commit f044a8d49217d4553406dc8a541b0e704bd3743e
author Ankur <ataly@google.com> Fri Sep 05 17:05:24 2014 -0700
committer Ankur <ataly@google.com> Fri Sep 05 17:05:29 2014 -0700
tree b9b731411dc5c699e3ac950d844b53bdfb5d0c47
parent 1c5b94a539f751b9e5b1b0641a1008b821cc3b00

"veyron2/security": Caveat and CaveatValidator

In accordance with the plan in
https://veyron-review.googlesource.com/#/c/4102/ this CL makes the
following changes:
1) Removes the ServiceCaveat type
2) Renames the Caveat type to CaveatValidator
3) Adds new Caveat and ThirdPartyCaveat types
4) Minor method renames in security.Context

Notes:
* CaveatValidator is an interface with a method Validate. All
concrete caveat implemenations must implement this interface.

* A Caveat is a serialized caveat implementation obtained using
the security.NewCaveat(CaveatValidator) factory function.

* A ThirPartyCaveat is an interface that embeds CaveatValidator along
with other methods for obtaining the ID, Location and requirements of
a third-party caveat.

* Bless and MintDischarge methods now directly take Caveat objects and
embed them in the PublicID and Discharge respectively. The caller of
Bless and MintDischarge need not have the CaveatValidator implementation
from which the Caveat objects were obtained.

* While validating a PublicID or a Discharge, any Caveats that fail to
decode to a CaveatValidator are considered invalid, in other words, all
caveats are universally enforced.

Change-Id: I9430bb90af3267d1b6f235be9056175c30f4d2da

security/util.go

diff --git a/security/util.go b/security/util.go
index b709c31..31987a0 100644
--- a/security/util.go
+++ b/security/util.go
@@ -1,8 +1,10 @@
 package security
 
 import (
+	"bytes"
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"io"
 
 	"veyron2/security"
@@ -55,3 +57,46 @@
 func SaveACL(w io.Writer, acl security.ACL) error {
 	return json.NewEncoder(w).Encode(acl)
 }
+
+// CaveatBytes returns a slice containing the Bytes of the provided 'caveats'.
+func CaveatBytes(caveats ...security.Caveat) [][]byte {
+	b := make([][]byte, len(caveats))
+	for i, c := range caveats {
+		b[i] = c.Bytes()
+	}
+	return b
+}
+
+// CaveatValidators returns the set of security.CaveatValidators
+// obtained by decoding the provided caveat bytes.
+//
+// It is an error if any of the provided caveat bytes cannot
+// be decoded into a security.CaveatValidator.
+func CaveatValidators(caveats ...[]byte) ([]security.CaveatValidator, error) {
+	if len(caveats) == 0 {
+		return nil, nil
+	}
+	validators := make([]security.CaveatValidator, len(caveats))
+	for i, c := range caveats {
+		var v security.CaveatValidator
+		if err := vom.NewDecoder(bytes.NewReader(c)).Decode(&v); err != nil {
+			return nil, fmt.Errorf("caveat bytes could not be VOM-decoded: %s", err)
+		}
+		validators[i] = v
+	}
+	return validators, nil
+}
+
+// ThirdPartyCaveats returns the set of security.ThirdPartyCaveats
+// that could be successfully decoded from the provided caveat bytes.
+func ThirdPartyCaveats(caveats ...[]byte) []security.ThirdPartyCaveat {
+	var tpCaveats []security.ThirdPartyCaveat
+	for _, c := range caveats {
+		var t security.ThirdPartyCaveat
+		if err := vom.NewDecoder(bytes.NewReader(c)).Decode(&t); err != nil {
+			continue
+		}
+		tpCaveats = append(tpCaveats, t)
+	}
+	return tpCaveats
+}