security

package
v0.0.0-...-64decf6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 7, 2024 License: Apache-2.0 Imports: 24 Imported by: 22

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// SHA256 func
	SHA256 scram.HashGeneratorFcn = func() hash.Hash { return sha256.New() }
	// SHA512 func
	SHA512 scram.HashGeneratorFcn = func() hash.Hash { return sha512.New() }
)

Functions

func NewServerCredential4Test

func NewServerCredential4Test(cn string) (*CA, *Credential, error)

NewServerCredential4Test return a Credential for testing

func ToTLSConfigWithVerify

func ToTLSConfigWithVerify(
	caPath, certPath, keyPath string, verifyCN []string, mTLS bool,
) (*tls.Config, error)

ToTLSConfigWithVerify constructs a `*tls.Config` from the CA, certification and key paths, and add verify for CN.

If the CA path is empty, returns nil.

func WriteFile

func WriteFile(fileName string, content []byte) (path string, err error)

WriteFile write content to a temp file

Types

type CA

type CA struct {
	Cert  *x509.Certificate
	CAPEM []byte
	// contains filtered or unexported fields
}

CA represents a certificate authority

func NewCA

func NewCA() (*CA, error)

NewCA create a new CA

func (*CA) GenerateCerts

func (ca *CA) GenerateCerts(commonName string) (certPEM, KeyPEM []byte, err error)

GenerateCerts returns the PEM contents of a CA certificate and some certificates and private keys per Common Name in commonNames. thanks to https://shaneutt.com/blog/golang-ca-and-signed-cert-go/.

func (*CA) GetPrivKeyPEM

func (ca *CA) GetPrivKeyPEM() ([]byte, error)

GetPrivKeyPEM returns the PEM contents of the private key.

type Credential

type Credential struct {
	CAPath        string   `toml:"ca-path" json:"ca-path"`
	CertPath      string   `toml:"cert-path" json:"cert-path"`
	KeyPath       string   `toml:"key-path" json:"key-path"`
	CertAllowedCN []string `toml:"cert-allowed-cn" json:"cert-allowed-cn"`

	// MTLS indicates whether use mTLS, by default it will affect all connections,
	// cludings:
	// 1) connections between TiCDC and TiKV
	// 2) connections between TiCDC and PD
	// 3) http server of TiCDC which is used for open API
	// 4) p2p server of TiCDC which is used sending messages between TiCDC nodes
	// Todo: just enable mTLS for 3) and 4) by default
	MTLS bool `toml:"mtls" json:"mtls"`

	ClientUserRequired bool     `toml:"client-user-required" json:"client-user-required"`
	ClientAllowedUser  []string `toml:"client-allowed-user" json:"client-allowed-user"`
}

Credential holds necessary path parameter to build a tls.Config

func (*Credential) AddSelfCommonName

func (s *Credential) AddSelfCommonName() error

AddSelfCommonName add Common Name in certificate that specified by s.CertPath to s.CertAllowedCN

func (*Credential) IsEmpty

func (s *Credential) IsEmpty() bool

IsEmpty checks whether Credential is empty or not.

func (*Credential) IsTLSEnabled

func (s *Credential) IsTLSEnabled() bool

IsTLSEnabled checks whether TLS is enabled or not.

func (*Credential) PDSecurityOption

func (s *Credential) PDSecurityOption() pd.SecurityOption

PDSecurityOption creates a new pd SecurityOption from Security

func (*Credential) Scan

func (s *Credential) Scan(value interface{}) error

Scan implements the sql.Scanner interface

func (*Credential) ToGRPCDialOption

func (s *Credential) ToGRPCDialOption() (grpc.DialOption, error)

ToGRPCDialOption constructs a gRPC dial option.

func (*Credential) ToTLSConfig

func (s *Credential) ToTLSConfig() (*tls.Config, error)

ToTLSConfig generates tls's config from *Security

func (*Credential) ToTLSConfigWithVerify

func (s *Credential) ToTLSConfigWithVerify() (*tls.Config, error)

ToTLSConfigWithVerify generates tls's config from *Security and requires the remote common name to be verified.

func (Credential) Value

func (s Credential) Value() (driver.Value, error)

Value implements the driver.Valuer interface

type GSSAPI

type GSSAPI struct {
	AuthType           GSSAPIAuthType `toml:"sasl-gssapi-auth-type" json:"sasl-gssapi-auth-type"`
	KeyTabPath         string         `toml:"sasl-gssapi-keytab-path" json:"sasl-gssapi-keytab-path"`
	KerberosConfigPath string         `toml:"sasl-gssapi-kerberos-config-path" json:"sasl-gssapi-kerberos-config-path"`
	ServiceName        string         `toml:"sasl-gssapi-service-name" json:"sasl-gssapi-service-name"`
	Username           string         `toml:"sasl-gssapi-user" json:"sasl-gssapi-user"`
	Password           string         `toml:"sasl-gssapi-password" json:"sasl-gssapi-password"`
	Realm              string         `toml:"sasl-gssapi-realm" json:"sasl-gssapi-realm"`
	DisablePAFXFAST    bool           `toml:"sasl-gssapi-disable-pafxfast" json:"sasl-gssapi-disable-pafxfast"`
}

GSSAPI holds necessary path parameter to support sasl-gssapi.

type GSSAPIAuthType

type GSSAPIAuthType int

GSSAPIAuthType defines the type of GSSAPI authentication.

const (
	// UnknownAuth means the auth type is unknown.
	UnknownAuth GSSAPIAuthType = 0
	// UserAuth means the auth type is user.
	UserAuth GSSAPIAuthType = sarama.KRB5_USER_AUTH
	// KeyTabAuth means the auth type is keytab.
	KeyTabAuth GSSAPIAuthType = sarama.KRB5_KEYTAB_AUTH
)

func AuthTypeFromString

func AuthTypeFromString(s string) (GSSAPIAuthType, error)

AuthTypeFromString convent the string to GSSAPIAuthType.

type OAuth2

type OAuth2 struct {
	ClientID     string
	ClientSecret string
	TokenURL     string
	Scopes       []string
	GrantType    string
	Audience     string
}

OAuth2 holds necessary parameters to support sasl-oauth2.

func (*OAuth2) IsEnable

func (o *OAuth2) IsEnable() bool

IsEnable checks whether the OAuth2 is enabled. One of values of ClientID, ClientSecret and TokenURL is not empty means enabled.

func (*OAuth2) SetDefault

func (o *OAuth2) SetDefault()

SetDefault sets the default value of OAuth2.

func (*OAuth2) Validate

func (o *OAuth2) Validate() error

Validate validates the parameters of OAuth2. Some parameters are required, some are optional.

type SASL

type SASL struct {
	SASLUser      string
	SASLPassword  string
	SASLMechanism SASLMechanism
	GSSAPI        GSSAPI
	OAuth2        OAuth2
}

SASL holds necessary path parameter to support sasl-scram

type SASLMechanism

type SASLMechanism string

SASLMechanism defines SASL mechanism.

const (
	// UnknownMechanism means the SASL mechanism is unknown.
	UnknownMechanism SASLMechanism = ""
	// PlainMechanism means the SASL mechanism is plain.
	PlainMechanism SASLMechanism = sarama.SASLTypePlaintext
	// SCRAM256Mechanism means the SASL mechanism is SCRAM-SHA-256.
	SCRAM256Mechanism SASLMechanism = sarama.SASLTypeSCRAMSHA256
	// SCRAM512Mechanism means the SASL mechanism is SCRAM-SHA-512.
	SCRAM512Mechanism SASLMechanism = sarama.SASLTypeSCRAMSHA512
	// GSSAPIMechanism means the SASL mechanism is GSSAPI.
	GSSAPIMechanism SASLMechanism = sarama.SASLTypeGSSAPI
	// OAuthMechanism means the SASL mechanism is OAuth2.
	OAuthMechanism SASLMechanism = sarama.SASLTypeOAuth
)

The mechanisms we currently support.

func SASLMechanismFromString

func SASLMechanismFromString(s string) (SASLMechanism, error)

SASLMechanismFromString converts the string to SASL mechanism.

type XDGSCRAMClient

type XDGSCRAMClient struct {
	*scram.Client
	*scram.ClientConversation
	scram.HashGeneratorFcn
}

XDGSCRAMClient xdg scram client

func (*XDGSCRAMClient) Begin

func (x *XDGSCRAMClient) Begin(userName, password, authzID string) (err error)

Begin xdg scram client Begin

func (*XDGSCRAMClient) Done

func (x *XDGSCRAMClient) Done() bool

Done xdg scram client Done

func (*XDGSCRAMClient) Step

func (x *XDGSCRAMClient) Step(challenge string) (response string, err error)

Step xdg scram client Step

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL