credentials

package
v0.0.0-...-0b08f29
Published: Apr 29, 2024 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

Package credentials implements a REST interface which provides device credentials to things

The package generates a single endpoint where things can download credentials which allow them to authenticate as a device. The credentials include the thing's device id, device-specific X.509 certificates to authenticate with the IoT MQTT broker, and a bearer token to be used with REST APIs.

The API provides the following REST route:

GET /certificates

A thing must authenticate by providing a secret key as header "Kurbisio-Thing-Key" and its own thing identifier as header "Kurbisio-Thing-Identifier".

The returned credentials are

device_id:  the device id for this thing
cert:       the X.509 certificate for the MQTT client
key:        the X.509 private key for the MQTT client
token:      a bearer token for HTTPS requests

Note that credentials are returned only once, for security purposes. Subsequent requests by the same thing result in 204 No Content or, if the thing's device authorization has been withdrawn, 401 Unauthorized. Clients can therefore always call this endpoint during startup to validate that their authorization has not been withdrawn.
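A client-side counterpart to the route above, added here as an example (it is not code from the Kurbisio package): it builds the request with the two documented headers and maps the three documented responses to an outcome, treating an incomplete 200 body as an error because the server hands the credentials out only once. The base URL and the function names are assumptions; the header names, JSON fields and status codes are the ones documented above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)
type Credentials struct { // JSON body returned by GET /certificates, as documented above
	DeviceID string `json:"device_id"`
	Cert     string `json:"cert"`
	Key      string `json:"key"`
	Token    string `json:"token"`
}
// Outcome names the three responses the endpoint documents.
type Outcome int
const (
	Provisioned        Outcome = iota // 200: first download, persist these credentials now
	AlreadyProvisioned                // 204: nothing new, keep what was stored earlier
	Withdrawn                         // 401: device authorization has been revoked
)
// NewRequest builds the documented request; baseURL is an assumed deployment value.
func NewRequest(baseURL, thingKey, thingID string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/certificates", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Kurbisio-Thing-Key", thingKey)
	req.Header.Set("Kurbisio-Thing-Identifier", thingID)
	return req, nil
}
// Interpret maps status and body to an outcome. A 200 body is checked for completeness
// because the server has already marked the device "provisioned" and will not resend it.
func Interpret(status int, body []byte) (Outcome, *Credentials, error) {
	switch status {
	case http.StatusOK:
		var c Credentials
		if err := json.Unmarshal(body, &c); err != nil {
			return Provisioned, nil, fmt.Errorf("decode credentials: %w", err)
		}
		if c.DeviceID == "" || c.Cert == "" || c.Key == "" || c.Token == "" {
			return Provisioned, nil, fmt.Errorf("incomplete credentials in 200 response")
		}
		return Provisioned, &c, nil
	case http.StatusNoContent:
		return AlreadyProvisioned, nil, nil
	case http.StatusUnauthorized:
		return Withdrawn, nil, fmt.Errorf("device authorization withdrawn")
	}
	return 0, nil, fmt.Errorf("unexpected status %d", status)
}
```

A caller persists the credentials only on Provisioned, keeps its stored set on AlreadyProvisioned, and stops using the device identity on Withdrawn.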

Database Requirements

The service assumes that the database manages a resource "device", with an external index "thing" and a static resource "provisioning_status", like this:

  {
    "resource": "device",
    "external_indices": ["thing"],
    "static_properties": ["provisioning_status"]
  }

Credentials can be downloaded if and only if the provisioning status is "waiting". After a successful download, the status is automatically set to "provisioned".

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type API

type API struct {
	// contains filtered or unexported fields
}

API is the IoT appliance RESTful interface for providing device credentials to things

func NewAPI

func NewAPI(b *Builder) *API

NewAPI realizes the credentials service. It creates the SQL relations for the device twin (if they do not exist) and adds the /credentials route to the router. It also installs thing authorization middleware on the router.

type Builder

type Builder struct {
	// DB is a postgres database. This is mandatory.
	DB *csql.DB
	// Router is a mux router. This is mandatory.
	Router *mux.Router
	// CACertFile is the file path to the X509 certificate of the certificate authority.
	// This is mandatory
	CACertFile string
	// CAKeyFile is the file path to the X509 private key of the certificate authority.
	// This is mandatory
	CAKeyFile string
	// KurbisioThingKey is a key used as shared secret for thing authentication.
	KurbisioThingKey string
}

Builder is a builder helper for the API
