Documentation ¶
Overview ¶
Package authorization is used for managing one-time-use certificate-signing- authorizations and claims.
Index ¶
- Constants
- Variables
- type Authorization
- type Claim
- type ClaimOpts
- type DB
- func (authDB *DB) Claim(ctx context.Context, opts *ClaimOpts) (err error)
- func (authDB *DB) Close() error
- func (authDB *DB) Create(ctx context.Context, userID string, count int) (_ Group, err error)
- func (authDB *DB) Get(ctx context.Context, userID string) (_ Group, err error)
- func (authDB *DB) List(ctx context.Context) (auths Group, err error)
- func (authDB *DB) Unclaim(ctx context.Context, authToken string) (err error)
- func (authDB *DB) UserIDs(ctx context.Context) (userIDs []string, err error)
- type DBConfig
- type Endpoint
- type Group
- type Service
- type Token
Constants ¶
const ( // Bucket is the bucket used with a bolt-backed authorizations DB. Bucket = "authorizations" // MaxClockSkew is the max duration in the past or future that a claim // timestamp is allowed to have and still be valid. MaxClockSkew = 5 * time.Minute )
Variables ¶
var ( // Error is used when an error occurs involving an authorization. Error = errs.Class("authorization error") // ErrDB is used when an error occurs involving the authorization database. ErrDB = errs.Class("authorization db error") // ErrInvalidToken is used when a token is invalid. ErrInvalidToken = errs.Class("invalid token error") // ErrCount is used when attempting to create an invalid number of authorizations. ErrCount = ErrDB.New("cannot add less than one authorizations") // ErrEmptyUserID is used when a user ID is required but not provided. ErrEmptyUserID = ErrDB.New("userID cannot be empty") )
var ErrEndpoint = errs.Class("authorization endpoint error")
ErrEndpoint is the default error class for the authorization endpoint.
var ErrService = errs.Class("authorization service error")
ErrService is the default error class for the authorization service.
Functions ¶
This section is empty.
Types ¶
type Authorization ¶
Authorization represents a single-use authorization token and its status.
func NewAuthorization ¶
func NewAuthorization(userID string) (*Authorization, error)
NewAuthorization creates a new, unclaimed authorization with a random token value.
func (Authorization) String ¶
func (a Authorization) String() string
String implements the stringer interface and prevents authorization data from completely leaking into logs and errors.
type Claim ¶
type Claim struct { Addr string Timestamp int64 Identity *identity.PeerIdentity SignedChainBytes [][]byte }
Claim holds information about the circumstances under which an authorization token was claimed.
type ClaimOpts ¶
type ClaimOpts struct { Req *pb.SigningRequest Peer *rpcpeer.Peer ChainBytes [][]byte MinDifficulty uint16 }
ClaimOpts hold parameters for claiming an authorization.
type DB ¶
type DB struct {
// contains filtered or unexported fields
}
DB stores authorizations which may be claimed in exchange for a certificate signature.
func NewDBFromCfg ¶
NewDBFromCfg creates and/or opens the authorization database specified by the config.
type DBConfig ¶
type DBConfig struct { URL string `default:"bolt://$CONFDIR/authorizations.db" help:"url to the certificate signing authorization database"` Overwrite bool `default:"false" help:"if true, overwrites config AND authorization db is truncated" setup:"true"` }
DBConfig is the authorization db config.
type Endpoint ¶
type Endpoint struct {
// contains filtered or unexported fields
}
Endpoint provides a http endpoint for interacting with an authorization service.
func NewEndpoint ¶
NewEndpoint creates a authorization endpoint.
type Group ¶
type Group []*Authorization
Group is a slice of authorizations for convenient de/serialization. and grouping.
func (Group) GroupByClaimed ¶
GroupByClaimed separates a group of authorizations into a group of claimed and a group of open authorizations.
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
Service is the authorization service.
func NewService ¶
NewService creates a new authorization service.
type Token ¶
type Token struct { // NB: currently email address for convenience UserID string Data [tokenDataLength]byte }
Token is a userID and a random byte array, when serialized, can be used like a pre-shared key for claiming certificate signatures.
func ParseToken ¶
ParseToken splits the token string on the delimiter to get a userID and data for a token and base58 decodes the data.