Documentation ¶
Index ¶
- Constants
- Variables
- func CompareHashAndPassword(hashedPassword []byte, password string) error
- func CreateCAPair(certsDir, caKeyPath string, keySize int, lifetime time.Duration, ...) error
- func CreateClientPair(certsDir, caKeyPath string, keySize int, lifetime time.Duration, ...) error
- func CreateNodePair(certsDir, caKeyPath string, keySize int, lifetime time.Duration, ...) error
- func ExtKeyUsageToString(eku x509.ExtKeyUsage) string
- func GenerateCA(signer crypto.Signer, lifetime time.Duration) ([]byte, error)
- func GenerateClientCert(caCert *x509.Certificate, caPrivateKey crypto.PrivateKey, ...) ([]byte, error)
- func GenerateServerCert(caCert *x509.Certificate, caPrivateKey crypto.PrivateKey, ...) ([]byte, error)
- func GetCertificateUser(tlsState *tls.ConnectionState) (string, error)
- func HashPassword(password string) ([]byte, error)
- func KeyUsageToString(ku x509.KeyUsage) []string
- func LoadClientTLSConfig(sslCA, sslCert, sslCertKey string) (*tls.Config, error)
- func LoadServerTLSConfig(sslCA, sslCert, sslCertKey string) (*tls.Config, error)
- func PEMContentsToX509(contents []byte) ([]*x509.Certificate, error)
- func PEMToCertificates(contents []byte) ([]*pem.Block, error)
- func PEMToPrivateKey(contents []byte) (crypto.PrivateKey, error)
- func PrivateKeyToPEM(key crypto.PrivateKey) (*pem.Block, error)
- func PromptForPassword() (string, error)
- func PromptForPasswordAndHash() ([]byte, error)
- func PromptForPasswordTwice() (string, error)
- func ProtoAuthHook(insecureMode bool, tlsState *tls.ConnectionState) (func(proto.Message, bool) error, error)
- func ResetAssetLoader()
- func SetAssetLoader(al AssetLoader)
- func WritePEMToFile(path string, mode os.FileMode, overwrite bool, blocks ...*pem.Block) error
- type AssetLoader
- type CertInfo
- type CertificateLoader
- type CertificateManager
- func (cm *CertificateManager) CACert() *CertInfo
- func (cm *CertificateManager) CACertPath() string
- func (cm *CertificateManager) ClientCertPath(user string) string
- func (cm *CertificateManager) ClientCerts() map[string]*CertInfo
- func (cm *CertificateManager) ClientKeyPath(user string) string
- func (cm *CertificateManager) GetCACertPath() (string, error)
- func (cm *CertificateManager) GetClientCertPaths(user string) (string, string, error)
- func (cm *CertificateManager) GetClientTLSConfig(user string) (*tls.Config, error)
- func (cm *CertificateManager) GetEmbeddedServerTLSConfig(_ *tls.ClientHelloInfo) (*tls.Config, error)
- func (cm *CertificateManager) GetServerTLSConfig() (*tls.Config, error)
- func (cm *CertificateManager) ListCertificates() ([]*CertInfo, error)
- func (cm *CertificateManager) LoadCertificates() error
- func (cm *CertificateManager) Metrics() CertificateMetrics
- func (cm *CertificateManager) NodeCert() *CertInfo
- func (cm *CertificateManager) NodeCertPath() string
- func (cm *CertificateManager) NodeKeyPath() string
- func (cm *CertificateManager) RegisterSignalHandler(stopper *stop.Stopper)
- type CertificateMetrics
- type RequestWithUser
- type UserAuthHook
Constants ¶
const ( // NodeUser is used by nodes for intra-cluster traffic. NodeUser = "node" // RootUser is the default cluster administrator. RootUser = "root" )
const ( // CAPem describes a CA certificate. CAPem pemUsage // NodePem describes a combined server/client certificate for user Node. NodePem // ClientPem describes a client certificate. ClientPem )
const ( EmbeddedCertsDir = "test_certs" EmbeddedCACert = "ca.crt" EmbeddedCAKey = "ca.key" EmbeddedNodeCert = "node.crt" EmbeddedNodeKey = "node.key" EmbeddedRootCert = "client.root.crt" EmbeddedRootKey = "client.root.key" EmbeddedTestUserCert = "client.testuser.crt" EmbeddedTestUserKey = "client.testuser.key" )
EmbeddedCertsDir is the certs directory inside embedded assets. Embedded*{Cert,Key} are the filenames for embedded certs.
Variables ¶
var ErrEmptyPassword = errors.New("empty passwords are not permitted")
ErrEmptyPassword indicates that an empty password was attempted to be set.
Functions ¶
func CompareHashAndPassword ¶
CompareHashAndPassword tests that the provided bytes are equivalent to the hash of the supplied password. If they are not equivalent, returns an error.
func CreateCAPair ¶
func CreateCAPair( certsDir, caKeyPath string, keySize int, lifetime time.Duration, allowKeyReuse bool, overwrite bool, ) error
CreateCAPair creates a CA key and a CA certificate. If the certs directory does not exist, it is created. If the key does not exist, it is created. The certificate is written to the certs directory. If the file already exists, we append the original certificates to the new certificate.
func CreateClientPair ¶
func CreateClientPair( certsDir, caKeyPath string, keySize int, lifetime time.Duration, overwrite bool, user string, ) error
CreateClientPair creates a node key and certificate. The CA cert and key must load properly. If multiple certificates exist in the CA cert, the first one is used.
func CreateNodePair ¶
func CreateNodePair( certsDir, caKeyPath string, keySize int, lifetime time.Duration, overwrite bool, hosts []string, ) error
CreateNodePair creates a node key and certificate. The CA cert and key must load properly. If multiple certificates exist in the CA cert, the first one is used.
func ExtKeyUsageToString ¶
func ExtKeyUsageToString(eku x509.ExtKeyUsage) string
ExtKeyUsageToString converts a x509.ExtKeyUsage to a string, returning "unknown" if the list is not up-to-date.
func GenerateCA ¶
GenerateCA generates a CA certificate and signs it using the signer (a private key). It returns the DER-encoded certificate.
func GenerateClientCert ¶
func GenerateClientCert( caCert *x509.Certificate, caPrivateKey crypto.PrivateKey, clientPublicKey crypto.PublicKey, lifetime time.Duration, user string, ) ([]byte, error)
GenerateClientCert generates a client certificate and returns the cert bytes. Takes in the CA cert and private key, the client public key, the certificate lifetime, and the username.
func GenerateServerCert ¶
func GenerateServerCert( caCert *x509.Certificate, caPrivateKey crypto.PrivateKey, nodePublicKey crypto.PublicKey, lifetime time.Duration, hosts []string, ) ([]byte, error)
GenerateServerCert generates a server certificate and returns the cert bytes. Takes in the CA cert and private key, the node public key, the certificate lifetime, and the list of hosts/ip addresses this certificate applies to.
func GetCertificateUser ¶
func GetCertificateUser(tlsState *tls.ConnectionState) (string, error)
GetCertificateUser extract the username from a client certificate.
func HashPassword ¶
HashPassword takes a raw password and returns a bcrypt hashed password.
func KeyUsageToString ¶
KeyUsageToString returns the list of key usages described by the bitmask. This list may not up-to-date with https://golang.org/pkg/crypto/x509/#KeyUsage
func LoadClientTLSConfig ¶
LoadClientTLSConfig creates a client TLSConfig by loading the CA and client certs. The following paths must be passed: - sslCA: path to the CA certificate - sslCert: path to the client certificate - sslCertKey: path to the client key If the path is prefixed with "embedded=", load the embedded certs.
func LoadServerTLSConfig ¶
LoadServerTLSConfig creates a server TLSConfig by loading the CA and server certs. The following paths must be passed: - sslCA: path to the CA certificate - sslCert: path to the server certificate - sslCertKey: path to the server key If the path is prefixed with "embedded=", load the embedded certs.
func PEMContentsToX509 ¶
func PEMContentsToX509(contents []byte) ([]*x509.Certificate, error)
PEMContentsToX509 takes raw pem-encoded contents and attempts to parse into x509.Certificate objects.
func PEMToCertificates ¶
PEMToCertificates parses multiple certificate PEM blocks and returns them. Each block must be a certificate. It is allowed to have zero certificates.
func PEMToPrivateKey ¶
func PEMToPrivateKey(contents []byte) (crypto.PrivateKey, error)
PEMToPrivateKey parses a PEM block and returns the private key.
func PrivateKeyToPEM ¶
func PrivateKeyToPEM(key crypto.PrivateKey) (*pem.Block, error)
PrivateKeyToPEM generates a PEM block from a private key.
func PromptForPassword ¶
PromptForPassword prompts for a password. This is meant to be used when using a password.
func PromptForPasswordAndHash ¶
PromptForPasswordAndHash prompts for a password twice and returns the bcrypt hash.
func PromptForPasswordTwice ¶
PromptForPasswordTwice prompts for a password twice, returning the read string if they match, or an error. This is meant to be used when setting a password.
func ProtoAuthHook ¶
func ProtoAuthHook( insecureMode bool, tlsState *tls.ConnectionState, ) (func(proto.Message, bool) error, error)
ProtoAuthHook builds an authentication hook based on the security mode and client certificate. The proto.Message passed to the hook must implement RequestWithUser.
func ResetAssetLoader ¶
func ResetAssetLoader()
ResetAssetLoader restores the asset loader to the default value.
func SetAssetLoader ¶
func SetAssetLoader(al AssetLoader)
SetAssetLoader overrides the asset loader with the passed-in one.
func WritePEMToFile ¶
WritePEMToFile writes an arbitrary number of PEM blocks to a file. The file "path" is created with "mode" and WRONLY|CREATE. If overwrite is true, the file will be overwritten if it exists.
Types ¶
type AssetLoader ¶
type AssetLoader struct { ReadDir func(dirname string) ([]os.FileInfo, error) ReadFile func(filename string) ([]byte, error) Stat func(name string) (os.FileInfo, error) }
AssetLoader describes the functions necessary to read certificate and key files.
type CertInfo ¶
type CertInfo struct { // FileUsage describes the use of this certificate. FileUsage pemUsage // Filename is the base filename of the certificate. Filename string // FileContents is the raw cert file data. FileContents []byte // KeyFilename is the base filename of the key, blank if not found (CA certs only). KeyFilename string // KeyFileContents is the raw key file data. KeyFileContents []byte // Name is the blob in the middle of the filename. eg: username for client certs. Name string // Parsed certificates. This is used by debugging/printing/monitoring only, // TLS config objects are passed raw certificate file contents. // CA certs may contain (and use) more than one certificate. // Client/Server certs may contain more than one, but only the first certificate will be used. ParsedCertificates []*x509.Certificate // Expiration time is the latest "Not After" date across all parsed certificates. ExpirationTime time.Time // Error is any error encountered when loading the certificate/key pair. // For example: bad permissions on the key will be stored here. Error error }
CertInfo describe a certificate file and optional key file. To obtain the full path, Filename and KeyFilename must be joined with the certs directory. The key may not be present if this is a CA certificate. If Err != nil, the CertInfo must NOT be used.
type CertificateLoader ¶
type CertificateLoader struct {
// contains filtered or unexported fields
}
CertificateLoader searches for certificates and keys in the certs directory.
func NewCertificateLoader ¶
func NewCertificateLoader(certsDir string) *CertificateLoader
NewCertificateLoader creates a new instance of the certificate loader.
func (*CertificateLoader) Certificates ¶
func (cl *CertificateLoader) Certificates() []*CertInfo
Certificates returns the loaded certificates.
func (*CertificateLoader) Load ¶
func (cl *CertificateLoader) Load() error
Load examines all .crt files in the certs directory, determines their usage, and looks for their keys. It populates the certificates field.
func (*CertificateLoader) MaybeCreateCertsDir ¶
func (cl *CertificateLoader) MaybeCreateCertsDir() error
MaybeCreateCertsDir creates the certificate directory if it does not exist. Returns an error if we could not stat or create the directory.
func (*CertificateLoader) TestDisablePermissionChecks ¶
func (cl *CertificateLoader) TestDisablePermissionChecks()
TestDisablePermissionChecks turns off permissions checks. Used by tests only.
type CertificateManager ¶
type CertificateManager struct {
// contains filtered or unexported fields
}
CertificateManager lives for the duration of the process and manages certificates and keys. It reloads all certificates when triggered and construct tls.Config objects for servers or clients.
Important note: Load() performs some sanity checks (file pairs match, CA certs don't disappear), but these are by no means complete. Completeness is not required as nodes restarting have no fallback if invalid certs/keys are present.
func NewCertificateManager ¶
func NewCertificateManager(certsDir string) (*CertificateManager, error)
NewCertificateManager creates a new certificate manager.
func NewCertificateManagerFirstRun ¶
func NewCertificateManagerFirstRun(certsDir string) (*CertificateManager, error)
NewCertificateManagerFirstRun creates a new certificate manager. The certsDir is created if it does not exist. This should only be called when generating certificates, the server has no business creating the certs directory.
func (*CertificateManager) CACert ¶
func (cm *CertificateManager) CACert() *CertInfo
CACert returns the CA cert. May be nil. Callers should check for an internal Error field.
func (*CertificateManager) CACertPath ¶
func (cm *CertificateManager) CACertPath() string
CACertPath returns the expected file path for the CA certificate.
func (*CertificateManager) ClientCertPath ¶
func (cm *CertificateManager) ClientCertPath(user string) string
ClientCertPath returns the expected file path for the user's certificate.
func (*CertificateManager) ClientCerts ¶
func (cm *CertificateManager) ClientCerts() map[string]*CertInfo
ClientCerts returns the Client certs. Callers should check for internal Error fields.
func (*CertificateManager) ClientKeyPath ¶
func (cm *CertificateManager) ClientKeyPath(user string) string
ClientKeyPath returns the expected file path for the user's key.
func (*CertificateManager) GetCACertPath ¶
func (cm *CertificateManager) GetCACertPath() (string, error)
GetCACertPath returns the path to the CA certificate.
func (*CertificateManager) GetClientCertPaths ¶
func (cm *CertificateManager) GetClientCertPaths(user string) (string, string, error)
GetClientCertPaths returns the paths to the client cert and key. Returns the node cert and key if user == NodeUser.
func (*CertificateManager) GetClientTLSConfig ¶
func (cm *CertificateManager) GetClientTLSConfig(user string) (*tls.Config, error)
GetClientTLSConfig returns the most up-to-date server tls.Config. Returns the dual-purpose node certs if user == NodeUser.
func (*CertificateManager) GetEmbeddedServerTLSConfig ¶
func (cm *CertificateManager) GetEmbeddedServerTLSConfig( _ *tls.ClientHelloInfo, ) (*tls.Config, error)
GetEmbeddedServerTLSConfig returns the most up-to-date server tls.Config. This is the callback set in tls.Config.GetConfigForClient. We currently ignore the ClientHelloInfo object.
func (*CertificateManager) GetServerTLSConfig ¶
func (cm *CertificateManager) GetServerTLSConfig() (*tls.Config, error)
GetServerTLSConfig returns a server TLS config with a callback to fetch the latest TLS config. We still attempt to get the config to make sure the initial call has a valid config loaded.
func (*CertificateManager) ListCertificates ¶
func (cm *CertificateManager) ListCertificates() ([]*CertInfo, error)
ListCertificates returns all loaded certificates, or an error if not yet initialized.
func (*CertificateManager) LoadCertificates ¶
func (cm *CertificateManager) LoadCertificates() error
LoadCertificates creates a CertificateLoader to load all certs and keys. Upon success, it swaps the existing certificates for the new ones.
func (*CertificateManager) Metrics ¶
func (cm *CertificateManager) Metrics() CertificateMetrics
Metrics returns the metrics struct.
func (*CertificateManager) NodeCert ¶
func (cm *CertificateManager) NodeCert() *CertInfo
NodeCert returns the Node cert. May be nil. Callers should check for an internal Error field.
func (*CertificateManager) NodeCertPath ¶
func (cm *CertificateManager) NodeCertPath() string
NodeCertPath returns the expected file path for the node certificate.
func (*CertificateManager) NodeKeyPath ¶
func (cm *CertificateManager) NodeKeyPath() string
NodeKeyPath returns the expected file path for the node key.
func (*CertificateManager) RegisterSignalHandler ¶
func (cm *CertificateManager) RegisterSignalHandler(stopper *stop.Stopper)
RegisterSignalHandler registers a signal handler for SIGHUP, triggering a refresh of the certificates directory on notification.
type CertificateMetrics ¶
CertificateMetrics holds metrics about the various certificates. These are initialized when the certificate manager is created and updated on reload.
type RequestWithUser ¶
type RequestWithUser interface {
GetUser() string
}
RequestWithUser must be implemented by `roachpb.Request`s which are arguments to methods that are not permitted to skip user checks.
type UserAuthHook ¶
UserAuthHook authenticates a user based on their username and whether their connection originates from a client or another node in the cluster.
func UserAuthCertHook ¶
func UserAuthCertHook(insecureMode bool, tlsState *tls.ConnectionState) (UserAuthHook, error)
UserAuthCertHook builds an authentication hook based on the security mode and client certificate.
func UserAuthPasswordHook ¶
func UserAuthPasswordHook(insecureMode bool, password string, hashedPassword []byte) UserAuthHook
UserAuthPasswordHook builds an authentication hook based on the security mode, password, and its potentially matching hash.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package securitytest embeds the TLS test certificates.
|
Package securitytest embeds the TLS test certificates. |