filesec

package
v0.28.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 3, 2024 License: Apache-2.0 Imports: 25 Imported by: 1

Documentation

Overview

Package filesec provides a manually configurable security Provider it allows you set every parameter like key paths etc manually without making any assumptions about your system

It does not support any enrollment

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MatchAnyRegex 

func MatchAnyRegex(str string, regex []string) bool

MatchAnyRegex checks str against a list of possible regex, if any match true is returned

Types

type BuildInfoProvider added in v0.23.0 

type BuildInfoProvider interface {
	ClientIdentitySuffix() string
}

BuildInfoProvider provides info about the build

type Config 

type Config struct {
	// Identity when not empty will force the identity to be used for validations etc
	Identity string

	// Certificate is the path to the public certificate
	Certificate string

	// Key is the path to the private key
	Key string

	// CA is the path to the Certificate Authority
	CA string

	// PrivilegedUsers is a list of regular expressions that identity privileged users
	PrivilegedUsers []string

	// AllowList is a list of regular expressions that identity valid users to allow in
	AllowList []string

	// DisableTLSVerify disables TLS verify in HTTP clients etc
	DisableTLSVerify bool

	// Is a URL where a remote signer is running
	RemoteSignerURL string

	// RemoteSignerTokenFile is a file with a token for access to the remote signer
	RemoteSignerTokenFile string

	// RemoteSignerSeedFile is a file with a seed related to RemoteSignerTokenFile
	RemoteSignerSeedFile string

	// TLSSetup is the shared TLS configuration state between security providers
	TLSConfig *tlssetup.Config

	// BackwardCompatVerification enables custom verification that allows legacy certificates without SANs
	BackwardCompatVerification bool

	// IdentitySuffix is the suffix to append to usernames when creating certnames and identities
	IdentitySuffix string

	// RemoteSigner is the signer used to sign requests using a remote like AAA Service
	RemoteSigner inter.RequestSigner
}

Config is the configuration for FileSecurity

type FileSecurity 

type FileSecurity struct {
	// contains filtered or unexported fields
}

FileSecurity implements SecurityProvider using files on disk

func New 

func New(opts ...Option) (*FileSecurity, error)

New creates a new instance of the File Security provider

func (*FileSecurity) BackingTechnology added in v0.26.2 

func (s *FileSecurity) BackingTechnology() inter.SecurityTechnology

func (*FileSecurity) CallerIdentity 

func (s *FileSecurity) CallerIdentity(caller string) (string, error)

CallerIdentity extracts the identity from a choria like caller name in the form of choria=identity

func (*FileSecurity) CallerName 

func (s *FileSecurity) CallerName() string

CallerName creates a choria like caller name in the form of choria=identity

func (*FileSecurity) ChecksumBytes 

func (s *FileSecurity) ChecksumBytes(data []byte) []byte

ChecksumBytes calculates a sha256 checksum for data

func (*FileSecurity) ClientTLSConfig added in v0.21.0 

func (s *FileSecurity) ClientTLSConfig() (*tls.Config, error)

func (*FileSecurity) Enroll 

func (s *FileSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(digest string, try int)) error

Enroll is not supported

func (*FileSecurity) HTTPClient 

func (s *FileSecurity) HTTPClient(secure bool) (*http.Client, error)

HTTPClient creates a standard HTTP client with optional security, it will be set to use the CA and client certs for auth. servername should match the remote hosts name for SNI

func (*FileSecurity) Identity 

func (s *FileSecurity) Identity() string

Identity determines the choria certname

func (*FileSecurity) IsRemoteSigning added in v0.24.0 

func (s *FileSecurity) IsRemoteSigning() bool

IsRemoteSigning determines if remote signer is set

func (*FileSecurity) Provider 

func (s *FileSecurity) Provider() string

Provider reports the name of the security provider

func (*FileSecurity) PublicCert added in v0.23.0 

func (s *FileSecurity) PublicCert() (*x509.Certificate, error)

PublicCert is the parsed public certificate

func (*FileSecurity) PublicCertBytes added in v0.26.2 

func (s *FileSecurity) PublicCertBytes() ([]byte, error)

PublicCertBytes retrieves pem data in textual form for the public certificate of the current identity

func (*FileSecurity) RemoteSignRequest 

func (s *FileSecurity) RemoteSignRequest(ctx context.Context, request []byte) (signed []byte, err error)

RemoteSignRequest signs a choria request using a remote signer and returns a secure request

func (*FileSecurity) RemoteSignerSeedFile added in v0.27.0 

func (s *FileSecurity) RemoteSignerSeedFile() (string, error)

func (*FileSecurity) RemoteSignerToken added in v0.24.0 

func (s *FileSecurity) RemoteSignerToken() ([]byte, error)

func (*FileSecurity) RemoteSignerURL added in v0.24.0 

func (s *FileSecurity) RemoteSignerURL() (*url.URL, error)

func (*FileSecurity) SSLContext 

func (s *FileSecurity) SSLContext() (*http.Transport, error)

SSLContext creates a SSL context loaded with our certs and ca

func (*FileSecurity) ShouldAllowCaller added in v0.26.2 

func (s *FileSecurity) ShouldAllowCaller(name string, callers ...[]byte) (privileged bool, err error)

func (*FileSecurity) ShouldSignReplies added in v0.27.0 

func (s *FileSecurity) ShouldSignReplies() bool

func (*FileSecurity) SignBytes 

func (s *FileSecurity) SignBytes(str []byte) ([]byte, error)

SignBytes signs a message using a SHA256 PKCS1v15 protocol

func (*FileSecurity) TLSConfig 

func (s *FileSecurity) TLSConfig() (*tls.Config, error)

TLSConfig creates a TLS configuration for use by NATS, HTTPS etc

func (*FileSecurity) TokenBytes added in v0.27.0 

func (s *FileSecurity) TokenBytes() ([]byte, error)

func (*FileSecurity) Validate 

func (s *FileSecurity) Validate() ([]string, bool)

Validate determines if the node represents a valid SSL configuration

func (*FileSecurity) VerifyCertificate 

func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error

VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given

func (*FileSecurity) VerifySignatureBytes added in v0.26.2 

func (s *FileSecurity) VerifySignatureBytes(dat []byte, sig []byte, public ...[]byte) (should bool, signer string)

VerifyByteSignature verify that dat matches signature sig made by the key, if pub cert is empty the active public key will be used

type Option 

type Option func(*FileSecurity) error

Option is a function that can configure the File Security Provider

func WithChoriaConfig 

func WithChoriaConfig(bi BuildInfoProvider, c *config.Config) Option

WithChoriaConfig optionally configures the File Security Provider from settings found in a typical Choria configuration

func WithConfig 

func WithConfig(c *Config) Option

WithConfig optionally configures the File Security Provider using its native configuration format

func WithLog 

func WithLog(l *logrus.Entry) Option

WithLog configures a logger for the File Security Provider

func WithSigner added in v0.24.0 

func WithSigner(signer inter.RequestSigner) Option

WithSigner configures a remote request signer

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.