security: Reduce usage of ValidatorVOM outside the veyron2/security
This will help with the change to start using CaveatDescriptor
and registration of validation functions (instead of relying on
the package path of types encoded in ValidatorVOM).
General philosophy is to reduce the need of client code to
poke into the details of the Caveat type encoded "on the wire"
(i.e., defined in VDL).
Change-Id: I27a8aa617211adccdda67b2a3c041b9f686acc76
diff --git a/security/util.go b/security/util.go
index 75e5757..f7cff3f 100644
--- a/security/util.go
+++ b/security/util.go
@@ -12,7 +12,6 @@
"io/ioutil"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vom"
)
const ecPrivateKeyPEMType = "EC PRIVATE KEY"
@@ -92,17 +91,3 @@
return pem.Encode(w, pemKey)
}
-
-// ThirdPartyCaveats returns the set of security.ThirdPartyCaveats
-// that could be successfully decoded from the provided caveat bytes.
-func ThirdPartyCaveats(caveats ...security.Caveat) []security.ThirdPartyCaveat {
- var tpCaveats []security.ThirdPartyCaveat
- for _, c := range caveats {
- var t security.ThirdPartyCaveat
- if err := vom.Decode(c.ValidatorVOM, &t); err != nil {
- continue
- }
- tpCaveats = append(tpCaveats, t)
- }
- return tpCaveats
-}
diff --git a/security/util_test.go b/security/util_test.go
index e39e356..c04e384 100644
--- a/security/util_test.go
+++ b/security/util_test.go
@@ -7,9 +7,6 @@
"crypto/rand"
"reflect"
"testing"
-
- "v.io/core/veyron2/security"
- "v.io/core/veyron2/vdl"
)
func TestLoadSavePEMKey(t *testing.T) {
@@ -64,63 +61,3 @@
t.Fatalf("expected(nil, PassphraseError), instead got (%v, %v)", loadedKey, err)
}
}
-
-// fpCaveat implements security.CaveatValidator.
-type fpCaveat struct{}
-
-func (fpCaveat) Validate(security.Context) error { return nil }
-
-// tpCaveat implements security.ThirdPartyCaveat.
-type tpCaveat struct{}
-
-func (tpCaveat) Validate(security.Context) (err error) { return }
-func (tpCaveat) ID() (id string) { return }
-func (tpCaveat) Location() (loc string) { return }
-func (tpCaveat) Requirements() (r security.ThirdPartyRequirements) { return }
-func (tpCaveat) Dischargeable(security.Context) (err error) { return }
-
-func TestCaveatUtil(t *testing.T) {
- type C []security.Caveat
- type V []security.CaveatValidator
- type TP []security.ThirdPartyCaveat
-
- newCaveat := func(v security.CaveatValidator) security.Caveat {
- c, err := security.NewCaveat(v)
- if err != nil {
- t.Fatalf("failed to create Caveat from validator %T: %v", v, c)
- }
- return c
- }
-
- var (
- fp fpCaveat
- tp tpCaveat
- invalid = security.Caveat{ValidatorVOM: []byte("invalid")}
- )
- testdata := []struct {
- caveats []security.Caveat
- validators []security.CaveatValidator
- tpCaveats []security.ThirdPartyCaveat
- }{
- {nil, nil, nil},
- {C{newCaveat(fp)}, V{fp}, nil},
- {C{newCaveat(tp)}, V{tp}, TP{tp}},
- {C{newCaveat(fp), newCaveat(tp)}, V{fp, tp}, TP{tp}},
- }
- for _, d := range testdata {
- // Test ThirdPartyCaveats.
- if got := ThirdPartyCaveats(d.caveats...); !reflect.DeepEqual(got, d.tpCaveats) {
- t.Errorf("ThirdPartyCaveats(%v): got: %#v, want: %#v", d.caveats, got, d.tpCaveats)
- continue
- }
- if got := ThirdPartyCaveats(append(d.caveats, invalid)...); !reflect.DeepEqual(got, d.tpCaveats) {
- t.Errorf("ThirdPartyCaveats(%v, invalid): got: %#v, want: %#v", d.caveats, got, d.tpCaveats)
- continue
- }
- }
-}
-
-func init() {
- vdl.Register(&fpCaveat{})
- vdl.Register(&tpCaveat{})
-}
diff --git a/services/identity/auditor/blessing_auditor.go b/services/identity/auditor/blessing_auditor.go
index 071ca25..cd540e9 100644
--- a/services/identity/auditor/blessing_auditor.go
+++ b/services/identity/auditor/blessing_auditor.go
@@ -6,7 +6,6 @@
"strings"
"time"
- vsecurity "v.io/core/veyron/security"
"v.io/core/veyron/security/audit"
"v.io/core/veyron2/security"
"v.io/core/veyron2/vom"
@@ -126,8 +125,10 @@
}
func revocationCaveatID(caveats []security.Caveat) string {
- for _, tpcav := range vsecurity.ThirdPartyCaveats(caveats...) {
- return tpcav.ID()
+ for _, cav := range caveats {
+ if tp := cav.ThirdPartyDetails(); tp != nil {
+ return tp.ID()
+ }
}
return ""
}
diff --git a/services/identity/revocation/revocation_test.go b/services/identity/revocation/revocation_test.go
index 3f6e357..4dd214d 100644
--- a/services/identity/revocation/revocation_test.go
+++ b/services/identity/revocation/revocation_test.go
@@ -11,7 +11,6 @@
"v.io/core/veyron2"
"v.io/core/veyron2/context"
"v.io/core/veyron2/security"
- "v.io/core/veyron2/vom"
)
func revokerSetup(t *testing.T, ctx *context.T) (dischargerKey security.PublicKey, dischargerEndpoint string, revoker RevocationManager, closeFunc func()) {
@@ -48,26 +47,25 @@
if err != nil {
t.Fatalf("failed to create revocation caveat: %s", err)
}
- var cav security.ThirdPartyCaveat
- if err := vom.Decode(caveat.ValidatorVOM, &cav); err != nil {
- t.Fatalf("failed to create decode tp caveat: %s", err)
+ tp := caveat.ThirdPartyDetails()
+ if tp == nil {
+ t.Fatalf("failed to extract third party details from caveat %v", caveat)
}
var impetus security.DischargeImpetus
-
- if _, err = discharger.Discharge(ctx, cav, impetus); err != nil {
+ if _, err = discharger.Discharge(ctx, tp, impetus); err != nil {
t.Fatalf("failed to get discharge: %s", err)
}
- if err = revoker.Revoke(cav.ID()); err != nil {
+ if err = revoker.Revoke(tp.ID()); err != nil {
t.Fatalf("failed to revoke: %s", err)
}
- if discharge, err := discharger.Discharge(ctx, cav, impetus); err == nil || discharge != nil {
+ if discharge, err := discharger.Discharge(ctx, tp, impetus); err == nil || discharge != nil {
t.Fatalf("got a discharge for a revoked caveat: %s", err)
}
- if err = revoker.Revoke(cav.ID()); err != nil {
+ if err = revoker.Revoke(tp.ID()); err != nil {
t.Fatalf("failed to revoke again: %s", err)
}
- if discharge, err := discharger.Discharge(ctx, cav, impetus); err == nil || discharge != nil {
+ if discharge, err := discharger.Discharge(ctx, tp, impetus); err == nil || discharge != nil {
t.Fatalf("got a discharge for a doubly revoked caveat: %s", err)
}
}
