Documentation
¶
Index ¶
- func JSONSerializer(keyring *api.KeyRing) ([]byte, error)
- func JSONUnserializer(b []byte) (*api.KeyRing, error)
- type APIKey
- type Account
- type AccountsLoader
- type Authenticator
- type Encapsulator
- type KeySpace
- type NamespaceInitializer
- type Options
- type Proxy
- type Serializer
- type Unencapsulator
- type Unserializer
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Account ¶
type Account struct {
// ID is the account identifier.
ID string
// Secret is the account secret. This is known by both the client and the server and is used for challenged-based authentication.
Secret string
// APIKeys defines a slice of keys used for API access. These keys are used
// primarily to limit access to specific clients without giving away the
// account secret.
APIKeys []*APIKey
// APINamespaces provides a basic map for permissions available to specific
// API keys.
APINamespaces map[string]string
}
type AccountsLoader ¶
type AccountsLoader func(uri string) (api.AccountHandler, error)
type Authenticator ¶
type Authenticator interface {
}
type Encapsulator ¶
Encapsulator is a type that specifies how multiple keys may be encapsulated in a Secret. Multiple encapsulators may be defined for distinct purposes. Only the ones used by KeyStar are defined herein.
type KeySpace ¶
func LoadKeySpace ¶
func LoadKeySpace(options *Options, loader NamespaceInitializer) (*KeySpace, error)
func (*KeySpace) GlobalNamespace ¶
type NamespaceInitializer ¶
type NamespaceInitializer func(*api.Namespace) (api.NamespaceHandler, error)
type Options ¶
type Options struct {
// BackendURI supplies a URI for configuring KeyStar's backend. This is always
// in the form of <protocol>://<host>:<port>/[?options...].
BackendURI string
// MasterKey is used as the default encryption/validation key pair for
// encrypting on-disk data. If provided, security can be further enhanced by
// enabling UseInternalKeys, which are then encrypted using this key pair.
MasterKey *api.CompositeKey
// ClientID for connecting to remote KeyStar instances. This may be your
// account or API identifier.
ClientID string
// ClientSecret for connecting to remote KeyStar instances. This is used by
// the challenge/response as a signing key.
ClientSecret string
// UseInternalKeys, if true, will generate a CompositeKey key pair for
// encrypting on-disk data. This feature cannot be enabled if MasterKey is
// nil.
UseInternalKeys bool
// Enables the internal cache to reduce file system access.
CacheEnabled bool
// CacheEntries to use, maximum, for the cache backing store.
CacheEntries int
// MultiUser enables multi-user occupancy for KeyStar. Enabling this feature
// also enables user namespaces and other features that require multi-user
// support. If this feature is disabled (default), KeyStar will run in
// single-occupancy mode where user namespaces, authentication, and
// authorization are disabled.
//
// Be aware that in single-occupancy mode, you must still configure a master
// account ID and secret pair at a minimum. API keys are still enabled and can
// be used to limit access to specific namespaces but still requires the
// master account ID plus the API key.
MultiUser bool
// MasterAccount is the primary account used to control, access, or configure
// KeyStar. This account is created either via the command `keystar init` or
// during prompts that appear during KeyStar's first run (which is effectively
// calling `keystar init`). The master account is also the only account that
// can be used in single-user occupancy.
MasterAccount Account
// DisableMasterAccount disables access to the master account in its entirety.
// This option is generally only used in multi-user mode and cannot be used in
// single-user mode without disabling authentication.
DisableMasterAccount bool
// DisableAuthentication turns off all accounting and user access. If true,
// this option also causes the HTTP API service to ignore any authentication
// headers and will cause the services to behave as if every request is
// performed by an authorized user. This option is read by both KeyStar and
// the KeyStar API service since both need to be aware of whether the
// authentication subsystem is enabled (or not).
DisableAuthentication bool
// Initializer replaces the backend initialization with the specified
// function. This is mostly useful for overriding pre-initialization
// configuration and returning special purpose backend handlers, such as via
// unit testing.
//
// Calling this will inhibit the loader from handling URI-defined engines.
Initializer func(*Options) (NamespaceInitializer, error)
}
Options provides configuration information for KeyStar. This may be configured directly or from a configuration file. The stock distribution provides a YAML-based configuration that is loaded by the API server, for example, which then populates this struct nad passes it into KeyStar.
type Proxy ¶
Proxy configures backend data structures using the loader provided. This is used internally by KeySpace for setting up the appropriately configured backend.
type Serializer ¶
Serializer is used by some backend storage types for persisting secret data. Currently, only the JSON serializer implements this interface. Other space-saving serializers may be implemented in the future. Serializer isn't used by all storage engines; in particular, backend that interface with databases or key storage may not necessarily use the serializer for storing key data. As an example, if we support SQLite-backed storage in the future, Serializer will not be used for that engine; however, Bolt and other key-value stores will.
type Unencapsulator ¶
Unencapsulator is a type that determines how a secret may be expanded into multiple keys. Unencapsulator returns a slice of keys that may then be consumed by composite key types to create more complicated relationships among keys.
type Unserializer ¶
Unserializer is used by some backend storage types for reading persisted secret data. Currently, only the JSON unserializers implement this interface. Other space-saving serializers may be implemented in the future.
See Serializer's doc string for more detailed discussion.
Source Files
Directories