Documentation ¶
Index ¶
- Constants
- func GenerateCA(keySize int) ([]byte, crypto.PrivateKey, error)
- func GenerateClientCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, name string) ([]byte, crypto.PrivateKey, error)
- func GenerateServerCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, hosts []string) ([]byte, crypto.PrivateKey, error)
- func GetCertificateUser(tlsState *tls.ConnectionState) (string, error)
- func HashPassword(raw []byte) ([]byte, error)
- func LoadClientTLSConfig(sslCA, sslCert, sslCertKey string) (*tls.Config, error)
- func LoadServerTLSConfig(sslCA, sslCert, sslCertKey string) (*tls.Config, error)
- func PromptForPasswordAndHash() ([]byte, error)
- func ProtoAuthHook(insecureMode bool, tlsState *tls.ConnectionState) (func(proto.Message, bool) error, error)
- func ResetReadFileFn()
- func RunCreateCACert(sslCA, sslCAKey string, keySize int) error
- func RunCreateClientCert(sslCA, sslCAKey, sslCert, sslCertKey string, keySize int, username string) error
- func RunCreateNodeCert(sslCA, sslCAKey, sslCert, sslCertKey string, keySize int, hosts []string) error
- func SetReadFileFn(f func(string) ([]byte, error))
- func UserAuthHook(insecureMode bool, tlsState *tls.ConnectionState) (func(string, bool) error, error)
- type RequestWithUser
Constants ¶
const ( // NodeUser is used by nodes for intra-cluster traffic. NodeUser = "node" // RootUser is the default cluster administrator. RootUser = "root" )
const ( EmbeddedCertsDir = "test_certs" EmbeddedCACert = "ca.crt" EmbeddedCAKey = "ca.key" EmbeddedNodeCert = "node.crt" EmbeddedNodeKey = "node.key" EmbeddedRootCert = "root.crt" EmbeddedRootKey = "root.key" EmbeddedTestUserCert = "testuser.crt" EmbeddedTestUserKey = "testuser.key" )
EmbeddedCertsDir is the certs directory inside embedded assets. Embedded*{Cert,Key} are the filenames for embedded certs.
Variables ¶
This section is empty.
Functions ¶
func GenerateCA ¶
func GenerateCA(keySize int) ([]byte, crypto.PrivateKey, error)
GenerateCA generates a CA certificate and returns the cert bytes as well as the private key used to generate the certificate.
func GenerateClientCert ¶
func GenerateClientCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, name string) ( []byte, crypto.PrivateKey, error)
GenerateClientCert generates a client certificate and returns the cert bytes as well as the private key used to generate the certificate. The CA cert and private key should be passed in. 'user' is the unique username stored in the Subject.CommonName field.
func GenerateServerCert ¶
func GenerateServerCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, hosts []string) ( []byte, crypto.PrivateKey, error)
GenerateServerCert generates a server certificate and returns the cert bytes as well as the private key used to generate the certificate. Takes in the CA cert and key, the size of the key to generate, and the list of hosts/ip addresses this certificate applies to.
func GetCertificateUser ¶
func GetCertificateUser(tlsState *tls.ConnectionState) (string, error)
GetCertificateUser extract the username from a client certificate.
func HashPassword ¶
HashPassword takes a raw password and returns a bcrypt hashed password.
func LoadClientTLSConfig ¶
LoadClientTLSConfig creates a client TLSConfig by loading the CA and client certs. The following paths must be passed: - sslCA: path to the CA certificate - sslCert: path to the client certificate - sslCertKey: path to the client key If the path is prefixed with "embedded=", load the embedded certs.
func LoadServerTLSConfig ¶
LoadServerTLSConfig creates a server TLSConfig by loading the CA and server certs. The following paths must be passed: - sslCA: path to the CA certificate - sslCert: path to the server certificate - sslCertKey: path to the server key If the path is prefixed with "embedded=", load the embedded certs.
func PromptForPasswordAndHash ¶
PromptForPasswordAndHash prompts for a password on the stdin twice, and if both match, returns a bcrypt hashed password.
func ProtoAuthHook ¶
func ProtoAuthHook(insecureMode bool, tlsState *tls.ConnectionState) ( func(proto.Message, bool) error, error)
ProtoAuthHook builds an authentication hook based on the security mode and client certificate. The proto.Message passed to the hook must implement RequestWithUser.
func ResetReadFileFn ¶
func ResetReadFileFn()
ResetReadFileFn is the counterpart to SetReadFileFn, restoring the original behaviour for loading certificate related data from disk.
func RunCreateCACert ¶
RunCreateCACert is the entry-point from the command-line interface to generate CA cert and key. Takes in: - sslCA: path to the CA certificate - sslCAKey: path to the CA key
func RunCreateClientCert ¶
func RunCreateClientCert(sslCA, sslCAKey, sslCert, sslCertKey string, keySize int, username string) error
RunCreateClientCert is the entry-point from the command-line interface to generate a client cert and key. - sslCA: path to the CA certificate - sslCAKey: path to the CA key - sslCert: path to the node certificate - sslCertKey: path to the node key
func RunCreateNodeCert ¶
func RunCreateNodeCert(sslCA, sslCAKey, sslCert, sslCertKey string, keySize int, hosts []string) error
RunCreateNodeCert is the entry-point from the command-line interface to generate node certs and keys: - sslCA: path to the CA certificate - sslCAKey: path to the CA key - sslCert: path to the node certificate - sslCertKey: path to the node key
func SetReadFileFn ¶
SetReadFileFn allows to switch out ioutil.ReadFile by a mock for testing purposes.
func UserAuthHook ¶
func UserAuthHook(insecureMode bool, tlsState *tls.ConnectionState) ( func(string, bool) error, error)
UserAuthHook builds an authentication hook based on the security mode and client certificate.
Types ¶
type RequestWithUser ¶
type RequestWithUser interface {
GetUser() string
}
RequestWithUser must be implemented by `roachpb.Request`s which are arguments to methods that are not permitted to skip user checks.
Directories ¶
Path | Synopsis |
---|---|
Package securitytest embeds the TLS test certificates.
|
Package securitytest embeds the TLS test certificates. |