gds

package
v1.4.1

Published: May 17, 2022 License: MIT Imports: 53 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MockConfig

func MockConfig() config.Config

MockConfig returns a configuration that ensures the service will operate in a fully mocked way with all testing parameters set correctly. The config is returned directly for required modifications, such as pointing the database path to a fixtures path.

func ValidateCommonName added in v1.3.1

func ValidateCommonName(name string) (err error)

Validate a common name. The common name should not be empty, nor start with an "*" (i.e. a DNS wildcard). It should not start with a "-", and each label should be no more than 63 octets long. The common name should not have a scheme (e.g. an https:// prefix) and it should not have a port (e.g. example.com:443). Parsing is primarily based on a regular expression match from the cnre pattern.
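The rules above, written out as a standalone validator (an added example, not the package's own code; the cnre pattern itself is not shown on this page, so this is a hypothetical re-implementation of the documented rules, and the empty-label rejection is an assumption beyond them):

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// validateCommonName applies the rules listed in the ValidateCommonName doc
// comment. It is a hypothetical re-implementation for illustration, not the
// package's own cnre regular expression, which is not shown on this page.
func validateCommonName(name string) error {
	if name == "" {
		return errors.New("common name must not be empty")
	}
	if strings.HasPrefix(name, "*") {
		return errors.New("common name must not be a DNS wildcard")
	}
	if strings.HasPrefix(name, "-") {
		return errors.New("common name must not start with a hyphen")
	}
	if strings.Contains(name, "://") {
		return errors.New("common name must not include a scheme")
	}
	// With the scheme already rejected, any remaining colon is a port suffix.
	if i := strings.LastIndex(name, ":"); i >= 0 {
		return fmt.Errorf("common name must not include a port %q", name[i:])
	}
	for _, label := range strings.Split(name, ".") {
		// Assumption beyond the doc comment: an empty label (e.g. "a..b") is rejected.
		if label == "" {
			return errors.New("common name contains an empty label")
		}
		// len() counts bytes, which is what "octets" means here.
		if len(label) > 63 {
			return fmt.Errorf("label %q exceeds 63 octets", label)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs, one per rule.
	for _, name := range []string{"example.com", "*.example.com", "-bad.example", "https://example.com", "example.com:443"} {
		fmt.Printf("%-22s %v\n", name, validateCommonName(name))
	}
}
```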

Types

type Admin

type Admin struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Admin implements the DirectoryAdministrationServer as defined by the v2 JSON API. This service is the primary interaction point with authorized TRISA users that are performing secure commands with authentication.

func NewAdmin

func NewAdmin(svc *Service) (a *Admin, err error)

NewAdmin creates a new GDS admin server derived from a parent Service.

func (*Admin) Authenticate

func (s *Admin) Authenticate(c *gin.Context)

Authenticate expects a Google OAuth JWT token that is verified by the server. Once verified, the JWT claims are authenticated against the server. Provided valid claims, the server will issue access and refresh tokens that the client should submit in the Authorization header for all future requests. This method also resets the CSRF double cookies to ensure that max-age matches the duration of the refresh tokens.

func (*Admin) Autocomplete

func (s *Admin) Autocomplete(c *gin.Context)

Autocomplete returns a mapping of name to VASP UUID for the search bar.

func (*Admin) Available

func (s *Admin) Available() gin.HandlerFunc

Available is middleware that uses the healthy boolean to return a service unavailable http status code if the server is shutting down. It does this before all routes to ensure that complex handling doesn't bog down the server.

func (*Admin) CreateReviewNote

func (s *Admin) CreateReviewNote(c *gin.Context)

CreateReviewNote creates a new review note given the vaspID param and a CreateReviewNoteRequest.

func (*Admin) DeleteContact added in v1.3.1

func (s *Admin) DeleteContact(c *gin.Context)

DeleteContact deletes a contact on a VASP.

func (*Admin) DeleteReviewNote

func (s *Admin) DeleteReviewNote(c *gin.Context)

DeleteReviewNote deletes a review note given vaspID and noteID params.

func (*Admin) DeleteVASP added in v1.3.1

func (s *Admin) DeleteVASP(c *gin.Context)

DeleteVASP removes a VASP and its associated certificate requests if and only if the VASP verification status is in PENDING_REVIEW or earlier or ERRORED.

func (*Admin) GetRouter

func (s *Admin) GetRouter() http.Handler

GetRouter returns the Admin API router for testing purposes.

func (*Admin) GetTokenManager

func (s *Admin) GetTokenManager() *tokens.TokenManager

GetTokenManager returns the underlying token manager for testing.

func (*Admin) ListReviewNotes

func (s *Admin) ListReviewNotes(c *gin.Context)

ListReviewNotes returns a list of review notes given a vaspID param.

func (*Admin) ListVASPs

func (s *Admin) ListVASPs(c *gin.Context)

ListVASPs returns a paginated, summary data structure of all VASPs managed by the directory service. This is an authenticated endpoint that is used to support the Admin UI and facilitate the review and registration process.

func (*Admin) ProtectAuthenticate

func (s *Admin) ProtectAuthenticate(c *gin.Context)

ProtectAuthenticate prepares the front-end for submitting a login token by setting the double cookie tokens for CSRF protection. The front-end should call this before posting credentials from Google.

func (*Admin) Reauthenticate

func (s *Admin) Reauthenticate(c *gin.Context)

Reauthenticate allows the submission of a refresh token to reauthenticate an expired or expiring access token and issues a new token pair. The access token must still be provided in the Authorization header as a Bearer token, even if it is expired since the access token contains the claims that need to be reissued. The refresh token is posted in the request body as the credential. This method also resets the CSRF double cookies to ensure that the max-age matches the duration of the refresh tokens.

func (*Admin) ReplaceContact added in v1.3.1

func (s *Admin) ReplaceContact(c *gin.Context)

ReplaceContact completely replaces a contact on a VASP with a new contact.

func (*Admin) Resend

func (s *Admin) Resend(c *gin.Context)

Resend emails in case they went to spam or the initial email send failed.

func (*Admin) RetrieveVASP

func (s *Admin) RetrieveVASP(c *gin.Context)

func (*Admin) Review

func (s *Admin) Review(c *gin.Context)

Review a registration request and either accept or reject it. On accept, the certificate request that was created on verify is used to send a Sectigo request and the certificate manager process watches it until the certificate has been issued. On reject, the VASP and certificate request records are deleted and the reject reason is sent to the technical contact.

func (*Admin) ReviewTimeline

func (s *Admin) ReviewTimeline(c *gin.Context)

ReviewTimeline returns a list of time series records containing registration state counts by week.

func (*Admin) ReviewToken added in v1.3.1

func (s *Admin) ReviewToken(c *gin.Context)

ReviewToken returns the admin verification token of the VASP if the VASP is in a state that it can be reviewed in, e.g. PENDING_REVIEW, otherwise a 404 is returned.

func (*Admin) Serve

func (s *Admin) Serve() (err error)

Serve GRPC requests on the specified address.

func (*Admin) SetHealth

func (s *Admin) SetHealth(health bool)

SetHealth sets the health status on the API server, putting it into unavailable mode if health is false, and removing maintenance mode if health is true.

func (*Admin) Shutdown

func (s *Admin) Shutdown() (err error)

Shutdown the Directory Administration Service gracefully

func (*Admin) Status

func (s *Admin) Status(c *gin.Context)

Get current counts of registration statuses and certificate requests.

func (*Admin) Summary

func (s *Admin) Summary(c *gin.Context)

Summary provides aggregate statistics that describe the state of the GDS.

func (*Admin) UpdateReviewNote

func (s *Admin) UpdateReviewNote(c *gin.Context)

UpdateReviewNote updates the text of a review note given vaspID and noteID params and an UpdateReviewNoteRequest.

func (*Admin) UpdateVASP

func (s *Admin) UpdateVASP(c *gin.Context)

UpdateVASP is a single entry point to a variety of different patches that can be made to the VASP object. In particular, the user may update the business details (website, categories, and established on), update the IVMS 101 Legal Person entity, change their responses to the TRIXO form, update the common name or endpoint, or manage contact details. Although technically, this endpoint would allow all those changes to be made simultaneously, the idea is that the PATCH only happens inside of those collections or groups of fields. Individual update methods define the logic for how each of those groups is updated together.

type GDS

type GDS struct {
	api.UnimplementedTRISADirectoryServer
	// contains filtered or unexported fields
}

GDS implements the TRISADirectoryService as defined by the v1beta1 or later TRISA protocol buffers. This service is the primary interaction point with TRISA service implementations that lookup information from the directory service, and this service also allows users to register and verify with the directory.

SEE FIRST: Service as defined in service.go (the main entrypoint of the server)

func NewGDS

func NewGDS(svc *Service) (gds *GDS, err error)

NewGDS creates a new GDS server derived from a parent Service.

func (*GDS) Lookup

func (s *GDS) Lookup(ctx context.Context, in *api.LookupRequest) (out *api.LookupReply, err error)

Lookup a VASP entity by name or ID to get full details including the TRISA certification if it exists and the entity has been verified.

func (*GDS) Register

func (s *GDS) Register(ctx context.Context, in *api.RegisterRequest) (out *api.RegisterReply, err error)

Register a new VASP entity with the directory service. After registration, the new entity must go through the verification process to get issued a certificate. The status of verification can be obtained by using the lookup RPC call. Register generates a PKCS12 password, provided in the RPC response which can be used to access the certificate private keys when they're emailed.

func (*GDS) Run

func (s *GDS) Run(sock net.Listener)

Run the gRPC server. This method is extracted from the Serve function so that it can be run in its own go routine and to allow tests to Run a bufconn server without starting a live server with all of the various go routines and channels running.

func (*GDS) Search

func (s *GDS) Search(ctx context.Context, in *api.SearchRequest) (out *api.SearchReply, err error)

Search for VASP entity records by name or by country in order to perform more detailed Lookup requests. The search process is purposefully simplistic at the moment.

func (*GDS) Serve

func (s *GDS) Serve() (err error)

Serve gRPC requests on the specified address.

func (*GDS) Shutdown

func (s *GDS) Shutdown() (err error)

Shutdown the TRISA Directory Service gracefully

func (*GDS) Status

func (s *GDS) Status(ctx context.Context, in *api.HealthCheck) (out *api.ServiceState, err error)

func (*GDS) Verification

func (s *GDS) Verification(ctx context.Context, in *api.VerificationRequest) (out *api.VerificationReply, err error)

Verification returns the status of a VASP including its verification and service status if the directory service is performing health check monitoring.

func (*GDS) VerifyContact

func (s *GDS) VerifyContact(ctx context.Context, in *api.VerifyContactRequest) (out *api.VerifyContactReply, err error)

VerifyContact checks the contact tokens for the specified VASP and registers the contact email verification. If successful, this method then sends the verification request to the TRISA Admins for review.

type Members

type Members struct {
	api.UnimplementedTRISAMembersServer
	// contains filtered or unexported fields
}

Members implements the TRISAMembers service as defined by the experimental v1alpha1 protocol buffers in the GDS repository. This service is intended to be an mTLS authenticated service (which is why it is separate from the GDS service) that is used directly by TRISA members to facilitate p2p exchanges and GDS lookups.

NOTE: this is a prototype service, this service may eventually be moved into the GDS specification in trisacrypto/trisa.

func NewMembers

func NewMembers(svc *Service) (members *Members, err error)

NewMembers creates a new Member server derived from a parent Service.

func (*Members) List

func (s *Members) List(ctx context.Context, in *api.ListRequest) (out *api.ListReply, err error)

List all verified VASP members in the Directory Service. This RPC returns an abbreviated listing of VASP details intended to facilitate p2p exchanges or more detailed lookups against the Directory Service. The response is paginated. If there are more results than the specified page size, then the reply will include a next page token. That token can be used to fetch the next page so long as the parameters of the original request are not modified (e.g. any filters or pagination parameters). See https://cloud.google.com/apis/design/design_patterns#list_pagination for more.

func (*Members) Run

func (s *Members) Run(sock net.Listener)

Run the gRPC server. This method is extracted from the Serve function so that it can be run in its own go routine and to allow tests to Run a bufconn server without starting a live server with all of the various go routines and channels running.

func (*Members) Serve

func (s *Members) Serve() (err error)

Serve gRPC requests on the specified address.

func (*Members) Shutdown

func (s *Members) Shutdown() (err error)

Shutdown the TRISA Members Service gracefully

type Service

type Service struct {
	// contains filtered or unexported fields
}

Service defines the entirety of the TRISA Global Directory Service including the GDS server that handles TRISA requests, the Admin server that handles administrative interactions, as well as the smaller routines and managers to handle email, secrets, backups, and certificates. I.e. this is the parent service that coordinates all subservices.

func New

func New(conf config.Config) (s *Service, err error)

New creates a TRISA Directory Service with the specified configuration and prepares it to listen for and serve GRPC requests.

func NewMock

func NewMock(conf config.Config, trtlConn *grpc.ClientConn) (s *Service, err error)

NewMock creates and returns a mocked Service for testing, using values provided in the config. The config should contain values specific to testing: the mock method only mocks at the top level of the service, so lower level mocks, such as mocking the secret manager or email service, must be implemented with configuration. Use MockConfig to ensure a configuration is generated that fully mocks the service.

func (*Service) Backup added in v1.4.0

func (s *Service) Backup(path string) (err error)

Backup performs a backup on behalf of the service. BackupManager calls this function at a periodic interval to take a snapshot of the store to disk and to keep only the configured number of archives.

func (*Service) BackupManager

func (s *Service) BackupManager(stop <-chan bool)

BackupManager is a go routine that periodically copies the directory storage to a compressed backup location, either locally on disk or to a cloud location. The manager may also encrypt the storage with provided keys. The manager is started when the server is started; but if it is not able to run, it will exit before continuing.

func (*Service) CertManager

func (s *Service) CertManager(stop <-chan struct{})

CertManager is a go routine that periodically checks on the status of certificate requests and moves them through the request pipeline. Once CertManager detects a certificate request that is ready to submit, it submits the request via the Sectigo API. If processing, it checks the batch status, and when it detects that the batch is done processing it downloads the certs and emails them to the technical contacts. If the certificate processing fails for any reason, it sends an error message to the TRISA admins since this will prevent the integrator from joining the network.

TODO: move completed certificate requests to archive so that the CertManager routine isn't continuously handling a growing number of requests over time.

TODO: notify admins if cert-manager errors since this will block integration.

func (*Service) GetAdmin

func (s *Service) GetAdmin() *Admin

GetAdmin returns the Admin server

func (*Service) GetConf

func (s *Service) GetConf() config.Config

GetConf returns a copy of the current configuration

func (*Service) GetGDS

func (s *Service) GetGDS() *GDS

GetGDS returns the GDS gRPC server

func (*Service) GetMembers

func (s *Service) GetMembers() *Members

GetMembers returns the Members gRPC server

func (*Service) GetSecretManager

func (s *Service) GetSecretManager() *secrets.SecretManager

GetSecretManager returns the secret manager

func (*Service) GetStore

func (s *Service) GetStore() store.Store

GetStore returns the underlying database store used by all sub-services.

func (*Service) Serve

func (s *Service) Serve() (err error)

Serve GRPC requests on the specified addresses and all internal servers.

func (*Service) Shutdown

func (s *Service) Shutdown() (err error)

Shutdown the TRISA Directory Service gracefully

Directories

Path      Synopsis
admin
  v1
  v2
members
models
  v1
store     Package store provides an interface to multiple types of embedded storage across multiple objects.
tokens    Package tokens handles the creation and verification of JWT tokens for authentication.
