Documentation ¶
Overview ¶
Package filesec provides a manually configurable security Provider. It lets you set every parameter, such as key and certificate paths, by hand, without making any assumptions about your system.
It does not support enrollment.
Index ¶
- func MatchAnyRegex(str []byte, regex []string) bool
- type Config
- type FileSecurity
- func (s *FileSecurity) CachePublicData(data []byte, identity string) error
- func (s *FileSecurity) CachedPublicData(identity string) ([]byte, error)
- func (s *FileSecurity) CallerIdentity(caller string) (string, error)
- func (s *FileSecurity) CallerName() string
- func (s *FileSecurity) ChecksumBytes(data []byte) []byte
- func (s *FileSecurity) ChecksumString(data string) []byte
- func (s *FileSecurity) ClientTLSConfig() (*tls.Config, error)
- func (s *FileSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(digest string, try int)) error
- func (s *FileSecurity) HTTPClient(secure bool) (*http.Client, error)
- func (s *FileSecurity) Identity() string
- func (s *FileSecurity) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool
- func (s *FileSecurity) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool
- func (s *FileSecurity) Provider() string
- func (s *FileSecurity) PublicCertPem() (*pem.Block, error)
- func (s *FileSecurity) PublicCertTXT() ([]byte, error)
- func (s *FileSecurity) RemoteSignRequest(str []byte) (signed []byte, err error)
- func (s *FileSecurity) SSLContext() (*http.Transport, error)
- func (s *FileSecurity) SignBytes(str []byte) ([]byte, error)
- func (s *FileSecurity) SignString(str string) ([]byte, error)
- func (s *FileSecurity) TLSConfig() (*tls.Config, error)
- func (s *FileSecurity) Validate() ([]string, bool)
- func (s *FileSecurity) VerifyByteSignature(dat []byte, sig []byte, identity string) bool
- func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error
- func (s *FileSecurity) VerifyStringSignature(str string, sig []byte, identity string) bool
- type Option
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func MatchAnyRegex ¶
MatchAnyRegex checks str against a list of regular expressions; it returns true if any of them match.
Types ¶
type Config ¶
type Config struct {
	// Identity when not empty will force the identity to be used for validations etc
	Identity string
	// Certificate is the path to the public certificate
	Certificate string
	// Key is the path to the private key
	Key string
	// CA is the path to the Certificate Authority
	CA string
	// Cache is where known client certificates will be stored
	Cache string
	// PrivilegedUsers is a list of regular expressions that identify privileged users
	PrivilegedUsers []string
	// AllowList is a list of regular expressions that identify valid users to allow in
	AllowList []string
	// DisableTLSVerify disables TLS verification in HTTP clients etc
	DisableTLSVerify bool
	// AlwaysOverwriteCache supports always overwriting the local filesystem cache
	AlwaysOverwriteCache bool
	// RemoteSignerURL is a URL where a remote signer is running
	RemoteSignerURL string
	// RemoteSignerTokenFile is a file with a token for access to the remote signer
	RemoteSignerTokenFile string
	// RemoteSignerTokenEnvironment is an environment variable that will hold the signer token
	RemoteSignerTokenEnvironment string
	// TLSConfig is the shared TLS configuration state between security providers
	TLSConfig *tlssetup.Config
	// BackwardCompatVerification enables custom verification that allows legacy certificates without SANs
	BackwardCompatVerification bool
}
Config is the configuration for FileSecurity
type FileSecurity ¶
type FileSecurity struct {
// contains filtered or unexported fields
}
FileSecurity implements SecurityProvider using files on disk
func New ¶
func New(opts ...Option) (*FileSecurity, error)
New creates a new instance of the File Security provider
func (*FileSecurity) CachePublicData ¶
func (s *FileSecurity) CachePublicData(data []byte, identity string) error
CachePublicData caches the public key for an identity
func (*FileSecurity) CachedPublicData ¶
func (s *FileSecurity) CachedPublicData(identity string) ([]byte, error)
CachedPublicData retrieves the previously cached public data for a given identity
func (*FileSecurity) CallerIdentity ¶
func (s *FileSecurity) CallerIdentity(caller string) (string, error)
CallerIdentity extracts the identity from a Choria-like caller name of the form choria=identity
func (*FileSecurity) CallerName ¶
func (s *FileSecurity) CallerName() string
CallerName creates a Choria-like caller name of the form choria=identity
func (*FileSecurity) ChecksumBytes ¶
func (s *FileSecurity) ChecksumBytes(data []byte) []byte
ChecksumBytes calculates a SHA-256 checksum for data
func (*FileSecurity) ChecksumString ¶
func (s *FileSecurity) ChecksumString(data string) []byte
ChecksumString calculates a SHA-256 checksum for data
func (*FileSecurity) ClientTLSConfig ¶ added in v0.21.0
func (s *FileSecurity) ClientTLSConfig() (*tls.Config, error)
func (*FileSecurity) Enroll ¶
func (s *FileSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(digest string, try int)) error
Enroll is not supported
func (*FileSecurity) HTTPClient ¶
func (s *FileSecurity) HTTPClient(secure bool) (*http.Client, error)
HTTPClient creates a standard HTTP client with optional security; when secure is true it is set to use the configured CA and client certificate for authentication
func (*FileSecurity) Identity ¶
func (s *FileSecurity) Identity() string
Identity determines the Choria certname
func (*FileSecurity) PrivilegedVerifyByteSignature ¶
func (s *FileSecurity) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool
PrivilegedVerifyByteSignature verifies that the signature received was made by any of the privileged certificates or by the given identity
func (*FileSecurity) PrivilegedVerifyStringSignature ¶
func (s *FileSecurity) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool
PrivilegedVerifyStringSignature verifies that the signature received was made by any of the privileged certificates or by the given identity
func (*FileSecurity) Provider ¶
func (s *FileSecurity) Provider() string
Provider reports the name of the security provider
func (*FileSecurity) PublicCertPem ¶
func (s *FileSecurity) PublicCertPem() (*pem.Block, error)
PublicCertPem retrieves the public certificate for this instance
func (*FileSecurity) PublicCertTXT ¶
func (s *FileSecurity) PublicCertTXT() ([]byte, error)
PublicCertTXT retrieves the PEM data, in textual form, of the public certificate for the current identity
func (*FileSecurity) RemoteSignRequest ¶
func (s *FileSecurity) RemoteSignRequest(str []byte) (signed []byte, err error)
RemoteSignRequest signs a Choria request using a remote signer and returns a secure request
func (*FileSecurity) SSLContext ¶
func (s *FileSecurity) SSLContext() (*http.Transport, error)
SSLContext creates an HTTP transport whose TLS configuration is loaded with our certificate, key and CA
func (*FileSecurity) SignBytes ¶
func (s *FileSecurity) SignBytes(str []byte) ([]byte, error)
SignBytes signs a message using RSA PKCS #1 v1.5 over a SHA-256 digest
func (*FileSecurity) SignString ¶
func (s *FileSecurity) SignString(str string) ([]byte, error)
SignString signs a message using RSA PKCS #1 v1.5 over a SHA-256 digest
func (*FileSecurity) TLSConfig ¶
func (s *FileSecurity) TLSConfig() (*tls.Config, error)
TLSConfig creates a TLS configuration for use by NATS, HTTPS etc
func (*FileSecurity) Validate ¶
func (s *FileSecurity) Validate() ([]string, bool)
Validate determines if the node represents a valid TLS configuration, returning the list of problems found and whether the configuration is valid
func (*FileSecurity) VerifyByteSignature ¶
func (s *FileSecurity) VerifyByteSignature(dat []byte, sig []byte, identity string) bool
VerifyByteSignature verifies that dat matches signature sig made by the key of identity; if identity is "" the active public key will be used
func (*FileSecurity) VerifyCertificate ¶
func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error
VerifyCertificate verifies that a certificate is signed by the configured CA and, if name is not "", that it is valid for the given name
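The signing, privileged-user and certificate checks documented above (SignBytes/VerifyByteSignature, PrivilegedVerifyByteSignature, MatchAnyRegex and VerifyCertificate) can be exercised end to end with only the standard library. The program below is an added, stand-alone illustration written for this page; it is not the filesec package's own code and it does not import it. It assumes in-memory certificates and keys in place of the Certificate, Key, CA and Cache paths, and a PrivilegedUsers pattern of `\.mcollective$`; the identities, request body and helper names (newCert, privilegedVerify, verifyCertificate, demo) are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// newCert mints an RSA key and X.509 certificate for cn in memory, standing in for the
// Certificate, Key and CA files the provider reads from disk. With parent == nil it is a
// self-signed CA, otherwise it is issued by parent. Panics on error (example code).
func newCert(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // a SAN is present, so BackwardCompatVerification is not needed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	issuer, issuerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate, so it parses
	return cert, key
}

// signBytes and verifyBytes use RSA PKCS #1 v1.5 over a SHA-256 digest, the scheme the SignBytes doc describes.
func signBytes(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	d := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}

func verifyBytes(pub *rsa.PublicKey, data, sig []byte) bool {
	d := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// privilegedVerify follows the PrivilegedVerifyByteSignature contract: sig is accepted if made by
// identity's own key, or by any cached key whose identity matches a PrivilegedUsers pattern
// (the MatchAnyRegex rule). cache stands in for the on-disk Cache directory of known public keys.
func privilegedVerify(cache map[string]*rsa.PublicKey, privileged []string, data, sig []byte, identity string) bool {
	if pub, ok := cache[identity]; ok && verifyBytes(pub, data, sig) {
		return true
	}
	for id, pub := range cache {
		for _, p := range privileged {
			if regexp.MustCompile(p).MatchString(id) && verifyBytes(pub, data, sig) {
				return true
			}
		}
	}
	return false
}

// verifyCertificate follows the VerifyCertificate contract: cert must chain to ca and, when name is not "", be valid for name.
func verifyCertificate(cert, ca *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

// demo builds a CA, a node, a privileged client and an outsider, and returns each check's outcome by name.
func demo() map[string]bool {
	ca, caKey := newCert("ca.example.net", nil, nil)
	node, nodeKey := newCert("node1.example.net", ca, caKey)
	_, ripKey := newCert("rip.mcollective", ca, caKey)
	mallory, malloryKey := newCert("mallory.example.net", nil, nil) // self-signed, not issued by ca
	cache := map[string]*rsa.PublicKey{"node1.example.net": &nodeKey.PublicKey, "rip.mcollective": &ripKey.PublicKey}
	privileged := []string{`\.mcollective$`}              // Config.PrivilegedUsers, anchored so "x.mcollective.evil" fails
	req := []byte(`{"agent":"puppet","action":"status"}`) // constructed request body
	nodeSig, _ := signBytes(nodeKey, req)
	ripSig, _ := signBytes(ripKey, req)
	mallorySig, _ := signBytes(malloryKey, req)
	return map[string]bool{
		"own key accepted":          privilegedVerify(cache, privileged, req, nodeSig, "node1.example.net"),
		"privileged key accepted":   privilegedVerify(cache, privileged, req, ripSig, "node1.example.net"),
		"unknown key rejected":      !privilegedVerify(cache, privileged, req, mallorySig, "node1.example.net"),
		"cert chains to ca":         verifyCertificate(node, ca, "node1.example.net") == nil,
		"cert name mismatch caught": verifyCertificate(node, ca, "node2.example.net") != nil,
		"foreign cert rejected":     verifyCertificate(mallory, ca, "mallory.example.net") != nil,
	}
}

func main() {
	fmt.Println(demo())
}
```

Two points worth noticing: the privileged check only succeeds for keys that are already in the cache, so a signer whose public key was never cached cannot become privileged merely by picking a matching name, and the PrivilegedUsers pattern is anchored with `$`, since an unanchored pattern such as `mcollective` would also match an identity like `mcollective.attacker.example`.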
func (*FileSecurity) VerifyStringSignature ¶
func (s *FileSecurity) VerifyStringSignature(str string, sig []byte, identity string) bool
VerifyStringSignature verifies that str matches signature sig made by the key of identity
type Option ¶
type Option func(*FileSecurity) error
Option is a function that can configure the File Security Provider
func WithChoriaConfig ¶
WithChoriaConfig optionally configures the File Security Provider from settings found in a typical Choria configuration
func WithConfig ¶
WithConfig optionally configures the File Security Provider using its native configuration format