security

package

v0.2.9 Latest Latest Go to latest Published: Jan 13, 2022 License: Apache-2.0 Imports: 24 Imported by: 9

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gaia-pipeline/gaia

Links

Open Source Insights

README ¶

Security

Certificates

Gaia, when first started will create a signed certificate in a location defined by the user under gaia.Cfg.CAPath which can be set by the runtime flag -capath=/etc/gaia/cert for example. It is recommended that the certificate is kept separate from the main Gaia work folder and in a secure location.

This certificate is used in two places. First, in the communication between the admin portal and the back-end. Second, by the Vault.

The Vault

The Vault is a secure storage for secret values like, password, tokens and other things that the user would like to pass securly into a Pipeline. The Vault is encrypted using AES cipher technology where the key is derived from the above certificate and the IV is included in the encrypted content.

The Vault file's location can be configured through the runtime variable called VaultPath. For maximum security it is recommended that this file is kept on an encrypted, mounted drive. In case there is a breach the drive can be quickly removed and the file deleted, thus rotating all of the secrets at once, under Gaia.

To create an encrypted MacOSX image follow this guide: Encrypted Secure Disk Image on Mac.

To create an encrypted disk on Linux follow this guide: Encrypted Disk Image on Linux.

The admin will never see the secure values, not when editing, not when adding and not when looking at the list of secrets. Only the Key names are displayed at all times.

It's possible to Add, Delete, Update and List secrets in the system.

Documentation ¶

Index ¶

func GenerateRandomUUIDV5() string
type CA
- func InitCA() (*CA, error)
type CAAPI
type FileVaultStorer
type GaiaVault
type Vault
- func NewVault(ca CAAPI, storer VaultStorer) (*Vault, error)
type VaultStorer

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func GenerateRandomUUIDV5 ¶ added in v0.2.3

func GenerateRandomUUIDV5() string

GenerateRandomUUIDV5 will return a 32bit random seeded UUID based on a randomly generated UUID v4.

Types ¶

type CA ¶

type CA struct {
	// contains filtered or unexported fields
}

CA represents one generated CA.

func InitCA ¶

func InitCA() (*CA, error)

InitCA setups a new instance of CA and generates a new CA if not already exists.

func (*CA) CleanupCerts ¶

func (c *CA) CleanupCerts(crt, key string) error

CleanupCerts removes certificates at the given path.

func (*CA) CreateSignedCert ¶

func (c *CA) CreateSignedCert() (string, string, error)

CreateSignedCert creates a new key pair which is signed by the CA.

func (*CA) CreateSignedCertWithValidOpts ¶ added in v0.2.4

func (c *CA) CreateSignedCertWithValidOpts(hostname string, hoursBeforeValid, hoursAfterValid time.Duration) (string, string, error)

CreateSignedCertWithValidOpts creates a signed certificate by the CA. It accepts hoursBeforeValid and hoursAfterValid.

func (*CA) GenerateTLSConfig ¶

func (c *CA) GenerateTLSConfig(certPath, keyPath string) (*tls.Config, error)

GenerateTLSConfig generates a new TLS config based on given certificate path and key path.

func (*CA) GetCACertPath ¶

func (c *CA) GetCACertPath() (string, string)

GetCACertPath returns the path to the cert and key from the root CA.

type CAAPI ¶

type CAAPI interface {
	// CreateSignedCert creates a new signed certificate.
	// First return param is the public cert.
	// Second return param is the private key.
	CreateSignedCert() (string, string, error)

	// CreateSignedCertWithValidOpts create a new signed certificate
	// with the given options.
	// First return param is the public cert.
	// Second return param is the private key.
	CreateSignedCertWithValidOpts(hostname string, hoursBeforeValid, hoursAfterValid time.Duration) (string, string, error)

	// GenerateTLSConfig generates a TLS config.
	// It requires the path to the cert and the key.
	GenerateTLSConfig(certPath, keyPath string) (*tls.Config, error)

	// CleanupCerts cleans up the certs at the given path.
	CleanupCerts(crt, key string) error

	// GetCACertPath returns the public cert and private key
	// of the CA.
	GetCACertPath() (string, string)
}

CAAPI represents the interface used to handle certificates.

type FileVaultStorer ¶

type FileVaultStorer struct {
	// contains filtered or unexported fields
}

FileVaultStorer implements VaultStorer as a simple file based storage device.

func (*FileVaultStorer) Init ¶

func (fvs *FileVaultStorer) Init() error

Init initializes the FileVaultStorer.

func (*FileVaultStorer) Read ¶

func (fvs *FileVaultStorer) Read() ([]byte, error)

Read defines a read for the FileVaultStorer.

func (*FileVaultStorer) Write ¶

func (fvs *FileVaultStorer) Write(data []byte) error

Write defines a read for the FileVaultStorer.

type GaiaVault ¶ added in v0.2.4

type GaiaVault interface {
	LoadSecrets() error
	GetAll() []string
	SaveSecrets() error
	Add(key string, value []byte)
	Remove(key string)
	Get(key string) ([]byte, error)
}

GaiaVault defines a set of apis that a Vault must provide in order to be a Gaia Vault.

type Vault ¶

type Vault struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Vault is a secret storage for data that gaia needs to store encrypted.

func NewVault ¶

func NewVault(ca CAAPI, storer VaultStorer) (*Vault, error)

NewVault creates a vault which is a simple k/v storage medium with AES encryption. The format is: KEY=VALUE KEY2=VALUE2 NewVault also can take a storer which is an implementation of VaultStorer. This defines a storage medium for the vault. If it's left to nil the vault will use a default FileVaultStorer.

func (*Vault) Add ¶

func (v *Vault) Add(key string, value []byte)

Add adds a value to the vault. This operation is safe to use concurrently. Add will overwrite if the key already exists and not warn.

func (*Vault) Get ¶

func (v *Vault) Get(key string) ([]byte, error)

Get returns a value for a key. This operation is safe to use concurrently. Get will return an error if the data doesn't exist.

func (*Vault) GetAll ¶

func (v *Vault) GetAll() []string

GetAll returns all keys and values in a copy of the internal data.

func (*Vault) LoadSecrets ¶

func (v *Vault) LoadSecrets() error

LoadSecrets decrypts the contents of the vault and fills up a map of data to work with.

func (*Vault) Remove ¶

func (v *Vault) Remove(key string)

Remove removes a key from the vault. This operation is safe to use concurrently. Remove is a no-op if the data doesn't exist.

func (*Vault) SaveSecrets ¶

func (v *Vault) SaveSecrets() error

SaveSecrets encrypts data passed to the vault in a k/v format and saves it to the vault file.

type VaultStorer ¶

type VaultStorer interface {
	// Init initializes the medium by creating the file, or bootstrapping the
	// db or simply setting up an in-memory mock storage device. The Init
	// function of a storage medium should be idempotent. Meaning it should
	// be callable multiple times without changing the underlying medium.
	Init() error
	// Read will read bytes from the storage medium and return it to the caller.
	Read() (data []byte, err error)
	// Write will store the passed in encrypted data. How, is up to the implementor.
	Write(data []byte) error
}

VaultStorer defines a storage medium for the Vault.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
rbac

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL