@warner
Created June 22, 2012 23:45
cert-chain processing
/**
 * Power held by a secondary authority: not restricted to any domain
 * (`domains: "all"` alongside `all: true`) and never expiring —
 * Number.MAX_VALUE serves as the "no expiration" sentinel.
 */
const secondaryPower = {
  all: true,
  domains: "all",
  expiration: Number.MAX_VALUE,
};
/**
 * Build the power of a primary authority (also used for IdP proxies):
 * restricted to exactly one domain, never expiring.
 *
 * @param {string} domain - the single domain this authority may vouch for
 * @returns {{all: boolean, domains: string[], expiration: number}} a fresh
 *   power object; the `domains` array is newly allocated on every call
 */
function makePrimaryPower(domain) {
  const domains = [domain];
  const expiration = Number.MAX_VALUE; // sentinel for "never expires"
  return { all: false, domains, expiration };
}
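/**
 * Walk a certificate chain and return the principal it ends in.
 *
 * Every cert except the last is a delegation: its `certParams.delegate`
 * can only narrow the power the chain carries. The power starts from
 * `initialPower`; a delegate with `all: true` leaves the current power
 * unchanged (it cannot widen what it was given), and a delegate with a
 * domain list intersects the allowed domains with that list. The final
 * cert must carry a `principal` (email only, for now) and no `delegate`,
 * and the principal's email domain must be allowed by the narrowed power.
 *
 * Fixes relative to the original: the delegation loop tested `i` instead
 * of `d` and therefore never ran (no delegation was ever enforced); the
 * final-cert check rejected certs *without* `.delegate` instead of those
 * with one; `power.domains == "all"` used loose equality, which is also
 * true for the one-element array `["all"]`.
 *
 * Note: `power.expiration` is folded in from each delegation's
 * `assertionParams.expiresAt` but is neither returned nor compared to the
 * current time here — the caller must check expiry separately. Domain
 * comparison is exact (case-sensitive); normalize before calling if needed.
 *
 * @param {{all: boolean, domains: (string[]|"all"), expiration: number}} initialPower
 *   power of the chain's root (see secondaryPower / makePrimaryPower); not mutated
 * @param {Array<{assertionParams: {expiresAt: number}, certParams: object}>} certParamsArray
 *   the chain in order, root delegation first, final cert last
 * @returns {object} the final cert's `certParams.principal`
 * @throws {Error} if the chain is empty or malformed, or the principal's
 *   domain is not allowed by the chain
 */
function evalChain(initialPower, certParamsArray) {
  if (!Array.isArray(certParamsArray) || certParamsArray.length === 0) {
    throw new Error("cert chain is empty");
  }
  // Work on a copy so the caller's power object is never mutated.
  const power = {
    all: initialPower.all,
    domains: initialPower.domains,
    expiration: initialPower.expiration,
  };

  const delegations = certParamsArray.slice(0, -1);
  for (const cert of delegations) {
    const ap = cert.assertionParams;
    const cp = cert.certParams;
    if (!ap || !cp) {
      throw new Error("non-final cert lacks .assertionParams or .certParams");
    }
    power.expiration = Math.min(power.expiration, ap.expiresAt);

    const delegate = cp.delegate;
    if (!delegate) {
      throw new Error("non-final cert lacks .delegate");
    }
    if (delegate.all) {
      // A delegate granting "everything" cannot widen the power it
      // received, so the current power carries through unchanged.
      continue;
    }
    power.all = false;
    if (!Array.isArray(delegate.domains)) {
      throw new Error("non-final cert .delegate lacks .domains");
    }
    if (power.domains === "all") {
      power.domains = delegate.domains.slice();
    } else {
      // intersection: power.domains *= delegate.domains
      power.domains = power.domains.filter(
        (domain) => delegate.domains.indexOf(domain) !== -1
      );
    }
  }

  const last = certParamsArray[certParamsArray.length - 1].certParams;
  if (!last) {
    throw new Error("final cert lacks .certParams");
  }
  // The final cert names a principal; it must not delegate any further.
  if (last.delegate) {
    throw new Error("final cert must not have .delegate");
  }
  if (!last.principal) {
    throw new Error("final cert lacks .principal");
  }
  if (!last.principal.email) {
    throw new Error("principals must be email for now");
  }
  const email = last.principal.email;
  if (email.indexOf("@") === -1) {
    throw new Error("principal email has no domain part");
  }
  // Everything after the last "@" is the domain the chain must allow.
  const domainFromEmail = email.replace(/^.*@/, "");

  // now, does this certchain allow this domain?
  const allowed =
    power.all ||
    power.domains === "all" ||
    power.domains.indexOf(domainFromEmail) !== -1;
  if (allowed) {
    return last.principal;
  }
  throw new Error("domain not allowed by cert chain");
}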