Documentation
Overview
cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany. This source code is licensed under GPL version 3, which can be found in the LICENSE file.
Index
- Constants
- Variables
- func ValidateUUID(in string) error
- type AliveMessage
- type DB
- func (db *DB) Erase(uuid string) error
- func (db *DB) GetByID(id string) (rec Record, found bool)
- func (db *DB) GetByUUID(uuid string) (rec Record, found bool)
- func (db *DB) List() (sortedRecords RecordSlice)
- func (db *DB) ReadRecord(absPath string) (keyRecord Record, err error)
- func (db *DB) ReloadDB() error
- func (db *DB) ReloadRecord(uuid string) error
- func (db *DB) Select(aliveMessage AliveMessage, checkMaxActive bool, uuids ...string) (found map[string]Record, rejected, missing []string)
- func (db *DB) UpdateAliveMessage(latest AliveMessage, uuids ...string) (rejected []string)
- func (db *DB) UpdateCommandResult(uuid, ip string, content interface{}, result string)
- func (db *DB) UpdateSeenFlag(uuid, ip string, content interface{})
- func (db *DB) UpgradeRecord(record Record) error
- func (db *DB) UpgradeRecordToVersion1(record Record) error
- func (db *DB) Upsert(rec Record) (kmipID string, err error)
- type PendingCommand
- type Record
- func (rec *Record) AddPendingCommand(ip string, cmd PendingCommand)
- func (rec *Record) ClearPendingCommands()
- func (rec *Record) Deserialise(in []byte) error
- func (rec *Record) FillBlanks()
- func (rec *Record) FormatAttrs(separator string) string
- func (rec *Record) GetMountOptionStr() string
- func (rec *Record) IsHostAlive(hostIP string) (alive bool, finalMessage AliveMessage)
- func (rec *Record) RemoveDeadHosts() (deadFinalMessage map[string]AliveMessage)
- func (rec *Record) RemoveExpiredPendingCommands()
- func (rec *Record) Serialise() []byte
- func (rec *Record) UpdateAliveMessage(latestBeat AliveMessage) bool
- func (rec *Record) UpdateLastRetrieval(latestBeat AliveMessage, checkMaxActive bool) (updateOK bool, deadFinalMessage map[string]AliveMessage)
- func (rec *Record) Validate() error
- type RecordSlice
Constants
const (
	DB_DIR_FILE_MODE = 0700
	DB_REC_FILE_MODE = 0600
)
const (
	// CurrentRecordVersion is the version of new database records to be created by cryptctl.
	CurrentRecordVersion = 2
)
Variables
var RegexUUID = regexp.MustCompile("^[a-zA-Z0-9-]+$") // RegexUUID matches characters that are allowed in a UUID
Functions
func ValidateUUID
func ValidateUUID(in string) error
ValidateUUID returns an error only if the input string is empty or contains characters not permitted by RegexUUID.
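The following is an added example, not cryptctl's own code: it re-implements the documented contract of ValidateUUID using the RegexUUID character class listed above, and shows why the check matters for a database whose records are stored as files. The record-file naming scheme (`<dir>/<UUID>`) and the directory path are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
)

// regexUUID uses the same character class as the page's RegexUUID.
var regexUUID = regexp.MustCompile("^[a-zA-Z0-9-]+$")

// validateUUID mirrors the documented contract of keydb.ValidateUUID: an error
// only for an empty string or for characters outside the allowed set.
// (Re-implemented here for illustration; this is not the project's own code.)
func validateUUID(in string) error {
	if in == "" {
		return errors.New("UUID must not be empty")
	}
	if !regexUUID.MatchString(in) {
		return fmt.Errorf("UUID %q contains characters outside [a-zA-Z0-9-]", in)
	}
	return nil
}

// recordPath shows why the check matters. Assuming (hypothetically) that a
// record file is named after its UUID inside the DB directory, a UUID taken
// from an RPC caller without validation could name a file outside that
// directory. With the character class enforced, '/' and '.' never reach
// filepath.Join, so the result always stays inside dbDir.
func recordPath(dbDir, uuid string) (string, error) {
	if err := validateUUID(uuid); err != nil {
		return "", err
	}
	return filepath.Join(dbDir, uuid), nil
}

func main() {
	// Constructed inputs: one well-formed UUID and three that must be rejected.
	for _, in := range []string{
		"2f1e9a3c-7b44-4d0e-9c1a-0123456789ab",
		"",
		"../../etc/passwd",
		"abc def",
	} {
		p, err := recordPath("/var/lib/cryptctl/keydb", in) // hypothetical DB directory
		fmt.Printf("%-40q -> path=%q err=%v\n", in, p, err)
	}
}
```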
Types
type AliveMessage
type AliveMessage struct {
	Hostname  string // Hostname is the host name reported by client computer itself.
	IP        string // IP is the client computer's IP as seen by cryptctl server.
	Timestamp int64  // Timestamp is the moment the message arrived at cryptctl server.
}
AliveMessage is a component of a key database record; it represents a heartbeat sent by a computer that is actively using an encryption key, i.e. the encrypted disk is currently unlocked and online.
type DB
type DB struct {
	Dir             string
	RecordsByUUID   map[string]Record // key is record UUID string
	RecordsByID     map[string]Record // when saved by built-in KMIP server, the ID is a sequence number; otherwise it can be anything.
	LastSequenceNum int64             // the last sequence number currently in-use
	Lock            *sync.RWMutex     // prevent concurrent access to records
}
The database of key records resides in a directory; each key record is serialised into a file. All key records are read into memory upon startup for fast retrieval. All exported functions are safe for concurrent use.
func OpenDB
Open a key database directory and read all key records into memory. The caller should consider locking memory.
func OpenDBOneRecord
Open a key database directory but load only a single record into memory. If the specified record is not found in the file system, an error is returned. The caller should consider locking memory.
func (*DB) List
func (db *DB) List() (sortedRecords RecordSlice)
Return all key records (not including key content) sorted according to latest usage.
func (*DB) ReadRecord
Read and deserialise a key record from file system.
func (*DB) ReloadRecord
ReloadRecord reads the latest record content corresponding to the UUID from disk file and loads it into memory. The function panics if the record version is not the latest.
func (*DB) Select
func (db *DB) Select(aliveMessage AliveMessage, checkMaxActive bool, uuids ...string) (found map[string]Record, rejected, missing []string)
Retrieve key records that belong to those UUIDs, and immediately persist last-retrieval information on those records.
func (*DB) UpdateAliveMessage
func (db *DB) UpdateAliveMessage(latest AliveMessage, uuids ...string) (rejected []string)
Record and immediately persist an alive message that came from a host.
func (*DB) UpdateCommandResult
UpdateCommandResult updates the execution result of a pending command. The pending command is found by looking for a command record matching the specified UUID, IP, and content. If no matching record is found, the function does nothing.
func (*DB) UpdateSeenFlag
UpdateSeenFlag sets the "seen" flag of a pending command to true. The command is found by looking for a command record matching the specified IP, array index, and content. If no matching record is found, the function does nothing.
func (*DB) UpgradeRecord
Upgrade a record to the latest version.
func (*DB) UpgradeRecordToVersion1
Record version 0 was the first version, used up to and including the cryptctl 1.99 pre-release. Version 1 gives each record a KMIP key ID and a creation time, and records whether the key content is located on an external KMIP server.
type PendingCommand
type PendingCommand struct {
	ValidFrom    time.Time     // ValidFrom is the timestamp at which moment the command was created.
	Validity     time.Duration // Validity determines the point in time the command expires. Expired commands disappear almost immediately.
	IP           string        // IP is the client computer's IP the command is issued to.
	Content      interface{}   // Content is the command content, serialised and transmitted between server and client.
	SeenByClient bool          // SeenByClient is updated to true via RPC once the client has seen this command.
	ClientResult string        // ClientResult is updated via RPC once client has finished executing this command.
}
PendingCommand is a time-restricted command issued by cryptctl server administrator to be polled by a client.
func (*PendingCommand) IsValid
func (cmd *PendingCommand) IsValid() bool
IsValid returns true only if the command has not expired.
type Record
type Record struct {
	ID               string                      // ID is assigned by KMIP server for the encryption key.
	Version          int                         // Version is the version number of this record. Outdated records are automatically upgraded.
	CreationTime     time.Time                   // CreationTime is the timestamp at which the record was created.
	Key              []byte                      // Key is the disk encryption key if the key is not stored on an external KMIP server.
	UUID             string                      // UUID is the block device UUID of the file system.
	MountPoint       string                      // MountPoint is the location (directory) where this file system is expected to be mounted to.
	MountOptions     []string                    // MountOptions is a string array of mount options specific to the file system.
	MaxActive        int                         // MaxActive is the maximum simultaneous number of online users (computers) for the key, or <=0 for unlimited.
	AliveIntervalSec int                         // AliveIntervalSec is the interval in seconds at which all key users (computers) should report they're online.
	AliveCount       int                         // AliveCount is the number of times a key user (computer) can miss a regular report before being considered offline.
	LastRetrieval    AliveMessage                // LastRetrieval is the computer who most recently successfully retrieved the key.
	AliveMessages    map[string][]AliveMessage   // AliveMessages are the most recent alive reports in IP - message array pairs.
	PendingCommands  map[string][]PendingCommand // PendingCommands are commands to be periodically polled by clients, keyed by client IP address.
}
A key record that knows all about the encrypted file system, its mount point, and unlocking keys. When stored on disk, the record resides in a file encoded in gob. The binary encoding method is intentionally chosen to deter users from manually editing the files on disk.
func (*Record) AddPendingCommand
func (rec *Record) AddPendingCommand(ip string, cmd PendingCommand)
AddPendingCommand stores a command associated to the input IP address, and clears expired pending commands along the way.
func (*Record) ClearPendingCommands
func (rec *Record) ClearPendingCommands()
ClearPendingCommands removes all pending commands, and clears expired pending commands along the way.
func (*Record) Deserialise
Deserialise record from input binary content using gob encoding.
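An added example (not cryptctl's own code) of the gob round trip that Serialise and Deserialise perform, written against a reduced stand-in for Record with a handful of its fields, and persisted with the DB_DIR_FILE_MODE/DB_REC_FILE_MODE values listed under Constants. The `<dir>/<UUID>` file naming is an assumption for the illustration. It also makes the caveat behind the page's remark on gob concrete: the encoding deters manual editing but is not encryption, so the disk key is present verbatim in the file and its confidentiality rests on the file modes and the host, not on the encoding.

```go
package main

import (
	"bytes"
	"encoding/gob"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// keyRecord is a reduced stand-in for keydb.Record (a subset of its fields).
type keyRecord struct {
	Version      int
	CreationTime time.Time
	Key          []byte
	UUID         string
	MountPoint   string
	MountOptions []string
	MaxActive    int
}

// File modes as listed under Constants on this page.
const (
	dbDirFileMode = 0700
	dbRecFileMode = 0600
)

// serialise encodes the record with gob, as the page says Record.Serialise does.
func serialise(rec keyRecord) ([]byte, error) {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(rec); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// deserialise is the inverse; a truncated or foreign blob yields an error, never a partial record.
func deserialise(in []byte) (keyRecord, error) {
	var rec keyRecord
	if err := gob.NewDecoder(bytes.NewReader(in)).Decode(&rec); err != nil {
		return keyRecord{}, err
	}
	return rec, nil
}

// writeRecord persists a record as <dir>/<UUID> (hypothetical naming; the page
// does not state how record files are named) using the page's directory and file modes.
func writeRecord(dir string, rec keyRecord) (string, error) {
	blob, err := serialise(rec)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(dir, dbDirFileMode); err != nil {
		return "", err
	}
	path := filepath.Join(dir, rec.UUID)
	if err := os.WriteFile(path, blob, dbRecFileMode); err != nil {
		return "", err
	}
	return path, nil
}

func readRecord(path string) (keyRecord, error) {
	blob, err := os.ReadFile(path)
	if err != nil {
		return keyRecord{}, err
	}
	return deserialise(blob)
}

// keyInPlaintext is the caveat: gob is an encoding, not encryption, so the disk
// key appears verbatim inside the serialised bytes.
func keyInPlaintext(blob, key []byte) bool {
	return bytes.Contains(blob, key)
}

func main() {
	rec := keyRecord{ // constructed sample record
		Version:      2,
		CreationTime: time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC),
		Key:          []byte("0123456789abcdef0123456789abcdef"), // constructed, not a real key
		UUID:         "2f1e9a3c-7b44-4d0e-9c1a-0123456789ab",
		MountPoint:   "/srv/data",
		MountOptions: []string{"noatime"},
		MaxActive:    1,
	}
	blob, err := serialise(rec)
	if err != nil {
		panic(err)
	}
	back, err := deserialise(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v; key visible in blob: %v\n",
		back.UUID == rec.UUID && bytes.Equal(back.Key, rec.Key), keyInPlaintext(blob, rec.Key))
}
```

The 0600 mode on the record file is therefore the control that actually protects Key on disk; a loosened mode or a backup copied elsewhere exposes it regardless of the gob encoding.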
func (*Record) FormatAttrs
Format all attributes (except the binary key) for pretty printing, using the specified separator.
func (*Record) GetMountOptionStr
Return mount options in a single string, as accepted by mount command.
func (*Record) IsHostAlive
func (rec *Record) IsHostAlive(hostIP string) (alive bool, finalMessage AliveMessage)
Determine whether a host is still alive according to recent alive messages.
func (*Record) RemoveDeadHosts
func (rec *Record) RemoveDeadHosts() (deadFinalMessage map[string]AliveMessage)
Remove all dead hosts from alive message history, and return each dead host's final alive message.
func (*Record) RemoveExpiredPendingCommands
func (rec *Record) RemoveExpiredPendingCommands()
RemoveExpiredPendingCommands removes pending commands and their results that were created more than 10x their validity period in the past.
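An added example, not cryptctl's own code, covering both PendingCommand.IsValid above and the 10x-validity clean-up rule just described, on a reduced stand-in for PendingCommand. Time is passed in explicitly so the two rules can be checked deterministically. The `pollable` helper, which hands a client only commands that are valid and not yet marked seen, is an assumption about how the SeenByClient flag is meant to be used; the page states only that the flag is set via RPC.

```go
package main

import (
	"fmt"
	"time"
)

// pendingCommand carries the fields of keydb.PendingCommand that matter for
// expiry; defined here so the example is self-contained.
type pendingCommand struct {
	ValidFrom    time.Time
	Validity     time.Duration
	IP           string
	Content      interface{}
	SeenByClient bool
	ClientResult string
}

// isValidAt is IsValid's documented contract (true only while not expired),
// evaluated at an explicit instant rather than time.Now().
func (cmd pendingCommand) isValidAt(now time.Time) bool {
	return now.Before(cmd.ValidFrom.Add(cmd.Validity))
}

// removeExpiredAt applies the rule documented for RemoveExpiredPendingCommands:
// a command (together with its result) is dropped once it was created more than
// 10x its validity period ago. An expired-but-recent command is kept so the
// administrator can still read the client's result.
func removeExpiredAt(cmds map[string][]pendingCommand, now time.Time) map[string][]pendingCommand {
	kept := make(map[string][]pendingCommand, len(cmds))
	for ip, list := range cmds {
		for _, cmd := range list {
			if now.Sub(cmd.ValidFrom) <= 10*cmd.Validity {
				kept[ip] = append(kept[ip], cmd)
			}
		}
	}
	return kept
}

// pollable returns what a client polling from ip should act on: commands that
// are still valid and not yet marked seen (assumption: seen commands are not
// re-delivered).
func pollable(cmds map[string][]pendingCommand, ip string, now time.Time) []pendingCommand {
	var out []pendingCommand
	for _, cmd := range cmds[ip] {
		if cmd.isValidAt(now) && !cmd.SeenByClient {
			out = append(out, cmd)
		}
	}
	return out
}

func main() {
	base := time.Date(2017, 1, 1, 12, 0, 0, 0, time.UTC)
	// Constructed history for one client IP: a fresh command, one that expired
	// five minutes ago (kept, result still readable), one fifteen minutes old (dropped).
	cmds := map[string][]pendingCommand{
		"10.0.0.5": {
			{ValidFrom: base, Validity: time.Minute, IP: "10.0.0.5", Content: "constructed-command-1"},
			{ValidFrom: base.Add(-5 * time.Minute), Validity: time.Minute, IP: "10.0.0.5",
				Content: "constructed-command-2", SeenByClient: true, ClientResult: "done"},
			{ValidFrom: base.Add(-15 * time.Minute), Validity: time.Minute, IP: "10.0.0.5",
				Content: "constructed-command-3", SeenByClient: true, ClientResult: "done"},
		},
	}
	now := base.Add(30 * time.Second)
	fmt.Println("pollable now:", len(pollable(cmds, "10.0.0.5", now)))                // 1
	fmt.Println("kept after cleanup:", len(removeExpiredAt(cmds, now)["10.0.0.5"])) // 2
}
```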
func (*Record) UpdateAliveMessage
func (rec *Record) UpdateAliveMessage(latestBeat AliveMessage) bool
Record the latest alive message in message history.
func (*Record) UpdateLastRetrieval
func (rec *Record) UpdateLastRetrieval(latestBeat AliveMessage, checkMaxActive bool) (updateOK bool, deadFinalMessage map[string]AliveMessage)
If the maximum number of active users must be enforced, determine the number of active key users from the alive message history: if the maximum has not yet been reached, update the last-retrieval information and the alive message history for the host; if the maximum is already met, the last-retrieval information and alive message history are left untouched.
If the maximum number of active users is not enforced, the last-retrieval information and alive message history are updated unconditionally.
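An added example, not cryptctl's own code, that works through the liveness and MaxActive logic described for IsHostAlive, RemoveDeadHosts, UpdateAliveMessage and UpdateLastRetrieval, and the latest-usage ordering that DB.List and RecordSlice describe, on reduced stand-ins for AliveMessage and Record. Three details are assumptions of this example rather than statements on the page: a host counts as alive while its last message is no older than AliveIntervalSec*AliveCount seconds; a host's history is capped at AliveCount messages; and the requesting IP is excluded from the active count so that a host already holding the key can refresh its own slot.

```go
package main

import (
	"fmt"
	"sort"
)

// aliveMessage and record are reduced stand-ins for keydb.AliveMessage and keydb.Record.
type aliveMessage struct {
	Hostname  string
	IP        string
	Timestamp int64 // Unix seconds
}

type record struct {
	UUID             string
	MaxActive        int
	AliveIntervalSec int
	AliveCount       int
	LastRetrieval    aliveMessage
	AliveMessages    map[string][]aliveMessage
}

// isHostAliveAt: a host is alive while its latest message is no older than
// AliveIntervalSec*AliveCount seconds (assumed reading of "can miss AliveCount reports").
func (rec *record) isHostAliveAt(ip string, now int64) (bool, aliveMessage) {
	hist := rec.AliveMessages[ip]
	if len(hist) == 0 {
		return false, aliveMessage{}
	}
	final := hist[len(hist)-1]
	return now <= final.Timestamp+int64(rec.AliveIntervalSec*rec.AliveCount), final
}

// removeDeadHostsAt prunes silent hosts and returns each one's final message keyed by IP.
func (rec *record) removeDeadHostsAt(now int64) map[string]aliveMessage {
	dead := make(map[string]aliveMessage)
	for ip := range rec.AliveMessages {
		if alive, final := rec.isHostAliveAt(ip, now); !alive {
			dead[ip] = final
			delete(rec.AliveMessages, ip)
		}
	}
	return dead
}

// updateAliveMessage appends the beat, keeping at most AliveCount entries per host (assumed bound).
func (rec *record) updateAliveMessage(beat aliveMessage) {
	if rec.AliveMessages == nil {
		rec.AliveMessages = make(map[string][]aliveMessage)
	}
	hist := append(rec.AliveMessages[beat.IP], beat)
	if rec.AliveCount > 0 && len(hist) > rec.AliveCount {
		hist = hist[len(hist)-rec.AliveCount:]
	}
	rec.AliveMessages[beat.IP] = hist
}

// updateLastRetrieval follows the documented rule: with checkMaxActive set and
// MaxActive > 0 (<= 0 means unlimited), dead hosts are pruned and the key is
// released only while the number of other live hosts is below MaxActive;
// otherwise the record is left untouched. Without the check it always updates.
func (rec *record) updateLastRetrieval(beat aliveMessage, checkMaxActive bool) (bool, map[string]aliveMessage) {
	var dead map[string]aliveMessage
	if checkMaxActive && rec.MaxActive > 0 {
		dead = rec.removeDeadHostsAt(beat.Timestamp)
		others := 0
		for ip := range rec.AliveMessages {
			if ip != beat.IP { // assumption: the requester does not count against itself
				others++
			}
		}
		if others >= rec.MaxActive {
			return false, dead
		}
	}
	rec.LastRetrieval = beat
	rec.updateAliveMessage(beat)
	return true, dead
}

// sortByLatestUsage orders records most recently retrieved first.
func sortByLatestUsage(recs []record) {
	sort.SliceStable(recs, func(i, j int) bool {
		return recs[i].LastRetrieval.Timestamp > recs[j].LastRetrieval.Timestamp
	})
}

func main() {
	// Constructed scenario: one key, MaxActive 1, 10 s heartbeat, 3 missed beats allowed.
	rec := &record{UUID: "constructed-uuid", MaxActive: 1, AliveIntervalSec: 10, AliveCount: 3}
	ok, _ := rec.updateLastRetrieval(aliveMessage{Hostname: "host-a", IP: "10.0.0.1", Timestamp: 1500000000}, true)
	fmt.Println("host-a granted:", ok) // true
	ok, _ = rec.updateLastRetrieval(aliveMessage{Hostname: "host-b", IP: "10.0.0.2", Timestamp: 1500000005}, true)
	fmt.Println("host-b granted while host-a is alive:", ok) // false
	ok, dead := rec.updateLastRetrieval(aliveMessage{Hostname: "host-b", IP: "10.0.0.2", Timestamp: 1500000040}, true)
	fmt.Println("host-b granted after host-a went silent:", ok, len(dead)) // true 1
}
```

The security-relevant behaviour is the refusal path: when the limit is met the record is not modified at all, so a second machine cannot displace the legitimate holder's last-retrieval entry, and the dead-host map returned on the grant path gives the administrator the final heartbeat of whichever host was evicted.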
type RecordSlice
type RecordSlice []Record // a slice of key database records that can be sorted by latest usage.
func (RecordSlice) Len
func (r RecordSlice) Len() int
func (RecordSlice) Less
func (r RecordSlice) Less(i, j int) bool
func (RecordSlice) Swap
func (r RecordSlice) Swap(i, j int)