Commit c8f77178 authored by Sietse Ringers's avatar Sietse Ringers

Simplify global requestor permissions

parent 84fc9018
......@@ -324,12 +324,13 @@
version = "v1.0.0"
[[projects]]
digest = "1:de37e343c64582d7026bf8ab6ac5b22a72eac54f3a57020db31524affed9f423"
branch = "fix-isset"
digest = "1:f94a7aac3422a2ab6d6c86fd7e75ebf772784b2467c872e2d2ba0ce060ebf2ec"
name = "github.com/spf13/viper"
packages = ["."]
pruneopts = "UT"
revision = "6d33b5a963d922d182c91e8a1c88d81fd150cfd4"
version = "v1.3.1"
revision = "6c2a373fcd610e9ebefba8d50efb954706ec2f44"
source = "github.com/sietseringers/viper"
[[projects]]
digest = "1:7e8d267900c7fa7f35129a2a37596e38ed0f11ca746d6d9ba727980ee138f9f6"
......
......@@ -48,6 +48,11 @@
name = "github.com/stretchr/testify"
version = "1.2.1"
[[constraint]]
name = "github.com/spf13/viper"
source = "github.com/sietseringers/viper"
branch = "fix-isset"
[[override]]
branch = "master"
name = "github.com/timshannon/bolthold"
......@@ -55,7 +60,3 @@
[prune]
go-tests = true
unused-packages = true
[[constraint]]
name = "github.com/spf13/viper"
version = "1.3.1"
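Review bot: The viper constraint now points at a personal fork on a mutable branch (`source = "github.com/sietseringers/viper"`, `branch = "fix-isset"`) with nothing in Gopkg.toml recording why. A one-line comment above the constraint, `# Fork of spf13/viper carrying the fix-isset branch; return to the upstream release once that fix ships`, would tell the next maintainer what to watch for. Gopkg.lock does pin a revision, so builds stay reproducible, but a branch constraint means a later dependency update follows whatever the fork's branch head has become, so a pinned upstream version remains the safer end state.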
......@@ -18,6 +18,9 @@ import (
type Configuration struct {
*server.Configuration `mapstructure:",squash"`
// Disclosing, signing or issuance permissions that apply to all requestors
Permissions `mapstructure:",squash"`
// Whether or not incoming session requests should be authenticated. If false, anyone
// can submit session requests. If true, the request is first authenticated against the
// server configuration before the server accepts it.
......@@ -47,10 +50,6 @@ type Configuration struct {
RequestorsString string `json:"-" mapstructure:"requestors"`
Requestors map[string]Requestor `json:"requestors"`
// Disclosing, signing or issuance permissions that apply to all requestors
GlobalPermissionsString string `json:"-" mapstructure:"permissions"`
GlobalPermissions Permissions `json:"permissions" mapstructure:"permissions"`
// Used in the "iss" field of result JWTs from /result-jwt and /getproof
JwtIssuer string `json:"jwtissuer" mapstructure:"jwtissuer"`
......@@ -89,7 +88,7 @@ type Requestor struct {
// the identity provider is allowed to verify the attributes being verified; use CanVerifyOrSign
// for that).
func (conf *Configuration) CanIssue(requestor string, creds []*irma.CredentialRequest) (bool, string) {
permissions := append(conf.Requestors[requestor].Issuing, conf.GlobalPermissions.Issuing...)
permissions := append(conf.Requestors[requestor].Issuing, conf.Issuing...)
if len(permissions) == 0 { // requestor is not present in the permissions
return false, ""
}
......@@ -115,11 +114,11 @@ func (conf *Configuration) CanVerifyOrSign(requestor string, action irma.Action,
var permissions []string
switch action {
case irma.ActionDisclosing:
permissions = append(conf.Requestors[requestor].Disclosing, conf.GlobalPermissions.Disclosing...)
permissions = append(conf.Requestors[requestor].Disclosing, conf.Disclosing...)
case irma.ActionIssuing:
permissions = append(conf.Requestors[requestor].Disclosing, conf.GlobalPermissions.Disclosing...)
permissions = append(conf.Requestors[requestor].Disclosing, conf.Disclosing...)
case irma.ActionSigning:
permissions = append(conf.Requestors[requestor].Signing, conf.GlobalPermissions.Signing...)
permissions = append(conf.Requestors[requestor].Signing, conf.Signing...)
}
if len(permissions) == 0 { // requestor is not present in the permissions
return false, ""
......@@ -224,7 +223,7 @@ func (conf *Configuration) validatePermissions() error {
return errors.New("Requestors must not be configured when requestor authentication is disabled")
}
errs := conf.validatePermissionSet("Global", conf.GlobalPermissions)
errs := conf.validatePermissionSet("Global", conf.Permissions)
for name, requestor := range conf.Requestors {
errs = append(errs, conf.validatePermissionSet("Requestor "+name, requestor.Permissions)...)
}
......
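Review bot: In the CanVerifyOrSign hunk the ActionIssuing case still draws on the Disclosing permissions (`permissions = append(conf.Requestors[requestor].Disclosing, conf.Disclosing...)`), byte-for-byte the same as the ActionDisclosing case, while issuance itself is gated by CanIssue. If that is intentional, a comment on the case such as `// An issuance session may also disclose attributes; those are checked against the Disclosing permissions, issuance itself is checked by CanIssue` would stop the next reader from treating it as a copy-paste slip. Separately, appending onto the requestor's own slice can write the global entries into that slice's spare capacity, so building the merged list in a fresh slice, `append(append([]string(nil), conf.Requestors[requestor].Disclosing...), conf.Disclosing...)`, keeps the per-requestor configuration untouched; the same applies to the CanIssue hunk. The enclosing function starts before the hunk.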
......@@ -115,8 +115,8 @@ func setFlags(cmd *cobra.Command) error {
flags.Bool("noauth", false, "Whether or not to authenticate requestors")
flags.String("requestors", "", "Requestor configuration (in JSON)")
flags.StringSlice("disclose", nil, "Comma-separated list of attributes that all requestors may verify")
flags.StringSlice("sign", nil, "Comma-separated list of attributes that all requestors may request in signatures")
flags.StringSlice("disclose", nil, "Comma-separated list of attributes that all requestors may verify (default *)")
flags.StringSlice("sign", nil, "Comma-separated list of attributes that all requestors may request in signatures (default *)")
flags.StringSlice("issue", nil, "Comma-separated list of attributes that all requestors may issue")
flags.String("tlscertificate", "", "TLS certificate ")
......@@ -184,13 +184,17 @@ func configure(cmd *cobra.Command) error {
SchemeUpdateInterval: viper.GetInt("schemeupdate"),
Logger: logger,
},
Permissions: irmaserver.Permissions{
Disclosing: handlePermission("disclose"),
Signing: handlePermission("sign"),
Issuing: viper.GetStringSlice("issue"),
},
ListenAddress: viper.GetString("listenaddr"),
Port: viper.GetInt("port"),
ClientListenAddress: viper.GetString("clientlistenaddr"),
ClientPort: viper.GetInt("clientport"),
DisableRequestorAuthentication: viper.GetBool("noauth"),
Requestors: make(map[string]irmaserver.Requestor),
GlobalPermissions: irmaserver.Permissions{},
JwtIssuer: viper.GetString("jwtissuer"),
JwtPrivateKey: viper.GetString("jwtprivatekey"),
JwtPrivateKeyFile: viper.GetString("jwtprivatekeyfile"),
......@@ -208,16 +212,6 @@ func configure(cmd *cobra.Command) error {
ClientTlsPrivateKeyFile: viper.GetString("clienttlsprivatekeyfile"),
}
// Handle global permissions
if len(viper.GetStringMap("permissions")) > 0 { // First read config file
if err := viper.UnmarshalKey("permissions", &conf.GlobalPermissions); err != nil {
return errors.WrapPrefix(err, "Failed to unmarshal permissions from config file", 0)
}
}
conf.GlobalPermissions.Disclosing = handlePermission(conf.GlobalPermissions.Disclosing, "disclose")
conf.GlobalPermissions.Signing = handlePermission(conf.GlobalPermissions.Signing, "sign")
conf.GlobalPermissions.Issuing = handlePermission(conf.GlobalPermissions.Issuing, "issue")
// Handle requestors
if len(viper.GetStringMap("requestors")) > 0 { // First read config file
if err := viper.UnmarshalKey("requestors", &conf.Requestors); err != nil {
......@@ -236,16 +230,13 @@ func configure(cmd *cobra.Command) error {
return nil
}
func handlePermission(conf []string, typ string) []string {
perms := viper.GetStringSlice(typ)
if len(perms) == 0 {
return conf
}
if perms[0] == "" {
perms = perms[1:]
func handlePermission(typ string) []string {
if !viper.IsSet(typ) {
return []string{"*"}
}
if perms[len(perms)-1] == "" {
perms = perms[:len(perms)-1]
perms := viper.GetStringSlice(typ)
if perms == nil {
return []string{}
}
return perms
}
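Review bot: handlePermission now returns `[]string{"*"}` whenever the `disclose` or `sign` key is unset, and the configure hunk no longer reads the `permissions` map from the config file, so a deployment whose config still carries a restrictive `permissions:` section would, as far as these hunks show, silently end up allowing every attribute. A transitional guard in configure, `if viper.IsSet("permissions") { return errors.New("the 'permissions' key has been replaced by top-level 'disclose', 'sign' and 'issue'") }`, would make that migration fail loudly instead of opening up. The new default also deserves a comment on handlePermission, e.g. `// An unset key grants every attribute ("*"); an explicitly empty value grants none.`, since the flag help strings are currently the only place it is stated. Whether some other code path unmarshals the whole config into Configuration, where the squash tag might still pick up the old key, is not visible here.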