Principal Service: Add support for multiple user accounts

services/vanadium/security/conventions.go

Index: services/vanadium/security/conventions.go
diff --git a/services/vanadium/security/conventions.go b/services/vanadium/security/conventions.go
new file mode 100644
index 0000000000000000000000000000000000000000..8f90018450288ef2de37daed5dbeff6dd129cad3
--- /dev/null
+++ b/services/vanadium/security/conventions.go
@@ -0,0 +1,49 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package main
+
+import (
+	"fmt"
+	"strings"
+)
+
+const chainSeparator = "/"

[ashankar, 2015/10/30 02:24:13]

Can't we use the constant defined in the mojom file?

[ataly, 2015/11/04 00:24:30]

I tried to do that but for some reason the constant was not in the go generated
code. There may be a bug in the go code generation.

[ashankar, 2015/11/04 00:37:10]

Add a TODO about this - we should be able to remove this at some point :)

[ataly, 2015/11/04 21:22:51]

Done.

+
+// TODO(ataly): This is a hack! We should implement the security.BlessingNames
+// function from the Vanadium API.

[ashankar, 2015/10/30 02:24:13]

Not for this CL, but now that the Vanadium code is public, can we consider
importing it and not duplicating these things?
And in the mean time, maybe just have a comment about how this is related to:
godoc.org/v.io/v23/conventions
?

[ataly, 2015/11/04 00:24:30]

Yes this is one of the things we need to do. Will get this done in a subsequent
CL.

+func name(chain []certificate) string {
+	if len(chain) == 0 {
+		return ""
+	}
+	name := chain[0].Extension
+	for i := 1; i < len(chain); i++ {
+		name = name + chainSeparator + chain[i].Extension
+	}
+	return name
+}
+
+// emailFromBlessing returns the email address from a user
+// blessing chain in 'b', or nil if no such blessing chain exists.
+func emailFromBlessings(b *wireBlessings) (string, error) {
+	var rejected []string
+	for _, chain := range b.CertificateChains {
+		n := name(chain)
+		// n is valid OAuth2 token based blessing name iff
+		// n is of the form "dev.v.io/u/<clientID>/<email>"
+		parts := strings.Split(n, chainSeparator)
+		if len(parts) != 4 {

[ashankar, 2015/10/30 02:24:13]

We don't want "==4", but >=4, right?
So:
if len(parts) < 4 {
  ...
}

[ataly, 2015/11/04 00:24:30]

Done.

+			rejected = append(rejected, n)
+			continue
+		}
+		if (parts[0] != "dev.v.io") || (parts[1] != "u") {

[ashankar, 2015/10/30 02:24:13]

Should we have a TODO about the notion of an identity provider? Or maybe make
this function return (identityProvider, username string, err error) instead?

[ataly, 2015/11/04 00:24:30]

I have a TODO about specifying the identity provider in the user struct in the
Mojom. As you suggested the right thing is to use the v23/conventions library
instead. I added a TODO to do that.

+			rejected = append(rejected, n)
+			continue
+		}
+		// We assume that parts[2] must be the OAuth2 ClientID of
+		// this service, and parts[3] must be the user's email.
+		return parts[3], nil
+	}
+	return "", fmt.Errorf("the set of blessings (%v) obtained from the Vanadium identity provider does not contain any user blessing chain", rejected)
+}