Documentation
Index
- Constants
- func AuthenticationHook(insecureMode bool, tlsState *tls.ConnectionState) (func(request proto.Message, public bool) error, error)
- func GenerateCA(keySize int) ([]byte, crypto.PrivateKey, error)
- func GenerateClientCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, name string) ([]byte, crypto.PrivateKey, error)
- func GenerateServerCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, hosts []string) ([]byte, crypto.PrivateKey, error)
- func GetCertificateUser(tlsState *tls.ConnectionState) (string, error)
- func LoadClientTLSConfig(certDir, username string) (*tls.Config, error)
- func LoadInsecureClientTLSConfig() *tls.Config
- func LoadInsecureTLSConfig() *tls.Config
- func LoadServerTLSConfig(certDir, username string) (*tls.Config, error)
- func LogTLSState(method string, tlsState *tls.ConnectionState)
- func PromptForPasswordAndHash() ([]byte, error)
- func ResetReadFileFn()
- func RunCreateCACert(certsDir string, keySize int) error
- func RunCreateClientCert(certsDir string, keySize int, username string) error
- func RunCreateNodeCert(certsDir string, keySize int, hosts []string) error
- func SetReadFileFn(f func(string) ([]byte, error))
- type RequestWithUser
Constants
const (
// NodeUser is used by nodes for intra-cluster traffic.
NodeUser = "node"
// RootUser is the default cluster administrator.
RootUser = "root"
)
const (
// EmbeddedCertsDir is the certs directory inside embedded assets.
EmbeddedCertsDir = "test_certs"
)
Variables
This section is empty.
Functions
func AuthenticationHook
func AuthenticationHook(insecureMode bool, tlsState *tls.ConnectionState) (func(request proto.Message, public bool) error, error)
AuthenticationHook builds an authentication hook based on the security mode and client certificate. Must be called at connection time and passed the TLS state. Returns a func(proto.Message,bool) error. The passed-in proto must implement the GetUser interface.
func GenerateCA
func GenerateCA(keySize int) ([]byte, crypto.PrivateKey, error)
GenerateCA generates a CA certificate and returns the cert bytes as well as the private key used to generate the certificate.
func GenerateClientCert
func GenerateClientCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, name string) ([]byte, crypto.PrivateKey, error)
GenerateClientCert generates a client certificate and returns the cert bytes as well as the private key used to generate the certificate. The CA cert and private key should be passed in. 'name' is the unique username stored in the Subject.CommonName field.
func GenerateServerCert
func GenerateServerCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, hosts []string) ([]byte, crypto.PrivateKey, error)
GenerateServerCert generates a server certificate and returns the cert bytes as well as the private key used to generate the certificate. Takes in the CA cert and key, the size of the key to generate, and the list of hosts/IP addresses this certificate applies to.
func GetCertificateUser
func GetCertificateUser(tlsState *tls.ConnectionState) (string, error)
GetCertificateUser extracts the username from a client certificate.
func LoadClientTLSConfig
func LoadClientTLSConfig(certDir, username string) (*tls.Config, error)
LoadClientTLSConfig creates a client TLSConfig by loading the CA and client certs from the specified directory. The directory must contain the following files:
- ca.crt -- the certificate of the cluster CA
- <username>.client.crt -- the client certificate of this client; should be signed by the CA
- <username>.client.key -- the certificate key
If the path is prefixed with "embedded=", load the embedded certs.
func LoadInsecureClientTLSConfig
func LoadInsecureClientTLSConfig() *tls.Config
LoadInsecureClientTLSConfig creates a TLSConfig that disables TLS.
func LoadInsecureTLSConfig
func LoadInsecureTLSConfig() *tls.Config
LoadInsecureTLSConfig creates a TLSConfig that disables TLS.
func LoadServerTLSConfig
func LoadServerTLSConfig(certDir, username string) (*tls.Config, error)
LoadServerTLSConfig creates a server TLSConfig by loading our keys and certs from the specified directory. The directory must contain the following files:
- ca.crt -- the certificate of the cluster CA
- node.server.crt -- the server certificate of this node; should be signed by the CA
- node.server.key -- the certificate key
If the path is prefixed with "embedded=", load the embedded certs. We should never have username != "node", but this is a good way to catch tests that use the wrong users.
func LogTLSState
func LogTLSState(method string, tlsState *tls.ConnectionState)
LogTLSState logs information about TLS state in the form: "<method>: peer certs: [<Subject.CommonName>...], chain: [[<CommonName>...][..]]"
func PromptForPasswordAndHash
func PromptForPasswordAndHash() ([]byte, error)
PromptForPasswordAndHash prompts for a password on stdin twice and, if both entries match, returns a bcrypt-hashed password.
func ResetReadFileFn
func ResetReadFileFn()
ResetReadFileFn is the counterpart to SetReadFileFn, restoring the original behaviour for loading certificate related data from disk.
func RunCreateCACert
func RunCreateCACert(certsDir string, keySize int) error
RunCreateCACert is the entry-point from the command-line interface to generate a CA cert and key.
func RunCreateClientCert
func RunCreateClientCert(certsDir string, keySize int, username string) error
RunCreateClientCert is the entry-point from the command-line interface to generate a client cert and key.
func RunCreateNodeCert
func RunCreateNodeCert(certsDir string, keySize int, hosts []string) error
RunCreateNodeCert is the entry-point from the command-line interface to generate node certs and keys:
- node.server.{crt,key}: server cert with the list of DNS names/IP addresses
- node.client.{crt,key}: client cert with "node" as the Common Name.
We intentionally generate distinct keys for each cert.
func SetReadFileFn
func SetReadFileFn(f func(string) ([]byte, error))
SetReadFileFn allows ioutil.ReadFile to be swapped out for a mock for testing purposes.
Types
type RequestWithUser
type RequestWithUser interface {
GetUser() string
}
RequestWithUser must be implemented by `roachpb.Request`s which are arguments to methods that are not permitted to skip user checks.
Directories
Path | Synopsis
---|---
securitytest | Package securitytest embeds the TLS test certificates.