func createDomain() {
dt := template()
if dt.Config.DomainInfo.GetPolicyKeysPath() == "" {
options.Usage("Must supply a policy_keys_path in the domain configuration")
}
pwd := getKey("domain policy key password", "pass")
domain, err := tao.CreateDomain(*dt.Config, configPath(), pwd)
options.FailIf(err, "Can't create domain")
if domain.Config.DomainInfo.GetGuardType() == "Datalog" {
// Add any rules specified in the domain template.
for _, rule := range dt.DatalogRules {
err := domain.Guard.AddRule(rule)
options.FailIf(err, "Can't add rule to domain")
}
} else if domain.Config.DomainInfo.GetGuardType() == "ACLs" {
for _, rule := range dt.AclRules {
err := domain.Guard.AddRule(rule)
options.FailIf(err, "Can't add rule to domain")
}
}
err = domain.Save()
options.FailIf(err, "Can't save domain")
// Optionally, create a public cached domain.
if addr := *options.String["pub_domain_address"]; addr != "" {
net := *options.String["pub_domain_network"]
ttl := *options.Duration["pub_domain_ttl"]
_, err = domain.CreatePublicCachedDomain(net, addr, int64(ttl))
options.FailIf(err, "Can't create public cached domain")
}
}
func createDomain() (*tao.Domain, *x509.CertPool, error) {
var cfg tao.DomainConfig
d, err := ioutil.ReadFile(*configPath)
if err != nil {
return nil, nil, err
}
if err := proto.UnmarshalText(string(d), &cfg); err != nil {
return nil, nil, err
}
domain, err := tao.CreateDomain(cfg, *configPath, []byte(*domainPass))
if domain == nil {
log.Printf("domainserver: no domain path - %s, pass - %s, err - %s\n",
*configPath, *domainPass, err)
return nil, nil, err
} else if err != nil {
log.Printf("domainserver: Couldn't load the config path %s: %s\n",
*configPath, err)
return nil, nil, err
}
log.Printf("domainserver: Created domain\n")
err = domain_service.InitAcls(domain, *trustedEntitiesPath)
if err != nil {
return nil, nil, err
}
err = domain.Save()
if err != nil {
return nil, nil, err
}
certPool := x509.NewCertPool()
certPool.AddCert(domain.Keys.Cert)
return domain, certPool, nil
}
func makeTrivialDomain(configDir string) (*tao.Domain, error) {
var policyDomainConfig tao.DomainConfig
policyDomainConfig.SetDefaults()
policyDomainConfig.DomainInfo.GuardType = proto.String("AllowAll")
configPath := path.Join(configDir, "tao.config")
return tao.CreateDomain(policyDomainConfig, configPath, password)
}
func TestInitAcls(t *testing.T) {
if _, err := os.Stat("./tmpdir"); os.IsNotExist(err) {
err = os.Mkdir("./tmpdir", 0777)
if err != nil {
t.Fatal(err)
}
}
trustedEntities := TrustedEntities{
TrustedProgramTaoNames: []string{fmt.Sprintf("%v", programName)},
TrustedHostTaoNames: []string{fmt.Sprintf("%v", hostName)},
TrustedMachineInfos: []string{machineName}}
f, err := os.Create("./tmpdir/TrustedEntities")
if err != nil {
t.Fatal(err)
}
err = proto.MarshalText(f, &trustedEntities)
if err != nil {
t.Fatal(err)
}
err = f.Close()
if err != nil {
t.Fatal(err)
}
aclGuardType := "ACLs"
aclGuardPath := "acls"
cfg := tao.DomainConfig{
DomainInfo: &tao.DomainDetails{
GuardType: &aclGuardType},
AclGuardInfo: &tao.ACLGuardDetails{
SignedAclsPath: &aclGuardPath}}
domain, err := tao.CreateDomain(cfg, "./tmpdir/domain", []byte("xxx"))
if err != nil {
t.Fatal(err)
}
err = InitAcls(domain, "./tmpdir/TrustedEntities")
if err != nil {
t.Fatal(err)
}
machinePrin := auth.Prin{
Type: "MachineInfo",
KeyHash: auth.Str(machineName),
}
if !domain.Guard.IsAuthorized(*programName, "Execute", []string{}) ||
!domain.Guard.IsAuthorized(*hostName, "Host", []string{}) ||
!domain.Guard.IsAuthorized(machinePrin, "Root", []string{}) {
t.Fatal("Authorization checks fail")
}
err = os.RemoveAll("./tmpdir")
if err != nil {
t.Fatal(err)
}
}
func setUpDomain(t *testing.T) *tao.Domain {
var err error
if _, err = os.Stat("./tmpdir"); os.IsNotExist(err) {
err = os.Mkdir("./tmpdir", 0777)
if err != nil {
t.Fatal(err)
}
}
aclGuardType := "ACLs"
aclGuardPath := "acls"
cfg := tao.DomainConfig{
DomainInfo: &tao.DomainDetails{
GuardType: &aclGuardType},
AclGuardInfo: &tao.ACLGuardDetails{
SignedAclsPath: &aclGuardPath}}
domain, err := tao.CreateDomain(cfg, "./tmpdir/domain", []byte("xxx"))
if err != nil {
t.Fatal(err)
}
return domain
}