Package cryptodata provides support for wrapping a key-value store with a crypto layer that automatically decrypts all data passing through it.
Variables ¶
var DefaultPlugin = *NewPlugin()
DefaultPlugin is a default instance of Plugin.
Types ¶
type ArbitraryDecrypter ¶
// ArbitraryDecrypter looks for encrypted values inside arbitrary data and
// returns the data with those values decrypted. Implementations on this page
// are DecrypterJSON and DecrypterProto.
type ArbitraryDecrypter interface {
	// IsEncrypted reports whether the provided data are marked as encrypted.
	// Callers use it to decide whether Decrypt needs to run at all.
	IsEncrypted(inData interface{}) bool
	// Decrypt processes inData and decrypts the specific encrypted fields
	// using decryptFunc. The concrete type accepted for inData and returned
	// as data is implementation-specific (e.g. []byte for DecrypterJSON,
	// proto.Message for DecrypterProto).
	Decrypt(inData interface{}, decryptFunc DecryptFunc) (data interface{}, err error)
}
ArbitraryDecrypter represents a decrypter that looks for encrypted values inside arbitrary data and returns the data with those values decrypted.
type BytesBrokerWrapper ¶
// BytesBrokerWrapper wraps keyval.BytesBroker with additional support of
// reading encrypted data. Calls not overridden here (e.g. writes) are
// promoted from the embedded broker unchanged.
type BytesBrokerWrapper struct {
	keyval.BytesBroker
	// contains filtered or unexported fields
}
BytesBrokerWrapper wraps keyval.BytesBroker with additional support of reading encrypted data
func NewBytesBrokerWrapper ¶
func NewBytesBrokerWrapper(pb keyval.BytesBroker, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *BytesBrokerWrapper
NewBytesBrokerWrapper creates wrapper for provided BytesBroker, adding support for decrypting encrypted data
func (*BytesBrokerWrapper) GetValue ¶
func (cbb *BytesBrokerWrapper) GetValue(key string) (data []byte, found bool, revision int64, err error)
GetValue retrieves and tries to decrypt one item under the provided key.
func (*BytesBrokerWrapper) ListValues ¶
func (cbb *BytesBrokerWrapper) ListValues(key string) (keyval.BytesKeyValIterator, error)
ListValues returns an iterator that enables to traverse all items stored under the provided <key>.
type BytesKeyValIteratorWrapper ¶
// BytesKeyValIteratorWrapper wraps keyval.BytesKeyValIterator with additional
// support of reading encrypted data; only GetNext is overridden, everything
// else is promoted from the embedded iterator.
type BytesKeyValIteratorWrapper struct {
	keyval.BytesKeyValIterator
	// contains filtered or unexported fields
}
BytesKeyValIteratorWrapper wraps keyval.BytesKeyValIterator with additional support of reading encrypted data
func (*BytesKeyValIteratorWrapper) GetNext ¶
func (r *BytesKeyValIteratorWrapper) GetNext() (kv keyval.BytesKeyVal, stop bool)
GetNext retrieves the following item from the context. When there are no more items to get, <stop> is returned as *true* and <kv> is simply *nil*.
type BytesKeyValWrapper ¶
// BytesKeyValWrapper wraps keyval.BytesKeyVal with additional support of
// reading encrypted data; GetValue and GetPrevValue are overridden so the
// decrypted bytes are returned instead of the stored ones.
type BytesKeyValWrapper struct {
	keyval.BytesKeyVal
	// contains filtered or unexported fields
}
BytesKeyValWrapper wraps keyval.BytesKeyVal with additional support of reading encrypted data
func (*BytesKeyValWrapper) GetPrevValue ¶
func (r *BytesKeyValWrapper) GetPrevValue() []byte
GetPrevValue returns the previous value of the pair.
func (*BytesKeyValWrapper) GetValue ¶
func (r *BytesKeyValWrapper) GetValue() []byte
GetValue returns the value of the pair.
type BytesWatchRespWrapper ¶
// BytesWatchRespWrapper wraps keyval.BytesWatchResp with additional support of
// reading encrypted data. Both embedded types provide GetValue/GetPrevValue,
// which would make the promoted methods ambiguous; the type therefore defines
// its own GetValue and GetPrevValue explicitly.
type BytesWatchRespWrapper struct {
	keyval.BytesWatchResp
	BytesKeyValWrapper
}
BytesWatchRespWrapper wraps keyval.BytesWatchResp with additional support of reading encrypted data
func (*BytesWatchRespWrapper) GetPrevValue ¶
func (r *BytesWatchRespWrapper) GetPrevValue() []byte
GetPrevValue returns the previous value of the pair.
func (*BytesWatchRespWrapper) GetValue ¶
func (r *BytesWatchRespWrapper) GetValue() []byte
GetValue returns the value of the pair.
type BytesWatcherWrapper ¶
// BytesWatcherWrapper wraps keyval.BytesWatcher with additional support of
// reading encrypted data; Watch is overridden so delivered responses carry
// decrypted values.
type BytesWatcherWrapper struct {
	keyval.BytesWatcher
	// contains filtered or unexported fields
}
BytesWatcherWrapper wraps keyval.BytesWatcher with additional support of reading encrypted data
func NewBytesWatcherWrapper ¶
func NewBytesWatcherWrapper(pb keyval.BytesWatcher, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *BytesWatcherWrapper
NewBytesWatcherWrapper creates wrapper for provided BytesWatcher, adding support for decrypting encrypted data
func (*BytesWatcherWrapper) Watch ¶
func (b *BytesWatcherWrapper) Watch(respChan func(keyval.BytesWatchResp), closeChan chan string, keys ...string) error
Watch starts a subscription for changes associated with the selected keys. Watch events are delivered to the callback (not a channel) <respChan>. Channel <closeChan> can be used to stop watching the respective key.
type Client ¶
// Client implements ClientAPI and embeds ClientConfig, so the configured
// private keys, reader and hash are reachable directly on the client.
// It is constructed with NewClient.
type Client struct {
	ClientConfig
}
Client implements ClientAPI and ClientConfig
func NewClient ¶
func NewClient(clientConfig ClientConfig) *Client
NewClient creates a new client from the provided config (including its reader).
func (*Client) DecryptData ¶
DecryptData implements ClientAPI.DecryptData
func (*Client) EncryptData ¶
EncryptData implements ClientAPI.EncryptData
func (*Client) WrapBytes ¶
func (client *Client) WrapBytes(cbw keyval.KvBytesPlugin, decrypter ArbitraryDecrypter) keyval.KvBytesPlugin
WrapBytes implements ClientAPI.WrapBytes
func (*Client) WrapProto ¶
func (client *Client) WrapProto(kvp keyval.KvProtoPlugin, decrypter ArbitraryDecrypter) keyval.KvProtoPlugin
WrapProto implements ClientAPI.WrapProto
type ClientAPI ¶
// ClientAPI handles encrypting/decrypting and wrapping data. Client is the
// implementation on this page.
type ClientAPI interface {
	// EncryptData encrypts input data using the provided public key.
	EncryptData(inData []byte, pub *rsa.PublicKey) (data []byte, err error)
	// DecryptData decrypts input data; presumably it uses the private keys
	// from ClientConfig.PrivateKeys — confirm against the implementation.
	DecryptData(inData []byte) (data []byte, err error)
	// WrapBytes wraps a kv bytes plugin with support for decrypting encrypted
	// data in values.
	WrapBytes(cbw keyval.KvBytesPlugin, decrypter ArbitraryDecrypter) keyval.KvBytesPlugin
	// WrapProto wraps a kv proto plugin with support for decrypting encrypted
	// data in values.
	WrapProto(kvp keyval.KvProtoPlugin, decrypter ArbitraryDecrypter) keyval.KvProtoPlugin
}
ClientAPI handles encrypting/decrypting and wrapping data
type ClientConfig ¶
// ClientConfig holds the key material and crypto primitives a Client uses.
// PrivateKeys is secret material: keep it out of logs and error messages.
type ClientConfig struct {
	// PrivateKeys are used to decrypt encrypted values while reading them
	// from the store.
	PrivateKeys []*rsa.PrivateKey
	// Reader is used for encrypting/decrypting.
	// NOTE(review): for RSA this is presumably the randomness source handed to
	// the crypto/rsa encrypt/decrypt calls, in which case it should be
	// crypto/rand.Reader — confirm against the implementation.
	Reader io.Reader
	// Hash is the hash function used for hashing while encrypting.
	// NOTE(review): likely the OAEP hash; the same hash must be used on the
	// decrypt side — confirm against the implementation.
	Hash hash.Hash
}
ClientConfig is the result of converting Config.PrivateKeyFile to PrivateKey.
type Config ¶
// Config is the on-disk configuration used to load private keys.
type Config struct {
	// PrivateKeyFiles are PEM paths from which rsa.PrivateKey values are
	// created. Each file holds private key material, so it should be readable
	// only by the process owner.
	PrivateKeyFiles []string `json:"private-key-files"`
}
Config is used to read private keys from files.
type DecryptFunc ¶
DecryptFunc is function that decrypts input data
type DecrypterJSON ¶
// DecrypterJSON is an ArbitraryDecrypter implementation that can decrypt JSON
// values. Construct it with NewDecrypterJSON; the prefix that marks encrypted
// values can be changed with SetPrefix.
type DecrypterJSON struct {
	// contains filtered or unexported fields
}
DecrypterJSON is ArbitraryDecrypter implementation that can decrypt JSON values
func NewDecrypterJSON ¶
func NewDecrypterJSON() *DecrypterJSON
NewDecrypterJSON creates new JSON decrypter with default value for Prefix being `$crypto$`
func (DecrypterJSON) Decrypt ¶
func (d DecrypterJSON) Decrypt(object interface{}, decryptFunc DecryptFunc) (interface{}, error)
Decrypt tries to find encrypted values in JSON data and decrypt them. It uses the IsEncrypted function on the data to check whether it contains any encrypted data. Then it parses the data as JSON and tries to look up all values that begin with `Prefix`, trims the prefix, base64-decodes the data and decrypts it using the provided decrypt function. This function accepts only []byte and returns []byte.
func (DecrypterJSON) IsEncrypted ¶
func (d DecrypterJSON) IsEncrypted(object interface{}) bool
IsEncrypted checks whether the provided data are marked as encrypted. First it tries to unmarshal the JSON into EncryptionCheck and then checks whether IsEncrypted is true.
func (DecrypterJSON) SetPrefix ¶
func (d DecrypterJSON) SetPrefix(prefix string)
SetPrefix sets prefix that is required for matching and decrypting values
type DecrypterProto ¶
// DecrypterProto is an ArbitraryDecrypter implementation that can decrypt
// protobuf values. Construct it with NewDecrypterProto, then tell it which
// message types and field paths hold encrypted strings via RegisterMapping;
// IsEncrypted only returns true for types present in that mapping.
type DecrypterProto struct {
	// contains filtered or unexported fields
}
DecrypterProto is ArbitraryDecrypter implementation that can decrypt protobuf values
func NewDecrypterProto ¶
func NewDecrypterProto() *DecrypterProto
NewDecrypterProto creates new protobuf decrypter with empty mapping
func (DecrypterProto) Decrypt ¶
func (d DecrypterProto) Decrypt(object interface{}, decryptFunc DecryptFunc) (interface{}, error)
Decrypt tries to find encrypted values in protobuf data and decrypt them. It uses the IsEncrypted function on the data to check whether it contains any encrypted data. Then it goes through the provided mapping, reflects on every field the mapping names and decrypts the string values the mappings point to. This function accepts only proto.Message and returns proto.Message.
func (DecrypterProto) IsEncrypted ¶
func (d DecrypterProto) IsEncrypted(object interface{}) bool
IsEncrypted checks if provided data type is contained in the Mapping
func (DecrypterProto) RegisterMapping ¶
func (d DecrypterProto) RegisterMapping(object proto.Message, paths ...[]string)
RegisterMapping registers a mapping in the decrypter that maps a proto.Message type to the paths used to access encrypted values.
type EncryptionCheck ¶
// EncryptionCheck is used to check for data to contain the encrypted marker.
// DecrypterJSON.IsEncrypted unmarshals the stored value into it, so the
// marker is read from the value itself: whether decryption is attempted is
// decided by the data, not by the reader.
type EncryptionCheck struct {
	// IsEncrypted is true if the data was marked as encrypted.
	IsEncrypted bool `json:"encrypted"`
}
EncryptionCheck is used to check for data to contain encrypted marker
type KvBytesPluginWrapper ¶
// KvBytesPluginWrapper wraps keyval.KvBytesPlugin with additional support of
// reading encrypted data; NewBroker and NewWatcher are overridden so the
// brokers and watchers they return decrypt values.
type KvBytesPluginWrapper struct {
	keyval.KvBytesPlugin
	// contains filtered or unexported fields
}
KvBytesPluginWrapper wraps keyval.KvBytesPlugin with additional support of reading encrypted data
func NewKvBytesPluginWrapper ¶
func NewKvBytesPluginWrapper(cbw keyval.KvBytesPlugin, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *KvBytesPluginWrapper
NewKvBytesPluginWrapper creates a wrapper for the provided CoreBrokerWatcher, adding support for decrypting encrypted data.
func (*KvBytesPluginWrapper) NewBroker ¶
func (cbw *KvBytesPluginWrapper) NewBroker(prefix string) keyval.BytesBroker
NewBroker returns a BytesBroker instance with support for decrypting values that prepends given <keyPrefix> to all keys in its calls. To avoid using a prefix, pass keyval.Root constant as argument.
func (*KvBytesPluginWrapper) NewWatcher ¶
func (cbw *KvBytesPluginWrapper) NewWatcher(prefix string) keyval.BytesWatcher
NewWatcher returns a BytesWatcher instance with support for decrypting values that prepends given <keyPrefix> to all keys during watch subscribe phase. The prefix is removed from the key retrieved by GetKey() in BytesWatchResp. To avoid using a prefix, pass keyval.Root constant as argument.
type KvProtoPluginWrapper ¶
// KvProtoPluginWrapper wraps keyval.KvProtoPlugin with additional support of
// reading encrypted data; NewBroker and NewWatcher are overridden so the
// brokers and watchers they return decrypt values.
type KvProtoPluginWrapper struct {
	keyval.KvProtoPlugin
	// contains filtered or unexported fields
}
KvProtoPluginWrapper wraps keyval.KvProtoPlugin with additional support of reading encrypted data
func NewKvProtoPluginWrapper ¶
func NewKvProtoPluginWrapper(kvp keyval.KvProtoPlugin, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *KvProtoPluginWrapper
NewKvProtoPluginWrapper creates wrapper for provided KvProtoPlugin, adding support for decrypting encrypted data
func (*KvProtoPluginWrapper) NewBroker ¶
func (kvp *KvProtoPluginWrapper) NewBroker(prefix string) keyval.ProtoBroker
NewBroker returns a ProtoBroker instance with support for decrypting values that prepends given <keyPrefix> to all keys in its calls. To avoid using a prefix, pass keyval.Root constant as argument.
func (*KvProtoPluginWrapper) NewWatcher ¶
func (kvp *KvProtoPluginWrapper) NewWatcher(prefix string) keyval.ProtoWatcher
NewWatcher returns a ProtoWatcher instance with support for decrypting values that prepends given <keyPrefix> to all keys during watch subscribe phase. The prefix is removed from the key retrieved by GetKey() in ProtoWatchResp. To avoid using a prefix, pass keyval.Root constant as argument.
type Option ¶
// Option is a function that can be passed to NewPlugin to customize the
// Plugin before it is returned.
type Option func(*Plugin)
Option is a function that can be used in NewPlugin to customize Plugin.
type Plugin ¶
Plugin implements cryptodata as plugin.
func NewPlugin ¶
NewPlugin creates a new Plugin with the provided Options.
func (*Plugin) Disabled ¶
Disabled returns *true* if the plugin is not in use due to missing configuration.
type ProtoBrokerWrapper ¶
// ProtoBrokerWrapper wraps keyval.ProtoBroker with additional support of
// reading encrypted data; GetValue and ListValues are overridden, the rest is
// promoted from the embedded broker.
type ProtoBrokerWrapper struct {
	keyval.ProtoBroker
	// contains filtered or unexported fields
}
ProtoBrokerWrapper wraps keyval.ProtoBroker with additional support of reading encrypted data
func NewProtoBrokerWrapper ¶
func NewProtoBrokerWrapper(pb keyval.ProtoBroker, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *ProtoBrokerWrapper
NewProtoBrokerWrapper creates wrapper for provided ProtoBroker, adding support for decrypting encrypted data
func (*ProtoBrokerWrapper) GetValue ¶
GetValue retrieves one item under the provided <key>. If the item exists, it is unmarshaled into the <reqObj> and its fields are decrypted.
func (*ProtoBrokerWrapper) ListValues ¶
func (db *ProtoBrokerWrapper) ListValues(key string) (keyval.ProtoKeyValIterator, error)
ListValues returns an iterator that enables to traverse all items stored under the provided <key>.
type ProtoKeyValIteratorWrapper ¶
// ProtoKeyValIteratorWrapper wraps keyval.ProtoKeyValIterator with additional
// support of reading encrypted data; only GetNext is overridden.
type ProtoKeyValIteratorWrapper struct {
	keyval.ProtoKeyValIterator
	// contains filtered or unexported fields
}
ProtoKeyValIteratorWrapper wraps keyval.ProtoKeyValIterator with additional support of reading encrypted data
func (*ProtoKeyValIteratorWrapper) GetNext ¶
func (r *ProtoKeyValIteratorWrapper) GetNext() (kv keyval.ProtoKeyVal, stop bool)
GetNext retrieves the following item from the context. When there are no more items to get, <stop> is returned as *true* and <kv> is simply *nil*.
type ProtoKeyValWrapper ¶
// ProtoKeyValWrapper wraps keyval.ProtoKeyVal with additional support of
// reading encrypted data; GetValue and GetPrevValue are overridden so the
// unmarshaled message has its encrypted fields decrypted.
type ProtoKeyValWrapper struct {
	keyval.ProtoKeyVal
	// contains filtered or unexported fields
}
ProtoKeyValWrapper wraps keyval.ProtoKeyVal with additional support of reading encrypted data
func (*ProtoKeyValWrapper) GetPrevValue ¶
func (r *ProtoKeyValWrapper) GetPrevValue(prevValue proto.Message) (prevValueExist bool, err error)
GetPrevValue returns the previous value of the pair.
func (*ProtoKeyValWrapper) GetValue ¶
func (r *ProtoKeyValWrapper) GetValue(value proto.Message) error
GetValue returns the value of the pair.
type ProtoWatchRespWrapper ¶
// ProtoWatchRespWrapper wraps a watch response with additional support of
// reading encrypted data. Note that the embedded response type is
// datasync.ProtoWatchResp, not keyval.ProtoWatchResp. Both embedded types
// provide GetValue/GetPrevValue, so the type defines its own explicitly to
// resolve the ambiguity.
type ProtoWatchRespWrapper struct {
	datasync.ProtoWatchResp
	ProtoKeyValWrapper
}
ProtoWatchRespWrapper wraps keyval.ProtoWatchResp with additional support of reading encrypted data
func (*ProtoWatchRespWrapper) GetPrevValue ¶
func (r *ProtoWatchRespWrapper) GetPrevValue(prevValue proto.Message) (prevValueExist bool, err error)
GetPrevValue returns the previous value of the pair.
func (*ProtoWatchRespWrapper) GetValue ¶
func (r *ProtoWatchRespWrapper) GetValue(value proto.Message) error
GetValue returns the value of the pair.
type ProtoWatcherWrapper ¶
// ProtoWatcherWrapper wraps keyval.ProtoWatcher with additional support of
// reading encrypted data; Watch is overridden so delivered responses carry
// decrypted values.
type ProtoWatcherWrapper struct {
	keyval.ProtoWatcher
	// contains filtered or unexported fields
}
ProtoWatcherWrapper wraps keyval.ProtoWatcher with additional support of reading encrypted data
func NewProtoWatcherWrapper ¶
func NewProtoWatcherWrapper(pb keyval.ProtoWatcher, decrypter ArbitraryDecrypter, decryptFunc DecryptFunc) *ProtoWatcherWrapper
NewProtoWatcherWrapper creates wrapper for provided ProtoWatcher, adding support for decrypting encrypted data
func (*ProtoWatcherWrapper) Watch ¶
func (b *ProtoWatcherWrapper) Watch(respChan func(datasync.ProtoWatchResp), closeChan chan string, keys ...string) error
Watch starts a subscription for changes associated with the selected keys. Watch events are delivered to the callback (not a channel) <respChan>. Channel <closeChan> can be used to stop watching the respective key.