sqlstore

package
v1.11.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 12, 2024 License: Apache-2.0 Imports: 47 Imported by: 2

Documentation

Index

Constants

View Source
const (
	PluginName = "sql"

	// MySQL database type
	MySQL = "mysql"
	// PostgreSQL database type
	PostgreSQL = "postgres"
	// SQLite database type
	SQLite = "sqlite3"

	// MySQL database provided by an AWS service
	AWSMySQL = "aws_mysql"

	// PostgreSQL database type provided by an AWS service
	AWSPostgreSQL = "aws_postgres"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AttestedNode

type AttestedNode struct {
	Model

	SpiffeID        string `gorm:"unique_index"`
	DataType        string
	SerialNumber    string
	ExpiresAt       time.Time `gorm:"index"`
	NewSerialNumber string
	NewExpiresAt    *time.Time
	CanReattest     bool

	Selectors []*NodeSelector
}

AttestedNode holds an attested node (agent)

func (AttestedNode) TableName

func (AttestedNode) TableName() string

TableName gets table name of AttestedNode

type AttestedNodeEvent added in v1.7.2

type AttestedNodeEvent struct {
	Model

	SpiffeID string
}

AttestedNodeEvent holds the SPIFFE ID of nodes that had an event

func (AttestedNodeEvent) TableName added in v1.7.2

func (AttestedNodeEvent) TableName() string

TableName gets table name for AttestedNodeEvent

type Bundle

type Bundle struct {
	Model

	TrustDomain string `gorm:"not null;unique_index"`
	Data        []byte `gorm:"size:16777215"` // make MySQL to use MEDIUMBLOB (max 16MB) - doesn't affect PostgreSQL/SQLite

	FederatedEntries []RegisteredEntry `gorm:"many2many:federated_registration_entries;"`
}

Bundle holds a trust bundle.

type CAJournal added in v1.8.0

type CAJournal struct {
	Model

	// Information about X509 and JWT authorities of a single server.
	Data []byte `gorm:"size:16777215"` // Make MySQL to use MEDIUMBLOB(max 16MB) - doesn't affect PostgreSQL/SQLite

	// ActiveX509AuthorityID is the Subject Key ID of current active X509
	// authority in a server.
	ActiveX509AuthorityID string `gorm:"index:idx_ca_journals_active_x509_authority_id"`

	// ActiveJWTAuthorityID is the JWT key ID (i.e. "kid" claim) of the current
	// active JWT authority in a server.
	ActiveJWTAuthorityID string `gorm:"index:idx_ca_journals_active_jwt_authority_id"`
}

CAJournal holds information about prepared, active, and old X509 and JWT authorities of servers sharing this database. This information helps to manage the rotation of the keys in each server.

type DNSName

type DNSName struct {
	Model

	RegisteredEntryID uint   `gorm:"unique_index:idx_dns_entry"`
	Value             string `gorm:"unique_index:idx_dns_entry"`
}

DNSName holds a DNS for a registration entry

func (DNSName) TableName

func (DNSName) TableName() string

TableName gets table name for DNS entries

type FederatedTrustDomain

type FederatedTrustDomain struct {
	Model

	// TrustDomain is the trust domain name (e.g., "example.org") to federate with.
	TrustDomain string `gorm:"not null;unique_index"`

	// BundleEndpointURL is the URL of the SPIFFE bundle endpoint that provides the trust
	// bundle to federate with.
	BundleEndpointURL string

	// BundleEndpointProfile is the endpoint profile type.
	BundleEndpointProfile string

	// EndpointSPIFFEID specifies the expected SPIFFE ID of the
	// SPIFFE bundle endpoint server when BundleEndpointProfile
	// is "https_spiffe"
	EndpointSPIFFEID string

	// Implicit indicates whether the trust domain automatically federates with
	// all registration entries by default or not.
	Implicit bool
}

FederatedTrustDomain holds federated trust domains. It has the information needed to get updated bundles of the federated trust domain from a SPIFFE bundle endpoint server.

func (FederatedTrustDomain) TableName

func (FederatedTrustDomain) TableName() string

TableName gets table name of FederatedTrustDomain

type JoinToken

type JoinToken struct {
	Model

	Token  string `gorm:"unique_index"`
	Expiry int64
}

JoinToken holds a join token

type Migration

type Migration struct {
	Model

	// Database version
	Version int

	// SPIRE Code versioning
	CodeVersion string
}

Migration holds database schema version number, and the SPIRE Code version number

type Model

type Model struct {
	ID        uint `gorm:"primary_key"`
	CreatedAt time.Time
	UpdatedAt time.Time
}

Model is used as a base for other models. Similar to gorm.Model without `DeletedAt`. We don't want soft-delete support.

type NodeSelector

type NodeSelector struct {
	Model

	SpiffeID string `gorm:"unique_index:idx_node_resolver_map"`
	Type     string `gorm:"unique_index:idx_node_resolver_map"`
	Value    string `gorm:"unique_index:idx_node_resolver_map"`
}

NodeSelector holds a node selector by spiffe ID

func (NodeSelector) TableName

func (NodeSelector) TableName() string

TableName gets table name of NodeSelector

type Plugin

type Plugin struct {
	// contains filtered or unexported fields
}

Plugin is a DataStore plugin implemented via a SQL database

func New

func New(log logrus.FieldLogger) *Plugin

New creates a new sql plugin struct. Configure must be called in order to start the db.

func (*Plugin) AppendBundle

func (ds *Plugin) AppendBundle(ctx context.Context, b *common.Bundle) (bundle *common.Bundle, err error)

AppendBundle append bundle contents to the existing bundle (by trust domain). If no existing one is present, create it.

func (*Plugin) Close added in v1.3.1

func (ds *Plugin) Close() error

func (*Plugin) Configure

func (ds *Plugin) Configure(_ context.Context, hclConfiguration string) error

Configure parses HCL config payload into config struct, opens new DB based on the result, and prunes all orphaned records

func (*Plugin) CountAttestedNodes

func (ds *Plugin) CountAttestedNodes(ctx context.Context, req *datastore.CountAttestedNodesRequest) (count int32, err error)

CountAttestedNodes counts all attested nodes

func (*Plugin) CountBundles

func (ds *Plugin) CountBundles(ctx context.Context) (count int32, err error)

CountBundles can be used to count all existing bundles.

func (*Plugin) CountRegistrationEntries

func (ds *Plugin) CountRegistrationEntries(ctx context.Context, req *datastore.CountRegistrationEntriesRequest) (count int32, err error)

CountRegistrationEntries counts all registrations (pagination available)

func (*Plugin) CreateAttestedNode

func (ds *Plugin) CreateAttestedNode(ctx context.Context, node *common.AttestedNode) (attestedNode *common.AttestedNode, err error)

CreateAttestedNode stores the given attested node

func (*Plugin) CreateAttestedNodeEventForTesting added in v1.10.0

func (ds *Plugin) CreateAttestedNodeEventForTesting(ctx context.Context, event *datastore.AttestedNodeEvent) error

CreateRegistrationEntryEventForTestingForTesting creates an attested node event. Used for unit testing.

func (*Plugin) CreateBundle

func (ds *Plugin) CreateBundle(ctx context.Context, b *common.Bundle) (bundle *common.Bundle, err error)

CreateBundle stores the given bundle

func (*Plugin) CreateFederationRelationship added in v1.1.0

func (ds *Plugin) CreateFederationRelationship(ctx context.Context, fr *datastore.FederationRelationship) (newFr *datastore.FederationRelationship, err error)

CreateFederationRelationship creates a new federation relationship. If the bundle endpoint profile is 'https_spiffe' and the given federation relationship contains a bundle, the current stored bundle is overridden. If no bundle is provided and there is not a previously stored bundle in the datastore, the federation relationship is not created.

func (*Plugin) CreateJoinToken

func (ds *Plugin) CreateJoinToken(ctx context.Context, token *datastore.JoinToken) (err error)

CreateJoinToken takes a Token message and stores it

func (*Plugin) CreateOrReturnRegistrationEntry added in v1.1.0

func (ds *Plugin) CreateOrReturnRegistrationEntry(ctx context.Context,
	entry *common.RegistrationEntry,
) (registrationEntry *common.RegistrationEntry, existing bool, err error)

CreateOrReturnRegistrationEntry stores the given registration entry. If an entry already exists with the same (parentID, spiffeID, selector) tuple, that entry is returned instead.

func (*Plugin) CreateRegistrationEntry

func (ds *Plugin) CreateRegistrationEntry(ctx context.Context,
	entry *common.RegistrationEntry,
) (registrationEntry *common.RegistrationEntry, err error)

CreateRegistrationEntry stores the given registration entry

func (*Plugin) CreateRegistrationEntryEventForTesting added in v1.10.0

func (ds *Plugin) CreateRegistrationEntryEventForTesting(ctx context.Context, event *datastore.RegistrationEntryEvent) error

CreateRegistrationEntryEventForTesting creates a registration entry event. Used for unit testing.

func (*Plugin) DeleteAttestedNode

func (ds *Plugin) DeleteAttestedNode(ctx context.Context, spiffeID string) (attestedNode *common.AttestedNode, err error)

DeleteAttestedNode deletes the given attested node and the associated node selectors.

func (*Plugin) DeleteAttestedNodeEventForTesting added in v1.10.0

func (ds *Plugin) DeleteAttestedNodeEventForTesting(ctx context.Context, eventID uint) error

DeleteAttestedNodeEventForTesting deletes an attested node event by event ID. Used for unit testing.

func (*Plugin) DeleteBundle

func (ds *Plugin) DeleteBundle(ctx context.Context, trustDomainID string, mode datastore.DeleteMode) (err error)

DeleteBundle deletes the bundle with the matching TrustDomain. Any CACert data passed is ignored.

func (*Plugin) DeleteFederationRelationship added in v1.1.0

func (ds *Plugin) DeleteFederationRelationship(ctx context.Context, trustDomain spiffeid.TrustDomain) error

DeleteFederationRelationship deletes the federation relationship to the given trust domain. The associated trust bundle is not deleted.

func (*Plugin) DeleteJoinToken

func (ds *Plugin) DeleteJoinToken(ctx context.Context, token string) (err error)

DeleteJoinToken deletes the given join token

func (*Plugin) DeleteRegistrationEntry

func (ds *Plugin) DeleteRegistrationEntry(ctx context.Context,
	entryID string,
) (registrationEntry *common.RegistrationEntry, err error)

DeleteRegistrationEntry deletes the given registration

func (*Plugin) DeleteRegistrationEntryEventForTesting added in v1.10.0

func (ds *Plugin) DeleteRegistrationEntryEventForTesting(ctx context.Context, eventID uint) error

DeleteRegistrationEntryEventForTesting deletes the given registration entry event. Used for unit testing.

func (*Plugin) FetchAttestedNode

func (ds *Plugin) FetchAttestedNode(ctx context.Context, spiffeID string) (attestedNode *common.AttestedNode, err error)

FetchAttestedNode fetches an existing attested node by SPIFFE ID

func (*Plugin) FetchAttestedNodeEvent added in v1.10.0

func (ds *Plugin) FetchAttestedNodeEvent(ctx context.Context, eventID uint) (event *datastore.AttestedNodeEvent, err error)

FetchAttestedNodeEvent fetches an existing attested node event by event ID

func (*Plugin) FetchBundle

func (ds *Plugin) FetchBundle(ctx context.Context, trustDomainID string) (resp *common.Bundle, err error)

FetchBundle returns the bundle matching the specified Trust Domain.

func (*Plugin) FetchCAJournal added in v1.9.0

func (ds *Plugin) FetchCAJournal(ctx context.Context, activeX509AuthorityID string) (caJournal *datastore.CAJournal, err error)

FetchCAJournal fetches the CA journal that has the given active X509 authority domain. If the CA journal is not found, nil is returned.

func (*Plugin) FetchFederationRelationship added in v1.1.0

func (ds *Plugin) FetchFederationRelationship(ctx context.Context, trustDomain spiffeid.TrustDomain) (fr *datastore.FederationRelationship, err error)

FetchFederationRelationship fetches the federation relationship that matches the given trust domain. If the federation relationship is not found, nil is returned.

func (*Plugin) FetchJoinToken

func (ds *Plugin) FetchJoinToken(ctx context.Context, token string) (resp *datastore.JoinToken, err error)

FetchJoinToken takes a Token message and returns one, populating the fields we have knowledge of

func (*Plugin) FetchRegistrationEntry

func (ds *Plugin) FetchRegistrationEntry(ctx context.Context,
	entryID string,
) (*common.RegistrationEntry, error)

FetchRegistrationEntry fetches an existing registration by entry ID

func (*Plugin) FetchRegistrationEntryEvent added in v1.10.0

func (ds *Plugin) FetchRegistrationEntryEvent(ctx context.Context, eventID uint) (event *datastore.RegistrationEntryEvent, err error)

FetchRegistrationEntryEvent fetches an existing registration entry event by event ID

func (*Plugin) GetNodeSelectors

func (ds *Plugin) GetNodeSelectors(ctx context.Context, spiffeID string,
	dataConsistency datastore.DataConsistency,
) (selectors []*common.Selector, err error)

GetNodeSelectors gets node (agent) selectors by SPIFFE ID

func (*Plugin) ListAttestedNodeEvents added in v1.11.0

ListAttestedNodeEvents lists all attested node events

func (*Plugin) ListAttestedNodes

func (ds *Plugin) ListAttestedNodes(ctx context.Context,
	req *datastore.ListAttestedNodesRequest,
) (resp *datastore.ListAttestedNodesResponse, err error)

ListAttestedNodes lists all attested nodes (pagination available)

func (*Plugin) ListBundles

func (ds *Plugin) ListBundles(ctx context.Context, req *datastore.ListBundlesRequest) (resp *datastore.ListBundlesResponse, err error)

ListBundles can be used to fetch all existing bundles.

func (*Plugin) ListCAJournalsForTesting added in v1.9.0

func (ds *Plugin) ListCAJournalsForTesting(ctx context.Context) (caJournals []*datastore.CAJournal, err error)

ListCAJournalsForTesting returns all the CA journal records, and is meant to be used in tests.

func (*Plugin) ListFederationRelationships added in v1.1.0

ListFederationRelationships can be used to list all existing federation relationships

func (*Plugin) ListNodeSelectors

func (ds *Plugin) ListNodeSelectors(ctx context.Context,
	req *datastore.ListNodeSelectorsRequest,
) (resp *datastore.ListNodeSelectorsResponse, err error)

ListNodeSelectors gets node (agent) selectors by SPIFFE ID

func (*Plugin) ListRegistrationEntries

func (ds *Plugin) ListRegistrationEntries(ctx context.Context,
	req *datastore.ListRegistrationEntriesRequest,
) (resp *datastore.ListRegistrationEntriesResponse, err error)

ListRegistrationEntries lists all registrations (pagination available)

func (*Plugin) ListRegistrationEntryEvents added in v1.11.0

ListRegistrationEntryEvents lists all registration entry events

func (*Plugin) PruneAttestedNodeEvents added in v1.11.0

func (ds *Plugin) PruneAttestedNodeEvents(ctx context.Context, olderThan time.Duration) (err error)

PruneAttestedNodeEvents deletes all attested node events older than a specified duration (i.e. more than 24 hours old)

func (*Plugin) PruneBundle

func (ds *Plugin) PruneBundle(ctx context.Context, trustDomainID string, expiresBefore time.Time) (changed bool, err error)

PruneBundle removes expired certs and keys from a bundle

func (*Plugin) PruneCAJournals added in v1.9.0

func (ds *Plugin) PruneCAJournals(ctx context.Context, allAuthoritiesExpireBefore int64) error

PruneCAJournals prunes the CA journals that have all of their authorities expired.

func (*Plugin) PruneJoinTokens

func (ds *Plugin) PruneJoinTokens(ctx context.Context, expiry time.Time) (err error)

PruneJoinTokens takes a Token message, and deletes all tokens which have expired before the date in the message

func (*Plugin) PruneRegistrationEntries

func (ds *Plugin) PruneRegistrationEntries(ctx context.Context, expiresBefore time.Time) (err error)

PruneRegistrationEntries takes a registration entry message, and deletes all entries which have expired before the date in the message

func (*Plugin) PruneRegistrationEntryEvents added in v1.11.0

func (ds *Plugin) PruneRegistrationEntryEvents(ctx context.Context, olderThan time.Duration) (err error)

PruneRegistrationEntryEvents deletes all registration entry events older than a specified duration (i.e. more than 24 hours old)

func (*Plugin) RevokeJWTKey added in v1.6.3

func (ds *Plugin) RevokeJWTKey(ctx context.Context, trustDoaminID string, authorityID string) (*common.PublicKey, error)

RevokeJWTAuthority removes JWT key from the bundle

func (*Plugin) RevokeX509CA added in v1.6.3

func (ds *Plugin) RevokeX509CA(ctx context.Context, trustDoaminID string, subjectKeyIDToRevoke string) error

RevokeX509CA removes a Root CA from the bundle

func (*Plugin) SetBundle

func (ds *Plugin) SetBundle(ctx context.Context, b *common.Bundle) (bundle *common.Bundle, err error)

SetBundle sets bundle contents. If no bundle exists for the trust domain, it is created.

func (*Plugin) SetCAJournal added in v1.9.0

func (ds *Plugin) SetCAJournal(ctx context.Context, caJournal *datastore.CAJournal) (caj *datastore.CAJournal, err error)

SetCAJournal sets the content for the specified CA journal. If the CA journal does not exist, it is created.

func (*Plugin) SetNodeSelectors

func (ds *Plugin) SetNodeSelectors(ctx context.Context, spiffeID string, selectors []*common.Selector) (err error)

SetNodeSelectors sets node (agent) selectors by SPIFFE ID, deleting old selectors first

func (*Plugin) SetUseServerTimestamps added in v1.7.1

func (ds *Plugin) SetUseServerTimestamps(useServerTimestamps bool)

SetUseServerTimestamps controls whether server-generated timestamps should be used in the database. This is only intended to be used by tests in order to produce deterministic timestamp data, since some databases round off timestamp data with lower precision.

func (*Plugin) TaintJWTKey added in v1.6.3

func (ds *Plugin) TaintJWTKey(ctx context.Context, trustDoaminID string, authorityID string) (*common.PublicKey, error)

TaintJWTKey taints a JWT Authority key

func (*Plugin) TaintX509CA added in v1.6.3

func (ds *Plugin) TaintX509CA(ctx context.Context, trustDoaminID string, subjectKeyIDToTaint string) error

TaintX509CAByKey taints an X.509 CA signed using the provided public key

func (*Plugin) UpdateAttestedNode

func (ds *Plugin) UpdateAttestedNode(ctx context.Context, n *common.AttestedNode, mask *common.AttestedNodeMask) (node *common.AttestedNode, err error)

UpdateAttestedNode updates the given node's cert serial and expiration.

func (*Plugin) UpdateBundle

func (ds *Plugin) UpdateBundle(ctx context.Context, b *common.Bundle, mask *common.BundleMask) (bundle *common.Bundle, err error)

UpdateBundle updates an existing bundle with the given CAs. Overwrites any existing certificates.

func (*Plugin) UpdateFederationRelationship added in v1.1.0

func (ds *Plugin) UpdateFederationRelationship(ctx context.Context, fr *datastore.FederationRelationship, mask *types.FederationRelationshipMask) (newFr *datastore.FederationRelationship, err error)

UpdateFederationRelationship updates the given federation relationship. Attributes are only updated if the correspondent mask value is set to true.

func (*Plugin) UpdateRegistrationEntry

func (ds *Plugin) UpdateRegistrationEntry(ctx context.Context, e *common.RegistrationEntry, mask *common.RegistrationEntryMask) (entry *common.RegistrationEntry, err error)

UpdateRegistrationEntry updates an existing registration entry

type RegisteredEntry

type RegisteredEntry struct {
	Model

	EntryID  string `gorm:"unique_index"`
	SpiffeID string `gorm:"index"`
	ParentID string `gorm:"index"`
	// TTL of identities derived from this entry. This field represents the X509-SVID TTL of the Entry
	TTL           int32
	Selectors     []Selector
	FederatesWith []Bundle `gorm:"many2many:federated_registration_entries;"`
	Admin         bool
	Downstream    bool
	// (optional) expiry of this entry
	Expiry int64 `gorm:"index"`
	// (optional) DNS entries
	DNSList []DNSName

	// RevisionNumber is a counter that is incremented when the entry is
	// updated.
	RevisionNumber int64

	// StoreSvid determines if the issued SVID is exportable to a store
	StoreSvid bool

	// Hint is a "hint string" passed to the workload to distinguish between
	// multiple SVIDs
	Hint string `gorm:"index"`

	// TTL of JWT identities derived from this entry
	JWTSvidTTL int32 `gorm:"column:jwt_svid_ttl"`
}

RegisteredEntry holds a registered entity entry

type RegisteredEntryEvent added in v1.7.2

type RegisteredEntryEvent struct {
	Model

	EntryID string
}

RegisteredEntryEvent holds the entry id of a registered entry that had an event

func (RegisteredEntryEvent) TableName added in v1.7.2

func (RegisteredEntryEvent) TableName() string

TableName gets table name for RegisteredEntryEvent

type Selector

type Selector struct {
	Model

	RegisteredEntryID uint   `gorm:"unique_index:idx_selector_entry"`
	Type              string `gorm:"unique_index:idx_selector_entry;index:idx_selectors_type_value"`
	Value             string `gorm:"unique_index:idx_selector_entry;index:idx_selectors_type_value"`
}

type V3AttestedNode

type V3AttestedNode struct {
	Model

	SpiffeID     string `gorm:"unique_index"`
	DataType     string
	SerialNumber string
	ExpiresAt    time.Time
}

func (V3AttestedNode) TableName

func (V3AttestedNode) TableName() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL