Merge "veyron/runtimes/google/ipc: Flush the relevant namespace cache entry if a startCall fails for a reason other than a resolution not finding anything.  This is to try to more quickly survive server restarts that might end up with a different ip address, port, or routeid."
diff --git a/examples/bank/pbankd/main.go b/examples/bank/pbankd/main.go
index f0a77e2..acf9382 100644
--- a/examples/bank/pbankd/main.go
+++ b/examples/bank/pbankd/main.go
@@ -172,7 +172,7 @@
 // 		fmt.Printf("ID: %d\n", randID)
 
 // 		// Bless the user
-// 		pp := security.PrincipalPattern(context.LocalID().Names()[0])
+// 		pp := security.BlessingPattern(context.LocalID().Names()[0])
 // 		pID, err := b.ID.Bless(
 // 			context.RemoteID(),
 // 			fmt.Sprintf("%d", randID),
@@ -443,7 +443,7 @@
 
 	// 	// Setup bank and account authorizers.
 	//  bankAuth := vsecurity.NewACLAuthorizer(security.NewWhitelistACL(
-	// 		map[security.PrincipalPattern]security.LabelSet{
+	// 		map[security.BlessingPattern]security.LabelSet{
 	// 			security.AllPrincipals: security.LabelSet(security.ReadLabel | security.WriteLabel),
 	// 		}))
 	// 	bankAccountAuth := AccountAuthorizer(runtime.Identity().PublicID().Names()[0] + SUFFIX_REGEXP)
diff --git a/examples/boxes/android/src/boxesp2p/main.go b/examples/boxes/android/src/boxesp2p/main.go
index 250d50d..c2dee7a 100644
--- a/examples/boxes/android/src/boxesp2p/main.go
+++ b/examples/boxes/android/src/boxesp2p/main.go
@@ -235,7 +235,7 @@
 
 func (gs *goState) registerAsPeer(ctx context.T) {
 	auth := vsecurity.NewACLAuthorizer(vsecurity.NewWhitelistACL(
-		map[security.PrincipalPattern]security.LabelSet{
+		map[security.BlessingPattern]security.LabelSet{
 			security.AllPrincipals: security.LabelSet(security.AdminLabel),
 		}))
 	gs.disp.drawAuth = auth
diff --git a/jni/runtimes/google/security/jni.go b/jni/runtimes/google/security/jni.go
index 0dc8a08..0852ec0 100644
--- a/jni/runtimes/google/security/jni.go
+++ b/jni/runtimes/google/security/jni.go
@@ -27,15 +27,15 @@
 	jCaveatClass C.jclass
 	// Global reference for com.veyron2.security.ServiceCaveat class.
 	jServiceCaveatClass C.jclass
-	// Global reference for com.veyron2.security.PrincipalPattern class.
-	jPrincipalPatternClass C.jclass
+	// Global reference for com.veyron2.security.BlessingPattern class.
+	jBlessingPatternClass C.jclass
 	// Global reference for org.joda.time.Duration class.
 	jDurationClass C.jclass
 
 	// Signature of the PublicID interface.
 	publicIDSign = util.ClassSign("com.veyron2.security.PublicID")
-	// Signature of the PrincipalPattern class.
-	principalPatternSign = util.ClassSign("com.veyron2.security.PrincipalPattern")
+	// Signature of the BlessingPattern class.
+	principalPatternSign = util.ClassSign("com.veyron2.security.BlessingPattern")
 )
 
 // Init initializes the JNI code with the given Java evironment. This method
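Review bot: `principalPatternSign` keeps its old name although its comment and value now refer to `com.veyron2.security.BlessingPattern`, while the neighbouring `jPrincipalPatternClass` was renamed to `jBlessingPatternClass`. Renaming it to `blessingPatternSign` would keep the var block consistent. Its uses in jni/runtimes/google/security/publicid_store.go (`Add` and `SetDefaultBlessingPattern`) would change with it. The var block starts outside this hunk.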
@@ -53,7 +53,7 @@
 	jContextImplClass = C.jclass(util.JFindClassPtrOrDie(env, "com/veyron/runtimes/google/security/Context"))
 	jCaveatClass = C.jclass(util.JFindClassPtrOrDie(env, "com/veyron2/security/Caveat"))
 	jServiceCaveatClass = C.jclass(util.JFindClassPtrOrDie(env, "com/veyron2/security/ServiceCaveat"))
-	jPrincipalPatternClass = C.jclass(util.JFindClassPtrOrDie(env, "com/veyron2/security/PrincipalPattern"))
+	jBlessingPatternClass = C.jclass(util.JFindClassPtrOrDie(env, "com/veyron2/security/BlessingPattern"))
 	jDurationClass = C.jclass(util.JFindClassPtrOrDie(env, "org/joda/time/Duration"))
 }
 
@@ -82,7 +82,7 @@
 func Java_com_veyron_runtimes_google_security_PublicIDStore_nativeAdd(env *C.JNIEnv, jPublicIDStore C.jobject, goPublicIDStorePtr C.jlong, jID C.jobject, jPeerPattern C.jstring) {
 	idPtr := util.CallLongMethodOrCatch(env, jID, "getNativePtr", nil)
 	id := (*(*security.PublicID)(util.Ptr(idPtr)))
-	peerPattern := security.PrincipalPattern(util.GoString(env, jPeerPattern))
+	peerPattern := security.BlessingPattern(util.GoString(env, jPeerPattern))
 	if err := (*(*security.PublicIDStore)(util.Ptr(goPublicIDStorePtr))).Add(id, peerPattern); err != nil {
 		util.JThrowV(env, err)
 		return
@@ -113,10 +113,10 @@
 	return C.jlong(util.PtrValue(&id))
 }
 
-//export Java_com_veyron_runtimes_google_security_PublicIDStore_nativeSetDefaultPrincipalPattern
-func Java_com_veyron_runtimes_google_security_PublicIDStore_nativeSetDefaultPrincipalPattern(env *C.JNIEnv, jPublicIDStore C.jobject, goPublicIDStorePtr C.jlong, jPattern C.jstring) {
-	pattern := security.PrincipalPattern(util.GoString(env, jPattern))
-	if err := (*(*security.PublicIDStore)(util.Ptr(goPublicIDStorePtr))).SetDefaultPrincipalPattern(pattern); err != nil {
+//export Java_com_veyron_runtimes_google_security_PublicIDStore_nativeSetDefaultBlessingPattern
+func Java_com_veyron_runtimes_google_security_PublicIDStore_nativeSetDefaultBlessingPattern(env *C.JNIEnv, jPublicIDStore C.jobject, goPublicIDStorePtr C.jlong, jPattern C.jstring) {
+	pattern := security.BlessingPattern(util.GoString(env, jPattern))
+	if err := (*(*security.PublicIDStore)(util.Ptr(goPublicIDStorePtr))).SetDefaultBlessingPattern(pattern); err != nil {
 		util.JThrowV(env, err)
 		return
 	}
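Review bot: The renamed export `Java_com_veyron_runtimes_google_security_PublicIDStore_nativeSetDefaultBlessingPattern` is resolved by symbol name at runtime, so the Java `PublicIDStore` class needs a matching `nativeSetDefaultBlessingPattern` native method, and that Java change is not visible in this diff. The same holds for the `"setDefaultBlessingPattern"` method name and the `com/veyron2/security/BlessingPattern` class path passed as strings in the other jni hunks, none of which the Go compiler checks. A comment above the export such as `// Must match the native method declared in the Java PublicIDStore class.` would record the coupling. The function body continues past the end of this hunk.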
diff --git a/jni/runtimes/google/security/publicid.go b/jni/runtimes/google/security/publicid.go
index 541779e..9ef816b 100644
--- a/jni/runtimes/google/security/publicid.go
+++ b/jni/runtimes/google/security/publicid.go
@@ -89,7 +89,7 @@
 	sCaveats := make([]security.ServiceCaveat, len(jServiceCaveats))
 	for i, jcaveat := range jServiceCaveats {
 		sCaveats[i] = security.ServiceCaveat{
-			Service: security.PrincipalPattern(util.JStringField(env, C.jobject(jcaveat), "service")),
+			Service: security.BlessingPattern(util.JStringField(env, C.jobject(jcaveat), "service")),
 			Caveat:  newCaveat(env, C.jobject(jcaveat)),
 		}
 	}
diff --git a/jni/runtimes/google/security/publicid_store.go b/jni/runtimes/google/security/publicid_store.go
index 2c5237b..04334f5 100644
--- a/jni/runtimes/google/security/publicid_store.go
+++ b/jni/runtimes/google/security/publicid_store.go
@@ -54,14 +54,14 @@
 	jPublicIDStore C.jobject
 }
 
-func (s *publicIDStore) Add(id security.PublicID, peerPattern security.PrincipalPattern) error {
+func (s *publicIDStore) Add(id security.PublicID, peerPattern security.BlessingPattern) error {
 	envPtr, freeFunc := util.GetEnv(s.jVM)
 	env := (*C.JNIEnv)(envPtr)
 	defer freeFunc()
 	util.GoRef(&id) // Un-refed when the Java PublicID object created below is finalized.
 	jPublicID := C.jobject(util.NewObjectOrCatch(env, jPublicIDImplClass, []util.Sign{util.LongSign}, &id))
-	jPrincipalPattern := C.jobject(util.NewObjectOrCatch(env, jPrincipalPatternClass, []util.Sign{util.StringSign}, string(peerPattern)))
-	return util.CallVoidMethod(env, s.jPublicIDStore, "add", []util.Sign{publicIDSign, principalPatternSign}, jPublicID, jPrincipalPattern)
+	jBlessingPattern := C.jobject(util.NewObjectOrCatch(env, jBlessingPatternClass, []util.Sign{util.StringSign}, string(peerPattern)))
+	return util.CallVoidMethod(env, s.jPublicIDStore, "add", []util.Sign{publicIDSign, principalPatternSign}, jPublicID, jBlessingPattern)
 }
 
 func (s *publicIDStore) ForPeer(peer security.PublicID) (security.PublicID, error) {
@@ -90,10 +90,10 @@
 	return (*(*security.PublicID)(util.Ptr(publicIDPtr))), nil
 }
 
-func (s *publicIDStore) SetDefaultPrincipalPattern(pattern security.PrincipalPattern) error {
+func (s *publicIDStore) SetDefaultBlessingPattern(pattern security.BlessingPattern) error {
 	envPtr, freeFunc := util.GetEnv(s.jVM)
 	env := (*C.JNIEnv)(envPtr)
 	defer freeFunc()
-	jPattern := C.jobject(util.NewObjectOrCatch(env, jPrincipalPatternClass, []util.Sign{util.StringSign}, string(pattern)))
-	return util.CallVoidMethod(env, s.jPublicIDStore, "setDefaultPrincipalPattern", []util.Sign{principalPatternSign}, jPattern)
+	jPattern := C.jobject(util.NewObjectOrCatch(env, jBlessingPatternClass, []util.Sign{util.StringSign}, string(pattern)))
+	return util.CallVoidMethod(env, s.jPublicIDStore, "setDefaultBlessingPattern", []util.Sign{principalPatternSign}, jPattern)
 }
diff --git a/jni/runtimes/google/security/service_caveat.go b/jni/runtimes/google/security/service_caveat.go
index e4d8ff6..a6e599c 100644
--- a/jni/runtimes/google/security/service_caveat.go
+++ b/jni/runtimes/google/security/service_caveat.go
@@ -17,8 +17,8 @@
 	sCaveats := make([]security.ServiceCaveat, length)
 	for i := 0; i < length; i++ {
 		jServiceCaveat := C.GetObjectArrayElement(env, jServiceCaveats, C.jsize(i))
-		jPrincipalPattern := C.jobject(util.CallObjectMethodOrCatch(env, jServiceCaveat, "getServices", nil, util.ClassSign("com.veyron2.security.PrincipalPattern")))
-		services := util.CallStringMethodOrCatch(env, jPrincipalPattern, "getValue", nil)
+		jBlessingPattern := C.jobject(util.CallObjectMethodOrCatch(env, jServiceCaveat, "getServices", nil, util.ClassSign("com.veyron2.security.BlessingPattern")))
+		services := util.CallStringMethodOrCatch(env, jBlessingPattern, "getValue", nil)
 		jCaveat := C.jobject(util.CallObjectMethodOrCatch(env, jServiceCaveat, "getCaveat", nil, util.ClassSign("com.veyron2.security.Caveat")))
 		// TODO(spetrovic): we get native pointer for PublicID and it works because the plan is for
 		// PublicID to be an interface with only a few implementations in veyron2: folks aren't
@@ -30,7 +30,7 @@
 		caveatPtr := util.CallLongMethodOrCatch(env, jCaveat, "getNativePtr", nil)
 		caveat := (*(*security.Caveat)(util.Ptr(caveatPtr)))
 		sCaveats[i] = security.ServiceCaveat{
-			Service: security.PrincipalPattern(services),
+			Service: security.BlessingPattern(services),
 			Caveat:  caveat,
 		}
 	}
@@ -45,8 +45,8 @@
 		util.GoRef(&caveat) // Un-refed when the Java Caveat object is finalized.
 		jCaveat := C.jobject(util.NewObjectOrCatch(env, jCaveatImplClass, []util.Sign{util.LongSign}, &caveat))
 		services := string(sCaveat.Service)
-		jPattern := C.jobject(util.NewObjectOrCatch(env, jPrincipalPatternClass, []util.Sign{util.StringSign}, services))
-		patternSign := util.ClassSign("com.veyron2.security.PrincipalPattern")
+		jPattern := C.jobject(util.NewObjectOrCatch(env, jBlessingPatternClass, []util.Sign{util.StringSign}, services))
+		patternSign := util.ClassSign("com.veyron2.security.BlessingPattern")
 		caveatSign := util.ClassSign("com.veyron2.security.Caveat")
 		jServiceCaveat := C.jobject(util.NewObjectOrCatch(env, jServiceCaveatClass, []util.Sign{patternSign, caveatSign}, jPattern, jCaveat))
 		C.SetObjectArrayElement(env, jServiceCaveats, C.jsize(i), jServiceCaveat)
diff --git a/lib/testutil/security/util_test.go b/lib/testutil/security/util_test.go
index 856606b..3a2fd3a 100644
--- a/lib/testutil/security/util_test.go
+++ b/lib/testutil/security/util_test.go
@@ -51,12 +51,12 @@
 	}
 	defer r.Cleanup()
 	acl := security.ACL{}
-	acl.In.Principals = map[security.PrincipalPattern]security.LabelSet{
+	acl.In.Principals = map[security.BlessingPattern]security.LabelSet{
 		"veyron/*":     security.LabelSet(security.ReadLabel),
 		"veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel),
 		"veyron/bob":   security.LabelSet(security.AdminLabel),
 	}
-	acl.NotIn.Principals = map[security.PrincipalPattern]security.LabelSet{
+	acl.NotIn.Principals = map[security.BlessingPattern]security.LabelSet{
 		"veyron/che": security.LabelSet(security.ReadLabel),
 	}
 
diff --git a/runtimes/google/ipc/client.go b/runtimes/google/ipc/client.go
index 1ccb51b..5bc53ce 100644
--- a/runtimes/google/ipc/client.go
+++ b/runtimes/google/ipc/client.go
@@ -197,7 +197,7 @@
 	for _, o := range opts {
 		switch v := o.(type) {
 		case veyron2.RemoteID:
-			if !security.PrincipalPattern(v).MatchedBy(authID) {
+			if !security.BlessingPattern(v).MatchedBy(authID.Names()...) {
 				return nil, fmt.Errorf("server %q does not match the provided pattern %q", authID, v)
 			}
 		case ipc.Granter:
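Review bot: `authID.Names()` is now evaluated before `MatchedBy` runs, so if `authID` can be nil in the `veyron2.RemoteID` case this would panic instead of returning the mismatch error; the old call passed the identity itself and left any nil handling to `MatchedBy`. The enclosing function starts and ends outside this hunk, so an earlier nil check may exist but is not visible here. If there is none, guard the call the way the security/caveat/caveat.go hunk does for `ctx.LocalID()`: `if authID == nil || !security.BlessingPattern(v).MatchedBy(authID.Names()...) {`. The same applies to `server.Names()` in runtimes/google/ipc/discharges.go and `peer.Names()` in runtimes/google/security/publicid_store.go. Since this is the client's check of the server's identity, it is also worth confirming that an identity with no names fails the match rather than satisfying a wildcard pattern.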
diff --git a/runtimes/google/ipc/discharges.go b/runtimes/google/ipc/discharges.go
index 5e72ea8..173ecd9 100644
--- a/runtimes/google/ipc/discharges.go
+++ b/runtimes/google/ipc/discharges.go
@@ -24,7 +24,7 @@
 
 	var caveats []security.ThirdPartyCaveat
 	for _, cav := range blessing.ThirdPartyCaveats() {
-		if cav.Service.MatchedBy(server) {
+		if cav.Service.MatchedBy(server.Names()...) {
 			caveats = append(caveats, cav.Caveat.(security.ThirdPartyCaveat))
 		}
 	}
diff --git a/runtimes/google/ipc/full_test.go b/runtimes/google/ipc/full_test.go
index b1fdd33..9224834 100644
--- a/runtimes/google/ipc/full_test.go
+++ b/runtimes/google/ipc/full_test.go
@@ -162,7 +162,7 @@
 	case "aclAuth":
 		// Only authorize clients matching patterns "client" or "server/*".
 		authorizer = vsecurity.NewACLAuthorizer(vsecurity.NewWhitelistACL(
-			map[security.PrincipalPattern]security.LabelSet{
+			map[security.BlessingPattern]security.LabelSet{
 				"server/*": security.LabelSet(security.AdminLabel),
 				"client":   security.LabelSet(security.AdminLabel),
 			}))
@@ -471,7 +471,7 @@
 
 	tests := []struct {
 		clientID, serverID security.PrivateID
-		pattern            security.PrincipalPattern // pattern on the server identity expected by client.
+		pattern            security.BlessingPattern // pattern on the server identity expected by client.
 		err                string
 	}{
 		// Client accepts talking to server only if server's identity matches the
@@ -745,11 +745,11 @@
 		// a Discharge service as well.
 		dischargerID = serverID.PublicID()
 		cavTPValid   = security.ServiceCaveat{
-			Service: security.PrincipalPattern(serverID.PublicID().Names()[0]),
+			Service: security.BlessingPattern(serverID.PublicID().Names()[0]),
 			Caveat:  mkThirdPartyCaveat(dischargerID, "mountpoint/server/discharger", &caveat.Expiry{ExpiryTime: now.Add(24 * time.Hour)}),
 		}
 		cavTPExpired = security.ServiceCaveat{
-			Service: security.PrincipalPattern(serverID.PublicID().Names()[0]),
+			Service: security.BlessingPattern(serverID.PublicID().Names()[0]),
 			Caveat:  mkThirdPartyCaveat(dischargerID, "mountpoint/server/discharger", &caveat.Expiry{IssueTime: now, ExpiryTime: now}),
 		}
 
diff --git a/runtimes/google/ipc/server.go b/runtimes/google/ipc/server.go
index 9208a74..dec40be 100644
--- a/runtimes/google/ipc/server.go
+++ b/runtimes/google/ipc/server.go
@@ -382,9 +382,9 @@
 	if id == nil {
 		return security.ACL{}
 	}
-	in := map[security.PrincipalPattern]security.LabelSet{}
+	in := map[security.BlessingPattern]security.LabelSet{}
 	for _, n := range id.Names() {
-		in[security.PrincipalPattern(n+security.ChainSeparator+security.AllPrincipals)] = security.AllLabels
+		in[security.BlessingPattern(n+security.ChainSeparator+string(security.AllPrincipals))] = security.AllLabels
 	}
 	return vsecurity.NewWhitelistACL(in)
 }
diff --git a/runtimes/google/rt/ipc.go b/runtimes/google/rt/ipc.go
index d978865..ccd1319 100644
--- a/runtimes/google/rt/ipc.go
+++ b/runtimes/google/rt/ipc.go
@@ -23,7 +23,7 @@
 	id security.PublicID
 }
 
-func (fixedPublicIDStore) Add(id security.PublicID, peerPattern security.PrincipalPattern) error {
+func (fixedPublicIDStore) Add(id security.PublicID, peerPattern security.BlessingPattern) error {
 	return errors.New("adding new PublicIDs is disallowed for this PublicIDStore")
 }
 
@@ -35,8 +35,8 @@
 	return s.id, nil
 }
 
-func (fixedPublicIDStore) SetDefaultPrincipalPattern(pattern security.PrincipalPattern) error {
-	return errors.New("SetDefaultPrincipalPattern is disallowed on a fixed PublicIDStore")
+func (fixedPublicIDStore) SetDefaultBlessingPattern(pattern security.BlessingPattern) error {
+	return errors.New("SetDefaultBlessingPattern is disallowed on a fixed PublicIDStore")
 }
 
 // localID is an option for passing a PrivateID and PublicIDStore
diff --git a/runtimes/google/rt/ipc_test.go b/runtimes/google/rt/ipc_test.go
index d9938d8..f1499c5 100644
--- a/runtimes/google/rt/ipc_test.go
+++ b/runtimes/google/rt/ipc_test.go
@@ -42,7 +42,7 @@
 	return blessedID
 }
 
-func add(store security.PublicIDStore, id security.PublicID, pattern security.PrincipalPattern) {
+func add(store security.PublicIDStore, id security.PublicID, pattern security.BlessingPattern) {
 	if err := store.Add(id, pattern); err != nil {
 		panic(err)
 	}
@@ -103,7 +103,7 @@
 
 	type testcase struct {
 		server, client                   security.PublicID
-		defaultPattern                   security.PrincipalPattern
+		defaultPattern                   security.BlessingPattern
 		wantServerNames, wantClientNames []string
 	}
 	tests := []testcase{
@@ -146,8 +146,8 @@
 		return fmt.Sprintf("TestCase{clientPublicIDStore: %v, serverPublicIDStore: %v, client option: %v, server option: %v}", clientR.PublicIDStore(), serverR.PublicIDStore(), t.client, t.server)
 	}
 	for _, test := range tests {
-		if err := serverR.PublicIDStore().SetDefaultPrincipalPattern(test.defaultPattern); err != nil {
-			t.Errorf("serverR.PublicIDStore.SetDefaultPrincipalPattern failed: %s", err)
+		if err := serverR.PublicIDStore().SetDefaultBlessingPattern(test.defaultPattern); err != nil {
+			t.Errorf("serverR.PublicIDStore.SetDefaultBlessingPattern failed: %s", err)
 			continue
 		}
 		server, err := serverR.NewServer(veyron2.LocalID(test.server))
@@ -163,7 +163,7 @@
 		defer stopServer(server)
 		if err := server.Serve("", ipc.LeafDispatcher(&testService{},
 			vsecurity.NewACLAuthorizer(vsecurity.NewWhitelistACL(
-				map[security.PrincipalPattern]security.LabelSet{
+				map[security.BlessingPattern]security.LabelSet{
 					security.AllPrincipals: security.AllLabels,
 				})))); err != nil {
 			t.Errorf("error serving service: ", err)
diff --git a/runtimes/google/security/identity_test.go b/runtimes/google/security/identity_test.go
index a9961a9..eef3e12 100644
--- a/runtimes/google/security/identity_test.go
+++ b/runtimes/google/security/identity_test.go
@@ -78,7 +78,7 @@
 func TestMatch(t *testing.T) {
 	alice := newChain("alice")
 	type matchInstance struct {
-		pattern security.PrincipalPattern
+		pattern security.BlessingPattern
 		want    bool
 	}
 	testdata := []struct {
@@ -137,7 +137,7 @@
 	}
 	for _, d := range testdata {
 		for _, m := range d.matchData {
-			if got := m.pattern.MatchedBy(d.id); got != m.want {
+			if got := m.pattern.MatchedBy(d.id.Names()...); got != m.want {
 				t.Errorf("%q.Match(%s), Got %t, want %t", d.id, m.pattern, got, m.want)
 			}
 		}
diff --git a/runtimes/google/security/publicid_store.go b/runtimes/google/security/publicid_store.go
index fd87035..4763555 100644
--- a/runtimes/google/security/publicid_store.go
+++ b/runtimes/google/security/publicid_store.go
@@ -34,16 +34,16 @@
 	return fmt.Errorf("could not save PublicIDStore: %s", err)
 }
 
-type taggedIDStore map[security.PublicID][]security.PrincipalPattern
+type taggedIDStore map[security.PublicID][]security.BlessingPattern
 
 type persistentState struct {
 	// Store contains a set of PublicIDs mapped to a set of (peer) patterns. The
 	// patterns indicate the set of peers against whom the PublicID can be used.
 	// All PublicIDs in the store must have the same public key.
 	Store taggedIDStore
-	// DefaultPattern is the default PrincipalPattern to be used to select
+	// DefaultPattern is the default BlessingPattern to be used to select
 	// PublicIDs from the store in absence of any other search criterea.
-	DefaultPattern security.PrincipalPattern
+	DefaultPattern security.BlessingPattern
 }
 
 // publicIDStore implements security.PublicIDStore.
@@ -54,7 +54,7 @@
 	mu        sync.RWMutex
 }
 
-func (s *publicIDStore) addTaggedID(id security.PublicID, peerPattern security.PrincipalPattern) ([]security.PublicID, error) {
+func (s *publicIDStore) addTaggedID(id security.PublicID, peerPattern security.BlessingPattern) ([]security.PublicID, error) {
 	var updatedIDs []security.PublicID
 	switch p := id.(type) {
 	case *setPublicID:
@@ -85,7 +85,7 @@
 	}
 }
 
-func (s *publicIDStore) Add(id security.PublicID, peerPattern security.PrincipalPattern) error {
+func (s *publicIDStore) Add(id security.PublicID, peerPattern security.BlessingPattern) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
@@ -119,7 +119,7 @@
 	var matchingIDs []security.PublicID
 	for id, peerPatterns := range s.state.Store {
 		for _, peerPattern := range peerPatterns {
-			if peerPattern.MatchedBy(peer) {
+			if peerPattern.MatchedBy(peer.Names()...) {
 				matchingIDs = append(matchingIDs, id)
 				break
 			}
@@ -140,7 +140,7 @@
 	defer s.mu.RUnlock()
 	var matchingIDs []security.PublicID
 	for id, _ := range s.state.Store {
-		if s.state.DefaultPattern.MatchedBy(id) {
+		if s.state.DefaultPattern.MatchedBy(id.Names()...) {
 			matchingIDs = append(matchingIDs, id)
 		}
 	}
@@ -154,8 +154,8 @@
 	return id, nil
 }
 
-func (s *publicIDStore) SetDefaultPrincipalPattern(pattern security.PrincipalPattern) error {
-	if err := wire.ValidatePrincipalPattern(pattern); err != nil {
+func (s *publicIDStore) SetDefaultBlessingPattern(pattern security.BlessingPattern) error {
+	if err := wire.ValidateBlessingPattern(pattern); err != nil {
 		return err
 	}
 	s.mu.Lock()
diff --git a/runtimes/google/security/publicid_store_test.go b/runtimes/google/security/publicid_store_test.go
index 9598fde..394cb49 100644
--- a/runtimes/google/security/publicid_store_test.go
+++ b/runtimes/google/security/publicid_store_test.go
@@ -62,7 +62,7 @@
 		t.Fatalf("NewPublicIDStore failed: %s", err)
 	}
 	defaultPatterns := []struct {
-		pattern security.PrincipalPattern
+		pattern security.BlessingPattern
 		success bool
 	}{
 		{"veyron", true},
@@ -77,14 +77,14 @@
 		{"veyron/*/alice", false},
 	}
 	for _, d := range defaultPatterns {
-		if got := s.SetDefaultPrincipalPattern(d.pattern); d.success != (got == nil) {
+		if got := s.SetDefaultBlessingPattern(d.pattern); d.success != (got == nil) {
 			t.Errorf("%s.SetDefaultPattern(%q) returned: %v, expected it to succeed: %v", s, d.pattern, got, d.success)
 		}
 	}
 }
 
 func TestStoreGetters(t *testing.T) {
-	add := func(s security.PublicIDStore, id security.PublicID, peers security.PrincipalPattern) {
+	add := func(s security.PublicIDStore, id security.PublicID, peers security.BlessingPattern) {
 		if err := s.Add(id, peers); err != nil {
 			t.Fatalf("%s.Add(%q, %q) failed unexpectedly: %s", s, id, peers, err)
 		}
@@ -151,9 +151,9 @@
 		t.Errorf("%s.DefaultPublicID(): got: %s, want PublicID with the exact set of names: %s", s, got, defaultNames)
 	}
 
-	// Test SetDefaultPrincipalPattern.
-	testDataByPrincipalPattern := []struct {
-		defaultPattern security.PrincipalPattern
+	// Test SetDefaultBlessingPattern.
+	testDataByBlessingPattern := []struct {
+		defaultPattern security.BlessingPattern
 		defaultNames   []string
 	}{
 		{"veyron", nil},
@@ -166,8 +166,8 @@
 		{"google/service/*", []string{"google/service/user-42"}},
 		{"bob", nil},
 	}
-	for _, d := range testDataByPrincipalPattern {
-		s.SetDefaultPrincipalPattern(d.defaultPattern)
+	for _, d := range testDataByBlessingPattern {
+		s.SetDefaultBlessingPattern(d.defaultPattern)
 		if got, err := s.DefaultPublicID(); !verifyNamesAndPublicKey(got, err, d.defaultNames, pkey) {
 			t.Errorf("%s.DefaultPublicID(): got: %s, want PublicID with the exact set of names: %s", s, got, d.defaultNames)
 		}
@@ -206,8 +206,8 @@
 	if err := s.Add(sAllAlice, "google/*"); err != nil {
 		t.Fatalf("%s.Add(%q, ...) failed unexpectedly: %s", s, sAllAlice, err)
 	}
-	if err := s.SetDefaultPrincipalPattern("veyron/*"); err != nil {
-		t.Fatalf("%s.SetDefaultPrincipalPattern failed: %s", s, err)
+	if err := s.SetDefaultBlessingPattern("veyron/*"); err != nil {
+		t.Fatalf("%s.SetDefaultBlessingPattern failed: %s", s, err)
 	}
 
 	// Test that all mutations are appropriately reflected in a PublicIDStore read from
diff --git a/runtimes/google/security/util_test.go b/runtimes/google/security/util_test.go
index 1cc0a29..7cfb9db 100644
--- a/runtimes/google/security/util_test.go
+++ b/runtimes/google/security/util_test.go
@@ -109,13 +109,13 @@
 	return nil
 }
 
-func methodRestrictionCaveat(service security.PrincipalPattern, methods []string) []security.ServiceCaveat {
+func methodRestrictionCaveat(service security.BlessingPattern, methods []string) []security.ServiceCaveat {
 	return []security.ServiceCaveat{
 		{Service: service, Caveat: caveat.MethodRestriction(methods)},
 	}
 }
 
-func peerIdentityCaveat(p security.PrincipalPattern) []security.ServiceCaveat {
+func peerIdentityCaveat(p security.BlessingPattern) []security.ServiceCaveat {
 	return []security.ServiceCaveat{caveat.UniversalCaveat(caveat.PeerIdentity{p})}
 }
 
diff --git a/security/acl_authorizer.go b/security/acl_authorizer.go
index 9cda0e3..30f000d 100644
--- a/security/acl_authorizer.go
+++ b/security/acl_authorizer.go
@@ -62,7 +62,7 @@
 // no requests are authorized.
 //
 // The JSON-encoding of a ACL is essentially a JSON object describing a map from
-// PrincipalPatterns to encoded LabelSets (see LabelSet.MarshalJSON).
+// BlessingPatterns to encoded LabelSets (see LabelSet.MarshalJSON).
 // Examples:
 // * `{"*" : "RW"}` encodes an ACL that allows all principals to access all methods with
 //   ReadLabel or WriteLabel.
diff --git a/security/acl_authorizer_test.go b/security/acl_authorizer_test.go
index 07da673..d71363f 100644
--- a/security/acl_authorizer_test.go
+++ b/security/acl_authorizer_test.go
@@ -187,7 +187,7 @@
 
 	// ACL for testing
 	acl := security.ACL{}
-	acl.In.Principals = map[security.PrincipalPattern]security.LabelSet{
+	acl.In.Principals = map[security.BlessingPattern]security.LabelSet{
 		"*": LS(R),
 		"fake/veyron/alice/*": LS(W, R),
 		"fake/veyron/alice":   LS(A, D, M),
@@ -195,7 +195,7 @@
 		"fake/veyron/che/*":   LS(W, R),
 		"fake/veyron/che":     LS(W, R),
 	}
-	acl.NotIn.Principals = map[security.PrincipalPattern]security.LabelSet{
+	acl.NotIn.Principals = map[security.BlessingPattern]security.LabelSet{
 		"fake/veyron/che/friend": LS(W),
 	}
 
diff --git a/security/caveat/caveat.go b/security/caveat/caveat.go
index 6ad9f25..a008381 100644
--- a/security/caveat/caveat.go
+++ b/security/caveat/caveat.go
@@ -49,15 +49,15 @@
 
 // PeerIdentity is a security.Caveat that restricts the bearer of a credential
 // with this caveat from making or receiving RPCs to a limited set of peers -
-// those whose identities match one of the provided security.PrincipalPatterns.
+// those whose identities match one of the provided security.BlessingPatterns.
 // An empty set indicates that no peers can be communicated with.
-type PeerIdentity []security.PrincipalPattern
+type PeerIdentity []security.BlessingPattern
 
 // Validate checks that the identity of the peer is present on the set of services
-// identified by the PrincipalPatterns on the caveat.
+// identified by the BlessingPatterns on the caveat.
 func (c PeerIdentity) Validate(ctx security.Context) error {
 	for _, p := range c {
-		if ctx.LocalID() != nil && p.MatchedBy(ctx.LocalID()) {
+		if ctx.LocalID() != nil && p.MatchedBy(ctx.LocalID().Names()...) {
 			return nil
 		}
 	}
diff --git a/security/flag/flag_test.go b/security/flag/flag_test.go
index a52bf26..4bd60fe 100644
--- a/security/flag/flag_test.go
+++ b/security/flag/flag_test.go
@@ -30,7 +30,7 @@
 	}
 	var (
 		acl1 = security.ACL{}
-		acl2 = vsecurity.NewWhitelistACL(map[security.PrincipalPattern]security.LabelSet{
+		acl2 = vsecurity.NewWhitelistACL(map[security.BlessingPattern]security.LabelSet{
 			"veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel),
 			"veyron/bob":   security.LabelSet(security.ReadLabel),
 		})
diff --git a/security/util.go b/security/util.go
index afdfd87..7755797 100644
--- a/security/util.go
+++ b/security/util.go
@@ -13,7 +13,7 @@
 
 // NewWhitelistACL creates an ACL that grants access to only the provided
 // principals.
-func NewWhitelistACL(principals map[security.PrincipalPattern]security.LabelSet) security.ACL {
+func NewWhitelistACL(principals map[security.BlessingPattern]security.LabelSet) security.ACL {
 	acl := security.ACL{}
 	acl.In.Principals = principals
 	return acl
diff --git a/security/util_test.go b/security/util_test.go
index 5fd6252..6c97fb6 100644
--- a/security/util_test.go
+++ b/security/util_test.go
@@ -27,12 +27,12 @@
 
 func TestLoadSaveACL(t *testing.T) {
 	acl := security.ACL{}
-	acl.In.Principals = map[security.PrincipalPattern]security.LabelSet{
+	acl.In.Principals = map[security.BlessingPattern]security.LabelSet{
 		"veyron/*":     security.LabelSet(security.ReadLabel),
 		"veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel),
 		"veyron/bob":   security.LabelSet(security.AdminLabel),
 	}
-	acl.NotIn.Principals = map[security.PrincipalPattern]security.LabelSet{
+	acl.NotIn.Principals = map[security.BlessingPattern]security.LabelSet{
 		"veyron/che": security.LabelSet(security.ReadLabel),
 	}
 
diff --git a/services/identity/identityd/main.go b/services/identity/identityd/main.go
index d440bf3..255d91f 100644
--- a/services/identity/identityd/main.go
+++ b/services/identity/identityd/main.go
@@ -134,7 +134,7 @@
 	if err != nil {
 		return nil, nil, fmt.Errorf("server.Listen(%q, %q) failed: %v", "tcp", *address, err)
 	}
-	allowEveryoneACL := vsecurity.NewWhitelistACL(map[security.PrincipalPattern]security.LabelSet{
+	allowEveryoneACL := vsecurity.NewWhitelistACL(map[security.BlessingPattern]security.LabelSet{
 		security.AllPrincipals: security.AllLabels,
 	})
 	objectname := fmt.Sprintf("identity/%s/google", r.Identity().PublicID().Names()[0])
diff --git a/services/syncgroup/syncgroup.vdl.go b/services/syncgroup/syncgroup.vdl.go
index e38974f..962584c 100644
--- a/services/syncgroup/syncgroup.vdl.go
+++ b/services/syncgroup/syncgroup.vdl.go
@@ -496,7 +496,7 @@
 	}
 
 	result.TypeDefs = []_gen_vdlutil.Any{
-		_gen_wiretype.NamedPrimitiveType{Type: 0x1, Name: "anydata", Tags: []string(nil)}, _gen_wiretype.MapType{Key: 0x3, Elem: 0x41, Name: "", Tags: []string(nil)}, _gen_wiretype.NamedPrimitiveType{Type: 0x3, Name: "veyron2/security.PrincipalPattern", Tags: []string(nil)}, _gen_wiretype.NamedPrimitiveType{Type: 0x34, Name: "veyron2/security.LabelSet", Tags: []string(nil)}, _gen_wiretype.MapType{Key: 0x43, Elem: 0x44, Name: "", Tags: []string(nil)}, _gen_wiretype.StructType{
+		_gen_wiretype.NamedPrimitiveType{Type: 0x1, Name: "anydata", Tags: []string(nil)}, _gen_wiretype.MapType{Key: 0x3, Elem: 0x41, Name: "", Tags: []string(nil)}, _gen_wiretype.NamedPrimitiveType{Type: 0x3, Name: "veyron2/security.BlessingPattern", Tags: []string(nil)}, _gen_wiretype.NamedPrimitiveType{Type: 0x34, Name: "veyron2/security.LabelSet", Tags: []string(nil)}, _gen_wiretype.MapType{Key: 0x43, Elem: 0x44, Name: "", Tags: []string(nil)}, _gen_wiretype.StructType{
 			[]_gen_wiretype.FieldType{
 				_gen_wiretype.FieldType{Type: 0x45, Name: "Principals"},
 			},
diff --git a/services/wsprd/identity/identity.go b/services/wsprd/identity/identity.go
index b947a21..b9a9c7b 100644
--- a/services/wsprd/identity/identity.go
+++ b/services/wsprd/identity/identity.go
@@ -132,12 +132,12 @@
 }
 
 // AccountsMatching returns a list of accounts that match the given pattern.
-func (i *IDManager) AccountsMatching(trustedRoot security.PrincipalPattern) []string {
+func (i *IDManager) AccountsMatching(trustedRoot security.BlessingPattern) []string {
 	i.mu.Lock()
 	defer i.mu.Unlock()
 	result := []string{}
 	for name, id := range i.state.Accounts {
-		if trustedRoot.MatchedBy(id.PublicID()) {
+		if trustedRoot.MatchedBy(id.PublicID().Names()...) {
 			result = append(result, name)
 		}
 	}
diff --git a/services/wsprd/identity/identity_test.go b/services/wsprd/identity/identity_test.go
index 8ca77c4..0ea8f0e 100644
--- a/services/wsprd/identity/identity_test.go
+++ b/services/wsprd/identity/identity_test.go
@@ -79,7 +79,7 @@
 	manager.AddAccount(googleAccount2, createChain(r, googleAccount2))
 	manager.AddAccount(facebookAccount, createChain(r, facebookAccount))
 
-	result := manager.AccountsMatching(security.PrincipalPattern(topLevelName + "/google/*"))
+	result := manager.AccountsMatching(security.BlessingPattern(topLevelName + "/google/*"))
 	sort.StringSlice(result).Sort()
 	expected := []string{googleAccount1, googleAccount2}
 	if !reflect.DeepEqual(result, expected) {
diff --git a/services/wsprd/ipc/server/server.go b/services/wsprd/ipc/server/server.go
index 989a053..f0e78b6 100644
--- a/services/wsprd/ipc/server/server.go
+++ b/services/wsprd/ipc/server/server.go
@@ -178,7 +178,7 @@
 	if s.dispatcher == nil {
 		s.dispatcher = newDispatcher(invoker,
 			vsecurity.NewACLAuthorizer(vsecurity.NewWhitelistACL(
-				map[security.PrincipalPattern]security.LabelSet{
+				map[security.BlessingPattern]security.LabelSet{
 					security.AllPrincipals: security.AllLabels,
 				})))
 	}
diff --git a/services/wsprd/wspr/wspr_test.go b/services/wsprd/wspr/wspr_test.go
index 2677a54..9c3af33 100644
--- a/services/wsprd/wspr/wspr_test.go
+++ b/services/wsprd/wspr/wspr_test.go
@@ -98,7 +98,7 @@
 	// Verify that idManager has the new account
 	topLevelName := wspr.rt.Identity().PublicID().Names()[0]
 	expectedAccountName := topLevelName + "/mock-blessing-1"
-	gotAccounts := wspr.idManager.AccountsMatching(security.PrincipalPattern(expectedAccountName))
+	gotAccounts := wspr.idManager.AccountsMatching(security.BlessingPattern(expectedAccountName))
 	if len(gotAccounts) != 1 {
 		t.Fatalf("Expected to have 1 account with name %v, but got %v: %v", expectedAccountName, len(gotAccounts), gotAccounts)
 	}
@@ -124,7 +124,7 @@
 	}
 
 	// Verify that idManager has both accounts
-	gotAccounts = wspr.idManager.AccountsMatching(security.PrincipalPattern(topLevelName + "/*"))
+	gotAccounts = wspr.idManager.AccountsMatching(security.BlessingPattern(topLevelName + "/*"))
 	if len(gotAccounts) != 2 {
 		t.Fatalf("Expected to have 2 accounts, but got %v: %v", len(gotAccounts), gotAccounts)
 	}