Documentation
¶
Overview ¶
Package filesec provides a manually configurable security Provider it allows you set every parameter like key paths etc manually without making any assumptions about your system
It does not support any enrollment
Index ¶
- func MatchAnyRegex(str []byte, regex []string) bool
- type Config
- type FileSecurity
- func (s *FileSecurity) CachePublicData(data []byte, identity string) error
- func (s *FileSecurity) CachedPublicData(identity string) ([]byte, error)
- func (s *FileSecurity) CallerIdentity(caller string) (string, error)
- func (s *FileSecurity) CallerName() string
- func (s *FileSecurity) ChecksumBytes(data []byte) []byte
- func (s *FileSecurity) ChecksumString(data string) []byte
- func (s *FileSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(int)) error
- func (s *FileSecurity) HTTPClient(secure bool) (*http.Client, error)
- func (s *FileSecurity) Identity() string
- func (s *FileSecurity) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool
- func (s *FileSecurity) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool
- func (s *FileSecurity) Provider() string
- func (s *FileSecurity) PublicCertPem() (*pem.Block, error)
- func (s *FileSecurity) PublicCertTXT() ([]byte, error)
- func (s *FileSecurity) RemoteSignRequest(str []byte) (signed []byte, err error)
- func (s *FileSecurity) SSLContext() (*http.Transport, error)
- func (s *FileSecurity) SignBytes(str []byte) ([]byte, error)
- func (s *FileSecurity) SignString(str string) ([]byte, error)
- func (s *FileSecurity) TLSConfig() (*tls.Config, error)
- func (s *FileSecurity) Validate() ([]string, bool)
- func (s *FileSecurity) VerifyByteSignature(dat []byte, sig []byte, identity string) bool
- func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error
- func (s *FileSecurity) VerifyStringSignature(str string, sig []byte, identity string) bool
- type Option
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func MatchAnyRegex ¶
MatchAnyRegex checks str against a list of possible regex, if any match true is returned
Types ¶
type Config ¶
type Config struct {
// Identity when not empty will force the identity to be used for validations etc
Identity string
// Certificate is the path to the public certificate
Certificate string
// Key is the path to the private key
Key string
// CA is the path to the Certificate Authority
CA string
// Cache is where known client certificates will be stored
Cache string
// PrivilegedUsers is a list of regular expressions that identity privileged users
PrivilegedUsers []string
// AllowList is a list of regular expressions that identity valid users to allow in
AllowList []string
// DisableTLSVerify disables TLS verify in HTTP clients etc
DisableTLSVerify bool
// AlwaysOverwriteCache supports always overwriting the local filesystem cache
AlwaysOverwriteCache bool
// Is a URL where a remote signer is running
RemoteSignerURL string
// RemoteSignerTokenFile is a file with a token for access to the remote signer
RemoteSignerTokenFile string
// RemoteSignerTokenEnvironment is an environment variable that will hold the signer token
RemoteSignerTokenEnvironment string
}
Config is the configuration for FileSecurity
type FileSecurity ¶
type FileSecurity struct {
// contains filtered or unexported fields
}
FileSecurity implements SecurityProvider using files on disk
func New ¶
func New(opts ...Option) (*FileSecurity, error)
New creates a new instance of the File Security provider
func (*FileSecurity) CachePublicData ¶
func (s *FileSecurity) CachePublicData(data []byte, identity string) error
CachePublicData caches the public key for a identity
func (*FileSecurity) CachedPublicData ¶
func (s *FileSecurity) CachedPublicData(identity string) ([]byte, error)
CachedPublicData retrieves the previously cached public data for a given identity
func (*FileSecurity) CallerIdentity ¶
func (s *FileSecurity) CallerIdentity(caller string) (string, error)
CallerIdentity extracts the identity from a choria like caller name in the form of choria=identity
func (*FileSecurity) CallerName ¶
func (s *FileSecurity) CallerName() string
CallerName creates a choria like caller name in the form of choria=identity
func (*FileSecurity) ChecksumBytes ¶
func (s *FileSecurity) ChecksumBytes(data []byte) []byte
ChecksumBytes calculates a sha256 checksum for data
func (*FileSecurity) ChecksumString ¶
func (s *FileSecurity) ChecksumString(data string) []byte
ChecksumString calculates a sha256 checksum for data
func (*FileSecurity) HTTPClient ¶
func (s *FileSecurity) HTTPClient(secure bool) (*http.Client, error)
HTTPClient creates a standard HTTP client with optional security, it will be set to use the CA and client certs for auth. servername should match the remote hosts name for SNI
func (*FileSecurity) Identity ¶
func (s *FileSecurity) Identity() string
Identity determines the choria certname
func (*FileSecurity) PrivilegedVerifyByteSignature ¶
func (s *FileSecurity) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool
PrivilegedVerifyByteSignature verifies if the signature received is from any of the privileged certs or the given identity
func (*FileSecurity) PrivilegedVerifyStringSignature ¶
func (s *FileSecurity) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool
PrivilegedVerifyStringSignature verifies if the signature received is from any of the privileged certs or the given identity
func (*FileSecurity) Provider ¶
func (s *FileSecurity) Provider() string
Provider reports the name of the security provider
func (*FileSecurity) PublicCertPem ¶
func (s *FileSecurity) PublicCertPem() (*pem.Block, error)
PublicCertPem retrieves the public certificate for this instance
func (*FileSecurity) PublicCertTXT ¶
func (s *FileSecurity) PublicCertTXT() ([]byte, error)
PublicCertTXT retrieves pem data in textual form for the public certificate of the current identity
func (*FileSecurity) RemoteSignRequest ¶ added in v0.6.0
func (s *FileSecurity) RemoteSignRequest(str []byte) (signed []byte, err error)
RemoteSignRequest signs a choria request using a remote signer and returns a secure request
func (*FileSecurity) SSLContext ¶
func (s *FileSecurity) SSLContext() (*http.Transport, error)
SSLContext creates a SSL context loaded with our certs and ca
func (*FileSecurity) SignBytes ¶
func (s *FileSecurity) SignBytes(str []byte) ([]byte, error)
SignBytes signs a message using a SHA256 PKCS1v15 protocol
func (*FileSecurity) SignString ¶
func (s *FileSecurity) SignString(str string) ([]byte, error)
SignString signs a message using a SHA256 PKCS1v15 protocol
func (*FileSecurity) TLSConfig ¶
func (s *FileSecurity) TLSConfig() (*tls.Config, error)
TLSConfig creates a TLS configuration for use by NATS, HTTPS etc
func (*FileSecurity) Validate ¶
func (s *FileSecurity) Validate() ([]string, bool)
Validate determines if the node represents a valid SSL configuration
func (*FileSecurity) VerifyByteSignature ¶
func (s *FileSecurity) VerifyByteSignature(dat []byte, sig []byte, identity string) bool
VerifyByteSignature verify that dat matches signature sig made by the key of identity if identity is "" the active public key will be used
func (*FileSecurity) VerifyCertificate ¶
func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error
VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given
func (*FileSecurity) VerifyStringSignature ¶
func (s *FileSecurity) VerifyStringSignature(str string, sig []byte, identity string) bool
VerifyStringSignature verify that str matches signature sig made by the key of identity
type Option ¶
type Option func(*FileSecurity) error
Option is a function that can configure the File Security Provider
func WithChoriaConfig ¶
func WithChoriaConfig(c *config.Config) Option
WithChoriaConfig optionally configures the File Security Provider from settings found in a typical Choria configuration
func WithConfig ¶
WithConfig optionally configures the File Security Provider using its native configuration format
Source Files