package security

v1.0.1

Warning: This package is not in the latest version of its module.

Published: Jul 9, 2020 License: Apache-2.0 Imports: 19 Imported by: 0

README

Certificate Management

Documentation

Index

Constants

const (
	MaxKeyPerm  os.FileMode = 0700
	MaxCertPerm os.FileMode = 0664
	MaxDirPerm  os.FileMode = 0700
)

Variables

This section is empty.

Functions

func DialOptionForTransportConfig

func DialOptionForTransportConfig(cfg *TransportConfig) (grpc.DialOption, error)

func GetClientTransportCredentials

func GetClientTransportCredentials(cfg *TransportConfig) (credentials.TransportCredentials, error)

func GetServerTransportCredentials

func GetServerTransportCredentials(cfg *TransportConfig) (credentials.TransportCredentials, error)

func LoadCertificate

func LoadCertificate(certPath string) (*x509.Certificate, error)

LoadCertificate loads the certificate at the given path into an x509.Certificate object.

func LoadPEMData

func LoadPEMData(filePath string, perms os.FileMode) ([]byte, error)

LoadPEMData performs security checks on the PEM file according to perms and returns the bytes of the PEM file.

func LoadPrivateKey

func LoadPrivateKey(keyPath string) (crypto.PrivateKey, error)

LoadPrivateKey loads the private key at the given path into an object that implements the crypto.PrivateKey interface.

func ServerOptionForTransportConfig

func ServerOptionForTransportConfig(cfg *TransportConfig) (grpc.ServerOption, error)

func ValidateCertDirectory

func ValidateCertDirectory(certDir string) error

ValidateCertDirectory ensures the certificate directory has safe permissions set on it.
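The permission rules the constants, LoadPEMData and ValidateCertDirectory describe, written out as an added example so the checks can be seen and exercised. This is not the package's source: the three constants are the ones the page documents, while the functions checkMode, validateCertDir, loadPEMChecked and writeWithMode are this example's own names, and the sample key file is constructed. It assumes a POSIX filesystem where Chmod sets mode bits exactly.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Maximum permission bits documented by the package for a key file, a
// certificate file and the certificate directory.
const (
	MaxKeyPerm  os.FileMode = 0700
	MaxCertPerm os.FileMode = 0664
	MaxDirPerm  os.FileMode = 0700
)

// ErrPermissions is wrapped into the error returned when a path carries
// permission bits outside the allowed maximum.
var ErrPermissions = errors.New("permissions too permissive")

// checkMode rejects the wrong file type (symlinks included, because Lstat
// does not follow them), then rejects any permission bit that is set on the
// path but absent from maxPerm. A 0640 key file therefore fails against
// MaxKeyPerm (0700) even though the owner can still read it.
func checkMode(path string, maxPerm os.FileMode, wantDir bool) error {
	info, err := os.Lstat(path)
	if err != nil {
		return err
	}
	mode := info.Mode()
	switch {
	case wantDir && !mode.IsDir():
		return fmt.Errorf("%s: expected a directory, found mode %v", path, mode)
	case !wantDir && !mode.IsRegular():
		return fmt.Errorf("%s: expected a regular file, found mode %v", path, mode)
	}
	if extra := mode.Perm() &^ maxPerm; extra != 0 {
		return fmt.Errorf("%w: %s has mode %#o, bits %#o exceed the allowed %#o",
			ErrPermissions, path, mode.Perm(), extra, maxPerm)
	}
	return nil
}

// validateCertDir is this example's equivalent of ValidateCertDirectory.
func validateCertDir(certDir string) error {
	return checkMode(certDir, MaxDirPerm, true)
}

// loadPEMChecked is this example's equivalent of LoadPEMData: the file is
// only read once the permission check has passed.
func loadPEMChecked(filePath string, maxPerm os.FileMode) ([]byte, error) {
	if err := checkMode(filePath, maxPerm, false); err != nil {
		return nil, err
	}
	return os.ReadFile(filePath)
}

// writeWithMode writes content and then sets the exact mode bits; the Chmod
// after creation means the process umask cannot widen or narrow the result.
func writeWithMode(path string, content []byte, mode os.FileMode) error {
	if err := os.WriteFile(path, content, 0600); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

func main() {
	dir, err := os.MkdirTemp("", "certdir-") // created 0700
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)

	// Constructed sample key file: first with a safe mode, then group-readable.
	key := filepath.Join(dir, "example.key")
	pem := []byte("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
	_ = writeWithMode(key, pem, 0600)
	fmt.Println("dir 0700: ", validateCertDir(dir))
	_, err = loadPEMChecked(key, MaxKeyPerm)
	fmt.Println("key 0600: ", err)
	_ = os.Chmod(key, 0640)
	_, err = loadPEMChecked(key, MaxKeyPerm)
	fmt.Println("key 0640: ", err)
}
```

The check is on mode bits, not on whether the current user could open the file, so it behaves the same when run as root; that is the point of a maximum-permission policy for key material.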

Types

type CertificateConfig

type CertificateConfig struct {
	ServerName      string `yaml:"server_name,omitempty"`
	ClientCertDir   string `yaml:"client_cert_dir,omitempty"`
	CARootPath      string `yaml:"ca_cert"`
	CertificatePath string `yaml:"cert"`
	PrivateKeyPath  string `yaml:"key"`
	// contains filtered or unexported fields
}

CertificateConfig contains the specific certificate information for the daos component. ServerName is only needed if the config is being used as a transport credential for a gRPC tls client.

type Component added in v0.9.0

type Component int

Component represents the DAOS component being granted authorization.

const (
	ComponentUndefined Component = iota
	ComponentAdmin
	ComponentAgent
	ComponentServer
)

func CommonNameToComponent added in v0.9.0

func CommonNameToComponent(commonname string) Component

CommonNameToComponent returns the component that corresponds to the given certificate CommonName.

func (Component) HasAccess added in v0.9.0

func (c Component) HasAccess(FullMethod string) bool

HasAccess checks whether the given component has access to the method named in FullMethod.

func (Component) String added in v0.9.0

func (c Component) String() string

type DomainInfo

type DomainInfo struct {
	// contains filtered or unexported fields
}

DomainInfo holds our socket credentials to be used by the DomainSocketServer

func DomainInfoFromUnixConn

func DomainInfoFromUnixConn(log logging.Logger, sock *net.UnixConn) (*DomainInfo, error)

DomainInfoFromUnixConn determines credentials from a unix socket.

func InitDomainInfo

func InitDomainInfo(creds *syscall.Ucred, ctx string) *DomainInfo

InitDomainInfo returns an initialized DomainInfo structure

func (*DomainInfo) Ctx

func (d *DomainInfo) Ctx() string

Ctx returns the additional security information obtained from the domain socket

func (*DomainInfo) Gid

func (d *DomainInfo) Gid() uint32

Gid returns the GID obtained from the domain socket

func (*DomainInfo) Uid

func (d *DomainInfo) Uid() uint32

Uid returns the UID obtained from the domain socket

type TokenSigner

type TokenSigner struct {
	// contains filtered or unexported fields
}

TokenSigner serves to encapsulate the functionality needed to sign and verify auth token signatures.

func DefaultTokenSigner

func DefaultTokenSigner() *TokenSigner

DefaultTokenSigner creates a TokenSigner with an instantiated entropy pool.

func (*TokenSigner) Hash

func (s *TokenSigner) Hash(data []byte) ([]byte, error)

Hash returns the SHA-512 hash of the byte array passed in.

func (*TokenSigner) Sign

func (s *TokenSigner) Sign(key crypto.PrivateKey, data []byte) ([]byte, error)

Sign takes an unhashed set of bytes and hashes and signs the result with the key passed in.

func (*TokenSigner) Verify

func (s *TokenSigner) Verify(key crypto.PublicKey, data []byte, sig []byte) error

Verify takes an unhashed set of bytes, hashes the data and verifies the signature against the hash and the public key passed in.
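The Hash, Sign and Verify contract described above, with UnsupportedKeyError for key types the signer does not handle, as an added example. This is not the package's TokenSigner: the page states only that the digest is SHA-512 and that Sign hashes before signing, so the RSA-PSS scheme, the lower-case names tokenSigner, newTokenSigner, hash, sign, verify, newDemoKey and unsupportedKeyDemo, and the token payload are this example's own choices.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"fmt"
	"io"
)

// UnsupportedKeyError mirrors the page's error type: the key passed in is of
// a type this signer does not handle.
type UnsupportedKeyError struct{}

func (err *UnsupportedKeyError) Error() string {
	return "unsupported key type"
}

// tokenSigner is this example's stand-in for the package's TokenSigner; its
// only state is the entropy source the signature scheme draws from.
type tokenSigner struct {
	rng io.Reader
}

func newTokenSigner() *tokenSigner {
	return &tokenSigner{rng: rand.Reader}
}

// hash returns the SHA-512 digest of data (64 bytes).
func (s *tokenSigner) hash(data []byte) []byte {
	sum := sha512.Sum512(data)
	return sum[:]
}

// sign hashes the unhashed data and signs the digest. RSA-PSS with SHA-512
// is an assumption of this example; anything but an *rsa.PrivateKey is
// refused with UnsupportedKeyError rather than silently signed.
func (s *tokenSigner) sign(key crypto.PrivateKey, data []byte) ([]byte, error) {
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return nil, &UnsupportedKeyError{}
	}
	return rsa.SignPSS(s.rng, rsaKey, crypto.SHA512, s.hash(data), nil)
}

// verify recomputes the digest over the unhashed data and checks sig against
// it with the public key; a change to any byte of data fails verification.
func (s *tokenSigner) verify(key crypto.PublicKey, data, sig []byte) error {
	rsaPub, ok := key.(*rsa.PublicKey)
	if !ok {
		return &UnsupportedKeyError{}
	}
	return rsa.VerifyPSS(rsaPub, crypto.SHA512, s.hash(data), sig, nil)
}

// newDemoKey generates a throwaway 2048-bit RSA key for the demonstration.
func newDemoKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// unsupportedKeyDemo shows the rejection path: an ECDSA key is not an RSA
// key, so sign returns UnsupportedKeyError.
func unsupportedKeyDemo(s *tokenSigner) error {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	_, err = s.sign(ecKey, []byte("constructed"))
	return err
}

func main() {
	priv, err := newDemoKey()
	if err != nil {
		fmt.Println(err)
		return
	}
	s := newTokenSigner()
	token := []byte(`{"uid":1000,"gid":1000}`) // constructed token payload
	sig, err := s.sign(priv, token)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("original verifies:", s.verify(&priv.PublicKey, token, sig))
	tampered := append([]byte{}, token...)
	tampered[7] = '9' // uid 1000 -> 9000
	fmt.Println("tampered verifies:", s.verify(&priv.PublicKey, tampered, sig))
	fmt.Println("ecdsa key:", unsupportedKeyDemo(s))
}
```

Hashing inside Sign and Verify, rather than accepting a caller-supplied digest, keeps the two sides from disagreeing about what was signed; the type switch is where an UnsupportedKeyError is produced instead of a panic on an unexpected key type.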

type TransportConfig

type TransportConfig struct {
	AllowInsecure     bool `yaml:"allow_insecure"`
	CertificateConfig `yaml:",inline"`
}

TransportConfig contains all the information on whether or not to use certificates and their location if their use is specified.

func DefaultClientTransportConfig

func DefaultClientTransportConfig() *TransportConfig

DefaultClientTransportConfig provides a default transport config disabling certificate usage and specifying certificates located under .daos. As this credential is meant to be used as a client credential it specifies a default ServerName as well.

func DefaultServerTransportConfig

func DefaultServerTransportConfig() *TransportConfig

DefaultServerTransportConfig provides a default transport config disabling certificate usage and specifying certificates located under .daos.

func (*TransportConfig) PreLoadCertData

func (cfg *TransportConfig) PreLoadCertData() error

PreLoadCertData reads in the certificate files and parses them into a TLS key pair and a certificate pool, providing a way to detect certificate errors before first use.

func (*TransportConfig) PrivateKey

func (cfg *TransportConfig) PrivateKey() (crypto.PrivateKey, error)

PrivateKey returns the private key stored in the certificates loaded into the TransportConfig

func (*TransportConfig) PublicKey

func (cfg *TransportConfig) PublicKey() (crypto.PublicKey, error)

PublicKey returns the public key stored in the certificates loaded into the TransportConfig

func (*TransportConfig) ReloadCertData

func (cfg *TransportConfig) ReloadCertData() error

ReloadCertData reloads and stores the certificate data in the case when certificate data has changed since initial loading.

func (*TransportConfig) String added in v0.9.0

func (tc *TransportConfig) String() string

type UnsupportedKeyError

type UnsupportedKeyError struct{}

UnsupportedKeyError is a structured error used to indicate that the PublicKey or PrivateKey interface passed in represents a key type we do not support.

func (*UnsupportedKeyError) Error

func (err *UnsupportedKeyError) Error() string

Error is the implementation of the error interface.
