services/identity: Fix for the failing production services tests.
A recent change to the production setup causes identityd to issue
blessings of the form dev.v.io/root/... while some services like
applicationd and binaryd run with blessings of the form
dev.v.io/roles/... The root certificate in both cases (dev.v.io) has the
same public key.
The chrome extension and the prod-services-test bootstrap the set of
trusted roots via an HTTP GET to identityd. This GET does provide the
root certificate's public key, but pairs it with the blessing name of
identityd (dev.v.io/root) rather than the root's own name (dev.v.io). This
means the HTTP handler would not help others recognize the
dev.v.io/roles/... blessings.
For now, we change this handler to provide both the name and public key
of the root certificate.
Change-Id: I4e6868268fc110a5198d5b9f6621d99a0cf1b707
diff --git a/services/identity/internal/handlers/blessing_root.go b/services/identity/internal/handlers/blessing_root.go
index 9220b97..7a74b78 100644
--- a/services/identity/internal/handlers/blessing_root.go
+++ b/services/identity/internal/handlers/blessing_root.go
@@ -31,36 +31,17 @@
return
}
- // Get the blessing names of the local principal.
- var names []string
- for n, _ := range b.P.BlessingsInfo(b.P.BlessingStore().Default()) {
- names = append(names, n)
- }
- if len(names) == 0 {
- util.HTTPServerError(w, fmt.Errorf("Could not get default blessing name"))
- return
- }
-
- // TODO(nlacasse,ashankar,ataly): The following line is a HACK. It
- // marshals the public key of the *root* of the blessing chain, rather
- // than the public key of the principal itself.
+ // The identity service itself is blessed by a more protected key.
+ // Use the root certificate as the identity provider.
//
- // We do this because the identity server is expected to be
- // self-signed, and the javascript tests were breaking when the
- // identity server is run with a blessing like test/child.
- //
- // Once this issue is resolved, delete the following line and uncomment
- // the block below it.
- der, err := rootPublicKey(b.P.BlessingStore().Default())
+ // TODO(ashankar): This is making the assumption that the identity
+ // service has a single blessing, which may not be true in general.
+ // Revisit this.
+ name, der, err := rootCertificateDetails(b.P.BlessingStore().Default())
if err != nil {
util.HTTPServerError(w, err)
return
}
- //der, err := b.P.PublicKey().MarshalBinary()
- //if err != nil {
- // util.HTTPServerError(w, err)
- // return
- //}
str := base64.URLEncoding.EncodeToString(der)
// TODO(suharshs): Ideally this struct would be BlessingRootResponse but vdl does
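Review bot: The new comment above the `rootCertificateDetails` call should state what the response now asserts, since it is no longer the handler's own identity: `name` is the root certificate's Extension and `der` the root's key, so a client that installs the pair as a trusted root will recognize every blessing rooted at that key (per the commit message, dev.v.io/root/... and dev.v.io/roles/...), not just identityd's own blessing. Suggest replacing the first two comment lines with `// Publish the root certificate of our default blessing (its name and public key) rather than identityd's own name and key: clients install this pair as a trusted root, so it must cover every blessing rooted at that key (e.g. dev.v.io/root/... and dev.v.io/roles/...).` Because this endpoint bootstraps trust for callers (the commit message says it is fetched with an HTTP GET), the comment should also note that whoever answers this request decides which root clients trust, so it must only be reachable over an authenticated channel; I cannot tell from the hunk how it is served. The enclosing handler function begins before this hunk.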
@@ -70,7 +51,7 @@
Names []string `json:"names"`
PublicKey string `json:"publicKey"`
}{
- Names: names,
+ Names: []string{name},
PublicKey: str,
}
@@ -91,14 +72,15 @@
// Circuitious route to obtain the certificate chain because the use
// of security.MarshalBlessings is discouraged.
-func rootPublicKey(b security.Blessings) ([]byte, error) {
+func rootCertificateDetails(b security.Blessings) (string, []byte, error) {
data, err := vom.Encode(b)
if err != nil {
- return nil, fmt.Errorf("malformed Blessings: %v", err)
+ return "", nil, fmt.Errorf("malformed Blessings: %v", err)
}
var wire security.WireBlessings
if err := vom.Decode(data, &wire); err != nil {
- return nil, fmt.Errorf("malformed WireBlessings: %v", err)
+ return "", nil, fmt.Errorf("malformed WireBlessings: %v", err)
}
- return wire.CertificateChains[0][0].PublicKey, nil
+ cert := wire.CertificateChains[0][0]
+ return cert.Extension, cert.PublicKey, nil
}
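Review bot: `rootCertificateDetails` indexes `wire.CertificateChains[0][0]` without checking that the decoded blessing has any chain, so a zero-value default blessing now panics inside the HTTP handler instead of returning a 500; the `len(names) == 0` guard that previously caught this in the caller is removed earlier in this diff, so the helper should check for itself. Add before the `cert :=` line: `if len(wire.CertificateChains) == 0 || len(wire.CertificateChains[0]) == 0 { return "", nil, fmt.Errorf("blessings have no certificate chain") }`. The helper also still looks only at the first chain, so if the default blessings hold chains under different roots the others are silently not advertised; the caller's TODO covers this, but the doc comment here (the `Circuitious route` line, which also misspells "Circuitous") should say that only chain 0's root name and key are returned.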
diff --git a/services/identity/internal/handlers/handlers_test.go b/services/identity/internal/handlers/handlers_test.go
index d962e58..353c579 100644
--- a/services/identity/internal/handlers/handlers_test.go
+++ b/services/identity/internal/handlers/handlers_test.go
@@ -20,7 +20,8 @@
)
func TestBlessingRoot(t *testing.T) {
- blessingNames := []string{"test-blessing-name-1", "test-blessing-name-2"}
+ // TODO(ashankar,ataly): Handle multiple root names?
+ blessingNames := []string{"test-root"}
p := testutil.NewPrincipal(blessingNames...)
ts := httptest.NewServer(BlessingRoot{p})