Merge "profiles/internal/rpc: Clean up server auth errors."
diff --git a/profiles/internal/rpc/client.go b/profiles/internal/rpc/client.go
index 728d527..4c15594 100644
--- a/profiles/internal/rpc/client.go
+++ b/profiles/internal/rpc/client.go
@@ -343,6 +343,15 @@
serverErr *verror.SubErr
}
+func suberrName(server, name, method string) string {
+ // In the case the client directly dialed an endpoint we want to avoid printing
+ // the endpoint twice.
+ if server == name {
+ return fmt.Sprintf("%s.%s", server, method)
+ }
+ return fmt.Sprintf("%s:%s.%s", server, name, method)
+}
+
// tryCreateFlow attempts to establish a Flow to "server" (which must be a
// rooted name), over which a method invocation request could be sent.
//
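Review bot: suberrName carries only the inline remark about the direct-dial case and no Go doc comment, so a reader of the three callers has to open the helper to learn what the `server:name.method` shape means; suggest prefixing it with `// suberrName formats the SubErr name for a call of method on name reached via server; when server and name are the same string (the client dialed the endpoint directly) the endpoint is printed once.` The collapse relies on a plain string comparison, so two differently spelled forms of the same endpoint would presumably still print twice — if that is acceptable, saying so in the comment avoids a later "fix". The tryCreateFlow comment that starts at the end of this hunk continues outside it.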
@@ -362,7 +371,7 @@
suberr := func(err error) *verror.SubErr {
return &verror.SubErr{
- Name: fmt.Sprintf("%s:%s.%s", server, name, method),
+ Name: suberrName(server, name, method),
Err: err,
Options: verror.Print,
}
@@ -385,7 +394,7 @@
return
}
if status.flow, status.serverErr = c.createFlow(ctx, principal, ep, append(vcOpts, &vc.ServerAuthorizer{Suffix: status.suffix, Method: method, Policy: auth})); status.serverErr != nil {
- status.serverErr.Name = fmt.Sprintf("%s:%s.%s", server, name, method)
+ status.serverErr.Name = suberrName(server, name, method)
vlog.VI(2).Infof("rpc: Failed to create Flow with %v: %v", server, status.serverErr.Err)
return
}
@@ -548,9 +557,8 @@
}
if err := fc.prepareBlessingsAndDischarges(ctx, method, r.suffix, args, r.rejectedBlessings, opts); err != nil {
- n := fmt.Sprintf("%s:%s.%s", r.server, name, method)
r.serverErr = &verror.SubErr{
- Name: n,
+ Name: suberrName(r.server, name, method),
Options: verror.Print,
Err: verror.New(verror.ErrNotTrusted, nil, verror.New(errPrepareBlessingsAndDischarges, ctx, r.flow.RemoteBlessings(), err)),
}
diff --git a/profiles/internal/rpc/server_authorizer.go b/profiles/internal/rpc/server_authorizer.go
index 2922824..99aad52 100644
--- a/profiles/internal/rpc/server_authorizer.go
+++ b/profiles/internal/rpc/server_authorizer.go
@@ -24,13 +24,13 @@
// strings to avoid repeating these n-times in the final error
// message visible to the user.
errNoBlessingsFromServer = reg(".errNoBlessingsFromServer", "server has not presented any blessings")
- errAuthPossibleManInTheMiddle = reg(".errAuthPossibleManInTheMiddle",
- "server blessings {3} do not match expectations set by endpoint {4}, possible man-in-the-middle or the server blessings are not accepted by the client? (endpoint: {5}, rejected blessings: {6})")
+ errAuthNoServerBlessingsMatch = reg(".errAuthNoServerBlessingsMatch",
+ "server blessings {3} do not match client expectations {4}, (rejected blessings: {5})")
errAuthServerNotAllowed = reg(".errAuthServerNotAllowed",
"server blessings {3} do not match any allowed server patterns {4}{:5}")
errAuthServerKeyNotAllowed = reg(".errAuthServerKeyNotAllowed",
"remote public key {3} not matched by server key {4}")
- errMultiplePublicKeys = reg(".errMultiplePublicKeyOptions", "multiple ServerPublicKey options supplied to call, at most one is allowed")
+ errMultiplePublicKeys = reg(".errMultiplePublicKeyOptions", "at most one ServerPublicKey options can be provided")
)
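Review bot: The new errAuthNoServerBlessingsMatch text has a stray comma before the parenthesised list, and the reworded errMultiplePublicKeys string disagrees in number ("one ... options"); suggest `"server blessings {3} do not match client expectations {4} (rejected blessings: {5})"` and `"at most one ServerPublicKey option can be provided"`. The rewrite also drops both the remote endpoint and the "possible man-in-the-middle" wording from the message a user sees on a server-identity mismatch; the endpoint is presumably recoverable from the SubErr name that client.go now builds with suberrName, but the hint that an unexpected server identity can mean an active attacker rather than a misconfiguration is gone, so either keep a short "(possible man-in-the-middle)" tail or add a comment on the registered error explaining why it was removed. The verror.New call that takes the new argument order is in the following hunk, which runs past the end of what I can see.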
// serverAuthorizer implements security.Authorizer.
@@ -88,7 +88,7 @@
}
}
if !matched {
- return verror.New(errAuthPossibleManInTheMiddle, ctx, serverBlessings, epb, call.RemoteEndpoint(), rejectedBlessings)
+ return verror.New(errAuthNoServerBlessingsMatch, ctx, serverBlessings, epb, rejectedBlessings)
}
} else if enableSecureServerAuth && len(epb) == 0 {
// No blessings in the endpoint to set expectations on the