Functions ¶
func NewAuthContext ¶
NewAuthContext returns a context derived from ctx that carries the given AuthState, so code running later in the request (interceptors, handlers) can read the outcome of client authentication.
func Sha256FingerprintHex ¶
func Sha256FingerprintHex(cert *x509.Certificate) string
Types ¶
type Auth ¶
// Auth is the authentication module plugged into the RPC server: it is an
// srpc.ServerModule and exposes the PeerCertMgr that holds the known peer
// certificates together with their roles.
// ClientAuth is the implementation visible in this package (it provides
// PeerCerts and RegisterServer); confirm it also satisfies srpc.ServerModule.
type Auth interface {
	srpc.ServerModule
	PeerCerts() *PeerCertMgr
}
type AuthState ¶
AuthState holds the outcome of a client authentication attempt, whether it succeeded or failed; it is what NewAuthContext attaches to a context.
type CertFingerprint ¶
// CertFingerprint identifies a certificate by its SHA-256 digest, as
// computed by Sha256Fingerprint; AddCert returns one for the certificate it
// added. The string encoding is not visible from the declaration —
// Sha256FingerprintHex exists separately and returns a plain string, so do
// not assume a CertFingerprint is already hex-encoded.
type CertFingerprint string
func Sha256Fingerprint ¶
func Sha256Fingerprint(cert *x509.Certificate) CertFingerprint
type CertRole ¶
// CertRole defines the scope a certificate is valid for.
type CertRole uint8

const (
	// Revoked indicates that the referenced certificate is not valid for any
	// action. On client-side, it should refuse a server connection.
	// On server-side, a connection should be aborted as early as possible.
	// Revoked is also the zero value of CertRole, so a role that was never
	// set (e.g. a missing meta entry) fails closed rather than open.
	Revoked CertRole = iota
	// Inactive is the default status for a new certificate. It describes
	// that it is currently not used or associated. Therefore, it is not
	// valid for any server-side actions. Most of the time, this will change
	// later on.
	Inactive
	// Primary indicates this is the primary certificate.
	Primary
	// Backup indicates that all previously declared certs are invalidated.
	// A certificate with this role allows replacing any of the peer's
	// certificates.
	// NOTE(review): since a Backup certificate can displace the Primary, its
	// issuance and storage must be guarded at least as tightly as the
	// Primary's — confirm against the rotation flow that consumes it.
	Backup
)
type ClientAuth ¶
// ClientAuth is this package's Auth implementation: it registers with a
// grpc.Server (RegisterServer), supplies unary interceptors
// (InterceptMethods) and owns the PeerCertMgr returned by PeerCerts.
// NewClientAuth returns a value while every method has a pointer receiver,
// so callers must keep an addressable copy (or take its address).
type ClientAuth struct {
	// contains filtered or unexported fields
}
func NewClientAuth ¶
func NewClientAuth() ClientAuth
func (*ClientAuth) InterceptMethods ¶
func (ca *ClientAuth) InterceptMethods() []srpc.UnaryInterceptInfo
func (*ClientAuth) PeerCerts ¶
func (ca *ClientAuth) PeerCerts() *PeerCertMgr
func (*ClientAuth) RegisterServer ¶
func (ca *ClientAuth) RegisterServer(g *grpc.Server)
type ContextualServerStream ¶
// ContextualServerStream wraps a grpc.ServerStream so that the context it
// reports can be replaced: NewContextualServerStream builds one, and its
// Context() method returns Ctx instead of the embedded stream's context.
type ContextualServerStream struct {
	// Embed ServerStream
	grpc.ServerStream
	// Additional context, returned by Context(). It is exported and mutable:
	// anything that can reach the stream can swap the context, and with it
	// any AuthState stored via NewAuthContext, so only trusted interceptor
	// code should assign it. NOTE(review): confirm no handler code writes it.
	Ctx context.Context
}
func NewContextualServerStream ¶
func NewContextualServerStream(ss grpc.ServerStream) *ContextualServerStream
NewContextualServerStream wraps gRPC's ServerStream and attaches a mutable context.
func (*ContextualServerStream) Context ¶
func (cs *ContextualServerStream) Context() context.Context
Context returns the context stored in Ctx. It shadows the Context() method of the embedded grpc.ServerStream, which lets an interceptor replace the context and pass additional authentication information down to the handler.
type PeerCert ¶
// PeerCert is one managed certificate together with its trust metadata.
// The certificate itself is excluded from the JSON meta file (`json:"-"`);
// StoreToPath/LoadFromPath keep it in the PEM file and persist only Role
// and Created in the meta file.
type PeerCert struct {
	Certificate *x509.Certificate `json:"-"`
	// Role is the CertRole the certificate currently holds. It is restored
	// from the meta file on LoadFromPath, so that file decides trust and must
	// be protected like the certificates it describes.
	Role CertRole `json:"certRole"`
	// Created is the time passed by the caller to AddCert, not a value read
	// from the certificate itself.
	Created time.Time `json:"created"`
}
type PeerCertMgr ¶
// PeerCertMgr tracks peers' certificates with their CertRole and creation
// time, associated by the certificate's CN (see AddCert), and can persist
// and restore them via StoreToPath/LoadFromPath.
type PeerCertMgr struct {
	// ManagedCertPool holds the managed certificates as an x509.CertPool.
	// It is exported and mutable; NOTE(review): code that adds to or replaces
	// the pool directly bypasses the role bookkeeping done by
	// AddCert/RevokeCert — confirm it is only mutated through this type's
	// methods.
	ManagedCertPool *x509.CertPool
	// contains filtered or unexported fields
}
func NewPeerCertMgr ¶
func NewPeerCertMgr() *PeerCertMgr
NewPeerCertMgr creates a new instance to manage our own and peers' certificates.
func (*PeerCertMgr) ActivePeerCertificates ¶
func (cm *PeerCertMgr) ActivePeerCertificates(cn string) int
func (*PeerCertMgr) AddCert ¶
func (cm *PeerCertMgr) AddCert(cert *x509.Certificate, role CertRole, created time.Time) (CertFingerprint, error)
AddCert adds a new certificate and associates it with the peer's CN.
If a peer with the same CN already exists, the certificate is attached to that peer instead of creating a new one; check beforehand (ActivePeerCertificates(cn) reports how many active certificates a CN has) if that is not desired. Because the association is by CN alone, only add certificates whose origin has already been authenticated — a certificate merely claiming an existing peer's CN would otherwise join that peer's set. The created time is supplied by the caller, not read from the certificate.
func (*PeerCertMgr) LoadFromPath ¶
func (cm *PeerCertMgr) LoadFromPath(dirpath string) error
LoadFromPath imports certificates from `peer_certificates.pem` in dirpath into the local certificate pool. A certificate that is already present in the pool is skipped. Note: only certificates described by `peer_certificates.meta.json` are candidates for import, and the meta file also supplies each certificate's role, so both files are trust inputs and should be protected (permissions, integrity) like any other trust store.
func (*PeerCertMgr) RevokeCert ¶
func (cm *PeerCertMgr) RevokeCert(cert *x509.Certificate)
func (*PeerCertMgr) Role ¶
func (cm *PeerCertMgr) Role(cert *x509.Certificate) CertRole
func (*PeerCertMgr) StoreToPath ¶
func (cm *PeerCertMgr) StoreToPath(dirpath string) error
StoreToPath exports all managed certificates to dirpath, accompanied by a JSON meta file that records each certificate's additional properties (its role and creation time).
func (*PeerCertMgr) UpdateCert ¶
func (cm *PeerCertMgr) UpdateCert(cert *x509.Certificate, role CertRole)
func (*PeerCertMgr) VerifyPeerIdentity ¶
func (cm *PeerCertMgr) VerifyPeerIdentity(remote *x509.Certificate) (*PeerCert, error)