Documentation ¶
Overview ¶
Package client implements pRPC client for The Token Server.
It is a thin wrapper around regular pRPC client, that knows how to use private keys and certificates to properly prepare requests for the token server.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Client ¶
type Client struct { // Client is interface to use for raw RPC calls to the token server. // // Use minter.NewTokenMinterClient to create it. Note that transport-level // authentication is not needed. Client TokenMinterClient // Signer knows how to sign requests using some private key. Signer Signer }
Client can make signed requests to the token server.
func New ¶
func New(params Parameters) (*Client, error)
New returns new Client that uses PEM encoded keys and talks to the server via pRPC.
func (*Client) MintMachineToken ¶
func (c *Client) MintMachineToken(ctx context.Context, req *minter.MachineTokenRequest, opts ...grpc.CallOption) (*minter.MachineTokenResponse, error)
MintMachineToken signs the request using the signer and sends it.
It will update in-place the following fields of the request:
- Certificate will be set to ASN1 cert corresponding to the signer key.
- SignatureAlgorithm will be set to the algorithm used to sign the request.
- IssuedAt will be set to the current time.
The rest of the fields must be already populated by the caller and will be sent to the server as is.
Returns:
- TokenResponse on success.
- Non-transient error on fatal errors.
- Transient error on transient errors.
You can sniff error for RPCError type to grab more error details.
type Parameters ¶
type Parameters struct { // PrivateKeyPath is a path to a file with a private key PEM file. // // Required. PrivateKeyPath string // CertificatePath is a path to a file with a corresponding certificate. // // Required. It must match the private key (this will be verified). CertificatePath string // Backend is a hostname of the token server to talk to. // // Required. Backend string // Insecure is true to use 'http' protocol instead of 'https'. // // Useful on localhost. Default is "secure". Insecure bool // Client is non-authenticating HTTP client to build pRPC transport on top of. // // Default is http.DefaultClient. Client *http.Client // Retry defines how to retry RPC requests on transient errors. // // Use retry.Default for default strategy. Default is "no retries". Retry retry.Factory }
Parameters is passed to New.
type RPCError ¶
type RPCError struct { GrpcCode codes.Code // grpc-level status code ErrorCode minter.ErrorCode // protocol-level status code ServiceVersion string // version of the backend, if known // contains filtered or unexported fields }
RPCError is optionally returned for recognized RPC errors.
Use typecast to distinguish recognized and unrecognized errors.
type Signer ¶
type Signer interface { // Algo returns an algorithm that the signer implements. Algo(ctx context.Context) (x509.SignatureAlgorithm, error) // Certificate returns ASN.1 DER blob with the certificate of the signer. Certificate(ctx context.Context) ([]byte, error) // Sign signs a blob using the private key. Sign(ctx context.Context, blob []byte) ([]byte, error) }
Signer knows how to sign requests using some private key.
type TokenMinterClient ¶
type TokenMinterClient interface { // MintMachineToken generates a new token for an authenticated machine. MintMachineToken(context.Context, *minter.MintMachineTokenRequest, ...grpc.CallOption) (*minter.MintMachineTokenResponse, error) }
TokenMinterClient is subset of minter.TokenMinterClient this package uses.
type X509Signer ¶
type X509Signer struct { // PrivateKeyPEM is PEM-encoded ASN.1 PKCS#1 private key. // // See https://openssl.org/docs/manmaster/apps/rsa.html. PrivateKeyPEM []byte // CertificatePEM is PEM-encoded ASN.1 x509 certificate. // // It must contain a public key matching the private key specified by // PrivateKeyPEM (this will be verified). // // See https://openssl.org/docs/manmaster/apps/x509.html. CertificatePEM []byte // contains filtered or unexported fields }
X509Signer implements Signer interface by using a private key and a certificate specified in ANS.1 x509 PEM encoded structures.
It is fine to initialize this struct directly if you have loaded private key and certificate already. You can optionally use Validate() to make sure they are valid before making other calls (all calls do validation anyhow).
Use LoadX509Signer to load the key and certificate from files on disk.
func LoadX509Signer ¶
func LoadX509Signer(privateKeyPath, certPath string) (*X509Signer, error)
LoadX509Signer parses and validates private key and certificate PEM files.
Returns X509Signer that is ready for work.
func (*X509Signer) Algo ¶
func (s *X509Signer) Algo(ctx context.Context) (x509.SignatureAlgorithm, error)
Algo returns an algorithm that the signer implements.
func (*X509Signer) Certificate ¶
func (s *X509Signer) Certificate(ctx context.Context) ([]byte, error)
Certificate returns ASN.1 DER blob with the certificate of the signer.
func (*X509Signer) Validate ¶
func (s *X509Signer) Validate() error
Validate parses the private key and certificate file and verifies them.
It checks that the public portion of the key matches what's in the certificate.