
Side by Side Diff: services/vanadium/security/conventions.go

Issue 1418013004: Principal Service: Add support for multiple user accounts (Closed) Base URL: https://github.com/domokit/mojo.git@master
Patch Set: Created 5 years, 1 month ago
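--- a/services/vanadium/security/conventions.go
+++ b/services/vanadium/security/conventions.go
@@ -0,0 +1,56 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package main
+
+import (
+"fmt"
+"strings"
+)
+
+const chainSeparator = "/"
+
+// TODO(ataly): This is a hack! We should implement the security.BlessingNames
+// function from the Vanadium API.
+func name(chain []certificate) string {
+if len(chain) == 0 {
+return ""
+}
+name := chain[0].Extension
+for i := 1; i < len(chain); i++ {
+name = name + chainSeparator + chain[i].Extension
+}
+return name
+}
+
+// emailFromBlessing returns the email address from a user
+// blessing chain in 'b', or nil if no such blessing chain exists.
+// This function relies on the Vanadium identity provider employing
+// the following convention for blessings returned in exchange for
+// OAuth2 tokens: All blessings must be of the form
+// dev.v.io/u/<OAuth2 ClientID>/<user email>.
+// See Also: https://godoc.org/v.io/v23/conventions
+// TODO(ataly): Import "v23/conventions" here rather than duplicating
+// the code.
+func emailFromBlessings(b *wireBlessings) (string, error) {
+var rejected []string
+for _, chain := range b.CertificateChains {
+n := name(chain)
+// n is valid OAuth2 token based blessing name iff
+// n is of the form "dev.v.io/u/<clientID>/<email>"
+parts := strings.Split(n, chainSeparator)
+if len(parts) < 4 {
+rejected = append(rejected, n)
+continue
+}
+if (parts[0] != "dev.v.io") || (parts[1] != "u") {
+rejected = append(rejected, n)
+continue
+}
+// We assume that parts[2] must be the OAuth2 ClientID of
+// this service, and parts[3] must be the user's email.
+return parts[3], nil
+}
+return "", fmt.Errorf("the set of blessings (%v) obtained from the Vanad ium identity provider does not contain any user blessing chain", rejected)
+}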
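Review bot: The client-ID segment is never checked against this service, so emailFromBlessings accepts a user blessing issued for any OAuth2 ClientID — the comment at line 51 says "We assume that parts[2] must be the OAuth2 ClientID of this service", but the code only validates parts[0] and parts[1]. An empty email segment (a name ending in the separator) also passes and returns `"", nil`; a guard `if parts[3] == "" { rejected = append(rejected, n); continue }` before the return would close that. If the client ID is knowable here, compare parts[2] to it as well, or state in the doc comment that the caller is responsible for that check; the doc comment also names the function emailFromBlessing and says it returns nil, while the code is emailFromBlessings returning a string and an error. The error string on line 55 renders as "Vanad ium" in this view; presumably a wrap artifact, but worth confirming it reads "Vanadium" in the source.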
