Simplify global requestor permissions

c8f77178 · Sietse Ringers · 84fc9018 · c8f77178 · c8f77178 · c8f77178
Commit c8f77178 authored Jan 09, 2019 by Sietse Ringers
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -324,12 +324,13 @@
  version = "v1.0.0"

 [[projects]]
-  digest = "1:de37e343c64582d7026bf8ab6ac5b22a72eac54f3a57020db31524affed9f423"
+  branch = "fix-isset"
+  digest = "1:f94a7aac3422a2ab6d6c86fd7e75ebf772784b2467c872e2d2ba0ce060ebf2ec"
  name = "github.com/spf13/viper"
  packages = ["."]
  pruneopts = "UT"
-  revision = "6d33b5a963d922d182c91e8a1c88d81fd150cfd4"
-  version = "v1.3.1"
+  revision = "6c2a373fcd610e9ebefba8d50efb954706ec2f44"
+  source = "github.com/sietseringers/viper"

 [[projects]]
  digest = "1:7e8d267900c7fa7f35129a2a37596e38ed0f11ca746d6d9ba727980ee138f9f6"

--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -48,6 +48,11 @@
  name = "github.com/stretchr/testify"
  version = "1.2.1"

+[[constraint]]
+  name = "github.com/spf13/viper"
+  source = "github.com/sietseringers/viper"
+  branch = "fix-isset"
+
 [[override]]
  branch = "master"
  name = "github.com/timshannon/bolthold"
@@ -55,7 +60,3 @@
 [prune]
  go-tests = true
  unused-packages = true
-
-[[constraint]]
-  name = "github.com/spf13/viper"
-  version = "1.3.1"
--- a/server/irmaserver/conf.go
+++ b/server/irmaserver/conf.go
@@ -18,6 +18,9 @@ import (
 type Configuration struct {
 	*server.Configuration `mapstructure:",squash"`

+	// Disclosing, signing or issuance permissions that apply to all requestors
+	Permissions `mapstructure:",squash"`
+
 	// Whether or not incoming session requests should be authenticated. If false, anyone
 	// can submit session requests. If true, the request is first authenticated against the
 	// server configuration before the server accepts it.
@@ -47,10 +50,6 @@ type Configuration struct {
 	RequestorsString string               `json:"-" mapstructure:"requestors"`
 	Requestors       map[string]Requestor `json:"requestors"`

-	// Disclosing, signing or issuance permissions that apply to all requestors
-	GlobalPermissionsString string      `json:"-" mapstructure:"permissions"`
-	GlobalPermissions       Permissions `json:"permissions" mapstructure:"permissions"`
-
 	// Used in the "iss" field of result JWTs from /result-jwt and /getproof
 	JwtIssuer string `json:"jwtissuer" mapstructure:"jwtissuer"`

@@ -89,7 +88,7 @@ type Requestor struct {
 // the identity provider is allowed to verify the attributes being verified; use CanVerifyOrSign
 // for that).
 func (conf *Configuration) CanIssue(requestor string, creds []*irma.CredentialRequest) (bool, string) {
-	permissions := append(conf.Requestors[requestor].Issuing, conf.GlobalPermissions.Issuing...)
+	permissions := append(conf.Requestors[requestor].Issuing, conf.Issuing...)
 	if len(permissions) == 0 { // requestor is not present in the permissions
 		return false, ""
 	}
@@ -115,11 +114,11 @@ func (conf *Configuration) CanVerifyOrSign(requestor string, action irma.Action,
 	var permissions []string
 	switch action {
 	case irma.ActionDisclosing:
-		permissions = append(conf.Requestors[requestor].Disclosing, conf.GlobalPermissions.Disclosing...)
+		permissions = append(conf.Requestors[requestor].Disclosing, conf.Disclosing...)
 	case irma.ActionIssuing:
-		permissions = append(conf.Requestors[requestor].Disclosing, conf.GlobalPermissions.Disclosing...)
+		permissions = append(conf.Requestors[requestor].Disclosing, conf.Disclosing...)
 	case irma.ActionSigning:
-		permissions = append(conf.Requestors[requestor].Signing, conf.GlobalPermissions.Signing...)
+		permissions = append(conf.Requestors[requestor].Signing, conf.Signing...)
 	}
 	if len(permissions) == 0 { // requestor is not present in the permissions
 		return false, ""
@@ -224,7 +223,7 @@ func (conf *Configuration) validatePermissions() error {
 		return errors.New("Requestors must not be configured when requestor authentication is disabled")
 	}

-	errs := conf.validatePermissionSet("Global", conf.GlobalPermissions)
+	errs := conf.validatePermissionSet("Global", conf.Permissions)
 	for name, requestor := range conf.Requestors {
 		errs = append(errs, conf.validatePermissionSet("Requestor "+name, requestor.Permissions)...)
 	}

--- a/server/irmaserver/irmad/main.go
+++ b/server/irmaserver/irmad/main.go
@@ -115,8 +115,8 @@ func setFlags(cmd *cobra.Command) error {
 	flags.Bool("noauth", false, "Whether or not to authenticate requestors")
 	flags.String("requestors", "", "Requestor configuration (in JSON)")

-	flags.StringSlice("disclose", nil, "Comma-separated list of attributes that all requestors may verify")
-	flags.StringSlice("sign", nil, "Comma-separated list of attributes that all requestors may request in signatures")
+	flags.StringSlice("disclose", nil, "Comma-separated list of attributes that all requestors may verify (default *)")
+	flags.StringSlice("sign", nil, "Comma-separated list of attributes that all requestors may request in signatures (default *)")
 	flags.StringSlice("issue", nil, "Comma-separated list of attributes that all requestors may issue")

 	flags.String("tlscertificate", "", "TLS certificate ")
@@ -184,13 +184,17 @@ func configure(cmd *cobra.Command) error {
 			SchemeUpdateInterval:  viper.GetInt("schemeupdate"),
 			Logger:                logger,
 		},
+		Permissions: irmaserver.Permissions{
+			Disclosing: handlePermission("disclose"),
+			Signing:    handlePermission("sign"),
+			Issuing:    viper.GetStringSlice("issue"),
+		},
 		ListenAddress:                  viper.GetString("listenaddr"),
 		Port:                           viper.GetInt("port"),
 		ClientListenAddress:            viper.GetString("clientlistenaddr"),
 		ClientPort:                     viper.GetInt("clientport"),
 		DisableRequestorAuthentication: viper.GetBool("noauth"),
 		Requestors:                     make(map[string]irmaserver.Requestor),
-		GlobalPermissions:              irmaserver.Permissions{},
 		JwtIssuer:                      viper.GetString("jwtissuer"),
 		JwtPrivateKey:                  viper.GetString("jwtprivatekey"),
 		JwtPrivateKeyFile:              viper.GetString("jwtprivatekeyfile"),
@@ -208,16 +212,6 @@ func configure(cmd *cobra.Command) error {
 		ClientTlsPrivateKeyFile:  viper.GetString("clienttlsprivatekeyfile"),
 	}

-	// Handle global permissions
-	if len(viper.GetStringMap("permissions")) > 0 { // First read config file
-		if err := viper.UnmarshalKey("permissions", &conf.GlobalPermissions); err != nil {
-			return errors.WrapPrefix(err, "Failed to unmarshal permissions from config file", 0)
-		}
-	}
-	conf.GlobalPermissions.Disclosing = handlePermission(conf.GlobalPermissions.Disclosing, "disclose")
-	conf.GlobalPermissions.Signing = handlePermission(conf.GlobalPermissions.Signing, "sign")
-	conf.GlobalPermissions.Issuing = handlePermission(conf.GlobalPermissions.Issuing, "issue")
-
 	// Handle requestors
 	if len(viper.GetStringMap("requestors")) > 0 { // First read config file
 		if err := viper.UnmarshalKey("requestors", &conf.Requestors); err != nil {
@@ -236,16 +230,13 @@ func configure(cmd *cobra.Command) error {
 	return nil
 }

-func handlePermission(conf []string, typ string) []string {
-	perms := viper.GetStringSlice(typ)
-	if len(perms) == 0 {
-		return conf
-	}
-	if perms[0] == "" {
-		perms = perms[1:]
+func handlePermission(typ string) []string {
+	if !viper.IsSet(typ) {
+		return []string{"*"}
 	}
-	if perms[len(perms)-1] == "" {
-		perms = perms[:len(perms)-1]
+	perms := viper.GetStringSlice(typ)
+	if perms == nil {
+		return []string{}
 	}
 	return perms
 }