package v0

v0.0.0-c241dcf
Published: Mar 5, 2023 License: Apache-2.0 Imports: 14 Imported by: 9

Documentation

Overview

Package v0 contains versioned JVS contracts, e.g. service definition.

Constants

const (
	// JustificationsKey is the key in the JWT where justifications are stored.
	// Ideally this would be "justifications", but the RFC and various online
	// resources recommend key names be as short as possible to keep the JWTs
	// small. Akamai recommends less than 8 characters and Okta recommends less
	// than 6.
	//
	// Most callers should use the higher-level functions, but this is exposed in
	// case users need to manipulate lower-level structures in the claims map.
	JustificationsKey string = "justs"

	// RequestorKey is the key in the JWT that holds the identity of the principal
	// that requested this JWT.
	RequestorKey string = "req"
)
const (
	// BreakglassHMACSecret is the HMAC key to use for creating breakglass tokens.
	// Breakglass tokens are already "unverified", so having this static secret
	// does not introduce additional risk, and breakglass is disabled by default.
	BreakglassHMACSecret = "BHzwNUbxcgpNoDfzwzt4Dr2nVXByUCWl1m8Eq2Jh26CGqu8IQ0VdiyjxnCtNahh9" //nolint:gosec

)

Variables

var (
	Action_ACTION_name = map[int32]string{
		0: "ROTATE",
		1: "FORCE_DISABLE",
		2: "FORCE_DESTROY",
	}
	Action_ACTION_value = map[string]int32{
		"ROTATE":        0,
		"FORCE_DISABLE": 1,
		"FORCE_DESTROY": 2,
	}
)

Enum value maps for Action_ACTION.

var CertificateActionService_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "abcxyz.jvs.CertificateActionService",
	HandlerType: (*CertificateActionServiceServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "CertificateAction",
			Handler:    _CertificateActionService_CertificateAction_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "cert_action_service.proto",
}

CertificateActionService_ServiceDesc is the grpc.ServiceDesc for the CertificateActionService service. It is only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

var File_cert_action_request_proto protoreflect.FileDescriptor
var File_cert_action_service_proto protoreflect.FileDescriptor
var File_jvs_request_proto protoreflect.FileDescriptor
var File_jvs_service_proto protoreflect.FileDescriptor

var JVSService_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "abcxyz.jvs.JVSService",
	HandlerType: (*JVSServiceServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "CreateJustification",
			Handler:    _JVSService_CreateJustification_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "jvs_service.proto",
}

JVSService_ServiceDesc is the grpc.ServiceDesc for the JVSService service. It is only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

Functions

func ClearJustifications added in v0.0.2

func ClearJustifications(t jwt.Token) error

ClearJustifications removes the justifications from the token by deleting the entire key.

func ClearRequestor added in v0.0.3

func ClearRequestor(t jwt.Token) error

ClearRequestor removes the req field from the JWT.

func CreateBreakglassToken added in v0.0.2

func CreateBreakglassToken(token jwt.Token, explanation string) (string, error)

CreateBreakglassToken creates a JWT that can be used as "breakglass" if the system is configured to allow breakglass tokens. The incoming jwt.Token must be built by the caller to include the standard fields. This function overwrites all existing justifications, inserts the breakglass justification, and signs the JWT with an HMAC signature.

func GetRequestor added in v0.0.3

func GetRequestor(t jwt.Token) (string, error)

GetRequestor retrieves the identity of the principal that requested this JWT. This is typically an email address that is extracted by the JVS using an incoming authentication header. However, if the JVS is not protected by authentication, it could be the empty string or omitted entirely.

func ParseBreakglassToken added in v0.0.2

func ParseBreakglassToken(tokenStr string) (jwt.Token, error)

ParseBreakglassToken accepts an HMAC-signed JWT and verifies the signature. It then inspects the justifications to ensure that one of them is a "breakglass" justification. If successful, it returns the parsed token and the extracted explanation for breakglass.

func RegisterCertificateActionServiceServer

func RegisterCertificateActionServiceServer(s grpc.ServiceRegistrar, srv CertificateActionServiceServer)

func RegisterJVSServiceServer

func RegisterJVSServiceServer(s grpc.ServiceRegistrar, srv JVSServiceServer)

func SetJustifications added in v0.0.2

func SetJustifications(t jwt.Token, justifications []*Justification) error

SetJustifications updates the justifications on the token. It overwrites any existing values and uses a copy of the inbound slice.

func SetRequestor added in v0.0.3

func SetRequestor(t jwt.Token, req string) error

SetRequestor sets the req field on the JWT. It overwrites any existing value.

func WithTypedJustifications added in v0.0.2

func WithTypedJustifications() jwt.ParseOption

WithTypedJustifications is an option for parsing JWTs that decodes the Justification claims into the correct Go structure. If it is not supplied, the claims will be "any" and future type assertions may fail.

Types

type Action

type Action struct {
	Version string        `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
	Action  Action_ACTION `protobuf:"varint,2,opt,name=action,proto3,enum=abcxyz.jvs.Action_ACTION" json:"action,omitempty"`
	// contains filtered or unexported fields
}

Action is intended to specify an action to be taken on a certificate version.

func (*Action) Descriptor deprecated

func (*Action) Descriptor() ([]byte, []int)

Deprecated: Use Action.ProtoReflect.Descriptor instead.

func (*Action) GetAction

func (x *Action) GetAction() Action_ACTION

func (*Action) GetVersion

func (x *Action) GetVersion() string

func (*Action) ProtoMessage

func (*Action) ProtoMessage()

func (*Action) ProtoReflect

func (x *Action) ProtoReflect() protoreflect.Message

func (*Action) Reset

func (x *Action) Reset()

func (*Action) String

func (x *Action) String() string

type Action_ACTION

type Action_ACTION int32
const (
	// This rotates the specified key gracefully. It will create a new key and
	// promote that new key to primary, but will not immediately disable the
	// version specified (so it can still be used for JWT validation).
	Action_ROTATE Action_ACTION = 0
	// This will immediately disable the version specified. If the version is
	// primary, it will make a new primary and promote that new key to primary.
	// This is intended to make it invalid for use in JWT validation as soon as
	// possible. However, until client caches are updated, JWTs could still be
	// validated using the version.
	Action_FORCE_DISABLE Action_ACTION = 1
	// This will immediately destroy the version specified. If the version is
	// primary, it will make a new primary and promote that new key to primary.
	// This is intended to make it invalid for use in JWT validation as soon as
	// possible. However, until client caches are updated, JWTs could still be
	// validated using the version.
	Action_FORCE_DESTROY Action_ACTION = 2
)

func (Action_ACTION) Descriptor

func (Action_ACTION) Enum

func (x Action_ACTION) Enum() *Action_ACTION

func (Action_ACTION) EnumDescriptor deprecated

func (Action_ACTION) EnumDescriptor() ([]byte, []int)

Deprecated: Use Action_ACTION.Descriptor instead.

func (Action_ACTION) Number

func (Action_ACTION) String

func (x Action_ACTION) String() string

func (Action_ACTION) Type

type CertificateActionRequest

type CertificateActionRequest struct {
	Actions []*Action `protobuf:"bytes,1,rep,name=actions,proto3" json:"actions,omitempty"`
	// contains filtered or unexported fields
}

CertificateActionRequest is a request to do a manual action on a certificate.

func (*CertificateActionRequest) Descriptor deprecated

func (*CertificateActionRequest) Descriptor() ([]byte, []int)

Deprecated: Use CertificateActionRequest.ProtoReflect.Descriptor instead.

func (*CertificateActionRequest) GetActions

func (x *CertificateActionRequest) GetActions() []*Action

func (*CertificateActionRequest) ProtoMessage

func (*CertificateActionRequest) ProtoMessage()

func (*CertificateActionRequest) ProtoReflect

func (x *CertificateActionRequest) ProtoReflect() protoreflect.Message

func (*CertificateActionRequest) Reset

func (x *CertificateActionRequest) Reset()

func (*CertificateActionRequest) String

func (x *CertificateActionRequest) String() string

type CertificateActionResponse

type CertificateActionResponse struct {
	// contains filtered or unexported fields
}

CertificateActionResponse is a blank response.

func (*CertificateActionResponse) Descriptor deprecated

func (*CertificateActionResponse) Descriptor() ([]byte, []int)

Deprecated: Use CertificateActionResponse.ProtoReflect.Descriptor instead.

func (*CertificateActionResponse) ProtoMessage

func (*CertificateActionResponse) ProtoMessage()

func (*CertificateActionResponse) ProtoReflect

func (*CertificateActionResponse) Reset

func (x *CertificateActionResponse) Reset()

func (*CertificateActionResponse) String

func (x *CertificateActionResponse) String() string

type CertificateActionServiceClient

type CertificateActionServiceClient interface {
	CertificateAction(ctx context.Context, in *CertificateActionRequest, opts ...grpc.CallOption) (*CertificateActionResponse, error)
}

CertificateActionServiceClient is the client API for CertificateActionService service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

type CertificateActionServiceServer

type CertificateActionServiceServer interface {
	CertificateAction(context.Context, *CertificateActionRequest) (*CertificateActionResponse, error)
	// contains filtered or unexported methods
}

CertificateActionServiceServer is the server API for the CertificateActionService service. All implementations must embed UnimplementedCertificateActionServiceServer for forward compatibility.

type CreateJustificationRequest

type CreateJustificationRequest struct {
	Justifications []*Justification     `protobuf:"bytes,1,rep,name=justifications,proto3" json:"justifications,omitempty"`
	Ttl            *durationpb.Duration `protobuf:"bytes,2,opt,name=ttl,proto3" json:"ttl,omitempty"`
	// Optional audiences for the justifications.
	Audiences []string `protobuf:"bytes,3,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// Subject will be the corresponding subject in the JWT. Consumers of these
	// JWTs must verify that the caller matches the embedded principal. If
	// unspecified, the JVS will attempt to extract this from the caller's
	// identity.
	Subject string `protobuf:"bytes,4,opt,name=subject,proto3" json:"subject,omitempty"`
	// contains filtered or unexported fields
}

CreateJustificationRequest provides a justification to the server in order to receive a token.

func (*CreateJustificationRequest) Descriptor deprecated

func (*CreateJustificationRequest) Descriptor() ([]byte, []int)

Deprecated: Use CreateJustificationRequest.ProtoReflect.Descriptor instead.

func (*CreateJustificationRequest) GetAudiences added in v0.0.2

func (x *CreateJustificationRequest) GetAudiences() []string

func (*CreateJustificationRequest) GetJustifications

func (x *CreateJustificationRequest) GetJustifications() []*Justification

func (*CreateJustificationRequest) GetSubject added in v0.0.3

func (x *CreateJustificationRequest) GetSubject() string

func (*CreateJustificationRequest) GetTtl

func (*CreateJustificationRequest) ProtoMessage

func (*CreateJustificationRequest) ProtoMessage()

func (*CreateJustificationRequest) ProtoReflect

func (*CreateJustificationRequest) Reset

func (x *CreateJustificationRequest) Reset()

func (*CreateJustificationRequest) String

func (x *CreateJustificationRequest) String() string

type CreateJustificationResponse

type CreateJustificationResponse struct {
	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
	// contains filtered or unexported fields
}

CreateJustificationResponse contains a signed justification token.

func (*CreateJustificationResponse) Descriptor deprecated

func (*CreateJustificationResponse) Descriptor() ([]byte, []int)

Deprecated: Use CreateJustificationResponse.ProtoReflect.Descriptor instead.

func (*CreateJustificationResponse) GetToken

func (x *CreateJustificationResponse) GetToken() string

func (*CreateJustificationResponse) ProtoMessage

func (*CreateJustificationResponse) ProtoMessage()

func (*CreateJustificationResponse) ProtoReflect

func (*CreateJustificationResponse) Reset

func (x *CreateJustificationResponse) Reset()

func (*CreateJustificationResponse) String

func (x *CreateJustificationResponse) String() string

type JVSServiceClient

type JVSServiceClient interface {
	CreateJustification(ctx context.Context, in *CreateJustificationRequest, opts ...grpc.CallOption) (*CreateJustificationResponse, error)
}

JVSServiceClient is the client API for JVSService service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

func NewJVSServiceClient

func NewJVSServiceClient(cc grpc.ClientConnInterface) JVSServiceClient

type JVSServiceServer

type JVSServiceServer interface {
	CreateJustification(context.Context, *CreateJustificationRequest) (*CreateJustificationResponse, error)
	// contains filtered or unexported methods
}

JVSServiceServer is the server API for the JVSService service. All implementations must embed UnimplementedJVSServiceServer for forward compatibility.

type Justification

type Justification struct {
	Category string `protobuf:"bytes,1,opt,name=category,proto3" json:"category,omitempty"` // In MVP, the only supported category is "explanation".
	Value    string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
	// contains filtered or unexported fields
}

Justification is intended to be used to provide reasons that data access is required.

func GetJustifications added in v0.0.2

func GetJustifications(t jwt.Token) ([]*Justification, error)

GetJustifications retrieves a copy of the justifications on the token. If the token does not have any justifications, it returns an empty slice of justifications.

This function is incredibly defensive against a poorly-parsed JWT. It handles situations where the JWT was not properly decoded (i.e., the caller did not use WithTypedJustifications), and where the token carries a single justification instead of a slice.

Modifying the returned slice does not modify the underlying token; you must call SetJustifications to update the data on the token.
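The defensive decoding described above, written out as an added stdlib-only example (not code from the jvs project): a hypothetical local Justification type stands in for the page's protobuf message, and the input is the untyped claims map a generic JWT parser yields when WithTypedJustifications is not used. It accepts an absent claim, a JSON array, a single object where a slice was expected, or an already-typed slice, and always hands back a copy.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Justification is a hypothetical local stand-in for the page's protobuf message.
type Justification struct {
	Category string `json:"category"`
	Value    string `json:"value"`
}

const justificationsKey = "justs" // mirrors the page's JustificationsKey constant
// justificationsFromClaims copies the justifications out of an untyped claims map, tolerating
// the shapes the page describes: absent claim, JSON array, or a single object instead of a slice.
func justificationsFromClaims(claims map[string]any) ([]*Justification, error) {
	var items []any
	switch v := claims[justificationsKey].(type) {
	case nil: // claim absent or null: no justifications
		return []*Justification{}, nil
	case []*Justification: // already typed: hand back a copy, not the backing slice
		return append([]*Justification(nil), v...), nil
	case []any:
		items = v
	case map[string]any:
		items = []any{v}
	default:
		return nil, fmt.Errorf("claim %q has unsupported type %T", justificationsKey, v)
	}
	out := make([]*Justification, 0, len(items))
	for i, it := range items {
		b, err := json.Marshal(it) // round-trip so a generic map becomes the typed struct
		if err != nil {
			return nil, fmt.Errorf("justification %d: %w", i, err)
		}
		j := new(Justification)
		if err := json.Unmarshal(b, j); err != nil {
			return nil, fmt.Errorf("justification %d: %w", i, err)
		}
		out = append(out, j)
	}
	return out, nil
}

func main() {
	claims := map[string]any{"justs": map[string]any{"category": "explanation", "value": "ticket-123"}} // constructed sample
	js, err := justificationsFromClaims(claims)
	fmt.Println(len(js), js[0].Category, js[0].Value, err) // 1 explanation ticket-123 <nil>
}
```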

func (*Justification) Descriptor deprecated

func (*Justification) Descriptor() ([]byte, []int)

Deprecated: Use Justification.ProtoReflect.Descriptor instead.

func (*Justification) GetCategory

func (x *Justification) GetCategory() string

func (*Justification) GetValue

func (x *Justification) GetValue() string

func (*Justification) ProtoMessage

func (*Justification) ProtoMessage()

func (*Justification) ProtoReflect

func (x *Justification) ProtoReflect() protoreflect.Message

func (*Justification) Reset

func (x *Justification) Reset()

func (*Justification) String

func (x *Justification) String() string

type UnimplementedCertificateActionServiceServer

type UnimplementedCertificateActionServiceServer struct {
}

UnimplementedCertificateActionServiceServer must be embedded to have forward compatible implementations.

func (UnimplementedCertificateActionServiceServer) CertificateAction

type UnimplementedJVSServiceServer

type UnimplementedJVSServiceServer struct {
}

UnimplementedJVSServiceServer must be embedded to have forward compatible implementations.

type UnsafeCertificateActionServiceServer

type UnsafeCertificateActionServiceServer interface {
	// contains filtered or unexported methods
}

UnsafeCertificateActionServiceServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to CertificateActionServiceServer will result in compilation errors.

type UnsafeJVSServiceServer

type UnsafeJVSServiceServer interface {
	// contains filtered or unexported methods
}

UnsafeJVSServiceServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to JVSServiceServer will result in compilation errors.
