Documentation ¶
Index ¶
- Constants
- Variables
- func GenerateCA(keySize int) ([]byte, crypto.PrivateKey, error)
- func GenerateClientCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, name string) ([]byte, crypto.PrivateKey, error)
- func GenerateServerCert(caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, hosts []string) ([]byte, crypto.PrivateKey, error)
- func GetCertificateUser(tlsState *tls.ConnectionState) (string, error)
- func HashPassword(password string) ([]byte, error)
- func LoadClientTLSConfig(sslCA, sslCert, sslCertKey string) (*tls.Config, error)
- func LoadServerTLSConfig(sslCA, sslCert, sslCertKey string) (*tls.Config, error)
- func PromptForPassword() (string, error)
- func PromptForPasswordAndHash() ([]byte, error)
- func ProtoAuthHook(insecureMode bool, tlsState *tls.ConnectionState) (func(proto.Message, bool) error, error)
- func ResetReadFileFn()
- func RunCreateCACert(sslCA, sslCAKey string, keySize int) error
- func RunCreateClientCert(sslCA, sslCAKey, sslCert, sslCertKey string, keySize int, username string) error
- func RunCreateNodeCert(sslCA, sslCAKey, sslCert, sslCertKey string, keySize int, hosts []string) error
- func SetReadFileFn(f func(string) ([]byte, error))
- type RequestWithUser
- type UserAuthHook
Constants ¶
const ( // NodeUser is used by nodes for intra-cluster traffic. NodeUser = "node" // RootUser is the default cluster administrator. RootUser = "root" )
const ( EmbeddedCertsDir = "test_certs" EmbeddedCACert = "ca.crt" EmbeddedCAKey = "ca.key" EmbeddedNodeCert = "node.crt" EmbeddedNodeKey = "node.key" EmbeddedRootCert = "root.crt" EmbeddedRootKey = "root.key" EmbeddedTestUserCert = "testuser.crt" EmbeddedTestUserKey = "testuser.key" )
EmbeddedCertsDir is the certs directory inside embedded assets. Embedded*{Cert,Key} are the filenames for embedded certs.
Variables ¶
var ErrEmptyPassword = errors.New("empty passwords are not permitted")
ErrEmptyPassword indicates an attempt to set an empty password.
Functions ¶
func GenerateCA ¶
func GenerateCA(keySize int) ([]byte, crypto.PrivateKey, error)
GenerateCA generates a CA certificate and returns the cert bytes as well as the private key used to generate the certificate.
func GenerateClientCert ¶
func GenerateClientCert( caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, name string, ) ([]byte, crypto.PrivateKey, error)
GenerateClientCert generates a client certificate and returns the cert bytes as well as the private key used to generate the certificate. The CA cert and private key must be passed in. 'name' is the unique username stored in the Subject.CommonName field.
func GenerateServerCert ¶
func GenerateServerCert( caCert *x509.Certificate, caKey crypto.PrivateKey, keySize int, hosts []string, ) ([]byte, crypto.PrivateKey, error)
GenerateServerCert generates a server certificate and returns the cert bytes as well as the private key used to generate the certificate. It takes the CA cert and key, the size of the key to generate, and the list of hosts/IP addresses this certificate applies to.
func GetCertificateUser ¶
func GetCertificateUser(tlsState *tls.ConnectionState) (string, error)
GetCertificateUser extracts the username from a client certificate.
func HashPassword ¶
HashPassword takes a raw password and returns a bcrypt hashed password.
func LoadClientTLSConfig ¶
LoadClientTLSConfig creates a client TLSConfig by loading the CA and client certs. The following paths must be passed:
- sslCA: path to the CA certificate
- sslCert: path to the client certificate
- sslCertKey: path to the client key
If a path is prefixed with "embedded=", the embedded certs are loaded instead; these are the package's test certificates (see EmbeddedCertsDir).
func LoadServerTLSConfig ¶
LoadServerTLSConfig creates a server TLSConfig by loading the CA and server certs. The following paths must be passed:
- sslCA: path to the CA certificate
- sslCert: path to the server certificate
- sslCertKey: path to the server key
If a path is prefixed with "embedded=", the embedded certs are loaded instead; these are the package's test certificates (see EmbeddedCertsDir).
func PromptForPassword ¶
PromptForPassword prompts for a password twice, returning the entered string if the two entries match, or an error otherwise.
func PromptForPasswordAndHash ¶
PromptForPasswordAndHash prompts for a password twice and returns the bcrypt hash.
func ProtoAuthHook ¶
func ProtoAuthHook( insecureMode bool, tlsState *tls.ConnectionState, ) (func(proto.Message, bool) error, error)
ProtoAuthHook builds an authentication hook based on the security mode and the client certificate. The proto.Message passed to the hook must implement RequestWithUser.
func ResetReadFileFn ¶
func ResetReadFileFn()
ResetReadFileFn is the counterpart to SetReadFileFn, restoring the original behaviour for loading certificate-related data from disk.
func RunCreateCACert ¶
RunCreateCACert is the entry-point from the command-line interface to generate the CA cert and key. It takes:
- sslCA: path to the CA certificate
- sslCAKey: path to the CA key
- keySize: size of the key to generate
func RunCreateClientCert ¶
func RunCreateClientCert( sslCA, sslCAKey, sslCert, sslCertKey string, keySize int, username string, ) error
RunCreateClientCert is the entry-point from the command-line interface to generate a client cert and key. It takes:
- sslCA: path to the CA certificate
- sslCAKey: path to the CA key
- sslCert: path to the client certificate
- sslCertKey: path to the client key
- keySize: size of the key to generate
- username: the username stored in the certificate
func RunCreateNodeCert ¶
func RunCreateNodeCert( sslCA, sslCAKey, sslCert, sslCertKey string, keySize int, hosts []string, ) error
RunCreateNodeCert is the entry-point from the command-line interface to generate node certs and keys. It takes:
- sslCA: path to the CA certificate
- sslCAKey: path to the CA key
- sslCert: path to the node certificate
- sslCertKey: path to the node key
- keySize: size of the key to generate
- hosts: the list of hosts/IP addresses the certificate applies to
func SetReadFileFn ¶
SetReadFileFn allows ioutil.ReadFile to be replaced with a mock for testing purposes.
Types ¶
type RequestWithUser ¶
// RequestWithUser must be implemented by `roachpb.Request`s which are
// arguments to methods that are not permitted to skip user checks.
type RequestWithUser interface {
// GetUser returns the username the request is made on behalf of.
GetUser() string
}
RequestWithUser must be implemented by `roachpb.Request`s that are arguments to methods which are not permitted to skip user checks.
type UserAuthHook ¶
UserAuthHook authenticates a user based on their username and whether their connection originates from a client or another node in the cluster.
func UserAuthCertHook ¶
func UserAuthCertHook(insecureMode bool, tlsState *tls.ConnectionState) (UserAuthHook, error)
UserAuthCertHook builds an authentication hook based on the security mode and client certificate.
func UserAuthPasswordHook ¶
func UserAuthPasswordHook(insecureMode bool, password string, hashedPassword []byte) UserAuthHook
UserAuthPasswordHook builds an authentication hook based on the security mode, the supplied password, and the stored hash it is checked against.
Directories ¶
Path | Synopsis
---|---
securitytest | Package securitytest embeds the TLS test certificates.