Documentation
Index
- Constants
- Variables
- type Database
- func (db *Database) Get(ctx context.Context, accessKeyID EncryptionKey) (result ResultRecord, err error)
- func (db *Database) HealthCheck(ctx context.Context) (err error)
- func (db *Database) Put(ctx context.Context, key EncryptionKey, accessGrant string, public bool) (secretKey SecretKey, err error)
- func (db *Database) SetAllowedSatellites(allowedSatelliteURLs map[storj.NodeURL]struct{})
- type EncryptionKey
- type FullRecord
- type KeyHash
- type Record
- type ResultRecord
- type SecretKey
- type Storage
- type StorageAdmin
Constants
const EncKeySizeEncoded = 28
EncKeySizeEncoded is the length of a base32-encoded EncryptionKey, including the magic (version) byte.
const KeyHashSizeEncoded = 64
KeyHashSizeEncoded is the length of a hex encoded KeyHash.
Variables
var (
	// NotFound is returned when a record is not found.
	NotFound = errs.Class("not found")
	// ErrAccessGrant occurs when an invalid access grant is given.
	ErrAccessGrant = errs.Class("access grant")
)
var Invalid = errs.Class("invalid")
Invalid is the class of error that is returned for invalid records.
var KeyHashError = errs.Class("key hash")
KeyHashError is a class of key hash errors.
Functions
This section is empty.
Types
type Database
type Database struct {
// contains filtered or unexported fields
}
Database wraps a Storage implementation and uses it to store encrypted access grants and secret keys.
func NewDatabase
func NewDatabase(logger *zap.Logger, storage Storage, allowedSatelliteURLs map[storj.NodeURL]struct{}, retrievePublicProjectID bool) *Database
NewDatabase constructs a Database. allowedSatelliteURLs should contain the full URL (with a node ID), including port, for each satellite we allow for incoming access grants.
func (*Database) Get
func (db *Database) Get(ctx context.Context, accessKeyID EncryptionKey) (result ResultRecord, err error)
Get retrieves an access grant and secret key, looked up by the hash of the access key, and then decrypted.
func (*Database) HealthCheck
func (db *Database) HealthCheck(ctx context.Context) (err error)
HealthCheck ensures the underlying storage backend works and returns an error otherwise.
func (*Database) Put
func (db *Database) Put(ctx context.Context, key EncryptionKey, accessGrant string, public bool) (secretKey SecretKey, err error)
Put encrypts the access grant with the key and stores it under the hash of the encryption key. It rejects access grants whose expiration time is less than a minute from now.
func (*Database) SetAllowedSatellites
func (db *Database) SetAllowedSatellites(allowedSatelliteURLs map[storj.NodeURL]struct{})
SetAllowedSatellites updates the allowed satellites list from configuration values.
type EncryptionKey
type EncryptionKey [16]byte
EncryptionKey is the key with which an access grant and its secret key are encrypted.
func NewEncryptionKey
func NewEncryptionKey() (EncryptionKey, error)
NewEncryptionKey returns a new random EncryptionKey with the initial version byte.
func (*EncryptionKey) FromBase32
func (k *EncryptionKey) FromBase32(encoded string) error
FromBase32 loads the EncryptionKey from a lowercase RFC 4648 base32 string.
func (*EncryptionKey) FromBinary
func (k *EncryptionKey) FromBinary(data []byte) error
FromBinary reads the key from binary which must include the version byte.
func (EncryptionKey) Hash
func (k EncryptionKey) Hash() KeyHash
Hash returns the KeyHash for the EncryptionKey.
func (EncryptionKey) ToBase32
func (k EncryptionKey) ToBase32() string
ToBase32 returns the EncryptionKey as a lowercase RFC 4648 base32 string.
func (EncryptionKey) ToBinary
func (k EncryptionKey) ToBinary() []byte
ToBinary returns the EncryptionKey including the version byte.
func (EncryptionKey) ToStorjKey
func (k EncryptionKey) ToStorjKey() storj.Key
ToStorjKey returns the storj.Key equivalent for the EncryptionKey.
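The encoding contract described for EncryptionKey above, as an added example (not code from the storj authdb package): a version byte is prepended, the result is written as lowercase unpadded RFC 4648 base32 of exactly EncKeySizeEncoded characters, decoding rejects wrong lengths and unknown versions, and the storage key is a hash of the raw key rather than the key itself. The version byte value 0x01 and SHA-256 as the hash function are assumptions; the page states neither.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"errors"
)

// 16 key bytes + 1 version byte = 17 bytes = 28 unpadded base32 characters, the page's
// EncKeySizeEncoded. The version byte value 0x01 is an assumption, not taken from the page.
const (
	encKeySizeEncoded = 28
	versionByte       = 0x01
)

type EncryptionKey [16]byte
type KeyHash [32]byte

// Lowercase RFC 4648 alphabet without padding, as the page describes for ToBase32/FromBase32.
var enc = base32.NewEncoding("abcdefghijklmnopqrstuvwxyz234567").WithPadding(base32.NoPadding)

// ToBinary prepends the version byte so an encoded key is self-describing.
func (k EncryptionKey) ToBinary() []byte { return append([]byte{versionByte}, k[:]...) }

// FromBinary rejects input of the wrong length or with an unknown version byte.
func (k *EncryptionKey) FromBinary(data []byte) error {
	if len(data) != len(k)+1 {
		return errors.New("invalid key length")
	}
	if data[0] != versionByte {
		return errors.New("unknown key version")
	}
	copy(k[:], data[1:])
	return nil
}

func (k EncryptionKey) ToBase32() string { return enc.EncodeToString(k.ToBinary()) }

// FromBase32 checks the encoded length before decoding, then applies the version check.
func (k *EncryptionKey) FromBase32(encoded string) error {
	if len(encoded) != encKeySizeEncoded {
		return errors.New("invalid encoded key length")
	}
	data, err := enc.DecodeString(encoded)
	if err != nil {
		return err
	}
	return k.FromBinary(data)
}

// Hash is the storage key, so the backend never holds the key itself. SHA-256 is an assumption.
func (k EncryptionKey) Hash() KeyHash { return sha256.Sum256(k[:]) }
```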
type FullRecord added in v1.69.0
type FullRecord struct {
	Record
	CreatedAt          time.Time
	InvalidatedAt      time.Time
	InvalidationReason string
}
FullRecord extends Record and includes invalidation information.
func (FullRecord) EqualWithinDuration added in v1.70.0
func (f FullRecord) EqualWithinDuration(other FullRecord, dur time.Duration) bool
EqualWithinDuration checks if this FullRecord is equal to another, comparing time.Time fields (CreatedAt, ExpiresAt, InvalidatedAt) using a given margin of error.
func (FullRecord) IsInvalid added in v1.69.0
func (f FullRecord) IsInvalid() bool
IsInvalid returns whether the record was invalidated.
type KeyHash
type KeyHash [32]byte
KeyHash is the key under which Records are saved.
type Record
type Record struct {
	SatelliteAddress     string
	PublicProjectID      []byte
	MacaroonHead         []byte // 32 bytes probably
	EncryptedSecretKey   []byte
	EncryptedAccessGrant []byte
	ExpiresAt            *time.Time
	Public               bool // if true, knowledge of secret key is not required
}
Record holds encrypted credentials alongside metadata.
type ResultRecord added in v1.80.0
ResultRecord is returned when retrieving a record.
type SecretKey
type SecretKey [32]byte
SecretKey is the secret key used to sign requests.
type Storage
type Storage interface {
	// Put stores the record.
	// It is an error if the key already exists.
	Put(ctx context.Context, keyHash KeyHash, record *Record) (err error)
	// Get retrieves the record.
	// It returns (nil, nil) if the key does not exist.
	// If the record is invalid, the error contains why.
	Get(ctx context.Context, keyHash KeyHash) (record *Record, err error)
	// HealthCheck ensures the storage backend works and returns an error
	// otherwise.
	HealthCheck(ctx context.Context) error
	// Close closes the storage backend.
	Close() error
}
Storage is meant to be the storage backend for Auth Service's database, with the ability to store and retrieve records saved under key hashes.
type StorageAdmin added in v1.67.0
type StorageAdmin interface {
	Storage
	// GetFullRecord retrieves a record with information relevant to auth service administration.
	// It returns (nil, nil) if the key does not exist.
	GetFullRecord(ctx context.Context, keyHash KeyHash) (record *FullRecord, err error)
	// Invalidate invalidates the record.
	Invalidate(ctx context.Context, keyHash KeyHash, reason string) error
	// Unpublish unpublishes the record; this way it's not accessible through,
	// e.g., Link Sharing Service.
	Unpublish(ctx context.Context, keyHash KeyHash) error
	// Delete deletes the record.
	Delete(ctx context.Context, keyHash KeyHash) error
}
StorageAdmin extends Storage by allowing administrative queries to Auth Service's database.
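An in-memory backend written for this page as an added example (not the project's own implementation) that follows the Put/Get/Invalidate contract stated in the Storage and StorageAdmin comments above: Put fails when the key hash already exists, Get returns (nil, nil) for a missing key and an error carrying the reason for an invalidated one. The Record and entry types are trimmed stand-ins for the page's Record and FullRecord; the store is single-goroutine to stay short.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

type KeyHash [32]byte

// Record keeps only the fields this example needs; entry adds the invalidation reason, if any.
type Record struct{ EncryptedAccessGrant []byte; Public bool }
type entry struct{ rec Record; reason string }

// memStore is an in-memory backend (not safe for concurrent use, to stay short) that follows the
// Put/Get/Invalidate contract of the page's Storage and StorageAdmin interfaces.
type memStore struct{ recs map[KeyHash]*entry }

func newMemStore() *memStore { return &memStore{recs: map[KeyHash]*entry{}} }

// Put is an error if the key hash already exists, so a record is never silently overwritten.
func (m *memStore) Put(ctx context.Context, kh KeyHash, r *Record) error {
	if _, ok := m.recs[kh]; ok {
		return errors.New("key already exists")
	}
	m.recs[kh] = &entry{rec: *r}
	return nil
}

// Get returns (nil, nil) for a missing key; an invalidated record yields an error with the reason.
func (m *memStore) Get(ctx context.Context, kh KeyHash) (*Record, error) {
	e, ok := m.recs[kh]
	if !ok {
		return nil, nil
	}
	if e.reason != "" {
		return nil, fmt.Errorf("invalid record: %s", e.reason)
	}
	rec := e.rec // copy, so callers cannot mutate stored state
	return &rec, nil
}

// Invalidate marks the record revoked and keeps the reason for later Get calls and admin queries.
func (m *memStore) Invalidate(ctx context.Context, kh KeyHash, reason string) error {
	if e, ok := m.recs[kh]; ok {
		e.reason = reason
		return nil
	}
	return errors.New("not found")
}
```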