authdb

package
v1.87.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 26, 2024 License: AGPL-3.0 Imports: 20 Imported by: 4

Documentation

Index

Constants

View Source
const EncKeySizeEncoded = 28

EncKeySizeEncoded is size in base32 bytes + magic byte.

View Source
const KeyHashSizeEncoded = 64

KeyHashSizeEncoded is the length of a hex encoded KeyHash.

Variables

View Source
var (

	// NotFound is returned when a record is not found.
	NotFound = errs.Class("not found")

	// ErrAccessGrant occurs when an invalid access grant is given.
	ErrAccessGrant = errs.Class("access grant")
)
View Source
var Invalid = errs.Class("invalid")

Invalid is the class of error that is returned for invalid records.

View Source
var KeyHashError = errs.Class("key hash")

KeyHashError is a class of key hash errors.

Functions

This section is empty.

Types

type Database

type Database struct {
	// contains filtered or unexported fields
}

Database wraps Storage implementation and uses it to store encrypted accesses and secrets.

func NewDatabase

func NewDatabase(storage Storage, allowedSatelliteURLs map[storj.NodeURL]struct{}, retrievePublicProjectID bool) *Database

NewDatabase constructs a Database. allowedSatelliteAddresses should contain the full URL (with a node ID), including port, for each satellite we allow for incoming access grants.

func (*Database) Get

func (db *Database) Get(ctx context.Context, accessKeyID EncryptionKey) (result ResultRecord, err error)

Get retrieves an access grant and secret key, looked up by the hash of the access key, and then decrypted.

func (*Database) HealthCheck

func (db *Database) HealthCheck(ctx context.Context) (err error)

HealthCheck ensures the underlying storage backend works and returns an error otherwise.

func (*Database) Put

func (db *Database) Put(ctx context.Context, key EncryptionKey, accessGrant string, public bool) (secretKey SecretKey, err error)

Put encrypts the access grant with the key and stores it under the hash of the encryption key. It rejects access grants with expiration times that are before a minute from now.

func (*Database) SetAllowedSatellites

func (db *Database) SetAllowedSatellites(allowedSatelliteURLs map[storj.NodeURL]struct{})

SetAllowedSatellites updates the allowed satellites list from configuration values.

type EncryptionKey

type EncryptionKey [16]byte

EncryptionKey is an encryption key that an access/secret are encrypted with.

func NewEncryptionKey

func NewEncryptionKey() (EncryptionKey, error)

NewEncryptionKey returns a new random EncryptionKey with initial version byte.

func (*EncryptionKey) FromBase32

func (k *EncryptionKey) FromBase32(encoded string) error

FromBase32 loads the EncryptionKey from a lowercase RFC 4648 base32 string.

func (*EncryptionKey) FromBinary

func (k *EncryptionKey) FromBinary(data []byte) error

FromBinary reads the key from binary which must include the version byte.

func (EncryptionKey) Hash

func (k EncryptionKey) Hash() KeyHash

Hash returns the KeyHash for the EncryptionKey.

func (EncryptionKey) ToBase32

func (k EncryptionKey) ToBase32() string

ToBase32 returns the EncryptionKey as a lowercase RFC 4648 base32 string.

func (EncryptionKey) ToBinary

func (k EncryptionKey) ToBinary() []byte

ToBinary returns the EncryptionKey including the version byte.

func (EncryptionKey) ToStorjKey

func (k EncryptionKey) ToStorjKey() storj.Key

ToStorjKey returns the storj.Key equivalent for the EncryptionKey.

type FullRecord added in v1.69.0

type FullRecord struct {
	Record
	CreatedAt          time.Time
	InvalidatedAt      time.Time
	InvalidationReason string
}

FullRecord extends Record and includes invalidation information.

func (FullRecord) EqualWithinDuration added in v1.70.0

func (f FullRecord) EqualWithinDuration(other FullRecord, dur time.Duration) bool

EqualWithinDuration checks if this FullRecord is equal to another, comparing time.Time fields (CreatedAt, ExpiresAt, InvalidatedAt) using a given margin of error.

func (FullRecord) IsInvalid added in v1.69.0

func (f FullRecord) IsInvalid() bool

IsInvalid returns whether the record was invalidated.

type KeyHash

type KeyHash [32]byte

KeyHash is the key under which Records are saved.

func (KeyHash) Bytes

func (kh KeyHash) Bytes() []byte

Bytes returns the bytes for key hash.

func (*KeyHash) FromHex

func (kh *KeyHash) FromHex(encoded string) error

FromHex sets the key hash from a hex encoded string.

func (*KeyHash) SetBytes

func (kh *KeyHash) SetBytes(v []byte) error

SetBytes sets the key hash from bytes.

func (KeyHash) ToHex

func (kh KeyHash) ToHex() string

ToHex converts a key hash to a hex encoded string.

type Record

type Record struct {
	SatelliteAddress     string
	PublicProjectID      []byte
	MacaroonHead         []byte // 32 bytes probably
	EncryptedSecretKey   []byte
	EncryptedAccessGrant []byte
	ExpiresAt            *time.Time
	Public               bool // if true, knowledge of secret key is not required
}

Record holds encrypted credentials alongside metadata.

type ResultRecord added in v1.80.0

type ResultRecord struct {
	AccessGrant string
	SecretKey   SecretKey
	*Record
}

ResultRecord is returned when retrieving a record.

type SecretKey

type SecretKey [32]byte

SecretKey is the secret key used to sign requests.

func (SecretKey) ToBase32

func (s SecretKey) ToBase32() string

ToBase32 returns the SecretKey as a lowercase RFC 4648 base32 string.

func (SecretKey) ToBinary

func (s SecretKey) ToBinary() []byte

ToBinary returns the SecretKey including the version byte.

type Storage

type Storage interface {
	// Put stores the record.
	// It is an error if the key already exists.
	Put(ctx context.Context, keyHash KeyHash, record *Record) (err error)

	// Get retrieves the record.
	// It returns (nil, nil) if the key does not exist.
	// If the record is invalid, the error contains why.
	Get(ctx context.Context, keyHash KeyHash) (record *Record, err error)

	// HealthCheck ensures the storage backend works and returns an error
	// otherwise.
	HealthCheck(ctx context.Context) error

	// Run runs the storage backend.
	Run(ctx context.Context) error

	// Close closes the storage backend.
	Close() error
}

Storage is meant to be the storage backend for Auth Service's database, with the ability to store and retrieve records saved under key hashes.

type StorageAdmin added in v1.67.0

type StorageAdmin interface {
	Storage

	// GetFullRecord retrieves a record with information relevant to auth service administration.
	// It returns (nil, nil) if the key does not exist.
	GetFullRecord(ctx context.Context, keyHash KeyHash) (record *FullRecord, err error)

	// Invalidate invalidates the record.
	Invalidate(ctx context.Context, keyHash KeyHash, reason string) error

	// Unpublish unpublishes the record; this way it's not accessible through,
	// e.g., Link Sharing Service.
	Unpublish(ctx context.Context, keyHash KeyHash) error

	// Delete deletes the record.
	Delete(ctx context.Context, keyHash KeyHash) error
}

StorageAdmin extends Storage by allowing administrative queries to Auth Service's database.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL