requestorserver

package
Version: v0.11.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 19, 2023 License: Apache-2.0 Imports: 20 Imported by: 1

Documentation

Overview

Package requestorserver is a server allowing IRMA verifiers, issuers or attribute-based signature applications (the requestor) to perform IRMA sessions with irmaclient instances (i.e. the IRMA app). It exposes a RESTful protocol with which the requestor can start and manage the session as well as HTTP endpoints for the irmaclient.

Index

Constants

View Source
const (
	AuthenticationMethodHmac      = "hmac"
	AuthenticationMethodPublicKey = "publickey"
	AuthenticationMethodToken     = "token"
	AuthenticationMethodNone      = "none"
)

Currently supported requestor authentication methods

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthenticationMethod

type AuthenticationMethod string

type Authenticator

type Authenticator interface {
	// Initialize is called once on server startup for each requestor that uses this authentication method.
	// Used to parse keys or populate caches for later use.
	Initialize(name string, requestor Requestor) error

	// AuthenticateSession checks, given the HTTP header and POST body, if the authenticator is known
	// and allowed to submit session requests. It returns whether or not the current authenticator
	// is applicable to this sesion requests; the request itself; the name of the requestor;
	// or an error (which is only non-nil if applies is true; i.e. this authenticator applies but
	// it was not able to successfully authenticate the request).
	AuthenticateSession(
		headers http.Header, body []byte,
	) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError)

	AuthenticateRevocation(
		headers http.Header, body []byte,
	) (applies bool, request *irma.RevocationRequest, requestor string, err *irma.RemoteError)
}

Authenticator instances authenticate incoming session requests. Given details of the HTTP post done by the requestor, it is checked whether or not the requestor is known and allowed to submit session requests.

type Configuration

type Configuration struct {
	*server.Configuration `mapstructure:",squash"`

	// Disclosing, signing or issuance permissions that apply to all requestors
	Permissions          `mapstructure:",squash"`
	SkipPrivateKeysCheck bool `json:"skip_private_keys_check" mapstructure:"skip_private_keys_check"`

	// Whether or not incoming session requests should be authenticated. If false, anyone
	// can submit session requests. If true, the request is first authenticated against the
	// server configuration before the server accepts it.
	DisableRequestorAuthentication bool `json:"no_auth" mapstructure:"no_auth"`

	// Address to listen at
	ListenAddress string `json:"listen_addr" mapstructure:"listen_addr"`
	// Port to listen at
	Port int `json:"port" mapstructure:"port"`
	// Route requests via this path, so instead of POST /session, it will
	// be POST {ApiPrefix}/session.  Should start with a "/".
	ApiPrefix string `json:"api_prefix" mapstructure:"api_prefix"`
	// TLS configuration
	TlsCertificate     string `json:"tls_cert" mapstructure:"tls_cert"`
	TlsCertificateFile string `json:"tls_cert_file" mapstructure:"tls_cert_file"`
	TlsPrivateKey      string `json:"tls_privkey" mapstructure:"tls_privkey"`
	TlsPrivateKeyFile  string `json:"tls_privkey_file" mapstructure:"tls_privkey_file"`

	// If specified, start a separate server for the IRMA app at his port
	ClientPort int `json:"client_port" mapstructure:"client_port"`
	// If clientport is specified, the server for the IRMA app listens at this address
	ClientListenAddress string `json:"client_listen_addr" mapstructure:"client_listen_addr"`
	// TLS configuration for irmaclient HTTP API
	ClientTlsCertificate     string `json:"client_tls_cert" mapstructure:"client_tls_cert"`
	ClientTlsCertificateFile string `json:"client_tls_cert_file" mapstructure:"client_tls_cert_file"`
	ClientTlsPrivateKey      string `json:"client_tls_privkey" mapstructure:"client_tls_privkey"`
	ClientTlsPrivateKeyFile  string `json:"client_tls_privkey_file" mapstructure:"client_tls_privkey_file"`

	// Requestor-specific permission and authentication configuration
	Requestors map[string]Requestor `json:"requestors"`

	// Max age in seconds of a session request JWT (using iat field)
	MaxRequestAge int `json:"max_request_age" mapstructure:"max_request_age"`

	// Host files under this path as static files (leave empty to disable)
	StaticPath string `json:"static_path" mapstructure:"static_path"`
	// Host static files under this URL prefix
	StaticPrefix string `json:"static_prefix" mapstructure:"static_prefix"`
}

func (*Configuration) CanIssue

func (conf *Configuration) CanIssue(requestor string, creds []*irma.CredentialRequest) (bool, string)

CanIssue returns whether or not the specified requestor may issue the specified credentials. (In case of combined issuance/disclosure sessions, this method does not check whether or not the identity provider is allowed to verify the attributes being verified; use CanVerifyOrSign for that).

func (*Configuration) CanRevoke added in v0.5.0

func (conf *Configuration) CanRevoke(requestor string, cred irma.CredentialTypeIdentifier) (bool, string)

func (*Configuration) CanVerifyOrSign

func (conf *Configuration) CanVerifyOrSign(requestor string, action irma.Action, disjunctions irma.AttributeConDisCon) (bool, string)

CanVerifyOrSign returns whether or not the specified requestor may use the selected attributes in any of the supported session types.

type HmacAuthenticator

type HmacAuthenticator struct {
	// contains filtered or unexported fields
}

func (*HmacAuthenticator) AuthenticateRevocation added in v0.5.0

func (hauth *HmacAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)

func (*HmacAuthenticator) AuthenticateSession added in v0.5.0

func (hauth *HmacAuthenticator) AuthenticateSession(
	headers http.Header, body []byte,
) (applies bool, request irma.RequestorRequest, requestor string, err *irma.RemoteError)

func (*HmacAuthenticator) Initialize

func (hauth *HmacAuthenticator) Initialize(name string, requestor Requestor) error

type NilAuthenticator

type NilAuthenticator struct{}

func (NilAuthenticator) AuthenticateRevocation added in v0.5.0

func (NilAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)

func (NilAuthenticator) AuthenticateSession added in v0.5.0

func (NilAuthenticator) AuthenticateSession(
	headers http.Header, body []byte,
) (bool, irma.RequestorRequest, string, *irma.RemoteError)

func (NilAuthenticator) Initialize

func (NilAuthenticator) Initialize(name string, requestor Requestor) error

type Permissions

type Permissions struct {
	Disclosing []string `json:"disclose_perms" mapstructure:"disclose_perms"`
	Signing    []string `json:"sign_perms" mapstructure:"sign_perms"`
	Issuing    []string `json:"issue_perms" mapstructure:"issue_perms"`
	Revoking   []string `json:"revoke_perms" mapstructure:"revoke_perms"`
}

Permissions specify which attributes or credential a requestor may verify or issue.

type PresharedKeyAuthenticator

type PresharedKeyAuthenticator struct {
	// contains filtered or unexported fields
}

func (*PresharedKeyAuthenticator) AuthenticateRevocation added in v0.5.0

func (pskauth *PresharedKeyAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)

func (*PresharedKeyAuthenticator) AuthenticateSession added in v0.5.0

func (pskauth *PresharedKeyAuthenticator) AuthenticateSession(
	headers http.Header, body []byte,
) (bool, irma.RequestorRequest, string, *irma.RemoteError)

func (*PresharedKeyAuthenticator) Initialize

func (pskauth *PresharedKeyAuthenticator) Initialize(name string, requestor Requestor) error

type PublicKeyAuthenticator

type PublicKeyAuthenticator struct {
	// contains filtered or unexported fields
}

func (*PublicKeyAuthenticator) AuthenticateRevocation added in v0.5.0

func (pkauth *PublicKeyAuthenticator) AuthenticateRevocation(headers http.Header, body []byte) (bool, *irma.RevocationRequest, string, *irma.RemoteError)

func (*PublicKeyAuthenticator) AuthenticateSession added in v0.5.0

func (pkauth *PublicKeyAuthenticator) AuthenticateSession(
	headers http.Header, body []byte,
) (bool, irma.RequestorRequest, string, *irma.RemoteError)

func (*PublicKeyAuthenticator) Initialize

func (pkauth *PublicKeyAuthenticator) Initialize(name string, requestor Requestor) error

type Requestor

type Requestor struct {
	Permissions `mapstructure:",squash"`

	AuthenticationMethod  AuthenticationMethod `json:"auth_method" mapstructure:"auth_method"`
	AuthenticationKey     string               `json:"key" mapstructure:"key"`
	AuthenticationKeyFile string               `json:"key_file" mapstructure:"key_file"`
}

Requestor contains all configuration (disclosure or verification permissions and authentication) for a requestor.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is a requestor server instance.

func New

func New(config *Configuration) (*Server, error)

func (*Server) ClientHandler

func (s *Server) ClientHandler() http.Handler

func (*Server) Handler

func (s *Server) Handler() http.Handler

Handler returns a http.Handler that handles all IRMA requestor messages and IRMA client messages.

func (*Server) Start

func (s *Server) Start(config *Configuration) error

Start the server. If successful then it will not return until Stop() is called.

func (*Server) StaticFilesHandler

func (s *Server) StaticFilesHandler() http.Handler

func (*Server) Stop

func (s *Server) Stop()

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL