filesec

package

v0.6.0 Latest Latest Go to latest Published: Jan 12, 2020 License: Apache-2.0 Imports: 26 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/choria-io/go-security

Links

Open Source Insights

Documentation ¶

Overview ¶

Package filesec provides a manually configurable security Provider it allows you set every parameter like key paths etc manually without making any assumptions about your system

It does not support any enrollment

Index ¶

func MatchAnyRegex(str []byte, regex []string) bool
type Config
type FileSecurity
- func New(opts ...Option) (*FileSecurity, error)
type Option

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func MatchAnyRegex ¶

func MatchAnyRegex(str []byte, regex []string) bool

MatchAnyRegex checks str against a list of possible regex, if any match true is returned

Types ¶

type Config ¶

type Config struct {
	// Identity when not empty will force the identity to be used for validations etc
	Identity string

	// Certificate is the path to the public certificate
	Certificate string

	// Key is the path to the private key
	Key string

	// CA is the path to the Certificate Authority
	CA string

	// Cache is where known client certificates will be stored
	Cache string

	// PrivilegedUsers is a list of regular expressions that identity privileged users
	PrivilegedUsers []string

	// AllowList is a list of regular expressions that identity valid users to allow in
	AllowList []string

	// DisableTLSVerify disables TLS verify in HTTP clients etc
	DisableTLSVerify bool

	// AlwaysOverwriteCache supports always overwriting the local filesystem cache
	AlwaysOverwriteCache bool

	// Is a URL where a remote signer is running
	RemoteSignerURL string

	// RemoteSignerTokenFile is a file with a token for access to the remote signer
	RemoteSignerTokenFile string

	// RemoteSignerTokenEnvironment is an environment variable that will hold the signer token
	RemoteSignerTokenEnvironment string
}

Config is the configuration for FileSecurity

type FileSecurity ¶

type FileSecurity struct {
	// contains filtered or unexported fields
}

FileSecurity implements SecurityProvider using files on disk

func New ¶

func New(opts ...Option) (*FileSecurity, error)

New creates a new instance of the File Security provider

func (*FileSecurity) CachePublicData ¶

func (s *FileSecurity) CachePublicData(data []byte, identity string) error

CachePublicData caches the public key for a identity

func (*FileSecurity) CachedPublicData ¶

func (s *FileSecurity) CachedPublicData(identity string) ([]byte, error)

CachedPublicData retrieves the previously cached public data for a given identity

func (*FileSecurity) CallerIdentity ¶

func (s *FileSecurity) CallerIdentity(caller string) (string, error)

CallerIdentity extracts the identity from a choria like caller name in the form of choria=identity

func (*FileSecurity) CallerName ¶

func (s *FileSecurity) CallerName() string

CallerName creates a choria like caller name in the form of choria=identity

func (*FileSecurity) ChecksumBytes ¶

func (s *FileSecurity) ChecksumBytes(data []byte) []byte

ChecksumBytes calculates a sha256 checksum for data

func (*FileSecurity) ChecksumString ¶

func (s *FileSecurity) ChecksumString(data string) []byte

ChecksumString calculates a sha256 checksum for data

func (*FileSecurity) Enroll ¶

func (s *FileSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(int)) error

Enroll is not supported

func (*FileSecurity) HTTPClient ¶

func (s *FileSecurity) HTTPClient(secure bool) (*http.Client, error)

HTTPClient creates a standard HTTP client with optional security, it will be set to use the CA and client certs for auth. servername should match the remote hosts name for SNI

func (*FileSecurity) Identity ¶

func (s *FileSecurity) Identity() string

Identity determines the choria certname

func (*FileSecurity) PrivilegedVerifyByteSignature ¶

func (s *FileSecurity) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool

PrivilegedVerifyByteSignature verifies if the signature received is from any of the privileged certs or the given identity

func (*FileSecurity) PrivilegedVerifyStringSignature ¶

func (s *FileSecurity) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool

PrivilegedVerifyStringSignature verifies if the signature received is from any of the privileged certs or the given identity

func (*FileSecurity) Provider ¶

func (s *FileSecurity) Provider() string

Provider reports the name of the security provider

func (*FileSecurity) PublicCertPem ¶

func (s *FileSecurity) PublicCertPem() (*pem.Block, error)

PublicCertPem retrieves the public certificate for this instance

func (*FileSecurity) PublicCertTXT ¶

func (s *FileSecurity) PublicCertTXT() ([]byte, error)

PublicCertTXT retrieves pem data in textual form for the public certificate of the current identity

func (*FileSecurity) RemoteSignRequest ¶ added in v0.6.0

func (s *FileSecurity) RemoteSignRequest(str []byte) (signed []byte, err error)

RemoteSignRequest signs a choria request using a remote signer and returns a secure request

func (*FileSecurity) SSLContext ¶

func (s *FileSecurity) SSLContext() (*http.Transport, error)

SSLContext creates a SSL context loaded with our certs and ca

func (*FileSecurity) SignBytes ¶

func (s *FileSecurity) SignBytes(str []byte) ([]byte, error)

SignBytes signs a message using a SHA256 PKCS1v15 protocol

func (*FileSecurity) SignString ¶

func (s *FileSecurity) SignString(str string) ([]byte, error)

SignString signs a message using a SHA256 PKCS1v15 protocol

func (*FileSecurity) TLSConfig ¶

func (s *FileSecurity) TLSConfig() (*tls.Config, error)

TLSConfig creates a TLS configuration for use by NATS, HTTPS etc

func (*FileSecurity) Validate ¶

func (s *FileSecurity) Validate() ([]string, bool)

Validate determines if the node represents a valid SSL configuration

func (*FileSecurity) VerifyByteSignature ¶

func (s *FileSecurity) VerifyByteSignature(dat []byte, sig []byte, identity string) bool

VerifyByteSignature verify that dat matches signature sig made by the key of identity if identity is "" the active public key will be used

func (*FileSecurity) VerifyCertificate ¶

func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error

VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given

func (*FileSecurity) VerifyStringSignature ¶

func (s *FileSecurity) VerifyStringSignature(str string, sig []byte, identity string) bool

VerifyStringSignature verify that str matches signature sig made by the key of identity

type Option ¶

type Option func(*FileSecurity) error

Option is a function that can configure the File Security Provider

func WithChoriaConfig ¶

func WithChoriaConfig(c *config.Config) Option

WithChoriaConfig optionally configures the File Security Provider from settings found in a typical Choria configuration

func WithConfig ¶

func WithConfig(c *Config) Option

WithConfig optionally configures the File Security Provider using its native configuration format

func WithLog ¶

func WithLog(l *logrus.Entry) Option

WithLog configures a logger for the File Security Provider

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL