Documentation

Overview

    Package revision defines the internal structure of the revision token and utilities for marshal/unmarshal which also encrypts/decrypts the payload.

    Index

    Constants

    This section is empty.

    Variables

    This section is empty.

    Functions

    This section is empty.

    Types

    type Base64Bytes

    type Base64Bytes []byte

      Base64Bytes is a type that parses a base64-encoded string into a []byte.

      func (*Base64Bytes) EnvDecode

      func (b *Base64Bytes) EnvDecode(val string) error

        EnvDecode implements envconfig.Decoder to decode a base64 value into a []byte. If an error occurs, it is returned.

    type Config

    type Config struct {
    	// Crypto key to use for wrapping/unwrapping the revision token cipher blocks.
    	KeyID     string      `env:"REVISION_TOKEN_KEY_ID"`
    	AAD       Base64Bytes `env:"REVISION_TOKEN_AAD"` // must be base64 encoded, may come from secret://
    	MinLength uint        `env:"REVISION_TOKEN_MIN_LENGTH, default=28"`
    }

      Config represents the configuration and associated environment variables for handling revision tokens.

    type TokenManager

    type TokenManager struct {
    	// contains filtered or unexported fields
    }

      TokenManager is responsible for creating and unlocking revision tokens.

      func New

      func New(ctx context.Context, db *database.RevisionDB, cacheDuration time.Duration, minTokenSize uint) (*TokenManager, error)

        New creates a new TokenManager that uses a database handle to manage a cache of allowed revision keys. cacheDuration controls how long that cache is kept before it is refreshed from the database; minTokenSize is the minimum length a token must have to be accepted (see Config.MinLength).

      func (*TokenManager) MakeRevisionToken

      func (tm *TokenManager) MakeRevisionToken(ctx context.Context, previous *pb.RevisionTokenData, eKeys []*model.Exposure, aad []byte) ([]byte, error)

        MakeRevisionToken turns the TEK data from a given publish request into an encrypted protocol buffer revision token. It uses envelope encryption under the currently active revision key. aad is additional authenticated data: it is bound into the ciphertext but not stored in the token, so the same value must be presented to UnmarshalRevisionToken or the token will not unlock.

      func (*TokenManager) UnmarshalRevisionToken

      func (tm *TokenManager) UnmarshalRevisionToken(ctx context.Context, tokenBytes []byte, aad []byte) (*pb.RevisionTokenData, error)

        UnmarshalRevisionToken unmarshals a revision token, decrypts the payload, and returns the TEK data that was contained in the token if it is valid.

        The key ID carried in the token is checked against the cache of allowed revision keys to determine whether the token can still be unlocked; a token wrapped under a key that is no longer allowed is rejected.
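MakeRevisionToken and UnmarshalRevisionToken above describe the pattern (envelope encryption under the active revision key, AAD bound into the ciphertext, key ID checked against an allowed set, a minimum token length) without showing it end to end. The Go program below is an added illustration of that pattern written for this page; it is not the project's code and does not reproduce its wire format. It envelope-encrypts a payload under a fresh AES-256-GCM data key, wraps that key under the active revision key, prefixes the key ID, and on unlock enforces the minimum length, refuses key IDs that have been rotated out of the allowed set, and fails on any AAD or ciphertext mismatch. The 8-byte key ID prefix, the wire layout, the map standing in for the database-backed key cache, the []byte payload standing in for the marshaled pb.RevisionTokenData, and the all-zero demo key are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const (
	keyIDLen   = 8            // assumption: the key ID travels as an 8-byte prefix
	wrappedLen = 12 + 32 + 16 // GCM nonce || wrapped 32-byte DEK || GCM tag
)

// TokenManager stands in for the page's type; its allowed-key cache is a plain map here.
type TokenManager struct {
	ActiveKeyID string
	Allowed     map[string][]byte // key ID -> 32-byte key-encryption key (KEK)
	MinLength   uint              // Config.MinLength / New's minTokenSize
}

// newGCM builds AES-GCM; aes.NewCipher fails only on a bad key length, a programming error here.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts under key with a fresh random nonce and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or AAD fails authentication.
// Callers guarantee len(sealed) >= nonce + tag before calling.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := newGCM(key)
	n := aead.NonceSize()
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// MakeRevisionToken envelope-encrypts payload (the marshaled TEK data) under a fresh DEK,
// wraps the DEK with the active revision key and emits keyID || wrappedDEK || sealedPayload.
func (tm *TokenManager) MakeRevisionToken(payload, aad []byte) ([]byte, error) {
	kek, ok := tm.Allowed[tm.ActiveKeyID]
	if !ok || len(tm.ActiveKeyID) != keyIDLen {
		return nil, errors.New("active revision key is not available")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	// The key ID is the wrap's AAD, so a wrapped DEK cannot be replayed under another key ID.
	wrapped, err := seal(kek, dek, []byte(tm.ActiveKeyID))
	if err != nil {
		return nil, err
	}
	body, err := seal(dek, payload, aad)
	if err != nil {
		return nil, err
	}
	return append(append([]byte(tm.ActiveKeyID), wrapped...), body...), nil
}

// UnmarshalRevisionToken rejects tokens below the minimum length, tokens whose key ID has been
// rotated out of the allowed set, and tokens whose AAD or ciphertext fails authentication.
func (tm *TokenManager) UnmarshalRevisionToken(token, aad []byte) ([]byte, error) {
	if uint(len(token)) < tm.MinLength || len(token) < keyIDLen+wrappedLen+28 { // 28 = nonce || tag of an empty payload
		return nil, errors.New("revision token too short")
	}
	keyID := string(token[:keyIDLen])
	kek, ok := tm.Allowed[keyID]
	if !ok {
		return nil, fmt.Errorf("revision key %q is no longer accepted", keyID)
	}
	dek, err := open(kek, token[keyIDLen:keyIDLen+wrappedLen], []byte(keyID))
	if err != nil {
		return nil, errors.New("revision token: cannot unwrap data key")
	}
	payload, err := open(dek, token[keyIDLen+wrappedLen:], aad)
	if err != nil {
		return nil, errors.New("revision token: payload failed authentication")
	}
	return payload, nil
}

func main() {
	tm := &TokenManager{ActiveKeyID: "rk-00001", Allowed: map[string][]byte{"rk-00001": make([]byte, 32)}, MinLength: 28} // constructed all-zero demo KEK
	tok, _ := tm.MakeRevisionToken([]byte("marshaled TEK data"), []byte("publish-aad"))
	_, err := tm.UnmarshalRevisionToken(tok, []byte("other-aad"))
	fmt.Println("token with mismatched AAD rejected:", err != nil)
}
```

Two properties of the pattern are worth noting in this form. Because the allowed set is consulted on every unlock, deleting a key ID from it retires every token wrapped under that key without touching the tokens themselves, which is what makes rotation cheap. Because the AAD is fed to GCM rather than carried in the token, a token can only be unlocked by a caller that already holds the same AAD value (here the decoded REVISION_TOKEN_AAD), so a leaked token is useless to a party without it.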

    Directories

    Path        Synopsis
    database    Package database contains the management of interactions with the database for creation and storage of the wrapped keys that encrypt revision certificates.