From c5e23466e7b9f814fd5ecc3a5d965bd1f1dd2987 Mon Sep 17 00:00:00 2001
From: "Joe Richey joerichey@google.com" <joerichey@google.com>
Date: Mon, 17 Jul 2017 12:15:20 -0700
Subject: actions: Protectors can directly unlock Policies

In addition to using callbacks, unlocked Protectors can now directly
unlock a policy. The error codes are updated to make more sense.
---
 actions/policy.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'actions/policy.go')

diff --git a/actions/policy.go b/actions/policy.go
index 0d0ed02..1291e6b 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -248,6 +248,27 @@ func (policy *Policy) Unlock(optionFn OptionFunc, keyFn KeyFunc) error {
 	return err
 }
 
+// UnlockWithProtector uses an unlocked Protector to unlock a policy. An error
+// is returned if the Protector is not yet unlocked or does not protect the
+// policy. Does nothing if policy is already unlocked.
+func (policy *Policy) UnlockWithProtector(protector *Protector) error {
+	if policy.key != nil {
+		return nil
+	}
+	if protector.key == nil {
+		return ErrLocked
+	}
+	idx, ok := policy.findWrappedKeyIndex(protector.Descriptor())
+	if !ok {
+		return ErrNotProtected
+	}
+
+	var err error
+	wrappedPolicyKey := policy.data.WrappedPolicyKeys[idx].WrappedKey
+	policy.key, err = crypto.Unwrap(protector.key, wrappedPolicyKey)
+	return err
+}
+
 // Lock wipes a Policy's internal Key. It should always be called after using a
 // Policy. This is often done with a defer statement. There is no effect if
 // called multiple times.
-- 
cgit v1.2.3