peertracker

package
v0.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 4, 2021 License: Apache-2.0 Imports: 11 Imported by: 5

Documentation

Overview

Package peertracker handles attestation security for the SPIFFE Workload API. It does so in part by implementing the `net.Listener` interface and the gRPC credential interface, the functions of which are dependent on the underlying platform. Currently, only UNIX domain sockets on Linux, Darwin, and the BSDs are supported.

To accomplish the attestation security required by SPIFFE and SPIRE, this package provides process tracking - namely, exit detection. By using the included listener, `net.Conn`s can be cast back into the *peertracker.Conn type which allows access to caller information and liveness checks. By further utilizing the included gRPC credentials, this information can be extracted directly from the context by dependent handlers.

Consumers that wish to use the included PID information for additional process interrogation should call IsAlive() following its use to ensure that the original caller is still alive and that the PID has not been reused.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrInvalidConnection    = errors.New("invalid connection")
	ErrUnsupportedPlatform  = errors.New("unsupported platform")
	ErrUnsupportedTransport = errors.New("unsupported transport")
)

Functions

func NewCredentials

func NewCredentials() credentials.TransportCredentials

Types

type AuthInfo

type AuthInfo struct {
	Caller  CallerInfo
	Watcher Watcher
}

func AuthInfoFromContext

func AuthInfoFromContext(ctx context.Context) (AuthInfo, bool)

func (AuthInfo) AuthType

func (AuthInfo) AuthType() string

AuthType returns the authentication type and allows us to conform to the gRPC AuthInfo interface

type CallerInfo

type CallerInfo struct {
	Addr net.Addr
	PID  int32
	UID  uint32
	GID  uint32
}

func CallerFromContext

func CallerFromContext(ctx context.Context) (CallerInfo, bool)

func CallerFromUDSConn

func CallerFromUDSConn(conn net.Conn) (CallerInfo, error)

type Conn

type Conn struct {
	net.Conn
	Info AuthInfo
}

func (*Conn) Close

func (c *Conn) Close() error

type Listener

type Listener struct {
	Tracker PeerTracker
	// contains filtered or unexported fields
}

func (*Listener) Accept

func (l *Listener) Accept() (net.Conn, error)

func (*Listener) Addr

func (l *Listener) Addr() net.Addr

func (*Listener) Close

func (l *Listener) Close() error

type ListenerFactory

type ListenerFactory struct {
	Log             logrus.FieldLogger
	NewTracker      func() (PeerTracker, error)
	NewUnixListener func(network string, laddr *net.UnixAddr) (*net.UnixListener, error)
}

func (*ListenerFactory) ListenUnix

func (lf *ListenerFactory) ListenUnix(network string, laddr *net.UnixAddr) (*Listener, error)

type PeerTracker

type PeerTracker interface {
	Close()
	NewWatcher(CallerInfo) (Watcher, error)
}

func NewTracker

func NewTracker() (PeerTracker, error)

NewTracker creates a new platform-specific peer tracker. Close() must be called when done to release associated resources.

type Watcher

type Watcher interface {
	Close()
	IsAlive() error
	PID() int32
}

func WatcherFromContext

func WatcherFromContext(ctx context.Context) (Watcher, bool)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL