Documentation
Index
- Constants
- Variables
- func EncodeSecretDataToBase64(data interface{}) (string, error)
- func EncodeSecretDataToHex(data interface{}) (string, error)
- func EncodeSecretDataToPem(data interface{}) (string, error)
- func EncodeSecretDataToRaw(data interface{}) (string, error)
- func EncodeSecretDataToString(data interface{}) (string, error)
- func ParseUserSecrets(newSecrets map[string]UserSecret, originalSecrets map[string]Secret) (map[string]Secret, error)
- type Certificate
- type Config
- type File
- type Manifest
- func (m Manifest) Check(zaplogger *zap.Logger) error
- func (m Manifest) CheckUpdate(originalPackages map[string]quote.PackageProperties) error
- func (m Manifest) GenerateUsers() ([]*user.User, error)
- func (m Manifest) IsUpdateManifest() bool
- func (m Manifest) TemplateDryRun(secrets map[string]Secret) error
- type Marble
- type Parameters
- type PrivateKey
- type PublicKey
- type ReservedSecrets
- type Role
- type Secret
- type SecretsWrapper
- type TLSTagEntry
- type TLStag
- type User
- type UserSecret
Constants
const (
    // SecretTypeCertECDSA defines the type of a secret containing an ECDSA certificate.
    SecretTypeCertECDSA = "cert-ecdsa"
    // SecretTypeCertED25519 defines the type of a secret containing an ED25519 certificate.
    SecretTypeCertED25519 = "cert-ed25519"
    // SecretTypeCertRSA defines the type of a secret containing an RSA certificate.
    SecretTypeCertRSA = "cert-rsa"
    // SecretTypeSymmetricKey defines the type of a secret containing a symmetric key.
    SecretTypeSymmetricKey = "symmetric-key"
    // SecretTypePlain defines the type of a secret containing arbitrary data.
    SecretTypePlain = "plain"
)
const (
    // FeatureSignQuoteEndpoint enables the /sign-quote endpoint.
    // This endpoint allows verifying an SGX quote and signing the result with the Coordinator's private key.
    FeatureSignQuoteEndpoint = "SignQuoteEndpoint"
)
Variables
var ManifestEnvTemplateFuncMap = template.FuncMap{
    "pem":    EncodeSecretDataToPem,
    "hex":    EncodeSecretDataToHex,
    "string": EncodeSecretDataToString,
    "base64": EncodeSecretDataToBase64,
}
ManifestEnvTemplateFuncMap defines the functions which can be specified for secret injections into Env variables in the Go template format.
var ManifestFileTemplateFuncMap = template.FuncMap{
    "pem":    EncodeSecretDataToPem,
    "hex":    EncodeSecretDataToHex,
    "raw":    EncodeSecretDataToRaw,
    "base64": EncodeSecretDataToBase64,
}
ManifestFileTemplateFuncMap defines the functions which can be specified for secret injections into files in the Go template format.
Functions
func EncodeSecretDataToBase64
EncodeSecretDataToBase64 encodes the byte value of a secret to a Base64 string.
func EncodeSecretDataToHex
EncodeSecretDataToHex encodes a secret to a hex string.
func EncodeSecretDataToPem
EncodeSecretDataToPem encodes a secret to an appropriate PEM block.
func EncodeSecretDataToRaw
EncodeSecretDataToRaw encodes a secret to a raw byte string.
func EncodeSecretDataToString (added in v0.5.0)
EncodeSecretDataToString encodes secrets to C type strings (no NULL bytes allowed as part of the string).
func ParseUserSecrets (added in v0.4.0)
func ParseUserSecrets(newSecrets map[string]UserSecret, originalSecrets map[string]Secret) (map[string]Secret, error)
ParseUserSecrets checks if a map of UserSecrets only contains supported values and parses them to a map of Secrets.
Types
type Certificate
type Certificate x509.Certificate
Certificate is an x509.Certificate.
func (Certificate) MarshalJSON
func (c Certificate) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*Certificate) UnmarshalJSON
func (c *Certificate) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type Config (added in v1.5.0)
type Config struct {
    // SealMode specifies how the data should be sealed. Can be "ProductKey" (default if empty), "UniqueKey", or "Disabled".
    SealMode string
    // FeatureGates is a list of additional features to enable on the Coordinator.
    FeatureGates []string
}
Config contains optional configuration for the Coordinator.
type File (added in v0.5.0)
type File struct {
    // Data is the data to be saved as a file or environment variable.
    Data string
    // Encoding is the initial encoding of Data (as it is written in the manifest). One of {'string', 'base64', 'hex'}.
    Encoding string
    // NoTemplates specifies if Data contains templates which should be filled with information by the Coordinator.
    NoTemplates bool
}
File defines data, encoding type, and whether the data contains templates for a File or Env variable.
func (File) MarshalJSON (added in v0.5.0)
MarshalJSON implements the json.Marshaler interface.
func (*File) UnmarshalJSON (added in v0.5.0)
UnmarshalJSON implements the json.Unmarshaler interface.
type Manifest
type Manifest struct {
    // Packages contains the allowed enclaves and their properties.
    Packages map[string]quote.PackageProperties
    // Infrastructures contains the allowed infrastructure providers and their properties.
    Infrastructures map[string]quote.InfrastructureProperties
    // Marbles contains the allowed services with their corresponding enclave and configuration parameters.
    Marbles map[string]Marble
    // Users contains user definitions, including certificates used for authentication and permissions.
    Users map[string]User
    // Secrets holds user-specified secrets, which should be generated and later on stored in a marble (if not shared) or in the core (if shared).
    Secrets map[string]Secret
    // RecoveryKeys holds one or multiple RSA public keys to encrypt multiple secrets, which can be used to decrypt the sealed state again in case the encryption key on disk was corrupted somehow.
    RecoveryKeys map[string]string
    // Roles contains role definitions to manage permissions across the MarbleRun mesh.
    Roles map[string]Role
    // TLS contains tags which can be assigned to Marbles to specify which connections should be elevated to TLS.
    TLS map[string]TLStag
    // Config contains optional configuration for the Coordinator.
    Config Config
}
Manifest defines the rules of a MarbleRun deployment.
func (Manifest) CheckUpdate
func (m Manifest) CheckUpdate(originalPackages map[string]quote.PackageProperties) error
CheckUpdate checks if the manifest is consistent and only contains supported values.
func (Manifest) GenerateUsers (added in v1.0.0)
GenerateUsers creates users and assigns permissions from the manifest.
func (Manifest) IsUpdateManifest (added in v1.0.0)
IsUpdateManifest returns true if the manifest specifies only packages. The Manifest still needs to be checked for consistency, e.g. by calling CheckUpdate.
type Marble
type Marble struct {
    // Package references one of the allowed enclaves in the manifest.
    Package string
    // MaxActivations limits the number of marbles of a kind.
    MaxActivations uint
    // Parameters contains lists for files, environment variables and commandline arguments that should be passed to the application.
    // Placeholder variables are supported for specific assets of the marble's activation process.
    Parameters Parameters
    // TLS holds a list of tags which are specified in the manifest.
    TLS []string
}
Marble describes a service in the mesh that should be handled and verified by the Coordinator.
type Parameters (added in v0.5.0)
Parameters contains lists for files, environment variables and commandline arguments that should be passed to an application.
func (Parameters) Equal (added in v1.0.0)
func (p Parameters) Equal(other Parameters) bool
Equal returns true if two Parameters are equal. This checks if all Files and Env definitions are equal, and if the Argv lists are in the same order, and contain the same arguments.
type PrivateKey
type PrivateKey []byte
PrivateKey is a symmetric key or an asymmetric private key in PKCS #8, ASN.1 DER form, typically created by calling x509.MarshalPKCS8PrivateKey.
type PublicKey
type PublicKey []byte
PublicKey is a symmetric key or an asymmetric public key in PKIX, ASN.1 DER form, typically created by calling x509.MarshalPKIXPublicKey.
type ReservedSecrets (added in v1.0.0)
ReservedSecrets is a tuple of secrets reserved for a single Marble.
type Role (added in v0.4.0)
type Role struct {
    // ResourceType is the type of the affected resources.
    ResourceType string
    // ResourceNames is a list of names of type ResourceType.
    ResourceNames []string
    // Actions are the allowed actions for the defined resources.
    Actions []string
}
Role describes a set of actions permitted for a specific set of resources.
type Secret
type Secret struct {
    // Type of the secret.
    // One of {"cert-ecdsa", "cert-ed25519", "cert-rsa", "symmetric-key", "plain"}.
    Type string
    // Size of the key in bits.
    // For Type "symmetric-key", this needs to be a multiple of 8.
    // For Type "cert-ecdsa", this needs to map to a curve supported by Go's crypto library, currently: 224, 256, 384, or 521.
    // For "cert-ed25519", this should be omitted.
    Size uint
    // Shared specifies if the secret is shared across all marbles,
    // or if it is unique to each marble.
    Shared bool
    // UserDefined specifies whether a secret should be generated by MarbleRun (false),
    // or if it will be uploaded by a user at a later point (true).
    UserDefined bool
    // Cert is an X.509 certificate.
    Cert Certificate
    // ValidFor is the validity of a certificate in days.
    ValidFor uint
    // Private is a private key of a certificate, or a symmetric key.
    Private PrivateKey
    // Public is a public key of a certificate, or a symmetric key.
    Public PublicKey
}
Secret is the structure of a secret managed by MarbleRun.
func (Secret) Equal (added in v1.0.0)
Equal returns true if the two secrets are equal. This checks if the secrets are equal in all fields.
func (Secret) EqualDefinition (added in v1.0.0)
EqualDefinition returns true if the two secrets are equal. This only checks if the secret definitions are equal, i.e. if the secrets are equal in all fields except for the actual secret data.
type SecretsWrapper (added in v1.0.0)
type SecretsWrapper struct {
    MarbleRun ReservedSecrets
    Secrets   map[string]Secret
}
SecretsWrapper is used to define the "MarbleRun" prefix when mentioned in a manifest.
type TLSTagEntry (added in v0.3.1)
TLSTagEntry describes one connection which should be elevated to ttls.
func (TLSTagEntry) Equal (added in v1.0.0)
func (t TLSTagEntry) Equal(other TLSTagEntry) bool
Equal returns true if two TLSTagEntries are equal.
type TLStag (added in v0.3.1)
type TLStag struct {
    // Outgoing holds a list of all outgoing addresses that should be elevated to TLS.
    Outgoing []TLSTagEntry
    // Incoming holds a list of all incoming addresses that should be elevated to TLS.
    Incoming []TLSTagEntry
}
TLStag describes which entries should be used to determine the ttls connections of a marble.
type User (added in v0.4.0)
type User struct {
    // Certificate is the TLS certificate used by the user for authentication.
    Certificate string
    // Roles is a list of roles granting permissions to the user.
    Roles []string
}
User describes the attributes of a MarbleRun user.
type UserSecret (added in v0.4.0)
type UserSecret struct {
    // Cert is a certificate uploaded by a user.
    Cert Certificate
    // Private is a private key of a certificate uploaded by a user.
    Private PrivateKey
    // Key is a symmetric key or arbitrary binary data uploaded by a user.
    Key []byte
}
UserSecret is a secret uploaded by a user. Only Key, or Cert and Private may be set at the same time.
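As an added illustration (not the MarbleRun package's own code), the following Go program models the documented contract of ParseUserSecrets together with the UserSecret rule above: an upload must name a UserDefined secret, may set Key or Cert and Private but never both, and must fit the declared Type. The stand-in types and the check of an uploaded key's length against Size are assumptions made for the example.

```go
package main

import "fmt"

// Constructed stand-ins for the types documented on this page (not the MarbleRun
// package itself); Cert is a byte slice here in place of the x509 Certificate.
type Secret struct {
	Type                  string
	Size                  uint // bits; matching uploads against it below is an assumed check
	UserDefined           bool
	Cert, Private, Public []byte
}

type UserSecret struct{ Cert, Private, Key []byte }

// parseUserSecrets models the contract documented for ParseUserSecrets: an upload must name a
// UserDefined secret, may set Key or Cert and Private but not both, and must fit the declared Type.
func parseUserSecrets(newSecrets map[string]UserSecret, original map[string]Secret) (map[string]Secret, error) {
	out := make(map[string]Secret, len(newSecrets))
	for name, us := range newSecrets {
		def, ok := original[name]
		if !ok || !def.UserDefined {
			return nil, fmt.Errorf("secret %q is not a user-defined secret in the manifest", name)
		}
		hasKey, hasCert := len(us.Key) > 0, len(us.Cert) > 0 || len(us.Private) > 0
		switch {
		case hasKey && hasCert:
			return nil, fmt.Errorf("secret %q: Key and Cert/Private are mutually exclusive", name)
		case hasKey && (def.Type == "symmetric-key" || def.Type == "plain"):
			if def.Type == "symmetric-key" && uint(len(us.Key))*8 != def.Size {
				return nil, fmt.Errorf("secret %q: want %d-bit key, got %d bits", name, def.Size, len(us.Key)*8)
			}
			def.Private, def.Public = us.Key, us.Key // symmetric material is held in both fields
		case hasCert && (def.Type == "cert-ecdsa" || def.Type == "cert-ed25519" || def.Type == "cert-rsa"):
			if len(us.Cert) == 0 || len(us.Private) == 0 {
				return nil, fmt.Errorf("secret %q: certificate secrets need both Cert and Private", name)
			}
			def.Cert, def.Private = us.Cert, us.Private
		default:
			return nil, fmt.Errorf("secret %q: upload does not match declared type %q", name, def.Type)
		}
		out[name] = def
	}
	return out, nil
}

func main() {
	manifest := map[string]Secret{"db_key": {Type: "symmetric-key", Size: 128, UserDefined: true}}
	fmt.Println(parseUserSecrets(map[string]UserSecret{"db_key": {Key: make([]byte, 16)}}, manifest))
}
```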