veyron/runtimes/google/ipc: Refactor authorization error messages.
Change-Id: Ic04d14664bd3b72bbc2ae1349859280426775ea8
diff --git a/runtimes/google/ipc/server.go b/runtimes/google/ipc/server.go
index a0d207d..514377f 100644
--- a/runtimes/google/ipc/server.go
+++ b/runtimes/google/ipc/server.go
@@ -37,10 +37,6 @@
errServerStopped = verror.Abortedf("ipc: server is stopped")
)
-func errNotAuthorized(err error) verror.E {
- return verror.NoAccessf("ipc: not authorized(%v)", err)
-}
-
type server struct {
sync.Mutex
ctx context.T // context used by the server to make internal RPCs.
@@ -850,21 +846,20 @@
}
if remoteID := fs.flow.RemoteID(); remoteID != nil {
// TODO(ashankar): This whole check goes away once the old security model is ripped out.
- if fs.authorizedRemoteID, err = remoteID.Authorize(isecurity.NewContext(
- isecurity.ContextArgs{
- LocalID: fs.flow.LocalID(),
- RemoteID: fs.flow.RemoteID(),
- Method: fs.method,
- Suffix: fs.suffix,
- Discharges: fs.discharges,
- Label: fs.label})); err != nil {
- return nil, errNotAuthorized(err)
+ if fs.authorizedRemoteID, err = remoteID.Authorize(isecurity.NewContext(isecurity.ContextArgs{
+ LocalID: fs.flow.LocalID(),
+ RemoteID: fs.flow.RemoteID(),
+ Method: fs.method,
+ Suffix: fs.suffix,
+ Discharges: fs.discharges,
+ Label: fs.label,
+ })); err != nil {
+ return nil, verror.NoAccessf("%v is not authorized to call %q.%q (%v)", fs.RemoteID(), fs.Name(), fs.Method(), err)
}
}
// Check application's authorization policy and invoke the method.
if err := fs.authorize(auth); err != nil {
- // TODO(ataly, ashankar): For privacy reasons, should we hide the authorizer error (err)?
- return nil, errNotAuthorized(fmt.Errorf("%v (PublicID:%v) not authorized for %q.%q: %v", fs.RemoteBlessings(), fs.RemoteID(), fs.Name(), fs.Method(), err))
+ return nil, err
}
// Check if the caller is permitted to view debug information.
fs.allowDebug = fs.authorizeForDebug(auth) == nil
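Review bot: The new `verror.NoAccessf("%v is not authorized to call %q.%q (%v)", ...)` return still embeds the authorizer's own `err`, and because it is returned from the request path it presumably reaches the caller that just failed authorization. The removed TODO asked whether that detail should be hidden; the commit moves the question into `authorize` (last hunk, both `NoAccessf` calls) instead of settling it. Consider recording the detail in a server-side log and returning only identity, name and method, e.g. `return nil, verror.NoAccessf("ipc: %v is not authorized to call %q.%q", fs.RemoteID(), fs.Name(), fs.Method())`. That form also restores the `ipc: ` prefix that the two messages in `authorize` carry and this one drops. The enclosing function starts and ends outside this hunk.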
@@ -955,7 +950,7 @@
return verror.Makef(verror.ErrorID(err), "%s", err)
}
if err := i.fs.authorize(auth); err != nil {
- return errNotAuthorized(fmt.Errorf("%q not authorized for method %q: %v", i.fs.RemoteID(), i.fs.Method(), err))
+ return err
}
leafCall := &localServerCall{call, prefix}
argptrs[0] = &pattern
@@ -997,11 +992,18 @@
return c.ServerCall.Send(me)
}
-func (fs *flowServer) authorize(auth security.Authorizer) error {
+func (fs *flowServer) authorize(auth security.Authorizer) verror.E {
if auth == nil {
auth = defaultAuthorizer(fs)
}
- return auth.Authorize(fs)
+ if err := auth.Authorize(fs); err != nil {
+ // TODO(ataly, ashankar): For privacy reasons, should we hide the authorizer error?
+ if fs.RemoteBlessings() != nil {
+ return verror.NoAccessf("ipc: %v not authorized to call %q.%q (%v)", fs.RemoteBlessings(), fs.Name(), fs.Method(), err)
+ }
+ return verror.NoAccessf("ipc: %v (deprecated security model) is not authorized to call %q.%q (%v)", fs.RemoteID(), fs.Name(), fs.Method(), err)
+ }
+ return nil
}
// debugContext is a context which wraps another context but always returns
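Review bot: `authorize` now carries a contract that deserves a doc comment, since both visible call sites return its error unchanged. A line such as `// authorize checks the call against auth (or the default authorizer when auth is nil) and returns a NoAccess error identifying the caller, name and method on failure.` would cover it. A short comment on the `fs.RemoteBlessings() != nil` branch would also help, explaining why the fallback reports `fs.RemoteID()`; today the only hint is the "(deprecated security model)" text inside the message itself.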