requestorserver

package
v0.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 28, 2023 License: Apache-2.0 Imports: 20 Imported by: 1

Documentation

Overview

Package requestorserver is a server allowing IRMA verifiers, issuers or attribute-based signature applications (the requestor) to perform IRMA sessions with irmaclient instances (i.e. the IRMA app). It exposes a RESTful protocol with which the requestor can start and manage the session as well as HTTP endpoints for the irmaclient.

Index

Constants

View Source 
const (
	AuthenticationMethodHmac      = "hmac"
	AuthenticationMethodPublicKey = "publickey"
	AuthenticationMethodToken     = "token"
	AuthenticationMethodNone      = "none"
)

Currently supported requestor authentication methods

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthenticationMethod 

type AuthenticationMethod string

type Authenticator 

type Authenticator interface {
	// Initialize is called once on server startup for each requestor that uses this authentication method.
	// Used to parse keys or populate caches for later use.
	Initialize(name string, requestor Requestor) error

	// AuthenticateSession checks, given the HTTP header and POST body, if the authenticator is known
	// and allowed to submit session requests. It returns whether or not the current authenticator
	// is applicable to this sesion requests; the request itself; the name of the requestor;
	// or an error (which is only non-nil if applies is true; i.e. this authenticator applies but
	// it was not able to successfully authenticate the request).
	AuthenticateSession(
		headers http.Header, body []byte,
	) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError)

	AuthenticateRevocation(
		headers http.Header, body []byte,
	) (applies bool, request *irma.RevocationRequest, requestor string, err *irma.RemoteError)
}

Authenticator instances authenticate incoming session requests. Given details of the HTTP post done by the requestor, it is checked whether or not the requestor is known and allowed to submit session requests.

type Configuration 

type Configuration struct {
	*server.Configuration `mapstructure:",squash"`

	// Disclosing, signing or issuance permissions that apply to all requestors
	Permissions          `mapstructure:",squash"`
	SkipPrivateKeysCheck bool `json:"skip_private_keys_check" mapstructure:"skip_private_keys_check"`

	// Whether or not incoming session requests should be authenticated. If false, anyone
	// can submit session requests. If true, the request is first authenticated against the
	// server configuration before the server accepts it.
	DisableRequestorAuthentication bool `json:"no_auth" mapstructure:"no_auth"`

	// Address to listen at
	ListenAddress string `json:"listen_addr" mapstructure:"listen_addr"`
	// Port to listen at
	Port int `json:"port" mapstructure:"port"`
	// Route requests via this path, so instead of POST /session, it will
	// be POST {ApiPrefix}/session.  Should start with a "/".
	ApiPrefix string `json:"api_prefix" mapstructure:"api_prefix"`
	// TLS configuration
	TlsCertificate     string `json:"tls_cert" mapstructure:"tls_cert"`
	TlsCertificateFile string `json:"tls_cert_file" mapstructure:"tls_cert_file"`
	TlsPrivateKey      string `json:"tls_privkey" mapstructure:"tls_privkey"`
	TlsPrivateKeyFile  string `json:"tls_privkey_file" mapstructure:"tls_privkey_file"`

	// If specified, start a separate server for the IRMA app at his port
	ClientPort int `json:"client_port" mapstructure:"client_port"`
	// If clientport is specified, the server for the IRMA app listens at this address
	ClientListenAddress string `json:"client_listen_addr" mapstructure:"client_listen_addr"`
	// TLS configuration for irmaclient HTTP API
	ClientTlsCertificate     string `json:"client_tls_cert" mapstructure:"client_tls_cert"`
	ClientTlsCertificateFile string `json:"client_tls_cert_file" mapstructure:"client_tls_cert_file"`
	ClientTlsPrivateKey      string `json:"client_tls_privkey" mapstructure:"client_tls_privkey"`
	ClientTlsPrivateKeyFile  string `json:"client_tls_privkey_file" mapstructure:"client_tls_privkey_file"`

	// Requestor-specific permission and authentication configuration
	Requestors map[string]Requestor `json:"requestors"`

	// Max age in seconds of a session request JWT (using iat field)
	MaxRequestAge int `json:"max_request_age" mapstructure:"max_request_age"`

	// Host files under this path as static files (leave empty to disable)
	StaticPath string `json:"static_path" mapstructure:"static_path"`
	// Host static files under this URL prefix
	StaticPrefix string `json:"static_prefix" mapstructure:"static_prefix"`
}

func (*Configuration) CanIssue 

func (conf *Configuration) CanIssue(requestor string, creds []*irma.CredentialRequest) (bool, string)

CanIssue returns whether or not the specified requestor may issue the specified credentials. (In case of combined issuance/disclosure sessions, this method does not check whether or not the identity provider is allowed to verify the attributes being verified; use CanVerifyOrSign for that).

func (*Configuration) CanRevoke added in v0.5.0 

func (conf *Configuration) CanRevoke(requestor string, cred irma.CredentialTypeIdentifier) (bool, string)

func (*Configuration) CanVerifyOrSign 

func (conf *Configuration) CanVerifyOrSign(requestor string, action irma.Action, disjunctions irma.AttributeConDisCon) (bool, string)

CanVerifyOrSign returns whether or not the specified requestor may use the selected attributes in any of the supported session types.

type HmacAuthenticator 

type HmacAuthenticator struct {
	// contains filtered or unexported fields
}

func (*HmacAuthenticator) AuthenticateRevocation added in v0.5.0 

func (hauth *HmacAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)

func (*HmacAuthenticator) AuthenticateSession added in v0.5.0 

func (hauth *HmacAuthenticator) AuthenticateSession(
	headers http.Header, body []byte,
) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError)

func (*HmacAuthenticator) Initialize 

func (hauth *HmacAuthenticator) Initialize(name string, requestor Requestor) error

type NilAuthenticator 

type NilAuthenticator struct{}

func (NilAuthenticator) AuthenticateRevocation added in v0.5.0 

func (NilAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)

func (NilAuthenticator) AuthenticateSession added in v0.5.0 

func (NilAuthenticator) AuthenticateSession(
	headers http.Header, body []byte,
) (bool, irma.RequestorRequest, string, *irma.RemoteError)

func (NilAuthenticator) Initialize 

func (NilAuthenticator) Initialize(name string, requestor Requestor) error

type Permissions 

type Permissions struct {
	Disclosing []string `json:"disclose_perms" mapstructure:"disclose_perms"`
	Signing    []string `json:"sign_perms" mapstructure:"sign_perms"`
	Issuing    []string `json:"issue_perms" mapstructure:"issue_perms"`
	Revoking   []string `json:"revoke_perms" mapstructure:"revoke_perms"`
}

Permissions specify which attributes or credential a requestor may verify or issue.

type PresharedKeyAuthenticator 

type PresharedKeyAuthenticator struct {
	// contains filtered or unexported fields
}

func (*PresharedKeyAuthenticator) AuthenticateRevocation added in v0.5.0 

func (pskauth *PresharedKeyAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)

func (*PresharedKeyAuthenticator) AuthenticateSession added in v0.5.0 

func (pskauth *PresharedKeyAuthenticator) AuthenticateSession(
	headers http.Header, body []byte,
) (bool, irma.RequestorRequest, string, *irma.RemoteError)

func (*PresharedKeyAuthenticator) Initialize 

func (pskauth *PresharedKeyAuthenticator) Initialize(name string, requestor Requestor) error

type PublicKeyAuthenticator 

type PublicKeyAuthenticator struct {
	// contains filtered or unexported fields
}

func (*PublicKeyAuthenticator) AuthenticateRevocation added in v0.5.0 

func (pkauth *PublicKeyAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)

func (*PublicKeyAuthenticator) AuthenticateSession added in v0.5.0 

func (pkauth *PublicKeyAuthenticator) AuthenticateSession(
	headers http.Header, body []byte,
) (bool, irma.RequestorRequest, string, *irma.RemoteError)

func (*PublicKeyAuthenticator) Initialize 

func (pkauth *PublicKeyAuthenticator) Initialize(name string, requestor Requestor) error

type Requestor 

type Requestor struct {
	Permissions `mapstructure:",squash"`

	AuthenticationMethod  AuthenticationMethod `json:"auth_method" mapstructure:"auth_method"`
	AuthenticationKey     string               `json:"key" mapstructure:"key"`
	AuthenticationKeyFile string               `json:"key_file" mapstructure:"key_file"`
}

Requestor contains all configuration (disclosure or verification permissions and authentication) for a requestor.

type Server 

type Server struct {
	// contains filtered or unexported fields
}

Server is a requestor server instance.

func New 

func New(config *Configuration) (*Server, error)

func (*Server) ClientHandler 

func (s *Server) ClientHandler() http.Handler

func (*Server) Handler 

func (s *Server) Handler() http.Handler

Handler returns a http.Handler that handles all IRMA requestor messages and IRMA client messages.

func (*Server) Start 

func (s *Server) Start(config *Configuration) error

Start the server. If successful then it will not return until Stop() is called.

func (*Server) StaticFilesHandler 

func (s *Server) StaticFilesHandler() http.Handler

func (*Server) Stop 

func (s *Server) Stop()

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.