Google Git
Sign in
vanadium / release.go.x.ref / 483a5f06d9bd822d7a5920a7084a04d2ed02aed1 / . / security / blessingroots.go
blob: ed4fc0a4df2573b58939c479b67e7cf6f5802e82 [file] [log] [blame]
Jiri Simsad7616c92015-03-24 23:44:30 -0700[diff] [blame]1// Copyright 2015 The Vanadium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Asim Shankarae8d4c52014-10-08 13:03:31 -0700[diff] [blame]5package security
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]6
7import (
Ankur1615a7d2014-10-09 11:58:02 -0700[diff] [blame]8 "bytes"
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]9 "errors"
Ankur1615a7d2014-10-09 11:58:02 -0700[diff] [blame]10 "fmt"
Asim Shankarf11b1bc2014-11-12 17:18:45 -0800[diff] [blame]11 "sort"
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]12 "sync"
13
Jiri Simsaffceefa2015-02-28 11:03:34 -0800[diff] [blame]14 "v.io/x/ref/security/serialization"
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]15
Jiri Simsa6ac95222015-02-23 16:11:49 -0800[diff] [blame]16 "v.io/v23/security"
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]17)
18
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]19// blessingRoots implements security.BlessingRoots.
20type blessingRoots struct {
gauthamt1e313bc2014-11-10 15:45:56 -0800[diff] [blame]21 persistedData SerializerReaderWriter
22 signer serialization.Signer
23 mu sync.RWMutex
24 store map[string][]security.BlessingPattern // GUARDED_BY(mu)
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]25}
26
27func storeMapKey(root security.PublicKey) (string, error) {
28 rootBytes, err := root.MarshalBinary()
29 if err != nil {
30 return "", err
31 }
Ankur1615a7d2014-10-09 11:58:02 -0700[diff] [blame]32 return string(rootBytes), nil
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]33}
34
35func (br *blessingRoots) Add(root security.PublicKey, pattern security.BlessingPattern) error {
36 key, err := storeMapKey(root)
37 if err != nil {
38 return err
39 }
40
41 br.mu.Lock()
42 defer br.mu.Unlock()
43 patterns := br.store[key]
44 for _, p := range patterns {
45 if p == pattern {
46 return nil
47 }
48 }
49 br.store[key] = append(patterns, pattern)
50
51 if err := br.save(); err != nil {
52 br.store[key] = patterns[:len(patterns)-1]
53 return err
54 }
55 return nil
56}
57
58func (br *blessingRoots) Recognized(root security.PublicKey, blessing string) error {
59 key, err := storeMapKey(root)
60 if err != nil {
61 return err
62 }
63
64 br.mu.RLock()
65 defer br.mu.RUnlock()
66 for _, p := range br.store[key] {
67 if p.MatchedBy(blessing) {
68 return nil
69 }
70 }
Asim Shankar3c134af2015-03-23 19:41:31 -0700[diff] [blame]71 return security.NewErrUnrecognizedRoot(nil, root.String(), nil)
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]72}
73
Ankur1615a7d2014-10-09 11:58:02 -0700[diff] [blame]74// DebugString return a human-readable string encoding of the roots
75// DebugString encodes all roots into a string in the following
76// format
77//
78// Public key : Pattern
Asim Shankarf11b1bc2014-11-12 17:18:45 -0800[diff] [blame]79// <public key> : <patterns>
Ankur1615a7d2014-10-09 11:58:02 -0700[diff] [blame]80// ...
Asim Shankarf11b1bc2014-11-12 17:18:45 -0800[diff] [blame]81// <public key> : <patterns>
Ankur1615a7d2014-10-09 11:58:02 -0700[diff] [blame]82func (br *blessingRoots) DebugString() string {
83 const format = "%-47s : %s\n"
84 b := bytes.NewBufferString(fmt.Sprintf(format, "Public key", "Pattern"))
Asim Shankarf11b1bc2014-11-12 17:18:45 -0800[diff] [blame]85 var s rootSorter
86 for keyBytes, patterns := range br.store {
Ankur1615a7d2014-10-09 11:58:02 -0700[diff] [blame]87 key, err := security.UnmarshalPublicKey([]byte(keyBytes))
88 if err != nil {
89 return fmt.Sprintf("failed to decode public key: %v", err)
90 }
Asim Shankarf11b1bc2014-11-12 17:18:45 -0800[diff] [blame]91 s = append(s, &root{key, fmt.Sprintf("%v", patterns)})
92 }
93 sort.Sort(s)
94 for _, r := range s {
95 b.WriteString(fmt.Sprintf(format, r.key, r.patterns))
Ankur1615a7d2014-10-09 11:58:02 -0700[diff] [blame]96 }
97 return b.String()
98}
99
Asim Shankarf11b1bc2014-11-12 17:18:45 -0800[diff] [blame]100type root struct {
101 key security.PublicKey
102 patterns string
103}
104
105type rootSorter []*root
106
107func (s rootSorter) Len() int { return len(s) }
108func (s rootSorter) Less(i, j int) bool { return s[i].patterns < s[j].patterns }
109func (s rootSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
110
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]111func (br *blessingRoots) save() error {
gauthamt1e313bc2014-11-10 15:45:56 -0800[diff] [blame]112 if (br.signer == nil) && (br.persistedData == nil) {
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]113 return nil
114 }
gauthamt1e313bc2014-11-10 15:45:56 -0800[diff] [blame]115 data, signature, err := br.persistedData.Writers()
116 if err != nil {
117 return err
118 }
119 return encodeAndStore(br.store, data, signature, br.signer)
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]120}
121
Ankur7c890592014-10-02 11:36:28 -0700[diff] [blame]122// newInMemoryBlessingRoots returns an in-memory security.BlessingRoots.
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]123//
124// The returned BlessingRoots is initialized with an empty set of keys.
Ankur7c890592014-10-02 11:36:28 -0700[diff] [blame]125func newInMemoryBlessingRoots() security.BlessingRoots {
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]126 return &blessingRoots{
127 store: make(map[string][]security.BlessingPattern),
128 }
129}
130
gauthamt1e313bc2014-11-10 15:45:56 -0800[diff] [blame]131// newPersistingBlessingRoots returns a security.BlessingRoots for a principal
132// that is initialized with the persisted data. The returned security.BlessingRoots
133// also persists any updates to its state.
134func newPersistingBlessingRoots(persistedData SerializerReaderWriter, signer serialization.Signer) (security.BlessingRoots, error) {
135 if persistedData == nil || signer == nil {
136 return nil, errors.New("persisted data or signer is not specified")
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]137 }
138 br := &blessingRoots{
gauthamt1e313bc2014-11-10 15:45:56 -0800[diff] [blame]139 store: make(map[string][]security.BlessingPattern),
140 persistedData: persistedData,
141 signer: signer,
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]142 }
gauthamt1e313bc2014-11-10 15:45:56 -0800[diff] [blame]143 data, signature, err := br.persistedData.Readers()
144 if err != nil {
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]145 return nil, err
146 }
gauthamt1e313bc2014-11-10 15:45:56 -0800[diff] [blame]147 if (data != nil) && (signature != nil) {
148 if err := decodeFromStorage(&br.store, data, signature, br.signer.PublicKey()); err != nil {
149 return nil, err
150 }
151 }
Ankur100eb272014-09-15 16:48:12 -0700[diff] [blame]152 return br, nil
153}