certificates

package
v0.9.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 10, 2019 License: AGPL-3.0 Imports: 29 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// AuthorizationsBucket is the bucket used with a bolt-backed authorizations DB.
	AuthorizationsBucket = "authorizations"
	// MaxClaimDelaySeconds is the max duration in seconds in the past or
	// future that a claim timestamp is allowed to have and still be valid.
	MaxClaimDelaySeconds = 15
)

Variables

View Source 
var (

	// ErrAuthorization is used when an error occurs involving an authorization.
	ErrAuthorization = errs.Class("authorization error")
	// ErrAuthorizationDB is used when an error occurs involving the authorization database.
	ErrAuthorizationDB = errs.Class("authorization db error")
	// ErrInvalidToken is used when a token is invalid
	ErrInvalidToken = errs.Class("invalid token error")
	// ErrAuthorizationCount is used when attempting to create an invalid number of authorizations.
	ErrAuthorizationCount = ErrAuthorizationDB.New("cannot add less than one authorizations")
)

Functions

This section is empty.

Types

type Authorization 

type Authorization struct {
	Token Token
	Claim *Claim
}

Authorization represents a single-use authorization token and its status

func NewAuthorization 

func NewAuthorization(userID string) (*Authorization, error)

NewAuthorization creates a new, unclaimed authorization with a random token value

func (Authorization) String 

func (a Authorization) String() string

String implements the stringer interface and prevents authorization data from completely leaking into logs and errors.

type AuthorizationDB 

type AuthorizationDB struct {
	DB storage.KeyValueStore
}

AuthorizationDB stores authorizations which may be claimed in exchange for a certificate signature.

func (*AuthorizationDB) Claim 

func (authDB *AuthorizationDB) Claim(opts *ClaimOpts) error

Claim marks an authorization as claimed and records claim information.

func (*AuthorizationDB) Close 

func (authDB *AuthorizationDB) Close() error

Close closes the authorization database's underlying store.

func (*AuthorizationDB) Create 

func (authDB *AuthorizationDB) Create(userID string, count int) (Authorizations, error)

Create creates a new authorization and adds it to the authorization database.

func (*AuthorizationDB) Get 

func (authDB *AuthorizationDB) Get(userID string) (Authorizations, error)

Get retrieves authorizations by user ID.

func (*AuthorizationDB) List 

func (authDB *AuthorizationDB) List() (auths Authorizations, _ error)

List returns all authorizations in the database.

func (*AuthorizationDB) Unclaim 

func (authDB *AuthorizationDB) Unclaim(authToken string) error

Unclaim removes a claim from an authorization.

func (*AuthorizationDB) UserIDs 

func (authDB *AuthorizationDB) UserIDs() ([]string, error)

UserIDs returns a list of all userIDs present in the authorization database.

type Authorizations 

type Authorizations []*Authorization

Authorizations is a slice of authorizations for convenient de/serialization and grouping.

func (Authorizations) Group 

func (a Authorizations) Group() (claimed, open Authorizations)

Group separates a set of authorizations into a set of claimed and a set of open authorizations.

func (Authorizations) Marshal 

func (a Authorizations) Marshal() ([]byte, error)

Marshal serializes a set of authorizations

func (*Authorizations) Unmarshal 

func (a *Authorizations) Unmarshal(data []byte) error

Unmarshal deserializes a set of authorizations

type CertClientConfig 

type CertClientConfig struct {
	Address string `help:"address of the certificate signing rpc service"`
	TLS     tlsopts.Config
}

CertClientConfig is a config struct for use with a certificate signing service client

func (CertClientConfig) Sign 

func (c CertClientConfig) Sign(ctx context.Context, ident *identity.FullIdentity, authToken string) ([][]byte, error)

Sign submits a certificate signing request given the config

type CertServerConfig 

type CertServerConfig struct {
	Overwrite          bool   `default:"false" help:"if true, overwrites config AND authorization db is truncated" setup:"true"`
	AuthorizationDBURL string `default:"bolt://$CONFDIR/authorizations.db" help:"url to the certificate signing authorization database"`
	MinDifficulty      uint   `default:"30" help:"minimum difficulty of the requester's identity required to claim an authorization"`
	CA                 identity.FullCAConfig
}

CertServerConfig is a config struct for use with a certificate signing service server

func (CertServerConfig) NewAuthDB 

func (c CertServerConfig) NewAuthDB() (*AuthorizationDB, error)

NewAuthDB creates or opens the authorization database specified by the config

func (CertServerConfig) Run 

func (c CertServerConfig) Run(ctx context.Context, srv *server.Server) (err error)

Run implements the responsibility interface, starting a certificate signing server.

type CertificateSigner 

type CertificateSigner struct {
	// contains filtered or unexported fields
}

CertificateSigner implements pb.CertificatesServer

func NewServer 

func NewServer(log *zap.Logger, signer *identity.FullCertificateAuthority, authDB *AuthorizationDB, minDifficulty uint16) *CertificateSigner

NewServer creates a new certificate signing grpc server

func (CertificateSigner) Sign 

func (c CertificateSigner) Sign(ctx context.Context, req *pb.SigningRequest) (*pb.SigningResponse, error)

Sign signs the CA certificate of the remote peer's identity with the signer's certificate. Returns a certificate chain consisting of the remote peer's CA followed by the signer's chain.

type Claim 

type Claim struct {
	Addr             string
	Timestamp        int64
	Identity         *identity.PeerIdentity
	SignedChainBytes [][]byte
}

Claim holds information about the circumstances under which an authorization token was claimed.

type ClaimOpts 

type ClaimOpts struct {
	Req           *pb.SigningRequest
	Peer          *peer.Peer
	ChainBytes    [][]byte
	MinDifficulty uint16
}

ClaimOpts hold parameters for claiming an authorization

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client implements pb.CertificateClient

func NewClient 

func NewClient(ctx context.Context, tc transport.Client, address string) (*Client, error)

NewClient creates a new certificate signing grpc client

func NewClientFrom 

func NewClientFrom(client pb.CertificatesClient) (*Client, error)

NewClientFrom creates a new certificate signing grpc client from an existing grpc cert signing client

func (*Client) Close 

func (c *Client) Close() error

Close closes the client

func (*Client) Sign 

func (c *Client) Sign(ctx context.Context, tokenStr string) ([][]byte, error)

Sign claims an authorization using the token string and returns a signed copy of the client's CA certificate

type Token 

type Token struct {
	// NB: currently email address for convenience
	UserID string
	Data   [tokenDataLength]byte
}

Token is a userID and a random byte array, when serialized, can be used like a pre-shared key for claiming certificate signatures.

func ParseToken 

func ParseToken(tokenString string) (*Token, error)

ParseToken splits the token string on the delimiter to get a userID and data for a token and base58 decodes the data.

func (*Token) Equal 

func (t *Token) Equal(cmpToken *Token) bool

Equal checks if two tokens have equal user IDs and data

func (*Token) String 

func (t *Token) String() string

String implements the stringer interface. Base68 w/ version and checksum bytes are used for easy and reliable human transport.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.