
-// accessible to veyron/alice and her delegates.
-// (Also see BlessingPattern.MatchedBy)
-//
-// TODO(ataly, ashankar): Instead of reading the file on each call we should use the "inotify"
-// mechanism to watch the file. Eventually we should also support ACLs stored in the Veyron
-// store.
-func NewFileACLAuthorizer(filePath string) security.Authorizer { return fileACLAuthorizer(filePath) }
-
-func matchesACL(blessings []string, label security.Label, acl security.ACL) error {
- if len(blessings) == 0 && acl.CanAccess("", label) {
- // No blessings, check if that satisfies the ACL (it will be if AllPrincipals appears in the ACL).
- return nil
- }
- for _, b := range blessings {
- if acl.CanAccess(b, label) {
- return nil
- }
- }
- return errACL
-}
-
-func loadACLFromFile(filePath string) (security.ACL, error) {
- f, err := os.Open(filePath)
- if err != nil {
- return nullACL, err
- }
- defer f.Close()
- return LoadACL(f)
-}
diff --git a/security/acl_authorizer_test.go b/security/acl_authorizer_test.go
deleted file mode 100644
index 98b0e2a..0000000
--- a/security/acl_authorizer_test.go
+++ /dev/null
@@ -1,238 +0,0 @@
-package security
-
-import (
- "io/ioutil"
- "os"
- "runtime"
- "testing"
-
- "veyron.io/veyron/veyron2/security"
-)
-
-func saveACLToTempFile(acl security.ACL) string {
- f, err := ioutil.TempFile("", "saved_acl")
- if err != nil {
- panic(err)
- }
- defer f.Close()
- if err := SaveACL(f, acl); err != nil {
- defer os.Remove(f.Name())
- panic(err)
- }
- return f.Name()
-}
-
-func updateACLInFile(fileName string, acl security.ACL) {
- f, err := os.OpenFile(fileName, os.O_WRONLY, 0600)
- if err != nil {
- panic(err)
- }
- defer f.Close()
- if err := SaveACL(f, acl); err != nil {
- panic(err)
- }
-}
-
-func testSelfRPCs(t *testing.T, authorizer security.Authorizer) {
- _, file, line, _ := runtime.Caller(1)
- var (
- pserver, server = newPrincipal("server")
- _, imposter = newPrincipal("server")
- palice, alice = newPrincipal("alice")
- aliceServer = bless(palice, pserver, alice, "server")
-
- ctxp = &security.ContextParams{LocalPrincipal: pserver, LocalBlessings: server}
- tests = []struct {
- remote security.Blessings
- isAuthorized bool
- }{
- {server, true},
- {imposter, false},
- // A principal talking to itself (even if with a different blessing) is authorized.
- // TODO(ashankar,ataly): Is this a desired property?
- {aliceServer, true},
- }
- )
- for _, test := range tests {
- ctxp.RemoteBlessings = test.remote
- ctx := security.NewContext(ctxp)
- if got, want := authorizer.Authorize(ctx), test.isAuthorized; (got == nil) != want {
- t.Errorf("%s:%d: %+v.Authorize(%v) returned error: %v, want error: %v", file, line, authorizer, ctx, got, !want)
- }
- }
-}
-
-func testNothingPermitted(t *testing.T, authorizer security.Authorizer) {
- _, file, line, _ := runtime.Caller(1)
- var (
- pserver, server = newPrincipal("server")
- palice, alice = newPrincipal("alice")
- pbob, bob = newPrincipal("random")
-
- serverAlice = bless(pserver, palice, server, "alice")
- serverAliceFriend = bless(palice, pbob, serverAlice, "friend")
- serverBob = bless(pserver, pbob, server, "bob")
-
- users = []security.Blessings{
- // blessings not recognized by "server" (since they are rooted at public
- // keys not recognized as roots by pserver)
- alice,
- bob,
- // blessings recognized by "server" (since they are its delegates)
- serverAlice,
- serverAliceFriend,
- serverBob,
- }
-
- invalidLabel = security.Label(3)
- )
- // No principal (other than the server itself - self-RPCs are allowed) should have access to any
- // valid or invalid label.
- for _, u := range users {
- for _, l := range security.ValidLabels {
- ctx := security.NewContext(&security.ContextParams{
- LocalPrincipal: pserver,
- LocalBlessings: server,
- RemoteBlessings: u,
- MethodTags: []interface{}{l},
- })
- if got := authorizer.Authorize(ctx); got == nil {
- t.Errorf("%s:%d: %+v.Authorize(%v) returns nil, want error", file, line, authorizer, ctx)
- }
- }
-
- ctx := security.NewContext(&security.ContextParams{
- LocalPrincipal: pserver,
- LocalBlessings: server,
- RemoteBlessings: u,
- MethodTags: []interface{}{invalidLabel},
- })
- if got := authorizer.Authorize(ctx); got == nil {
- t.Errorf("%s:%d: %+v.Authorize(%v) returns nil, want error", file, line, authorizer, ctx)
- }
- }
-}
-
-func TestACLAuthorizer(t *testing.T) {
- const (
- // Shorthands
- R = security.ReadLabel
- W = security.WriteLabel
- A = security.AdminLabel
- D = security.DebugLabel
- M = security.MonitoringLabel
- X = security.ResolveLabel
- )
- type Expectations map[security.Blessings]security.LabelSet
- // Principals to test
- var (
- // Principals
- pserver, server = newPrincipal("server")
- palice, alice = newPrincipal("alice")
- pbob, bob = newPrincipal("bob")
- pche, che = newPrincipal("che")
-
- // Blessings from the server
- serverAlice = bless(pserver, palice, server, "alice")
- serverBob = bless(pserver, pbob, server, "bob")
- serverChe = bless(pserver, pche, server, "che")
- serverAliceFriend = bless(palice, pbob, serverAlice, "friend")
- serverCheFriend = bless(pche, pbob, serverChe, "friend")
-
- authorizer security.Authorizer // the authorizer to test.
-
- runTests = func(expectations Expectations) {
- _, file, line, _ := runtime.Caller(1)
- for user, labels := range expectations {
- for _, l := range security.ValidLabels {
- ctx := security.NewContext(&security.ContextParams{
- LocalPrincipal: pserver,
- LocalBlessings: server,
- RemoteBlessings: user,
- MethodTags: []interface{}{l},
- })
- if got, want := authorizer.Authorize(ctx), labels.HasLabel(l); (got == nil) != want {
- t.Errorf("%s:%d: %+v.Authorize(%v) returned error: %v, want error: %v", file, line, authorizer, ctx, got, !want)
- }
- }
- }
- }
- )
- // Convenience function for combining Labels into a LabelSet.
- LS := func(labels ...security.Label) security.LabelSet {
- var ret security.LabelSet
- for _, l := range labels {
- ret = ret | security.LabelSet(l)
- }
- return ret
- }
-
- // ACL for testing
- acl := security.ACL{
- In: map[security.BlessingPattern]security.LabelSet{
- "...": LS(R),
- "server/alice/...": LS(W, R),
- "server/alice": LS(A, D, M),
- "server/bob": LS(D, M),
- "server/che/...": LS(W, R),
- "server/che": LS(W, R),
- },
- NotIn: map[string]security.LabelSet{
- "server/che/friend": LS(W),
- },
- }
-
- // Authorizations for the above ACL.
- expectations := Expectations{
- alice: LS(R), // "..." ACL entry.
- bob: LS(R), // "..." ACL entry.
- che: LS(R), // "..." ACL entry.
- server: security.AllLabels, // self RPC
- serverAlice: LS(R, W, A, D, M), // "server/alice/..." ACL entry
- serverBob: LS(R, D, M), // "..." and "server/bob" ACL entries
- serverAliceFriend: LS(W, R), // "server/alice/..." ACL entry.
- serverChe: LS(W, R), // "server/che" ACL entry.
- serverCheFriend: LS(R), // "server/che/..." ACL entry, with the "server/che/friend" NotIn exception.
- nil: LS(R), // No blessings presented, same authorizations as "..." ACL entry.
- }
- // Create an aclAuthorizer based on the ACL and verify the authorizations.
- authorizer = NewACLAuthorizer(acl)
- runTests(expectations)
- testSelfRPCs(t, authorizer)
-
- // Create a fileACLAuthorizer by saving the ACL in a file, and verify the
- // authorizations.
- fileName := saveACLToTempFile(acl)
- defer os.Remove(fileName)
- authorizer = NewFileACLAuthorizer(fileName)
- runTests(expectations)
- testSelfRPCs(t, authorizer)
-
- // Modify the ACL stored in the file and verify that the authorizations appropriately
- // change for the fileACLAuthorizer.
- acl.In["server/bob"] = LS(R, W, A, D, M)
- expectations[serverBob] = LS(R, W, A, D, M)
- updateACLInFile(fileName, acl)
- runTests(expectations)
- testSelfRPCs(t, authorizer)
-
- // Update the ACL file with invalid contents and verify that no requests are
- // authorized.
- f, err := os.OpenFile(fileName, os.O_WRONLY, 0600)
- if err != nil {
- panic(err)
- }
- f.Write([]byte("invalid ACL"))
- f.Close()
- testNothingPermitted(t, authorizer)
-}
-
-func TestFileACLAuthorizerOnNonExistentFile(t *testing.T) {
- testNothingPermitted(t, NewFileACLAuthorizer("fileDoesNotExist"))
-}
-
-func TestNilACLAuthorizer(t *testing.T) {
- authorizer := NewACLAuthorizer(nullACL)
- testNothingPermitted(t, authorizer)
- testSelfRPCs(t, authorizer)
-}
diff --git a/security/agent/pingpong/main.go b/security/agent/pingpong/main.go
index e09ef7b..dcc38d0 100644
--- a/security/agent/pingpong/main.go
+++ b/security/agent/pingpong/main.go
@@ -6,7 +6,6 @@
"veyron.io/veyron/veyron/lib/signals"
_ "veyron.io/veyron/veyron/profiles"
- vsecurity "veyron.io/veyron/veyron/security"
"veyron.io/veyron/veyron2/ipc"
"veyron.io/veyron/veyron2/rt"
@@ -51,10 +50,7 @@
log.Fatal("error listening to service: ", err)
}
- auth := vsecurity.NewACLAuthorizer(security.ACL{In: map[security.BlessingPattern]security.LabelSet{
- security.AllPrincipals: security.AllLabels,
- }})
- if err := s.Serve("pingpong", serverPong, auth); err != nil {
+ if err := s.Serve("pingpong", serverPong, allowEveryone{}); err != nil {
log.Fatal("error serving service: ", err)
}
@@ -62,6 +58,10 @@
<-signals.ShutdownOnSignals()
}
+type allowEveryone struct{}
+
+func (allowEveryone) Authorize(security.Context) error { return nil }
+
func main() {
flag.Parse()
if *runServer {
diff --git a/security/flag/flag.go b/security/flag/flag.go
index 91b54c2..cd1086e 100644
--- a/security/flag/flag.go
+++ b/security/flag/flag.go
@@ -7,14 +7,13 @@
"errors"
"flag"
- vsecurity "veyron.io/veyron/veyron/security"
-
"veyron.io/veyron/veyron2/security"
+ "veyron.io/veyron/veyron2/services/security/access"
)
var (
- acl = flag.String("acl", "", `acl is an optional JSON-encoded security.ACL that is used to construct a security.Authorizer. Example: {"In":{"veyron/alice/...":"RW"}} is a JSON-encoded ACL that allows all delegates of "veyron/alice" to access all methods with ReadLabel or WriteLabel. If this flag is provided then the \"--acl_file\" must be absent.`)
- aclFile = flag.String("acl_file", "", "acl_file is an optional path to a file containing a JSON-encoded security.ACL that is used to construct a security.Authorizer. If this flag is provided then the \"--acl_file\" flag must be absent.")
+ acl = flag.String("acl", "", `acl is an optional JSON-encoded access.TaggedACLMap that is used to construct a security.Authorizer using the tags defined in the access package. Example: {"Read": {"In": ["veyron/alice/..."]}} allows all delegates of "veyron/alice" to access all methods with the "Read" access tag on them. If this flag is set then the --acl_file flag must not be set.`)
+ aclFile = flag.String("acl_file", "", "acl_file is an optional path to a file containing a JSON-encoded access.TaggedACLMap that is used to construct a security.Authorizer (with the set of tags defined in the access package). If this flag is set then --acl must not be set")
)
// NewAuthorizerOrDie constructs an Authorizer based on the provided "--acl" or
@@ -28,12 +27,18 @@
if len(*acl) != 0 && len(*aclFile) != 0 {
panic(errors.New("only one of the flags \"--acl\" or \"--acl_file\" must be provided"))
}
+ var a security.Authorizer
+ var err error
if len(*aclFile) != 0 {
- return vsecurity.NewFileACLAuthorizer(*aclFile)
+ a, err = access.TaggedACLAuthorizerFromFile(*aclFile, access.TypicalTagType())
+ } else {
+ var tam access.TaggedACLMap
+ if tam, err = access.ReadTaggedACLMap(bytes.NewBufferString(*acl)); err == nil {
+ a, err = access.TaggedACLAuthorizer(tam, access.TypicalTagType())
+ }
}
- a, err := vsecurity.LoadACL(bytes.NewBufferString(*acl))
if err != nil {
panic(err)
}
- return vsecurity.NewACLAuthorizer(a)
+ return a
}
diff --git a/security/flag/flag_test.go b/security/flag/flag_test.go
index de56a92..0da0bde 100644
--- a/security/flag/flag_test.go
+++ b/security/flag/flag_test.go
@@ -7,9 +7,9 @@
"testing"
tsecurity "veyron.io/veyron/veyron/lib/testutil/security"
- vsecurity "veyron.io/veyron/veyron/security"
"veyron.io/veyron/veyron2/security"
+ "veyron.io/veyron/veyron2/services/security/access"
)
func TestNewAuthorizerOrDie(t *testing.T) {
@@ -29,11 +29,22 @@
flag.Set("acl_file", "")
}
var (
- acl1 = security.ACL{}
- acl2 = security.ACL{In: map[security.BlessingPattern]security.LabelSet{
- "veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel),
- "veyron/bob": security.LabelSet(security.ReadLabel),
- }}
+ acl1 = access.TaggedACLMap{}
+ acl2 = access.TaggedACLMap{
+ string(access.Read): access.ACL{
+ In: []security.BlessingPattern{"veyron/alice", "veyron/bob"},
+ },
+ string(access.Write): access.ACL{
+ In: []security.BlessingPattern{"veyron/alice"},
+ },
+ }
+
+ auth = func(a security.Authorizer, err error) security.Authorizer {
+ if err != nil {
+ panic(err)
+ }
+ return a
+ }
)
acl2File := tsecurity.SaveACLToFile(acl2)
defer os.Remove(acl2File)
@@ -49,19 +60,19 @@
},
{
flags: flagValue{"acl": "{}"},
- wantAuth: vsecurity.NewACLAuthorizer(acl1),
+ wantAuth: auth(access.TaggedACLAuthorizer(acl1, access.TypicalTagType())),
},
{
flags: flagValue{"acl": `{"In":{"veyron/alice":"RW", "veyron/bob": "R"}}`},
- wantAuth: vsecurity.NewACLAuthorizer(acl2),
+ wantAuth: auth(access.TaggedACLAuthorizer(acl2, access.TypicalTagType())),
},
{
flags: flagValue{"acl": `{"In":{"veyron/bob":"R", "veyron/alice": "WR"}}`},
- wantAuth: vsecurity.NewACLAuthorizer(acl2),
+ wantAuth: auth(access.TaggedACLAuthorizer(acl2, access.TypicalTagType())),
},
{
flags: flagValue{"acl_file": acl2File},
- wantAuth: vsecurity.NewFileACLAuthorizer(acl2File),
+ wantAuth: auth(access.TaggedACLAuthorizerFromFile(acl2File, access.TypicalTagType())),
},
{
flags: flagValue{"acl_file": acl2File, "acl": `{"In":{"veyron/alice":"RW", "veyron/bob": "R"}}`},
diff --git a/security/testdata/blessingstore.sig b/security/testdata/blessingstore.sig
index 1040fb8..b06ba85 100644
--- a/security/testdata/blessingstore.sig
+++ b/security/testdata/blessingstore.sig
Binary files differ
diff --git a/security/util.go b/security/util.go
index ea9df1c..1ce53ef 100644
--- a/security/util.go
+++ b/security/util.go
@@ -6,7 +6,6 @@
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
- "encoding/json"
"encoding/pem"
"errors"
"fmt"
@@ -19,15 +18,6 @@
const ecPrivateKeyPEMType = "EC PRIVATE KEY"
-var nullACL security.ACL
-
-// OpenACL creates an ACL that grants access to all principals.
-func OpenACL() security.ACL {
- acl := security.ACL{}
- acl.In = map[security.BlessingPattern]security.LabelSet{security.AllPrincipals: security.AllLabels}
- return acl
-}
-
var PassphraseErr = errors.New("passphrase incorrect for decrypting private key")
// NewPrincipalKey generates an ECDSA (public, private) key pair.
@@ -104,20 +94,6 @@
return pem.Encode(w, pemKey)
}
-// LoadACL reads an ACL from the provided Reader containing a JSON encoded ACL.
-func LoadACL(r io.Reader) (security.ACL, error) {
- var acl security.ACL
- if err := json.NewDecoder(r).Decode(&acl); err != nil {
- return nullACL, err
- }
- return acl, nil
-}
-
-// SaveACL encodes an ACL in JSON format and writes it to the provided Writer.
-func SaveACL(w io.Writer, acl security.ACL) error {
- return json.NewEncoder(w).Encode(acl)
-}
-
// ThirdPartyCaveats returns the set of security.ThirdPartyCaveats
// that could be successfully decoded from the provided caveat bytes.
func ThirdPartyCaveats(caveats ...security.Caveat) []security.ThirdPartyCaveat {
diff --git a/security/util_test.go b/security/util_test.go
index 2274a70..6d07a22 100644
--- a/security/util_test.go
+++ b/security/util_test.go
@@ -65,31 +65,6 @@
}
}
-func TestLoadSaveACL(t *testing.T) {
- acl := security.ACL{}
- acl.In = map[security.BlessingPattern]security.LabelSet{
- "veyron/...": security.LabelSet(security.ReadLabel),
- "veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel),
- "veyron/bob": security.LabelSet(security.AdminLabel),
- }
- acl.NotIn = map[string]security.LabelSet{
- "veyron/che": security.LabelSet(security.ReadLabel),
- }
-
- var buf bytes.Buffer
- if err := SaveACL(&buf, acl); err != nil {
- t.Fatalf("Failed to save ACL %q: %v", acl, err)
- }
-
- loadedACL, err := LoadACL(&buf)
- if err != nil {
- t.Fatalf("Failed to load ACL: %v", err)
- }
- if !reflect.DeepEqual(loadedACL, acl) {
- t.Fatalf("Got ACL %v, but want %v", loadedACL, acl)
- }
-}
-
// fpCaveat implements security.CaveatValidator.
type fpCaveat struct{}
