veyron2/security: Simplify the ACL structure and use the glob characters in PrincipalPattern.

ACLs serialized to disk before this commit will not be compatible with
binaries created after this commit.

A couple of ACL related changes:
(1) ACL.In is now just a map from PrincipalPattern to labels.
    The "Entries" type is no longer needed.
    BEFORE: In: {Principals: {"foo": "RW"}}
    AFTER:  In: {"foo":"RW"}
    The Entries struct was motivated by keeping both "groups" and "blessings"
    in the "In"/"NotIn" set. The Groups API is not defined yet, furthermore
    there are concerns around using NotIn with groups. My thinking is now
    that when group support is added, it is added as a field in the ACL struct
    (e.g. ACL.Groups) instead of as a field in ACL.In.Entries.

(2) PrincipalPattern now uses characters consistent with other pattern
    matching (e.g., namespace glob, or the query API), where "..." and
    not "*" denotes "recursive" matches.

(3) ACL.NotIn is a map from string to LabelSet (instead of PrincipalPattern
    to label set) to emphasize that NotIn need not contain "glob" patterns
    (i.e., those that end in ...)

While at it, also:
* Updated commentary for labels in security/types.vdl
* Updated commentary for ACLs in security/types.vdl
* Removed NewWhitelistACL: With the simplified ACL structure,
  this helper function is no longer needed.

Change-Id: I5be5bccdf1eb949436248c26d27f888e16df8ea0
diff --git a/examples/bank/pbankd/main.go b/examples/bank/pbankd/main.go
index acf9382..46caabf 100644
--- a/examples/bank/pbankd/main.go
+++ b/examples/bank/pbankd/main.go
@@ -442,10 +442,10 @@
 	// 	bankAccountServer := bank.NewServerBankAccount(pbankd)
 
 	// 	// Setup bank and account authorizers.
-	//  bankAuth := vsecurity.NewACLAuthorizer(security.NewWhitelistACL(
+	//  bankAuth := vsecurity.NewACLAuthorizer(security.ACL{In:
 	// 		map[security.BlessingPattern]security.LabelSet{
 	// 			security.AllPrincipals: security.LabelSet(security.ReadLabel | security.WriteLabel),
-	// 		}))
+	// 		}})
 	// 	bankAccountAuth := AccountAuthorizer(runtime.Identity().PublicID().Names()[0] + SUFFIX_REGEXP)
 
 	// 	dispatcher := newBankDispatcher(bankServer, bankAccountServer, bankAuth, bankAccountAuth)
diff --git a/examples/boxes/android/src/boxesp2p/main.go b/examples/boxes/android/src/boxesp2p/main.go
index c2dee7a..738bc95 100644
--- a/examples/boxes/android/src/boxesp2p/main.go
+++ b/examples/boxes/android/src/boxesp2p/main.go
@@ -234,10 +234,9 @@
 }
 
 func (gs *goState) registerAsPeer(ctx context.T) {
-	auth := vsecurity.NewACLAuthorizer(vsecurity.NewWhitelistACL(
-		map[security.BlessingPattern]security.LabelSet{
-			security.AllPrincipals: security.LabelSet(security.AdminLabel),
-		}))
+	auth := vsecurity.NewACLAuthorizer(security.ACL{In: map[security.BlessingPattern]security.LabelSet{
+		security.AllPrincipals: security.LabelSet(security.AdminLabel),
+	}})
 	gs.disp.drawAuth = auth
 	gs.disp.drawServer = ipc.ReflectInvoker(boxes.NewServerDrawInterface(gs))
 	endPt, err := gs.ipc.Listen("tcp", gs.myIPAddr+drawServicePort)
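Review bot: The rewritten literal grants `security.AdminLabel` to `security.AllPrincipals`, so any peer can reach the draw service with admin rights, and the new code carries no comment saying that this is deliberate. Suggest adding `// Every peer is granted AdminLabel on the draw service; this example performs no per-peer authorization.` above the `auth :=` line so the open policy is visible to anyone copying the example. Whether the open policy is intended for this demo I cannot tell from the hunk.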
diff --git a/lib/testutil/security/util_test.go b/lib/testutil/security/util_test.go
index 3a2fd3a..9586f57 100644
--- a/lib/testutil/security/util_test.go
+++ b/lib/testutil/security/util_test.go
@@ -51,12 +51,12 @@
 	}
 	defer r.Cleanup()
 	acl := security.ACL{}
-	acl.In.Principals = map[security.BlessingPattern]security.LabelSet{
-		"veyron/*":     security.LabelSet(security.ReadLabel),
+	acl.In = map[security.BlessingPattern]security.LabelSet{
+		"veyron/...":   security.LabelSet(security.ReadLabel),
 		"veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel),
 		"veyron/bob":   security.LabelSet(security.AdminLabel),
 	}
-	acl.NotIn.Principals = map[security.BlessingPattern]security.LabelSet{
+	acl.NotIn = map[string]security.LabelSet{
 		"veyron/che": security.LabelSet(security.ReadLabel),
 	}
 
diff --git a/runtimes/google/ipc/full_test.go b/runtimes/google/ipc/full_test.go
index 9224834..765c990 100644
--- a/runtimes/google/ipc/full_test.go
+++ b/runtimes/google/ipc/full_test.go
@@ -160,12 +160,11 @@
 	case "nilAuth":
 		authorizer = nil
 	case "aclAuth":
-		// Only authorize clients matching patterns "client" or "server/*".
-		authorizer = vsecurity.NewACLAuthorizer(vsecurity.NewWhitelistACL(
-			map[security.BlessingPattern]security.LabelSet{
-				"server/*": security.LabelSet(security.AdminLabel),
-				"client":   security.LabelSet(security.AdminLabel),
-			}))
+		// Only authorize clients matching patterns "client" or "server/...".
+		authorizer = vsecurity.NewACLAuthorizer(security.ACL{In: map[security.BlessingPattern]security.LabelSet{
+			"server/...": security.LabelSet(security.AdminLabel),
+			"client":     security.LabelSet(security.AdminLabel),
+		}})
 	default:
 		authorizer = testServerAuthorizer{}
 	}
diff --git a/runtimes/google/ipc/server.go b/runtimes/google/ipc/server.go
index dec40be..4fa5f62 100644
--- a/runtimes/google/ipc/server.go
+++ b/runtimes/google/ipc/server.go
@@ -386,7 +386,7 @@
 	for _, n := range id.Names() {
 		in[security.BlessingPattern(n+security.ChainSeparator+string(security.AllPrincipals))] = security.AllLabels
 	}
-	return vsecurity.NewWhitelistACL(in)
+	return security.ACL{In: in}
 }
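Review bot: `return security.ACL{In: in}` produces an ACL that authorizes nobody whenever `in` stays empty, which presumably happens when `id.Names()` yields no names; that is the safe direction, but it is worth stating since this looks like the server's default authorizer. Suggest `// An identity with no names leaves In empty, i.e. an ACL that authorizes nobody.` above the return. The enclosing function begins outside the hunk, so the construction of `in` is not visible here.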
 
 func (fs *flowServer) serve() error {
diff --git a/runtimes/google/rt/ipc_test.go b/runtimes/google/rt/ipc_test.go
index f1499c5..d02406b 100644
--- a/runtimes/google/rt/ipc_test.go
+++ b/runtimes/google/rt/ipc_test.go
@@ -98,7 +98,7 @@
 	add(serverR.PublicIDStore(), googleYoutubeService, "")
 	// Add PublicIDs for communicating the "google/gmail" and "google/youtube" services
 	// to the clientR's PublicIDStore.
-	add(clientR.PublicIDStore(), googleGmailClient, "google/*")
+	add(clientR.PublicIDStore(), googleGmailClient, "google/...")
 	add(clientR.PublicIDStore(), googleYoutubeClient, "google/youtube")
 
 	type testcase struct {
@@ -162,10 +162,9 @@
 		}
 		defer stopServer(server)
 		if err := server.Serve("", ipc.LeafDispatcher(&testService{},
-			vsecurity.NewACLAuthorizer(vsecurity.NewWhitelistACL(
-				map[security.BlessingPattern]security.LabelSet{
-					security.AllPrincipals: security.AllLabels,
-				})))); err != nil {
+			vsecurity.NewACLAuthorizer(security.ACL{In: map[security.BlessingPattern]security.LabelSet{
+				security.AllPrincipals: security.AllLabels,
+			}}))); err != nil {
 			t.Errorf("error serving service: ", err)
 			continue
 		}
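Review bot: The `t.Errorf("error serving service: ", err)` call directly under the rewritten `Serve` expression has an argument but no format verb, so `go vet` reports it and the error is rendered as an `%!(EXTRA ...)` suffix. Change it to `t.Errorf("error serving service: %v", err)`. The line is untouched by the commit, but it sits inside the statement the commit reformats.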
diff --git a/runtimes/google/security/identity_test.go b/runtimes/google/security/identity_test.go
index eef3e12..95184c4 100644
--- a/runtimes/google/security/identity_test.go
+++ b/runtimes/google/security/identity_test.go
@@ -86,22 +86,22 @@
 		matchData []matchInstance
 	}{
 		{
-			// self-signed alice chain, not a trusted identity provider so should only match "*"
+			// self-signed alice chain, not a trusted identity provider so should only match "..."
 			id: alice.PublicID(),
 			matchData: []matchInstance{
-				{pattern: "*", want: true},
+				{pattern: "...", want: true},
 				{pattern: "alice", want: false},
-				{pattern: "alice/*", want: false},
+				{pattern: "alice/...", want: false},
 			},
 		},
 		{
 			// veyron/alice: rooted in the trusted "veyron" identity provider
 			id: bless(newChain("immaterial").PublicID(), veyronChain, "alice", nil),
 			matchData: []matchInstance{
-				{pattern: "*", want: true},
-				{pattern: "veyron/*", want: true},
+				{pattern: "...", want: true},
+				{pattern: "veyron/...", want: true},
 				{pattern: "veyron/alice", want: true},
-				{pattern: "veyron/alice/*", want: true},
+				{pattern: "veyron/alice/...", want: true},
 				{pattern: "veyron/alice/TV", want: true},
 				{pattern: "veyron", want: false},
 				{pattern: "veyron/ali", want: false},
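Review bot: Every pattern containing `*` is replaced rather than kept, so nothing in the table shows that the old wildcard is no longer special; a case such as `{pattern: "veyron/*", want: false}` would pin that a literal `*` does not match `veyron/alice` (the expected value assumes `*` is now an ordinary, non-matching component — confirm against the matcher). The same applies to the default-pattern validity table in publicid_store_test.go, where `"veyron*"` and `"*veyron"` were swapped for their `...` forms instead of being retained alongside them. Without such a case a regression back to `*` semantics would pass this test unnoticed.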
@@ -114,15 +114,15 @@
 			// alice#veyron/alice#google/alice: two trusted identity providers
 			id: newSetPublicID(alice.PublicID(), bless(alice.PublicID(), veyronChain, "alice", nil), bless(alice.PublicID(), googleChain, "alice", nil)),
 			matchData: []matchInstance{
-				{pattern: "*", want: true},
+				{pattern: "...", want: true},
 				// Since alice is not a trusted identity provider, the self-blessed identity
-				// should not match "alice/*"
+				// should not match "alice/..."
 				{pattern: "alice", want: false},
-				{pattern: "alice/*", want: false},
-				{pattern: "veyron/*", want: true},
+				{pattern: "alice/...", want: false},
+				{pattern: "veyron/...", want: true},
 				{pattern: "veyron/alice", want: true},
 				{pattern: "veyron/alice/TV", want: true},
-				{pattern: "veyron/alice/*", want: true},
+				{pattern: "veyron/alice/...", want: true},
 				{pattern: "ali", want: false},
 				{pattern: "aliced", want: false},
 				{pattern: "veyron", want: false},
@@ -131,7 +131,7 @@
 				{pattern: "veyron/bob", want: false},
 				{pattern: "google/alice", want: true},
 				{pattern: "google/alice/TV", want: true},
-				{pattern: "google/alice/*", want: true},
+				{pattern: "google/alice/...", want: true},
 			},
 		},
 	}
@@ -308,8 +308,8 @@
 		cavOnlyPlayAtGoogle = methodRestrictionCaveat("google", S{"Play"})
 		// Can only talk to the "Google" service
 		cavOnlyGoogle = peerIdentityCaveat("google")
-		// Can only call the PublicProfile method on veyron/alice/*
-		cavOnlyPublicProfile = methodRestrictionCaveat("veyron/alice/*", S{"PublicProfile"})
+		// Can only call the PublicProfile method on veyron/alice/...
+		cavOnlyPublicProfile = methodRestrictionCaveat("veyron/alice/...", S{"PublicProfile"})
 	)
 
 	type rpc struct {
diff --git a/runtimes/google/security/publicid_store_test.go b/runtimes/google/security/publicid_store_test.go
index 394cb49..a60ada0 100644
--- a/runtimes/google/security/publicid_store_test.go
+++ b/runtimes/google/security/publicid_store_test.go
@@ -41,17 +41,17 @@
 		t.Fatalf("NewPublicIDStore failed: %s", err)
 	}
 	// First Add should succeed for any PublicID (cAlice.PublicID() below)
-	if err := s.Add(cAlice.PublicID(), "alice/*"); err != nil {
+	if err := s.Add(cAlice.PublicID(), "alice/..."); err != nil {
 		t.Fatalf("%s.Add(%q, ...) failed unexpectedly: %s", s, cAlice.PublicID(), err)
 	}
 	// Subsequent Adds must succeed only for PublicIDs with cAlice's public key.
-	if err := s.Add(cVeyronAlice.PublicID(), "*"); err != nil {
+	if err := s.Add(cVeyronAlice.PublicID(), "..."); err != nil {
 		t.Fatalf("%s.Add(%q, ...) failed unexpectedly: %s", s, cVeyronAlice.PublicID(), err)
 	}
-	if err := s.Add(sAlice, "alice/*"); err != nil {
+	if err := s.Add(sAlice, "alice/..."); err != nil {
 		t.Fatalf("%s.Add(%q, ...) failed unexpectedly: %s", s, sAlice, err)
 	}
-	if got, want := s.Add(cBob.PublicID(), "bob/*"), errStoreAddMismatch; got != want {
+	if got, want := s.Add(cBob.PublicID(), "bob/..."), errStoreAddMismatch; got != want {
 		t.Fatalf("%s.Add(%q, ...): got: %s, want: %s", s, cBob, got, want)
 	}
 }
@@ -68,13 +68,13 @@
 		{"veyron", true},
 		{"veyron/alice@google", true},
 		{"veyron/alice@google/bob", true},
-		{"veyron/alice@google/*", true},
+		{"veyron/alice@google/...", true},
 		{"", false},
-		{"veyron*", false},
-		{"*veyron", false},
+		{"veyron...", false},
+		{"...veyron", false},
 		{"/veyron", false},
 		{"veyron/", false},
-		{"veyron/*/alice", false},
+		{"veyron/.../alice", false},
 	}
 	for _, d := range defaultPatterns {
 		if got := s.SetDefaultBlessingPattern(d.pattern); d.success != (got == nil) {
@@ -115,14 +115,14 @@
 	if err != nil {
 		t.Fatalf("NewPublicIDStore failed: %s", err)
 	}
-	add(s, cGoogleAlice, "google")                  // use cGoogleAlice against all peers matching "google/*"
-	add(s, cGoogleAlice, "veyron")                  // use cGoogleAlice against all peers matching "veyron/*" as well
-	add(s, cVeyronAlice, "veyron/*")                // use cVeyronAlice against peers matching "veyron/*"
-	add(s, cVeyronAlice, "google")                  // use cVeyronAlice against peers matching "veyron/*"
-	add(s, cVeyronServiceAlice, "veyron/service/*") // use cVeyronAlice against peers matching "veyron/service*"
-	add(s, cGoogleServiceAlice, "google/service/*") // use cGoogleServiceAlice against peers matching "google/service/*"
-	add(s, sGoogleAlice, "google/service")          // use any PublicID from sGoogleAlice against peers matching "google/service"
-	add(s, sAllAlice, "veyron")                     // use any PublicID from sAllAlice against peers matching "veyron"
+	add(s, cGoogleAlice, "google")                    // use cGoogleAlice against all peers matching "google/..."
+	add(s, cGoogleAlice, "veyron")                    // use cGoogleAlice against all peers matching "veyron/..." as well
+	add(s, cVeyronAlice, "veyron/...")                // use cVeyronAlice against peers matching "veyron/..."
+	add(s, cVeyronAlice, "google")                    // use cVeyronAlice against peers matching "veyron/..."
+	add(s, cVeyronServiceAlice, "veyron/service/...") // use cVeyronAlice against peers matching "veyron/service/..."
+	add(s, cGoogleServiceAlice, "google/service/...") // use cGoogleServiceAlice against peers matching "google/service/..."
+	add(s, sGoogleAlice, "google/service")            // use any PublicID from sGoogleAlice against peers matching "google/service"
+	add(s, sAllAlice, "veyron")                       // use any PublicID from sAllAlice against peers matching "veyron"
 
 	pkey := cAlice.PublicID().PublicKey()
 
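Review bot: Two of the re-aligned comments describe the wrong call: `add(s, cVeyronAlice, "google")` is annotated `peers matching "veyron/..."` although the pattern passed is `google`, and `add(s, cVeyronServiceAlice, "veyron/service/...")` says `use cVeyronAlice`. Suggest `// use cVeyronAlice against peers matching "google/..."` and `// use cVeyronServiceAlice against peers matching "veyron/service/..."`. The first mismatch pre-dates this commit, but the comments were rewritten here, so this is the natural place to correct them.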
@@ -157,13 +157,13 @@
 		defaultNames   []string
 	}{
 		{"veyron", nil},
-		{"veyron/*", []string{"veyron/alice", "veyron/service/user-24"}},
+		{"veyron/...", []string{"veyron/alice", "veyron/service/user-24"}},
 		{"veyron/alice", []string{"veyron/alice"}},
-		{"veyron/service/*", []string{"veyron/service/user-24"}},
+		{"veyron/service/...", []string{"veyron/service/user-24"}},
 		{"google", nil},
-		{"google/*", []string{"google/alice", "google/service/user-42"}},
+		{"google/...", []string{"google/alice", "google/service/user-42"}},
 		{"google/alice", []string{"google/alice"}},
-		{"google/service/*", []string{"google/service/user-42"}},
+		{"google/service/...", []string{"google/service/user-42"}},
 		{"bob", nil},
 	}
 	for _, d := range testDataByBlessingPattern {
@@ -203,10 +203,10 @@
 	if err != nil {
 		t.Fatalf("NewPublicIDStore failed: %s", err)
 	}
-	if err := s.Add(sAllAlice, "google/*"); err != nil {
+	if err := s.Add(sAllAlice, "google/..."); err != nil {
 		t.Fatalf("%s.Add(%q, ...) failed unexpectedly: %s", s, sAllAlice, err)
 	}
-	if err := s.SetDefaultBlessingPattern("veyron/*"); err != nil {
+	if err := s.SetDefaultBlessingPattern("veyron/..."); err != nil {
 		t.Fatalf("%s.SetDefaultBlessingPattern failed: %s", s, err)
 	}
 
diff --git a/security/acl_authorizer_test.go b/security/acl_authorizer_test.go
index d71363f..1d04e89 100644
--- a/security/acl_authorizer_test.go
+++ b/security/acl_authorizer_test.go
@@ -187,35 +187,35 @@
 
 	// ACL for testing
 	acl := security.ACL{}
-	acl.In.Principals = map[security.BlessingPattern]security.LabelSet{
-		"*": LS(R),
-		"fake/veyron/alice/*": LS(W, R),
-		"fake/veyron/alice":   LS(A, D, M),
-		"fake/veyron/bob":     LS(D, M),
-		"fake/veyron/che/*":   LS(W, R),
-		"fake/veyron/che":     LS(W, R),
+	acl.In = map[security.BlessingPattern]security.LabelSet{
+		"...": LS(R),
+		"fake/veyron/alice/...": LS(W, R),
+		"fake/veyron/alice":     LS(A, D, M),
+		"fake/veyron/bob":       LS(D, M),
+		"fake/veyron/che/...":   LS(W, R),
+		"fake/veyron/che":       LS(W, R),
 	}
-	acl.NotIn.Principals = map[security.BlessingPattern]security.LabelSet{
+	acl.NotIn = map[string]security.LabelSet{
 		"fake/veyron/che/friend": LS(W),
 	}
 
 	// Authorizations for the above ACL.
 	authorizations := authMap{
-		// alice and bob have only what "*" has.
+		// alice and bob have only what "..." has.
 		alice: LS(R),
 		bob:   LS(R),
 		che:   LS(R),
 		// veyron and veyronAlice have R, W, A, D, M from the "veyron/alice" and
-		// "veyron/alice/*" ACL entries.
+		// "veyron/alice/..." ACL entries.
 		veyron:      LS(R, W, A, D, M),
 		veyronAlice: LS(R, W, A, D, M),
-		// veyronBob has R, D, M from "*" and "veyron/bob" ACL entries.
+		// veyronBob has R, D, M from "..." and "veyron/bob" ACL entries.
 		veyronBob: LS(R, D, M),
-		// veyronAliceFriend has W, R from the "veyron/alice/*" ACL entry.
+		// veyronAliceFriend has W, R from the "veyron/alice/..." ACL entry.
 		veyronAliceFriend: LS(W, R),
 		// veyronChe has W, R from the "veyron/che" entry.
 		veyronChe: LS(W, R),
-		// veyronCheFriend has W, R from the "veyron/che/*" entry, but loses W
+		// veyronCheFriend has W, R from the "veyron/che/..." entry, but loses W
 		// from the blacklist entry "veyron/che/friend".
 		veyronCheFriend: LS(R),
 		// nil PublicIDs are not authorized.
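Review bot: The blacklist entry `"fake/veyron/che/friend"` is exercised only by a principal of exactly that name; now that `NotIn` is keyed by plain strings, the test should also state what happens to a further-delegated blessing such as `fake/veyron/che/friend/x`. If the blacklist matches by prefix that principal should lose W as well; if it matches exactly, the principal would regain W from the `"fake/veyron/che/..."` entry, which is precisely the behaviour worth pinning either way. I cannot tell from this hunk which semantics the authorizer implements, so the expected LabelSet for such a case needs confirming against the authorizer before it is added.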
@@ -236,7 +236,7 @@
 
 	// Modify the ACL stored in the file and verify that the authorizations appropriately
 	// change for the fileACLAuthorizer.
-	acl.In.Principals["fake/veyron/bob"] = LS(R, W, A, D, M)
+	acl.In["fake/veyron/bob"] = LS(R, W, A, D, M)
 	updateACLInFile(fileName, acl)
 
 	authorizations[veyronBob] = LS(R, W, A, D, M)
diff --git a/security/flag/flag_test.go b/security/flag/flag_test.go
index 4bd60fe..ffa8d93 100644
--- a/security/flag/flag_test.go
+++ b/security/flag/flag_test.go
@@ -30,10 +30,10 @@
 	}
 	var (
 		acl1 = security.ACL{}
-		acl2 = vsecurity.NewWhitelistACL(map[security.BlessingPattern]security.LabelSet{
+		acl2 = security.ACL{In: map[security.BlessingPattern]security.LabelSet{
 			"veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel),
 			"veyron/bob":   security.LabelSet(security.ReadLabel),
-		})
+		}}
 	)
 	acl2File := tsecurity.SaveACLToFile(acl2)
 	defer os.Remove(acl2File)
@@ -52,11 +52,11 @@
 			wantAuth: vsecurity.NewACLAuthorizer(acl1),
 		},
 		{
-			flags:    flagValue{"acl": "{\"In\":{\"Principals\":{\"veyron/alice\":\"RW\", \"veyron/bob\": \"R\"}}}"},
+			flags:    flagValue{"acl": `{"In":{"veyron/alice":"RW", "veyron/bob": "R"}}`},
 			wantAuth: vsecurity.NewACLAuthorizer(acl2),
 		},
 		{
-			flags:    flagValue{"acl": "{\"In\":{\"Principals\":{\"veyron/bob\":\"R\", \"veyron/alice\": \"WR\"}}}"},
+			flags:    flagValue{"acl": `{"In":{"veyron/bob":"R", "veyron/alice": "WR"}}`},
 			wantAuth: vsecurity.NewACLAuthorizer(acl2),
 		},
 		{
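Review bot: None of the cases covers the pre-commit JSON shape `{"In":{"Principals":{...}}}`, which the commit message says is no longer compatible. A case with that string and an expected failure (or `wantPanic: true`, whichever the flag parser does on malformed input) would ensure a stale flag value is rejected loudly rather than decoded into an ACL with unintended contents. The hunk does not show how parse errors surface from `flagValue`, so the expected outcome needs checking.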
@@ -64,7 +64,7 @@
 			wantAuth: vsecurity.NewFileACLAuthorizer(acl2File),
 		},
 		{
-			flags:     flagValue{"acl_file": acl2File, "acl": "{\"In\":{\"Principals\":{\"veyron/alice\":\"RW\", \"veyron/bob\": \"R\"}}}"},
+			flags:     flagValue{"acl_file": acl2File, "acl": `{"In":{"veyron/alice":"RW", "veyron/bob": "R"}}`},
 			wantPanic: true,
 		},
 	}
diff --git a/security/util.go b/security/util.go
index 7755797..541aa90 100644
--- a/security/util.go
+++ b/security/util.go
@@ -11,14 +11,6 @@
 
 var nullACL security.ACL
 
-// NewWhitelistACL creates an ACL that grants access to only the provided
-// principals.
-func NewWhitelistACL(principals map[security.BlessingPattern]security.LabelSet) security.ACL {
-	acl := security.ACL{}
-	acl.In.Principals = principals
-	return acl
-}
-
 // LoadIdentity reads a PrivateID from r, assuming that it was written using
 // SaveIdentity.
 func LoadIdentity(r io.Reader) (security.PrivateID, error) {
diff --git a/security/util_test.go b/security/util_test.go
index 6c97fb6..d535039 100644
--- a/security/util_test.go
+++ b/security/util_test.go
@@ -27,12 +27,12 @@
 
 func TestLoadSaveACL(t *testing.T) {
 	acl := security.ACL{}
-	acl.In.Principals = map[security.BlessingPattern]security.LabelSet{
-		"veyron/*":     security.LabelSet(security.ReadLabel),
+	acl.In = map[security.BlessingPattern]security.LabelSet{
+		"veyron/...":   security.LabelSet(security.ReadLabel),
 		"veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel),
 		"veyron/bob":   security.LabelSet(security.AdminLabel),
 	}
-	acl.NotIn.Principals = map[security.BlessingPattern]security.LabelSet{
+	acl.NotIn = map[string]security.LabelSet{
 		"veyron/che": security.LabelSet(security.ReadLabel),
 	}
 
diff --git a/services/identity/identityd/main.go b/services/identity/identityd/main.go
index 48ba659..68cebb2 100644
--- a/services/identity/identityd/main.go
+++ b/services/identity/identityd/main.go
@@ -138,9 +138,9 @@
 func newDispatcher(params blesser.GoogleParams) ipc.Dispatcher {
 	blessingService := ipc.ReflectInvoker(blesser.NewGoogleOAuthBlesserServer(params))
 	dischargerService := ipc.ReflectInvoker(services.NewServerDischarger(discharger.NewDischarger(params.R.Identity())))
-	allowEveryoneACLAuth := vsecurity.NewACLAuthorizer(vsecurity.NewWhitelistACL(map[security.BlessingPattern]security.LabelSet{
+	allowEveryoneACLAuth := vsecurity.NewACLAuthorizer(security.ACL{In: map[security.BlessingPattern]security.LabelSet{
 		security.AllPrincipals: security.AllLabels,
-	}))
+	}})
 	return &dispatcher{blessingService, dischargerService, allowEveryoneACLAuth}
 }
 
diff --git a/services/mounttable/lib/testdata/test.acl b/services/mounttable/lib/testdata/test.acl
index b65c35b..9ffe006 100644
--- a/services/mounttable/lib/testdata/test.acl
+++ b/services/mounttable/lib/testdata/test.acl
@@ -1,5 +1,5 @@
 {
-"/": {"In": {"Principals": {"fake/root": "RW", "*": "R"}}},
-"/stuff": {"In": {"Principals": {"fake/root": "RW", "fake/bob": "R"}}},
-"/a": {"In": {"Principals": {"fake/root": "RW", "fake/alice": "R"}}}
+"/": {"In": {"fake/root": "RW", "...": "R"}},
+"/stuff": {"In": {"fake/root": "RW", "fake/bob": "R"}},
+"/a": {"In": {"fake/root": "RW", "fake/alice": "R"}}
 }
\ No newline at end of file
diff --git a/services/syncgroup/syncgroup.vdl.go b/services/syncgroup/syncgroup.vdl.go
index 962584c..78c38c5 100644
--- a/services/syncgroup/syncgroup.vdl.go
+++ b/services/syncgroup/syncgroup.vdl.go
@@ -496,14 +496,9 @@
 	}
 
 	result.TypeDefs = []_gen_vdlutil.Any{
-		_gen_wiretype.NamedPrimitiveType{Type: 0x1, Name: "anydata", Tags: []string(nil)}, _gen_wiretype.MapType{Key: 0x3, Elem: 0x41, Name: "", Tags: []string(nil)}, _gen_wiretype.NamedPrimitiveType{Type: 0x3, Name: "veyron2/security.BlessingPattern", Tags: []string(nil)}, _gen_wiretype.NamedPrimitiveType{Type: 0x34, Name: "veyron2/security.LabelSet", Tags: []string(nil)}, _gen_wiretype.MapType{Key: 0x43, Elem: 0x44, Name: "", Tags: []string(nil)}, _gen_wiretype.StructType{
+		_gen_wiretype.NamedPrimitiveType{Type: 0x1, Name: "anydata", Tags: []string(nil)}, _gen_wiretype.MapType{Key: 0x3, Elem: 0x41, Name: "", Tags: []string(nil)}, _gen_wiretype.NamedPrimitiveType{Type: 0x3, Name: "veyron2/security.BlessingPattern", Tags: []string(nil)}, _gen_wiretype.NamedPrimitiveType{Type: 0x34, Name: "veyron2/security.LabelSet", Tags: []string(nil)}, _gen_wiretype.MapType{Key: 0x43, Elem: 0x44, Name: "", Tags: []string(nil)}, _gen_wiretype.MapType{Key: 0x3, Elem: 0x44, Name: "", Tags: []string(nil)}, _gen_wiretype.StructType{
 			[]_gen_wiretype.FieldType{
-				_gen_wiretype.FieldType{Type: 0x45, Name: "Principals"},
-			},
-			"veyron2/security.Entries", []string(nil)},
-		_gen_wiretype.StructType{
-			[]_gen_wiretype.FieldType{
-				_gen_wiretype.FieldType{Type: 0x46, Name: "In"},
+				_gen_wiretype.FieldType{Type: 0x45, Name: "In"},
 				_gen_wiretype.FieldType{Type: 0x46, Name: "NotIn"},
 			},
 			"veyron2/security.ACL", []string(nil)},
diff --git a/services/wsprd/identity/identity_test.go b/services/wsprd/identity/identity_test.go
index 0ea8f0e..f1205a7 100644
--- a/services/wsprd/identity/identity_test.go
+++ b/services/wsprd/identity/identity_test.go
@@ -79,7 +79,7 @@
 	manager.AddAccount(googleAccount2, createChain(r, googleAccount2))
 	manager.AddAccount(facebookAccount, createChain(r, facebookAccount))
 
-	result := manager.AccountsMatching(security.BlessingPattern(topLevelName + "/google/*"))
+	result := manager.AccountsMatching(security.BlessingPattern(topLevelName + "/google/..."))
 	sort.StringSlice(result).Sort()
 	expected := []string{googleAccount1, googleAccount2}
 	if !reflect.DeepEqual(result, expected) {
diff --git a/services/wsprd/ipc/server/server.go b/services/wsprd/ipc/server/server.go
index f0e78b6..b63f5e7 100644
--- a/services/wsprd/ipc/server/server.go
+++ b/services/wsprd/ipc/server/server.go
@@ -177,10 +177,9 @@
 
 	if s.dispatcher == nil {
 		s.dispatcher = newDispatcher(invoker,
-			vsecurity.NewACLAuthorizer(vsecurity.NewWhitelistACL(
-				map[security.BlessingPattern]security.LabelSet{
-					security.AllPrincipals: security.AllLabels,
-				})))
+			vsecurity.NewACLAuthorizer(security.ACL{In: map[security.BlessingPattern]security.LabelSet{
+				security.AllPrincipals: security.AllLabels,
+			}}))
 	}
 
 	if s.endpoint == "" {
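Review bot: The fallback authorizer grants `security.AllLabels` to `security.AllPrincipals` whenever `s.dispatcher` is nil, and nothing in the new code says why an unconfigured server should be open to every principal. A comment such as `// No dispatcher configured: fall back to an authorizer that grants every label to every principal.` above the `s.dispatcher = newDispatcher(` line would make the default explicit to readers and reviewers. The enclosing function starts outside the hunk.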
diff --git a/services/wsprd/wspr/wspr_test.go b/services/wsprd/wspr/wspr_test.go
index 9c3af33..e84b1f6 100644
--- a/services/wsprd/wspr/wspr_test.go
+++ b/services/wsprd/wspr/wspr_test.go
@@ -124,7 +124,7 @@
 	}
 
 	// Verify that idManager has both accounts
-	gotAccounts = wspr.idManager.AccountsMatching(security.BlessingPattern(topLevelName + "/*"))
+	gotAccounts = wspr.idManager.AccountsMatching(security.BlessingPattern(fmt.Sprintf("%s%s%v", topLevelName, security.ChainSeparator, security.AllPrincipals)))
 	if len(gotAccounts) != 2 {
 		t.Fatalf("Expected to have 2 accounts, but got %v: %v", len(gotAccounts), gotAccounts)
 	}
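Review bot: The rewritten pattern is built with `fmt.Sprintf("%s%s%v", ...)`, whereas runtimes/google/ipc/server.go in this same commit builds the equivalent pattern by plain concatenation and services/wsprd/identity/identity_test.go hard-codes `"/google/..."`; one convention would be easier to read and grep for. Suggest `gotAccounts = wspr.idManager.AccountsMatching(security.BlessingPattern(topLevelName + security.ChainSeparator + string(security.AllPrincipals)))`. That also replaces the `%v` on `AllPrincipals`, which depends on its formatted representation, with an explicit `string(...)` conversion.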