sys

package
Published: Nov 15, 2022 License: AGPL-3.0 Imports: 26 Imported by: 0

Constants

// DefaultEnclaveName is the Enclave name used when a client does not
// specify an Enclave name explicitly.
const DefaultEnclaveName = "default"

DefaultEnclaveName is the default Enclave name used when the client does not specify the Enclave name explicitly.

Variables

// ErrMoreUnsealKeysRequired is returned by an Unsealer when the UnsealKeys
// supplied so far are not sufficient to decrypt the sealed key; the caller
// must provide at least one more UnsealKey.
var ErrMoreUnsealKeysRequired = errors.New("sys: more unseal keys required")

ErrMoreUnsealKeysRequired is an error indicating that the Unsealer requires more UnsealKeys to decrypt the sealed key.

Functions

This section is empty.

Types

type BuildInfo added in v0.19.4

// BuildInfo contains build information about a Go binary.
// BinaryInfo reports the BuildInfo of the running binary itself and
// falls back to default values when no build information was compiled in.
type BuildInfo struct {
	Version  string // version string of the build
	CommitID string // commit the binary was built from (presumably VCS-derived; confirm in BinaryInfo)
}

BuildInfo contains build information about a Go binary.

func BinaryInfo added in v0.19.4

func BinaryInfo() BuildInfo

BinaryInfo returns the BuildInfo of the binary itself.

It returns some default information when no build information has been compiled into the binary.

type Enclave

// An Enclave is a shielded environment within a Vault that stores keys,
// policies and identities. It is built with NewEnclave from a KeyFS, a
// PolicyFS and an IdentityFS; incoming requests are authorized against its
// policies and identities by VerifyRequest, and Locker/RLocker expose its
// write/read locks.
type Enclave struct {
	// contains filtered or unexported fields
}

An Enclave is a shielded environment within a Vault that stores keys, policies and identities.

func NewEnclave

func NewEnclave(keys KeyFS, policies PolicyFS, identities IdentityFS) *Enclave

NewEnclave returns a new Enclave with the given key store, policy set and identity set.

func (*Enclave) Admin added in v0.21.0

func (e *Enclave) Admin(ctx context.Context) (kes.Identity, error)

Admin returns the current Enclave admin identity.

func (*Enclave) AssignPolicy

func (e *Enclave) AssignPolicy(ctx context.Context, policy string, identity kes.Identity) error

AssignPolicy assigns the policy to the identity.

func (*Enclave) CreateKey

func (e *Enclave) CreateKey(ctx context.Context, name string, key key.Key) error

CreateKey stores the given key if and only if no entry with the given name exists.

It returns kes.ErrKeyExists if such an entry exists.

func (*Enclave) DeleteIdentity

func (e *Enclave) DeleteIdentity(ctx context.Context, identity kes.Identity) error

DeleteIdentity deletes the given identity.

func (*Enclave) DeleteKey

func (e *Enclave) DeleteKey(ctx context.Context, name string) error

DeleteKey deletes the key associated with the given name.

func (*Enclave) DeletePolicy

func (e *Enclave) DeletePolicy(ctx context.Context, name string) error

DeletePolicy deletes the policy associated with the given name.

func (*Enclave) GetIdentity

func (e *Enclave) GetIdentity(ctx context.Context, identity kes.Identity) (auth.IdentityInfo, error)

GetIdentity returns metadata about the given identity.

func (*Enclave) GetKey

func (e *Enclave) GetKey(ctx context.Context, name string) (key.Key, error)

GetKey returns the key associated with the given name.

It returns kes.ErrKeyNotFound if no such entry exists.

func (*Enclave) GetPolicy

func (e *Enclave) GetPolicy(ctx context.Context, name string) (auth.Policy, error)

GetPolicy returns the policy associated with the given name.

It returns kes.ErrPolicyNotFound when no such entry exists.

func (*Enclave) ListIdentities

func (e *Enclave) ListIdentities(ctx context.Context) (auth.IdentityIterator, error)

ListIdentities returns an iterator over all identities within the Enclave.

The iterator makes no guarantees about whether concurrent changes to the enclave - i.e. assignment or deletion of identities - are reflected. It does not provide any ordering guarantees.

func (*Enclave) ListKeys

func (e *Enclave) ListKeys(ctx context.Context) (kms.Iter, error)

ListKeys returns a new iterator over all keys within the Enclave.

The iterator makes no guarantees about whether concurrent changes to the enclave - i.e. creation or deletion of keys - are reflected. It does not provide any ordering guarantees.

func (*Enclave) ListPolicies

func (e *Enclave) ListPolicies(ctx context.Context) (auth.PolicyIterator, error)

ListPolicies returns a new iterator over all policies within the Enclave.

The iterator makes no guarantees about whether concurrent changes to the enclave - i.e. creation or deletion of policies - are reflected. It does not provide any ordering guarantees.

func (*Enclave) Locker added in v0.21.0

func (e *Enclave) Locker() sync.Locker

Locker returns a sync.Locker that locks the Enclave for writes.

func (*Enclave) RLocker added in v0.21.0

func (e *Enclave) RLocker() sync.Locker

RLocker returns a sync.Locker that locks the Enclave for reads.

func (*Enclave) SetAdmin added in v0.21.0

func (e *Enclave) SetAdmin(ctx context.Context, admin kes.Identity) error

SetAdmin sets the Enclave admin to the given identity. The new admin identity must not be an existing identity that is already assigned to a policy.

func (*Enclave) SetPolicy

func (e *Enclave) SetPolicy(ctx context.Context, name string, policy auth.Policy) error

SetPolicy creates or overwrites the policy with the given name.

func (*Enclave) Status

func (e *Enclave) Status(ctx context.Context) (kms.State, error)

Status returns the current state of the key store.

If Status fails to reach the Store - e.g. due to a network error - it returns a StoreState with StoreUnreachable and no error.

func (*Enclave) VerifyRequest

func (e *Enclave) VerifyRequest(r *http.Request) error

VerifyRequest verifies the given request is allowed based on the policies and identities within the Enclave.

type EnclaveInfo added in v0.20.0

// EnclaveInfo contains information about an Enclave, including the root
// encryption keys that protect its key store, policy set and identity set.
//
// NOTE(review): MarshalBinary presumably serializes these root keys together
// with the metadata, so the binary representation is itself secret material
// and must only be persisted in sealed/encrypted form — confirm against
// MarshalBinary and the VaultFS implementation.
type EnclaveInfo struct {
	// Name is the Enclave's name.
	Name string

	// KeyStoreKey is the root encryption key used to
	// en/decrypt the key store.
	KeyStoreKey key.Key

	// PolicyKey is the root encryption key used to
	// en/decrypt the policy set.
	PolicyKey key.Key

	// IdentityKey is the root encryption key used to
	// en/decrypt the identity set.
	IdentityKey key.Key

	// CreatedAt is the point in time when the Enclave
	// got created.
	CreatedAt time.Time

	// CreatedBy is the identity that created the Enclave.
	CreatedBy kes.Identity
}

EnclaveInfo contains information about an Enclave.

func (EnclaveInfo) MarshalBinary added in v0.20.0

func (e EnclaveInfo) MarshalBinary() ([]byte, error)

MarshalBinary returns the EnclaveInfo's binary representation.

func (*EnclaveInfo) UnmarshalBinary added in v0.20.0

func (e *EnclaveInfo) UnmarshalBinary(b []byte) error

UnmarshalBinary unmarshals the EnclaveInfo's binary representation.

type IdentityFS added in v0.21.0

// IdentityFS provides access to identities, including the admin identity,
// within a particular Enclave. NewIdentityFS returns an implementation
// that persists identities to a path and en/decrypts them with a key.Key.
type IdentityFS interface {
	// Admin returns the enclave admin identity.
	Admin(ctx context.Context) (kes.Identity, error)

	// SetAdmin sets the enclave admin to the given identity.
	//
	// The new admin identity must not be an existing identity
	// that is already assigned to a policy.
	SetAdmin(ctx context.Context, admin kes.Identity) error

	// AssignPolicy assigns the policy to the given identity.
	//
	// No policy must be assigned to the admin identity.
	AssignPolicy(ctx context.Context, policy string, identity kes.Identity) error

	// GetIdentity returns identity information for the given identity,
	// including the admin identity information.
	//
	// It returns ErrIdentityNotFound if no such identity exists.
	GetIdentity(ctx context.Context, identity kes.Identity) (auth.IdentityInfo, error)

	// DeleteIdentity deletes the identity information for the
	// specified identity.
	//
	// It returns ErrIdentityNotFound if no such identity exists.
	DeleteIdentity(ctx context.Context, identity kes.Identity) error

	// ListIdentities returns an iterator over all identities within
	// the enclave.
	ListIdentities(ctx context.Context) (auth.IdentityIterator, error)
}

IdentityFS provides access to identities, including the admin identity, within a particular Enclave.

func NewIdentityFS added in v0.21.0

func NewIdentityFS(filename string, key key.Key) IdentityFS

NewIdentityFS returns a new IdentityFS that reads/writes identities from/to the given directory path and en/decrypts them with the given encryption key.

type KeyFS added in v0.21.0

// KeyFS provides access to cryptographic keys within a particular Enclave.
// NewKeyFS returns an implementation that persists keys to a path and
// en/decrypts them with a key.Key.
type KeyFS interface {
	// CreateKey creates a new entry for the given key if and only
	// if no such entry exists already.
	//
	// It returns ErrKeyExists if such a key already exists.
	CreateKey(ctx context.Context, name string, key key.Key) error

	// GetKey returns the requested key.
	//
	// It returns ErrKeyNotFound if no such key exists.
	GetKey(ctx context.Context, name string) (key.Key, error)

	// DeleteKey deletes the specified key.
	//
	// It returns ErrKeyNotFound if no such key exists.
	DeleteKey(ctx context.Context, name string) error

	// ListKeys returns an iterator over all key entries.
	ListKeys(ctx context.Context) (kms.Iter, error)
}

KeyFS provides access to cryptographic keys within a particular Enclave.

func NewKeyFS added in v0.21.0

func NewKeyFS(filename string, key key.Key) KeyFS

NewKeyFS returns a new KeyFS that reads/writes keys from/to the given directory path and en/decrypts them with the given encryption key.

type PolicyFS added in v0.21.0

// PolicyFS provides access to policies within a particular Enclave.
// NewPolicyFS returns an implementation that persists policies to a path
// and en/decrypts them with a key.Key.
type PolicyFS interface {
	// SetPolicy creates or overwrites any existing policy with the
	// given one.
	SetPolicy(ctx context.Context, name string, policy auth.Policy) error

	// GetPolicy returns the requested policy.
	//
	// It returns ErrPolicyNotFound if no such policy exists.
	GetPolicy(ctx context.Context, name string) (auth.Policy, error)

	// DeletePolicy deletes the specified policy.
	//
	// It returns ErrPolicyNotFound if no such policy exists.
	DeletePolicy(ctx context.Context, name string) error

	// ListPolicies returns an iterator over all policy entries.
	ListPolicies(ctx context.Context) (auth.PolicyIterator, error)
}

PolicyFS provides access to policies within a particular Enclave.

func NewPolicyFS added in v0.21.0

func NewPolicyFS(filename string, key key.Key) PolicyFS

NewPolicyFS returns a new PolicyFS that reads/writes policies from/to the given directory path and en/decrypts them with the given encryption key.

type Sealer added in v0.20.0

// A Sealer seals secrets, i.e. cryptographic keys. The output of Seal is
// decrypted by the corresponding Unsealer; SealFromEnvironment returns a
// Sealer keyed from an environment variable.
type Sealer interface {
	// Seal encrypts the given plaintext and
	// returns a Stanza and a set of UnsealKeys.
	//
	// The Stanza contains the sealed plaintext
	// data. The set of UnsealKeys are used by a
	// corresponding Unsealer to decrypt the stanza
	// and obtain the original plaintext.
	Seal(plaintext []byte) (*Stanza, []UnsealKey, error)
}

A Sealer seals secrets, i.e. cryptographic keys.

func SealFromEnvironment added in v0.20.0

func SealFromEnvironment(name string) (Sealer, error)

SealFromEnvironment returns a new Sealer that encrypts secrets using a key from the named environment variable. It returns an error if it fails to read a key from the named environment variable.

type Stanza added in v0.20.0

// A Stanza describes a sealed value as produced by a Sealer and consumed
// by an Unsealer. MarshalBinary/UnmarshalBinary convert it to and from
// its binary representation.
type Stanza struct {
	// Type describes the seal/unseal method used to
	// produce this Stanza.
	Type string

	// Body contains the sealed information. It's
	// an opaque byte string specific to the seal
	// method.
	Body []byte
}

A Stanza describes a sealed value.

func (Stanza) MarshalBinary added in v0.20.0

func (s Stanza) MarshalBinary() ([]byte, error)

MarshalBinary returns the Stanza's binary representation.

func (*Stanza) UnmarshalBinary added in v0.20.0

func (s *Stanza) UnmarshalBinary(b []byte) error

UnmarshalBinary unmarshals the Stanza's binary representation.

type UnsealKey added in v0.20.0

// An UnsealKey is a key generated by a Sealer that can (partially) unseal
// a Stanza; an Unsealer may need several of them (see
// ErrMoreUnsealKeysRequired).
//
// NOTE(review): String presumably renders the key material itself, so
// UnsealKey values should not be written to logs or error messages —
// confirm against the implementations.
type UnsealKey interface {
	String() string
}

An UnsealKey is a key generated by a Sealer that can (partially) unseal a Stanza.

type Unsealer added in v0.20.0

// An Unsealer decrypts sealed secrets encrypted by the corresponding
// Sealer. UnsealFromEnvironment returns an Unsealer keyed from the
// environment.
type Unsealer interface {
	// Unseal decrypts the given stanza with a set of
	// UnsealKeys and returns the plaintext data.
	//
	// Unseal returns ErrMoreUnsealKeysRequired if at
	// least one more UnsealKey is required to decrypt
	// the Stanza.
	Unseal(*Stanza, ...UnsealKey) ([]byte, error)
}

An Unsealer decrypts sealed secrets encrypted by the corresponding Sealer.

func UnsealFromEnvironment added in v0.20.0

func UnsealFromEnvironment() Unsealer

UnsealFromEnvironment returns a new Unsealer that decrypts sealed secrets using a key from the environment.

type Vault

// A Vault manages a set of enclaves and persists its state through the
// VaultFS passed to NewVault. It is either in a sealed or unsealed state:
// while sealed, every Vault operation except Unseal returns ErrSealed.
type Vault struct {
	// contains filtered or unexported fields
}

A Vault manages a set of enclaves. It is either in a sealed or unsealed state. When sealed, any Vault operation, except unsealing, returns ErrSealed.

func NewVault added in v0.21.0

func NewVault(fs VaultFS) *Vault

NewVault returns a new Vault that uses the given VaultFS to persist state.

func (*Vault) Admin added in v0.21.0

func (v *Vault) Admin(ctx context.Context) (kes.Identity, error)

Admin returns the current Vault admin identity.

func (*Vault) CreateEnclave

func (v *Vault) CreateEnclave(ctx context.Context, name string, admin kes.Identity) (EnclaveInfo, error)

CreateEnclave creates a new enclave with the given name and enclave admin identity.

It returns ErrEnclaveExists if such an enclave already exists.

func (*Vault) DeleteEnclave

func (v *Vault) DeleteEnclave(ctx context.Context, name string) error

DeleteEnclave deletes the enclave with the given name.

It returns ErrEnclaveNotFound if no such enclave exists.

func (*Vault) GetEnclave

func (v *Vault) GetEnclave(ctx context.Context, name string) (*Enclave, error)

GetEnclave returns the Enclave with the given name.

It returns ErrEnclaveNotFound if no such enclave exists.

func (*Vault) GetEnclaveInfo added in v0.21.1

func (v *Vault) GetEnclaveInfo(ctx context.Context, name string) (EnclaveInfo, error)

GetEnclaveInfo returns information about the specified enclave.

It returns ErrEnclaveNotFound if no such enclave exists.

func (*Vault) Locker added in v0.21.0

func (v *Vault) Locker() sync.Locker

Locker returns a sync.Locker that locks the Vault for writes.

func (*Vault) RLocker added in v0.21.0

func (v *Vault) RLocker() sync.Locker

RLocker returns a sync.Locker that locks the Vault for reads.

func (*Vault) Seal

func (v *Vault) Seal(ctx context.Context) error

Seal seals the Vault. Once sealed, any subsequent Vault operation returns ErrSealed until the Vault gets unsealed again.

func (*Vault) Unseal

func (v *Vault) Unseal(ctx context.Context, keys ...UnsealKey) error

Unseal unseals the Vault. In case of an unsealed Vault, Unseal is a no-op.

type VaultFS added in v0.21.0

// VaultFS provides access to Vault state: sealing/unsealing, the Vault
// admin identity and the enclaves. NewVaultFS returns an implementation
// that persists enclaves to a path and en/decrypts them with a key.Key.
type VaultFS interface {
	// Seal seals the VaultFS. A sealed VaultFS must
	// be unsealed before it can process any new
	// requests.
	Seal(ctx context.Context) error

	// Unseal unseals a sealed VaultFS.
	Unseal(ctx context.Context, unsealKeys ...UnsealKey) error

	// Admin returns the current VaultFS admin identity.
	Admin(ctx context.Context) (kes.Identity, error)

	// CreateEnclave creates a new enclave with the given identity
	// as enclave admin.
	//
	// It returns ErrEnclaveExists if such an enclave already exists.
	CreateEnclave(ctx context.Context, name string, admin kes.Identity) (EnclaveInfo, error)

	// GetEnclave returns the requested enclave.
	//
	// It returns ErrEnclaveNotFound if no such enclave exists.
	GetEnclave(ctx context.Context, name string) (*Enclave, error)

	// GetEnclaveInfo returns information about the specified enclave.
	//
	// It returns ErrEnclaveNotFound if no such enclave exists.
	GetEnclaveInfo(ctx context.Context, name string) (EnclaveInfo, error)

	// DeleteEnclave deletes the specified enclave.
	//
	// It returns ErrEnclaveNotFound if no such enclave exists.
	DeleteEnclave(ctx context.Context, name string) error
}

VaultFS provides access to Vault state.

func NewVaultFS added in v0.21.0

func NewVaultFS(filename string, key key.Key) VaultFS

NewVaultFS returns a new VaultFS that reads/writes enclaves from/to the given directory path and en/decrypts them with the given encryption key.
