security

package
v0.9.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 17, 2020 License: Apache-2.0 Imports: 18 Imported by: 16

README

Certificate Management

Documentation

Index

Constants

View Source
const (
	MaxKeyPerm  os.FileMode = 0700
	MaxCertPerm os.FileMode = 0664
	MaxDirPerm  os.FileMode = 0700
)

Variables

This section is empty.

Functions

func DialOptionForTransportConfig

func DialOptionForTransportConfig(cfg *TransportConfig) (grpc.DialOption, error)

func GetClientTransportCredentials

func GetClientTransportCredentials(cfg *TransportConfig) (credentials.TransportCredentials, error)

func GetServerTransportCredentials

func GetServerTransportCredentials(cfg *TransportConfig) (credentials.TransportCredentials, error)

func LoadCertificate

func LoadCertificate(certPath string) (*x509.Certificate, error)

LoadCertificate loads the certificate specified at the given path into an x509 Certificate object

func LoadPEMData

func LoadPEMData(filePath string, perms os.FileMode) ([]byte, error)

LoadPEMData handles security checking on the PEM file based on perms and returns the bytes in the PEM file

func LoadPrivateKey

func LoadPrivateKey(keyPath string) (crypto.PrivateKey, error)

LoadPrivateKey loads the private key specified at the given path into an crypto.PrivateKey interface compliant object.

func ServerOptionForTransportConfig

func ServerOptionForTransportConfig(cfg *TransportConfig) (grpc.ServerOption, error)

func ValidateCertDirectory

func ValidateCertDirectory(certDir string) error

ValidateCertDirectory ensures the certificate directory has safe permissions set on it.

Types

type CertificateConfig

type CertificateConfig struct {
	ServerName      string `yaml:"server_name,omitempty"`
	ClientCertDir   string `yaml:"client_cert_dir,omitempty"`
	CARootPath      string `yaml:"ca_cert"`
	CertificatePath string `yaml:"cert"`
	PrivateKeyPath  string `yaml:"key"`
	// contains filtered or unexported fields
}

CertificateConfig contains the specific certificate information for the daos component. ServerName is only needed if the config is being used as a transport credential for a gRPC tls client.

type Component added in v0.9.0

type Component int

Component represents the DAOS component being granted authorization.

const (
	ComponentUndefined Component = iota
	ComponentAdmin
	ComponentAgent
	ComponentServer
)

func CommonNameToComponent added in v0.9.0

func CommonNameToComponent(commonname string) Component

CommonNameToComponent returns the correct component based on the CommonName

func (Component) HasAccess added in v0.9.0

func (c Component) HasAccess(FullMethod string) bool

HasAccess check if the given component has access to method given in FullMethod

func (Component) String added in v0.9.0

func (c Component) String() string

type DomainInfo

type DomainInfo struct {
	// contains filtered or unexported fields
}

DomainInfo holds our socket credentials to be used by the DomainSocketServer

func DomainInfoFromUnixConn

func DomainInfoFromUnixConn(log logging.Logger, sock *net.UnixConn) (*DomainInfo, error)

DomainInfoFromUnixConn determines credentials from a unix socket.

func InitDomainInfo

func InitDomainInfo(creds *syscall.Ucred, ctx string) *DomainInfo

InitDomainInfo returns an initialized DomainInfo structure

func (*DomainInfo) Ctx

func (d *DomainInfo) Ctx() string

Ctx returns the additional security information obtained from the domain socket

func (*DomainInfo) Gid

func (d *DomainInfo) Gid() uint32

Gid returns the GID obtained from the domain socket

func (*DomainInfo) Uid

func (d *DomainInfo) Uid() uint32

Uid returns the UID obtained from the domain socket

type TokenSigner

type TokenSigner struct {
	// contains filtered or unexported fields
}

TokenSigner serves to encapsulate the functionality needed to sign and verify auth token signatures.

func DefaultTokenSigner

func DefaultTokenSigner() *TokenSigner

DefaultTokenSigner creates a TokenSigner with an instantiated entropy pool.

func (*TokenSigner) Hash

func (s *TokenSigner) Hash(data []byte) ([]byte, error)

Hash returns the SHA-512 hash of the byte array passed in.

func (*TokenSigner) Sign

func (s *TokenSigner) Sign(key crypto.PrivateKey, data []byte) ([]byte, error)

Sign takes an unhashed set of bytes and hashes and signs the result with the key passed in.

func (*TokenSigner) Verify

func (s *TokenSigner) Verify(key crypto.PublicKey, data []byte, sig []byte) error

Verify takes an unhashed set of bytes and hashes the data and verifies the signature against the hash and the publickey passed in.

type TransportConfig

type TransportConfig struct {
	AllowInsecure     bool `yaml:"allow_insecure"`
	CertificateConfig `yaml:",inline"`
}

TransportConfig contains all the information on whether or not to use certificates and their location if their use is specified.

func DefaultClientTransportConfig

func DefaultClientTransportConfig() *TransportConfig

DefaultClientTransportConfig provides a default transport config disabling certificate usage and specifying certificates located under .daos. As this credential is meant to be used as a client credential it specifies a default ServerName as well.

func DefaultServerTransportConfig

func DefaultServerTransportConfig() *TransportConfig

DefaultServerTransportConfig provides a default transport config disabling certificate usage and specifying certificates located under .daos.

func (*TransportConfig) PreLoadCertData

func (cfg *TransportConfig) PreLoadCertData() error

PreLoadCertData reads the certificate files in and parses them into TLS key pair and Certificate pool to provide a mechanism for detecting certificate/ error before first use.

func (*TransportConfig) PrivateKey

func (cfg *TransportConfig) PrivateKey() (crypto.PrivateKey, error)

PrivateKey returns the private key stored in the certificates loaded into the TransportConfig

func (*TransportConfig) PublicKey

func (cfg *TransportConfig) PublicKey() (crypto.PublicKey, error)

PublicKey returns the private key stored in the certificates loaded into the TransportConfig

func (*TransportConfig) ReloadCertData

func (cfg *TransportConfig) ReloadCertData() error

ReloadCertData reloads and stores the certificate data in the case when certificate data has changed since initial loading.

func (*TransportConfig) String added in v0.9.0

func (tc *TransportConfig) String() string

type UnsupportedKeyError

type UnsupportedKeyError struct{}

UnsupportedKeyError is a structured error used to indicate that the PublicKey or PrivateKey interface passed in represents a key type we do not support.

func (*UnsupportedKeyError) Error

func (err *UnsupportedKeyError) Error() string

Error is the implementation of the error interface.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL