commit 5cec4b58c438bd98288aeb248bab2c1840713d21
author Sam Whited <sam@samwhited.com> Sun May 20 11:02:21 2018 -0500
committer Marcel van Lohuizen <mpvl@golang.org> Sun Jun 17 08:41:12 2018 +0000
tree cfb067f4c9d10f4472ead76f1c4b57d979ed2cf7
parent 5c1cf69b5978e5a34c5f9ba09a83e56acc4b7877

secure/precis: add ability to restrict profiles

Fixes golang/go#24885

Change-Id: I4d5e6c9279af9c3183aa71b4f4562209445af165
Reviewed-on: https://go-review.googlesource.com/113816
Reviewed-by: Marcel van Lohuizen <mpvl@golang.org>

secure/precis/enforce10.0.0_test.go

diff --git a/secure/precis/enforce10.0.0_test.go b/secure/precis/enforce10.0.0_test.go
index f224936..34da150 100644
--- a/secure/precis/enforce10.0.0_test.go
+++ b/secure/precis/enforce10.0.0_test.go
@@ -7,6 +7,9 @@
 package precis
 
 import (
+	"strings"
+
+	"golang.org/x/text/runes"
 	"golang.org/x/text/secure/bidirule"
 )
 
@@ -241,4 +244,10 @@
 		{"\u212B", "\u00c5", nil},    // Angstrom sign, NFC -> U+00E5
 		{"ẛ", "", errDisallowedRune}, // LATIN SMALL LETTER LONG S WITH DOT ABOVE
 	}},
+	{"UsernameCaseMappedRestricted", NewRestrictedProfile(UsernameCaseMapped, runes.Predicate(func(r rune) bool {
+		return strings.ContainsRune(`@`, r)
+	})), []testCase{
+		{"juliet@example.com", "", errDisallowedRune},
+		{"\u0049", "\u0069", nil},
+	}},
 }

secure/precis/enforce9.0.0_test.go

diff --git a/secure/precis/enforce9.0.0_test.go b/secure/precis/enforce9.0.0_test.go
index 298c8a9..ed5759c 100644
--- a/secure/precis/enforce9.0.0_test.go
+++ b/secure/precis/enforce9.0.0_test.go
@@ -241,4 +241,10 @@
 		{"\u212B", "\u00c5", nil},    // Angstrom sign, NFC -> U+00E5
 		{"ẛ", "", errDisallowedRune}, // LATIN SMALL LETTER LONG S WITH DOT ABOVE
 	}},
+	{"UsernameCaseMappedRestricted", NewRestrictedProfile(UsernameCaseMapped, runes.Predicate(func(r rune) bool {
+		return strings.ContainsRune(`@`, r)
+	})), []testCase{
+		{"juliet@example.com", "", errDisallowedRune},
+		{"\u0049", "\u0069", nil},
+	}},
 }

secure/precis/profile.go

diff --git a/secure/precis/profile.go b/secure/precis/profile.go
index 0419159..35bd6f0 100644
--- a/secure/precis/profile.go
+++ b/secure/precis/profile.go
@@ -52,6 +52,16 @@
 	}
 }
 
+// NewRestrictedProfile creates a new PRECIS profile based on an existing
+// profile.
+// If the parent profile already had the Disallow option set, the new rule
+// overrides the parents rule.
+func NewRestrictedProfile(parent *Profile, disallow runes.Set) *Profile {
+	p := *parent
+	Disallow(disallow)(&p.options)
+	return &p
+}
+
 // NewTransformer creates a new transform.Transformer that performs the PRECIS
 // preparation and enforcement steps on the given UTF-8 encoded bytes.
 func (p *Profile) NewTransformer() *Transformer {