Commit ea876c59 authored by Sietse Ringers's avatar Sietse Ringers

Improve default requestor permission handling

parent 0c6d5606
......@@ -82,12 +82,9 @@ func setFlags(cmd *cobra.Command) error {
flags.Bool("noauth", false, "Whether or not to authenticate requestors")
flags.String("requestors", "", "Requestor configuration (in JSON)")
flags.StringSlice("disclosing", nil, "Comma-separated list of attributes that all requestors may verify")
flags.StringSlice("signing", nil, "Comma-separated list of attributes that all requestors may request in signatures")
flags.StringSlice("issuing", nil, "Comma-separated list of attributes that all requestors may issue")
flags.Lookup("disclosing").NoOptDefVal = "*"
flags.Lookup("signing").NoOptDefVal = "*"
flags.Lookup("issuing").NoOptDefVal = "*"
flags.StringSlice("disclose", []string{"*"}, "Comma-separated list of attributes that all requestors may verify")
flags.StringSlice("sign", []string{"*"}, "Comma-separated list of attributes that all requestors may request in signatures")
flags.StringSlice("issue", nil, "Comma-separated list of attributes that all requestors may issue")
flags.CountP("verbose", "v", "verbose (repeatable)")
flags.BoolP("quiet", "q", false, "quiet")
......@@ -166,9 +163,9 @@ func configure() error {
return errors.WrapPrefix(err, "Failed to unmarshal permissions from config file", 0)
}
}
handlePermission(&conf.GlobalPermissions.Disclosing, "disclosing") // Read flag or env var
handlePermission(&conf.GlobalPermissions.Signing, "signing")
handlePermission(&conf.GlobalPermissions.Issuing, "issuing")
conf.GlobalPermissions.Disclosing = handlePermission(conf.GlobalPermissions.Disclosing, "disclose")
conf.GlobalPermissions.Signing = handlePermission(conf.GlobalPermissions.Signing, "sign")
conf.GlobalPermissions.Issuing = handlePermission(conf.GlobalPermissions.Issuing, "issue")
// Handle requestors
if len(viper.GetStringMap("requestors")) > 0 { // First read config file
......@@ -190,14 +187,18 @@ func configure() error {
return nil
}
func handlePermission(conf *[]string, typ string) {
if viper.GetString(typ) == "*" {
*conf = []string{"*"}
}
func handlePermission(conf []string, typ string) []string {
perms := viper.GetStringSlice(typ)
if len(perms) > 0 {
*conf = perms
if len(perms) == 0 {
return conf
}
if perms[0] == "" {
perms = perms[1:]
}
if perms[len(perms)-1] == "" {
perms = perms[:len(perms)-1]
}
return perms
}
func localIP() (string, error) {
......
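Review bot: With `disclose` and `sign` now defaulting to `[]string{"*"}` in setFlags and handlePermission returning `perms` whenever `viper.GetStringSlice(typ)` is non-empty, a `permissions.disclose`/`permissions.sign` whitelist read from the config file earlier in configure() is likely overwritten by the wildcard even when the flag is never passed, because viper falls back to a bound pflag's default value — a restrictive config would silently become allow-all for every authenticated requestor. The flag/viper binding is not visible in these hunks, so please confirm; if it holds, consult `cmd.Flags().Changed(typ)` (or `viper.IsSet(typ)`) before letting the flag value replace the config-file value, and consider keeping the wildcard default only for the `--noauth` path whose fallback the conf.go hunk removes. Separately, the trimming in handlePermission indexes `perms[len(perms)-1]` after possibly stripping the only element, so a slice holding a single empty string (e.g. `disclose: [""]` in a config file) panics with index -1; `if len(perms) > 0 && perms[len(perms)-1] == "" {` or a loop that drops every empty entry avoids this. configure() begins before this section's second hunk; handlePermission's body is fully visible.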
......@@ -26,7 +26,7 @@ type Configuration struct {
Requestors map[string]Requestor `json:"requestors"`
// Disclosing, signing or issuance permissions that apply to all requestors
GlobalPermissionsString string `json:"-" mapstructure:"permissions"`
GlobalPermissions Permissions `json:"permissions"`
GlobalPermissions Permissions `json:"permissions" mapstructure:"permissions"`
// Used in the "iss" field of result JWTs from /result-jwt and /getproof
JwtIssuer string `json:"jwtissuer" mapstructure:"jwtissuer"`
// Private key to sign result JWTs with. If absent, /result-jwt and /getproof are disabled.
......@@ -40,9 +40,9 @@ type Configuration struct {
// Permissions specify which attributes or credential a requestor may verify or issue.
type Permissions struct {
Disclosing []string `json:"disclosing" mapstructure:"disclosing"`
Signing []string `json:"signing" mapstructure:"signing"`
Issuing []string `json:"issuing" mapstructure:"issuing"`
Disclosing []string `json:"disclose" mapstructure:"disclose"`
Signing []string `json:"sign" mapstructure:"sign"`
Issuing []string `json:"issue" mapstructure:"issue"`
}
// Requestor contains all configuration (disclosure or verification permissions and authentication)
......@@ -120,20 +120,6 @@ func (conf *Configuration) initialize() error {
if conf.DisableRequestorAuthentication {
conf.Logger.Warn("Authentication of incoming session requests disabled")
authenticators = map[AuthenticationMethod]Authenticator{AuthenticationMethodNone: NilAuthenticator{}}
// Leaving the global permission whitelists empty in this mode means enabling it for everyone
if len(conf.GlobalPermissions.Disclosing) == 0 {
conf.Logger.Info("No disclosing whitelist found: allowing verification of any attribute")
conf.GlobalPermissions.Disclosing = []string{"*"}
}
if len(conf.GlobalPermissions.Signing) == 0 {
conf.Logger.Info("No signing whitelist found: allowing attribute-based signature sessions with any attribute")
conf.GlobalPermissions.Signing = []string{"*"}
}
if len(conf.GlobalPermissions.Issuing) == 0 {
conf.Logger.Info("No issuance whitelist found: allowing issuance of any credential (for which private keys are installed)")
conf.GlobalPermissions.Issuing = []string{"*"}
}
} else {
authenticators = map[AuthenticationMethod]Authenticator{
AuthenticationMethodPublicKey: &PublicKeyAuthenticator{publickeys: map[string]*rsa.PublicKey{}},
......
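Review bot: `GlobalPermissionsString` still carries `mapstructure:"permissions"` while `GlobalPermissions` now gets the same key in the Configuration hunk, so if the struct is decoded with viper.Unmarshal/mapstructure (not visible here) the `permissions` value is fed into both fields and one decode fails on type — a map cannot populate a string and a string cannot populate `Permissions` — unless the decoder is configured to tolerate it; either drop the tag on the string field (`mapstructure:"-"`) or keep it as the sole mapstructure target and parse it as before. Also, removing the `--noauth` wildcard fallback in initialize() changes the library contract: a Configuration with DisableRequestorAuthentication and empty permission lists now grants nothing instead of everything, which is the safer direction but should be stated on the struct, e.g. `// Empty lists grant no permission; there is no implicit wildcard, even when authentication is disabled.` above GlobalPermissions. What an empty list means at enforcement time depends on the permission check, which lies outside these hunks.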