Documentation ¶
Overview ¶
Package requestorserver is a server allowing IRMA verifiers, issuers or attribute-based signature applications (the requestor) to perform IRMA sessions with irmaclient instances (i.e. the IRMA app). It exposes a RESTful protocol with which the requestor can start and manage the session as well as HTTP endpoints for the irmaclient.
Index ¶
- Constants
- type AuthenticationMethod
- type Authenticator
- type Configuration
- func (conf *Configuration) CanIssue(requestor string, creds []*irma.CredentialRequest) (bool, string)
- func (conf *Configuration) CanRequest(requestor string, request irma.SessionRequest) (bool, string)
- func (conf *Configuration) CanRevoke(requestor string, cred irma.CredentialTypeIdentifier) (bool, string)
- func (conf *Configuration) CanVerifyOrSign(requestor string, action irma.Action, disjunctions irma.AttributeConDisCon) (bool, string)
- type HmacAuthenticator
- func (hauth *HmacAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)
- func (hauth *HmacAuthenticator) AuthenticateSession(headers http.Header, body []byte) (applies bool, request irma.RequestorRequest, requestor string, ...)
- func (hauth *HmacAuthenticator) Initialize(name string, requestor Requestor) error
- type NilAuthenticator
- func (NilAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)
- func (NilAuthenticator) AuthenticateSession(headers http.Header, body []byte) (bool, irma.RequestorRequest, string, *irma.RemoteError)
- func (NilAuthenticator) Initialize(name string, requestor Requestor) error
- type Permissions
- type PresharedKeyAuthenticator
- func (pskauth *PresharedKeyAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)
- func (pskauth *PresharedKeyAuthenticator) AuthenticateSession(headers http.Header, body []byte) (bool, irma.RequestorRequest, string, *irma.RemoteError)
- func (pskauth *PresharedKeyAuthenticator) Initialize(name string, requestor Requestor) error
- type PublicKeyAuthenticator
- func (pkauth *PublicKeyAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)
- func (pkauth *PublicKeyAuthenticator) AuthenticateSession(headers http.Header, body []byte) (bool, irma.RequestorRequest, string, *irma.RemoteError)
- func (pkauth *PublicKeyAuthenticator) Initialize(name string, requestor Requestor) error
- type Requestor
- type Server
Constants ¶
const ( AuthenticationMethodHmac = "hmac" AuthenticationMethodPublicKey = "publickey" AuthenticationMethodToken = "token" AuthenticationMethodNone = "none" )
Currently supported requestor authentication methods
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthenticationMethod ¶
type AuthenticationMethod string
type Authenticator ¶
type Authenticator interface { // Initialize is called once on server startup for each requestor that uses this authentication method. // Used to parse keys or populate caches for later use. Initialize(name string, requestor Requestor) error // AuthenticateSession checks, given the HTTP header and POST body, if the authenticator is known // and allowed to submit session requests. It returns whether or not the current authenticator // is applicable to this sesion requests; the request itself; the name of the requestor; // or an error (which is only non-nil if applies is true; i.e. this authenticator applies but // it was not able to successfully authenticate the request). AuthenticateSession( headers http.Header, body []byte, ) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError) AuthenticateRevocation( headers http.Header, body []byte, ) (applies bool, request *irma.RevocationRequest, requestor string, err *irma.RemoteError) }
Authenticator instances authenticate incoming session requests. Given details of the HTTP post done by the requestor, it is checked whether or not the requestor is known and allowed to submit session requests.
type Configuration ¶
type Configuration struct { *server.Configuration `mapstructure:",squash"` // Disclosing, signing or issuance permissions that apply to all requestors Permissions `mapstructure:",squash"` SkipPrivateKeysCheck bool `json:"skip_private_keys_check" mapstructure:"skip_private_keys_check"` // Whether or not incoming session requests should be authenticated. If false, anyone // can submit session requests. If true, the request is first authenticated against the // server configuration before the server accepts it. DisableRequestorAuthentication bool `json:"no_auth" mapstructure:"no_auth"` // Address to listen at ListenAddress string `json:"listen_addr" mapstructure:"listen_addr"` // Port to listen at Port int `json:"port" mapstructure:"port"` // Route requests via this path, so instead of POST /session, it will // be POST {ApiPrefix}/session. Should start with a "/". ApiPrefix string `json:"api_prefix" mapstructure:"api_prefix"` // TLS configuration TlsCertificate string `json:"tls_cert" mapstructure:"tls_cert"` TlsCertificateFile string `json:"tls_cert_file" mapstructure:"tls_cert_file"` TlsPrivateKey string `json:"tls_privkey" mapstructure:"tls_privkey"` TlsPrivateKeyFile string `json:"tls_privkey_file" mapstructure:"tls_privkey_file"` // If specified, start a separate server for the IRMA app at his port ClientPort int `json:"client_port" mapstructure:"client_port"` // If clientport is specified, the server for the IRMA app listens at this address ClientListenAddress string `json:"client_listen_addr" mapstructure:"client_listen_addr"` // TLS configuration for irmaclient HTTP API ClientTlsCertificate string `json:"client_tls_cert" mapstructure:"client_tls_cert"` ClientTlsCertificateFile string `json:"client_tls_cert_file" mapstructure:"client_tls_cert_file"` ClientTlsPrivateKey string `json:"client_tls_privkey" mapstructure:"client_tls_privkey"` ClientTlsPrivateKeyFile string `json:"client_tls_privkey_file" mapstructure:"client_tls_privkey_file"` // Requestor-specific permission and authentication configuration Requestors map[string]Requestor `json:"requestors"` // Max age in seconds of a session request JWT (using iat field) MaxRequestAge int `json:"max_request_age" mapstructure:"max_request_age"` // Host files under this path as static files (leave empty to disable) StaticPath string `json:"static_path" mapstructure:"static_path"` // Host static files under this URL prefix StaticPrefix string `json:"static_prefix" mapstructure:"static_prefix"` }
func (*Configuration) CanIssue ¶
func (conf *Configuration) CanIssue(requestor string, creds []*irma.CredentialRequest) (bool, string)
CanIssue returns whether or not the specified requestor may issue the specified credentials. (In case of combined issuance/disclosure sessions, this method does not check whether or not the identity provider is allowed to verify the attributes being verified; use CanVerifyOrSign for that).
func (*Configuration) CanRequest ¶ added in v0.14.0
func (conf *Configuration) CanRequest(requestor string, request irma.SessionRequest) (bool, string)
func (*Configuration) CanRevoke ¶ added in v0.5.0
func (conf *Configuration) CanRevoke(requestor string, cred irma.CredentialTypeIdentifier) (bool, string)
func (*Configuration) CanVerifyOrSign ¶
func (conf *Configuration) CanVerifyOrSign(requestor string, action irma.Action, disjunctions irma.AttributeConDisCon) (bool, string)
CanVerifyOrSign returns whether or not the specified requestor may use the selected attributes in any of the supported session types.
type HmacAuthenticator ¶
type HmacAuthenticator struct {
// contains filtered or unexported fields
}
func (*HmacAuthenticator) AuthenticateRevocation ¶ added in v0.5.0
func (*HmacAuthenticator) AuthenticateSession ¶ added in v0.5.0
func (*HmacAuthenticator) Initialize ¶
func (hauth *HmacAuthenticator) Initialize(name string, requestor Requestor) error
type NilAuthenticator ¶
type NilAuthenticator struct{}
func (NilAuthenticator) AuthenticateRevocation ¶ added in v0.5.0
func (NilAuthenticator) AuthenticateSession ¶ added in v0.5.0
func (NilAuthenticator) Initialize ¶
func (NilAuthenticator) Initialize(name string, requestor Requestor) error
type Permissions ¶
type Permissions struct { Disclosing []string `json:"disclose_perms" mapstructure:"disclose_perms"` Signing []string `json:"sign_perms" mapstructure:"sign_perms"` Issuing []string `json:"issue_perms" mapstructure:"issue_perms"` Revoking []string `json:"revoke_perms" mapstructure:"revoke_perms"` Hosts []string `json:"host_perms" mapstructure:"host_perms"` }
Permissions specify which attributes or credential a requestor may verify or issue.
type PresharedKeyAuthenticator ¶
type PresharedKeyAuthenticator struct {
// contains filtered or unexported fields
}
func (*PresharedKeyAuthenticator) AuthenticateRevocation ¶ added in v0.5.0
func (*PresharedKeyAuthenticator) AuthenticateSession ¶ added in v0.5.0
func (*PresharedKeyAuthenticator) Initialize ¶
func (pskauth *PresharedKeyAuthenticator) Initialize(name string, requestor Requestor) error
type PublicKeyAuthenticator ¶
type PublicKeyAuthenticator struct {
// contains filtered or unexported fields
}
func (*PublicKeyAuthenticator) AuthenticateRevocation ¶ added in v0.5.0
func (*PublicKeyAuthenticator) AuthenticateSession ¶ added in v0.5.0
func (*PublicKeyAuthenticator) Initialize ¶
func (pkauth *PublicKeyAuthenticator) Initialize(name string, requestor Requestor) error
type Requestor ¶
type Requestor struct { Permissions `mapstructure:",squash"` AuthenticationMethod AuthenticationMethod `json:"auth_method" mapstructure:"auth_method"` AuthenticationKey string `json:"key" mapstructure:"key"` AuthenticationKeyFile string `json:"key_file" mapstructure:"key_file"` }
Requestor contains all configuration (disclosure or verification permissions and authentication) for a requestor.
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server is a requestor server instance.
func New ¶
func New(config *Configuration) (*Server, error)
func (*Server) ClientHandler ¶
func (*Server) Handler ¶
Handler returns a http.Handler that handles all IRMA requestor messages and IRMA client messages.
func (*Server) Start ¶
func (s *Server) Start(config *Configuration) error
Start the server. If successful then it will not return until Stop() is called.