security: Use VDL's mechanism for wire <-> native conversions for
Blessings.
This commit is the counterpart to the API change in:
https://vanadium-review.googlesource.com/6290
Mostly simplifies, but there are some rough edges still left
which will be addressed in separate commits:
(1) At a few places, the caller wants to access the underlying
certificate chains of a security.Blessings object.
Have to work out this API, but for now they either use
security.MarshalBlessings or do a VOM-roundtrip (when
performance is a non-concern)
(2) The BlessingStore implementation can be simplified considerably
now, and should have a clear wire spec (.vdl file).
(3) The persistent store used by the mgmt code
(veyron/services/mgmt/lib/fs) is using GOB to write out
serialized forms. There is a plan to convert this to VOM
but in the mean time I had to do something ugly - translate
from application.Envelope (which is no longer GOBable) to
a different type. This will go away once the store is converted
to VOM.
MultiPart: 2/2
Change-Id: Iafb791afedf0a3ea4c9c1c766300213dace7d692
diff --git a/runtimes/google/ipc/blessings_cache.go b/runtimes/google/ipc/blessings_cache.go
index 204715a..06ec74b 100644
--- a/runtimes/google/ipc/blessings_cache.go
+++ b/runtimes/google/ipc/blessings_cache.go
@@ -109,8 +109,7 @@
return ipc.BlessingsRequest{Key: val.id}
}
// otherwise we still need to send both key and blessings, but we must ensure that we send the same key.
- wireBlessings := security.MarshalBlessings(blessings)
- return ipc.BlessingsRequest{val.id, &wireBlessings}
+ return ipc.BlessingsRequest{val.id, &blessings}
}
// nextIdLocked creates a new id for inserting blessings. It must be called after acquiring a writer lock.
@@ -153,10 +152,7 @@
stats.recordBlessingCache(false)
// Slowpath, might need to update the cache, or check that the received blessings are
// the same as what's in the cache.
- recv, err := security.NewBlessings(*req.Blessings)
- if err != nil {
- return security.Blessings{}, fmt.Errorf("ipc: create new client blessings failed: %v", err)
- }
+ recv := *req.Blessings
c.Lock()
defer c.Unlock()
if cached, exists := c.m[req.Key]; exists {
diff --git a/runtimes/google/ipc/client.go b/runtimes/google/ipc/client.go
index 2a9f92a..f9ced6b 100644
--- a/runtimes/google/ipc/client.go
+++ b/runtimes/google/ipc/client.go
@@ -799,7 +799,7 @@
Method: method,
NumPosArgs: uint64(len(args)),
Deadline: vtime.Deadline{deadline},
- GrantedBlessings: security.MarshalBlessings(fc.grantedBlessings),
+ GrantedBlessings: fc.grantedBlessings,
Blessings: blessingsRequest,
Discharges: discharges,
TraceRequest: ivtrace.Request(fc.ctx),
diff --git a/runtimes/google/ipc/server.go b/runtimes/google/ipc/server.go
index 3c7db7c..8340516 100644
--- a/runtimes/google/ipc/server.go
+++ b/runtimes/google/ipc/server.go
@@ -1149,11 +1149,6 @@
func (fs *flowServer) initSecurity(req *ipc.Request) error {
// If additional credentials are provided, make them available in the context
- blessings, err := security.NewBlessings(req.GrantedBlessings)
- if err != nil {
- return verror.New(verror.ErrBadProtocol, fs.T, newErrBadBlessings(fs.T, err))
- }
- fs.grantedBlessings = blessings
// Detect unusable blessings now, rather then discovering they are unusable on
// first use.
//
@@ -1161,11 +1156,12 @@
// the server's identity as the blessing. Figure out what we want to do about
// this - should servers be able to assume that a blessing is something that
// does not have the authorizations that the server's own identity has?
- if blessings.PublicKey() != nil && !reflect.DeepEqual(blessings.PublicKey(), fs.flow.LocalPrincipal().PublicKey()) {
- return verror.New(verror.ErrNoAccess, fs.T, fmt.Sprintf("blessing granted not bound to this server(%v vs %v)", blessings.PublicKey(), fs.flow.LocalPrincipal().PublicKey()))
+ if b := req.GrantedBlessings; b.PublicKey() != nil && !reflect.DeepEqual(b.PublicKey(), fs.flow.LocalPrincipal().PublicKey()) {
+ return verror.New(verror.ErrNoAccess, fs.T, fmt.Sprintf("blessing granted not bound to this server(%v vs %v)", b.PublicKey(), fs.flow.LocalPrincipal().PublicKey()))
}
- fs.clientBlessings, err = serverDecodeBlessings(fs.flow.VCDataCache(), req.Blessings, fs.server.stats)
- if err != nil {
+ fs.grantedBlessings = req.GrantedBlessings
+ var err error
+ if fs.clientBlessings, err = serverDecodeBlessings(fs.flow.VCDataCache(), req.Blessings, fs.server.stats); err != nil {
// When the server can't access the blessings cache, the client is not following
// protocol, so the server closes the VCs corresponding to the client endpoint.
// TODO(suharshs,toddw): Figure out a way to only shutdown the current VC, instead
diff --git a/runtimes/google/ipc/stream/vc/auth.go b/runtimes/google/ipc/stream/vc/auth.go
index b333b3a..43442b3 100644
--- a/runtimes/google/ipc/stream/vc/auth.go
+++ b/runtimes/google/ipc/stream/vc/auth.go
@@ -94,7 +94,7 @@
if err := enc.Encode(signature); err != nil {
return err
}
- if err := enc.Encode(security.MarshalBlessings(b)); err != nil {
+ if err := enc.Encode(b); err != nil {
return err
}
if v >= version.IPCVersion7 {
@@ -143,13 +143,13 @@
}
var (
- wireb security.WireBlessings
- sig security.Signature
+ blessings security.Blessings
+ sig security.Signature
)
if err = dec.Decode(&sig); err != nil {
return noBlessings, nil, err
}
- if err = dec.Decode(&wireb); err != nil {
+ if err = dec.Decode(&blessings); err != nil {
return noBlessings, nil, err
}
var discharges map[string]security.Discharge
@@ -177,10 +177,6 @@
}
}
}
- blessings, err := security.NewBlessings(wireb)
- if err != nil {
- return noBlessings, nil, err
- }
if !sig.Verify(blessings.PublicKey(), append(tag, crypter.ChannelBinding()...)) {
return noBlessings, nil, errInvalidSignatureInMessage
}
diff --git a/security/agent/client.go b/security/agent/client.go
index cb887b2..92a33ab 100644
--- a/security/agent/client.go
+++ b/security/agent/client.go
@@ -105,23 +105,19 @@
}
func (c *client) Bless(key security.PublicKey, with security.Blessings, extension string, caveat security.Caveat, additionalCaveats ...security.Caveat) (security.Blessings, error) {
- var blessings security.WireBlessings
+ var blessings security.Blessings
marshalledKey, err := key.MarshalBinary()
if err != nil {
return security.Blessings{}, err
}
- if err = c.caller.call("Bless", results(&blessings), marshalledKey, security.MarshalBlessings(with), extension, caveat, additionalCaveats); err != nil {
- return security.Blessings{}, err
- }
- return security.NewBlessings(blessings)
+ err = c.caller.call("Bless", results(&blessings), marshalledKey, with, extension, caveat, additionalCaveats)
+ return blessings, err
}
func (c *client) BlessSelf(name string, caveats ...security.Caveat) (security.Blessings, error) {
- var blessings security.WireBlessings
- if err := c.caller.call("BlessSelf", results(&blessings), name, caveats); err != nil {
- return security.Blessings{}, err
- }
- return security.NewBlessings(blessings)
+ var blessings security.Blessings
+ err := c.caller.call("BlessSelf", results(&blessings), name, caveats)
+ return blessings, err
}
func (c *client) Sign(message []byte) (sig security.Signature, err error) {
@@ -142,26 +138,17 @@
}
func (c *client) BlessingsByName(pattern security.BlessingPattern) []security.Blessings {
- var wbResults []security.WireBlessings
- err := c.caller.call("BlessingsByName", results(&wbResults), pattern)
- if err != nil {
+ var blessings []security.Blessings
+ if err := c.caller.call("BlessingsByName", results(&blessings), pattern); err != nil {
vlog.Errorf("error calling BlessingsByName: %v", err)
return nil
}
- blessings := make([]security.Blessings, len(wbResults))
- for i, wb := range wbResults {
- var err error
- blessings[i], err = security.NewBlessings(wb)
- if err != nil {
- vlog.Errorf("error creating Blessing from WireBlessings: %v", err)
- }
- }
return blessings
}
func (c *client) BlessingsInfo(blessings security.Blessings) map[string][]security.Caveat {
var bInfo map[string][]security.Caveat
- err := c.caller.call("BlessingsInfo", results(&bInfo), security.MarshalBlessings(blessings))
+ err := c.caller.call("BlessingsInfo", results(&bInfo), blessings)
if err != nil {
vlog.Errorf("error calling BlessingsInfo: %v", err)
return nil
@@ -177,7 +164,7 @@
}
func (c *client) AddToRoots(blessings security.Blessings) error {
- return c.caller.call("AddToRoots", results(), security.MarshalBlessings(blessings))
+ return c.caller.call("AddToRoots", results(), blessings)
}
type blessingStore struct {
@@ -186,43 +173,30 @@
}
func (b *blessingStore) Set(blessings security.Blessings, forPeers security.BlessingPattern) (security.Blessings, error) {
- var resultBlessings security.WireBlessings
- if err := b.caller.call("BlessingStoreSet", results(&resultBlessings), security.MarshalBlessings(blessings), forPeers); err != nil {
- return security.Blessings{}, err
- }
- return security.NewBlessings(resultBlessings)
+ var previous security.Blessings
+ err := b.caller.call("BlessingStoreSet", results(&previous), blessings, forPeers)
+ return previous, err
}
func (b *blessingStore) ForPeer(peerBlessings ...string) security.Blessings {
- var resultBlessings security.WireBlessings
- err := b.caller.call("BlessingStoreForPeer", results(&resultBlessings), peerBlessings)
- if err != nil {
- vlog.Errorf("error calling BlessingStoreForPeer: %v", err)
- return security.Blessings{}
- }
- blessings, err := security.NewBlessings(resultBlessings)
- if err != nil {
- vlog.Errorf("error creating Blessings from WireBlessings: %v", err)
- return security.Blessings{}
+ var blessings security.Blessings
+ if err := b.caller.call("BlessingStoreForPeer", results(&blessings), peerBlessings); err != nil {
+ vlog.Errorf("error calling BlessingStorePeerBlessings: %v", err)
}
return blessings
}
func (b *blessingStore) SetDefault(blessings security.Blessings) error {
- return b.caller.call("BlessingStoreSetDefault", results(), security.MarshalBlessings(blessings))
+ return b.caller.call("BlessingStoreSetDefault", results(), blessings)
}
func (b *blessingStore) Default() security.Blessings {
- var resultBlessings security.WireBlessings
- err := b.caller.call("BlessingStoreDefault", results(&resultBlessings))
+ var blessings security.Blessings
+ err := b.caller.call("BlessingStoreDefault", results(&blessings))
if err != nil {
vlog.Errorf("error calling BlessingStoreDefault: %v", err)
return security.Blessings{}
}
- blessings, err := security.NewBlessings(resultBlessings)
- if err != nil {
- vlog.Errorf("error creating Blessing from WireBlessings: %v", err)
- }
return blessings
}
@@ -231,22 +205,13 @@
}
func (b *blessingStore) PeerBlessings() map[security.BlessingPattern]security.Blessings {
- var wbMap map[security.BlessingPattern]security.WireBlessings
- err := b.caller.call("BlessingStorePeerBlessings", results(&wbMap))
+ var bmap map[security.BlessingPattern]security.Blessings
+ err := b.caller.call("BlessingStorePeerBlessings", results(&bmap))
if err != nil {
vlog.Errorf("error calling BlessingStorePeerBlessings: %v", err)
return nil
}
- bMap := make(map[security.BlessingPattern]security.Blessings)
- for pattern, wb := range wbMap {
- blessings, err := security.NewBlessings(wb)
- if err != nil {
- vlog.Errorf("error creating Blessing from WireBlessings: %v", err)
- return nil
- }
- bMap[pattern] = blessings
- }
- return bMap
+ return bmap
}
func (b *blessingStore) DebugString() (s string) {
diff --git a/security/agent/server/server.go b/security/agent/server/server.go
index d89b7a8..78e9ace 100644
--- a/security/agent/server/server.go
+++ b/security/agent/server/server.go
@@ -271,28 +271,16 @@
return nil
}
-func (a agentd) Bless(_ ipc.ServerCall, key []byte, with security.WireBlessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.WireBlessings, error) {
+func (a agentd) Bless(_ ipc.ServerCall, key []byte, with security.Blessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.Blessings, error) {
pkey, err := security.UnmarshalPublicKey(key)
if err != nil {
- return security.WireBlessings{}, err
+ return security.Blessings{}, err
}
- withBlessings, err := security.NewBlessings(with)
- if err != nil {
- return security.WireBlessings{}, err
- }
- blessings, err := a.principal.Bless(pkey, withBlessings, extension, caveat, additionalCaveats...)
- if err != nil {
- return security.WireBlessings{}, err
- }
- return security.MarshalBlessings(blessings), nil
+ return a.principal.Bless(pkey, with, extension, caveat, additionalCaveats...)
}
-func (a agentd) BlessSelf(_ ipc.ServerCall, name string, caveats []security.Caveat) (security.WireBlessings, error) {
- blessings, err := a.principal.BlessSelf(name, caveats...)
- if err != nil {
- return security.WireBlessings{}, err
- }
- return security.MarshalBlessings(blessings), nil
+func (a agentd) BlessSelf(_ ipc.ServerCall, name string, caveats []security.Caveat) (security.Blessings, error) {
+ return a.principal.BlessSelf(name, caveats...)
}
func (a agentd) Sign(_ ipc.ServerCall, message []byte) (security.Signature, error) {
@@ -362,76 +350,46 @@
return a.principal.PublicKey().MarshalBinary()
}
-func (a agentd) BlessingsByName(_ ipc.ServerCall, name security.BlessingPattern) ([]security.WireBlessings, error) {
+func (a agentd) BlessingsByName(_ ipc.ServerCall, name security.BlessingPattern) ([]security.Blessings, error) {
a.w.rlock()
defer a.w.runlock()
- blessings := a.principal.BlessingsByName(name)
- ret := make([]security.WireBlessings, len(blessings))
- for i, b := range blessings {
- ret[i] = security.MarshalBlessings(b)
- }
- return ret, nil
+ return a.principal.BlessingsByName(name), nil
}
-func (a agentd) BlessingsInfo(_ ipc.ServerCall, blessings security.WireBlessings) (map[string][]security.Caveat, error) {
- b, err := security.NewBlessings(blessings)
- if err != nil {
- return nil, err
- }
+func (a agentd) BlessingsInfo(_ ipc.ServerCall, blessings security.Blessings) (map[string][]security.Caveat, error) {
a.w.rlock()
defer a.w.runlock()
- return a.principal.BlessingsInfo(b), nil
+ return a.principal.BlessingsInfo(blessings), nil
}
-func (a agentd) AddToRoots(_ ipc.ServerCall, wireBlessings security.WireBlessings) error {
- blessings, err := security.NewBlessings(wireBlessings)
- if err != nil {
- return err
- }
+func (a agentd) AddToRoots(_ ipc.ServerCall, blessings security.Blessings) error {
a.w.lock()
defer a.w.unlock(a.id)
return a.principal.AddToRoots(blessings)
}
-func (a agentd) BlessingStoreSet(_ ipc.ServerCall, wireBlessings security.WireBlessings, forPeers security.BlessingPattern) (security.WireBlessings, error) {
- blessings, err := security.NewBlessings(wireBlessings)
- if err != nil {
- return security.WireBlessings{}, err
- }
+func (a agentd) BlessingStoreSet(_ ipc.ServerCall, blessings security.Blessings, forPeers security.BlessingPattern) (security.Blessings, error) {
a.w.lock()
- resultBlessings, err := a.principal.BlessingStore().Set(blessings, forPeers)
- a.w.unlock(a.id)
- if err != nil {
- return security.WireBlessings{}, err
- }
- return security.MarshalBlessings(resultBlessings), nil
+ defer a.w.unlock(a.id)
+ return a.principal.BlessingStore().Set(blessings, forPeers)
}
-func (a agentd) BlessingStoreForPeer(_ ipc.ServerCall, peerBlessings []string) (security.WireBlessings, error) {
+func (a agentd) BlessingStoreForPeer(_ ipc.ServerCall, peerBlessings []string) (security.Blessings, error) {
a.w.rlock()
defer a.w.runlock()
- return security.MarshalBlessings(a.principal.BlessingStore().ForPeer(peerBlessings...)), nil
+ return a.principal.BlessingStore().ForPeer(peerBlessings...), nil
}
-func (a agentd) BlessingStoreSetDefault(_ ipc.ServerCall, wireBlessings security.WireBlessings) error {
- blessings, err := security.NewBlessings(wireBlessings)
- if err != nil {
- return err
- }
+func (a agentd) BlessingStoreSetDefault(_ ipc.ServerCall, blessings security.Blessings) error {
a.w.lock()
defer a.w.unlock(a.id)
return a.principal.BlessingStore().SetDefault(blessings)
}
-func (a agentd) BlessingStorePeerBlessings(_ ipc.ServerCall) (map[security.BlessingPattern]security.WireBlessings, error) {
+func (a agentd) BlessingStorePeerBlessings(_ ipc.ServerCall) (map[security.BlessingPattern]security.Blessings, error) {
a.w.rlock()
- bMap := a.principal.BlessingStore().PeerBlessings()
- a.w.runlock()
- wbMap := make(map[security.BlessingPattern]security.WireBlessings, len(bMap))
- for p, b := range bMap {
- wbMap[p] = security.MarshalBlessings(b)
- }
- return wbMap, nil
+ defer a.w.runlock()
+ return a.principal.BlessingStore().PeerBlessings(), nil
}
func (a agentd) BlessingStoreDebugString(_ ipc.ServerCall) (string, error) {
@@ -440,10 +398,10 @@
return a.principal.BlessingStore().DebugString(), nil
}
-func (a agentd) BlessingStoreDefault(_ ipc.ServerCall) (security.WireBlessings, error) {
+func (a agentd) BlessingStoreDefault(_ ipc.ServerCall) (security.Blessings, error) {
a.w.rlock()
defer a.w.runlock()
- return security.MarshalBlessings(a.principal.BlessingStore().Default()), nil
+ return a.principal.BlessingStore().Default(), nil
}
func (a agentd) BlessingRootsAdd(_ ipc.ServerCall, root []byte, pattern security.BlessingPattern) error {
diff --git a/security/agent/server/wire.vdl.go b/security/agent/server/wire.vdl.go
index d02c82e..65f1fc2 100644
--- a/security/agent/server/wire.vdl.go
+++ b/security/agent/server/wire.vdl.go
@@ -17,19 +17,19 @@
// AgentClientMethods is the client interface
// containing Agent methods.
type AgentClientMethods interface {
- Bless(ctx *context.T, key []byte, wit security.WireBlessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat, opts ...ipc.CallOpt) (security.WireBlessings, error)
- BlessSelf(ctx *context.T, name string, caveats []security.Caveat, opts ...ipc.CallOpt) (security.WireBlessings, error)
+ Bless(ctx *context.T, key []byte, wit security.Blessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat, opts ...ipc.CallOpt) (security.Blessings, error)
+ BlessSelf(ctx *context.T, name string, caveats []security.Caveat, opts ...ipc.CallOpt) (security.Blessings, error)
Sign(ctx *context.T, message []byte, opts ...ipc.CallOpt) (security.Signature, error)
MintDischarge(ctx *context.T, forCaveat security.Caveat, caveatOnDischarge security.Caveat, additionalCaveatsOnDischarge []security.Caveat, opts ...ipc.CallOpt) (security.WireDischarge, error)
PublicKey(*context.T, ...ipc.CallOpt) ([]byte, error)
- BlessingsByName(ctx *context.T, name security.BlessingPattern, opts ...ipc.CallOpt) ([]security.WireBlessings, error)
- BlessingsInfo(ctx *context.T, blessings security.WireBlessings, opts ...ipc.CallOpt) (map[string][]security.Caveat, error)
- AddToRoots(ctx *context.T, blessing security.WireBlessings, opts ...ipc.CallOpt) error
- BlessingStoreSet(ctx *context.T, blessings security.WireBlessings, forPeers security.BlessingPattern, opts ...ipc.CallOpt) (security.WireBlessings, error)
- BlessingStoreForPeer(ctx *context.T, peerBlessings []string, opts ...ipc.CallOpt) (security.WireBlessings, error)
- BlessingStoreSetDefault(ctx *context.T, blessings security.WireBlessings, opts ...ipc.CallOpt) error
- BlessingStoreDefault(*context.T, ...ipc.CallOpt) (security.WireBlessings, error)
- BlessingStorePeerBlessings(*context.T, ...ipc.CallOpt) (map[security.BlessingPattern]security.WireBlessings, error)
+ BlessingsByName(ctx *context.T, name security.BlessingPattern, opts ...ipc.CallOpt) ([]security.Blessings, error)
+ BlessingsInfo(ctx *context.T, blessings security.Blessings, opts ...ipc.CallOpt) (map[string][]security.Caveat, error)
+ AddToRoots(ctx *context.T, blessing security.Blessings, opts ...ipc.CallOpt) error
+ BlessingStoreSet(ctx *context.T, blessings security.Blessings, forPeers security.BlessingPattern, opts ...ipc.CallOpt) (security.Blessings, error)
+ BlessingStoreForPeer(ctx *context.T, peerBlessings []string, opts ...ipc.CallOpt) (security.Blessings, error)
+ BlessingStoreSetDefault(ctx *context.T, blessings security.Blessings, opts ...ipc.CallOpt) error
+ BlessingStoreDefault(*context.T, ...ipc.CallOpt) (security.Blessings, error)
+ BlessingStorePeerBlessings(*context.T, ...ipc.CallOpt) (map[security.BlessingPattern]security.Blessings, error)
BlessingStoreDebugString(*context.T, ...ipc.CallOpt) (string, error)
BlessingRootsAdd(ctx *context.T, root []byte, pattern security.BlessingPattern, opts ...ipc.CallOpt) error
BlessingRootsRecognized(ctx *context.T, root []byte, blessing string, opts ...ipc.CallOpt) error
@@ -70,7 +70,7 @@
return v23.GetClient(ctx)
}
-func (c implAgentClientStub) Bless(ctx *context.T, i0 []byte, i1 security.WireBlessings, i2 string, i3 security.Caveat, i4 []security.Caveat, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) Bless(ctx *context.T, i0 []byte, i1 security.Blessings, i2 string, i3 security.Caveat, i4 []security.Caveat, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "Bless", []interface{}{i0, i1, i2, i3, i4}, opts...); err != nil {
return
@@ -79,7 +79,7 @@
return
}
-func (c implAgentClientStub) BlessSelf(ctx *context.T, i0 string, i1 []security.Caveat, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessSelf(ctx *context.T, i0 string, i1 []security.Caveat, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessSelf", []interface{}{i0, i1}, opts...); err != nil {
return
@@ -115,7 +115,7 @@
return
}
-func (c implAgentClientStub) BlessingsByName(ctx *context.T, i0 security.BlessingPattern, opts ...ipc.CallOpt) (o0 []security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingsByName(ctx *context.T, i0 security.BlessingPattern, opts ...ipc.CallOpt) (o0 []security.Blessings, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingsByName", []interface{}{i0}, opts...); err != nil {
return
@@ -124,7 +124,7 @@
return
}
-func (c implAgentClientStub) BlessingsInfo(ctx *context.T, i0 security.WireBlessings, opts ...ipc.CallOpt) (o0 map[string][]security.Caveat, err error) {
+func (c implAgentClientStub) BlessingsInfo(ctx *context.T, i0 security.Blessings, opts ...ipc.CallOpt) (o0 map[string][]security.Caveat, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingsInfo", []interface{}{i0}, opts...); err != nil {
return
@@ -133,7 +133,7 @@
return
}
-func (c implAgentClientStub) AddToRoots(ctx *context.T, i0 security.WireBlessings, opts ...ipc.CallOpt) (err error) {
+func (c implAgentClientStub) AddToRoots(ctx *context.T, i0 security.Blessings, opts ...ipc.CallOpt) (err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "AddToRoots", []interface{}{i0}, opts...); err != nil {
return
@@ -142,7 +142,7 @@
return
}
-func (c implAgentClientStub) BlessingStoreSet(ctx *context.T, i0 security.WireBlessings, i1 security.BlessingPattern, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingStoreSet(ctx *context.T, i0 security.Blessings, i1 security.BlessingPattern, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStoreSet", []interface{}{i0, i1}, opts...); err != nil {
return
@@ -151,7 +151,7 @@
return
}
-func (c implAgentClientStub) BlessingStoreForPeer(ctx *context.T, i0 []string, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingStoreForPeer(ctx *context.T, i0 []string, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStoreForPeer", []interface{}{i0}, opts...); err != nil {
return
@@ -160,7 +160,7 @@
return
}
-func (c implAgentClientStub) BlessingStoreSetDefault(ctx *context.T, i0 security.WireBlessings, opts ...ipc.CallOpt) (err error) {
+func (c implAgentClientStub) BlessingStoreSetDefault(ctx *context.T, i0 security.Blessings, opts ...ipc.CallOpt) (err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStoreSetDefault", []interface{}{i0}, opts...); err != nil {
return
@@ -169,7 +169,7 @@
return
}
-func (c implAgentClientStub) BlessingStoreDefault(ctx *context.T, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingStoreDefault(ctx *context.T, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStoreDefault", nil, opts...); err != nil {
return
@@ -178,7 +178,7 @@
return
}
-func (c implAgentClientStub) BlessingStorePeerBlessings(ctx *context.T, opts ...ipc.CallOpt) (o0 map[security.BlessingPattern]security.WireBlessings, err error) {
+func (c implAgentClientStub) BlessingStorePeerBlessings(ctx *context.T, opts ...ipc.CallOpt) (o0 map[security.BlessingPattern]security.Blessings, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessingStorePeerBlessings", nil, opts...); err != nil {
return
@@ -303,19 +303,19 @@
// AgentServerMethods is the interface a server writer
// implements for Agent.
type AgentServerMethods interface {
- Bless(ctx ipc.ServerCall, key []byte, wit security.WireBlessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.WireBlessings, error)
- BlessSelf(ctx ipc.ServerCall, name string, caveats []security.Caveat) (security.WireBlessings, error)
+ Bless(ctx ipc.ServerCall, key []byte, wit security.Blessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.Blessings, error)
+ BlessSelf(ctx ipc.ServerCall, name string, caveats []security.Caveat) (security.Blessings, error)
Sign(ctx ipc.ServerCall, message []byte) (security.Signature, error)
MintDischarge(ctx ipc.ServerCall, forCaveat security.Caveat, caveatOnDischarge security.Caveat, additionalCaveatsOnDischarge []security.Caveat) (security.WireDischarge, error)
PublicKey(ipc.ServerCall) ([]byte, error)
- BlessingsByName(ctx ipc.ServerCall, name security.BlessingPattern) ([]security.WireBlessings, error)
- BlessingsInfo(ctx ipc.ServerCall, blessings security.WireBlessings) (map[string][]security.Caveat, error)
- AddToRoots(ctx ipc.ServerCall, blessing security.WireBlessings) error
- BlessingStoreSet(ctx ipc.ServerCall, blessings security.WireBlessings, forPeers security.BlessingPattern) (security.WireBlessings, error)
- BlessingStoreForPeer(ctx ipc.ServerCall, peerBlessings []string) (security.WireBlessings, error)
- BlessingStoreSetDefault(ctx ipc.ServerCall, blessings security.WireBlessings) error
- BlessingStoreDefault(ipc.ServerCall) (security.WireBlessings, error)
- BlessingStorePeerBlessings(ipc.ServerCall) (map[security.BlessingPattern]security.WireBlessings, error)
+ BlessingsByName(ctx ipc.ServerCall, name security.BlessingPattern) ([]security.Blessings, error)
+ BlessingsInfo(ctx ipc.ServerCall, blessings security.Blessings) (map[string][]security.Caveat, error)
+ AddToRoots(ctx ipc.ServerCall, blessing security.Blessings) error
+ BlessingStoreSet(ctx ipc.ServerCall, blessings security.Blessings, forPeers security.BlessingPattern) (security.Blessings, error)
+ BlessingStoreForPeer(ctx ipc.ServerCall, peerBlessings []string) (security.Blessings, error)
+ BlessingStoreSetDefault(ctx ipc.ServerCall, blessings security.Blessings) error
+ BlessingStoreDefault(ipc.ServerCall) (security.Blessings, error)
+ BlessingStorePeerBlessings(ipc.ServerCall) (map[security.BlessingPattern]security.Blessings, error)
BlessingStoreDebugString(ipc.ServerCall) (string, error)
BlessingRootsAdd(ctx ipc.ServerCall, root []byte, pattern security.BlessingPattern) error
BlessingRootsRecognized(ctx ipc.ServerCall, root []byte, blessing string) error
@@ -332,19 +332,19 @@
// The only difference between this interface and AgentServerMethods
// is the streaming methods.
type AgentServerStubMethods interface {
- Bless(ctx ipc.ServerCall, key []byte, wit security.WireBlessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.WireBlessings, error)
- BlessSelf(ctx ipc.ServerCall, name string, caveats []security.Caveat) (security.WireBlessings, error)
+ Bless(ctx ipc.ServerCall, key []byte, wit security.Blessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.Blessings, error)
+ BlessSelf(ctx ipc.ServerCall, name string, caveats []security.Caveat) (security.Blessings, error)
Sign(ctx ipc.ServerCall, message []byte) (security.Signature, error)
MintDischarge(ctx ipc.ServerCall, forCaveat security.Caveat, caveatOnDischarge security.Caveat, additionalCaveatsOnDischarge []security.Caveat) (security.WireDischarge, error)
PublicKey(ipc.ServerCall) ([]byte, error)
- BlessingsByName(ctx ipc.ServerCall, name security.BlessingPattern) ([]security.WireBlessings, error)
- BlessingsInfo(ctx ipc.ServerCall, blessings security.WireBlessings) (map[string][]security.Caveat, error)
- AddToRoots(ctx ipc.ServerCall, blessing security.WireBlessings) error
- BlessingStoreSet(ctx ipc.ServerCall, blessings security.WireBlessings, forPeers security.BlessingPattern) (security.WireBlessings, error)
- BlessingStoreForPeer(ctx ipc.ServerCall, peerBlessings []string) (security.WireBlessings, error)
- BlessingStoreSetDefault(ctx ipc.ServerCall, blessings security.WireBlessings) error
- BlessingStoreDefault(ipc.ServerCall) (security.WireBlessings, error)
- BlessingStorePeerBlessings(ipc.ServerCall) (map[security.BlessingPattern]security.WireBlessings, error)
+ BlessingsByName(ctx ipc.ServerCall, name security.BlessingPattern) ([]security.Blessings, error)
+ BlessingsInfo(ctx ipc.ServerCall, blessings security.Blessings) (map[string][]security.Caveat, error)
+ AddToRoots(ctx ipc.ServerCall, blessing security.Blessings) error
+ BlessingStoreSet(ctx ipc.ServerCall, blessings security.Blessings, forPeers security.BlessingPattern) (security.Blessings, error)
+ BlessingStoreForPeer(ctx ipc.ServerCall, peerBlessings []string) (security.Blessings, error)
+ BlessingStoreSetDefault(ctx ipc.ServerCall, blessings security.Blessings) error
+ BlessingStoreDefault(ipc.ServerCall) (security.Blessings, error)
+ BlessingStorePeerBlessings(ipc.ServerCall) (map[security.BlessingPattern]security.Blessings, error)
BlessingStoreDebugString(ipc.ServerCall) (string, error)
BlessingRootsAdd(ctx ipc.ServerCall, root []byte, pattern security.BlessingPattern) error
BlessingRootsRecognized(ctx ipc.ServerCall, root []byte, blessing string) error
@@ -385,11 +385,11 @@
gs *ipc.GlobState
}
-func (s implAgentServerStub) Bless(ctx ipc.ServerCall, i0 []byte, i1 security.WireBlessings, i2 string, i3 security.Caveat, i4 []security.Caveat) (security.WireBlessings, error) {
+func (s implAgentServerStub) Bless(ctx ipc.ServerCall, i0 []byte, i1 security.Blessings, i2 string, i3 security.Caveat, i4 []security.Caveat) (security.Blessings, error) {
return s.impl.Bless(ctx, i0, i1, i2, i3, i4)
}
-func (s implAgentServerStub) BlessSelf(ctx ipc.ServerCall, i0 string, i1 []security.Caveat) (security.WireBlessings, error) {
+func (s implAgentServerStub) BlessSelf(ctx ipc.ServerCall, i0 string, i1 []security.Caveat) (security.Blessings, error) {
return s.impl.BlessSelf(ctx, i0, i1)
}
@@ -405,35 +405,35 @@
return s.impl.PublicKey(ctx)
}
-func (s implAgentServerStub) BlessingsByName(ctx ipc.ServerCall, i0 security.BlessingPattern) ([]security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingsByName(ctx ipc.ServerCall, i0 security.BlessingPattern) ([]security.Blessings, error) {
return s.impl.BlessingsByName(ctx, i0)
}
-func (s implAgentServerStub) BlessingsInfo(ctx ipc.ServerCall, i0 security.WireBlessings) (map[string][]security.Caveat, error) {
+func (s implAgentServerStub) BlessingsInfo(ctx ipc.ServerCall, i0 security.Blessings) (map[string][]security.Caveat, error) {
return s.impl.BlessingsInfo(ctx, i0)
}
-func (s implAgentServerStub) AddToRoots(ctx ipc.ServerCall, i0 security.WireBlessings) error {
+func (s implAgentServerStub) AddToRoots(ctx ipc.ServerCall, i0 security.Blessings) error {
return s.impl.AddToRoots(ctx, i0)
}
-func (s implAgentServerStub) BlessingStoreSet(ctx ipc.ServerCall, i0 security.WireBlessings, i1 security.BlessingPattern) (security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingStoreSet(ctx ipc.ServerCall, i0 security.Blessings, i1 security.BlessingPattern) (security.Blessings, error) {
return s.impl.BlessingStoreSet(ctx, i0, i1)
}
-func (s implAgentServerStub) BlessingStoreForPeer(ctx ipc.ServerCall, i0 []string) (security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingStoreForPeer(ctx ipc.ServerCall, i0 []string) (security.Blessings, error) {
return s.impl.BlessingStoreForPeer(ctx, i0)
}
-func (s implAgentServerStub) BlessingStoreSetDefault(ctx ipc.ServerCall, i0 security.WireBlessings) error {
+func (s implAgentServerStub) BlessingStoreSetDefault(ctx ipc.ServerCall, i0 security.Blessings) error {
return s.impl.BlessingStoreSetDefault(ctx, i0)
}
-func (s implAgentServerStub) BlessingStoreDefault(ctx ipc.ServerCall) (security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingStoreDefault(ctx ipc.ServerCall) (security.Blessings, error) {
return s.impl.BlessingStoreDefault(ctx)
}
-func (s implAgentServerStub) BlessingStorePeerBlessings(ctx ipc.ServerCall) (map[security.BlessingPattern]security.WireBlessings, error) {
+func (s implAgentServerStub) BlessingStorePeerBlessings(ctx ipc.ServerCall) (map[security.BlessingPattern]security.Blessings, error) {
return s.impl.BlessingStorePeerBlessings(ctx)
}
@@ -477,13 +477,13 @@
Name: "Bless",
InArgs: []ipc.ArgDesc{
{"key", ``}, // []byte
- {"wit", ``}, // security.WireBlessings
+ {"wit", ``}, // security.Blessings
{"extension", ``}, // string
{"caveat", ``}, // security.Caveat
{"additionalCaveats", ``}, // []security.Caveat
},
OutArgs: []ipc.ArgDesc{
- {"", ``}, // security.WireBlessings
+ {"", ``}, // security.Blessings
},
},
{
@@ -493,7 +493,7 @@
{"caveats", ``}, // []security.Caveat
},
OutArgs: []ipc.ArgDesc{
- {"", ``}, // security.WireBlessings
+ {"", ``}, // security.Blessings
},
},
{
@@ -528,13 +528,13 @@
{"name", ``}, // security.BlessingPattern
},
OutArgs: []ipc.ArgDesc{
- {"", ``}, // []security.WireBlessings
+ {"", ``}, // []security.Blessings
},
},
{
Name: "BlessingsInfo",
InArgs: []ipc.ArgDesc{
- {"blessings", ``}, // security.WireBlessings
+ {"blessings", ``}, // security.Blessings
},
OutArgs: []ipc.ArgDesc{
{"", ``}, // map[string][]security.Caveat
@@ -543,17 +543,17 @@
{
Name: "AddToRoots",
InArgs: []ipc.ArgDesc{
- {"blessing", ``}, // security.WireBlessings
+ {"blessing", ``}, // security.Blessings
},
},
{
Name: "BlessingStoreSet",
InArgs: []ipc.ArgDesc{
- {"blessings", ``}, // security.WireBlessings
+ {"blessings", ``}, // security.Blessings
{"forPeers", ``}, // security.BlessingPattern
},
OutArgs: []ipc.ArgDesc{
- {"", ``}, // security.WireBlessings
+ {"", ``}, // security.Blessings
},
},
{
@@ -562,25 +562,25 @@
{"peerBlessings", ``}, // []string
},
OutArgs: []ipc.ArgDesc{
- {"", ``}, // security.WireBlessings
+ {"", ``}, // security.Blessings
},
},
{
Name: "BlessingStoreSetDefault",
InArgs: []ipc.ArgDesc{
- {"blessings", ``}, // security.WireBlessings
+ {"blessings", ``}, // security.Blessings
},
},
{
Name: "BlessingStoreDefault",
OutArgs: []ipc.ArgDesc{
- {"", ``}, // security.WireBlessings
+ {"", ``}, // security.Blessings
},
},
{
Name: "BlessingStorePeerBlessings",
OutArgs: []ipc.ArgDesc{
- {"", ``}, // map[security.BlessingPattern]security.WireBlessings
+ {"", ``}, // map[security.BlessingPattern]security.Blessings
},
},
{
diff --git a/security/blessingstore.go b/security/blessingstore.go
index be511fc..39cb079 100644
--- a/security/blessingstore.go
+++ b/security/blessingstore.go
@@ -1,5 +1,8 @@
package security
+// TODO(ashankar,ataly): This file is a bit of a mess!! Define a serialization
+// format for the blessing store and rewrite this file before release!
+
import (
"bytes"
"errors"
@@ -16,32 +19,22 @@
var errStoreAddMismatch = errors.New("blessing's public key does not match store's public key")
+// TODO(ashankar,ataly): The only reason that Value is encapsulated in a struct
+// is for backward compatibility. We should probably restore "oldState" and
+// get rid of this.
type blessings struct {
- Value security.WireBlessings
- unmarshaled *security.Blessings
+ Value security.Blessings
}
func (w *blessings) Blessings() security.Blessings {
if w == nil {
return security.Blessings{}
}
- return *w.unmarshaled
-}
-
-func (w *blessings) Verify() error {
- if w.unmarshaled != nil {
- return nil
- }
- b, err := security.NewBlessings(w.Value)
- if err != nil {
- return err
- }
- w.unmarshaled = &b
- return nil
+ return w.Value
}
func newWireBlessings(b security.Blessings) *blessings {
- return &blessings{Value: security.MarshalBlessings(b), unmarshaled: &b}
+ return &blessings{Value: b}
}
type state struct {
@@ -195,22 +188,24 @@
}
}
-// TODO(ataly, ashankar): Get rid of this struct once we have switched all credentials
-// directories to the new serialization format.
+// TODO(ataly, ashankar): Get rid of this struct once we have switched all
+// credentials directories to the new serialization format. Or maybe we should
+// restore this and get rid of "type state". Probably should define the
+// serialization format in VDL!
type oldState struct {
- Store map[security.BlessingPattern]security.WireBlessings
- Default security.WireBlessings
+ Store map[security.BlessingPattern]security.Blessings
+ Default security.Blessings
}
// TODO(ataly, ashankar): Get rid of this method once we have switched all
// credentials directories to the new serialization format.
func (bs *blessingStore) tryOldFormat() bool {
- var empty security.WireBlessings
+ var empty security.Blessings
if len(bs.state.Store) == 0 {
- return bs.state.Default == nil || reflect.DeepEqual(bs.state.Default.Value, empty)
+ return bs.state.Default.Value.IsZero() || reflect.DeepEqual(bs.state.Default.Value, empty)
}
for _, wb := range bs.state.Store {
- if len(wb.Value.CertificateChains) == 0 {
+ if wb.Value.IsZero() {
return true
}
}
@@ -219,9 +214,6 @@
func (bs *blessingStore) verifyState() error {
verifyBlessings := func(wb *blessings, key security.PublicKey) error {
- if err := wb.Verify(); err != nil {
- return err
- }
if b := wb.Blessings(); !reflect.DeepEqual(b.PublicKey(), key) {
return fmt.Errorf("read Blessings: %v that are not for provided PublicKey: %v", b, key)
}
diff --git a/services/identity/auditor/blessing_auditor.go b/services/identity/auditor/blessing_auditor.go
index 631fdbd..045f2bb 100644
--- a/services/identity/auditor/blessing_auditor.go
+++ b/services/identity/auditor/blessing_auditor.go
@@ -103,7 +103,7 @@
return d, fmt.Errorf("failed to extract result blessing")
}
var err error
- if d.blessings, err = vom.Encode(security.MarshalBlessings(blessings)); err != nil {
+ if d.blessings, err = vom.Encode(blessings); err != nil {
return d, err
}
if d.caveats, err = vom.Encode(caveats); err != nil {
@@ -120,15 +120,10 @@
Email: dbentry.email,
Timestamp: dbentry.timestamp,
}
- var wireBlessings security.WireBlessings
- var err error
- if err = vom.Decode(dbentry.blessings, &wireBlessings); err != nil {
+ if err := vom.Decode(dbentry.blessings, &b.Blessings); err != nil {
return BlessingEntry{DecodeError: fmt.Errorf("failed to decode blessings: %s", err)}
}
- if b.Blessings, err = security.NewBlessings(wireBlessings); err != nil {
- return BlessingEntry{DecodeError: fmt.Errorf("failed to construct blessings: %s", err)}
- }
- if err = vom.Decode(dbentry.caveats, &b.Caveats); err != nil {
+ if err := vom.Decode(dbentry.caveats, &b.Caveats); err != nil {
return BlessingEntry{DecodeError: fmt.Errorf("failed to decode caveats: %s", err)}
}
b.RevocationCaveatID = revocationCaveatID(b.Caveats)
diff --git a/services/identity/blesser/macaroon.go b/services/identity/blesser/macaroon.go
index 4974848..03773c4 100644
--- a/services/identity/blesser/macaroon.go
+++ b/services/identity/blesser/macaroon.go
@@ -23,8 +23,8 @@
return identity.MacaroonBlesserServer(&macaroonBlesser{key})
}
-func (b *macaroonBlesser) Bless(ctx ipc.ServerCall, macaroon string) (security.WireBlessings, error) {
- var empty security.WireBlessings
+func (b *macaroonBlesser) Bless(ctx ipc.ServerCall, macaroon string) (security.Blessings, error) {
+ var empty security.Blessings
inputs, err := util.Macaroon(macaroon).Decode(b.key)
if err != nil {
return empty, err
@@ -42,12 +42,5 @@
if len(m.Caveats) == 0 {
m.Caveats = []security.Caveat{security.UnconstrainedUse()}
}
- // TODO(ashankar,toddw): After the VDL configuration files have the
- // scheme to translate between "wire" types and "in-memory" types, this
- // should just become return ctx.LocalPrincipal().....
- blessings, err := ctx.LocalPrincipal().Bless(ctx.RemoteBlessings().PublicKey(), ctx.LocalBlessings(), m.Name, m.Caveats[0], m.Caveats[1:]...)
- if err != nil {
- return empty, err
- }
- return security.MarshalBlessings(blessings), nil
+ return ctx.LocalPrincipal().Bless(ctx.RemoteBlessings().PublicKey(), ctx.LocalBlessings(), m.Name, m.Caveats[0], m.Caveats[1:]...)
}
diff --git a/services/identity/blesser/macaroon_test.go b/services/identity/blesser/macaroon_test.go
index acbd53b..b0e4e0c 100644
--- a/services/identity/blesser/macaroon_test.go
+++ b/services/identity/blesser/macaroon_test.go
@@ -35,15 +35,11 @@
t.Errorf("Bless(...) failed with error: %v, want: %v", err, wantErr)
}
m = oauth.BlessingMacaroon{Creation: time.Now(), Name: "user", Caveats: []security.Caveat{cOnlyMethodFoo}}
- result, err := blesser.Bless(context, newMacaroon(t, key, m))
+ b, err := blesser.Bless(context, newMacaroon(t, key, m))
if err != nil {
t.Errorf("Bless failed: %v", err)
}
- b, err := security.NewBlessings(result)
- if err != nil {
- t.Fatalf("Unable to decode response into a security.Blessings object: %v", err)
- }
if !reflect.DeepEqual(b.PublicKey(), user.PublicKey()) {
t.Errorf("Received blessing for public key %v. Client:%v, Blesser:%v", b.PublicKey(), user.PublicKey(), provider.PublicKey())
}
diff --git a/services/identity/blesser/oauth.go b/services/identity/blesser/oauth.go
index 405ef59..c98ad62 100644
--- a/services/identity/blesser/oauth.go
+++ b/services/identity/blesser/oauth.go
@@ -58,8 +58,8 @@
})
}
-func (b *oauthBlesser) BlessUsingAccessToken(ctx ipc.ServerCall, accessToken string) (security.WireBlessings, string, error) {
- var noblessings security.WireBlessings
+func (b *oauthBlesser) BlessUsingAccessToken(ctx ipc.ServerCall, accessToken string) (security.Blessings, string, error) {
+ var noblessings security.Blessings
email, clientName, err := b.oauthProvider.GetEmailAndClientName(accessToken, b.accessTokenClients)
if err != nil {
return noblessings, "", err
@@ -67,8 +67,8 @@
return b.bless(ctx, email, clientName)
}
-func (b *oauthBlesser) bless(ctx ipc.ServerCall, email, clientName string) (security.WireBlessings, string, error) {
- var noblessings security.WireBlessings
+func (b *oauthBlesser) bless(ctx ipc.ServerCall, email, clientName string) (security.Blessings, string, error) {
+ var noblessings security.Blessings
self := ctx.LocalPrincipal()
if self == nil {
return noblessings, "", fmt.Errorf("server error: no authentication happened")
@@ -97,5 +97,5 @@
if err != nil {
return noblessings, "", err
}
- return security.MarshalBlessings(blessing), extension, nil
+ return blessing, extension, nil
}
diff --git a/services/identity/blesser/oauth_test.go b/services/identity/blesser/oauth_test.go
index 9add34d..c173d8e 100644
--- a/services/identity/blesser/oauth_test.go
+++ b/services/identity/blesser/oauth_test.go
@@ -24,7 +24,7 @@
BlessingDuration: time.Hour,
})
- result, extension, err := blesser.BlessUsingAccessToken(context, "test-access-token")
+ b, extension, err := blesser.BlessUsingAccessToken(context, "test-access-token")
if err != nil {
t.Errorf("BlessUsingAccessToken failed: %v", err)
}
@@ -34,10 +34,6 @@
t.Errorf("got extension: %s, want: %s", extension, wantExtension)
}
- b, err := security.NewBlessings(result)
- if err != nil {
- t.Fatalf("Unable to decode response into a security.Blessings object: %v", err)
- }
if !reflect.DeepEqual(b.PublicKey(), user.PublicKey()) {
t.Errorf("Received blessing for public key %v. Client:%v, Blesser:%v", b.PublicKey(), user.PublicKey(), provider.PublicKey())
}
diff --git a/services/identity/handlers/blessing_root.go b/services/identity/handlers/blessing_root.go
index 723818f..3853478 100644
--- a/services/identity/handlers/blessing_root.go
+++ b/services/identity/handlers/blessing_root.go
@@ -8,6 +8,7 @@
"v.io/core/veyron/services/identity/util"
"v.io/v23/security"
+ "v.io/v23/vom"
)
// BlessingRoot is an http.Handler implementation that renders the server's
@@ -56,7 +57,11 @@
//
// Once this issue is resolved, delete the following line and uncomment
// the block below it.
- der := security.MarshalBlessings(b.P.BlessingStore().Default()).CertificateChains[0][0].PublicKey
+ der, err := rootPublicKey(b.P.BlessingStore().Default())
+ if err != nil {
+ util.HTTPServerError(w, err)
+ return
+ }
//der, err := b.P.PublicKey().MarshalBinary()
//if err != nil {
// util.HTTPServerError(w, err)
@@ -81,3 +86,17 @@
w.Header().Set("Content-Type", "application/json")
w.Write(res)
}
+
+// Circuitious route to obtain the certificate chain because the use
+// of security.MarshalBlessings is discouraged.
+func rootPublicKey(b security.Blessings) ([]byte, error) {
+ data, err := vom.Encode(b)
+ if err != nil {
+ return nil, fmt.Errorf("malformed Blessings: %v", err)
+ }
+ var wire security.WireBlessings
+ if err := vom.Decode(data, &wire); err != nil {
+ return nil, fmt.Errorf("malformed WireBlessings: %v", err)
+ }
+ return wire.CertificateChains[0][0].PublicKey, nil
+}
diff --git a/services/identity/identity.vdl.go b/services/identity/identity.vdl.go
index 87d885c..3cca02f 100644
--- a/services/identity/identity.vdl.go
+++ b/services/identity/identity.vdl.go
@@ -33,7 +33,7 @@
type OAuthBlesserClientMethods interface {
// BlessUsingAccessToken uses the provided access token to obtain the email
// address and returns a blessing along with the email address.
- BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessing security.WireBlessings, email string, err error)
+ BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessing security.Blessings, email string, err error)
}
// OAuthBlesserClientStub adds universal methods to OAuthBlesserClientMethods.
@@ -65,7 +65,7 @@
return v23.GetClient(ctx)
}
-func (c implOAuthBlesserClientStub) BlessUsingAccessToken(ctx *context.T, i0 string, opts ...ipc.CallOpt) (o0 security.WireBlessings, o1 string, err error) {
+func (c implOAuthBlesserClientStub) BlessUsingAccessToken(ctx *context.T, i0 string, opts ...ipc.CallOpt) (o0 security.Blessings, o1 string, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "BlessUsingAccessToken", []interface{}{i0}, opts...); err != nil {
return
@@ -93,7 +93,7 @@
type OAuthBlesserServerMethods interface {
// BlessUsingAccessToken uses the provided access token to obtain the email
// address and returns a blessing along with the email address.
- BlessUsingAccessToken(ctx ipc.ServerCall, token string) (blessing security.WireBlessings, email string, err error)
+ BlessUsingAccessToken(ctx ipc.ServerCall, token string) (blessing security.Blessings, email string, err error)
}
// OAuthBlesserServerStubMethods is the server interface containing
@@ -131,7 +131,7 @@
gs *ipc.GlobState
}
-func (s implOAuthBlesserServerStub) BlessUsingAccessToken(ctx ipc.ServerCall, i0 string) (security.WireBlessings, string, error) {
+func (s implOAuthBlesserServerStub) BlessUsingAccessToken(ctx ipc.ServerCall, i0 string) (security.Blessings, string, error) {
return s.impl.BlessUsingAccessToken(ctx, i0)
}
@@ -159,7 +159,7 @@
{"token", ``}, // string
},
OutArgs: []ipc.ArgDesc{
- {"blessing", ``}, // security.WireBlessings
+ {"blessing", ``}, // security.Blessings
{"email", ``}, // string
},
},
@@ -173,7 +173,7 @@
type MacaroonBlesserClientMethods interface {
// Bless uses the provided macaroon (which contains email and caveats)
// to return a blessing for the client.
- Bless(ctx *context.T, macaroon string, opts ...ipc.CallOpt) (blessing security.WireBlessings, err error)
+ Bless(ctx *context.T, macaroon string, opts ...ipc.CallOpt) (blessing security.Blessings, err error)
}
// MacaroonBlesserClientStub adds universal methods to MacaroonBlesserClientMethods.
@@ -205,7 +205,7 @@
return v23.GetClient(ctx)
}
-func (c implMacaroonBlesserClientStub) Bless(ctx *context.T, i0 string, opts ...ipc.CallOpt) (o0 security.WireBlessings, err error) {
+func (c implMacaroonBlesserClientStub) Bless(ctx *context.T, i0 string, opts ...ipc.CallOpt) (o0 security.Blessings, err error) {
var call ipc.ClientCall
if call, err = c.c(ctx).StartCall(ctx, c.name, "Bless", []interface{}{i0}, opts...); err != nil {
return
@@ -221,7 +221,7 @@
type MacaroonBlesserServerMethods interface {
// Bless uses the provided macaroon (which contains email and caveats)
// to return a blessing for the client.
- Bless(ctx ipc.ServerCall, macaroon string) (blessing security.WireBlessings, err error)
+ Bless(ctx ipc.ServerCall, macaroon string) (blessing security.Blessings, err error)
}
// MacaroonBlesserServerStubMethods is the server interface containing
@@ -259,7 +259,7 @@
gs *ipc.GlobState
}
-func (s implMacaroonBlesserServerStub) Bless(ctx ipc.ServerCall, i0 string) (security.WireBlessings, error) {
+func (s implMacaroonBlesserServerStub) Bless(ctx ipc.ServerCall, i0 string) (security.Blessings, error) {
return s.impl.Bless(ctx, i0)
}
@@ -287,7 +287,7 @@
{"macaroon", ``}, // string
},
OutArgs: []ipc.ArgDesc{
- {"blessing", ``}, // security.WireBlessings
+ {"blessing", ``}, // security.Blessings
},
},
},
diff --git a/services/mgmt/application/impl/impl_test.go b/services/mgmt/application/impl/impl_test.go
index da555e6..54b734a 100644
--- a/services/mgmt/application/impl/impl_test.go
+++ b/services/mgmt/application/impl/impl_test.go
@@ -21,7 +21,7 @@
"v.io/core/veyron/services/mgmt/repository"
)
-func newPublisherSignature(t *testing.T, ctx *context.T, msg []byte) (security.WireBlessings, security.Signature) {
+func newPublisherSignature(t *testing.T, ctx *context.T, msg []byte) (security.Blessings, security.Signature) {
// Generate publisher blessings
p := v23.GetPrincipal(ctx)
b, err := p.BlessSelf("publisher")
@@ -32,7 +32,7 @@
if err != nil {
t.Fatal(err)
}
- return security.MarshalBlessings(b), sig
+ return b, sig
}
// TestInterface tests that the implementation correctly implements
diff --git a/services/mgmt/device/impl/app_service.go b/services/mgmt/device/impl/app_service.go
index 3653c4f..22eabb1 100644
--- a/services/mgmt/device/impl/app_service.go
+++ b/services/mgmt/device/impl/app_service.go
@@ -398,11 +398,7 @@
if err := mkdir(pkgDir); err != nil {
return "", verror.New(ErrOperationFailed, nil)
}
- publisher, err := security.NewBlessings(envelope.Publisher)
- if err != nil {
- vlog.Errorf("Failed to parse publisher blessings:%v", err)
- return versionDir, verror.New(ErrOperationFailed, nil)
- }
+ publisher := envelope.Publisher
// TODO(caprita): Share binaries if already existing locally.
if err := downloadBinary(ctx, publisher, &envelope.Binary, versionDir, "bin"); err != nil {
return versionDir, err
diff --git a/services/mgmt/device/impl/device_service.go b/services/mgmt/device/impl/device_service.go
index 25d5d32..1344bb8 100644
--- a/services/mgmt/device/impl/device_service.go
+++ b/services/mgmt/device/impl/device_service.go
@@ -453,12 +453,7 @@
return err
}
} else {
- publisher, err := security.NewBlessings(envelope.Publisher)
- if err != nil {
- vlog.Errorf("Failed to parse publisher blessings:%v", err)
- return verror.New(ErrOperationFailed, nil)
- }
- if err := downloadBinary(ctx, publisher, &envelope.Binary, workspace, "deviced"); err != nil {
+ if err := downloadBinary(ctx, envelope.Publisher, &envelope.Binary, workspace, "deviced"); err != nil {
return err
}
}
diff --git a/services/mgmt/device/impl/impl_test.go b/services/mgmt/device/impl/impl_test.go
index a8ff696..db91252 100644
--- a/services/mgmt/device/impl/impl_test.go
+++ b/services/mgmt/device/impl/impl_test.go
@@ -1675,7 +1675,7 @@
File: naming.Join(binaryVON, "testbinary"),
Signature: *sig,
},
- Publisher: security.MarshalBlessings(publisher),
+ Publisher: publisher,
Packages: map[string]application.SignedFile{
"pkg": application.SignedFile{
File: pkgVON,
diff --git a/services/mgmt/lib/fs/simplestore.go b/services/mgmt/lib/fs/simplestore.go
index a6be49a..a61b989 100644
--- a/services/mgmt/lib/fs/simplestore.go
+++ b/services/mgmt/lib/fs/simplestore.go
@@ -6,15 +6,18 @@
"fmt"
"io/ioutil"
"os"
+ "reflect"
"sort"
"strings"
"sync"
"v.io/core/veyron/services/mgmt/profile"
+ "v.io/v23/security"
"v.io/v23/services/mgmt/application"
"v.io/v23/services/security/access"
"v.io/v23/verror"
+ "v.io/v23/vom"
)
// TODO(rjkroege@google.com) Switch Memstore to the mid-August 2014
@@ -55,11 +58,79 @@
var keyExists = struct{}{}
+// TODO(ashankar,rjkroege): Once we switch from gob to vom, this hack won't be
+// necessary (will be able to Put/Get application.Envelope without translating
+// to this applicationEnvelope type). But in the mean time, required because
+// security.Blessings is not gob-encodeable (and gob doesn't have the ability
+// to convert between native and wire types like security.Blessings ->
+// security.WireBlessings)
+//
+// This mirrors application.Envelope with the type of "Publsher" changed to
+// security.WireBlessings.
+//
+// See https://vanadium-review.googlesource.com/6300
+type applicationEnvelope struct {
+ Title string
+ Args []string
+ Binary application.SignedFile
+ Publisher security.WireBlessings
+ Env []string
+ Packages application.Packages
+}
+
+func translateToGobEncodeable(in interface{}) interface{} {
+ env, ok := in.(application.Envelope)
+ if !ok {
+ return in
+ }
+ return applicationEnvelope{
+ Title: env.Title,
+ Args: env.Args,
+ Binary: env.Binary,
+ Publisher: security.MarshalBlessings(env.Publisher),
+ Env: env.Env,
+ Packages: env.Packages,
+ }
+}
+
+func translateFromGobEncodeable(in interface{}) (interface{}, error) {
+ env, ok := in.(applicationEnvelope)
+ if !ok {
+ return in, nil
+ }
+ // Have to roundtrip through vom to convert from WireBlessings to Blessings.
+ // This may seem silly, but this whole translation business is silly too :)
+ // and will go away once we switch this package to using 'vom' instead of 'gob'.
+ // So for now, live with the funkiness.
+ bytes, err := vom.Encode(env.Publisher)
+ if err != nil {
+ return nil, err
+ }
+ var publisher security.Blessings
+ if err := vom.Decode(bytes, &publisher); err != nil {
+ return nil, err
+ }
+ return application.Envelope{
+ Title: env.Title,
+ Args: env.Args,
+ Binary: env.Binary,
+ Publisher: publisher,
+ Env: env.Env,
+ Packages: env.Packages,
+ }, nil
+}
+
// The implementation of set requires gob instead of json.
func init() {
gob.Register(profile.Specification{})
- gob.Register(application.Envelope{})
+ gob.Register(applicationEnvelope{})
gob.Register(access.TaggedACLMap{})
+ // Ensure that no fields have been added to application.Envelope,
+ // because if so, then applicationEnvelope defined in this package
+ // needs to change
+ if n := reflect.TypeOf(application.Envelope{}).NumField(); n != 6 {
+ panic(fmt.Sprintf("It appears that fields have been added to or removed from application.Envelope before the hack in this file around gob-encodeability was removed. Please also update applicationEnvelope, translateToGobEncodeable and translateToGobDecodeable in this file"))
+ }
}
// NewMemstore persists the Memstore to os.TempDir() if no file is
@@ -311,6 +382,10 @@
} else {
o.Value = bv
}
+ var err error
+ if o.Value, err = translateFromGobEncodeable(o.Value); err != nil {
+ return nil, err
+ }
return o, nil
}
@@ -321,7 +396,10 @@
return nil, verror.New(ErrNotInMemStore, nil, o.path)
}
- o.Value = bv
+ var err error
+ if o.Value, err = translateFromGobEncodeable(bv); err != nil {
+ return nil, err
+ }
return o, nil
}
@@ -337,8 +415,9 @@
if !o.ms.locked {
return nil, verror.New(ErrWithoutTransaction, nil, "Put()")
}
+ envelope = translateToGobEncodeable(envelope)
switch v := envelope.(type) {
- case application.Envelope, profile.Specification, access.TaggedACLMap:
+ case applicationEnvelope, profile.Specification, access.TaggedACLMap:
o.ms.puts[o.path] = v
delete(o.ms.removes, o.path)
o.Value = o.path
diff --git a/services/wsprd/account/account.go b/services/wsprd/account/account.go
index d81fad2..35e50bf 100644
--- a/services/wsprd/account/account.go
+++ b/services/wsprd/account/account.go
@@ -15,14 +15,14 @@
)
type BlesserService interface {
- BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessingObj security.WireBlessings, account string, err error)
+ BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessingObj security.Blessings, account string, err error)
}
type bs struct {
name string
}
-func (s *bs) BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessingObj security.WireBlessings, account string, err error) {
+func (s *bs) BlessUsingAccessToken(ctx *context.T, token string, opts ...ipc.CallOpt) (blessingObj security.Blessings, account string, err error) {
client := v23.GetClient(ctx)
var call ipc.ClientCall
if call, err = client.StartCall(ctx, s.name, "BlessUsingAccessToken", []interface{}{token}, opts...); err != nil {
@@ -30,7 +30,7 @@
}
var email string
if err := call.Finish(&blessingObj, &email); err != nil {
- return security.WireBlessings{}, "", err
+ return security.Blessings{}, "", err
}
serverBlessings, _ := call.RemoteBlessings()
return blessingObj, accountName(serverBlessings, email), nil
@@ -63,14 +63,9 @@
return "", fmt.Errorf("Error getting blessing for access token: %v", err)
}
- accountBlessings, err := security.NewBlessings(blessings)
- if err != nil {
- return "", fmt.Errorf("Error creating blessings from wire data: %v", err)
- }
-
- // Add accountBlessings to principalManager under the provided
+ // Add blessings to principalManager under the provided
// account.
- if err := am.principalManager.AddAccount(account, accountBlessings); err != nil {
+ if err := am.principalManager.AddAccount(account, blessings); err != nil {
return "", fmt.Errorf("Error adding account: %v", err)
}
diff --git a/services/wsprd/browspr/browspr_account_test.go b/services/wsprd/browspr/browspr_account_test.go
index e0d128c..8142fd2 100644
--- a/services/wsprd/browspr/browspr_account_test.go
+++ b/services/wsprd/browspr/browspr_account_test.go
@@ -28,15 +28,14 @@
}
}
-func (m *mockBlesserService) BlessUsingAccessToken(c *context.T, accessToken string, co ...ipc.CallOpt) (security.WireBlessings, string, error) {
- var empty security.WireBlessings
+func (m *mockBlesserService) BlessUsingAccessToken(c *context.T, accessToken string, co ...ipc.CallOpt) (security.Blessings, string, error) {
m.count++
name := fmt.Sprintf("%s%s%d", topLevelName, security.ChainSeparator, m.count)
blessing, err := m.p.BlessSelf(name)
if err != nil {
- return empty, "", err
+ return blessing, "", err
}
- return security.MarshalBlessings(blessing), name, nil
+ return blessing, name, nil
}
func setup(t *testing.T) (*Browspr, func()) {
diff --git a/services/wsprd/principal/principal.go b/services/wsprd/principal/principal.go
index cf46168..d26d42c 100644
--- a/services/wsprd/principal/principal.go
+++ b/services/wsprd/principal/principal.go
@@ -63,7 +63,7 @@
// A set of accounts that maps from an account name to the Blessings associated
// with the account.
- Accounts map[string]security.WireBlessings
+ Accounts map[string]security.Blessings
}
const pkgPath = "v.io/core/veyron/services/wsprd/principal"
@@ -139,7 +139,7 @@
result := &PrincipalManager{
state: persistentState{
Origins: map[string]permissions{},
- Accounts: map[string]security.WireBlessings{},
+ Accounts: map[string]security.Blessings{},
},
root: root,
serializer: serializer,
@@ -199,11 +199,11 @@
if !found {
return nil, verror.New(verror.ErrNoExist, nil, origin)
}
- wireBlessings, found := i.state.Accounts[perm.Account]
+ blessings, found := i.state.Accounts[perm.Account]
if !found {
return nil, verror.New(errUnknownAccount, nil, perm.Account)
}
- return i.createPrincipal(origin, wireBlessings, perm.Caveats)
+ return i.createPrincipal(origin, blessings, perm.Caveats)
}
// OriginHasAccount returns true iff the origin has been associated with
@@ -242,21 +242,20 @@
i.mu.Lock()
defer i.mu.Unlock()
- wireBlessings, found := i.state.Accounts[account]
+ blessings, found := i.state.Accounts[account]
if !found {
return security.Blessings{}, verror.New(errUnknownAccount, nil, account)
}
- return security.NewBlessings(wireBlessings)
+ return blessings, nil
}
// AddAccount associates the provided Blessing with the provided account.
func (i *PrincipalManager) AddAccount(account string, blessings security.Blessings) error {
- wireBlessings := security.MarshalBlessings(blessings)
i.mu.Lock()
defer i.mu.Unlock()
old, existed := i.state.Accounts[account]
- i.state.Accounts[account] = wireBlessings
+ i.state.Accounts[account] = blessings
if err := i.save(); err != nil {
delete(i.state.Accounts, account)
@@ -294,17 +293,12 @@
return nil
}
-func (i *PrincipalManager) createPrincipal(origin string, wireBlessings security.WireBlessings, caveats []security.Caveat) (security.Principal, error) {
+func (i *PrincipalManager) createPrincipal(origin string, withBlessings security.Blessings, caveats []security.Caveat) (security.Principal, error) {
ret, err := vsecurity.NewPrincipal()
if err != nil {
return nil, verror.New(errFailedToCreatePrincipal, nil, err)
}
- withBlessings, err := security.NewBlessings(wireBlessings)
- if err != nil {
- return nil, verror.New(errFailedToConstructBlessings, nil, err)
- }
-
if len(caveats) == 0 {
caveats = append(caveats, security.UnconstrainedUse())
}
diff --git a/services/wsprd/principal/principal_test.go b/services/wsprd/principal/principal_test.go
index 328e14f..3863f7f 100644
--- a/services/wsprd/principal/principal_test.go
+++ b/services/wsprd/principal/principal_test.go
@@ -67,21 +67,15 @@
return err
}
- if encoder.Encode(security.MarshalBlessings(bOrigin)); err != nil {
+ if encoder.Encode(bOrigin); err != nil {
return err
}
- var wire security.WireBlessings
decoder, err := vom.NewDecoder(buf)
-
if err != nil {
return err
}
-
- if err := decoder.Decode(&wire); err != nil {
- return err
- }
- decoded, err := security.NewBlessings(wire)
- if err != nil {
+ var decoded security.Blessings
+ if err := decoder.Decode(&decoded); err != nil {
return err
}
if !reflect.DeepEqual(decoded, bOrigin) {
diff --git a/tools/application/impl.go b/tools/application/impl.go
index 7c16597..5100c5b 100644
--- a/tools/application/impl.go
+++ b/tools/application/impl.go
@@ -8,15 +8,71 @@
"io/ioutil"
"os"
"os/exec"
+ "reflect"
"strings"
"time"
"v.io/core/veyron/services/mgmt/repository"
"v.io/v23/context"
+ "v.io/v23/security"
"v.io/v23/services/mgmt/application"
+ "v.io/v23/vom"
"v.io/x/lib/cmdline"
)
+// TODO(ashankar): application.Envelope is no longer JSON friendly
+// (after https://vanadium-review.googlesource.com/#/c/6300/).
+//
+// This mirrored structure is required in order to work around that
+// problem. Figure out what we want to do.
+type appenv struct {
+ Title string
+ Args []string
+ Binary application.SignedFile
+ Publisher security.WireBlessings
+ Env []string
+ Packages application.Packages
+}
+
+func (a *appenv) Load(env application.Envelope) {
+ a.Title = env.Title
+ a.Args = env.Args
+ a.Binary = env.Binary
+ a.Publisher = security.MarshalBlessings(env.Publisher)
+ a.Env = env.Env
+ a.Packages = env.Packages
+}
+
+func (a *appenv) Store() (application.Envelope, error) {
+ // Have to roundtrip through vom to convert from WireBlessings to Blessings.
+ // This may seem silly, but this whole appenv type is silly too :).
+ // Figure out how to get rid of it.
+ bytes, err := vom.Encode(a.Publisher)
+ if err != nil {
+ return application.Envelope{}, err
+ }
+ var publisher security.Blessings
+ if err := vom.Decode(bytes, &publisher); err != nil {
+ return application.Envelope{}, err
+ }
+ return application.Envelope{
+ Title: a.Title,
+ Args: a.Args,
+ Binary: a.Binary,
+ Publisher: publisher,
+ Env: a.Env,
+ Packages: a.Packages,
+ }, nil
+}
+
+func init() {
+ // Ensure that no fields have been added to application.Envelope,
+ // because if so, then appenv needs to change.
+ if n := reflect.TypeOf(application.Envelope{}).NumField(); n != 6 {
+ panic(fmt.Sprintf("It appears that fields have been added to or removed from application.Envelope before the hack in this file around json-encodeability was removed. Please also update appenv, appenv.Load and appenv.Store in this file"))
+ }
+}
+
func getEnvelopeJSON(app repository.ApplicationClientMethods, profiles string) ([]byte, error) {
ctx, cancel := context.WithTimeout(gctx, time.Minute)
defer cancel()
@@ -24,7 +80,9 @@
if err != nil {
return nil, err
}
- j, err := json.MarshalIndent(env, "", " ")
+ var appenv appenv
+ appenv.Load(env)
+ j, err := json.MarshalIndent(appenv, "", " ")
if err != nil {
return nil, fmt.Errorf("MarshalIndent(%v) failed: %v", env, err)
}
@@ -32,10 +90,14 @@
}
func putEnvelopeJSON(app repository.ApplicationClientMethods, profiles string, j []byte) error {
- var env application.Envelope
- if err := json.Unmarshal(j, &env); err != nil {
+ var appenv appenv
+ if err := json.Unmarshal(j, &appenv); err != nil {
return fmt.Errorf("Unmarshal(%v) failed: %v", string(j), err)
}
+ env, err := appenv.Store()
+ if err != nil {
+ return err
+ }
ctx, cancel := context.WithTimeout(gctx, time.Minute)
defer cancel()
if err := app.Put(ctx, strings.Split(profiles, ","), env); err != nil {
diff --git a/tools/mgmt/device/impl/local_install_test.go b/tools/mgmt/device/impl/local_install_test.go
index e713fae..4889e62 100644
--- a/tools/mgmt/device/impl/local_install_test.go
+++ b/tools/mgmt/device/impl/local_install_test.go
@@ -84,7 +84,7 @@
stderr.Reset()
}
emptySig := security.Signature{}
- emptyBlessings := security.WireBlessings{}
+ emptyBlessings := security.Blessings{}
cfg := device.Config{"someflag": "somevalue"}
testPackagesDir, err := ioutil.TempDir("", "testdir")
diff --git a/tools/principal/bless.go b/tools/principal/bless.go
index 4ef0f0b..64df2a9 100644
--- a/tools/principal/bless.go
+++ b/tools/principal/bless.go
@@ -30,18 +30,13 @@
ctx, cancel := context.WithTimeout(ctx, time.Minute)
defer cancel()
- var reply security.WireBlessings
// Authorize the server by its public key (obtained from macaroonChan).
// Must skip authorization during name resolution because the identity
// service is not a trusted root yet.
- reply, err = identity.MacaroonBlesserClient(service).Bless(ctx, macaroon, options.SkipResolveAuthorization{}, options.ServerPublicKey{rootKey})
+ blessings, err := identity.MacaroonBlesserClient(service).Bless(ctx, macaroon, options.SkipResolveAuthorization{}, options.ServerPublicKey{rootKey})
if err != nil {
return security.Blessings{}, fmt.Errorf("failed to get blessing from %q: %v", service, err)
}
- blessings, err := security.NewBlessings(reply)
- if err != nil {
- return security.Blessings{}, fmt.Errorf("failed to construct Blessings object from response: %v", err)
- }
return blessings, nil
}
diff --git a/tools/principal/main.go b/tools/principal/main.go
index 61561a4..f28f783 100644
--- a/tools/principal/main.go
+++ b/tools/principal/main.go
@@ -99,7 +99,10 @@
if err != nil {
return fmt.Errorf("failed to decode provided blessings: %v", err)
}
- wire := security.MarshalBlessings(blessings)
+ wire, err := blessings2wire(blessings)
+ if err != nil {
+ return fmt.Errorf("failed to decode certificate chains: %v", err)
+ }
fmt.Printf("Blessings : %v\n", blessings)
fmt.Printf("PublicKey : %v\n", blessings.PublicKey())
fmt.Printf("Certificate chains : %d\n", len(wire.CertificateChains))
@@ -744,18 +747,16 @@
}
func decodeBlessings(fname string) (security.Blessings, error) {
- var wire security.WireBlessings
- if err := decode(fname, &wire); err != nil {
- return security.Blessings{}, err
- }
- return security.NewBlessings(wire)
+ var b security.Blessings
+ err := decode(fname, &b)
+ return b, err
}
func dumpBlessings(blessings security.Blessings) error {
if blessings.IsZero() {
return fmt.Errorf("no blessings found")
}
- str, err := base64VomEncode(security.MarshalBlessings(blessings))
+ str, err := base64VomEncode(blessings)
if err != nil {
return fmt.Errorf("base64-VOM encoding failed: %v", err)
}
@@ -937,3 +938,16 @@
}
return caveats, nil
}
+
+// Circuitous route to get to the certificate chains.
+// See comments on why security.MarshalBlessings is discouraged.
+// Though, a better alternative is worth looking into.
+func blessings2wire(b security.Blessings) (security.WireBlessings, error) {
+ var wire security.WireBlessings
+ data, err := vom.Encode(b)
+ if err != nil {
+ return wire, err
+ }
+ err = vom.Decode(data, &wire)
+ return wire, err
+}