hoard

package module
v7.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 18, 2019 License: Apache-2.0 Imports: 16 Imported by: 0

README

Hoard

Hoard is a stateless, deterministically encrypted, content-addressed object store.

hoarding marmot

Introduction

It convergently encrypts an object using its (SHA256) hash as the secret key (which can than be shared as a 'grant'). The address is then deterministically generated from the encrypted object's (SHA256) digest and allocated to the configured storage back-end:

Installing

Hoard should be go-gettable with:

# Install Hoard-Daemon:
go get github.com/monax/hoard/cmd/hoard

# Install Hoard-Control:
go get github.com/monax/hoard/cmd/hoarctl

Usage

Hoard runs as a daemon providing a GRPC service to other clients including the command line client hoarctl. The purpose of the daemon is to read local secrets (such as PGP or other keys) and to configure itself to use a particular storage backend. You can run the daemon with:

# Run the daemon
hoard

# or with logging
hoard --logging

You can initialise a Hoard config by running one of:

# Initialise Hoard with memory backend
hoard config --init memory

# Initialise Hoard with filesystem backend
hoard config --init filesystem

# Initialise Hoard with AWS (S3) backend
hoard config --init aws

# Initialise Hoard with Azure backend
hoard config --init azure

# Initialise Hoard with GCP backend
hoard config --init gcp

# Initialise Hoard with IPFS backend
hoard config --init ipfs

These will provide base configurations you can configure to meet your needs. The config is located by default in $HOME/.config/hoard.conf but you can specify a file with hoard -c /path/to/config. The XDG base directory specification is used to search for config.

You can interact with Hoard using the go client hoarctl:

# Store an object:
ref=$(echo bar | hoarctl put)

# Retrieve 'bar' from its (deterministic) reference
echo $ref | hoarctl get

# Or get information about the object without decrypting
echo $ref | hoarctl stat

# This one-liner exercises the entire API:
echo foo | hoarctl put | hoarctl get | hoarctl putseal | hoarctl unsealget | hoarctl encrypt | hoarctl insert | hoarctl stat | hoarctl cat | hoarctl decrypt -k tbudgBSg+bHWHiHnlteNzN8TUvI80ygS9IULh4rklEw= | hoarctl ref | hoarctl seal | hoarctl reseal | hoarctl unseal | hoarctl get

You can chop off segments of the final command to see the output of each intermediate command. It is contrived so that the outputs can be used as inputs for the next pipeline step. hoarctl either returns JSON references or raw bytes depending on the command. You may find the excellent jq useful for working with single-line JSON files on the command line.

Config

Using the filesystem storage backend as an example (generated with hoard init -o- fs) you can configure Hoard with a file like:

# The listen address, also supported is "unix:///tmp/hoard.socket" for a unix domain socket
ListenAddress = "tcp://localhost:53431"

[Storage]
  StorageType = "filesystem"
  # One of: base64, base32, or hex (base 16)
  AddressEncoding = "base64"
  RootDirectory = "/home/user/.local/share/hoard"

[Logging]
  LoggingType = "logfmt"
  # Removing "trace" from this array will reduce log output
  Channels = ["info", "trace"]

The default directory is $HOME/.config/hoard.toml or you can pass the file with hoard -c.

Specification

See hoard.proto for the protobuf3 definition of the API. Hoard uses GRPC for its API for which there is a wide range of client libraries available. You should be able to set up a client in any GRPC supported language with relative ease. Also see hoarctl <CMD> -h for full help on each sub-command.

For more information on the design of Hoard please checkout our documentation.

Building

To build Hoard you will need to have the following installed:

Then, from the project root run:

# Install protobuf GRPC plugin, glide, and glide dependencies
make protobuf_deps
# Run checks, tests, and build binaries
make build && make install

Javascript Client

A Javascript client library can be found here: hoard-js.

Hoard-js is a fairly lightweight wrapper around the Hoard GRPC API. It mainly serves to abstract over the dynamic protobuf library and the static protobuf generation.

Usage

First we need to have Hoard running. For development purposes this can be accomplished by:

go get github.com/monax/hoard/cmd/hoard 
# Run Hoard with logging
hoard --logging

Hoard will run with an in-memory store by default that will be discarded when it is shutdown, but will expose the same interface as when using remote storage backends.

To interact with Hoard from Node see example.js for a self-contained example of how to use every method of the API. To run use:

# Get dependencies
npm install
# Run example
node example.js

Documentation

Index

Constants

View Source 
const MaxChunkSize = 1 << 20

1MiB

Variables

This section is empty.

Functions

func GetDocument 

func GetDocument(gs GrantService, grant *grant.Grant) (*meta.Document, []byte, error)

GetDocument retrieves a document from hoard and parses it into a document struct. NOTE: if this schema changes hoard will break.

func PutDocument 

func PutDocument(gs GrantService, pgsm *api.PlaintextAndGrantSpecAndMeta) (*grant.Grant, error)

PostDocument is given a document struct which is then parsed into a document object which matches the encoding system established. NOTE: if this schema changes hoard will break.

This function puts and seals the document into hoard's store and returns back the grant which is given from hoard.

func ReceiveCiphertext 

func ReceiveCiphertext(srv CiphertextReceiver) ([]byte, error)

func ReceiveDocument 

func ReceiveDocument(srv DocumentReceiver) (*meta.Document, error)

func ReceiveDocumentAndGrantSpec 

func ReceiveDocumentAndGrantSpec(srv DocumentAndGrantReceiver) (*api.PlaintextAndGrantSpecAndMeta, error)

func ReceivePlaintext 

func ReceivePlaintext(srv PlaintextReceiver) (*api.Plaintext, error)

func ReceivePlaintextAndGrantSpec 

func ReceivePlaintextAndGrantSpec(srv PlaintextAndGrantSpecReceiver) (*api.PlaintextAndGrantSpec, error)

Receive chunks of plaintext and spec and aggregate into complete objects

func SendCiphertext 

func SendCiphertext(srv CiphertextSender, data []byte, chunkSize int) error

func SendDocument 

func SendDocument(srv DocumentSender, doc *meta.Document, salt []byte, chunkSize int) error

func SendDocumentAndGrantSpec 

func SendDocumentAndGrantSpec(srv DocumentAndGrantSender, doc *meta.Document, salt []byte, spec *grant.Spec, chunkSize int) error

func SendPlaintext 

func SendPlaintext(srv PlaintextSender, data, salt []byte, chunkSize int) error

func SendPlaintextAndGrantSpec 

func SendPlaintextAndGrantSpec(srv PlaintextAndGrantSpecSender, pgs *api.PlaintextAndGrantSpec, chunkSize int) error

Send some plaintext and spec to a service in chunks

Types

type CiphertextReceiver 

type CiphertextReceiver interface {
	Recv() (*api.Ciphertext, error)
}

type CiphertextSender 

type CiphertextSender interface {
	Send(*api.Ciphertext) error
}

type DocumentAndGrantReceiver 

type DocumentAndGrantReceiver interface {
	Recv() (*api.PlaintextAndGrantSpecAndMeta, error)
}

type DocumentAndGrantSender 

type DocumentAndGrantSender interface {
	Send(*api.PlaintextAndGrantSpecAndMeta) error
}

type DocumentReceiver 

type DocumentReceiver interface {
	Recv() (*api.PlaintextAndMeta, error)
}

type DocumentSender 

type DocumentSender interface {
	Send(*api.PlaintextAndMeta) error
}

type EncryptionService 

type EncryptionService interface {
	// Encrypt data and return it along with reference
	Encrypt(data, salt []byte) (ref *reference.Ref, encryptedData []byte, err error)
	// Encrypt data and return it along with reference
	Decrypt(ref *reference.Ref, encryptedData []byte) (data []byte, err error)
}

type GrantService 

type GrantService interface {
	ObjectService
	// Seal a reference by encrypting it according to a grant spec
	Seal(ref *reference.Ref, spec *grant.Spec) (*grant.Grant, error)
	// Unseal a grant by decrypting it and returning the reference
	Unseal(grt *grant.Grant) (*reference.Ref, error)
}

type Hoard 

type Hoard struct {
	// contains filtered or unexported fields
}

This is our top level API object providing library acting as a deterministic encrypted store and a grant issuer. It can be consumed as a Go library or as a GRPC service through grpcService which just plumbs this object into the hoard.proto interface.

func NewHoard 

func NewHoard(store stores.NamedStore, secrets config.SecretsManager, logger log.Logger) *Hoard

func (*Hoard) Decrypt 

func (hrd *Hoard) Decrypt(ref *reference.Ref, encryptedData []byte) ([]byte, error)

Decrypt data using reference

func (*Hoard) Delete 

func (hrd *Hoard) Delete(address []byte) error

func (*Hoard) Encrypt 

func (hrd *Hoard) Encrypt(data, salt []byte) (*reference.Ref, []byte, error)

Encrypt data and get reference

func (*Hoard) Get 

func (hrd *Hoard) Get(ref *reference.Ref) ([]byte, error)

Gets encrypted blob

func (*Hoard) Name 

func (hrd *Hoard) Name() string

func (*Hoard) Put 

func (hrd *Hoard) Put(data, salt []byte) (*reference.Ref, error)

Encrypts data and storage it in underlying store and returns the address

func (*Hoard) Seal 

func (hrd *Hoard) Seal(ref *reference.Ref, spec *grant.Spec) (*grant.Grant, error)

func (*Hoard) Store 

func (hrd *Hoard) Store() stores.ContentAddressedStore

func (*Hoard) Unseal 

func (hrd *Hoard) Unseal(grt *grant.Grant) (*reference.Ref, error)

type ObjectService 

type ObjectService interface {
	EncryptionService
	// Get encrypted data from underlying storage at address and decrypt it
	Get(ref *reference.Ref) (data []byte, err error)
	// Encrypt data and put it in underlying storage
	Put(data, salt []byte) (*reference.Ref, error)
	// Delete underlying data obtained by address
	Delete(address []byte) error
	// Get the underlying ContentAddressedStore
	Store() stores.ContentAddressedStore
}

type PlaintextAndGrantSpecReceiver 

type PlaintextAndGrantSpecReceiver interface {
	Recv() (*api.PlaintextAndGrantSpec, error)
}

type PlaintextAndGrantSpecSender 

type PlaintextAndGrantSpecSender interface {
	Send(*api.PlaintextAndGrantSpec) error
}

type PlaintextReceiver 

type PlaintextReceiver interface {
	Recv() (*api.Plaintext, error)
}

type PlaintextSender 

type PlaintextSender interface {
	Send(*api.Plaintext) error
}

type Service 

type Service struct {
	// contains filtered or unexported fields
}

Here we implement the GRPC Hoard service. It should mostly be plumbing to a DeterministicEncryptedStore (for which hoard.hoard is the canonical example) and also to Grants.

func NewService 

func NewService(grantService GrantService, chunkSize int) *Service

func (*Service) Decrypt 

func (service *Service) Decrypt(refAndCiphertext *api.ReferenceAndCiphertext, srv api.Encryption_DecryptServer) error

func (*Service) Delete 

func (service *Service) Delete(ctx context.Context, address *api.Address) (*api.Address, error)

func (*Service) Download 

func (service *Service) Download(grt *grant.Grant, srv api.Document_DownloadServer) error

func (*Service) Encrypt 

func (service *Service) Encrypt(srv api.Encryption_EncryptServer) error

func (*Service) Get 

func (service *Service) Get(ref *reference.Ref, srv api.Cleartext_GetServer) error

func (*Service) Pull 

func (service *Service) Pull(address *api.Address, srv api.Storage_PullServer) error

func (*Service) Push 

func (service *Service) Push(srv api.Storage_PushServer) error

StorageServer

func (*Service) Put 

func (service *Service) Put(srv api.Cleartext_PutServer) error

func (*Service) PutSeal 

func (service *Service) PutSeal(srv api.Grant_PutSealServer) error

func (*Service) Reseal 

func (service *Service) Reseal(ctx context.Context, arg *api.GrantAndGrantSpec) (*grant.Grant, error)

func (*Service) Seal 

func (service *Service) Seal(ctx context.Context, arg *api.ReferenceAndGrantSpec) (*grant.Grant, error)

func (*Service) Stat 

func (service *Service) Stat(ctx context.Context, address *api.Address) (*stores.StatInfo, error)

func (*Service) Unseal 

func (service *Service) Unseal(ctx context.Context, grt *grant.Grant) (*reference.Ref, error)

func (*Service) UnsealDelete 

func (service *Service) UnsealDelete(ctx context.Context, grt *grant.Grant) (*api.Address, error)

func (*Service) UnsealGet 

func (service *Service) UnsealGet(grt *grant.Grant, srv api.Grant_UnsealGetServer) error

func (*Service) Upload 

func (service *Service) Upload(srv api.Document_UploadServer) error

Source Files

View all Source files

Directories

Path Synopsis
cmd
hoarctl
hoard
loggers
structure
cmd/changelog
cmd/notes
cmd/version
Contains core types and logic pertaining to Hoard's backend storage services - but not the implementations of those stores to avoid a large number of possibly unwanted dependencies
 Contains core types and logic pertaining to Hoard's backend storage services - but not the implementations of those stores to avoid a large number of possibly unwanted dependencies
cloud
ipfs
test
helpers

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.