Documentation
Overview
Package filesec provides a manually configurable security provider: every parameter, such as key paths, is set by hand, and no assumptions are made about your system.
It does not support any enrollment.
Index
- func MatchAnyRegex(str string, regex []string) bool
- type BuildInfoProvider
- type Config
- type FileSecurity
- func (s *FileSecurity) BackingTechnology() inter.SecurityTechnology
- func (s *FileSecurity) CallerIdentity(caller string) (string, error)
- func (s *FileSecurity) CallerName() string
- func (s *FileSecurity) ChecksumBytes(data []byte) []byte
- func (s *FileSecurity) ClientTLSConfig() (*tls.Config, error)
- func (s *FileSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(digest string, try int)) error
- func (s *FileSecurity) HTTPClient(secure bool) (*http.Client, error)
- func (s *FileSecurity) Identity() string
- func (s *FileSecurity) IsRemoteSigning() bool
- func (s *FileSecurity) Provider() string
- func (s *FileSecurity) PublicCert() (*x509.Certificate, error)
- func (s *FileSecurity) PublicCertBytes() ([]byte, error)
- func (s *FileSecurity) PublicCertPem() (*pem.Block, error)
- func (s *FileSecurity) RemoteSignRequest(ctx context.Context, request []byte) (signed []byte, err error)
- func (s *FileSecurity) RemoteSignerToken() ([]byte, error)
- func (s *FileSecurity) RemoteSignerURL() (*url.URL, error)
- func (s *FileSecurity) SSLContext() (*http.Transport, error)
- func (s *FileSecurity) ShouldAllowCaller(data []byte, name string) (privileged bool, err error)
- func (s *FileSecurity) SignBytes(str []byte) ([]byte, error)
- func (s *FileSecurity) TLSConfig() (*tls.Config, error)
- func (s *FileSecurity) Validate() ([]string, bool)
- func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error
- func (s *FileSecurity) VerifySignatureBytes(dat []byte, sig []byte, public ...[]byte) (should bool, signer string)
- type Option
Constants
This section is empty.
Variables
This section is empty.
Functions
func MatchAnyRegex
MatchAnyRegex checks str against a list of regular expressions and returns true if any of them matches.
Types
type BuildInfoProvider added in v0.23.0
type BuildInfoProvider interface {
ClientIdentitySuffix() string
}
BuildInfoProvider provides info about the build
type Config
type Config struct {
	// Identity when not empty will force the identity to be used for validations etc
	Identity string
	// Certificate is the path to the public certificate
	Certificate string
	// Key is the path to the private key
	Key string
	// CA is the path to the Certificate Authority
	CA string
	// PrivilegedUsers is a list of regular expressions that identify privileged users
	PrivilegedUsers []string
	// AllowList is a list of regular expressions that identify valid users to allow in
	AllowList []string
	// DisableTLSVerify disables TLS verify in HTTP clients etc
	DisableTLSVerify bool
	// RemoteSignerURL is a URL where a remote signer is running
	RemoteSignerURL string
	// RemoteSignerTokenFile is a file with a token for access to the remote signer
	RemoteSignerTokenFile string
	// TLSConfig is the shared TLS configuration state between security providers
	TLSConfig *tlssetup.Config
	// BackwardCompatVerification enables custom verification that allows legacy certificates without SANs
	BackwardCompatVerification bool
	// IdentitySuffix is the suffix to append to usernames when creating certnames and identities
	IdentitySuffix string
	// RemoteSigner is the signer used to sign requests using a remote like AAA Service
	RemoteSigner inter.RequestSigner
}
Config is the configuration for FileSecurity
type FileSecurity
type FileSecurity struct {
// contains filtered or unexported fields
}
FileSecurity implements SecurityProvider using files on disk
func New
func New(opts ...Option) (*FileSecurity, error)
New creates a new instance of the File Security provider
func (*FileSecurity) BackingTechnology added in v0.26.2
func (s *FileSecurity) BackingTechnology() inter.SecurityTechnology
func (*FileSecurity) CallerIdentity
func (s *FileSecurity) CallerIdentity(caller string) (string, error)
CallerIdentity extracts the identity from a choria-like caller name of the form choria=identity
func (*FileSecurity) CallerName
func (s *FileSecurity) CallerName() string
CallerName creates a choria-like caller name of the form choria=identity
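As an added example (not the filesec package's own code): the choria=identity caller-name form that CallerName and CallerIdentity document, the regex check MatchAnyRegex documents, and a sketch of applying the AllowList and PrivilegedUsers patterns from Config to a caller. The function names are hypothetical, and how the real ShouldAllowCaller combines the two lists is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// callerName builds a caller name in the choria=identity form CallerName documents.
func callerName(identity string) string {
	return "choria=" + identity
}

// callerIdentity extracts the identity from a choria=identity caller name, as
// CallerIdentity documents; any other shape is rejected.
func callerIdentity(caller string) (string, error) {
	kind, identity, found := strings.Cut(caller, "=")
	if !found || kind != "choria" || identity == "" {
		return "", fmt.Errorf("caller %q is not in the form choria=identity", caller)
	}
	return identity, nil
}

// matchAnyRegex reports whether str matches any pattern in regex, the check MatchAnyRegex
// documents. A pattern that does not compile counts as no match instead of panicking.
func matchAnyRegex(str string, regex []string) bool {
	for _, pattern := range regex {
		re, err := regexp.Compile(pattern)
		if err != nil {
			continue
		}
		if re.MatchString(str) {
			return true
		}
	}
	return false
}

// shouldAllowCaller applies a Config's AllowList and PrivilegedUsers to a caller name:
// the identity must match AllowList to be admitted, and is privileged if it also matches
// PrivilegedUsers. How the real ShouldAllowCaller combines them is an assumption here.
func shouldAllowCaller(caller string, allowList, privilegedUsers []string) (allowed, privileged bool, err error) {
	identity, err := callerIdentity(caller)
	if err != nil {
		return false, false, err
	}
	if !matchAnyRegex(identity, allowList) {
		return false, false, fmt.Errorf("caller %q is not on the allow list", identity)
	}
	return true, matchAnyRegex(identity, privilegedUsers), nil
}
```

Matching is unanchored, so an allow-list entry such as `admin` also admits `notadmin.example.net`; anchor entries with ^ and $.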
func (*FileSecurity) ChecksumBytes
func (s *FileSecurity) ChecksumBytes(data []byte) []byte
ChecksumBytes calculates a sha256 checksum for data
func (*FileSecurity) ClientTLSConfig added in v0.21.0
func (s *FileSecurity) ClientTLSConfig() (*tls.Config, error)
func (*FileSecurity) Enroll
func (s *FileSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(digest string, try int)) error
Enroll is not supported
func (*FileSecurity) HTTPClient
func (s *FileSecurity) HTTPClient(secure bool) (*http.Client, error)
HTTPClient creates a standard HTTP client with optional security; when secure, it is set to use the CA and client certs for auth. The servername should match the remote host's name for SNI.
func (*FileSecurity) Identity
func (s *FileSecurity) Identity() string
Identity determines the choria certname
func (*FileSecurity) IsRemoteSigning added in v0.24.0
func (s *FileSecurity) IsRemoteSigning() bool
IsRemoteSigning determines if a remote signer is set
func (*FileSecurity) Provider
func (s *FileSecurity) Provider() string
Provider reports the name of the security provider
func (*FileSecurity) PublicCert added in v0.23.0
func (s *FileSecurity) PublicCert() (*x509.Certificate, error)
PublicCert is the parsed public certificate
func (*FileSecurity) PublicCertBytes added in v0.26.2
func (s *FileSecurity) PublicCertBytes() ([]byte, error)
PublicCertBytes retrieves PEM data in textual form for the public certificate of the current identity
func (*FileSecurity) PublicCertPem
func (s *FileSecurity) PublicCertPem() (*pem.Block, error)
PublicCertPem retrieves the public certificate for this instance
func (*FileSecurity) RemoteSignRequest
func (s *FileSecurity) RemoteSignRequest(ctx context.Context, request []byte) (signed []byte, err error)
RemoteSignRequest signs a choria request using a remote signer and returns a secure request
func (*FileSecurity) RemoteSignerToken added in v0.24.0
func (s *FileSecurity) RemoteSignerToken() ([]byte, error)
func (*FileSecurity) RemoteSignerURL added in v0.24.0
func (s *FileSecurity) RemoteSignerURL() (*url.URL, error)
func (*FileSecurity) SSLContext
func (s *FileSecurity) SSLContext() (*http.Transport, error)
SSLContext creates an SSL context loaded with our certificates and CA
func (*FileSecurity) ShouldAllowCaller added in v0.26.2
func (s *FileSecurity) ShouldAllowCaller(data []byte, name string) (privileged bool, err error)
func (*FileSecurity) SignBytes
func (s *FileSecurity) SignBytes(str []byte) ([]byte, error)
SignBytes signs a message using SHA256 with PKCS#1 v1.5
func (*FileSecurity) TLSConfig
func (s *FileSecurity) TLSConfig() (*tls.Config, error)
TLSConfig creates a TLS configuration for use by NATS, HTTPS etc
func (*FileSecurity) Validate
func (s *FileSecurity) Validate() ([]string, bool)
Validate determines if the node represents a valid SSL configuration
func (*FileSecurity) VerifyCertificate
func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error
VerifyCertificate verifies that a certificate is signed by the configured CA and, if name is not "", that it matches the given name
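An added example, not the package's code, of the contract VerifyCertificate documents, implemented with Go's standard x509 verifier over a constructed CA and leaf certificates; it also exercises the legacy no-SAN case that the BackwardCompatVerification option refers to, which the standard verifier rejects. Function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// verifyCertificate follows the contract VerifyCertificate documents: certpem must chain to ca and, when name is not "", be valid for name.
func verifyCertificate(certpem []byte, name string, ca *x509.Certificate) error {
	block, _ := pem.Decode(certpem)
	if block == nil {
		return errors.New("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Only SANs are honoured: a legacy certificate naming the node in CommonName alone fails here, the case BackwardCompatVerification exists to relax.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

// mintCert is a constructed fixture: a self-signed CA when parent is nil, otherwise a leaf signed by parent with sans as its SANs; returns PEM, parsed form and key.
func mintCert(cn string, sans []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed CA, signed with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { return nil, nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key, err
}
```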
func (*FileSecurity) VerifySignatureBytes added in v0.26.2
func (s *FileSecurity) VerifySignatureBytes(dat []byte, sig []byte, public ...[]byte) (should bool, signer string)
VerifySignatureBytes verifies that dat matches the signature sig made by the key; if public is empty the active public key is used
type Option
type Option func(*FileSecurity) error
Option is a function that can configure the File Security Provider
func WithChoriaConfig
func WithChoriaConfig(bi BuildInfoProvider, c *config.Config) Option
WithChoriaConfig optionally configures the File Security Provider from settings found in a typical Choria configuration
func WithConfig
WithConfig optionally configures the File Security Provider using its native configuration format
func WithSigner added in v0.24.0
func WithSigner(signer inter.RequestSigner) Option
WithSigner configures a remote request signer