Documentation ¶
Overview ¶
Package requestorserver implements a server that allows IRMA verifiers, issuers or attribute-based signature applications (the requestor) to perform IRMA sessions with irmaclient instances (i.e. the IRMA app). It exposes a RESTful protocol with which the requestor can start and manage sessions, as well as the HTTP endpoints used by the irmaclient.
Index ¶
Constants ¶
const (
	AuthenticationMethodHmac      = "hmac"
	AuthenticationMethodPublicKey = "publickey"
	AuthenticationMethodToken     = "token"
	AuthenticationMethodNone      = "none"
)
Currently supported requestor authentication methods, selected per requestor through the auth_method field of Requestor: "hmac" (HmacAuthenticator: the session request is a JWT signed with a key shared between requestor and server), "publickey" (PublicKeyAuthenticator: the session request is a JWT signed with the requestor's private key and verified with its configured public key), "token" (PresharedKeyAuthenticator: a preshared token accompanies each request) and "none" (NilAuthenticator: no authentication at all).
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthenticationMethod ¶
type AuthenticationMethod string
type Authenticator ¶
type Authenticator interface {
	// Initialize is called once on server startup for each requestor that uses this authentication method.
	// Used to parse keys or populate caches for later use.
	Initialize(name string, requestor Requestor) error

	// Authenticate checks, given the HTTP headers and POST body, whether the requestor is known
	// and allowed to submit session requests. It returns whether this authenticator applies to
	// the session request at all; the request itself; the name of the requestor; and an error,
	// which is only non-nil if applies is true (i.e. this authenticator applies but it was not
	// able to successfully authenticate the request).
	Authenticate(
		headers http.Header,
		body []byte,
	) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError)
}
Authenticator instances authenticate incoming session requests. Given the headers and body of the HTTP POST made by the requestor, an Authenticator checks whether the requestor is known and allowed to submit session requests. An authenticator that does not recognise the request (for example because the header or content type its method relies on is absent) reports applies == false, meaning another authentication method should be consulted; one that recognises the request but cannot verify it reports applies == true together with a non-nil error.
type Configuration ¶
type Configuration struct {
	*server.Configuration `mapstructure:",squash"`

	// Disclosing, signing or issuance permissions that apply to all requestors
	Permissions `mapstructure:",squash"`

	// Whether requestor authentication is disabled. If true, anyone can submit session
	// requests. If false (the default), each incoming session request is first authenticated
	// against the requestors in this configuration before the server accepts it.
	DisableRequestorAuthentication bool `json:"no_auth" mapstructure:"no_auth"`

	// Address to listen at
	ListenAddress string `json:"listen_addr" mapstructure:"listen_addr"`
	// Port to listen at
	Port int `json:"port" mapstructure:"port"`

	// TLS configuration
	TlsCertificate     string `json:"tls_cert" mapstructure:"tls_cert"`
	TlsCertificateFile string `json:"tls_cert_file" mapstructure:"tls_cert_file"`
	TlsPrivateKey      string `json:"tls_privkey" mapstructure:"tls_privkey"`
	TlsPrivateKeyFile  string `json:"tls_privkey_file" mapstructure:"tls_privkey_file"`

	// If specified, start a separate server for the IRMA app at this port
	ClientPort int `json:"client_port" mapstructure:"client_port"`
	// If ClientPort is specified, the server for the IRMA app listens at this address
	ClientListenAddress string `json:"client_listen_addr" mapstructure:"client_listen_addr"`
	// TLS configuration for irmaclient HTTP API
	ClientTlsCertificate     string `json:"client_tls_cert" mapstructure:"client_tls_cert"`
	ClientTlsCertificateFile string `json:"client_tls_cert_file" mapstructure:"client_tls_cert_file"`
	ClientTlsPrivateKey      string `json:"client_tls_privkey" mapstructure:"client_tls_privkey"`
	ClientTlsPrivateKeyFile  string `json:"client_tls_privkey_file" mapstructure:"client_tls_privkey_file"`

	// Requestor-specific permission and authentication configuration
	RequestorsString string               `json:"-" mapstructure:"requestors"`
	Requestors       map[string]Requestor `json:"requestors"`

	// Used in the "iss" field of result JWTs from /result-jwt and /getproof
	JwtIssuer string `json:"jwt_issuer" mapstructure:"jwt_issuer"`
	// Private key to sign result JWTs with. If absent, /result-jwt and /getproof are disabled.
	JwtPrivateKey     string `json:"jwt_privkey" mapstructure:"jwt_privkey"`
	JwtPrivateKeyFile string `json:"jwt_privkey_file" mapstructure:"jwt_privkey_file"`
	// Max age in seconds of a session request JWT (using iat field)
	MaxRequestAge int `json:"max_request_age" mapstructure:"max_request_age"`

	// Host files under this path as static files (leave empty to disable)
	StaticPath string `json:"static_path" mapstructure:"static_path"`
	// Host static files under this URL prefix
	StaticPrefix string `json:"static_prefix" mapstructure:"static_prefix"`

	StaticSessions map[string]interface{} `json:"static_sessions"`
	// contains filtered or unexported fields
}
func (*Configuration) CanIssue ¶
func (conf *Configuration) CanIssue(requestor string, creds []*irma.CredentialRequest) (bool, string)
CanIssue returns whether or not the specified requestor may issue the specified credentials. (In case of combined issuance/disclosure sessions, this method does not check whether or not the identity provider is allowed to verify the attributes being verified; use CanVerifyOrSign for that).
func (*Configuration) CanVerifyOrSign ¶
func (conf *Configuration) CanVerifyOrSign(requestor string, action irma.Action, disjunctions irma.AttributeConDisCon) (bool, string)
CanVerifyOrSign returns whether or not the specified requestor may use the selected attributes in any of the supported session types.
type HmacAuthenticator ¶
type HmacAuthenticator struct {
// contains filtered or unexported fields
}
func (*HmacAuthenticator) Authenticate ¶
func (hauth *HmacAuthenticator) Authenticate(headers http.Header, body []byte) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError)
func (*HmacAuthenticator) Initialize ¶
func (hauth *HmacAuthenticator) Initialize(name string, requestor Requestor) error
type NilAuthenticator ¶
type NilAuthenticator struct{}
func (NilAuthenticator) Authenticate ¶
func (NilAuthenticator) Authenticate(headers http.Header, body []byte) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError)
func (NilAuthenticator) Initialize ¶
func (NilAuthenticator) Initialize(name string, requestor Requestor) error
type Permissions ¶
type Permissions struct {
	Disclosing []string `json:"disclose_perms" mapstructure:"disclose_perms"`
	Signing    []string `json:"sign_perms" mapstructure:"sign_perms"`
	Issuing    []string `json:"issue_perms" mapstructure:"issue_perms"`
}
Permissions specify which attributes a requestor may verify (Disclosing) or have signed (Signing), and which credentials it may issue (Issuing).
type PresharedKeyAuthenticator ¶
type PresharedKeyAuthenticator struct {
// contains filtered or unexported fields
}
func (*PresharedKeyAuthenticator) Authenticate ¶
func (pskauth *PresharedKeyAuthenticator) Authenticate(headers http.Header, body []byte) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError)
func (*PresharedKeyAuthenticator) Initialize ¶
func (pskauth *PresharedKeyAuthenticator) Initialize(name string, requestor Requestor) error
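The Authenticator contract above, and the "hmac" and "token" methods implemented by HmacAuthenticator and PresharedKeyAuthenticator, as an added stand-alone example. This is not code from the irmago package: the IRMA request and error types are replaced by a raw JSON payload and a plain error, and the wire details are assumptions not stated on this page (the hmac requestor posts its session request as an HS256 JWT with Content-Type text/plain, naming itself in the "iss" claim and dating the request in "iat", which is checked against MaxRequestAge; the token requestor sends its key in the Authorization header). SignHS256 exists only to construct sample input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Authenticator mirrors the interface on this page; the IRMA request and error types
// are simplified to a raw JSON payload and a plain error so the block runs stand-alone.
type Authenticator interface {
	Authenticate(headers http.Header, body []byte) (applies bool, request json.RawMessage, requestor string, err error)
}

var b64 = base64.RawURLEncoding

// HmacAuthenticator: the "hmac" method. The requestor wraps its session request in a JWT
// signed with a key shared with the server. Assumptions (not stated on this page): the JWT
// is posted as text/plain, "iss" names the requestor, and "iat" is checked against MaxRequestAge.
type HmacAuthenticator struct {
	keys          map[string][]byte // requestor name -> shared key, as Initialize would fill it
	maxRequestAge time.Duration
	now           func() time.Time // injectable clock so the age check is testable
}

func (h *HmacAuthenticator) Authenticate(headers http.Header, body []byte) (bool, json.RawMessage, string, error) {
	if !strings.HasPrefix(headers.Get("Content-Type"), "text/plain") {
		return false, nil, "", nil // not a JWT: this authenticator does not apply
	}
	parts := strings.Split(strings.TrimSpace(string(body)), ".")
	if len(parts) != 3 {
		return true, nil, "", errors.New("malformed JWT")
	}
	rawHeader, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var header struct{ Alg string `json:"alg"` }
	var claims struct{ Iss string `json:"iss"`; Iat int64 `json:"iat"` }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(rawHeader, &header) != nil || json.Unmarshal(payload, &claims) != nil {
		return true, nil, "", errors.New("malformed JWT")
	}
	if header.Alg != "HS256" { // pin the algorithm: alg "none" or a swapped alg is never honoured
		return true, nil, "", errors.New("unsupported JWT alg")
	}
	key, ok := h.keys[claims.Iss] // the unverified "iss" only selects the key; the signature is then checked with it
	if !ok {
		return true, nil, "", fmt.Errorf("unknown requestor %q", claims.Iss)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return true, nil, "", errors.New("bad JWT signature")
	}
	if age := h.now().Sub(time.Unix(claims.Iat, 0)); age > h.maxRequestAge || age < -time.Minute {
		return true, nil, "", errors.New("JWT stale or future-dated")
	}
	return true, json.RawMessage(payload), claims.Iss, nil
}

// PresharedKeyAuthenticator: the "token" method. Assumption (not stated on this page): the
// token travels in the Authorization header and the body is the JSON session request.
type PresharedKeyAuthenticator struct{ tokens map[string]string } // token -> requestor name

var _, _ Authenticator = (*HmacAuthenticator)(nil), (*PresharedKeyAuthenticator)(nil)

func (p *PresharedKeyAuthenticator) Authenticate(headers http.Header, body []byte) (bool, json.RawMessage, string, error) {
	token := headers.Get("Authorization")
	if token == "" {
		return false, nil, "", nil
	}
	for candidate, name := range p.tokens { // constant-time compare: no timing leak of a matching prefix
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(token)) == 1 {
			return true, json.RawMessage(body), name, nil
		}
	}
	return true, nil, "", errors.New("unknown token")
}

// SignHS256 builds the JWT a requestor would send; here it only constructs sample input.
func SignHS256(key []byte, claimsJSON string) string {
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claimsJSON))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

func main() {
	h := &HmacAuthenticator{keys: map[string][]byte{"myapp": []byte("constructed-shared-secret")}, maxRequestAge: 300 * time.Second, now: time.Now}
	jwt := SignHS256(h.keys["myapp"], fmt.Sprintf(`{"iss":"myapp","iat":%d,"sub":"verification_request"}`, time.Now().Unix()))
	_, req, name, err := h.Authenticate(http.Header{"Content-Type": {"text/plain"}}, []byte(jwt))
	fmt.Println(name, err, string(req))
}
```

Two things matter for anyone writing an Authenticator against this interface: a request the method cannot recognise must yield applies == false rather than an error, so that another method can be consulted, while every rejection of a request the method does recognise must yield applies == true with a non-nil error. The explicit algorithm check and the constant-time token comparison are the hardening a reviewer would look for in either implementation.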
type PublicKeyAuthenticator ¶
type PublicKeyAuthenticator struct {
// contains filtered or unexported fields
}
func (*PublicKeyAuthenticator) Authenticate ¶
func (pkauth *PublicKeyAuthenticator) Authenticate(headers http.Header, body []byte) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError)
func (*PublicKeyAuthenticator) Initialize ¶
func (pkauth *PublicKeyAuthenticator) Initialize(name string, requestor Requestor) error
type Requestor ¶
type Requestor struct {
	Permissions `mapstructure:",squash"`

	AuthenticationMethod  AuthenticationMethod `json:"auth_method" mapstructure:"auth_method"`
	AuthenticationKey     string               `json:"key" mapstructure:"key"`
	AuthenticationKeyFile string               `json:"key_file" mapstructure:"key_file"`
}
Requestor contains all configuration (disclosure, signing and issuance permissions, and the authentication method and key) for a single requestor.
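The permission model described under Configuration, Permissions, Requestor, CanIssue and CanVerifyOrSign, as an added stand-alone example that is not the irmago implementation. It parses a constructed "requestors" configuration shaped by the JSON tags documented on this page (with Config standing in for Configuration) and then applies the per-requestor and global permission lists to a disclosure request and an issuance request, keeping the (bool, string) contract of CanVerifyOrSign and CanIssue. The pattern syntax is an assumption not stated on this page: an exact identifier, "*" for everything, or a dotted prefix ending in ".*" that covers a whole scheme, issuer or credential.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Permissions, Requestor and Config mirror the JSON tags of the types on this page (Config
// stands in for Configuration: the global permissions plus the "requestors" map).
type Permissions struct {
	Disclosing []string `json:"disclose_perms"`
	Signing    []string `json:"sign_perms"`
	Issuing    []string `json:"issue_perms"`
}

type Requestor struct {
	Permissions
	AuthenticationMethod string `json:"auth_method"`
	AuthenticationKey    string `json:"key"`
}

type Config struct {
	Permissions
	Requestors map[string]Requestor `json:"requestors"`
}

type ConDisCon [][][]string // conjunction of disjunctions of conjunctions of attribute ids: a disclosure request

// Constructed sample, not a real deployment: "myapp" is tightly scoped, "demo-all" is the over-broad kind of entry to avoid.
const sampleConfig = `{
  "disclose_perms": ["pbdf.pbdf.email.email"],
  "requestors": {
    "myapp": {
      "auth_method": "token",
      "key": "replace-with-a-long-random-token",
      "disclose_perms": ["irma-demo.MijnOverheid.ageLower.*"],
      "issue_perms": ["irma-demo.MijnOverheid.ageLower"]
    },
    "demo-all": {"auth_method": "none", "disclose_perms": ["*"], "issue_perms": ["irma-demo.*"]}
  }
}`

func ParseConfig(raw string) (Config, error) {
	var c Config
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

// matches reports whether id is covered by pattern. Assumption (not stated on this page): a pattern
// is an exact identifier, "*" for everything, or a dotted prefix ending in ".*" covering that subtree.
func matches(pattern, id string) bool {
	return pattern == "*" || pattern == id ||
		(strings.HasSuffix(pattern, ".*") && strings.HasPrefix(id, strings.TrimSuffix(pattern, "*")))
}

// covered consults the requestor's own list and the global list ("apply to all requestors" on this page).
func covered(id string, lists ...[]string) bool {
	for _, list := range lists {
		for _, p := range list {
			if matches(p, id) {
				return true
			}
		}
	}
	return false
}

// CanVerify and CanIssue keep the (bool, string) contract of CanVerifyOrSign and CanIssue:
// true when everything requested is permitted, else false plus the offending identifier.
func (c Config) CanVerify(requestor string, req ConDisCon) (bool, string) {
	r, known := c.Requestors[requestor]
	if !known {
		return false, "unknown requestor " + requestor
	}
	for _, disjunction := range req {
		for _, conjunction := range disjunction {
			for _, attr := range conjunction {
				if !covered(attr, r.Disclosing, c.Disclosing) {
					return false, attr
				}
			}
		}
	}
	return true, ""
}

func (c Config) CanIssue(requestor string, creds []string) (bool, string) {
	r, known := c.Requestors[requestor]
	for _, cred := range creds {
		if !known || !covered(cred, r.Issuing, c.Issuing) {
			return false, cred
		}
	}
	return known, "" // an unknown requestor is refused even when it asks for nothing
}

func main() {
	conf, _ := ParseConfig(sampleConfig)
	fmt.Println(conf.CanVerify("myapp", ConDisCon{{{"irma-demo.MijnOverheid.ageLower.over18"}, {"pbdf.pbdf.bsn.bsn"}}}))
}
```

Two properties worth preserving in any such check: an unknown requestor is refused even when a global permission would cover the attribute, and a ".*" pattern only matches on a segment boundary, so "irma-demo.*" does not cover a scheme whose name merely starts with "irma-demo". Whether the irmago matcher accepts wildcards in other positions is not documented on this page.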
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server is a requestor server instance.
func New ¶
func New(config *Configuration) (*Server, error)
func (*Server) ClientHandler ¶
func (*Server) Handler ¶
Handler returns an http.Handler that handles all IRMA requestor messages and IRMA client messages.
func (*Server) Start ¶
func (s *Server) Start(config *Configuration) error
Start starts the server. If successful, it does not return until Stop() is called.