Commit
ea876c59
authored
Dec 21, 2018
by
Sietse Ringers
Improve default requestor permission handling
parent
0c6d5606
server/irmaserver/cmd/main.go
@@ -82,12 +82,9 @@ func setFlags(cmd *cobra.Command) error {
flags
.
Bool
(
"noauth"
,
false
,
"Whether or not to authenticate requestors"
)
flags
.
String
(
"requestors"
,
""
,
"Requestor configuration (in JSON)"
)
flags
.
StringSlice
(
"disclosing"
,
nil
,
"Comma-separated list of attributes that all requestors may verify"
)
flags
.
StringSlice
(
"signing"
,
nil
,
"Comma-separated list of attributes that all requestors may request in signatures"
)
flags
.
StringSlice
(
"issuing"
,
nil
,
"Comma-separated list of attributes that all requestors may issue"
)
flags
.
Lookup
(
"disclosing"
)
.
NoOptDefVal
=
"*"
flags
.
Lookup
(
"signing"
)
.
NoOptDefVal
=
"*"
flags
.
Lookup
(
"issuing"
)
.
NoOptDefVal
=
"*"
flags
.
StringSlice
(
"disclose"
,
[]
string
{
"*"
},
"Comma-separated list of attributes that all requestors may verify"
)
flags
.
StringSlice
(
"sign"
,
[]
string
{
"*"
},
"Comma-separated list of attributes that all requestors may request in signatures"
)
flags
.
StringSlice
(
"issue"
,
nil
,
"Comma-separated list of attributes that all requestors may issue"
)
flags
.
CountP
(
"verbose"
,
"v"
,
"verbose (repeatable)"
)
flags
.
BoolP
(
"quiet"
,
"q"
,
false
,
"quiet"
)
@@ -166,9 +163,9 @@ func configure() error {
return
errors
.
WrapPrefix
(
err
,
"Failed to unmarshal permissions from config file"
,
0
)
}
}
handlePermission
(
&
conf
.
GlobalPermissions
.
Disclosing
,
"disclos
ing"
)
// Read flag or env var
handlePermission
(
&
conf
.
GlobalPermissions
.
Signing
,
"sign
ing
"
)
handlePermission
(
&
conf
.
GlobalPermissions
.
Issuing
,
"issu
ing
"
)
conf
.
GlobalPermissions
.
Disclosing
=
handlePermission
(
conf
.
GlobalPermissions
.
Disclosing
,
"disclos
e"
)
conf
.
GlobalPermissions
.
Signing
=
handlePermission
(
conf
.
GlobalPermissions
.
Signing
,
"sign"
)
conf
.
GlobalPermissions
.
Issuing
=
handlePermission
(
conf
.
GlobalPermissions
.
Issuing
,
"issu
e
"
)
// Handle requestors
if
len
(
viper
.
GetStringMap
(
"requestors"
))
>
0
{
// First read config file
@@ -190,14 +187,18 @@ func configure() error {
return
nil
}
func
handlePermission
(
conf
*
[]
string
,
typ
string
)
{
if
viper
.
GetString
(
typ
)
==
"*"
{
*
conf
=
[]
string
{
"*"
}
}
func
handlePermission
(
conf
[]
string
,
typ
string
)
[]
string
{
perms
:=
viper
.
GetStringSlice
(
typ
)
if
len
(
perms
)
>
0
{
*
conf
=
perms
if
len
(
perms
)
==
0
{
return
conf
}
if
perms
[
0
]
==
""
{
perms
=
perms
[
1
:
]
}
if
perms
[
len
(
perms
)
-
1
]
==
""
{
perms
=
perms
[
:
len
(
perms
)
-
1
]
}
return
perms
}
func
localIP
()
(
string
,
error
)
{
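Review bot: The new handlePermission panics on a value that is a single empty string (for example `--disclose ""`, or the corresponding env var set but empty): after `perms = perms[1:]` the slice is empty and the next statement evaluates `perms[len(perms)-1]`, an index of -1. Guard the trailing check with `if len(perms) > 0 && perms[len(perms)-1] == "" {` so an explicitly empty value becomes an intentional "permit nothing" list instead of a crash. Separately, since `disclose` and `sign` now carry the flag default `[]string{"*"}`, viper presumably returns that default whenever the top-level key is unset, in which case the `conf` argument loaded from the config file's nested permissions block is replaced by the permissive wildcard even though the operator never passed the flag; this depends on how the flags are bound to viper and is worth confirming, and documenting above handlePermission with `// The flag/env value for typ, when present, takes precedence over conf (the config-file value).`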
server/irmaserver/conf.go
@@ -26,7 +26,7 @@ type Configuration struct {
Requestors
map
[
string
]
Requestor
`json:"requestors"`
// Disclosing, signing or issuance permissions that apply to all requestors
GlobalPermissionsString
string
`json:"-" mapstructure:"permissions"`
GlobalPermissions
Permissions
`json:"permissions"`
GlobalPermissions
Permissions
`json:"permissions"
mapstructure:"permissions"
`
// Used in the "iss" field of result JWTs from /result-jwt and /getproof
JwtIssuer
string
`json:"jwtissuer" mapstructure:"jwtissuer"`
// Private key to sign result JWTs with. If absent, /result-jwt and /getproof are disabled.
@@ -40,9 +40,9 @@ type Configuration struct {
// Permissions specify which attributes or credential a requestor may verify or issue.
type
Permissions
struct
{
Disclosing
[]
string
`json:"disclos
ing
" mapstructure:"disclos
ing
"`
Signing
[]
string
`json:"sign
ing
" mapstructure:"sign
ing
"`
Issuing
[]
string
`json:"issu
ing
" mapstructure:"issu
ing
"`
Disclosing
[]
string
`json:"disclos
e
" mapstructure:"disclos
e
"`
Signing
[]
string
`json:"sign" mapstructure:"sign"`
Issuing
[]
string
`json:"issu
e
" mapstructure:"issu
e
"`
}
// Requestor contains all configuration (disclosure or verification permissions and authentication)
@@ -120,20 +120,6 @@ func (conf *Configuration) initialize() error {
if
conf
.
DisableRequestorAuthentication
{
conf
.
Logger
.
Warn
(
"Authentication of incoming session requests disabled"
)
authenticators
=
map
[
AuthenticationMethod
]
Authenticator
{
AuthenticationMethodNone
:
NilAuthenticator
{}}
// Leaving the global permission whitelists empty in this mode means enabling it for everyone
if
len
(
conf
.
GlobalPermissions
.
Disclosing
)
==
0
{
conf
.
Logger
.
Info
(
"No disclosing whitelist found: allowing verification of any attribute"
)
conf
.
GlobalPermissions
.
Disclosing
=
[]
string
{
"*"
}
}
if
len
(
conf
.
GlobalPermissions
.
Signing
)
==
0
{
conf
.
Logger
.
Info
(
"No signing whitelist found: allowing attribute-based signature sessions with any attribute"
)
conf
.
GlobalPermissions
.
Signing
=
[]
string
{
"*"
}
}
if
len
(
conf
.
GlobalPermissions
.
Issuing
)
==
0
{
conf
.
Logger
.
Info
(
"No issuance whitelist found: allowing issuance of any credential (for which private keys are installed)"
)
conf
.
GlobalPermissions
.
Issuing
=
[]
string
{
"*"
}
}
}
else
{
authenticators
=
map
[
AuthenticationMethod
]
Authenticator
{
AuthenticationMethodPublicKey
:
&
PublicKeyAuthenticator
{
publickeys
:
map
[
string
]
*
rsa
.
PublicKey
{}},
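Review bot: Renaming the tags to `disclose`, `sign` and `issue` means a config file still using `disclosing`/`signing`/`issuing` is presumably decoded by mapstructure with those keys ignored and no error, leaving the corresponding GlobalPermissions list empty; with the fallback-to-`"*"` block removed from initialize(), that is fail-closed but entirely silent for an operator whose requestors suddenly lose all permissions. Consider an Info log in initialize() when a GlobalPermissions list is empty, and extend the Permissions doc comment so the semantics are stated where the type lives: `// An empty list permits nothing; the single entry "*" permits everything.` and `// Defaults are applied by the command-line flags, not by this package.` initialize() continues outside the hunk.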