Documentation ¶
Index ¶
- Constants
- Variables
- func BuildV2AuthToken(v2WalletKey, v2IdentityKey *ecdsa.PrivateKey, createdAt time.Time) (*messagev1.Token, *messagev1.AuthData, error)
- func EncodeAuthToken(token *messagev1.Token) (string, error)
- type AuthnConfig
- type AuthnOptions
- type Config
- type Options
- type Server
- type TelemetryInterceptor
- type WalletAuthorizer
Constants ¶
const (
	TopicCategoryPermissionUnknown        = 0
	TopicCategoryPermissionAuthRequired   = 1
	TopicCategoryPermissionNoAuthRequired = 2
)
Variables ¶
var (
	TokenExpiration             = time.Hour
	ErrTokenExpired             = errors.New("token expired")
	ErrMissingAuthData          = errors.New("missing auth data")
	ErrMissingAuthDataSignature = errors.New("missing auth data signature")
	ErrInvalidSignature         = errors.New("invalid signature")
	ErrWalletMismatch           = errors.New("wallet address mismatch")
	ErrUnsignedKey              = errors.New("identity key is not signed")
	ErrUnknownSignatureType     = errors.New("unknown signature type")
	ErrUnknownKeyType           = errors.New("unknown public key type")
	ErrMissingIdentityKey       = errors.New("missing identity key")
)
var (
	ErrMissingLog   = errors.New("missing log config")
	ErrMissingWaku  = errors.New("missing waku config")
	ErrMissingStore = errors.New("missing store config")
)
var ErrDenyListed = errors.New("wallet is deny listed")
var TopicCategoryPermissions = map[string]int{
	"privatestore": TopicCategoryPermissionAuthRequired,
	"contact":      TopicCategoryPermissionAuthRequired,
	"m":            TopicCategoryPermissionNoAuthRequired,
	"mE":           TopicCategoryPermissionNoAuthRequired,
	"dm":           TopicCategoryPermissionNoAuthRequired,
	"dmE":          TopicCategoryPermissionNoAuthRequired,
	"intro":        TopicCategoryPermissionNoAuthRequired,
	"invite":       TopicCategoryPermissionNoAuthRequired,
	"groupInvite":  TopicCategoryPermissionNoAuthRequired,
}
Functions ¶
func BuildV2AuthToken ¶
func BuildV2AuthToken(v2WalletKey, v2IdentityKey *ecdsa.PrivateKey, createdAt time.Time) (*messagev1.Token, *messagev1.AuthData, error)
func EncodeAuthToken ¶
func EncodeAuthToken(token *messagev1.Token) (string, error)
Types ¶
type AuthnConfig ¶
type AuthnConfig struct {
	AuthnOptions
	Limiter     ratelimiter.RateLimiter
	AllowLister authz.WalletAllowLister
	Log         *zap.Logger
}
AuthnConfig bundles AuthnOptions and the other parameters (rate limiter, allow lister, logger) needed to set up a WalletAuthorizer.
type AuthnOptions ¶
type AuthnOptions struct {
	// Enable is the master switch for the authentication module. If it is false then the
	// other options in this group are ignored. The module enforces authentication for
	// requests that require it (currently Publish only). Authenticated requests are
	// permitted according to the rules of the request type, i.e. you can't publish into
	// other wallets' contact and private topics.
	Enable bool `long:"enable" description:"require client authentication via wallet tokens"`

	// Ratelimits enables request rate limiting. Requests are bucketed by client IP address
	// and request type (there is one bucket for all requests without IPs). Each bucket is
	// allocated a number of tokens that are refilled at a fixed rate per minute up to a
	// given maximum number of tokens. Requests cost 1 token by default, except Publish
	// requests cost the number of Envelopes carried and BatchQuery requests cost the number
	// of queries carried. The limits depend on request type, e.g. Publish requests get lower
	// limits than other types of request. If AllowLists is also true then requests with
	// Bearer tokens from wallets explicitly Allowed get priority, i.e. a predefined multiple
	// of the configured limit. Priority wallets get separate IP buckets from regular wallets.
	Ratelimits bool `long:"ratelimits" description:"apply rate limits per client IP address"`

	// AllowLists enables wallet allow lists. All requests that require authentication
	// (currently Publish only) are rejected for wallets that are set as Denied in the allow
	// list. Wallets that are explicitly Allowed get priority rate limits if Ratelimits is true.
	AllowLists bool `long:"allowlists" description:"apply higher limits for allow listed wallets (requires authz and ratelimits)"`

	// PrivilegedAddresses lists wallet addresses that may publish into other users' topics.
	PrivilegedAddresses []string `long:"privileged-address" description:"allow this address to publish into other user's topics"`
}
AuthnOptions bundles the command-line options associated with the authn package.
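As an added example (this is not the package's ratelimiter, whose configured limits the page does not give), the bucketing rules the Ratelimits comment describes, in stand-alone Go: one bucket per client IP and request type, a shared bucket for requests without an IP, refill at a fixed rate per minute up to a maximum, Publish charged per envelope and BatchQuery per query, and a separate, larger bucket for priority (allow-listed) wallets. The request type names, the Limit values and PriorityMultiple = 5 are assumptions made for the example; the page says only that priority wallets get "a predefined multiple" of the limit.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"time"
)

// RequestType stands in for the gRPC request types the limiter tells apart (assumed names).
type RequestType string

const (
	Publish    RequestType = "publish"
	Query      RequestType = "query"
	BatchQuery RequestType = "batch_query"
)

// Limit is a bucket's refill rate in tokens per minute and its maximum size.
// The values used with it below are illustrative, not the package's configured limits.
type Limit struct {
	PerMinute, Max float64
}

// PriorityMultiple is the assumed multiple of the configured limit that allow-listed
// wallets receive; the documentation says only "a predefined multiple".
const PriorityMultiple = 5

type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter keeps one token bucket per (client IP, request type, priority) triple.
type Limiter struct {
	mu      sync.Mutex
	limits  map[RequestType]Limit
	buckets map[string]*bucket
	now     func() time.Time // injectable clock so refill can be checked deterministically
}

func NewLimiter(limits map[RequestType]Limit, now func() time.Time) *Limiter {
	return &Limiter{limits: limits, buckets: map[string]*bucket{}, now: now}
}

// Cost is the documented charging rule: Publish costs the number of envelopes carried,
// BatchQuery the number of queries carried, and every other request one token.
func Cost(rt RequestType, items int) int {
	if rt == Publish || rt == BatchQuery {
		return items
	}
	return 1
}

// bucketKey gives priority traffic its own bucket even for the same IP and folds all
// requests without an IP into one shared bucket per request type.
func bucketKey(ip string, rt RequestType, priority bool) string {
	if ip == "" {
		ip = "<no-ip>"
	}
	return fmt.Sprintf("%s|%s|%t", ip, rt, priority)
}

// Allow refills the request's bucket for the time elapsed, then charges cost tokens from
// it. It reports false and charges nothing when the bucket cannot cover the cost.
func (l *Limiter) Allow(ip string, rt RequestType, cost int, priority bool) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	lim, ok := l.limits[rt]
	if !ok {
		return false // request types without a configured limit are refused
	}
	if priority {
		lim.PerMinute *= PriorityMultiple
		lim.Max *= PriorityMultiple
	}
	now := l.now()
	k := bucketKey(ip, rt, priority)
	b, ok := l.buckets[k]
	if !ok {
		b = &bucket{tokens: lim.Max, last: now}
		l.buckets[k] = b
	}
	elapsed := math.Max(0, now.Sub(b.last).Minutes()) // a clock step backwards must not drain tokens
	b.tokens = math.Min(lim.Max, b.tokens+elapsed*lim.PerMinute)
	b.last = now
	if float64(cost) > b.tokens {
		return false
	}
	b.tokens -= float64(cost)
	return true
}
```

A refused request is not charged, so a burst of oversized Publish calls cannot starve a client's smaller requests; and because priority traffic keys a different bucket, an allow-listed wallet behind a shared NAT is not throttled by regular traffic from the same address.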
type Config ¶
type Config struct {
	Options
	AllowLister  authz.WalletAllowLister
	Waku         *wakunode.WakuNode
	Log          *zap.Logger
	Store        *store.Store
	MLSStore     mlsstore.MlsStore
	MLSValidator mlsvalidate.MLSValidationService
}
type Options ¶
type Options struct {
	GRPCAddress string       `long:"grpc-address" description:"API GRPC listening address" default:"0.0.0.0"`
	GRPCPort    uint         `long:"grpc-port" description:"API GRPC listening port" default:"5556"`
	HTTPAddress string       `long:"http-address" description:"API HTTP listening address" default:"0.0.0.0"`
	HTTPPort    uint         `long:"http-port" description:"API HTTP listening port" default:"5555"`
	Authn       AuthnOptions `group:"API Authentication Options" namespace:"authn"`
	MaxMsgSize  int          `long:"max-msg-size" description:"Max message size in bytes (default 50MB)" default:"52428800"`
	EnableMls   bool         `long:"enable-mls" description:"Enable the MLS server"`
}
type TelemetryInterceptor ¶
type TelemetryInterceptor struct {
// contains filtered or unexported fields
}
func NewTelemetryInterceptor ¶
func NewTelemetryInterceptor(log *zap.Logger) *TelemetryInterceptor
func (*TelemetryInterceptor) Stream ¶
func (ti *TelemetryInterceptor) Stream() grpc.StreamServerInterceptor
func (*TelemetryInterceptor) Unary ¶
func (ti *TelemetryInterceptor) Unary() grpc.UnaryServerInterceptor
type WalletAuthorizer ¶
type WalletAuthorizer struct {
	*AuthnConfig
	// contains filtered or unexported fields
}
WalletAuthorizer implements the authentication/authorization flow of client requests. It is intended to be hooked up with a GRPC server as an interceptor. It requires all requests to include an Authorization: Bearer header carrying a base-64 encoded messagev1.Token. The token ties the request to a wallet (authentication). Authorization decisions are then based on the authenticated wallet.
func NewWalletAuthorizer ¶
func NewWalletAuthorizer(config *AuthnConfig) *WalletAuthorizer
NewWalletAuthorizer creates an authorizer configured from the given AuthnConfig.
func (*WalletAuthorizer) Stream ¶
func (wa *WalletAuthorizer) Stream() grpc.StreamServerInterceptor
func (*WalletAuthorizer) Unary ¶
func (wa *WalletAuthorizer) Unary() grpc.UnaryServerInterceptor