cryptodata

package
Published: Apr 2, 2019 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package cryptodata provides support for wrapping a key-value store with a crypto layer that automatically decrypts all data passing through it.

Index

Constants

This section is empty.

Variables

var DefaultPlugin = *NewPlugin()

DefaultPlugin is a default instance of Plugin.

Functions

This section is empty.

Types

type ArbitraryDecrypter

type ArbitraryDecrypter interface {
	// IsEncrypted checks if provided data are encrypted
	IsEncrypted(inData interface{}) bool
	// Decrypt processes input data and decrypts specific fields using decryptFunc
	Decrypt(inData interface{}, decryptFunc DecryptFunc) (data interface{}, err error)
}

ArbitraryDecrypter represents a decrypter that looks for encrypted values inside arbitrary data and returns the data with those values decrypted.

type BytesBrokerWrapper

type BytesBrokerWrapper struct {
	keyval.BytesBroker
	// contains filtered or unexported fields
}

BytesBrokerWrapper wraps keyval.BytesBroker with additional support for reading encrypted data.

func NewBytesBrokerWrapper

func NewBytesBrokerWrapper(pb keyval.BytesBroker, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *BytesBrokerWrapper

NewBytesBrokerWrapper creates a wrapper for the provided BytesBroker, adding support for decrypting encrypted data.

func (*BytesBrokerWrapper) GetValue

func (cbb *BytesBrokerWrapper) GetValue(key string) (data []byte, found bool, revision int64, err error)

GetValue retrieves one item under the provided key and tries to decrypt it.

func (*BytesBrokerWrapper) ListValues

func (cbb *BytesBrokerWrapper) ListValues(key string) (keyval.BytesKeyValIterator, error)

ListValues returns an iterator for traversing all items stored under the provided <key>.

type BytesKeyValIteratorWrapper

type BytesKeyValIteratorWrapper struct {
	keyval.BytesKeyValIterator
	// contains filtered or unexported fields
}

BytesKeyValIteratorWrapper wraps keyval.BytesKeyValIterator with additional support for reading encrypted data.

func (*BytesKeyValIteratorWrapper) GetNext

func (r *BytesKeyValIteratorWrapper) GetNext() (kv keyval.BytesKeyVal, stop bool)

GetNext retrieves the next item from the context. When there are no more items to get, <stop> is returned as *true* and <kv> is simply *nil*.

type BytesKeyValWrapper

type BytesKeyValWrapper struct {
	keyval.BytesKeyVal
	// contains filtered or unexported fields
}

BytesKeyValWrapper wraps keyval.BytesKeyVal with additional support for reading encrypted data.

func (*BytesKeyValWrapper) GetPrevValue

func (r *BytesKeyValWrapper) GetPrevValue() []byte

GetPrevValue returns the previous value of the pair.

func (*BytesKeyValWrapper) GetValue

func (r *BytesKeyValWrapper) GetValue() []byte

GetValue returns the value of the pair.

type BytesWatchRespWrapper

type BytesWatchRespWrapper struct {
	keyval.BytesWatchResp
	BytesKeyValWrapper
}

BytesWatchRespWrapper wraps keyval.BytesWatchResp with additional support for reading encrypted data.

func (*BytesWatchRespWrapper) GetPrevValue

func (r *BytesWatchRespWrapper) GetPrevValue() []byte

GetPrevValue returns the previous value of the pair.

func (*BytesWatchRespWrapper) GetValue

func (r *BytesWatchRespWrapper) GetValue() []byte

GetValue returns the value of the pair.

type BytesWatcherWrapper

type BytesWatcherWrapper struct {
	keyval.BytesWatcher
	// contains filtered or unexported fields
}

BytesWatcherWrapper wraps keyval.BytesWatcher with additional support for reading encrypted data.

func NewBytesWatcherWrapper

func NewBytesWatcherWrapper(pb keyval.BytesWatcher, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *BytesWatcherWrapper

NewBytesWatcherWrapper creates a wrapper for the provided BytesWatcher, adding support for decrypting encrypted data.

func (*BytesWatcherWrapper) Watch

func (b *BytesWatcherWrapper) Watch(respChan func(keyval.BytesWatchResp), closeChan chan string, keys ...string) error

Watch starts a subscription for changes associated with the selected keys. Watch events are delivered to the callback <respChan> (a function, not a channel). The channel <closeChan> can be used to stop watching the respective key.

type Client

type Client struct {
	ClientConfig
}

Client implements ClientAPI and embeds ClientConfig.

func NewClient

func NewClient(clientConfig ClientConfig) *Client

NewClient creates a new Client from the provided ClientConfig (private keys, reader and hash).

func (*Client) DecryptData

func (client *Client) DecryptData(inData []byte) (data []byte, err error)

DecryptData implements ClientAPI.DecryptData

func (*Client) EncryptData

func (client *Client) EncryptData(inData []byte, pub *rsa.PublicKey) (data []byte, err error)

EncryptData implements ClientAPI.EncryptData

func (*Client) WrapBytes

func (client *Client) WrapBytes(cbw keyval.KvBytesPlugin, decrypter ArbitraryDecrypter) keyval.KvBytesPlugin

WrapBytes implements ClientAPI.WrapBytes

func (*Client) WrapProto

func (client *Client) WrapProto(kvp keyval.KvProtoPlugin, decrypter ArbitraryDecrypter) keyval.KvProtoPlugin

WrapProto implements ClientAPI.WrapProto

type ClientAPI

type ClientAPI interface {
	// EncryptData encrypts input data using provided public key
	EncryptData(inData []byte, pub *rsa.PublicKey) (data []byte, err error)
	// DecryptData decrypts input data
	DecryptData(inData []byte) (data []byte, err error)
	// WrapBytes wraps kv bytes plugin with support for decrypting encrypted data in values
	WrapBytes(cbw keyval.KvBytesPlugin, decrypter ArbitraryDecrypter) keyval.KvBytesPlugin
	// WrapProto wraps kv proto plugin with support for decrypting encrypted data in values
	WrapProto(kvp keyval.KvProtoPlugin, decrypter ArbitraryDecrypter) keyval.KvProtoPlugin
}

ClientAPI handles encrypting/decrypting and wrapping data

type ClientConfig

type ClientConfig struct {
	// PrivateKeys are used to decrypt encrypted values while reading them from the store
	PrivateKeys []*rsa.PrivateKey
	// Reader is the source of randomness used for encrypting/decrypting; use crypto/rand.Reader
	Reader io.Reader
	// Hash is the hash function used while encrypting
	Hash hash.Hash
}

ClientConfig is the result of converting Config.PrivateKeyFiles into parsed rsa.PrivateKey values.

type Config

type Config struct {
	// PrivateKeyFiles lists PEM file paths from which rsa.PrivateKey values are created
	PrivateKeyFiles []string `json:"private-key-files"`
}

Config is used to read private keys from PEM files.
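Config only names the PEM files; the page does not show how they become the rsa.PrivateKey values in ClientConfig. The block below is an added example written for this page, not the package's own loader. ParseRSAPrivateKeyPEM, LoadPrivateKeys and WriteDemoKeys are hypothetical names, and the accepted encodings (PKCS#1 and PKCS#8) are an assumption. The loader fails closed: one unreadable, malformed or non-RSA file rejects the whole list rather than silently shrinking the set of keys that can decrypt the store.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Config copies the page's Config: PEM paths of the RSA private keys.
type Config struct {
	PrivateKeyFiles []string `json:"private-key-files"`
}

// ParseRSAPrivateKeyPEM accepts a PKCS#1 ("RSA PRIVATE KEY") or PKCS#8
// ("PRIVATE KEY") block and rejects anything that is not an RSA key.
// Assumption: the page does not say which PEM encodings the plugin reads.
func ParseRSAPrivateKeyPEM(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if rsaKey, ok := key.(*rsa.PrivateKey); ok {
			return rsaKey, nil
		}
		return nil, fmt.Errorf("PKCS#8 key is %T, not RSA", key)
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

// LoadPrivateKeys turns Config.PrivateKeyFiles into parsed keys in file order
// and fails closed on the first file that is unreadable, malformed or not RSA.
func LoadPrivateKeys(cfg Config) ([]*rsa.PrivateKey, error) {
	keys := make([]*rsa.PrivateKey, 0, len(cfg.PrivateKeyFiles))
	for _, path := range cfg.PrivateKeyFiles {
		data, err := os.ReadFile(path)
		if err != nil {
			return nil, err
		}
		key, err := ParseRSAPrivateKeyPEM(data)
		if err == nil {
			err = key.Validate()
		}
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		keys = append(keys, key)
	}
	return keys, nil
}

// WriteDemoKeys writes two constructed 2048-bit keys into dir, one per encoding,
// with owner-only permissions, and returns a Config naming them (test fixture).
func WriteDemoKeys(dir string) (Config, error) {
	k1, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return Config{}, err }
	k2, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return Config{}, err }
	der2, err := x509.MarshalPKCS8PrivateKey(k2)
	if err != nil { return Config{}, err }
	blocks := []*pem.Block{
		{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k1)},
		{Type: "PRIVATE KEY", Bytes: der2},
	}
	var cfg Config
	for i, block := range blocks {
		path := filepath.Join(dir, fmt.Sprintf("key%d.pem", i+1))
		if err := os.WriteFile(path, pem.EncodeToMemory(block), 0o600); err != nil {
			return Config{}, err
		}
		cfg.PrivateKeyFiles = append(cfg.PrivateKeyFiles, path)
	}
	return cfg, nil
}

func main() {
	dir, err := os.MkdirTemp("", "cryptodata-demo")
	if err != nil { panic(err) }
	defer os.RemoveAll(dir)
	cfg, err := WriteDemoKeys(dir)
	if err != nil { panic(err) }
	keys, err := LoadPrivateKeys(cfg)
	if err != nil { panic(err) }
	fmt.Printf("loaded %d RSA private keys from %v\n", len(keys), cfg.PrivateKeyFiles)
}
```

The order of PrivateKeyFiles is preserved in the returned slice, which matters if the client tries keys in order during a rotation; key.Validate() catches corrupted or hand-edited key material before it is ever used to decrypt store contents.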

type DecryptFunc

type DecryptFunc func(inData []byte) (data []byte, err error)

DecryptFunc is a function that decrypts input data.

type DecrypterJSON

type DecrypterJSON struct {
	// contains filtered or unexported fields
}

DecrypterJSON is an ArbitraryDecrypter implementation that can decrypt JSON values.

func NewDecrypterJSON

func NewDecrypterJSON() *DecrypterJSON

NewDecrypterJSON creates a new JSON decrypter whose Prefix defaults to `$crypto$`.

func (DecrypterJSON) Decrypt

func (d DecrypterJSON) Decrypt(object interface{}, decryptFunc DecryptFunc) (interface{}, error)

Decrypt tries to find encrypted values in the JSON data and decrypt them. It first calls IsEncrypted on the data to check whether it is marked as containing encrypted data. It then parses the data as JSON, looks up all string values that begin with Prefix, trims the prefix, base64-decodes the remainder and decrypts it with the provided decrypt function. This function accepts only []byte and returns []byte.

func (DecrypterJSON) IsEncrypted

func (d DecrypterJSON) IsEncrypted(object interface{}) bool

IsEncrypted checks whether the provided data is marked as encrypted: it unmarshals the JSON into EncryptionCheck and returns true only if the top-level `encrypted` field is true, so a record without that marker is not decrypted even if its values carry the prefix.

func (DecrypterJSON) SetPrefix

func (d DecrypterJSON) SetPrefix(prefix string)

SetPrefix sets the prefix a value must carry to be matched and decrypted. The method is declared on a value receiver, so whether a changed prefix is visible to later Decrypt calls depends on the unexported fields; verify with a test before relying on a non-default prefix.
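ClientAPI (EncryptData and DecryptData over the configured PrivateKeys) and DecrypterJSON (the `encrypted` marker, the `$crypto$` prefix, base64 ciphertext) together describe a complete read path. The block below is an added example implementing that path with the standard library only; it is not the package's code. Assumptions not on the page: RSA-OAEP with SHA-256 (the page fixes only RSA keys and a configurable hash), a key list tried in order so that a rotated-out key still decrypts old values, and the constructed record built by BuildDemoRecord. The Client, DecrypterJSON and NewDemoKey names mirror or extend the page's for readability but are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// DecryptFunc and EncryptionCheck copy the shapes documented on the page.
type DecryptFunc func(inData []byte) (data []byte, err error)
type EncryptionCheck struct {
	IsEncrypted bool `json:"encrypted"`
}

// Client stands in for the page's Client/ClientConfig. Assumption: RSA-OAEP with SHA-256.
type Client struct{ PrivateKeys []*rsa.PrivateKey }

func (c *Client) EncryptData(in []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, in, nil)
}

// DecryptData tries each configured key in order, so values written under a
// retired key stay readable while a key rotation is in progress.
func (c *Client) DecryptData(in []byte) ([]byte, error) {
	for _, key := range c.PrivateKeys {
		if out, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, in, nil); err == nil {
			return out, nil
		}
	}
	return nil, errors.New("no configured private key decrypts this value")
}

func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // constructed key

// DecrypterJSON implements the convention the page describes: a record marked
// {"encrypted": true} carries ciphertext as Prefix + base64 inside string values.
type DecrypterJSON struct{ Prefix string }

func (d DecrypterJSON) IsEncrypted(data []byte) bool {
	var check EncryptionCheck
	return json.Unmarshal(data, &check) == nil && check.IsEncrypted
}

// Decrypt passes unmarked records through untouched. In a marked record every
// prefixed string must decrypt; a failure is an error, never ciphertext returned as plaintext.
func (d DecrypterJSON) Decrypt(data []byte, decryptFunc DecryptFunc) ([]byte, error) {
	if !d.IsEncrypted(data) { return data, nil }
	var doc interface{}
	if err := json.Unmarshal(data, &doc); err != nil { return nil, err }
	out, err := d.walk(doc, decryptFunc)
	if err != nil { return nil, err }
	return json.Marshal(out)
}

// walk recurses through objects and arrays and rewrites prefixed strings in place.
func (d DecrypterJSON) walk(v interface{}, decryptFunc DecryptFunc) (interface{}, error) {
	var err error
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			if t[k], err = d.walk(child, decryptFunc); err != nil { return nil, fmt.Errorf("%s: %w", k, err) }
		}
	case []interface{}:
		for i, child := range t {
			if t[i], err = d.walk(child, decryptFunc); err != nil { return nil, err }
		}
	case string:
		if !strings.HasPrefix(t, d.Prefix) { return t, nil }
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(t, d.Prefix))
		if err != nil { return nil, err }
		plain, err := decryptFunc(raw)
		if err != nil { return nil, err }
		return string(plain), nil
	}
	return v, nil
}

// BuildDemoRecord constructs a marked sample record (not real store content) whose "password" is encrypted under pub.
func BuildDemoRecord(c *Client, pub *rsa.PublicKey, prefix, secret string) ([]byte, error) {
	ct, err := c.EncryptData([]byte(secret), pub)
	if err != nil { return nil, err }
	return json.Marshal(map[string]interface{}{
		"encrypted": true,
		"password":  prefix + base64.StdEncoding.EncodeToString(ct),
	})
}

func main() {
	key, err := NewDemoKey()
	if err != nil { panic(err) }
	c := &Client{PrivateKeys: []*rsa.PrivateKey{key}}
	rec, err := BuildDemoRecord(c, &key.PublicKey, "$crypto$", "s3cret")
	if err != nil { panic(err) }
	out, err := DecrypterJSON{Prefix: "$crypto$"}.Decrypt(rec, c.DecryptData)
	fmt.Println(string(out), err)
}
```

Two behaviours are worth noting. An unmarked record is returned byte-for-byte, so a value that merely happens to start with the prefix is never decoded. In a marked record a value that no configured key can decrypt surfaces as an error from the read, which is the behaviour you want from a store wrapper: a consumer should not receive base64 ciphertext where it expects a password.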

type DecrypterProto

type DecrypterProto struct {
	// contains filtered or unexported fields
}

DecrypterProto is an ArbitraryDecrypter implementation that can decrypt protobuf values.

func NewDecrypterProto

func NewDecrypterProto() *DecrypterProto

NewDecrypterProto creates a new protobuf decrypter with an empty mapping.

func (DecrypterProto) Decrypt

func (d DecrypterProto) Decrypt(object interface{}, decryptFunc DecryptFunc) (interface{}, error)

Decrypt tries to find encrypted values in protobuf data and decrypt them. It first calls IsEncrypted to check whether the message's type is registered. It then walks every path in the registered mapping, reflecting through the message's fields, and decrypts the string values the paths point to. This function accepts only proto.Message and returns proto.Message.

func (DecrypterProto) IsEncrypted

func (d DecrypterProto) IsEncrypted(object interface{}) bool

IsEncrypted reports whether the type of the provided message has a registered mapping.

func (DecrypterProto) RegisterMapping

func (d DecrypterProto) RegisterMapping(object proto.Message, paths ...[]string)

RegisterMapping registers a mapping from the type of the given proto.Message to the field paths used to reach its encrypted values; each path is a []string of nested field names.
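The mapping and path walk described for DecrypterProto can be shown on plain Go structs, since the reflection over nested field names is the same idea. The block below is an added example written for this page, not the package's code. Mapping, decryptPath, Sealer, Tunnel and Credentials are hypothetical names; the struct pointers stand in for generated proto.Message types; string leaves are assumed to hold base64 ciphertext; and the AES-GCM Sealer only stands in for Client.DecryptData so that the DecryptFunc has something real to call (the plugin itself is RSA-based). The page's IsEncrypted corresponds to a lookup in the Mapping.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"reflect"
)

type DecryptFunc func(inData []byte) (data []byte, err error)

// Mapping plays the role of DecrypterProto's registry: a message type (a struct
// pointer standing in for proto.Message) maps to the field paths whose string
// leaves hold base64 ciphertext. The page's IsEncrypted is a lookup in this map.
type Mapping map[reflect.Type][][]string

// Decrypt rewrites in place the string at the end of every path registered for
// object's type; an object of an unregistered type is returned untouched.
func (m Mapping) Decrypt(object interface{}, decryptFunc DecryptFunc) (interface{}, error) {
	for _, path := range m[reflect.TypeOf(object)] {
		if err := decryptPath(reflect.ValueOf(object), path, decryptFunc); err != nil {
			return nil, fmt.Errorf("%v: %w", path, err)
		}
	}
	return object, nil
}

// decryptPath descends through pointers and struct fields by name. A nil pointer on
// the way is an absent optional sub-message and is skipped; a leaf that is not a
// settable string, or a ciphertext that fails to decode or decrypt, is an error.
func decryptPath(v reflect.Value, path []string, decryptFunc DecryptFunc) error {
	for _, name := range path {
		for v.Kind() == reflect.Ptr {
			if v.IsNil() { return nil }
			v = v.Elem()
		}
		if v.Kind() != reflect.Struct || !v.FieldByName(name).IsValid() { return fmt.Errorf("no field %q", name) }
		v = v.FieldByName(name)
	}
	if v.Kind() != reflect.String || !v.CanSet() { return errors.New("leaf is not a settable string") }
	raw, err := base64.StdEncoding.DecodeString(v.String())
	if err != nil { return err }
	plain, err := decryptFunc(raw)
	if err != nil { return err }
	v.SetString(string(plain))
	return nil
}

// Credentials and Tunnel are constructed sample message types.
type Credentials struct{ Username, Password string }
type Tunnel struct {
	Auth  *Credentials
	Token string
}

// Sealer stands in for Client.DecryptData: AES-256-GCM under a random key. The
// plugin itself is RSA-based; only the DecryptFunc contract matters to the walk.
type Sealer struct{ aead cipher.AEAD }

func NewSealer() (*Sealer, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Sealer{aead: aead}, nil
}

// Decrypt expects nonce || ciphertext; GCM authentication turns tampering into an error.
func (s *Sealer) Decrypt(ct []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(ct) < n { return nil, errors.New("ciphertext too short") }
	return s.aead.Open(nil, ct[:n], ct[n:], nil)
}

// BuildDemoTunnel constructs a message whose Auth.Password and Token are sealed by s.
func BuildDemoTunnel(s *Sealer, password, token string) (*Tunnel, error) {
	seal := func(plain string) (string, error) {
		nonce := make([]byte, s.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil { return "", err }
		return base64.StdEncoding.EncodeToString(s.aead.Seal(nonce, nonce, []byte(plain), nil)), nil
	}
	pw, err := seal(password)
	if err != nil { return nil, err }
	tk, err := seal(token)
	if err != nil { return nil, err }
	return &Tunnel{Auth: &Credentials{Username: "admin", Password: pw}, Token: tk}, nil
}

func main() {
	s, err := NewSealer()
	if err != nil { panic(err) }
	tun, err := BuildDemoTunnel(s, "hunter2", "tok-123")
	if err != nil { panic(err) }
	m := Mapping{reflect.TypeOf(&Tunnel{}): {{"Auth", "Password"}, {"Token"}}}
	_, err = m.Decrypt(tun, s.Decrypt)
	fmt.Println(tun.Auth.Password, tun.Token, err)
}
```

Registering a path that ends on a non-string field (for example `{"Auth"}`) is rejected rather than ignored, and a path through an unset optional sub-message is skipped without a nil dereference; both are the cases a decrypter sitting in front of a watcher callback is most likely to hit on partially populated messages.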

type Deps

type Deps struct {
	infra.PluginDeps
}

Deps lists dependencies of the cryptodata plugin.

type EncryptionCheck

type EncryptionCheck struct {
	// IsEncrypted returns true if data was marked as encrypted
	IsEncrypted bool `json:"encrypted"`
}

EncryptionCheck is used to check whether data carries the encrypted marker.

type KvBytesPluginWrapper

type KvBytesPluginWrapper struct {
	keyval.KvBytesPlugin
	// contains filtered or unexported fields
}

KvBytesPluginWrapper wraps keyval.KvBytesPlugin with additional support for reading encrypted data.

func NewKvBytesPluginWrapper

func NewKvBytesPluginWrapper(cbw keyval.KvBytesPlugin, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *KvBytesPluginWrapper

NewKvBytesPluginWrapper creates a wrapper for the provided KvBytesPlugin, adding support for decrypting encrypted data.

func (*KvBytesPluginWrapper) NewBroker

func (cbw *KvBytesPluginWrapper) NewBroker(prefix string) keyval.BytesBroker

NewBroker returns a BytesBroker instance with support for decrypting values; it prepends the given <prefix> to all keys in its calls. To avoid using a prefix, pass the keyval.Root constant as the argument.

func (*KvBytesPluginWrapper) NewWatcher

func (cbw *KvBytesPluginWrapper) NewWatcher(prefix string) keyval.BytesWatcher

NewWatcher returns a BytesWatcher instance with support for decrypting values; it prepends the given <prefix> to all keys during the watch subscribe phase. The prefix is removed from the key retrieved by GetKey() in BytesWatchResp. To avoid using a prefix, pass the keyval.Root constant as the argument.

type KvProtoPluginWrapper

type KvProtoPluginWrapper struct {
	keyval.KvProtoPlugin
	// contains filtered or unexported fields
}

KvProtoPluginWrapper wraps keyval.KvProtoPlugin with additional support for reading encrypted data.

func NewKvProtoPluginWrapper

func NewKvProtoPluginWrapper(kvp keyval.KvProtoPlugin, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *KvProtoPluginWrapper

NewKvProtoPluginWrapper creates a wrapper for the provided KvProtoPlugin, adding support for decrypting encrypted data.

func (*KvProtoPluginWrapper) NewBroker

func (kvp *KvProtoPluginWrapper) NewBroker(prefix string) keyval.ProtoBroker

NewBroker returns a ProtoBroker instance with support for decrypting values; it prepends the given <prefix> to all keys in its calls. To avoid using a prefix, pass the keyval.Root constant as the argument.

func (*KvProtoPluginWrapper) NewWatcher

func (kvp *KvProtoPluginWrapper) NewWatcher(prefix string) keyval.ProtoWatcher

NewWatcher returns a ProtoWatcher instance with support for decrypting values; it prepends the given <prefix> to all keys during the watch subscribe phase. The prefix is removed from the key retrieved by GetKey() in ProtoWatchResp. To avoid using a prefix, pass the keyval.Root constant as the argument.

type Option

type Option func(*Plugin)

Option is a function that can be used in NewPlugin to customize Plugin.

func UseDeps

func UseDeps(cb func(*Deps)) Option

UseDeps returns Option that can inject custom dependencies.

type Plugin

type Plugin struct {
	Deps
	ClientAPI
	// contains filtered or unexported fields
}

Plugin implements cryptodata as a plugin.

func NewPlugin

func NewPlugin(opts ...Option) *Plugin

NewPlugin creates a new Plugin with the provided Options.

func (*Plugin) Close

func (p *Plugin) Close() error

Close closes cryptodata plugin.

func (*Plugin) Disabled

func (p *Plugin) Disabled() bool

Disabled returns *true* if the plugin is not in use due to missing configuration.

func (*Plugin) Init

func (p *Plugin) Init() (err error)

Init initializes cryptodata plugin.

type ProtoBrokerWrapper

type ProtoBrokerWrapper struct {
	keyval.ProtoBroker
	// contains filtered or unexported fields
}

ProtoBrokerWrapper wraps keyval.ProtoBroker with additional support for reading encrypted data.

func NewProtoBrokerWrapper

func NewProtoBrokerWrapper(pb keyval.ProtoBroker, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *ProtoBrokerWrapper

NewProtoBrokerWrapper creates a wrapper for the provided ProtoBroker, adding support for decrypting encrypted data.

func (*ProtoBrokerWrapper) GetValue

func (db *ProtoBrokerWrapper) GetValue(key string, reqObj proto.Message) (bool, int64, error)

GetValue retrieves one item under the provided <key>. If the item exists, it is unmarshaled into the <reqObj> and its fields are decrypted.

func (*ProtoBrokerWrapper) ListValues

func (db *ProtoBrokerWrapper) ListValues(key string) (keyval.ProtoKeyValIterator, error)

ListValues returns an iterator for traversing all items stored under the provided <key>.

type ProtoKeyValIteratorWrapper

type ProtoKeyValIteratorWrapper struct {
	keyval.ProtoKeyValIterator
	// contains filtered or unexported fields
}

ProtoKeyValIteratorWrapper wraps keyval.ProtoKeyValIterator with additional support for reading encrypted data.

func (*ProtoKeyValIteratorWrapper) GetNext

func (r *ProtoKeyValIteratorWrapper) GetNext() (kv keyval.ProtoKeyVal, stop bool)

GetNext retrieves the next item from the context. When there are no more items to get, <stop> is returned as *true* and <kv> is simply *nil*.

type ProtoKeyValWrapper

type ProtoKeyValWrapper struct {
	keyval.ProtoKeyVal
	// contains filtered or unexported fields
}

ProtoKeyValWrapper wraps keyval.ProtoKeyVal with additional support for reading encrypted data.

func (*ProtoKeyValWrapper) GetPrevValue

func (r *ProtoKeyValWrapper) GetPrevValue(prevValue proto.Message) (prevValueExist bool, err error)

GetPrevValue returns the previous value of the pair.

func (*ProtoKeyValWrapper) GetValue

func (r *ProtoKeyValWrapper) GetValue(value proto.Message) error

GetValue returns the value of the pair.

type ProtoWatchRespWrapper

type ProtoWatchRespWrapper struct {
	datasync.ProtoWatchResp
	ProtoKeyValWrapper
}

ProtoWatchRespWrapper wraps datasync.ProtoWatchResp with additional support for reading encrypted data.

func (*ProtoWatchRespWrapper) GetPrevValue

func (r *ProtoWatchRespWrapper) GetPrevValue(prevValue proto.Message) (prevValueExist bool, err error)

GetPrevValue returns the previous value of the pair.

func (*ProtoWatchRespWrapper) GetValue

func (r *ProtoWatchRespWrapper) GetValue(value proto.Message) error

GetValue returns the value of the pair.

type ProtoWatcherWrapper

type ProtoWatcherWrapper struct {
	keyval.ProtoWatcher
	// contains filtered or unexported fields
}

ProtoWatcherWrapper wraps keyval.ProtoWatcher with additional support for reading encrypted data.

func NewProtoWatcherWrapper

func NewProtoWatcherWrapper(pb keyval.ProtoWatcher, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *ProtoWatcherWrapper

NewProtoWatcherWrapper creates a wrapper for the provided ProtoWatcher, adding support for decrypting encrypted data.

func (*ProtoWatcherWrapper) Watch

func (b *ProtoWatcherWrapper) Watch(respChan func(datasync.ProtoWatchResp), closeChan chan string, keys ...string) error

Watch starts a subscription for changes associated with the selected keys. Watch events are delivered to the callback <respChan> (a function, not a channel). The channel <closeChan> can be used to stop watching the respective key.
