filesec

package
v0.22.0
Published: Apr 22, 2021 License: Apache-2.0 Imports: 28 Imported by: 1

Documentation

Overview

Package filesec provides a manually configurable security Provider. It lets you set every parameter, such as key paths, by hand, without making any assumptions about your system.

It does not support enrollment.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MatchAnyRegex

func MatchAnyRegex(str []byte, regex []string) bool

MatchAnyRegex checks str against a list of regular expressions; if any of them matches, true is returned

Types

type Config

type Config struct {
	// Identity when not empty will force the identity to be used for validations etc
	Identity string

	// Certificate is the path to the public certificate
	Certificate string

	// Key is the path to the private key
	Key string

	// CA is the path to the Certificate Authority
	CA string

	// Cache is where known client certificates will be stored
	Cache string

	// PrivilegedUsers is a list of regular expressions that identify privileged users
	PrivilegedUsers []string

	// AllowList is a list of regular expressions that identify valid users to allow in
	AllowList []string

	// DisableTLSVerify disables TLS verify in HTTP clients etc
	DisableTLSVerify bool

	// AlwaysOverwriteCache supports always overwriting the local filesystem cache
	AlwaysOverwriteCache bool

	// RemoteSignerURL is a URL where a remote signer is running
	RemoteSignerURL string

	// RemoteSignerTokenFile is a file with a token for access to the remote signer
	RemoteSignerTokenFile string

	// RemoteSignerTokenEnvironment is an environment variable that will hold the signer token
	RemoteSignerTokenEnvironment string

	// TLSSetup is the shared TLS configuration state between security providers
	TLSConfig *tlssetup.Config

	// BackwardCompatVerification enables custom verification that allows legacy certificates without SANs
	BackwardCompatVerification bool
}

Config is the configuration for FileSecurity
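As an added illustration, not the package's own code, of how the documented pieces fit together (a caller name of the form choria=identity, MatchAnyRegex, and the AllowList and PrivilegedUsers regex lists from Config), the following Go snippet parses a caller and evaluates the identity against both lists. The Decision type, the Authorize function and the choice to skip patterns that fail to compile are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed illustration of the documented access inputs: a caller name
// "choria=identity" and the AllowList / PrivilegedUsers regex lists from
// Config. Not the package's own code; it assumes Go regexp semantics, where
// a pattern matches anywhere in the identity unless it is anchored.

// Decision is the access-control outcome for one caller.
type Decision struct {
	Identity   string
	Allowed    bool // matched an AllowList pattern
	Privileged bool // matched a PrivilegedUsers pattern
}

// CallerIdentity extracts identity from a "choria=identity" caller name.
func CallerIdentity(caller string) (string, error) {
	parts := strings.SplitN(caller, "=", 2)
	if len(parts) != 2 || parts[0] != "choria" || parts[1] == "" {
		return "", fmt.Errorf("invalid caller name %q", caller)
	}
	return parts[1], nil
}

// MatchAnyRegex reports whether str matches any pattern in regex;
// a pattern that does not compile is skipped, never treated as a wildcard.
func MatchAnyRegex(str []byte, regex []string) bool {
	for _, r := range regex {
		if re, err := regexp.Compile(r); err == nil && re.Match(str) {
			return true
		}
	}
	return false
}

// Authorize parses caller and evaluates the identity against both lists.
func Authorize(caller string, allowList, privileged []string) (Decision, error) {
	id, err := CallerIdentity(caller)
	if err != nil {
		return Decision{}, err
	}
	return Decision{Identity: id, Allowed: MatchAnyRegex([]byte(id), allowList), Privileged: MatchAnyRegex([]byte(id), privileged)}, nil
}

func main() { fmt.Println(Authorize("choria=admin.example.net", []string{`\.example\.net$`}, []string{`^admin\.`})) }
```

Because Go patterns match unanchored by default, a list entry such as `admin` also matches `notadmin.example.net`; anchor entries with `^` and `$` so the allow list grants exactly the identities intended.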

type FileSecurity

type FileSecurity struct {
	// contains filtered or unexported fields
}

FileSecurity implements SecurityProvider using files on disk

func New

func New(opts ...Option) (*FileSecurity, error)

New creates a new instance of the File Security provider

func (*FileSecurity) CachePublicData

func (s *FileSecurity) CachePublicData(data []byte, identity string) error

CachePublicData caches the public key for an identity

func (*FileSecurity) CachedPublicData

func (s *FileSecurity) CachedPublicData(identity string) ([]byte, error)

CachedPublicData retrieves the previously cached public data for a given identity

func (*FileSecurity) CallerIdentity

func (s *FileSecurity) CallerIdentity(caller string) (string, error)

CallerIdentity extracts the identity from a Choria-style caller name of the form choria=identity

func (*FileSecurity) CallerName

func (s *FileSecurity) CallerName() string

CallerName creates a Choria-style caller name of the form choria=identity

func (*FileSecurity) ChecksumBytes

func (s *FileSecurity) ChecksumBytes(data []byte) []byte

ChecksumBytes calculates a sha256 checksum for data

func (*FileSecurity) ChecksumString

func (s *FileSecurity) ChecksumString(data string) []byte

ChecksumString calculates a sha256 checksum for data

func (*FileSecurity) ClientTLSConfig added in v0.21.0

func (s *FileSecurity) ClientTLSConfig() (*tls.Config, error)

func (*FileSecurity) Enroll

func (s *FileSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(digest string, try int)) error

Enroll is not supported

func (*FileSecurity) HTTPClient

func (s *FileSecurity) HTTPClient(secure bool) (*http.Client, error)

HTTPClient creates a standard HTTP client with optional security; when secure, it is set to use the CA and client certs for auth. The server name should match the remote host's name for SNI

func (*FileSecurity) Identity

func (s *FileSecurity) Identity() string

Identity determines the choria certname

func (*FileSecurity) PrivilegedVerifyByteSignature

func (s *FileSecurity) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool

PrivilegedVerifyByteSignature verifies whether the signature received is from any of the privileged certs or from the given identity

func (*FileSecurity) PrivilegedVerifyStringSignature

func (s *FileSecurity) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool

PrivilegedVerifyStringSignature verifies whether the signature received is from any of the privileged certs or from the given identity

func (*FileSecurity) Provider

func (s *FileSecurity) Provider() string

Provider reports the name of the security provider

func (*FileSecurity) PublicCertPem

func (s *FileSecurity) PublicCertPem() (*pem.Block, error)

PublicCertPem retrieves the public certificate for this instance

func (*FileSecurity) PublicCertTXT

func (s *FileSecurity) PublicCertTXT() ([]byte, error)

PublicCertTXT retrieves pem data in textual form for the public certificate of the current identity

func (*FileSecurity) RemoteSignRequest

func (s *FileSecurity) RemoteSignRequest(str []byte) (signed []byte, err error)

RemoteSignRequest signs a choria request using a remote signer and returns a secure request

func (*FileSecurity) SSLContext

func (s *FileSecurity) SSLContext() (*http.Transport, error)

SSLContext creates an SSL context loaded with our certs and CA

func (*FileSecurity) SignBytes

func (s *FileSecurity) SignBytes(str []byte) ([]byte, error)

SignBytes signs a message using the SHA256 PKCS1v15 scheme

func (*FileSecurity) SignString

func (s *FileSecurity) SignString(str string) ([]byte, error)

SignString signs a message using the SHA256 PKCS1v15 scheme

func (*FileSecurity) TLSConfig

func (s *FileSecurity) TLSConfig() (*tls.Config, error)

TLSConfig creates a TLS configuration for use by NATS, HTTPS etc

func (*FileSecurity) Validate

func (s *FileSecurity) Validate() ([]string, bool)

Validate determines if the node represents a valid SSL configuration

func (*FileSecurity) VerifyByteSignature

func (s *FileSecurity) VerifyByteSignature(dat []byte, sig []byte, identity string) bool

VerifyByteSignature verifies that dat matches the signature sig made by the key of identity; if identity is "" the active public key will be used

func (*FileSecurity) VerifyCertificate

func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error

VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given

func (*FileSecurity) VerifyStringSignature

func (s *FileSecurity) VerifyStringSignature(str string, sig []byte, identity string) bool

VerifyStringSignature verifies that str matches the signature sig made by the key of identity
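The Sign* and Verify* methods above are documented as SHA256 PKCS1v15. This added Go example, not the package's own code, reproduces that scheme with the standard library, generating throwaway RSA keys in memory in place of Config.Key and the cached certificates, and shows that verification fails both for altered data and for a key other than the signing identity's. RoundTrip and the key-handling signatures are choices of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed illustration of the documented SHA256 PKCS1v15 signing; not the
// package's code: keys are generated in memory, not loaded from Config.Key or the cache.

// ChecksumBytes returns the SHA-256 digest of data.
func ChecksumBytes(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// SignBytes signs the SHA-256 digest of data with key using PKCS#1 v1.5.
func SignBytes(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, ChecksumBytes(data))
}

// VerifyByteSignature is false if data or sig was altered or another key signed it.
func VerifyByteSignature(pub *rsa.PublicKey, data, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, ChecksumBytes(data), sig) == nil
}

// RoundTrip signs msg and verifies it as-is, after tampering, and with the wrong key.
func RoundTrip(msg string) (valid, tampered, wrongKey bool, err error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	sig, err := SignBytes(signer, []byte(msg))
	if err != nil {
		return false, false, false, err
	}
	valid = VerifyByteSignature(&signer.PublicKey, []byte(msg), sig)
	tampered = VerifyByteSignature(&signer.PublicKey, []byte(msg+"!"), sig)
	wrongKey = VerifyByteSignature(&other.PublicKey, []byte(msg), sig)
	return valid, tampered, wrongKey, nil
}

func main() { fmt.Println(RoundTrip("choria request")) }
```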

type Option

type Option func(*FileSecurity) error

Option is a function that can configure the File Security Provider

func WithChoriaConfig

func WithChoriaConfig(c *config.Config) Option

WithChoriaConfig optionally configures the File Security Provider from settings found in a typical Choria configuration

func WithConfig

func WithConfig(c *Config) Option

WithConfig optionally configures the File Security Provider using its native configuration format

func WithLog

func WithLog(l *logrus.Entry) Option

WithLog configures a logger for the File Security Provider
