themis

command module
v0.4.7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 4, 2021 License: Apache-2.0 Imports: 28 Imported by: 0

README

Themis

Build Status codecov.io Go Report Card Apache V2 License GitHub release Quality Gate Status

Summary

A JWT token issuer for devices that connect to the XMiDT cluster.

Table of Contents

Code of Conduct

This project and everyone participating in it are governed by the XMiDT Code Of Conduct. By participating, you agree to this Code.

Details

Themis provides a flexible strategy to issue JWT tokens to devices that need to connect to the XMiDT cluster.

Endpoints

There are three main endpoints (directly mapped to servers key, issuer and claims in configuration) this service provides:

  • GET /keys/{KID} - PEM format
  • GET /keys/{KID}/jwk.json - JWK format

This endpoint allows fetching the public portion of the key that themis uses to sign JWT tokens. For example, Talaria can use this endpoint to verify the signature of tokens which devices present when they attempt to connect to XMiDT.

Configuration for this endpoint is required when the issue endpoint is configured and vice versa.

  • GET /issue

This is the main and most compute intensive Themis endpoint as it creates JWT tokens based on configuration.

  • GET /claims

Configuring this endpoint is required if no configuration is provided for the previous two.

JWT Claims Configuration

Claims can be configured through the token.claims, partnerID and remote configuration elements. The claim values themselves can come from multiple sources.

Fixed values in configuration
token:
  ...

  claims:
    capabilities
      value:
        - capability0
        - capability1

The above config would create the claim:

"capabilities":  ["capability0", "capability1"]
HTTP Header or Parameter
token:  
  ...

  claims:
    mac:
      header: X-Midt-Mac-Address
      parameter: mac

The value of the mac claim would come from the specified header or parameter name of the request to the /issue endpoint.

PartnerID

Although it is configured separately, it behaves very similarly to the previous source type.

partnerID:
  claim: partner-id
  metadata: pid # only needed when a remote claims server needs this value
  header: X-Midt-Partner-ID
  parameter: pid
  default: comcast
Remote claims
remote:
  method: "POST"
  url: "http://remote-claims-server.example.com/claims"

For more informatiom on how to configure Themis to run as your remote claims server, read the next section on Remote Server Claims Configuration.

Remote Server Claims Configuration
Using Themis as the remote claims server

You can do this by configuring only the claims server in your configuration file. Claims are configured exactly the same as explained above.

Sending data to remote server

Suppose the remote claims server needs the ID of the device requesting a token in the form of an HTTP Header named X-Midt-Device-Id. The token.metadata configuration element allows you to specify which values are sent to the remote claims server.

token:
  ...
  metadata:
    ID:
      header: X-Midt-Device-Id

Build

There is a single binary for themis and its execution is fully driven by configuration.

Makefile

The Makefile has the following options you may find helpful:

  • make build: builds the Themis binary
  • make docker: builds a docker image for themis
  • make local-docker: builds a docker image for themis with the local version tag
  • make test: runs unit tests with coverage for Themis
  • make clean: deletes previously-built binaries and object files

Deploy

At the simplest form, run the binary with the flag specifying the configuration file

./themis -f themis.yaml
Docker

We recommend using docker for local development.

# Build docker image for themis
# themis.yaml specifies the static claims which will be returned in the JWT
make local-docker

# Run container service
docker run -p 6501:6501 themis:local

# Request a JWT token
curl http://localhost:6501/issue -H 'X-Midt-Mac-Address: mac:1122334455'

Contributing

Refer to CONTRIBUTING.md.

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis
Package config supplies a simple workflow for initializing an uber/fx App instance with spf13/pflag, spf13/viper, and any other components that need to be initialized prior to any uber/fx providers running.
Package config supplies a simple workflow for initializing an uber/fx App instance with spf13/pflag, spf13/viper, and any other components that need to be initialized prior to any uber/fx providers running.
xhttpserver/pprof
Package pprof exposes simple integrations between net/http/pprof, gorilla/mux, and uber/fx.
Package pprof exposes simple integrations between net/http/pprof, gorilla/mux, and uber/fx.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL