Principal Service: Add support for multiple user accounts

services/vanadium/security/conventions.go

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package main
+
+import (
+        "fmt"
+        "strings"
+)
+
+const chainSeparator = "/"

[ashankar, 2015/10/30 02:24:13]

Can't we use the constant defined in the mojom file?

[ataly, 2015/11/04 00:24:30]

I tried to do that but for some reason the constant was not in the go generated
code. There may be a bug in the go code generation.

[ashankar, 2015/11/04 00:37:10]

Add a TODO about this - we should be able to remove this at some point :)

[ataly, 2015/11/04 21:22:51]

Done.

+
+// TODO(ataly): This is a hack! We should implement the security.BlessingNames
+// function from the Vanadium API.

[ashankar, 2015/10/30 02:24:13]

Not for this CL, but now that the Vanadium code is public, can we consider
importing it and not duplicating these things?
And in the mean time, maybe just have a comment about how this is related to:
godoc.org/v.io/v23/conventions
?

[ataly, 2015/11/04 00:24:30]

Yes this is one of the things we need to do. Will get this done in a subsequent
CL.

+func name(chain []certificate) string {
+        if len(chain) == 0 {
+                return ""
+        }
+        name := chain[0].Extension
+        for i := 1; i < len(chain); i++ {
+                name = name + chainSeparator + chain[i].Extension
+        }
+        return name
+}
+
+// emailFromBlessing returns the email address from a user
+// blessing chain in 'b', or nil if no such blessing chain exists.
+func emailFromBlessings(b *wireBlessings) (string, error) {
+        var rejected []string
+        for _, chain := range b.CertificateChains {
+                n := name(chain)
+                // n is valid OAuth2 token based blessing name iff
+                // n is of the form "dev.v.io/u/<clientID>/<email>"
+                parts := strings.Split(n, chainSeparator)
+                if len(parts) != 4 {

[ashankar, 2015/10/30 02:24:13]

We don't want "==4", but >=4, right?
So:
if len(parts) < 4 {
  ...
}

[ataly, 2015/11/04 00:24:30]

Done.

+                        rejected = append(rejected, n)
+                        continue
+                }
+                if (parts[0] != "dev.v.io") || (parts[1] != "u") {

[ashankar, 2015/10/30 02:24:13]

Should we have a TODO about the notion of an identity provider? Or maybe make
this function return (identityProvider, username string, err error) instead?

[ataly, 2015/11/04 00:24:30]

I have a TODO about specifying the identity provider in the user struct in the
Mojom. As you suggested the right thing is to use the v23/conventions library
instead. I added a TODO to do that.

+                        rejected = append(rejected, n)
+                        continue
+                }
+                // We assume that parts[2] must be the OAuth2 ClientID of
+                // this service, and parts[3] must be the user's email.
+                return parts[3], nil
+        }
+        return "", fmt.Errorf("the set of blessings (%v) obtained from the Vanadium identity provider does not contain any user blessing chain", rejected)
+}