blob: d3da71224ce515d49f213d3d4df248418ad1fb70 [file] [log] [blame]
// Package caveat provides common security.Caveat implementations.
package caveat
import (
"fmt"
"time"
"veyron2/security"
"veyron2/vom"
)
// Expiry is a security.Caveat that restricts the validity period of
// the credential bearing this caveat.
type Expiry struct {
IssueTime time.Time
ExpiryTime time.Time
}
func (c *Expiry) Validate(context security.Context) error {
now := time.Now()
if now.Before(c.IssueTime) || now.After(c.ExpiryTime) {
return fmt.Errorf("%#v forbids credential from being used at this time(%v)", c, now)
}
return nil
}
// MethodRestriction is a security.Caveat that restricts the set of
// methods that can be invoked by a credential bearing the caveat.
// An empty set indicates that no methods can be invoked.
type MethodRestriction []string
func (c MethodRestriction) Validate(ctx security.Context) error {
// If the context has an empty Method then the caveat validates.
if ctx.Method() == "" {
return nil
}
for _, m := range c {
if m == ctx.Method() {
return nil
}
}
return fmt.Errorf("%#v forbids invocation of method %s", c, ctx.Method())
}
// PeerIdentity is a security.Caveat that restricts the bearer of a credential
// with this caveat from making or receiving RPCs to a limited set of peers -
// those whose identities match one of the provided security.PrincipalPatterns.
// An empty set indicates that no peers can be communicated with.
type PeerIdentity []security.PrincipalPattern
// Validate checks that the identity of the peer is present on the set of services
// identified by the PrincipalPatterns on the caveat.
func (c PeerIdentity) Validate(ctx security.Context) error {
for _, p := range c {
if ctx.LocalID() != nil && security.Matches(ctx.LocalID(), p) {
return nil
}
}
return fmt.Errorf("%#v forbids RPCing with peer %s", c, ctx.LocalID())
}
// NetworkType is a security.Caveat that restricts communication with the
// remote process to a particular network ("tcp", "udp", "bluetooth" etc.)
type NetworkType string
func (cav NetworkType) Validate(ctx security.Context) error {
if ctx.RemoteEndpoint().Addr().Network() == string(cav) {
return nil
}
return fmt.Errorf("required network type %q, got %q", cav, ctx.RemoteEndpoint().Addr().Network())
}
func init() {
vom.Register(Expiry{})
vom.Register(MethodRestriction(nil))
vom.Register(PeerIdentity(nil))
vom.Register(NetworkType(""))
}