veyron/services/identity: Remove support for the old security model.
And with it, also remove the "identity" tool.
Change-Id: I85a390c1af0f3874be68dfb7e46fb6fdc8ceb567
diff --git a/tools/identity/bless.go b/tools/identity/bless.go
deleted file mode 100644
index 05d5546..0000000
--- a/tools/identity/bless.go
+++ /dev/null
@@ -1,134 +0,0 @@
-package main
-
-import (
- "crypto/rand"
- "encoding/base64"
- "fmt"
- "html/template"
- "net"
- "net/http"
- "net/url"
- "os"
- "os/exec"
- "strings"
-
- "veyron.io/veyron/veyron/services/identity/googleoauth"
- "veyron.io/veyron/veyron2/vlog"
-)
-
-func getMacaroonForBlessRPC(blessServerURL string, blessedChan <-chan string) (<-chan string, error) {
- // Setup a HTTP server to recieve a blessing macaroon from the identity server.
- // Steps:
- // 1. Generate a state token to be included in the HTTP request
- // (though, arguably, the random port assigment for the HTTP server is enough
- // for XSRF protection)
- // 2. Setup a HTTP server which will receive the final blessing macaroon from the id server.
- // 3. Print out the link (to start the auth flow) for the user to click.
- // 4. Return the macaroon and the rpc object name(where to make the MacaroonBlesser.Bless RPC call)
- // in the "result" channel.
- var stateBuf [32]byte
- if _, err := rand.Read(stateBuf[:]); err != nil {
- return nil, fmt.Errorf("failed to generate state token for OAuth: %v", err)
- }
- state := base64.URLEncoding.EncodeToString(stateBuf[:])
-
- ln, err := net.Listen("tcp", "127.0.0.1:0")
- if err != nil {
- return nil, fmt.Errorf("failed to setup authorization code interception server: %v", err)
- }
- result := make(chan string)
-
- redirectURL := fmt.Sprintf("http://%s/macaroon", ln.Addr())
- http.HandleFunc("/macaroon", func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "text/html")
- tmplArgs := struct {
- Blessing, ErrShort, ErrLong string
- }{}
- defer func() {
- if len(tmplArgs.ErrShort) > 0 {
- w.WriteHeader(http.StatusBadRequest)
- }
- if err := tmpl.Execute(w, tmplArgs); err != nil {
- vlog.Info("Failed to render template:", err)
- }
- }()
-
- toolState := r.FormValue("state")
- if toolState != state {
- tmplArgs.ErrShort = "Unexpected request"
- tmplArgs.ErrLong = "Mismatched state parameter. Possible cross-site-request-forging?"
- return
- }
- result <- r.FormValue("macaroon")
- result <- r.FormValue("object_name")
- defer close(result)
- blessed, ok := <-blessedChan
- if !ok {
- tmplArgs.ErrShort = "No blessing received"
- tmplArgs.ErrLong = "Unable to obtain blessing from the Veyron service"
- return
- }
- tmplArgs.Blessing = blessed
- ln.Close()
- })
- go http.Serve(ln, nil)
-
- // Print the link to start the flow.
- url, err := seekBlessingURL(blessServerURL, redirectURL, state)
- if err != nil {
- return nil, fmt.Errorf("failed to create seekBlessingURL: %s", err)
- }
- fmt.Fprintln(os.Stderr, "Please visit the following URL to complete the blessing creation:")
- fmt.Fprintln(os.Stderr, url)
- // Make an attempt to start the browser as a convenience.
- // If it fails, doesn't matter - the client can see the URL printed above.
- // Use exec.Command().Start instead of exec.Command().Run since there is no
- // need to wait for the command to return (and indeed on some window managers,
- // the command will not exit until the browser is closed).
- exec.Command(openCommand, url).Start()
- return result, nil
-}
-
-func seekBlessingURL(blessServerURL, redirectURL, state string) (string, error) {
- baseURL, err := url.Parse(joinURL(blessServerURL, googleoauth.SeekBlessingsRoute))
- if err != nil {
- return "", fmt.Errorf("failed to parse url: %v", err)
- }
- params := url.Values{}
- params.Add("redirect_url", redirectURL)
- params.Add("state", state)
- baseURL.RawQuery = params.Encode()
- return baseURL.String(), nil
-}
-
-func joinURL(baseURL, suffix string) string {
- if !strings.HasSuffix(baseURL, "/") {
- baseURL += "/"
- }
- return baseURL + suffix
-}
-
-var tmpl = template.Must(template.New("name").Parse(`<!doctype html>
-<html>
-<head>
-<meta charset="UTF-8">
-<title>Veyron Identity: Google</title>
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css">
-{{if .Blessing}}
-<!--Attempt to close the window. Though this script does not work on many browser configurations-->
-<script type="text/javascript">window.close();</script>
-{{end}}
-</head>
-<body>
-<div class="container">
-{{if .ErrShort}}
-<h1><span class="label label-danger">error</span>{{.ErrShort}}</h1>
-<div class="well">{{.ErrLong}}</div>
-{{else}}
-<h3>Received blessing: <tt>{{.Blessing}}</tt></h3>
-<div class="well">If the name is prefixed with "unknown/", ignore that. You can close this window, the command line tool has retrieved the blessing</div>
-{{end}}
-</div>
-</body>
-</html>`))
diff --git a/tools/identity/doc.go b/tools/identity/doc.go
deleted file mode 100644
index ed0b8e2..0000000
--- a/tools/identity/doc.go
+++ /dev/null
@@ -1,119 +0,0 @@
-// This file was auto-generated via go generate.
-// DO NOT UPDATE MANUALLY
-
-/*
-The identity tool helps create and manage keys and blessings that are used for
-identification in veyron.
-
-Usage:
- identity <command>
-
-The identity commands are:
- print Print out information about the provided identity
- generate Generate an identity with a newly minted private key
- bless Bless another identity with your own
- seekblessing Seek a blessing from the default veyron identity provider
- help Display help for commands or topics
-Run "identity help [command]" for command usage.
-
-The global flags are:
- -alsologtostderr=true: log to standard error as well as files
- -log_backtrace_at=:0: when logging hits line file:N, emit a stack trace
- -log_dir=: if non-empty, write log files to this directory
- -logtostderr=false: log to standard error instead of files
- -max_stack_buf_size=4292608: max size in bytes of the buffer to use for logging stack traces
- -stderrthreshold=2: logs at or above this threshold go to stderr
- -v=0: log level for V logs
- -vmodule=: comma-separated list of pattern=N settings for file-filtered logging
- -vv=0: log level for V logs
-
-Identity Print
-
-Print dumps out information about the identity encoded in the provided file,
-or if no filename is provided, then the identity that would be used by binaries
-started in the same environment.
-
-Usage:
- identity print [<file>]
-
-<file> is the path to a file containing a base64-encoded, VOM encoded identity,
-typically obtained from this tool. - is used for STDIN and an empty string
-implies the identity encoded in the environment.
-
-Identity Generate
-
-Generate a new private key and create an identity that binds <name> to
-this key.
-
-Since the generated identity has a newly minted key, it will be typically
-unusable at other veyron services as those services have placed no trust
-in this key. In such cases, you likely want to seek a blessing for this
-generated identity using the 'bless' command.
-
-Usage:
- identity generate [<name>]
-
-<name> is the name to bind the newly minted private key to. If not specified,
-a name will be generated based on the hostname of the machine and the name of
-the user running this command.
-
-Identity Bless
-
-Bless uses the identity of the tool (either from an environment variable or
-explicitly specified using --with) to bless another identity encoded in a
-file (or STDIN). No caveats are applied to this blessing other than expiration,
-which is specified with --for.
-
-The output consists of a base64-vom encoded security.PrivateID or security.PublicID,
-depending on what was provided as input.
-
-For example, if the tool has an identity veyron/user/device, then
-bless /tmp/blessee batman
-will generate a blessing with the name veyron/user/device/batman
-
-The identity of the tool can be specified with the --with flag:
-bless --with /tmp/id /tmp/blessee batman
-
-Usage:
- identity bless [flags] <file> <name>
-
-<file> is the name of the file containing a base64-vom encoded security.PublicID
-or security.PrivateID
-
-<name> is the name to use for the blessing.
-
-The bless flags are:
- -for=8760h0m0s: Expiry time of blessing (defaults to 1 year)
- -with=: Path to file containing identity to bless with (or - for STDIN)
-
-Identity Seekblessing
-
-Seeks a blessing from a default, hardcoded Veyron identity provider which
-requires the caller to first authenticate with Google using OAuth. Simply
-run the command to see what happens.
-
-The blessing is sought for the identity that this tool is using. An alternative
-can be provided with the --for flag.
-
-Usage:
- identity seekblessing [flags]
-
-The seekblessing flags are:
- -for=: Path to file containing identity to bless (or - for STDIN)
- -from=https://proxy.envyor.com:8125/google: URL to use to begin the seek blessings process
-
-Identity Help
-
-Help with no args displays the usage of the parent command.
-Help with args displays the usage of the specified sub-command or help topic.
-"help ..." recursively displays help for all commands and topics.
-
-Usage:
- identity help [flags] [command/topic ...]
-
-[command/topic ...] optionally identifies a specific sub-command or help topic.
-
-The help flags are:
- -style=text: The formatting style for help output, either "text" or "godoc".
-*/
-package main
diff --git a/tools/identity/main.go b/tools/identity/main.go
deleted file mode 100644
index eae874c..0000000
--- a/tools/identity/main.go
+++ /dev/null
@@ -1,320 +0,0 @@
-// The following enables go generate to generate the doc.go file.
-// Things to look out for:
-// 1) go:generate evaluates double-quoted strings into a single argument.
-// 2) go:generate performs $NAME expansion, so the bash cmd can't contain '$'.
-// 3) We generate into a *.tmp file first, otherwise "go run" will pick up the
-// initially empty *.go file, and fail.
-// 4) Since "go run" ignores build directives, we must manually filter out
-// main_*.go for different platforms.
-//
-//go:generate bash -c "{ echo -e '// This file was auto-generated via go generate.\n// DO NOT UPDATE MANUALLY\n\n/*' && veyron go run `echo *.go | tr ' ' '\n' | grep -v main_darwin.go` help -style=godoc ... && echo -e '*/\npackage main'; } > ./doc.go.tmp && mv ./doc.go.tmp ./doc.go"
-
-package main
-
-import (
- "bytes"
- "fmt"
- "io"
- "os"
- "os/user"
- "time"
-
- "veyron.io/veyron/veyron2/options"
- "veyron.io/veyron/veyron2/rt"
- "veyron.io/veyron/veyron2/security"
- "veyron.io/veyron/veyron2/vdl/vdlutil"
- "veyron.io/veyron/veyron2/vlog"
-
- "veyron.io/veyron/veyron/lib/cmdline"
- _ "veyron.io/veyron/veyron/profiles"
- "veyron.io/veyron/veyron/services/identity"
- "veyron.io/veyron/veyron/services/identity/util"
-)
-
-var (
- // Flags for the "bless" command
- flagBlessWith string
- flagBlessFor time.Duration
-
- // Flags for the "seekblessing" command
- flagSeekBlessingFor string
- flagSeekBlessingOAuthClientID string
- flagSeekBlessingFrom string
-
- cmdPrint = &cmdline.Command{
- Name: "print",
- Short: "Print out information about the provided identity",
- Long: `
-Print dumps out information about the identity encoded in the provided file,
-or if no filename is provided, then the identity that would be used by binaries
-started in the same environment.
-`,
- ArgsName: "[<file>]",
- ArgsLong: `
-<file> is the path to a file containing a base64-encoded, VOM encoded identity,
-typically obtained from this tool. - is used for STDIN and an empty string
-implies the identity encoded in the environment.
-`,
- Run: func(cmd *cmdline.Command, args []string) error {
- if len(args) > 1 {
- return fmt.Errorf("require at most one argument, <file>, provided %d", len(args))
- }
- id := rt.R().Identity()
- if len(args) == 1 {
- if err := decode(args[0], &id); err != nil {
- return err
- }
- }
- fmt.Println("Name : ", id.PublicID())
- fmt.Printf("Go Type : %T\n", id)
- fmt.Printf("PublicKey: %v\n", id.PublicID().PublicKey())
- fmt.Println("Any caveats in the identity are not printed")
- return nil
- },
- }
-
- cmdGenerate = &cmdline.Command{
- Name: "generate",
- Short: "Generate an identity with a newly minted private key",
- Long: `
-Generate a new private key and create an identity that binds <name> to
-this key.
-
-Since the generated identity has a newly minted key, it will be typically
-unusable at other veyron services as those services have placed no trust
-in this key. In such cases, you likely want to seek a blessing for this
-generated identity using the 'bless' command.
-`,
- ArgsName: "[<name>]",
- ArgsLong: `
-<name> is the name to bind the newly minted private key to. If not specified,
-a name will be generated based on the hostname of the machine and the name of
-the user running this command.
-`,
- Run: func(cmd *cmdline.Command, args []string) error {
- r := rt.R()
- var name string
- switch len(args) {
- case 0:
- name = defaultIdentityName()
- case 1:
- name = args[0]
- default:
- return fmt.Errorf("require at most one argument, provided %d", len(args))
- }
- id, err := r.NewIdentity(name)
- if err != nil {
- return fmt.Errorf("NewIdentity(%q) failed: %v", name, err)
- }
- output, err := util.Base64VomEncode(id)
- if err != nil {
- return fmt.Errorf("failed to encode identity: %v", err)
- }
- fmt.Println(output)
- return nil
- },
- }
-
- cmdBless = &cmdline.Command{
- Name: "bless",
- Short: "Bless another identity with your own",
- Long: `
-Bless uses the identity of the tool (either from an environment variable or
-explicitly specified using --with) to bless another identity encoded in a
-file (or STDIN). No caveats are applied to this blessing other than expiration,
-which is specified with --for.
-
-The output consists of a base64-vom encoded security.PrivateID or security.PublicID,
-depending on what was provided as input.
-
-For example, if the tool has an identity veyron/user/device, then
-bless /tmp/blessee batman
-will generate a blessing with the name veyron/user/device/batman
-
-The identity of the tool can be specified with the --with flag:
-bless --with /tmp/id /tmp/blessee batman
-`,
- ArgsName: "<file> <name>",
- ArgsLong: `
-<file> is the name of the file containing a base64-vom encoded security.PublicID
-or security.PrivateID
-
-<name> is the name to use for the blessing.
-`,
- Run: func(cmd *cmdline.Command, args []string) error {
- if len(args) != 2 {
- return fmt.Errorf("expected exactly two arguments (<file> and <name>), got %d", len(args))
- }
- blesser := rt.R().Identity()
- if len(flagBlessWith) > 0 {
- if err := decode(flagBlessWith, &blesser); err != nil {
- return err
- }
- }
- name := args[1]
- var blessee security.PublicID
- var private security.PrivateID
- encoded, err := read(args[0])
- if err != nil {
- return err
- }
- if util.Base64VomDecode(encoded, &blessee); err != nil || blessee == nil {
- if err := util.Base64VomDecode(encoded, &private); err != nil || private == nil {
- return fmt.Errorf("failed to extract security.PublicID or security.PrivateID: (%v, %v)", private, err)
- }
- blessee = private.PublicID()
- }
- blessed, err := blesser.Bless(blessee, name, flagBlessFor, nil)
- if err != nil {
- return err
- }
- var object interface{} = blessed
- if private != nil {
- object, err = private.Derive(blessed)
- if err != nil {
- return err
- }
- }
- output, err := util.Base64VomEncode(object)
- if err != nil {
- return err
- }
- fmt.Println(output)
- return nil
- },
- }
-
- cmdSeekBlessing = &cmdline.Command{
- Name: "seekblessing",
- Short: "Seek a blessing from the default veyron identity provider",
- Long: `
-Seeks a blessing from a default, hardcoded Veyron identity provider which
-requires the caller to first authenticate with Google using OAuth. Simply
-run the command to see what happens.
-
-The blessing is sought for the identity that this tool is using. An alternative
-can be provided with the --for flag.
-`,
- Run: func(cmd *cmdline.Command, args []string) error {
- r := rt.R()
- id := r.Identity()
-
- if len(flagSeekBlessingFor) > 0 {
- if err := decode(flagSeekBlessingFor, &id); err != nil {
- return err
- }
- var err error
- if r, err = rt.New(options.RuntimeID{id}); err != nil {
- return err
- }
- }
-
- blessedChan := make(chan string)
- defer close(blessedChan)
- macaroonChan, err := getMacaroonForBlessRPC(flagSeekBlessingFrom, blessedChan)
- if err != nil {
- return fmt.Errorf("failed to get authorization code from Google: %v", err)
- }
- macaroon := <-macaroonChan
- service := <-macaroonChan
-
- ctx, cancel := r.NewContext().WithTimeout(time.Minute)
- defer cancel()
-
- wait := time.Second
- const maxWait = 20 * time.Second
- var reply vdlutil.Any
- for {
- blesser, err := identity.BindMacaroonBlesser(service, r.Client())
- if err == nil {
- reply, err = blesser.Bless(ctx, macaroon)
- }
- if err != nil {
- vlog.Infof("Failed to get blessing from %q: %v, will try again in %v", service, err, wait)
- time.Sleep(wait)
- if wait = wait + 2*time.Second; wait > maxWait {
- wait = maxWait
- }
- continue
- }
- blessed, ok := reply.(security.PublicID)
- if !ok {
- return fmt.Errorf("received %T, want security.PublicID", reply)
- }
- if id, err = id.Derive(blessed); err != nil {
- return fmt.Errorf("received incompatible blessing from %q: %v", service, err)
- }
- output, err := util.Base64VomEncode(id)
- if err != nil {
- return fmt.Errorf("failed to encode blessing: %v", err)
- }
- fmt.Println(output)
- blessedChan <- fmt.Sprint(blessed)
- // Wait for getTokenForBlessRPC to clean up:
- <-macaroonChan
- return nil
- }
- },
- }
-)
-
-func main() {
- rt.Init()
- cmdBless.Flags.StringVar(&flagBlessWith, "with", "", "Path to file containing identity to bless with (or - for STDIN)")
- cmdBless.Flags.DurationVar(&flagBlessFor, "for", 365*24*time.Hour, "Expiry time of blessing (defaults to 1 year)")
- cmdSeekBlessing.Flags.StringVar(&flagSeekBlessingFor, "for", "", "Path to file containing identity to bless (or - for STDIN)")
- cmdSeekBlessing.Flags.StringVar(&flagSeekBlessingFrom, "from", "https://proxy.envyor.com:8125/google", "URL to use to begin the seek blessings process")
-
- (&cmdline.Command{
- Name: "identity",
- Short: "Create and manage veyron identities",
- Long: `
-The identity tool helps create and manage keys and blessings that are used for
-identification in veyron.
-`,
- Children: []*cmdline.Command{cmdPrint, cmdGenerate, cmdBless, cmdSeekBlessing},
- }).Main()
-}
-
-func read(fname string) (string, error) {
- if len(fname) == 0 {
- return "", nil
- }
- f := os.Stdin
- if fname != "-" {
- var err error
- if f, err = os.Open(fname); err != nil {
- return "", fmt.Errorf("failed to open %q: %v", fname, err)
- }
- }
- defer f.Close()
- var buf bytes.Buffer
- if _, err := io.Copy(&buf, f); err != nil {
- return "", fmt.Errorf("failed to read %q: %v", fname, err)
- }
- return buf.String(), nil
-}
-
-func decode(fname string, val interface{}) error {
- str, err := read(fname)
- if err != nil {
- return err
- }
- if err := util.Base64VomDecode(str, val); err != nil || val == nil {
- return fmt.Errorf("failed to decode %q: %v", fname, err)
- }
- return nil
-}
-
-func defaultIdentityName() string {
- var name string
- if user, _ := user.Current(); user != nil && len(user.Username) > 0 {
- name = user.Username
- } else {
- name = "anonymous"
- }
- if host, _ := os.Hostname(); len(host) > 0 {
- name = name + "@" + host
- }
- return name
-}
diff --git a/tools/identity/main_darwin.go b/tools/identity/main_darwin.go
deleted file mode 100644
index bceafd2..0000000
--- a/tools/identity/main_darwin.go
+++ /dev/null
@@ -1,5 +0,0 @@
-// +build darwin
-
-package main
-
-const openCommand = "open"
diff --git a/tools/identity/main_linux.go b/tools/identity/main_linux.go
deleted file mode 100644
index cb73c65..0000000
--- a/tools/identity/main_linux.go
+++ /dev/null
@@ -1,5 +0,0 @@
-// +build linux
-
-package main
-
-const openCommand = "xdg-open"
diff --git a/tools/identity/main_nacl.go b/tools/identity/main_nacl.go
deleted file mode 100644
index 2de5f27..0000000
--- a/tools/identity/main_nacl.go
+++ /dev/null
@@ -1,3 +0,0 @@
-package main
-
-const openCommand = "not-implemented"
diff --git a/tools/identity/test.sh b/tools/identity/test.sh
deleted file mode 100755
index 53a8263..0000000
--- a/tools/identity/test.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/bash
-
-# Test the identity command-line tool.
-#
-# This tests most operations of the identity command-line tool.
-# Not the "seekblessing" command yet, since that requires
-# starting a separate server.
-
-source "${VEYRON_ROOT}/scripts/lib/shell_test.sh"
-
-readonly WORKDIR="${shell_test_WORK_DIR}"
-
-build() {
- IDENTITY_BIN="$(shell_test::build_go_binary 'veyron.io/veyron/veyron/tools/identity')"
-}
-
-main() {
- local GOT
- local WANT
-
- cd "${WORKDIR}"
- build
-
- "${IDENTITY_BIN}" print >/dev/null || shell_test::fail "line ${LINENO}: print failed"
- "${IDENTITY_BIN}" generate >/dev/null || shell_test::fail "line ${LINENO}: generate failed"
- "${IDENTITY_BIN}" generate root >root || shell_test::fail "line ${LINENO}: generate root failed"
-
- export VEYRON_IDENTITY="root"
-
- # Generate an identity and get it blessed by root using "identity bless"
- GOT=$("${IDENTITY_BIN}" generate ignoreme | "${IDENTITY_BIN}" bless - child | "${IDENTITY_BIN}" print - | awk '/Name/ {print $3}') \
- || shell_test::fail "line ${LINENO}: failed to run identity"
- WANT="root/child"
- shell_test::assert_eq "${GOT}" "${WANT}" "${LINENO}"
-
- # Generate an identity and get it blessed by root using "identity bless --with"
- "${IDENTITY_BIN}" generate other >other || shell_test::fail
- GOT=$("${IDENTITY_BIN}" generate ignoreme | "${IDENTITY_BIN}" bless --with=other - child | "${IDENTITY_BIN}" print - | awk '/Name/ {print $3}') \
- || shell_test::fail "line ${LINENO}: failed to run identity"
- WANT="unknown/other/child"
- shell_test::assert_eq "${GOT}" "${WANT}" "${LINENO}"
-
- # Test that previously generated identities can be interpreted
- # (i.e., any changes to the Certificate or Signature scheme are backward compatible).
- # To regenerate testdata:
- # identity generate "root" >testdata/root.id
- # identity generate "other" | VEYRON_IDENTITY=testdata/root.id identity bless - "blessed" >testdata/blessed.id
- local -r TESTDATA_DIR="${VEYRON_ROOT}/veyron/go/src/veyron.io/veyron/veyron/tools/identity/testdata"
- GOT=$(VEYRON_IDENTITY="${TESTDATA_DIR}/root.id" "${IDENTITY_BIN}" print | awk '/Name/ {print $3}') \
- || shell_test::fail "line ${LINENO}: failed to run identity"
- WANT="root"
- shell_test::assert_eq "${GOT}" "${WANT}" "${LINENO}"
-
- GOT=$(VEYRON_IDENTITY="${TESTDATA_DIR}/root.id" "${IDENTITY_BIN}" print "${TESTDATA_DIR}/blessed.id" | awk '/Name/ {print $3}') \
- || shell_test::fail "line ${LINENO}: failed to run identity"
- WANT="root/blessed"
- shell_test::assert_eq "${GOT}" "${WANT}" "${LINENO}"
-
- shell_test::pass
-}
-
-main "$@"
diff --git a/tools/identity/testdata/blessed.id b/tools/identity/testdata/blessed.id
deleted file mode 100644
index e37f92c..0000000
--- a/tools/identity/testdata/blessed.id
+++ /dev/null
@@ -1 +0,0 @@
-_4EEGgFCAP-DNBoBQwEudmV5cm9uL3J1bnRpbWVzL2dvb2dsZS9zZWN1cml0eS5jaGFpblByaXZhdGVJRAD_hUIYAQIBRAEIUHVibGljSUQAAQQBBlNlY3JldAABJHZleXJvbjIvc2VjdXJpdHkvd2lyZS5DaGFpblByaXZhdGVJRAD_hzoYAQEBRQEMQ2VydGlmaWNhdGVzAAEjdmV5cm9uMi9zZWN1cml0eS93aXJlLkNoYWluUHVibGljSUQA_4kEEgFGAP-LWBgBBAEDAQROYW1lAAFHAQlQdWJsaWNLZXkAAUgBB0NhdmVhdHMAAUkBCVNpZ25hdHVyZQABIXZleXJvbjIvc2VjdXJpdHkvd2lyZS5DZXJ0aWZpY2F0ZQD_jTYYAQIBSgEFQ3VydmUAAQQBAlhZAAEfdmV5cm9uMi9zZWN1cml0eS93aXJlLlB1YmxpY0tleQD_kyQQATIBHnZleXJvbjIvc2VjdXJpdHkvd2lyZS5LZXlDdXJ2ZQD_jwQSAUsA_5U4GAECAUwBB1NlcnZpY2UAAQQBBUJ5dGVzAAEcdmV5cm9uMi9zZWN1cml0eS93aXJlLkNhdmVhdAD_lyYQAQMBIHZleXJvbjIvc2VjdXJpdHkuQmxlc3NpbmdQYXR0ZXJuAP-RQRgBBAEEAQdQdXJwb3NlAAFNAQRIYXNoAAEEAQFSAAEEAQFTAAEadmV5cm9uMi9zZWN1cml0eS5TaWduYXR1cmUA_5kbEAEDARV2ZXlyb24yL3NlY3VyaXR5Lkhhc2gA_4L-AekBAwEBAgEEcm9vdAECQQR1ZDEzHjN7tLOdEM6Z2MqpkDhyZQRk5CcSKajBCznOMEXs5pZuk9XkdS6V3TPiXzfj6EOxSKZ1isDBr11IMOPDAAICBlNIQTI1NgEg1j2u99QNeGA15m6eI_hxuntQWdaysi-HS4NTfnMRZegBII7DHvLbX9tRjwSUzPCvqF_NFdw196t1mGqQdJ5E9kv1AAABB2JsZXNzZWQBAkEELeeHug1HT4I5FA8j0NdeBUm9hafcqhH9QM68PgbKTBe03M1wYWPHCc8McWoXSa3hlK-zClpWWiJGJXInXUhqiAABAQL_g_-BBBoBQgD_g0AYAQIBQwEJSXNzdWVUaW1lAAFDAQpFeHBpcnlUaW1lAAEddmV5cm9uL3NlY3VyaXR5L2NhdmVhdC5FeHBpcnkA_4UPEAEEAQl0aW1lLlRpbWUA_4IkAQEPAQAAAA7LqYJWEdyEcP5cAQ8BAAAADs2KtdYR3IRw_lwAAAECBlNIQTI1NgEgY9Nbw2giydxwd7MdhSvZifMIaIq70nCzxixK08v8IAIBIEvNvg76cd7EEkhj0Gjvnk5cEmBj6d8_cHf7jO-CyII1AAAAASD2pal-EypcX-8GsTuRKHLFw4B70UHrIxjGyw65Ai76bgA=
diff --git a/tools/identity/testdata/root.id b/tools/identity/testdata/root.id
deleted file mode 100644
index 237e17c..0000000
--- a/tools/identity/testdata/root.id
+++ /dev/null
@@ -1 +0,0 @@
-_4EEGgFCAP-DNBoBQwEudmV5cm9uL3J1bnRpbWVzL2dvb2dsZS9zZWN1cml0eS5jaGFpblByaXZhdGVJRAD_hUIYAQIBRAEIUHVibGljSUQAAQQBBlNlY3JldAABJHZleXJvbjIvc2VjdXJpdHkvd2lyZS5DaGFpblByaXZhdGVJRAD_hzoYAQEBRQEMQ2VydGlmaWNhdGVzAAEjdmV5cm9uMi9zZWN1cml0eS93aXJlLkNoYWluUHVibGljSUQA_4kEEgFGAP-LWBgBBAEDAQROYW1lAAFHAQlQdWJsaWNLZXkAAUgBB0NhdmVhdHMAAUkBCVNpZ25hdHVyZQABIXZleXJvbjIvc2VjdXJpdHkvd2lyZS5DZXJ0aWZpY2F0ZQD_jTYYAQIBSgEFQ3VydmUAAQQBAlhZAAEfdmV5cm9uMi9zZWN1cml0eS93aXJlLlB1YmxpY0tleQD_kyQQATIBHnZleXJvbjIvc2VjdXJpdHkvd2lyZS5LZXlDdXJ2ZQD_jwQSAUsA_5U4GAECAUwBB1NlcnZpY2UAAQQBBUJ5dGVzAAEcdmV5cm9uMi9zZWN1cml0eS93aXJlLkNhdmVhdAD_lyYQAQMBIHZleXJvbjIvc2VjdXJpdHkuQmxlc3NpbmdQYXR0ZXJuAP-RQRgBBAEEAQdQdXJwb3NlAAFNAQRIYXNoAAEEAQFSAAEEAQFTAAEadmV5cm9uMi9zZWN1cml0eS5TaWduYXR1cmUA_5kbEAEDARV2ZXlyb24yL3NlY3VyaXR5Lkhhc2gA_4L_wwEDAQEBAQRyb290AQJBBHVkMTMeM3u0s50QzpnYyqmQOHJlBGTkJxIpqMELOc4wRezmlm6T1eR1LpXdM-JfN-PoQ7FIpnWKwMGvXUgw48MAAgIGU0hBMjU2ASDWPa731A14YDXmbp4j-HG6e1BZ1rKyL4dLg1N-cxFl6AEgjsMe8ttf21GPBJTM8K-oX80V3DX3q3WYapB0nkT2S_UAAAABIIBtNdBzbjSsLeHz96Cq1Dl1DmrsEESSQHJ5hSF5plXKAA==
diff --git a/tools/principal/main.go b/tools/principal/main.go
index d2bebca..bfdd4aa 100644
--- a/tools/principal/main.go
+++ b/tools/principal/main.go
@@ -2,6 +2,7 @@
import (
"bytes"
+ "encoding/base64"
"errors"
"fmt"
"io"
@@ -12,13 +13,12 @@
"veyron.io/veyron/veyron2"
"veyron.io/veyron/veyron2/rt"
"veyron.io/veyron/veyron2/security"
- "veyron.io/veyron/veyron2/vdl/vdlutil"
+ "veyron.io/veyron/veyron2/vom"
"veyron.io/veyron/veyron/lib/cmdline"
_ "veyron.io/veyron/veyron/profiles"
vsecurity "veyron.io/veyron/veyron/security"
"veyron.io/veyron/veyron/services/identity"
- "veyron.io/veyron/veyron/services/identity/util"
)
const VEYRON_CREDENTIALS = "VEYRON_CREDENTIALS"
@@ -442,7 +442,7 @@
ctx, cancel := r.NewContext().WithTimeout(time.Minute)
defer cancel()
- var reply vdlutil.Any
+ var reply security.WireBlessings
blesser, err := identity.BindMacaroonBlesser(service)
if err == nil {
reply, err = blesser.Bless(ctx, macaroon)
@@ -450,13 +450,9 @@
if err != nil {
return fmt.Errorf("failed to get blessing from %q: %v", service, err)
}
- wire, ok := reply.(security.WireBlessings)
- if !ok {
- return fmt.Errorf("received %T, want security.WireBlessings", reply)
- }
- blessings, err := security.NewBlessings(wire)
+ blessings, err := security.NewBlessings(reply)
if err != nil {
- return fmt.Errorf("failed to construct Blessings object from wire data: %v", err)
+ return fmt.Errorf("failed to construct Blessings object from response: %v", err)
}
blessedChan <- fmt.Sprint(blessings)
// Wait for getTokenForBlessRPC to clean up:
@@ -545,7 +541,7 @@
if blessings == nil {
return errors.New("no blessings found")
}
- str, err := util.Base64VomEncode(blessings)
+ str, err := base64VomEncode(blessings)
if err != nil {
return fmt.Errorf("base64-VOM encoding failed: %v", err)
}
@@ -577,7 +573,7 @@
if err != nil {
return err
}
- if err := util.Base64VomDecode(str, val); err != nil || val == nil {
+ if err := base64VomDecode(str, val); err != nil || val == nil {
return fmt.Errorf("failed to decode %q: %v", fname, err)
}
return nil
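Review bot: The `|| val == nil` clause on the renamed call `if err := base64VomDecode(str, val); err != nil || val == nil {` tests the pointer argument the caller passed in, not whether the decode populated anything, so it cannot catch an empty or malformed payload; `base64VomDecode` (added later in this diff) never assigns to its `i` parameter. If the intent is to reject a decode that left the target unset, that has to be checked by the caller on the concrete decoded value, the way the `if blessings == nil` check earlier in this file does it. The enclosing function starts outside this hunk, so the declared type of `val` is not visible here; if every call site passes a non-nil pointer, the clause is dead and `if err := base64VomDecode(str, val); err != nil {` would say what is actually checked.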
@@ -606,3 +602,25 @@
}
return fmt.Sprintf("%v", key)
}
+
+func base64VomEncode(i interface{}) (string, error) {
+ buf := &bytes.Buffer{}
+ closer := base64.NewEncoder(base64.URLEncoding, buf)
+ if err := vom.NewEncoder(closer).Encode(i); err != nil {
+ return "", err
+ }
+ // Must close the base64 encoder to flush out any partially written
+ // blocks.
+ if err := closer.Close(); err != nil {
+ return "", err
+ }
+ return buf.String(), nil
+}
+
+func base64VomDecode(s string, i interface{}) error {
+ b, err := base64.URLEncoding.DecodeString(s)
+ if err != nil {
+ return err
+ }
+ return vom.NewDecoder(bytes.NewBuffer(b)).Decode(i)
+}
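Review bot: The two new helpers `base64VomEncode` and `base64VomDecode` carry no doc comment, and `base64VomDecode` wraps the decoded bytes in `bytes.NewBuffer(b)` where the read-only `bytes.NewReader(b)` is the conventional source for a decoder: `return vom.NewDecoder(bytes.NewReader(b)).Decode(i)`. Suggested comments: `// base64VomEncode VOM-encodes i and returns it as a URL-safe base64 string.` and `// base64VomDecode reverses base64VomEncode, VOM-decoding the URL-safe base64 string s into i (presumably a pointer to the target type; confirm against vom.Decoder).` Note that the decoder accepts only the URL-safe alphabet; the deleted testdata blobs elsewhere in this diff use `_` and `-`, which is consistent with that choice, but any stored credential that was written with the standard alphabet would now fail to decode rather than round-trip, so it is worth confirming the replaced util package used `base64.URLEncoding` as well.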