certificates

package
v0.13.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 14, 2019 License: AGPL-3.0 Imports: 29 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// AuthorizationsBucket is the bucket used with a bolt-backed authorizations DB.
	AuthorizationsBucket = "authorizations"
	// MaxClaimDelaySeconds is the max duration in seconds in the past or
	// future that a claim timestamp is allowed to have and still be valid.
	MaxClaimDelaySeconds = 15
)

Variables

View Source
var (

	// ErrAuthorization is used when an error occurs involving an authorization.
	ErrAuthorization = errs.Class("authorization error")
	// ErrAuthorizationDB is used when an error occurs involving the authorization database.
	ErrAuthorizationDB = errs.Class("authorization db error")
	// ErrInvalidToken is used when a token is invalid
	ErrInvalidToken = errs.Class("invalid token error")
	// ErrAuthorizationCount is used when attempting to create an invalid number of authorizations.
	ErrAuthorizationCount = ErrAuthorizationDB.New("cannot add less than one authorizations")
)

Functions

This section is empty.

Types

type Authorization

type Authorization struct {
	Token Token
	Claim *Claim
}

Authorization represents a single-use authorization token and its status

func NewAuthorization

func NewAuthorization(userID string) (*Authorization, error)

NewAuthorization creates a new, unclaimed authorization with a random token value

func (Authorization) String

func (a Authorization) String() string

String implements the stringer interface and prevents authorization data from completely leaking into logs and errors.

type AuthorizationDB

type AuthorizationDB struct {
	DB storage.KeyValueStore
}

AuthorizationDB stores authorizations which may be claimed in exchange for a certificate signature.

func (*AuthorizationDB) Claim

func (authDB *AuthorizationDB) Claim(ctx context.Context, opts *ClaimOpts) (err error)

Claim marks an authorization as claimed and records claim information.

func (*AuthorizationDB) Close

func (authDB *AuthorizationDB) Close() error

Close closes the authorization database's underlying store.

func (*AuthorizationDB) Create

func (authDB *AuthorizationDB) Create(ctx context.Context, userID string, count int) (_ Authorizations, err error)

Create creates a new authorization and adds it to the authorization database.

func (*AuthorizationDB) Get

func (authDB *AuthorizationDB) Get(ctx context.Context, userID string) (_ Authorizations, err error)

Get retrieves authorizations by user ID.

func (*AuthorizationDB) List

func (authDB *AuthorizationDB) List(ctx context.Context) (auths Authorizations, err error)

List returns all authorizations in the database.

func (*AuthorizationDB) Unclaim

func (authDB *AuthorizationDB) Unclaim(ctx context.Context, authToken string) (err error)

Unclaim removes a claim from an authorization.

func (*AuthorizationDB) UserIDs

func (authDB *AuthorizationDB) UserIDs(ctx context.Context) (userIDs []string, err error)

UserIDs returns a list of all userIDs present in the authorization database.

type Authorizations

type Authorizations []*Authorization

Authorizations is a slice of authorizations for convenient de/serialization and grouping.

func (Authorizations) Group

func (a Authorizations) Group() (claimed, open Authorizations)

Group separates a set of authorizations into a set of claimed and a set of open authorizations.

func (Authorizations) Marshal

func (a Authorizations) Marshal() ([]byte, error)

Marshal serializes a set of authorizations

func (*Authorizations) Unmarshal

func (a *Authorizations) Unmarshal(data []byte) error

Unmarshal deserializes a set of authorizations

type CertClientConfig

type CertClientConfig struct {
	Address string `help:"address of the certificate signing rpc service"`
	TLS     tlsopts.Config
}

CertClientConfig is a config struct for use with a certificate signing service client

func (CertClientConfig) Sign

func (c CertClientConfig) Sign(ctx context.Context, ident *identity.FullIdentity, authToken string) (_ [][]byte, err error)

Sign submits a certificate signing request given the config

type CertServerConfig

type CertServerConfig struct {
	Overwrite          bool   `default:"false" help:"if true, overwrites config AND authorization db is truncated" setup:"true"`
	AuthorizationDBURL string `default:"bolt://$CONFDIR/authorizations.db" help:"url to the certificate signing authorization database"`
	MinDifficulty      uint   `default:"30" help:"minimum difficulty of the requester's identity required to claim an authorization"`
	CA                 identity.FullCAConfig
}

CertServerConfig is a config struct for use with a certificate signing service server

func (CertServerConfig) NewAuthDB

func (c CertServerConfig) NewAuthDB() (*AuthorizationDB, error)

NewAuthDB creates or opens the authorization database specified by the config

func (CertServerConfig) Run

func (c CertServerConfig) Run(ctx context.Context, srv *server.Server) (err error)

Run implements the responsibility interface, starting a certificate signing server.

type CertificateSigner

type CertificateSigner struct {
	// contains filtered or unexported fields
}

CertificateSigner implements pb.CertificatesServer

func NewServer

func NewServer(log *zap.Logger, signer *identity.FullCertificateAuthority, authDB *AuthorizationDB, minDifficulty uint16) *CertificateSigner

NewServer creates a new certificate signing grpc server

func (CertificateSigner) Sign

Sign signs the CA certificate of the remote peer's identity with the signer's certificate. Returns a certificate chain consisting of the remote peer's CA followed by the signer's chain.

type Claim

type Claim struct {
	Addr             string
	Timestamp        int64
	Identity         *identity.PeerIdentity
	SignedChainBytes [][]byte
}

Claim holds information about the circumstances under which an authorization token was claimed.

type ClaimOpts

type ClaimOpts struct {
	Req           *pb.SigningRequest
	Peer          *peer.Peer
	ChainBytes    [][]byte
	MinDifficulty uint16
}

ClaimOpts hold parameters for claiming an authorization

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client implements pb.CertificateClient

func NewClient

func NewClient(ctx context.Context, tc transport.Client, address string) (*Client, error)

NewClient creates a new certificate signing grpc client

func NewClientFrom

func NewClientFrom(client pb.CertificatesClient) (*Client, error)

NewClientFrom creates a new certificate signing grpc client from an existing grpc cert signing client

func (*Client) Close

func (c *Client) Close() error

Close closes the client

func (*Client) Sign

func (c *Client) Sign(ctx context.Context, tokenStr string) (_ [][]byte, err error)

Sign claims an authorization using the token string and returns a signed copy of the client's CA certificate

type Token

type Token struct {
	// NB: currently email address for convenience
	UserID string
	Data   [tokenDataLength]byte
}

Token is a userID and a random byte array, when serialized, can be used like a pre-shared key for claiming certificate signatures.

func ParseToken

func ParseToken(tokenString string) (*Token, error)

ParseToken splits the token string on the delimiter to get a userID and data for a token and base58 decodes the data.

func (*Token) Equal

func (t *Token) Equal(cmpToken *Token) bool

Equal checks if two tokens have equal user IDs and data

func (*Token) String

func (t *Token) String() string

String implements the stringer interface. Base68 w/ version and checksum bytes are used for easy and reliable human transport.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL