securecouchbase

package module
Published: Dec 20, 2017 License: MIT Imports: 11 Imported by: 0

README

securecouchbase Build Status

Secure Couchbase Project Requirements

  • In some cases it is not acceptable to allow a couchbase administrator to edit JSON entries
  • In some cases it is not acceptable to allow a couchbase read-only administrator to read confidential entries

Secure couchbase uses OpenPGP to wrap bucket calls with encrypted or signed variants of the Set and Get operations.

Getting started

Create a GPG key ring
$gpg2 --batch --gen-key --armor gpg.batch
Create your own security provider - or use the OpenPGP default
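// NewSecurityProvider builds the default OpenPGP SecurityProvider from the
// secret and public key ring files named by secretKeyring and publicKeyring
// (both declared elsewhere).
//
// Both file handles are closed before returning: previously the secret key
// ring handle leaked whenever opening the public key ring failed, and both
// handles leaked on the success path. The constructor result is also unpacked
// so a failure returns a literal nil interface rather than a typed nil
// *OpenPGPSecurityProvider wrapped in SecurityProvider.
//
// NOTE(review): assumes NewOpenPGPSecurityProvider consumes both readers
// before it returns (it only accepts io.Reader and returns parsed state) —
// confirm before relying on the deferred Close calls.
func NewSecurityProvider() (securecouchbase.SecurityProvider, error) {
  privateKeyRingReader, err := os.Open(secretKeyring)
  if err != nil {
    return nil, err
  }
  defer privateKeyRingReader.Close()

  publicKeyRingReader, err := os.Open(publicKeyring)
  if err != nil {
    return nil, err
  }
  defer publicKeyRingReader.Close()

  provider, err := securecouchbase.NewOpenPGPSecurityProvider(privateKeyRingReader, publicKeyRingReader)
  if err != nil {
    // Return a literal nil so callers comparing the interface against nil
    // are not fooled by a non-nil interface holding a nil pointer.
    return nil, err
  }
  return provider, nil
}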
Start writing to a bucket
// TestStructure is the sample document written to and read back from the
// bucket in TestEncryptionBucket; both fields are compared after the
// encrypted round-trip.
type TestStructure struct {
  Message         string          // compared directly after GetWithEncryption
  NestedStructure NestedStructure // compared via its Number field
}

// NestedStructure is the nested part of TestStructure; its single Number
// field is what TestEncryptionBucket checks after the round-trip.
type NestedStructure struct {
  Number int
}

// TestEncryptionBucket round-trips a TestStructure through
// SetWithEncryption and GetWithEncryption on an in-memory walrus bucket and
// checks that the decrypted document carries the values that were stored.
func TestEncryptionBucket(t *testing.T) {
  provider, err := NewSecurityProvider()
  if err != nil {
    t.Fatal(err)
  }

  // The walrus bucket is used through the securecouchbase.Bucket interface,
  // exactly as a real couchbase bucket would be.
  var store securecouchbase.Bucket = walrus.NewBucket("bucketname")

  want := TestStructure{Message: "bar", NestedStructure: NestedStructure{Number: 46}}
  if err = securecouchbase.SetWithEncryption("foo", 0, want, store, provider); err != nil {
    t.Fatal(err)
  }

  var got TestStructure
  if err = securecouchbase.GetWithEncryption("foo", &got, store, provider); err != nil {
    t.Fatal(err)
  }

  if got.Message != want.Message {
    t.Fatal("Expected Message to be same")
  }
  if got.NestedStructure.Number != want.NestedStructure.Number {
    t.Fatal("Expected nested structure number to be equal")
  }
}

Documentation

Index

Constants

const NotFound string = "Not found"

NotFound is the error string returned from couchbase when a key cannot be found.

Variables

This section is empty.

Functions

func AddWithEncryption

func AddWithEncryption(id string, exp int, object interface{}, connection Bucket, provider SecurityProvider) (bool, error)

AddWithEncryption encrypts data before sending it to couchbase

func AddWithSignature

func AddWithSignature(id string, exp int, object interface{}, connection Bucket, provider SecurityProvider) (bool, error)

AddWithSignature signs json structure before putting it in couchbase

func ArmorDecode

func ArmorDecode(reader io.Reader) (io.Reader, error)

ArmorDecode decodes a previously armor-encoded stream.

func ArmorEncoder

func ArmorEncoder(writer io.Writer) (io.WriteCloser, error)

ArmorEncoder encodes to a text friendly format

func Decrypt

func Decrypt(reader io.Reader, secertKeyring openpgp.EntityList) (io.ReadCloser, error)

Decrypt decrypts data that has been encrypted and compressed

func Encrypt

func Encrypt(reader io.Reader, writer io.Writer, publicKeyRing openpgp.EntityList) error

Encrypt compresses data and then encrypts it; the data is encrypted to every public key found in the supplied keyring, so any one of those keys can decrypt it.

func GetWithEncryption

func GetWithEncryption(id string, object interface{}, connection Bucket, provider SecurityProvider) error

GetWithEncryption decrypts encrypted data given a key in couchbase

func GetWithSignature

func GetWithSignature(id string, object interface{}, connection Bucket, provider SecurityProvider) error

GetWithSignature verifies a json object with a detached signature

func IsNotFoundError

func IsNotFoundError(err error) bool

IsNotFoundError checks if we get a key not found error from couchbase

func SetWithEncryption

func SetWithEncryption(id string, exp uint32, object interface{}, connection Bucket, provider SecurityProvider) error

SetWithEncryption encrypts data before sending it to couchbase

func SetWithSignature

func SetWithSignature(id string, exp uint32, object interface{}, connection Bucket, provider SecurityProvider) error

SetWithSignature signs json structure before putting it in couchbase

func Sign

func Sign(reader io.Reader, writer io.Writer, privateKeyring openpgp.EntityList) error

Sign signs data and creates a clear sign armor encoded message

func SignDetached

func SignDetached(reader io.Reader, writer io.Writer, privateKeyring openpgp.EntityList) error

SignDetached signs data and writes the raw signature to the writer

func Verify

func Verify(signed io.Reader, publicKeyRing openpgp.EntityList) ([]byte, error)

Verify reads a clear-signed message, returning the body of the message after verification has succeeded.

func VerifyDetached

func VerifyDetached(signed, signature io.Reader, publicKeyRing openpgp.EntityList) error

VerifyDetached verifies a separate signature against a source

Types

type Bucket

// Bucket is the subset of bucket operations securecouchbase needs. The
// README assigns a walrus bucket to it, and the gocb.Cas results suggest
// a gocb-style couchbase bucket satisfies it as well.
type Bucket interface {
	// Get reads the document stored under k into rv.
	Get(k string, rv interface{}) (gocb.Cas, error)
	// Counter adjusts a counter document by delta (initial / expiry follow
	// the gocb signature — semantics assumed, confirm against the backend).
	Counter(key string, delta, initial int64, expiry uint32) (uint64, gocb.Cas, error)
	// Upsert stores a document: key, value, expiry.
	Upsert(string, interface{}, uint32) (gocb.Cas, error)
	// Add(k string, exp int, v interface{}) (bool, error)
	// NOTE(review): Add is commented out here even though AddWithEncryption /
	// AddWithSignature accept a Bucket (and take exp as int where the Set
	// variants take uint32) — confirm how those functions add a document.
	SetAdd(key string, value interface{}, createSet bool) (gocb.Cas, error)
	// Remove deletes key; the cas argument presumably guards against
	// concurrent modification — confirm with the backend.
	Remove(key string, cas gocb.Cas) (gocb.Cas, error)
}

Bucket is an interface for a go-couchbase bucket

type EncryptedData

// EncryptedData is the container for encrypted and signed data.
// EncryptedAndSigned presumably holds the ciphertext produced by the
// SecurityProvider and is what the *WithEncryption functions store as the
// document body — confirm in those functions.
type EncryptedData struct {
	EncryptedAndSigned []byte
}

EncryptedData is a container for encrypted and signed data

type OpenPGPSecurityProvider

// OpenPGPSecurityProvider is the OpenPGP-backed implementation of
// SecurityProvider. Its fields are unexported (presumably the parsed key
// rings), so construct it with NewOpenPGPSecurityProvider rather than a
// struct literal.
type OpenPGPSecurityProvider struct {
	// contains filtered or unexported fields
}

OpenPGPSecurityProvider is an OpenPGP implementation of the security provider interface

func NewOpenPGPSecurityProvider

func NewOpenPGPSecurityProvider(privateKeyRingReader, publicKeyRingReader io.Reader) (*OpenPGPSecurityProvider, error)

NewOpenPGPSecurityProvider creates a new OpenPGPSecurityProvider given a private and public key ring

func (*OpenPGPSecurityProvider) Decrypt

func (p *OpenPGPSecurityProvider) Decrypt(reader io.Reader) (io.ReadCloser, error)

Decrypt decrypts the contents of a reader

func (*OpenPGPSecurityProvider) Encrypt

func (p *OpenPGPSecurityProvider) Encrypt(reader io.Reader, writer io.Writer) error

Encrypt encrypts the contents of a reader

func (*OpenPGPSecurityProvider) Sign

func (p *OpenPGPSecurityProvider) Sign(reader io.Reader, writer io.Writer) error

Sign signs the contents of a reader and writes the signature to the writer

func (*OpenPGPSecurityProvider) SignDetached

func (p *OpenPGPSecurityProvider) SignDetached(reader io.Reader, writer io.Writer) error

SignDetached signs the contents of a reader and writes the detached signature to the writer

func (*OpenPGPSecurityProvider) Verify

func (p *OpenPGPSecurityProvider) Verify(signed io.Reader) ([]byte, error)

Verify validates a reader whose signature is carried within the reader's own contents

func (*OpenPGPSecurityProvider) VerifyDetached

func (p *OpenPGPSecurityProvider) VerifyDetached(signed, signature io.Reader) error

VerifyDetached validates the contents of signed with a separate signature

type ProtectedDataRead

// ProtectedDataRead is the read-side container for signed data. Data is kept
// as json.RawMessage so the stored bytes are available undecoded — presumably
// so the detached Signature can be verified over the exact bytes before the
// object is unmarshalled; confirm in GetWithSignature.
type ProtectedDataRead struct {
	Data      json.RawMessage
	Signature []byte
}

ProtectedDataRead is a json.RawMessage wrapper for protected data

type ProtectedDataSet

// ProtectedDataSet is the write-side container for signed data: Data is the
// caller's object and Signature the detached signature stored alongside it.
// The read-side counterpart is ProtectedDataRead.
type ProtectedDataSet struct {
	Data      interface{}
	Signature []byte
}

ProtectedDataSet is a container for signed data

type SecurityProvider

// SecurityProvider abstracts the encryption and signature operations the
// bucket wrappers rely on; OpenPGPSecurityProvider is the shipped
// implementation.
type SecurityProvider interface {
	// Decrypt returns a reader over the plaintext of the encrypted input.
	Decrypt(reader io.Reader) (io.ReadCloser, error)
	// Encrypt writes the encrypted form of reader to writer.
	Encrypt(reader io.Reader, writer io.Writer) error
	// Sign writes a signed (inline) form of reader to writer.
	Sign(reader io.Reader, writer io.Writer) error
	// SignDetached writes only the detached signature of reader to writer.
	SignDetached(reader io.Reader, writer io.Writer) error
	// Verify checks an inline-signed message and returns its body.
	Verify(signed io.Reader) ([]byte, error)
	// VerifyDetached checks signed against a separately supplied signature.
	VerifyDetached(signed, signature io.Reader) error
}

SecurityProvider is an interface around encryption and verification implementations
