github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/diffscussions/reviews/acls-fix.diff (about) 1 #* 2 #* author: Tom Roeder 3 #* email: tmroeder@google.com 4 #* date: 2014-10-02T10:57:27-0700 5 #* 6 #- Fix ACLs to support Args subprincipals. 7 #- 8 #- This commit fixes the ACLs Guard support to work with Tao channel auth between 9 #- the client and server sides of the demo app. It adds authorization to the ACLs 10 #- for the Args() subprincipal in addition to the Program hash. 11 #- 12 #- 13 diff --git a/apps/tao_admin/main.go b/apps/tao_admin/main.go 14 index 7c89844..3b5b5fc 100644 15 --- a/apps/tao_admin/main.go 16 +++ b/apps/tao_admin/main.go 17 
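@@ -114,55 +114,67 @@ func main() {
 		fatalIf(err)
 	}
 
 	if *clear {
 		didWork = true
 		domain.Guard.Clear()
 		err := domain.Save()
 		fatalIf(err)
 	}
 	if *canExecute != "" {
 		path := *canExecute
 		prin := makeHostPrin(*host)
 		subprin := makeProgramSubPrin(path)
 		prog := prin.MakeSubprincipal(subprin)
 		fmt.Fprintf(noise, "Authorizing program to execute:\n"+
 			" path: %s\n"+
 			" host: %s\n"+
 			" name: %s\n", path, prin, subprin)
 		err := domain.Guard.Authorize(prog, "Execute", nil)
 		fatalIf(err)
+
+		// Also authorize a version with the path as an argument.
+		argsSubprin := auth.SubPrin{auth.PrinExt{Name: "Args", Arg: []auth.Term{auth.Str(path)}}}
+		progArgs := prog.MakeSubprincipal(argsSubprin)
+		err = domain.Guard.Authorize(progArgs, "Execute", nil)
+		fatalIf(err)
 		err = domain.Save()
 		fatalIf(err)
 		didWork = true
 	}
 	if *retractCanExecute != "" {
 		path := *retractCanExecute
 		prin := makeHostPrin(*host)
 		subprin := makeProgramSubPrin(path)
 		prog := prin.MakeSubprincipal(subprin)
 		fmt.Fprintf(noise, "Retracting program authorization to execute:\n"+
 			" path: %s\n"+
 			" host: %s\n"+
 			" name: %s\n", path, prin, subprin)
 		err := domain.Guard.Retract(prog, "Execute", nil)
 		fatalIf(err)
+
+		// Also retract a version with the path as an argument.
+		argsSubprin := auth.SubPrin{auth.PrinExt{Name: "Args", Arg: []auth.Term{auth.Str(path)}}}
+		progArgs := prog.MakeSubprincipal(argsSubprin)
+		err = domain.Guard.Retract(progArgs, "Execute", nil)
+		fatalIf(err)
 		didWork = true
 	}
 	if *add != "" {
 		fmt.Fprintf(noise, "Adding policy rule: %s\n", *add)
 		err := domain.Guard.AddRule(*add)
 		fatalIf(err)
 		err = domain.Save()
 		fatalIf(err)
 		didWork = true
 	}
 	if *retract != "" {
 		fmt.Fprintf(noise, "Retracting policy rule: %s\n", *retract)
 		err := domain.Guard.RetractRule(*retract)
 		fatalIf(err)
 		err = domain.Save()
 		fatalIf(err)
 		didWork = true
 	}
 	if *query != "" {
 		fmt.Fprintf(noise, "Querying policy guard: %s\n", *query)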
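Review bot: The retractCanExecute branch still persists nothing — after the new `err = domain.Guard.Retract(progArgs, "Execute", nil)` it sets `didWork = true` and falls through, whereas the canExecute, add and retract branches each end with `domain.Save()`; unless a save happens later in main (outside the hunk), a retracted execute authorization stays in the stored ACLs, which is the unsafe direction for a policy edit. Add `err = domain.Save()` and `fatalIf(err)` before `didWork = true`, mirroring the canExecute branch. The Args subprincipal literal is also built twice verbatim; a helper beside makeProgramSubPrin, e.g. `func makeArgsSubPrin(path string) auth.SubPrin { return auth.SubPrin{auth.PrinExt{Name: "Args", Arg: []auth.Term{auth.Str(path)}}} }`, keeps the authorize and retract sites from drifting apart. A comment on the first site that only an invocation whose sole argument is the path itself is covered, not other argument lists, would save the next reader a trip to the guard code. main starts and ends outside the hunk.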