Suharsh Sivakumar | fb5cbb7 | 2014-08-27 13:14:22 -0700 | [diff] [blame] | 1 | package revocation |
| 2 | |
| 3 | import ( |
| 4 | "fmt" |
| 5 | "time" |
| 6 | |
Jiri Simsa | 519c507 | 2014-09-17 21:37:57 -0700 | [diff] [blame] | 7 | vsecurity "veyron.io/veyron/veyron/security" |
| 8 | "veyron.io/veyron/veyron/security/audit" |
Suharsh Sivakumar | fb5cbb7 | 2014-08-27 13:14:22 -0700 | [diff] [blame] | 9 | |
Jiri Simsa | 519c507 | 2014-09-17 21:37:57 -0700 | [diff] [blame] | 10 | "veyron.io/veyron/veyron2/security" |
Suharsh Sivakumar | fb5cbb7 | 2014-08-27 13:14:22 -0700 | [diff] [blame] | 11 | ) |
| 12 | |
// Bless creates a blessing on behalf of the identity server.
//
// server issues the blessing to blessee under the name email; duration and the
// caveats are passed through to server.Bless. When revocationCaveat is non-nil
// it is encoded with security.NewCaveat and placed at index 0 of the caveat
// list. That position is a contract with ReadBlessAuditEntry, which recovers
// the revocation caveat from the audit record by reading the first caveat, so
// it must not be changed independently. The caller's caveats slice is never
// modified; a fresh slice is built instead.
//
// Returns the error from security.NewCaveat if the revocation caveat cannot be
// encoded, otherwise whatever server.Bless returns.
func Bless(server security.PrivateID, blessee security.PublicID, email string, duration time.Duration, caveats []security.Caveat, revocationCaveat security.ThirdPartyCaveat) (security.PublicID, error) {
	// TODO(suharshs): Extend the duration for blessings with provided revocationCaveats.
	if revocationCaveat == nil {
		return server.Bless(blessee, email, duration, caveats)
	}
	encoded, err := security.NewCaveat(revocationCaveat)
	if err != nil {
		return nil, err
	}
	// New backing array: the revocation caveat goes first, then the caller's caveats.
	withRevocation := make([]security.Caveat, 0, len(caveats)+1)
	withRevocation = append(withRevocation, encoded)
	withRevocation = append(withRevocation, caveats...)
	return server.Bless(blessee, email, duration, withRevocation)
}
| 26 | |
// BlessingAuditEntry is the decoded form of an audit record for a Bless call,
// as produced by ReadBlessAuditEntry.
type BlessingAuditEntry struct {
	// Blessee is the identity that asked to be blessed (Bless's second argument);
	// Blessed is the blessing that Bless returned.
	Blessee, Blessed security.PublicID
	// Start is the audit entry's timestamp; End is Start plus the requested
	// duration, and stays zero if the duration could not be decoded.
	Start, End time.Time
	// RevocationCaveat is the third-party caveat Bless placed first in the caveat
	// list, or nil when no revocation caveat was recorded.
	RevocationCaveat security.ThirdPartyCaveat
}
| 32 | |
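// ReadBlessAuditEntry is for use in the googleauth.handler to parse the arguments to the Bless call in util.Bless.
//
// It rebuilds a BlessingAuditEntry from an audit.Entry recorded for a Bless
// call: Arguments[0] is the blessee, Arguments[2] the duration, Arguments[3]
// the caveat list, and Results[0] the issued blessing. Field decoding is
// best-effort: a value whose dynamic type is not the expected one leaves the
// corresponding field at its zero value rather than failing the whole entry,
// so callers that need a field must check it for nil / zero themselves.
//
// Returns an error when the entry has too few arguments or results to be a
// Bless record, or when the first caveat cannot be decoded by
// vsecurity.CaveatValidators.
func ReadBlessAuditEntry(entry audit.Entry) (BlessingAuditEntry, error) {
	var blessEntry BlessingAuditEntry

	// Bless takes four arguments and returns a blessing plus an error; anything
	// shorter cannot be a record of that call.
	if len(entry.Arguments) < 4 || len(entry.Results) < 1 {
		return blessEntry, fmt.Errorf("entry is invalid format")
	}

	blessEntry.Blessee, _ = entry.Arguments[0].(security.PublicID)
	blessEntry.Start = entry.Timestamp
	// Bless receives the duration as a time.Duration; accept that as well as a
	// raw int64 so End is not silently left zero depending on how the audit
	// layer recorded the argument.
	switch d := entry.Arguments[2].(type) {
	case int64:
		blessEntry.End = blessEntry.Start.Add(time.Duration(d))
	case time.Duration:
		blessEntry.End = blessEntry.Start.Add(d)
	}
	blessEntry.Blessed, _ = entry.Results[0].(security.PublicID)

	// Bless prepends the revocation caveat, so it is expected at caveats[0].
	// If the first caveat is not a ThirdPartyCaveat, RevocationCaveat stays nil.
	caveats, _ := entry.Arguments[3].([]security.Caveat)
	if len(caveats) > 0 {
		validators, err := vsecurity.CaveatValidators(caveats[0])
		if err != nil {
			return blessEntry, err
		}
		// Guard the index: an empty validator list returned without an error
		// would otherwise panic here.
		if len(validators) > 0 {
			blessEntry.RevocationCaveat, _ = validators[0].(security.ThirdPartyCaveat)
		}
	}
	return blessEntry, nil
}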