Documentation ¶
Index ¶
- Constants
- func EnforcePolicies(roles *Roles, f http.HandlerFunc) http.HandlerFunc
- func HandleAssignIdentity(roles *Roles) http.HandlerFunc
- func HandleCreateKey(store Store) http.HandlerFunc
- func HandleDecryptKey(store Store) http.HandlerFunc
- func HandleDeleteKey(store Store) http.HandlerFunc
- func HandleDeletePolicy(roles *Roles) http.HandlerFunc
- func HandleForgetIdentity(roles *Roles) http.HandlerFunc
- func HandleGenerateKey(store Store) http.HandlerFunc
- func HandleListIdentities(roles *Roles) http.HandlerFunc
- func HandleListPolicies(roles *Roles) http.HandlerFunc
- func HandleReadPolicy(roles *Roles) http.HandlerFunc
- func HandleWritePolicy(roles *Roles) http.HandlerFunc
- func LimitRequestBody(n int64, f http.HandlerFunc) http.HandlerFunc
- func NewError(status int, text string) error
- func RequireMethod(method string, f http.HandlerFunc) http.HandlerFunc
- type Client
- func (c *Client) AssignIdentity(policy string, id Identity) error
- func (c *Client) CreateKey(name string, key []byte) error
- func (c *Client) DecryptDataKey(name string, ciphertext, context []byte) ([]byte, error)
- func (c *Client) DeleteKey(name string) error
- func (c *Client) DeletePolicy(name string) error
- func (c *Client) ForgetIdentity(id Identity) error
- func (c *Client) GenerateDataKey(name string, context []byte) ([]byte, []byte, error)
- func (c *Client) ListIdentities(pattern string) (map[Identity]string, error)
- func (c *Client) ListPolicies(pattern string) ([]string, error)
- func (c *Client) ReadPolicy(name string) (*Policy, error)
- func (c *Client) Transport(transport http.RoundTripper)
- func (c *Client) WritePolicy(name string, policy *Policy) error
- type Identity
- type IdentityFunc
- type Policy
- type Roles
- func (r *Roles) Assign(name string, id Identity) error
- func (r *Roles) Delete(name string)
- func (r *Roles) Forget(id Identity)
- func (r *Roles) Get(name string) (*Policy, bool)
- func (r *Roles) Identities() map[Identity]string
- func (r *Roles) IsAssigned(id Identity) bool
- func (r *Roles) Policies() (names []string)
- func (r *Roles) Set(name string, policy *Policy)
- type Secret
- type Store
Constants ¶
const (
	ErrKeyNotFound errorType = "key does not exist"
	ErrKeyExists   errorType = "key does already exist"
	ErrStoreSealed errorType = "key store is sealed"
)
Variables ¶
This section is empty.
Functions ¶
func EnforcePolicies ¶
func EnforcePolicies(roles *Roles, f http.HandlerFunc) http.HandlerFunc
func HandleAssignIdentity ¶
func HandleAssignIdentity(roles *Roles) http.HandlerFunc
func HandleCreateKey ¶
func HandleCreateKey(store Store) http.HandlerFunc
func HandleDecryptKey ¶
func HandleDecryptKey(store Store) http.HandlerFunc
func HandleDeleteKey ¶
func HandleDeleteKey(store Store) http.HandlerFunc
func HandleDeletePolicy ¶
func HandleDeletePolicy(roles *Roles) http.HandlerFunc
func HandleForgetIdentity ¶
func HandleForgetIdentity(roles *Roles) http.HandlerFunc
func HandleGenerateKey ¶
func HandleGenerateKey(store Store) http.HandlerFunc
func HandleListIdentities ¶
func HandleListIdentities(roles *Roles) http.HandlerFunc
func HandleListPolicies ¶
func HandleListPolicies(roles *Roles) http.HandlerFunc
func HandleReadPolicy ¶
func HandleReadPolicy(roles *Roles) http.HandlerFunc
func HandleWritePolicy ¶
func HandleWritePolicy(roles *Roles) http.HandlerFunc
func LimitRequestBody ¶
func LimitRequestBody(n int64, f http.HandlerFunc) http.HandlerFunc
func NewError ¶
NewError returns an error that formats as the given text.
It is guaranteed that the returned error has an additional
Status() int
method that returns the given status code. Code that handles HTTP requests can check whether an error value provides this method with a type assertion:
if err, ok := err.(interface{ Status() int }); ok { }
and set the status code of the response accordingly.
NewError should not be used to create internal errors, e.g. when running out of entropy while reading from a PRNG.
Each call to NewError returns a distinct error value, even if the status and text are identical.
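The following is an added example, not code from this package: a hypothetical `statusError` type stands in for the package's unexported error type so that the documented contract can be exercised. `StatusOf` applies the type assertion shown above and, for errors without a `Status()` method (internal failures such as an exhausted PRNG), maps to 500 without echoing the error text to the client.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// statusError is a hypothetical stand-in for the package's unexported error
// type: it formats as its text and exposes the status code via Status().
type statusError struct {
	status int
	text   string
}

func (e *statusError) Error() string { return e.text }
func (e *statusError) Status() int   { return e.status }

// NewError returns a distinct error value on every call, even for identical
// status and text, because each call allocates a new *statusError.
func NewError(status int, text string) error {
	return &statusError{status: status, text: text}
}

// StatusOf applies the type assertion from the docs. An error that carries
// a Status() int method is a client-facing error and its text may be sent
// back; anything else is an internal failure and is mapped to 500 with the
// generic status text so internal details do not leak to the caller.
func StatusOf(err error) (int, string) {
	if err == nil {
		return http.StatusOK, ""
	}
	if e, ok := err.(interface{ Status() int }); ok {
		return e.Status(), err.Error()
	}
	return http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError)
}

// writeError is the handler-side helper: set the response status from the
// error and write the text chosen by StatusOf.
func writeError(w http.ResponseWriter, err error) {
	status, text := StatusOf(err)
	http.Error(w, text, status)
}

func main() {
	fmt.Println(StatusOf(NewError(http.StatusNotFound, "key does not exist")))
	fmt.Println(StatusOf(errors.New("prng: out of entropy"))) // internal: 500, generic text
	_ = writeError
}
```

Because `NewError` allocates on each call, two errors with the same status and text compare unequal; handlers should therefore branch on the status code or text rather than compare error values with `==`.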
func RequireMethod ¶
func RequireMethod(method string, f http.HandlerFunc) http.HandlerFunc
Types ¶
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
func (*Client) DecryptDataKey ¶
func (*Client) DeletePolicy ¶
func (*Client) ForgetIdentity ¶
func (*Client) GenerateDataKey ¶
func (*Client) ListIdentities ¶
func (*Client) Transport ¶
func (c *Client) Transport(transport http.RoundTripper)
type Identity ¶
type Identity string
An Identity should uniquely identify a client and is computed from the X.509 certificate presented by the client during the TLS handshake using an IdentityFunc.
const IdentityUnknown Identity = ""
IdentityUnknown is the identity returned by an IdentityFunc if it cannot map a particular X.509 certificate to an actual identity.
func Identify ¶
func Identify(req *http.Request, f IdentityFunc) Identity
Identify computes the identity of the X.509 certificate presented by the peer who sent the request.
It returns IdentityUnknown if no TLS connection state is present, more than one certificate is present or when f returns IdentityUnknown.
type IdentityFunc ¶
type IdentityFunc func(*x509.Certificate) Identity
IdentityFunc maps an X.509 certificate to an Identity. This mapping should be deterministic and unique in the sense that:
- The same certificate always gets mapped to the same identity.
- There is only one (valid / non-expired) certificate that gets mapped to a particular (known) identity.
If no certificate is provided or an identity cannot be computed - e.g. because the certificate does not contain enough information - the IdentityFunc should return IdentityUnknown.
func HashPublicKey ¶
func HashPublicKey(hash crypto.Hash) IdentityFunc
HashPublicKey returns an IdentityFunc that computes an identity as the cryptographic hash of the certificate's public key.
If the hash function is not available, it falls back to crypto.SHA256.
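The following is an added example, not the package's own implementation, showing `HashPublicKey`, `Identify` and the `IdentityFunc` contract together. It assumes that "the certificate's public key" means the DER-encoded SubjectPublicKeyInfo and that identities are hex-encoded; the self-signed certificate and the `kes.example` URL are constructed fixtures so the example runs offline. The cases that must yield `IdentityUnknown` (no TLS state, no certificate, more than one certificate, unavailable hash falling back to SHA-256) are all exercised.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // links SHA-256 in so crypto.SHA256.Available() is true
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// Identity uniquely identifies a client; IdentityUnknown means "no identity".
type Identity string

const IdentityUnknown Identity = ""

// IdentityFunc maps a peer certificate to an Identity (nil cert -> unknown).
type IdentityFunc func(*x509.Certificate) Identity

// HashPublicKey follows the documented contract: the identity is the hex
// encoded hash of the certificate's public key, and an unavailable hash
// falls back to SHA-256. Hashing the DER SubjectPublicKeyInfo is an assumption.
func HashPublicKey(hash crypto.Hash) IdentityFunc {
	if !hash.Available() {
		hash = crypto.SHA256
	}
	return func(cert *x509.Certificate) Identity {
		if cert == nil {
			return IdentityUnknown
		}
		h := hash.New()
		h.Write(cert.RawSubjectPublicKeyInfo)
		return Identity(hex.EncodeToString(h.Sum(nil)))
	}
}

// Identify applies the documented rules: no TLS connection state or more than
// one peer certificate yields IdentityUnknown; otherwise the IdentityFunc
// decides (and must return IdentityUnknown for a missing certificate).
func Identify(req *http.Request, f IdentityFunc) Identity {
	if req.TLS == nil {
		return IdentityUnknown
	}
	switch len(req.TLS.PeerCertificates) {
	case 0:
		return f(nil)
	case 1:
		return f(req.TLS.PeerCertificates[0])
	default:
		return IdentityUnknown
	}
}

// defaultIdentify is the IdentityFunc the demo and test use.
var defaultIdentify = HashPublicKey(crypto.SHA256)

// newSelfSignedCert builds a throwaway ECDSA P-256 certificate in memory
// (constructed fixture, not a real client certificate).
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// requestWithPeerCerts mimics the state net/http fills in after a mutual-TLS
// handshake; an empty list means "TLS, but the client sent no certificate".
func requestWithPeerCerts(certs ...*x509.Certificate) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "https://kes.example/v1/key/generate/my-key", nil)
	req.TLS = &tls.ConnectionState{PeerCertificates: certs}
	return req
}

// requestWithoutTLS models a plaintext request: no connection state at all.
func requestWithoutTLS() *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "http://kes.example/v1/key/generate/my-key", nil)
	return req
}

func main() {
	cert, err := newSelfSignedCert("app-client")
	if err != nil {
		panic(err)
	}
	fmt.Printf("one cert:  %q\n", Identify(requestWithPeerCerts(cert), defaultIdentify))
	fmt.Printf("no TLS:    %q\n", Identify(requestWithoutTLS(), defaultIdentify))
	fmt.Printf("no cert:   %q\n", Identify(requestWithPeerCerts(), defaultIdentify))
	fmt.Printf("two certs: %q\n", Identify(requestWithPeerCerts(cert, cert), defaultIdentify))
}
```

Note that the identity is derived from the public key alone, not from the subject name or the certificate's validity period: the TLS layer is expected to have rejected an unverifiable or expired certificate before the request reaches `Identify`, which is what the "valid / non-expired" qualification in the uniqueness rule relies on.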
type Policy ¶
type Policy struct {
// contains filtered or unexported fields
}
func (Policy) MarshalJSON ¶
func (Policy) MarshalTOML ¶
func (*Policy) UnmarshalJSON ¶
func (*Policy) UnmarshalTOML ¶
type Roles ¶
type Roles struct {
	Root     Identity
	Identify IdentityFunc
	// contains filtered or unexported fields
}
func (*Roles) Identities ¶
func (*Roles) IsAssigned ¶
type Secret ¶
type Secret [32]byte
Secret is a 256 bit secret key. It can wrap and unwrap session or data keys.
func (Secret) Unwrap ¶
Unwrap decrypts and verifies the ciphertext, verifies the associated data and, if successful, returns the resulting plaintext. It returns an error if the ciphertext is malformed or not authentic.
func (Secret) Wrap ¶
Wrap encrypts and authenticates the plaintext, authenticates the associatedData and returns the resulting ciphertext.
It should be used to encrypt a session or data key provided as plaintext.
If the executing CPU provides AES hardware support, Wrap derives keys using AES and encrypts plaintexts using AES-GCM. Otherwise, Wrap derives keys using HChaCha20 and encrypts plaintexts using ChaCha20-Poly1305.
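The following is an added example, not the package's own `Secret` code, of the wrap/unwrap behaviour described for `Secret`: a 256-bit secret, a fresh per-wrap key derived from the secret and a random IV, AES-256-GCM over the data key with the caller's associated data, and a single opaque error for every failure mode. Two things are assumptions of this example: the derivation is HMAC-SHA-256(secret, iv) rather than the AES-based derivation the page mentions, and the wire layout is `iv || nonce || ciphertext`. The HChaCha20/ChaCha20-Poly1305 path is left out because it needs `golang.org/x/crypto`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Secret is a 256 bit secret key that wraps and unwraps data keys.
type Secret [32]byte

// One error for every failure so a caller cannot distinguish a bad tag from
// a bad length or mismatched associated data.
var errNotAuthentic = errors.New("ciphertext is malformed or not authentic")

// Wire layout of a wrapped key (this example's assumption; fixed lengths keep
// parsing unambiguous): iv (16) || nonce (12) || AES-GCM ciphertext+tag.
const (
	ivSize    = 16
	nonceSize = 12
)

// NewSecret draws a fresh 256-bit secret. In a deployment the secret is the
// server's master key loaded once from configuration, not drawn per call.
func NewSecret() (Secret, error) {
	var s Secret
	_, err := io.ReadFull(rand.Reader, s[:])
	return s, err
}

// aead derives a per-wrap sealing key from the secret and the IV and returns
// AES-256-GCM for it. HMAC-SHA-256(secret, iv) is the derivation assumed here.
func (s Secret) aead(iv []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, s[:])
	mac.Write(iv)
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte key selects AES-256
	if err != nil {
		panic(err) // cannot happen for a 32-byte key
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Wrap encrypts and authenticates plaintext and authenticates associatedData.
// IV and nonce are fresh per call, so wrapping the same key twice differs.
func (s Secret) Wrap(plaintext, associatedData []byte) ([]byte, error) {
	iv := make([]byte, ivSize)
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err // internal error, not a client error
	}
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aead := s.aead(iv)
	out := make([]byte, 0, ivSize+nonceSize+len(plaintext)+aead.Overhead())
	out = append(out, iv...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, associatedData), nil
}

// Unwrap reverses Wrap. Any change to the ciphertext, the associated data or
// the secret makes the GCM tag check fail and yields errNotAuthentic.
func (s Secret) Unwrap(ciphertext, associatedData []byte) ([]byte, error) {
	if len(ciphertext) < ivSize+nonceSize {
		return nil, errNotAuthentic
	}
	iv := ciphertext[:ivSize]
	nonce := ciphertext[ivSize : ivSize+nonceSize]
	sealed := ciphertext[ivSize+nonceSize:]
	plaintext, err := s.aead(iv).Open(nil, nonce, sealed, associatedData)
	if err != nil {
		return nil, errNotAuthentic
	}
	return plaintext, nil
}

func main() {
	secret, err := NewSecret()
	if err != nil {
		panic(err)
	}
	dataKey := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit data key
	ad := []byte("key-name=my-key")                     // binds the wrapped key to its name
	wrapped, err := secret.Wrap(dataKey, ad)
	if err != nil {
		panic(err)
	}
	if pt, err := secret.Unwrap(wrapped, ad); err == nil {
		fmt.Printf("unwrapped %d bytes with matching associated data\n", len(pt))
	}
	_, err = secret.Unwrap(wrapped, []byte("key-name=other-key"))
	fmt.Println("other name:", err)
	wrapped[len(wrapped)-1] ^= 1 // flip one ciphertext bit
	_, err = secret.Unwrap(wrapped, ad)
	fmt.Println("tampered:  ", err)
}
```

The associated data is the part worth noticing: binding the key name into the AEAD means a ciphertext stored under one key name cannot be re-labelled and unwrapped under another, even though it is never encrypted.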
Directories ¶
Path | Synopsis |
---|---|
cmd | |
| Package fs implements a secret key store that stores secret keys as files on the file system. |
internal | |
cache | Package cache implements an in-memory cache for secret keys. |
| Package mem implements an in-memory secret key store. |
| Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend. |