Index ¶
- Constants
- func AttachWorkerIdToState(ctx context.Context, workerId string) (*structpb.Struct, error)
- func GetOpts(opt ...Option) options
- func ReinitializeRoots(ctx context.Context, workerAuthRepo *WorkerAuthRepositoryStorage, ...) (*types.RootCertificates, error)
- func RotateRoots(ctx context.Context, workerAuthRepo *WorkerAuthRepositoryStorage, ...) (*types.RootCertificates, error)
- func StoreNodeInformationTx(ctx context.Context, writer db.Writer, databaseWrapper wrapping.Wrapper, ...) error
- func TestKmsKey(ctx context.Context, t *testing.T, conn *db.DB, wrapper wrapping.Wrapper) (string, wrapping.Wrapper)
- func ValidOperationalState(s string) bool
- type CertificateAuthority
- type CertificateState
- type Nonce
- type OperationalState
- type Option
- func WithActiveWorkers(withActive bool) Option
- func WithAddress(address string) Option
- func WithControllerEncryptionPrivateKey(controllerKey []byte) Option
- func WithCreateControllerLedActivationToken(with bool) Option
- func WithDescription(desc string) Option
- func WithFetchNodeCredentialsRequest(req *types.FetchNodeCredentialsRequest) Option
- func WithKeyId(keyId string) Option
- func WithLimit(limit int) Option
- func WithLiveness(liveness time.Duration) Option
- func WithName(name string) Option
- func WithNewIdFunc(fn func(context.Context) (string, error)) Option
- func WithNonce(nonce []byte) Option
- func WithOperationalState(state string) Option
- func WithPublicId(id string) Option
- func WithReleaseVersion(version string) Option
- func WithRoot(workerId string) Option
- func WithStopAfter(stopAfter uint) Option
- func WithTestPkiWorkerAuthorizedKeyId(id *string) Option
- func WithUpdateTags(updateTags bool) Option
- func WithWorkerKeyIdentifier(workerKeyIdentifier string) Option
- func WithWorkerKeys(workerKeys WorkerKeys) Option
- func WithWorkerTags(tags ...*Tag) Option
- func WithWorkerType(with WorkerType) Option
- type Repository
- func (r *Repository) AddNonce(ctx context.Context, nonce, purpose string, opt ...Option) error
- func (r *Repository) AddWorkerTags(ctx context.Context, workerId string, workerVersion uint32, tags []*Tag, ...) ([]*Tag, error)
- func (r *Repository) CleanupNonces(ctx context.Context, opt ...Option) (int, error)
- func (r *Repository) CreateWorker(ctx context.Context, worker *Worker, opt ...Option) (*Worker, error)
- func (r *Repository) DeleteWorker(ctx context.Context, publicId string, _ ...Option) (int, error)
- func (r *Repository) DeleteWorkerTags(ctx context.Context, workerId string, workerVersion uint32, tags []*Tag, ...) (int, error)
- func (r *Repository) ListControllers(ctx context.Context, opt ...Option) ([]*store.Controller, error)
- func (r *Repository) ListNonces(ctx context.Context, purpose string, opt ...Option) ([]*Nonce, error)
- func (r *Repository) ListWorkers(ctx context.Context, scopeIds []string, opt ...Option) ([]*Worker, error)
- func (r *Repository) LookupWorker(ctx context.Context, publicId string, _ ...Option) (*Worker, error)
- func (r *Repository) LookupWorkerByName(ctx context.Context, name string) (*Worker, error)
- func (r *Repository) LookupWorkerIdByKeyId(ctx context.Context, keyId string) (string, error)
- func (r *Repository) SetWorkerTags(ctx context.Context, workerId string, workerVersion uint32, tags []*Tag, ...) ([]*Tag, error)
- func (r *Repository) UpdateWorker(ctx context.Context, worker *Worker, version uint32, fieldMaskPaths []string, ...) (*Worker, int, error)
- func (r *Repository) UpsertController(ctx context.Context, controller *store.Controller) (int, error)
- func (r *Repository) UpsertWorkerStatus(ctx context.Context, worker *Worker, opt ...Option) (*Worker, error)
- type RootCertificate
- type RootCertificateKeys
- type Tag
- type TagSource
- type Worker
- type WorkerAuth
- type WorkerAuthRepositoryStorage
- func (r *WorkerAuthRepositoryStorage) FilterToAuthorizedWorkerKeyIds(ctx context.Context, workerKeyIds []string) ([]string, error)
- func (r *WorkerAuthRepositoryStorage) FindWorkerAuthByWorkerId(ctx context.Context, workerId string) (*WorkerAuthSet, error)
- func (r *WorkerAuthRepositoryStorage) List(ctx context.Context, msg proto.Message) ([]string, error)
- func (r *WorkerAuthRepositoryStorage) Load(ctx context.Context, msg nodee.MessageWithId) error
- func (r *WorkerAuthRepositoryStorage) Remove(ctx context.Context, msg nodee.MessageWithId) error
- func (r *WorkerAuthRepositoryStorage) Store(ctx context.Context, msg nodee.MessageWithId) error
- type WorkerAuthServerLedActivationToken
- type WorkerAuthSet
- type WorkerCertBundle
- type WorkerKeys
- type WorkerType
Constants ¶
const ( NoncePurposeRecovery = "recovery" NoncePurposeWorkerAuth = "worker-auth" )
const ( UnknownWorkerType WorkerType = "unknown" KmsWorkerType WorkerType = "kms" PkiWorkerType WorkerType = "pki" ActiveOperationalState OperationalState = "active" ShutdownOperationalState OperationalState = "shutdown" UnknownOperationalState OperationalState = "unknown" )
const CaId = "roots"
The CertificateAuthority id will always be set to "roots". The const CaId contains this value.
const ( // DefaultLiveness is a default used for various timing parameters, such as // grace period for status updates, server liveness, etc. DefaultLiveness = 15 * time.Second )
const (
WorkerPrefix = "w"
)
PublicId prefixes for the resources in the server package.
Variables ¶
This section is empty.
Functions ¶
func AttachWorkerIdToState ¶
AttachWorkerIdToState accepts a workerId and creates a struct for use with the nodeenrollment lib. This is intended for use in worker authorization: AuthorizeNode in the lib accepts the option WithState so that the workerId is passed through to storage and associated with a WorkerAuth record.
func GetOpts ¶ added in v0.10.4
func GetOpts(opt ...Option) options
GetOpts iterates the inbound Options and returns an options struct.
func ReinitializeRoots ¶ added in v0.11.0
func ReinitializeRoots(ctx context.Context, workerAuthRepo *WorkerAuthRepositoryStorage, opt ...nodeenrollment.Option) (*types.RootCertificates, error)
ReinitializeRoots is a domain service function that removes both stored root certificates and then calls RotateRoots to generate new root certificates. Accepts the nodeenrollment option WithCertificateLifetime(time.Duration) to specify the lifetime of the generated cert(s).
func RotateRoots ¶
func RotateRoots(ctx context.Context, workerAuthRepo *WorkerAuthRepositoryStorage, opt ...nodeenrollment.Option) (*types.RootCertificates, error)
RotateRoots is a domain service function that initiates a rotation of root certificates via a call to the nodeenrollment RotateRootCertificates function. Accepts the nodeenrollment option WithCertificateLifetime(time.Duration) to specify the lifetime of the generated cert(s).
func StoreNodeInformationTx ¶
func StoreNodeInformationTx(ctx context.Context, writer db.Writer, databaseWrapper wrapping.Wrapper, node *types.NodeInformation, _ ...Option) error
StoreNodeInformationTx stores NodeInformation. No options are currently supported.
This function encapsulates all the work required within a dbw.TxHandler and allows this capability to be shared with other repositories or just called within a transaction. To be clear, this repository function doesn't include its own transaction and is intended to be used within a transaction provided by the caller.
Node information is stored in two parts: * the workerAuth record is stored with a reference to a worker * certificate bundles are stored with a reference to the workerAuth record and issuing root certificate
func TestKmsKey ¶
func ValidOperationalState ¶ added in v0.11.0
Types ¶
type CertificateAuthority ¶
type CertificateAuthority struct { *store.CertificateAuthority // contains filtered or unexported fields }
CertificateAuthority is a versioned entity used to lock the database when rotating RootCertificates.
func (*CertificateAuthority) SetTableName ¶
func (r *CertificateAuthority) SetTableName(n string)
SetTableName sets the table name.
func (*CertificateAuthority) TableName ¶
func (r *CertificateAuthority) TableName() string
TableName returns the table name.
type CertificateState ¶
type CertificateState string
CertificateState defines the possible states for a workerauth certificate
const ( UnknownState CertificateState = "unknown" CurrentState CertificateState = "current" NextState CertificateState = "next" )
type OperationalState ¶ added in v0.11.0
type OperationalState string
func (OperationalState) String ¶ added in v0.11.0
func (t OperationalState) String() string
type Option ¶
type Option func(*options)
Option - how Options are passed as arguments
func WithActiveWorkers ¶ added in v0.11.0
WithActiveWorkers provides an optional filter to only include active workers
func WithAddress ¶
WithAddress provides an optional address.
func WithCreateControllerLedActivationToken ¶ added in v0.10.4
WithCreateControllerLedActivationToken provides an optional flag indicating whether a controller-led activation token should be created (see CreateWorker).
func WithDescription ¶
WithDescription provides an optional description.
func WithFetchNodeCredentialsRequest ¶
func WithFetchNodeCredentialsRequest(req *types.FetchNodeCredentialsRequest) Option
WithFetchNodeCredentialsRequest allows an optional FetchNodeCredentialsRequest to be specified.
func WithLimit ¶
WithLimit provides an optional limit. Negative integers are intentionally allowed: if WithLimit < 0, unlimited results are returned; if WithLimit == 0, the default limits are used for results.
func WithLiveness ¶
WithLiveness indicates how far back we want to search for server entries. Use 0 for the default liveness (15 seconds). A liveness value of -1 removes the liveness condition.
func WithNewIdFunc ¶
WithNewIdFunc allows an optional factory function for new worker IDs to be specified (this option is likely only useful for tests).
func WithOperationalState ¶ added in v0.11.0
WithOperationalState provides an optional operational state.
func WithPublicId ¶
WithPublicId provides an optional public Id used for skipping one db call.
func WithReleaseVersion ¶ added in v0.11.0
WithReleaseVersion provides an optional release version.
func WithStopAfter ¶ added in v0.10.0
WithStopAfter provides an optional stop after count
func WithTestPkiWorkerAuthorizedKeyId ¶
WithTestPkiWorkerAuthorizedKeyId should only be used in tests. It specifies that the test worker should be authorized when returned and assigns the key id for that worker to the string pointer in this option.
func WithUpdateTags ¶
WithUpdateTags indicates that we should perform tag updates in the DB. This would happen on first sync from a worker after startup or (eventually, perhaps), after a SIGHUP.
func WithWorkerKeyIdentifier ¶
func WithWorkerKeys ¶
func WithWorkerKeys(workerKeys WorkerKeys) Option
func WithWorkerType ¶ added in v0.10.0
func WithWorkerType(with WorkerType) Option
WithWorkerType allows specifying a particular type of worker (kms, pki) during lookup or listing.
type Repository ¶
type Repository struct {
// contains filtered or unexported fields
}
Repository is the server database repository
func NewRepository ¶
NewRepository creates a new server Repository. Supports the options: WithLimit which sets a default limit on results returned by repo operations.
func (*Repository) AddWorkerTags ¶
func (r *Repository) AddWorkerTags(ctx context.Context, workerId string, workerVersion uint32, tags []*Tag, _ ...Option) ([]*Tag, error)
AddWorkerTags adds specified api tags to the repo worker and returns its new tags. No options are currently supported.
func (*Repository) CleanupNonces ¶
CleanupNonces removes nonces that no longer need to be stored
func (*Repository) CreateWorker ¶
func (r *Repository) CreateWorker(ctx context.Context, worker *Worker, opt ...Option) (*Worker, error)
CreateWorker will create a worker in the repository and return the written worker. Creating a worker is intentionally not oplogged. A worker's ReportedStatus and Tags are intentionally ignored when creating a worker (not included). Currently, a worker can only be created in the global scope.
Options supported: WithNewIdFunc (this option is likely only useful for tests), WithFetchNodeCredentialsRequest, WithCreateControllerLedActivationToken. The latter two are mutually exclusive.
func (*Repository) DeleteWorker ¶
DeleteWorker will delete a worker from the repository.
func (*Repository) DeleteWorkerTags ¶
func (r *Repository) DeleteWorkerTags(ctx context.Context, workerId string, workerVersion uint32, tags []*Tag, _ ...Option) (int, error)
DeleteWorkerTags deletes specified api worker tags from the repo. Returns the number of rows deleted. No options are currently supported.
func (*Repository) ListControllers ¶
func (r *Repository) ListControllers(ctx context.Context, opt ...Option) ([]*store.Controller, error)
func (*Repository) ListNonces ¶
func (r *Repository) ListNonces(ctx context.Context, purpose string, opt ...Option) ([]*Nonce, error)
ListNonces lists nonces. Used only for tests at the moment.
func (*Repository) ListWorkers ¶
func (r *Repository) ListWorkers(ctx context.Context, scopeIds []string, opt ...Option) ([]*Worker, error)
ListWorkers will return a listing of Workers and honor the WithLimit option. If WithLiveness is zero the default liveness value is used, if it is negative then the last status update time is ignored. If WithLimit < 0, then unlimited results are returned. If WithLimit == 0, then default limits are used for results. Also supports: WithWorkerType, WithActiveWorkers
func (*Repository) LookupWorker ¶
func (r *Repository) LookupWorker(ctx context.Context, publicId string, _ ...Option) (*Worker, error)
LookupWorker returns the worker for the provided publicId. This returns nil, nil in the situation where no worker can be found with that public id.
func (*Repository) LookupWorkerByName ¶
LookupWorkerByName returns the worker with the provided name. In the event that no worker is found that matches then nil, nil will be returned.
func (*Repository) LookupWorkerIdByKeyId ¶
func (*Repository) SetWorkerTags ¶
func (r *Repository) SetWorkerTags(ctx context.Context, workerId string, workerVersion uint32, tags []*Tag, _ ...Option) ([]*Tag, error)
SetWorkerTags clears the current repo worker's api tags and sets them from the input parameters. Returns the current repo worker tags. No options are currently supported.
func (*Repository) UpdateWorker ¶
func (r *Repository) UpdateWorker(ctx context.Context, worker *Worker, version uint32, fieldMaskPaths []string, opt ...Option) (*Worker, int, error)
UpdateWorker will update a worker in the repository and return the resulting worker. fieldMaskPaths provides field_mask.proto paths for fields that should be updated. Fields will be set to NULL if the field is a zero value and included in fieldMask. Name, Description, and Address are the only updatable fields, if no updatable fields are included in the fieldMaskPaths, then an error is returned. If any paths besides those listed above are included in the path then an error is returned.
func (*Repository) UpsertController ¶
func (r *Repository) UpsertController(ctx context.Context, controller *store.Controller) (int, error)
func (*Repository) UpsertWorkerStatus ¶
func (r *Repository) UpsertWorkerStatus(ctx context.Context, worker *Worker, opt ...Option) (*Worker, error)
UpsertWorkerStatus will update the address and last status time for a worker. If the worker is a kms worker that hasn't been seen yet, it'll attempt to create a new one, but will return an error if another worker (kms or other) has the same name. This returns the Worker object with the changes applied. The WithPublicId, WithKeyId, and WithUpdateTags options are the only ones used. All others are ignored. Workers are intentionally not oplogged.
type RootCertificate ¶
type RootCertificate struct { *store.RootCertificate // contains filtered or unexported fields }
RootCertificate contains fields related to a RootCertificate resource. This includes the public/private keys, the PEM encoded certificate, and the certificate validity period.
func TestRootCertificate ¶
func (*RootCertificate) SetTableName ¶
func (r *RootCertificate) SetTableName(n string)
SetTableName sets the table name.
func (*RootCertificate) TableName ¶
func (r *RootCertificate) TableName() string
TableName returns the table name.
func (*RootCertificate) ValidateNewRootCertificate ¶
func (r *RootCertificate) ValidateNewRootCertificate(ctx context.Context) error
ValidateNewRootCertificate validates the RootCertificate. On success, it returns nil.
type RootCertificateKeys ¶
type RootCertificateKeys struct {
// contains filtered or unexported fields
}
RootCertificateKeys contains the public and private keys for use in constructing a RootCertificate
type Tag ¶
A Tag is a custom key/value pair which can be attached to a Worker. Multiple Tags may contain the same key and different values, in which case both key/value pairs are valid. Tags can be sourced from either the worker's configuration or the api. Key/value pairs can be the same from different sources.
type Worker ¶
type Worker struct { *store.Worker // This is used to pass the token back to the calling function ControllerGeneratedActivationToken string `gorm:"-"` // contains filtered or unexported fields }
A Worker is a server that provides an address which can be used to proxy session connections. It can be tagged with custom tags and is used when authorizing and establishing a session. It is owned by a scope.
func NewWorker ¶
NewWorker returns a new Worker. Valid options are WithName, WithDescription, WithAddress, and WithWorkerTags. All other options are ignored. This does not set any of the worker reported values.
func TestKmsWorker ¶
TestKmsWorker inserts a worker into the db to satisfy foreign key constraints. The worker provided fields are auto generated. If WithName is not present, a random name will be generated and assigned to the worker.
func TestPkiWorker ¶
TestPkiWorker inserts a worker into the db to satisfy foreign key constraints. The worker provided fields are auto generated. WithName and WithDescription, if present, are applied to the resource name and description. WithTestPkiWorkerAuthorizedKeyId can be used to make the PkiWorker authorized, in which case the string pointer passed to WithTestPkiWorkerAuthorizedKeyId is set to the key id.
func (*Worker) ActiveConnectionCount ¶
ActiveConnectionCount is the current number of sessions this worker is handling according to the controllers.
func (*Worker) CanonicalTags ¶
CanonicalTags is the deduplicated set of tags contained on both the resource set over the API as well as the tags reported by the worker itself. This function is guaranteed to return a non-nil map.
func (*Worker) GetApiTags ¶ added in v0.10.0
GetApiTags returns the api tags which have been set for this worker.
func (*Worker) GetConfigTags ¶
GetConfigTags returns the tags for this worker which has been set through the worker daemon's configuration file.
func (*Worker) GetLastStatusTime ¶
GetLastStatusTime returns the last time the worker reported its connection status to the controller. If the worker has never reported to a controller then nil is returned.
type WorkerAuth ¶
type WorkerAuth struct { *store.WorkerAuth // contains filtered or unexported fields }
WorkerAuth contains all fields related to an authorized Worker resource. This includes worker public keys, the controller encryption key, and certificate bundles issued by the Boundary CA.
func TestWorkerAuth ¶
func (*WorkerAuth) SetTableName ¶
func (w *WorkerAuth) SetTableName(n string)
SetTableName sets the table name.
func (*WorkerAuth) TableName ¶
func (w *WorkerAuth) TableName() string
TableName returns the table name.
func (*WorkerAuth) ValidateNewWorkerAuth ¶
func (w *WorkerAuth) ValidateNewWorkerAuth(ctx context.Context) error
ValidateNewWorkerAuth is called before storing a WorkerAuth in the db.
type WorkerAuthRepositoryStorage ¶
type WorkerAuthRepositoryStorage struct {
// contains filtered or unexported fields
}
WorkerAuthRepositoryStorage is the Worker Auth database repository
func NewRepositoryStorage ¶
func NewRepositoryStorage(ctx context.Context, r db.Reader, w db.Writer, kms *kms.Kms) (*WorkerAuthRepositoryStorage, error)
NewRepositoryStorage creates a new WorkerAuthRepositoryStorage that implements the Storage interface
func (*WorkerAuthRepositoryStorage) FilterToAuthorizedWorkerKeyIds ¶ added in v0.11.1
func (r *WorkerAuthRepositoryStorage) FilterToAuthorizedWorkerKeyIds(ctx context.Context, workerKeyIds []string) ([]string, error)
FilterToAuthorizedWorkerKeyIds returns all the worker key identifiers that are authorized from the slice of key identifiers provided to the function.
func (*WorkerAuthRepositoryStorage) FindWorkerAuthByWorkerId ¶ added in v0.10.4
func (r *WorkerAuthRepositoryStorage) FindWorkerAuthByWorkerId(ctx context.Context, workerId string) (*WorkerAuthSet, error)
FindWorkerAuthByWorkerId takes a workerId and returns the WorkerAuthSet for this worker.
func (*WorkerAuthRepositoryStorage) List ¶
func (r *WorkerAuthRepositoryStorage) List(ctx context.Context, msg proto.Message) ([]string, error)
List implements the Storage interface. List returns a list of IDs; the type of the message is used to disambiguate what to list.
func (*WorkerAuthRepositoryStorage) Load ¶
func (r *WorkerAuthRepositoryStorage) Load(ctx context.Context, msg nodee.MessageWithId) error
Load implements the Storage interface. Load loads values into the given message. The message must be populated with the ID value. If not found, the returned error should be ErrNotFound.
func (*WorkerAuthRepositoryStorage) Remove ¶
func (r *WorkerAuthRepositoryStorage) Remove(ctx context.Context, msg nodee.MessageWithId) error
Remove implements the Storage interface. Remove removes the given message. Only the ID field of the message is considered.
func (*WorkerAuthRepositoryStorage) Store ¶
func (r *WorkerAuthRepositoryStorage) Store(ctx context.Context, msg nodee.MessageWithId) error
Store implements the Storage interface.
type WorkerAuthServerLedActivationToken ¶ added in v0.10.4
type WorkerAuthServerLedActivationToken struct { *store.WorkerAuthServerLedActivationToken // contains filtered or unexported fields }
WorkerAuthServerLedActivationToken contains an activation token for a worker
func (*WorkerAuthServerLedActivationToken) SetTableName ¶ added in v0.10.4
func (w *WorkerAuthServerLedActivationToken) SetTableName(n string)
SetTableName sets the table name.
func (*WorkerAuthServerLedActivationToken) TableName ¶ added in v0.10.4
func (w *WorkerAuthServerLedActivationToken) TableName() string
TableName returns the table name.
func (*WorkerAuthServerLedActivationToken) ValidateNewWorkerAuthServerLedActivationToken ¶ added in v0.10.4
func (w *WorkerAuthServerLedActivationToken) ValidateNewWorkerAuthServerLedActivationToken(ctx context.Context) error
ValidateNewWorkerAuthServerLedActivationToken is called before storing a WorkerAuthServerLedActivationToken in the db.
type WorkerAuthSet ¶ added in v0.11.0
type WorkerAuthSet struct { Previous *WorkerAuth Current *WorkerAuth }
WorkerAuthSet is intended to store a set of WorkerAuth records. This set represents the current and previous WorkerAuth records for a worker.
type WorkerCertBundle ¶
type WorkerCertBundle struct { *store.WorkerCertBundle // contains filtered or unexported fields }
WorkerCertBundle contains all fields related to a WorkerCertBundle resource. This includes the serial number of the issuing CA, the worker id, and the certificate bundles issued by the CA.
func (*WorkerCertBundle) SetTableName ¶
func (w *WorkerCertBundle) SetTableName(n string)
SetTableName sets the table name.
func (*WorkerCertBundle) TableName ¶
func (w *WorkerCertBundle) TableName() string
TableName returns the table name.
func (*WorkerCertBundle) ValidateNewWorkerCertBundle ¶
func (w *WorkerCertBundle) ValidateNewWorkerCertBundle(ctx context.Context) error
ValidateNewWorkerCertBundle is called before storing a WorkerCertBundle in the db.
type WorkerKeys ¶
type WorkerKeys struct {
// contains filtered or unexported fields
}
WorkerKeys contains the signing and encryption keys for a WorkerAuth resource.
type WorkerType ¶
type WorkerType string
func (WorkerType) String ¶
func (t WorkerType) String() string
func (WorkerType) Valid ¶
func (t WorkerType) Valid() bool
Source Files ¶
- options.go
- public_ids.go
- query.go
- repository.go
- repository_controller.go
- repository_nonce.go
- repository_worker.go
- repository_workerauth.go
- rewrapping.go
- root_certificate.go
- service_reinitialize_roots.go
- service_rotate_roots.go
- state.go
- testing.go
- worker.go
- worker_auth.go
- worker_auth_server_led_activation_token.go
- worker_tag.go