security

package
v0.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 12, 2018 License: Apache-2.0 Imports: 20 Imported by: 0

README

Security

Certificates

Gaia, when first started will create a signed certificate in a location defined by the user under gaia.Cfg.CAPath which can be set by the runtime flag -capath=/etc/gaia/cert for example. It is recommended that the certificate is kept separate from the main Gaia work folder and in a secure location.

This certificate is used in two places. First, in the communication between the admin portal and the back-end. Second, by the Vault.

The Vault

The Vault is a secure storage for secret values like, password, tokens and other things that the user would like to pass securly into a Pipeline. The Vault is encrypted using AES cipher technology where the key is derived from the above certificate and the IV is included in the encrypted content.

The Vault file's location can be configured through the runtime variable called VaultPath. For maximum security it is recommended that this file is kept on an encrypted, mounted drive. In case there is a breach the drive can be quickly removed and the file deleted, thus rotating all of the secrets at once, under Gaia.

To create an encrypted MacOSX image follow this guide: Encrypted Secure Disk Image on Mac.

To create an encrypted disk on Linux follow this guide: Encrypted Disk Image on Linux.

The admin will never see the secure values, not when editing, not when adding and not when looking at the list of secrets. Only the Key names are displayed at all times.

It's possible to Add, Delete, Update and List secrets in the system.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CA

type CA struct {
	// contains filtered or unexported fields
}

CA represents one generated CA.

func InitCA

func InitCA() (*CA, error)

InitCA setups a new instance of CA and generates a new CA if not already exists.

func (*CA) CleanupCerts

func (c *CA) CleanupCerts(crt, key string) error

CleanupCerts removes certificates at the given path.

func (*CA) CreateSignedCert

func (c *CA) CreateSignedCert() (string, string, error)

CreateSignedCert creates a new key pair which is signed by the CA.

func (*CA) GenerateTLSConfig

func (c *CA) GenerateTLSConfig(certPath, keyPath string) (*tls.Config, error)

GenerateTLSConfig generates a new TLS config based on given certificate path and key path.

func (*CA) GetCACertPath

func (c *CA) GetCACertPath() (string, string)

GetCACertPath returns the path to the cert and key from the root CA.

type CAAPI

type CAAPI interface {
	// CreateSignedCert creates a new signed certificate.
	// First return param is the public cert.
	// Second return param is the private key.
	CreateSignedCert() (string, string, error)

	// GenerateTLSConfig generates a TLS config.
	// It requires the path to the cert and the key.
	GenerateTLSConfig(certPath, keyPath string) (*tls.Config, error)

	// CleanupCerts cleans up the certs at the given path.
	CleanupCerts(crt, key string) error

	// GetCACertPath returns the public cert and private key
	// of the CA.
	GetCACertPath() (string, string)
}

CAAPI represents the interface used to handle certificates.

type FileVaultStorer

type FileVaultStorer struct {
	// contains filtered or unexported fields
}

FileVaultStorer implements VaultStorer as a simple file based storage device.

func (*FileVaultStorer) Init

func (fvs *FileVaultStorer) Init() error

Init initializes the FileVaultStorer.

func (*FileVaultStorer) Read

func (fvs *FileVaultStorer) Read() ([]byte, error)

Read defines a read for the FileVaultStorer.

func (*FileVaultStorer) Write

func (fvs *FileVaultStorer) Write(data []byte) error

Write defines a read for the FileVaultStorer.

type Vault

type Vault struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Vault is a secret storage for data that gaia needs to store encrypted.

func NewVault

func NewVault(ca CAAPI, storer VaultStorer) (*Vault, error)

NewVault creates a vault which is a simple k/v storage medium with AES encryption. The format is: KEY=VALUE KEY2=VALUE2 NewVault also can take a storer which is an implementation of VaultStorer. This defines a storage medium for the vault. If it's left to nil the vault will use a default FileVaultStorer.

func (*Vault) Add

func (v *Vault) Add(key string, value []byte)

Add adds a value to the vault. This operation is safe to use concurrently. Add will overwrite if the key already exists and not warn.

func (*Vault) Get

func (v *Vault) Get(key string) ([]byte, error)

Get returns a value for a key. This operation is safe to use concurrently. Get will return an error if the data doesn't exist.

func (*Vault) GetAll

func (v *Vault) GetAll() []string

GetAll returns all keys and values in a copy of the internal data.

func (*Vault) LoadSecrets

func (v *Vault) LoadSecrets() error

LoadSecrets decrypts the contents of the vault and fills up a map of data to work with.

func (*Vault) Remove

func (v *Vault) Remove(key string)

Remove removes a key from the vault. This operation is safe to use concurrently. Remove is a no-op if the data doesn't exist.

func (*Vault) SaveSecrets

func (v *Vault) SaveSecrets() error

SaveSecrets encrypts data passed to the vault in a k/v format and saves it to the vault file.

type VaultAPI

type VaultAPI interface {
	LoadSecrets() error
	GetAll() []string
	SaveSecrets() error
	Add(key string, value []byte)
	Remove(key string)
	Get(key string) ([]byte, error)
}

VaultAPI defines a set of apis that a Vault must provide in order to be a Gaia Vault.

type VaultStorer

type VaultStorer interface {
	// Init initializes the medium by creating the file, or bootstraping the
	// db or simply setting up an in-memory mock storage device. The Init
	// function of a storage medium should be idempotent. Meaning it should
	// be callable multiple times without changing the underlying medium.
	Init() error
	// Read will read bytes from the storage medium and return it to the caller.
	Read() (data []byte, err error)
	// Write will store the passed in encrypted data. How, is up to the implementor.
	Write(data []byte) error
}

VaultStorer defines a storage medium for the Vault.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL