server

package
v0.16.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 17, 2024 License: Apache-2.0 Imports: 28 Imported by: 14

Documentation

Index

Constants

View Source
const (
	ComponentRevocation      = "revocation"
	ComponentSession         = "session"
	ComponentFrontendSession = "frontendsession"
	ComponentStatic          = "static"
)
View Source
const (
	ReadTimeout  = 2 * time.Second
	WriteTimeout = 2 * ReadTimeout
)

Variables

View Source
var (
	ErrorUserNotRegistered = Error{Type: "USER_NOT_REGISTERED", Status: 403, Description: "User is not yet fully registered"}
	ErrorInvalidJWT        = Error{Type: "UNAUTHORIZED", Status: 403, Description: "Invalid or expired jwt provided"}
	ErrorInvalidEmail      = Error{Type: "INVALID_EMAIL", Status: 400, Description: "Invalid email address"}
	ErrorTooManyRequests   = Error{Type: "TOO_MANY_REQUESTS", Status: 429, Description: "Too many requests"}
)

Keyshare errors

View Source
var PostSizeLimit int64 = 10 << 20 // 10 MB

Functions

func BinaryResponse added in v0.5.0

func BinaryResponse(v interface{}, err *irma.RemoteError) (int, []byte)

func DoResultCallback added in v0.5.0

func DoResultCallback(callbackUrl string, result *SessionResult, issuer string, validity int, privatekey *rsa.PrivateKey)

func FilterStopError added in v0.8.0

func FilterStopError(err error) error

func GocronPanicHandler added in v0.11.0

func GocronPanicHandler(logger *logrus.Logger) gocron.PanicHandlerFunc

func JsonResponse

func JsonResponse(v interface{}, err *irma.RemoteError) (int, []byte)

JsonResponse JSON-marshals the specified object or error and returns it along with a suitable HTTP status code

func LocalIP

func LocalIP() (string, error)

LocalIP returns the IP address of one of the (non-loopback) network interfaces

func LogError

func LogError(err error, msg ...string) error

func LogFatal

func LogFatal(err error, msg ...string) error

func LogMiddleware added in v0.5.0

func LogMiddleware(typ string, opts LogOptions) func(next http.Handler) http.Handler

LogMiddleware is middleware for logging HTTP requests and responses.

func LogRequest added in v0.3.0

func LogRequest(typ, proto, method, url, from string, headers http.Header, message []byte)

func LogResponse added in v0.3.0

func LogResponse(url string, status int, duration time.Duration, binary bool, response []byte)

func LogWarning

func LogWarning(err error, msg ...string) error

func NewLogger

func NewLogger(verbosity int, quiet bool, json bool) *logrus.Logger

func ParseBody added in v0.8.0

func ParseBody(r *http.Request, input interface{}) error

func ParseSessionRequest

func ParseSessionRequest(request interface{}) (irma.RequestorRequest, error)

ParseSessionRequest attempts to parse the input as an irma.RequestorRequest instance, accepting (skipping "irma.")

  • RequestorRequest instances directly (ServiceProviderRequest, SignatureRequestorRequest, IdentityProviderRequest)
  • SessionRequest instances (DisclosureRequest, SignatureRequest, IssuanceRequest)
  • JSON representations ([]byte or string) of any of the above.

func RecoverMiddleware added in v0.11.0

func RecoverMiddleware(next http.Handler) http.Handler

RecoverMiddleware is middleware that logs and returns a 500 error if something unhandled (panic) occurs

func RemoteError

func RemoteError(err Error, message string) *irma.RemoteError

RemoteError converts an error and an explaining message to an *irma.RemoteError.

func ReplacePortString added in v0.8.0

func ReplacePortString(url string, port int) string

ReplacePortString is a helper that returns a copy of the specified url of the form "http(s)://...:port" with "port" replaced by the specified port.

func ResultJwt added in v0.5.0

func ResultJwt(sessionresult *SessionResult, issuer string, validity int, privatekey *rsa.PrivateKey) (string, error)

func SizeLimitMiddleware added in v0.5.0

func SizeLimitMiddleware(next http.Handler) http.Handler

func TLSConf added in v0.8.0

func TLSConf(cert, certfile, key, keyfile string) (*tls.Config, error)

func TimeoutMiddleware added in v0.5.0

func TimeoutMiddleware(except []string, timeout time.Duration) func(http.Handler) http.Handler

func ToJson

func ToJson(o interface{}) string

func TypeString

func TypeString(x interface{}) string

func Verbosity

func Verbosity(level int) logrus.Level

func WriteBinaryResponse added in v0.5.0

func WriteBinaryResponse(w http.ResponseWriter, object interface{}, rerr *irma.RemoteError)

func WriteError

func WriteError(w http.ResponseWriter, err Error, msg string)

WriteError writes the specified error and explaining message as JSON to the http.ResponseWriter.

func WriteJson

func WriteJson(w http.ResponseWriter, object interface{})

WriteJson writes the specified object as JSON to the http.ResponseWriter.

func WriteResponse

func WriteResponse(w http.ResponseWriter, object interface{}, rerr *irma.RemoteError)

WriteResponse writes the specified object or error as JSON to the http.ResponseWriter.

func WriteString

func WriteString(w http.ResponseWriter, str string)

WriteString writes the specified string to the http.ResponseWriter.

Types

type Configuration

type Configuration struct {
	// irma_configuration. If not given, this will be popupated using SchemesPath.
	IrmaConfiguration *irma.Configuration `json:"-"`
	// Path to IRMA schemes to parse into IrmaConfiguration (only used if IrmaConfiguration == nil).
	// If left empty, default value is taken using DefaultSchemesPath().
	// If an empty folder is specified, default schemes (irma-demo and pbdf) are downloaded into it.
	SchemesPath string `json:"schemes_path" mapstructure:"schemes_path"`
	// If specified, schemes found here are copied into SchemesPath (only used if IrmaConfiguration == nil)
	SchemesAssetsPath string `json:"schemes_assets_path" mapstructure:"schemes_assets_path"`
	// Disable scheme updating
	DisableSchemesUpdate bool `json:"disable_schemes_update" mapstructure:"disable_schemes_update"`
	// Update all schemes every x minutes (default value 0 means 60) (use DisableSchemesUpdate to disable)
	SchemesUpdateInterval int `json:"schemes_update" mapstructure:"schemes_update"`
	// Path to issuer private keys to parse
	IssuerPrivateKeysPath string `json:"privkeys" mapstructure:"privkeys"`
	// URL at which the IRMA app can reach this server during sessions
	URL string `json:"url" mapstructure:"url"`
	// Required to be set to true if URL does not begin with https:// in production mode.
	// In this case, the server would communicate with IRMA apps over plain HTTP. You must otherwise
	// ensure (using eg a reverse proxy with TLS enabled) that the attributes are protected in transit.
	DisableTLS bool `json:"disable_tls" mapstructure:"disable_tls"`
	// (Optional) email address of server admin, for incidental notifications such as breaking API changes
	// See https://github.com/privacybydesign/irmago/tree/master/server#specifying-an-email-address
	// for more information
	Email string `json:"email" mapstructure:"email"`
	// Enable server sent events for status updates (experimental; tends to hang when a reverse proxy is used)
	EnableSSE bool `json:"enable_sse" mapstructure:"enable_sse"`
	// StoreType in which session data will be stored.
	// If left empty, session data will be stored in memory by default.
	StoreType string `json:"store_type" mapstructure:"store_type"`
	// RedisSettings that need to be specified when Redis is used as session data store.
	RedisSettings *RedisSettings `json:"redis_settings" mapstructure:"redis_settings"`

	// Static session requests that can be created by POST /session/{name}
	StaticSessions map[string]interface{} `json:"static_sessions"`
	// Static session requests after parsing
	StaticSessionRequests map[string]irma.RequestorRequest `json:"-"`

	// Maximum duration of a session once a client connects in minutes (default value 0 means 15)
	MaxSessionLifetime int `json:"max_session_lifetime" mapstructure:"max_session_lifetime"`
	// Determines how long a session result is preserved in minutes (default value 0 means 5)
	SessionResultLifetime int `json:"session_result_lifetime" mapstructure:"session_result_lifetime"`

	// Used in the "iss" field of result JWTs from /result-jwt and /getproof
	JwtIssuer string `json:"jwt_issuer" mapstructure:"jwt_issuer"`
	// Private key to sign result JWTs with. If absent, /result-jwt and /getproof are disabled.
	JwtPrivateKey     string `json:"jwt_privkey" mapstructure:"jwt_privkey"`
	JwtPrivateKeyFile string `json:"jwt_privkey_file" mapstructure:"jwt_privkey_file"`
	// Parsed JWT private key
	JwtRSAPrivateKey *rsa.PrivateKey `json:"-"`
	// Whether to allow callbackUrl to be set in session requests when no JWT privatekey is installed
	// (which is potentially unsafe depending on the setup)
	AllowUnsignedCallbacks bool `json:"allow_unsigned_callbacks" mapstructure:"allow_unsigned_callbacks"`
	// Whether to augment the clientreturnurl with the server token of the request (this allows for stateless
	// requestor servers more easily)
	AugmentClientReturnURL bool `json:"augment_client_return_url" mapstructure:"augment_client_return_url"`

	// Logging verbosity level: 0 is normal, 1 includes DEBUG level, 2 includes TRACE level
	Verbose int `json:"verbose" mapstructure:"verbose"`
	// Don't log anything at all
	Quiet bool `json:"quiet" mapstructure:"quiet"`
	// Output structured log in JSON format
	LogJSON bool `json:"log_json" mapstructure:"log_json"`
	// Custom logger instance. If specified, Verbose, Quiet and LogJSON are ignored.
	Logger *logrus.Logger `json:"-"`

	// Connection string for revocation database
	RevocationDBConnStr string `json:"revocation_db_str" mapstructure:"revocation_db_str"`
	// Database type for revocation database, supported: postgres, mysql
	RevocationDBType string `json:"revocation_db_type" mapstructure:"revocation_db_type"`
	// Credentials types for which revocation database should be hosted
	RevocationSettings irma.RevocationSettings `json:"revocation_settings" mapstructure:"revocation_settings"`

	// Production mode: enables safer and stricter defaults and config checking
	Production bool `json:"production" mapstructure:"production"`
	// contains filtered or unexported fields
}

Configuration contains configuration for the irmaserver library and irmad.

func (*Configuration) Check added in v0.5.0

func (conf *Configuration) Check() error

Check ensures that the Configuration is loaded, usable and free of errors.

func (*Configuration) HavePrivateKeys

func (conf *Configuration) HavePrivateKeys() bool

func (*Configuration) RedisClient added in v0.15.0

func (conf *Configuration) RedisClient() (*RedisClient, error)

RedisClient returns the Redis client using the settings from the configuration.

type Error

type Error struct {
	Type        ErrorType `json:"error"`
	Status      int       `json:"status"`
	Description string    `json:"description"`
}

Error represents an error that occurred during an IRMA sessions.

var (
	ErrorInvalidTimestamp          Error = Error{Type: "INVALID_TIMESTAMP", Status: 400, Description: "Timestamp was not an epoch boundary"}
	ErrorIssuingDisabled           Error = Error{Type: "ISSUING_DISABLED", Status: 403, Description: "This server does not support issuing"}
	ErrorMalformedVerifierRequest  Error = Error{Type: "MALFORMED_VERIFIER_REQUEST", Status: 400, Description: "Malformed verification request"}
	ErrorMalformedSignatureRequest Error = Error{Type: "MALFORMED_SIGNATURE_REQUEST", Status: 400, Description: "Malformed signature request"}
	ErrorMalformedIssuerRequest    Error = Error{Type: "MALFORMED_ISSUER_REQUEST", Status: 400, Description: "Malformed issuer request"}
	ErrorUnauthorized              Error = Error{Type: "UNAUTHORIZED", Status: 403, Description: "You are not authorized to issue or verify this attribute"}
	ErrorAttributesWrong           Error = Error{Type: "ATTRIBUTES_WRONG", Status: 400, Description: "Specified attribute(s) do not belong to this credential type or missing attributes"}
	ErrorCannotIssue               Error = Error{Type: "CANNOT_ISSUE", Status: 500, Description: "Cannot issue this credential"}

	ErrorIrmaUnauthorized     Error = Error{Type: "UNAUTHORIZED", Status: 403, Description: "You are not authorized to access the session"}
	ErrorPairingRequired      Error = Error{Type: "PAIRING_REQUIRED", Status: 403, Description: "Pairing is required first"}
	ErrorIssuanceFailed       Error = Error{Type: "ISSUANCE_FAILED", Status: 500, Description: "Failed to create credential(s)"}
	ErrorInvalidProofs        Error = Error{Type: "INVALID_PROOFS", Status: 400, Description: "Invalid secret key commitments and/or disclosure proofs"}
	ErrorAttributesMissing    Error = Error{Type: "ATTRIBUTES_MISSING", Status: 400, Description: "Not all requested-for attributes were present"}
	ErrorAttributesExpired    Error = Error{Type: "ATTRIBUTES_EXPIRED", Status: 400, Description: "Disclosed attributes were expired"}
	ErrorUnexpectedRequest    Error = Error{Type: "UNEXPECTED_REQUEST", Status: 403, Description: "Unexpected request in this state"}
	ErrorUnknownPublicKey     Error = Error{Type: "UNKNOWN_PUBLIC_KEY", Status: 403, Description: "Attributes were not valid against a known public key"}
	ErrorKeyshareProofMissing Error = Error{Type: "KEYSHARE_PROOF_MISSING", Status: 403, Description: "ProofP object from a keyshare server missing"}
	ErrorSessionUnknown       Error = Error{Type: "SESSION_UNKNOWN", Status: 400, Description: "Unknown or expired session"}
	ErrorMalformedInput       Error = Error{Type: "MALFORMED_INPUT", Status: 400, Description: "Input could not be parsed"}
	ErrorUnknown              Error = Error{Type: "EXCEPTION", Status: 500, Description: "Encountered unexpected problem"}
	ErrorNextSession          Error = Error{Type: "NEXT_SESSION", Status: 500, Description: "Error starting next session"}
	ErrorRevocation           Error = Error{Type: "REVOCATION", Status: 500, Description: "Revocation error"}
	ErrorUnknownRevocationKey Error = Error{Type: "UNKNOWN_REVOCATION_KEY", Status: 404, Description: "No issuance records correspond to the given revocationKey"}

	ErrorUnsupported     Error = Error{Type: "UNSUPPORTED", Status: 501, Description: "Unsupported by this server"}
	ErrorInvalidRequest  Error = Error{Type: "INVALID_REQUEST", Status: 400, Description: "Invalid HTTP request"}
	ErrorProtocolVersion Error = Error{Type: "PROTOCOL_VERSION", Status: 400, Description: "Protocol version negotiation failed"}
	ErrorInvalidToken    Error = Error{Type: "INVALID_TOKEN", Status: 403, Description: "Provided token is unknown or invalid"}
	ErrorInternal        Error = Error{Type: "INTERNAL_ERROR", Status: 500, Description: "Internal server error"}
	ErrorRevalidateEmail Error = Error{Type: "REVALIDATE_EMAIL", Status: 500, Description: "Invalid email address is scheduled for revalidation"}
)

General errors

type ErrorType

type ErrorType string

type HTTPResponseRecorder added in v0.15.0

type HTTPResponseRecorder struct {
	Flushed bool
	// contains filtered or unexported fields
}

func NewHTTPResponseRecorder added in v0.15.0

func NewHTTPResponseRecorder(w http.ResponseWriter) *HTTPResponseRecorder

func (*HTTPResponseRecorder) Flush added in v0.15.0

func (r *HTTPResponseRecorder) Flush()

Flush implements http.Flusher.

func (*HTTPResponseRecorder) Header added in v0.15.0

func (r *HTTPResponseRecorder) Header() http.Header

Header implements http.ResponseWriter

func (*HTTPResponseRecorder) Write added in v0.15.0

func (r *HTTPResponseRecorder) Write(b []byte) (int, error)

Write implements http.ResponseWriter

func (*HTTPResponseRecorder) WriteHeader added in v0.15.0

func (r *HTTPResponseRecorder) WriteHeader(statusCode int)

WriteHeader implements http.ResponseWriter

type LegacySessionResult added in v0.3.1

type LegacySessionResult struct {
	Token       irma.RequestorToken        `json:"token"`
	Status      irma.ServerStatus          `json:"status"`
	Type        irma.Action                `json:"type"`
	ProofStatus irma.ProofStatus           `json:"proofStatus,omitempty"`
	Disclosed   []*irma.DisclosedAttribute `json:"disclosed,omitempty"`
	Signature   *irma.SignedMessage        `json:"signature,omitempty"`
	Err         *irma.RemoteError          `json:"error,omitempty"`
}

LegacySessionResult is a pre-condiscon version of SessionResult. Remove this when dropping support for legacy pre-condiscon session requests.

type LogOptions added in v0.5.0

type LogOptions struct {
	Response, Headers, From, EncodeBinary bool
}

type RedisClient added in v0.15.0

type RedisClient struct {
	*redis.Client
	FailoverMode bool
	KeyPrefix    string
}

type RedisSettings added in v0.9.0

type RedisSettings struct {
	Addr                    string   `json:"address,omitempty" mapstructure:"address"`
	SentinelAddrs           []string `json:"sentinel_addresses,omitempty" mapstructure:"sentinel_addresses"`
	SentinelMasterName      string   `json:"sentinel_master_name,omitempty" mapstructure:"sentinel_master_name"`
	AcceptInconsistencyRisk bool     `json:"accept_inconsistency_risk,omitempty" mapstructure:"accept_inconsistency_risk"`

	// Username for Redis authentication. If username is empty, the default user is used.
	Username string `json:"username,omitempty" mapstructure:"username"`
	// Password for Redis authentication.
	Password string `json:"password,omitempty" mapstructure:"password"`
	// ACLUseKeyPrefixes ensures all Redis keys are prefixed with the username in the format "username:key".
	// This can be used for key permissions in the Redis ACL system. If ACLUseKeyPrefixes is false, no prefix is used.
	ACLUseKeyPrefixes bool `json:"acl_use_key_prefixes,omitempty" mapstructure:"acl_use_key_prefixes"`

	// SentinelUsername for Redis Sentinel authentication. If sentinel_username is empty, the default user is used.
	SentinelUsername string `json:"sentinel_username,omitempty" mapstructure:"sentinel_username"`
	// SentinelPassword for Redis Sentinel authentication.
	SentinelPassword string `json:"sentinel_password,omitempty" mapstructure:"sentinel_password"`

	DB int `json:"db,omitempty" mapstructure:"db"`

	TLSCertificate           string `json:"tls_cert,omitempty" mapstructure:"tls_cert"`
	TLSCertificateFile       string `json:"tls_cert_file,omitempty" mapstructure:"tls_cert_file"`
	TLSClientCertificateFile string `json:"tls_client_cert_file,omitempty" mapstructure:"tls_client_cert_file"`
	TLSClientKeyFile         string `json:"tls_client_key_file,omitempty" mapstructure:"tls_client_key_file"`
	DisableTLS               bool   `json:"no_tls,omitempty" mapstructure:"no_tls"`
}

type SessionHandler added in v0.5.0

type SessionHandler func(*SessionResult)

SessionHandler is a function that can handle a session result once an IRMA session has completed.

type SessionPackage

type SessionPackage struct {
	SessionPtr      *irma.Qr                     `json:"sessionPtr"`
	Token           irma.RequestorToken          `json:"token,omitempty"`
	FrontendRequest *irma.FrontendSessionRequest `json:"frontendRequest"`
}

type SessionResult

type SessionResult struct {
	Token       irma.RequestorToken          `json:"token"`
	Status      irma.ServerStatus            `json:"status"`
	Type        irma.Action                  `json:"type"`
	ProofStatus irma.ProofStatus             `json:"proofStatus,omitempty"`
	Disclosed   [][]*irma.DisclosedAttribute `json:"disclosed,omitempty"`
	Signature   *irma.SignedMessage          `json:"signature,omitempty"`
	Err         *irma.RemoteError            `json:"error,omitempty"`
	NextSession irma.RequestorToken          `json:"nextSession,omitempty"`

	LegacySession bool `json:"-"` // true if request was started with legacy (i.e. pre-condiscon) session request
}

SessionResult contains session information such as the session status, type, possible errors, and disclosed attributes or attribute-based signature if appropriate to the session type.

func (*SessionResult) Legacy added in v0.3.0

func (r *SessionResult) Legacy() *LegacySessionResult

Legacy returns a pre-condiscon version of this SessionResult. Remove this when dropping support for legacy pre-condiscon session requests.

Directories

Path Synopsis
Required to be main when building a shared library
Required to be main when building a shared library
Package irmaserver is a library that allows IRMA verifiers, issuers or attribute-based signature applications to perform IRMA sessions with irmaclient instances (i.e.
Package irmaserver is a library that allows IRMA verifiers, issuers or attribute-based signature applications to perform IRMA sessions with irmaclient instances (i.e.
Package requestorserver is a server allowing IRMA verifiers, issuers or attribute-based signature applications (the requestor) to perform IRMA sessions with irmaclient instances (i.e.
Package requestorserver is a server allowing IRMA verifiers, issuers or attribute-based signature applications (the requestor) to perform IRMA sessions with irmaclient instances (i.e.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL