c8f77178
Commit
c8f77178
authored
Jan 09, 2019
by
Sietse Ringers
Simplify global requestor permissions
parent
84fc9018
Changes
4
Gopkg.lock
...
...
@@ -324,12 +324,13 @@
version = "v1.0.0"
[[projects]]
digest = "1:de37e343c64582d7026bf8ab6ac5b22a72eac54f3a57020db31524affed9f423"
branch = "fix-isset"
digest = "1:f94a7aac3422a2ab6d6c86fd7e75ebf772784b2467c872e2d2ba0ce060ebf2ec"
name = "github.com/spf13/viper"
packages = ["."]
pruneopts = "UT"
revision = "6
d33b5a963d922d182c91e8a1c88d81fd150cfd
4"
version = "v1.3.1
"
revision = "6
c2a373fcd610e9ebefba8d50efb954706ec2f4
4"
source = "github.com/sietseringers/viper
"
[[projects]]
digest = "1:7e8d267900c7fa7f35129a2a37596e38ed0f11ca746d6d9ba727980ee138f9f6"
...
...
Gopkg.toml
...
...
@@ -48,6 +48,11 @@
name
=
"github.com/stretchr/testify"
version
=
"1.2.1"
[[constraint]]
name
=
"github.com/spf13/viper"
source
=
"github.com/sietseringers/viper"
branch
=
"fix-isset"
[[override]]
branch
=
"master"
name
=
"github.com/timshannon/bolthold"
...
...
@@ -55,7 +60,3 @@
[prune]
go-tests
=
true
unused-packages
=
true
[[constraint]]
name
=
"github.com/spf13/viper"
version
=
"1.3.1"
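Review bot: The new `[[constraint]]` for github.com/spf13/viper tracks a personal fork by a moving ref (`source = "github.com/sietseringers/viper"`, `branch = "fix-isset"`) instead of the upstream tag `1.3.1` it replaces, so although Gopkg.lock records revision `6c2a373fcd610e9ebefba8d50efb954706ec2f44` today, any `dep ensure -update` will pull whatever the fork's branch head is at that moment, with no review. Since this dependency now decides the permission default in irmad (handlePermission's `viper.IsSet` check), a silent change there is a fail-open risk rather than a cosmetic one. I would pin the constraint itself and say why the fork exists: replace the `branch` line with `revision = "6c2a373fcd610e9ebefba8d50efb954706ec2f44"` and add `# Temporary fork for the IsSet fix; drop once upstream ships it.` above the table. The branch name suggests the IsSet fix is the reason for the fork, but that is inferred, not stated in the commit.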
server/irmaserver/conf.go
...
...
@@ -18,6 +18,9 @@ import (
type
Configuration
struct
{
*
server
.
Configuration
`mapstructure:",squash"`
// Disclosing, signing or issuance permissions that apply to all requestors
Permissions
`mapstructure:",squash"`
// Whether or not incoming session requests should be authenticated. If false, anyone
// can submit session requests. If true, the request is first authenticated against the
// server configuration before the server accepts it.
...
...
@@ -47,10 +50,6 @@ type Configuration struct {
RequestorsString
string
`json:"-" mapstructure:"requestors"`
Requestors
map
[
string
]
Requestor
`json:"requestors"`
// Disclosing, signing or issuance permissions that apply to all requestors
GlobalPermissionsString
string
`json:"-" mapstructure:"permissions"`
GlobalPermissions
Permissions
`json:"permissions" mapstructure:"permissions"`
// Used in the "iss" field of result JWTs from /result-jwt and /getproof
JwtIssuer
string
`json:"jwtissuer" mapstructure:"jwtissuer"`
...
...
@@ -89,7 +88,7 @@ type Requestor struct {
// the identity provider is allowed to verify the attributes being verified; use CanVerifyOrSign
// for that).
func
(
conf
*
Configuration
)
CanIssue
(
requestor
string
,
creds
[]
*
irma
.
CredentialRequest
)
(
bool
,
string
)
{
permissions
:=
append
(
conf
.
Requestors
[
requestor
]
.
Issuing
,
conf
.
GlobalPermissions
.
Issuing
...
)
permissions
:=
append
(
conf
.
Requestors
[
requestor
]
.
Issuing
,
conf
.
Issuing
...
)
if
len
(
permissions
)
==
0
{
// requestor is not present in the permissions
return
false
,
""
}
...
...
@@ -115,11 +114,11 @@ func (conf *Configuration) CanVerifyOrSign(requestor string, action irma.Action,
var
permissions
[]
string
switch
action
{
case
irma
.
ActionDisclosing
:
permissions
=
append
(
conf
.
Requestors
[
requestor
]
.
Disclosing
,
conf
.
GlobalPermissions
.
Disclosing
...
)
permissions
=
append
(
conf
.
Requestors
[
requestor
]
.
Disclosing
,
conf
.
Disclosing
...
)
case
irma
.
ActionIssuing
:
permissions
=
append
(
conf
.
Requestors
[
requestor
]
.
Disclosing
,
conf
.
GlobalPermissions
.
Disclosing
...
)
permissions
=
append
(
conf
.
Requestors
[
requestor
]
.
Disclosing
,
conf
.
Disclosing
...
)
case
irma
.
ActionSigning
:
permissions
=
append
(
conf
.
Requestors
[
requestor
]
.
Signing
,
conf
.
GlobalPermissions
.
Signing
...
)
permissions
=
append
(
conf
.
Requestors
[
requestor
]
.
Signing
,
conf
.
Signing
...
)
}
if
len
(
permissions
)
==
0
{
// requestor is not present in the permissions
return
false
,
""
...
...
@@ -224,7 +223,7 @@ func (conf *Configuration) validatePermissions() error {
return
errors
.
New
(
"Requestors must not be configured when requestor authentication is disabled"
)
}
errs
:=
conf
.
validatePermissionSet
(
"Global"
,
conf
.
Global
Permissions
)
errs
:=
conf
.
validatePermissionSet
(
"Global"
,
conf
.
Permissions
)
for
name
,
requestor
:=
range
conf
.
Requestors
{
errs
=
append
(
errs
,
conf
.
validatePermissionSet
(
"Requestor "
+
name
,
requestor
.
Permissions
)
...
)
}
...
...
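Review bot: The rewritten merge lines in CanIssue (`permissions := append(conf.Requestors[requestor].Issuing, conf.Issuing...)`) and in each case of CanVerifyOrSign append onto a slice owned by the configuration map; if that slice ever has spare capacity (it is zero-length/nil only when built by JSON decoding, which is not guaranteed for every caller), the append writes the global permissions into its backing array, and two concurrent session checks would then race on the same storage. Building the union into a fresh slice avoids aliasing config state, e.g. `permissions := append(append([]string(nil), conf.Requestors[requestor].Issuing...), conf.Issuing...)`, and the same pattern for the Disclosing and Signing cases. The merged list also silently treats global and per-requestor permissions as a union; a one-line comment on the embedded `Permissions` field such as `// These are unioned with each Requestor's own Permissions, never overridden by them.` would make that contract explicit. Both CanIssue and CanVerifyOrSign continue past the hunk, and validatePermissionSet is not visible here, so whether it rejects an empty attribute string cannot be checked from this page.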
server/irmaserver/irmad/main.go
...
...
@@ -115,8 +115,8 @@ func setFlags(cmd *cobra.Command) error {
flags
.
Bool
(
"noauth"
,
false
,
"Whether or not to authenticate requestors"
)
flags
.
String
(
"requestors"
,
""
,
"Requestor configuration (in JSON)"
)
flags
.
StringSlice
(
"disclose"
,
nil
,
"Comma-separated list of attributes that all requestors may verify"
)
flags
.
StringSlice
(
"sign"
,
nil
,
"Comma-separated list of attributes that all requestors may request in signatures"
)
flags
.
StringSlice
(
"disclose"
,
nil
,
"Comma-separated list of attributes that all requestors may verify
(default *)
"
)
flags
.
StringSlice
(
"sign"
,
nil
,
"Comma-separated list of attributes that all requestors may request in signatures
(default *)
"
)
flags
.
StringSlice
(
"issue"
,
nil
,
"Comma-separated list of attributes that all requestors may issue"
)
flags
.
String
(
"tlscertificate"
,
""
,
"TLS certificate "
)
...
...
@@ -184,13 +184,17 @@ func configure(cmd *cobra.Command) error {
SchemeUpdateInterval
:
viper
.
GetInt
(
"schemeupdate"
),
Logger
:
logger
,
},
Permissions
:
irmaserver
.
Permissions
{
Disclosing
:
handlePermission
(
"disclose"
),
Signing
:
handlePermission
(
"sign"
),
Issuing
:
viper
.
GetStringSlice
(
"issue"
),
},
ListenAddress
:
viper
.
GetString
(
"listenaddr"
),
Port
:
viper
.
GetInt
(
"port"
),
ClientListenAddress
:
viper
.
GetString
(
"clientlistenaddr"
),
ClientPort
:
viper
.
GetInt
(
"clientport"
),
DisableRequestorAuthentication
:
viper
.
GetBool
(
"noauth"
),
Requestors
:
make
(
map
[
string
]
irmaserver
.
Requestor
),
GlobalPermissions
:
irmaserver
.
Permissions
{},
JwtIssuer
:
viper
.
GetString
(
"jwtissuer"
),
JwtPrivateKey
:
viper
.
GetString
(
"jwtprivatekey"
),
JwtPrivateKeyFile
:
viper
.
GetString
(
"jwtprivatekeyfile"
),
...
...
@@ -208,16 +212,6 @@ func configure(cmd *cobra.Command) error {
ClientTlsPrivateKeyFile
:
viper
.
GetString
(
"clienttlsprivatekeyfile"
),
}
// Handle global permissions
if
len
(
viper
.
GetStringMap
(
"permissions"
))
>
0
{
// First read config file
if
err
:=
viper
.
UnmarshalKey
(
"permissions"
,
&
conf
.
GlobalPermissions
);
err
!=
nil
{
return
errors
.
WrapPrefix
(
err
,
"Failed to unmarshal permissions from config file"
,
0
)
}
}
conf
.
GlobalPermissions
.
Disclosing
=
handlePermission
(
conf
.
GlobalPermissions
.
Disclosing
,
"disclose"
)
conf
.
GlobalPermissions
.
Signing
=
handlePermission
(
conf
.
GlobalPermissions
.
Signing
,
"sign"
)
conf
.
GlobalPermissions
.
Issuing
=
handlePermission
(
conf
.
GlobalPermissions
.
Issuing
,
"issue"
)
// Handle requestors
if
len
(
viper
.
GetStringMap
(
"requestors"
))
>
0
{
// First read config file
if
err
:=
viper
.
UnmarshalKey
(
"requestors"
,
&
conf
.
Requestors
);
err
!=
nil
{
...
...
@@ -236,16 +230,13 @@ func configure(cmd *cobra.Command) error {
return
nil
}
func
handlePermission
(
conf
[]
string
,
typ
string
)
[]
string
{
perms
:=
viper
.
GetStringSlice
(
typ
)
if
len
(
perms
)
==
0
{
return
conf
}
if
perms
[
0
]
==
""
{
perms
=
perms
[
1
:
]
func
handlePermission
(
typ
string
)
[]
string
{
if
!
viper
.
IsSet
(
typ
)
{
return
[]
string
{
"*"
}
}
if
perms
[
len
(
perms
)
-
1
]
==
""
{
perms
=
perms
[
:
len
(
perms
)
-
1
]
perms
:=
viper
.
GetStringSlice
(
typ
)
if
perms
==
nil
{
return
[]
string
{}
}
return
perms
}
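Review bot: The new handlePermission makes the permissive branch the default: when `viper.IsSet(typ)` is false it returns `[]string{"*"}`, so for `disclose` and `sign` any requestor may request any attribute unless an operator explicitly restricts it, and if the fork's IsSet ever reports false for a key that was in fact set (for example from a config file rather than a flag) the configured restriction is silently replaced by the wildcard rather than by an empty list; `issue` is the opposite, since it uses `viper.GetStringSlice("issue")` directly and defaults to nothing. That asymmetry and the fail-open direction deserve a doc comment on the function, for instance `// handlePermission returns the attribute list configured under typ via flag or config file. An unset key means the wildcard "*" (fully permissive); an explicitly empty list means no attributes. Depends on viper.IsSet distinguishing unset from empty.` It would also help operators to log a warning at startup when a wildcard default is in effect and `noauth` is true, since in that combination the new default means anyone can request disclosure or signature of any attribute; the old code's trimming of leading/trailing empty strings is gone too, so `--disclose ""` now yields a list containing one empty attribute id, which is probably harmless but should be confirmed against validatePermissionSet.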