security

package
v0.2.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 13, 2022 License: Apache-2.0 Imports: 24 Imported by: 9

README

Security

Certificates

Gaia, when first started will create a signed certificate in a location defined by the user under gaia.Cfg.CAPath which can be set by the runtime flag -capath=/etc/gaia/cert for example. It is recommended that the certificate is kept separate from the main Gaia work folder and in a secure location.

This certificate is used in two places. First, in the communication between the admin portal and the back-end. Second, by the Vault.

The Vault

The Vault is a secure storage for secret values like, password, tokens and other things that the user would like to pass securly into a Pipeline. The Vault is encrypted using AES cipher technology where the key is derived from the above certificate and the IV is included in the encrypted content.

The Vault file's location can be configured through the runtime variable called VaultPath. For maximum security it is recommended that this file is kept on an encrypted, mounted drive. In case there is a breach the drive can be quickly removed and the file deleted, thus rotating all of the secrets at once, under Gaia.

To create an encrypted MacOSX image follow this guide: Encrypted Secure Disk Image on Mac.

To create an encrypted disk on Linux follow this guide: Encrypted Disk Image on Linux.

The admin will never see the secure values, not when editing, not when adding and not when looking at the list of secrets. Only the Key names are displayed at all times.

It's possible to Add, Delete, Update and List secrets in the system.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateRandomUUIDV5 added in v0.2.3 

func GenerateRandomUUIDV5() string

GenerateRandomUUIDV5 will return a 32bit random seeded UUID based on a randomly generated UUID v4.

Types

type CA 

type CA struct {
	// contains filtered or unexported fields
}

CA represents one generated CA.

func InitCA 

func InitCA() (*CA, error)

InitCA setups a new instance of CA and generates a new CA if not already exists.

func (*CA) CleanupCerts 

func (c *CA) CleanupCerts(crt, key string) error

CleanupCerts removes certificates at the given path.

func (*CA) CreateSignedCert 

func (c *CA) CreateSignedCert() (string, string, error)

CreateSignedCert creates a new key pair which is signed by the CA.

func (*CA) CreateSignedCertWithValidOpts added in v0.2.4 

func (c *CA) CreateSignedCertWithValidOpts(hostname string, hoursBeforeValid, hoursAfterValid time.Duration) (string, string, error)

CreateSignedCertWithValidOpts creates a signed certificate by the CA. It accepts hoursBeforeValid and hoursAfterValid.

func (*CA) GenerateTLSConfig 

func (c *CA) GenerateTLSConfig(certPath, keyPath string) (*tls.Config, error)

GenerateTLSConfig generates a new TLS config based on given certificate path and key path.

func (*CA) GetCACertPath 

func (c *CA) GetCACertPath() (string, string)

GetCACertPath returns the path to the cert and key from the root CA.

type CAAPI 

type CAAPI interface {
	// CreateSignedCert creates a new signed certificate.
	// First return param is the public cert.
	// Second return param is the private key.
	CreateSignedCert() (string, string, error)

	// CreateSignedCertWithValidOpts create a new signed certificate
	// with the given options.
	// First return param is the public cert.
	// Second return param is the private key.
	CreateSignedCertWithValidOpts(hostname string, hoursBeforeValid, hoursAfterValid time.Duration) (string, string, error)

	// GenerateTLSConfig generates a TLS config.
	// It requires the path to the cert and the key.
	GenerateTLSConfig(certPath, keyPath string) (*tls.Config, error)

	// CleanupCerts cleans up the certs at the given path.
	CleanupCerts(crt, key string) error

	// GetCACertPath returns the public cert and private key
	// of the CA.
	GetCACertPath() (string, string)
}

CAAPI represents the interface used to handle certificates.

type FileVaultStorer 

type FileVaultStorer struct {
	// contains filtered or unexported fields
}

FileVaultStorer implements VaultStorer as a simple file based storage device.

func (*FileVaultStorer) Init 

func (fvs *FileVaultStorer) Init() error

Init initializes the FileVaultStorer.

func (*FileVaultStorer) Read 

func (fvs *FileVaultStorer) Read() ([]byte, error)

Read defines a read for the FileVaultStorer.

func (*FileVaultStorer) Write 

func (fvs *FileVaultStorer) Write(data []byte) error

Write defines a read for the FileVaultStorer.

type GaiaVault added in v0.2.4 

type GaiaVault interface {
	LoadSecrets() error
	GetAll() []string
	SaveSecrets() error
	Add(key string, value []byte)
	Remove(key string)
	Get(key string) ([]byte, error)
}

GaiaVault defines a set of apis that a Vault must provide in order to be a Gaia Vault.

type Vault 

type Vault struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Vault is a secret storage for data that gaia needs to store encrypted.

func NewVault 

func NewVault(ca CAAPI, storer VaultStorer) (*Vault, error)

NewVault creates a vault which is a simple k/v storage medium with AES encryption. The format is: KEY=VALUE KEY2=VALUE2 NewVault also can take a storer which is an implementation of VaultStorer. This defines a storage medium for the vault. If it's left to nil the vault will use a default FileVaultStorer.

func (*Vault) Add 

func (v *Vault) Add(key string, value []byte)

Add adds a value to the vault. This operation is safe to use concurrently. Add will overwrite if the key already exists and not warn.

func (*Vault) Get 

func (v *Vault) Get(key string) ([]byte, error)

Get returns a value for a key. This operation is safe to use concurrently. Get will return an error if the data doesn't exist.

func (*Vault) GetAll 

func (v *Vault) GetAll() []string

GetAll returns all keys and values in a copy of the internal data.

func (*Vault) LoadSecrets 

func (v *Vault) LoadSecrets() error

LoadSecrets decrypts the contents of the vault and fills up a map of data to work with.

func (*Vault) Remove 

func (v *Vault) Remove(key string)

Remove removes a key from the vault. This operation is safe to use concurrently. Remove is a no-op if the data doesn't exist.

func (*Vault) SaveSecrets 

func (v *Vault) SaveSecrets() error

SaveSecrets encrypts data passed to the vault in a k/v format and saves it to the vault file.

type VaultStorer 

type VaultStorer interface {
	// Init initializes the medium by creating the file, or bootstrapping the
	// db or simply setting up an in-memory mock storage device. The Init
	// function of a storage medium should be idempotent. Meaning it should
	// be callable multiple times without changing the underlying medium.
	Init() error
	// Read will read bytes from the storage medium and return it to the caller.
	Read() (data []byte, err error)
	// Write will store the passed in encrypted data. How, is up to the implementor.
	Write(data []byte) error
}

VaultStorer defines a storage medium for the Vault.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.