services/security/roled/internal: Remove _role suffix from generated blessings
The blessings generated by roled when Extend=true include the _role
extension presented by the caller. This extension isn't useful in the
generated blessings. So, remove it in the most common case.
Change-Id: I213c9defcab9a8f0b400b7ed3490c0d5817e005a
diff --git a/services/security/roled/internal/role.go b/services/security/roled/internal/role.go
index 3941329..c3e8b24 100644
--- a/services/security/roled/internal/role.go
+++ b/services/security/roled/internal/role.go
@@ -5,6 +5,7 @@
package internal
import (
+ "strings"
"time"
"v.io/v23"
@@ -14,6 +15,8 @@
"v.io/v23/verror"
"v.io/x/lib/vlog"
+
+ isecurity "v.io/x/ref/services/security"
)
var (
@@ -71,6 +74,7 @@
}
var extensions []string
for _, b := range blessingNames {
+ b = strings.TrimSuffix(b, security.ChainSeparator+isecurity.RoleSuffix)
extensions = append(extensions, role+security.ChainSeparator+b)
}
return extensions
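Review bot: The added `strings.TrimSuffix` line in the loop can collapse two distinct caller blessing names into one extension: going by the test expectations, `root/users/user1` and `root/users/user1/_role` would both yield `root/roles/A/root/users/user1`. In that case `extensions` would carry a duplicate, and the generated blessing no longer records that the caller presented the `_role` form. Whether `blessingNames` can hold both forms is not visible here, since the function starts outside the hunk, so confirm it against the caller. If it can, skip repeats in the loop with a `seen := map[string]bool{}` guard, `if seen[b] { continue }` followed by `seen[b] = true`. The trim is also tail-only, so `root/users/user3/_role/foo` keeps its `_role` segment, as the unchanged test row shows; a comment such as `// Strip only a trailing /_role; names extended past _role are kept as presented.` would make that limit explicit for anyone writing authorization patterns against these names.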
diff --git a/services/security/roled/internal/role_test.go b/services/security/roled/internal/role_test.go
index 3ced6b1..583bd98 100644
--- a/services/security/roled/internal/role_test.go
+++ b/services/security/roled/internal/role_test.go
@@ -89,9 +89,9 @@
{user3, "unknown", verror.ErrNoAccess.ID, nil},
{user1, "A", verror.ErrNoAccess.ID, nil},
- {user1R, "A", noErr, []string{"root/roles/A/root/users/user1/_role"}},
+ {user1R, "A", noErr, []string{"root/roles/A/root/users/user1"}},
{user2, "A", verror.ErrNoAccess.ID, nil},
- {user2R, "A", noErr, []string{"root/roles/A/root/users/user2/_role"}},
+ {user2R, "A", noErr, []string{"root/roles/A/root/users/user2"}},
{user3, "A", verror.ErrNoAccess.ID, nil},
{user3R, "A", noErr, []string{"root/roles/A/root/users/user3/_role/bar", "root/roles/A/root/users/user3/_role/foo"}},