peertracker

package
v1.11.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 23, 2024 License: Apache-2.0 Imports: 17 Imported by: 5

Documentation

Overview

Package peertracker handles attestation security for the SPIFFE Workload API. It does so in part by implementing the `net.Listener` interface and the gRPC credential interface, the functions of which are dependent on the underlying platform. Currently, UNIX domain sockets are supported on Linux, Darwin and the BSDs. Named pipes is supported on Windows.

To accomplish the attestation security required by SPIFFE and SPIRE, this package provides process tracking - namely, exit detection. By using the included listener, `net.Conn`s can be cast back into the *peertracker.Conn type which allows access to caller information and liveness checks. By further utilizing the included gRPC credentials, this information can be extracted directly from the context by dependent handlers.

Consumers that wish to use the included PID information for additional process interrogation should call IsAlive() following its use to ensure that the original caller is still alive and that the PID has not been reused.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrInvalidConnection    = errors.New("invalid connection")
	ErrUnsupportedPlatform  = errors.New("unsupported platform")
	ErrUnsupportedTransport = errors.New("unsupported transport")
)

Functions

func NewCredentials

func NewCredentials() credentials.TransportCredentials

Types

type AuthInfo

type AuthInfo struct {
	Caller  CallerInfo
	Watcher Watcher
}

func AuthInfoFromContext

func AuthInfoFromContext(ctx context.Context) (AuthInfo, bool)

func (AuthInfo) AuthType

func (AuthInfo) AuthType() string

AuthType returns the authentication type and allows us to conform to the gRPC AuthInfo interface

type CallerInfo

type CallerInfo struct {
	Addr net.Addr
	PID  int32
	UID  uint32
	GID  uint32
}

func CallerFromContext

func CallerFromContext(ctx context.Context) (CallerInfo, bool)

func CallerFromNamedPipeConn added in v1.3.0

func CallerFromNamedPipeConn(conn net.Conn) (CallerInfo, error)

func CallerFromUDSConn

func CallerFromUDSConn(conn net.Conn) (CallerInfo, error)

type Conn

type Conn struct {
	net.Conn
	Info AuthInfo
}

func (*Conn) Close

func (c *Conn) Close() error

type Listener

type Listener struct {
	Tracker PeerTracker
	// contains filtered or unexported fields
}

func (*Listener) Accept

func (l *Listener) Accept() (net.Conn, error)

func (*Listener) Addr

func (l *Listener) Addr() net.Addr

func (*Listener) Close

func (l *Listener) Close() error

type ListenerFactory

type ListenerFactory struct {
	Log               logrus.FieldLogger
	NewTracker        func(log logrus.FieldLogger) (PeerTracker, error)
	ListenerFactoryOS // OS specific
}

func (*ListenerFactory) ListenUnix

func (lf *ListenerFactory) ListenUnix(network string, laddr *net.UnixAddr) (*Listener, error)

type ListenerFactoryOS added in v1.3.0

type ListenerFactoryOS struct {
	NewUnixListener func(network string, laddr *net.UnixAddr) (*net.UnixListener, error)
}

type PeerTracker

type PeerTracker interface {
	Close()
	NewWatcher(CallerInfo) (Watcher, error)
}

func NewTracker

func NewTracker(log logrus.FieldLogger) (PeerTracker, error)

NewTracker creates a new platform-specific peer tracker. Close() must be called when done to release associated resources.

type Watcher

type Watcher interface {
	Close()
	IsAlive() error
	PID() int32
}

func WatcherFromContext

func WatcherFromContext(ctx context.Context) (Watcher, bool)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL