server

package
v0.0.0-...-63f23c4

Published: Sep 1, 2023 License: GPL-3.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewKeystoreCollector

func NewKeystoreCollector(ks *KeyStore) prometheus.Collector

NewKeystoreCollector returns a prometheus.Collector that will export metrics for the given KeyStore instance.

func NewServer

func NewServer(ks *KeyStore) http.Handler

NewServer wraps the HTTP API around a KeyStore.

Types

type Config

type Config struct {
	SSOPublicKeyFile string `yaml:"sso_public_key_file"`
	SSOService       string `yaml:"sso_service"`
	SSODomain        string `yaml:"sso_domain"`

	Backend *backend.Config `yaml:"backend"`
}

Config for the KeyStore.

type KeyStore

type KeyStore struct {
	// contains filtered or unexported fields
}

KeyStore holds decrypted secrets for users in memory for a short time (of the order of an SSO session lifespan). A user's secret can be opened with a password (used to decrypt the key, which is stored encrypted in a database), queried, and closed (forgotten).

The database can provide multiple versions of the encrypted key (to support multiple decryption passwords), in which case we'll try them all sequentially until one of them decrypts successfully with the provided password.

In order to query the KeyStore, you need to present a valid SSO token for the user whose secrets you would like to obtain.

func NewKeyStore

func NewKeyStore(config *Config) (*KeyStore, error)

NewKeyStore creates a new KeyStore with the given config and returns it.

func (*KeyStore) Close

func (s *KeyStore) Close(username, sessionID string) bool

Close the user's key store and wipe the associated unencrypted key from memory. Returns true if a key was actually discarded.

func (*KeyStore) Get

func (s *KeyStore) Get(username, ssoTicket string) ([]byte, error)

Get the unencrypted key for the specified user. The caller needs to provide a valid SSO ticket for the user.

func (*KeyStore) Open

func (s *KeyStore) Open(ctx context.Context, username, password, sessionID string, ttlSeconds int) error

Open the user's key store with the given password. If successful, the unencrypted user key will be stored for at most ttlSeconds, or until Close is called with the same session ID.

Note that the key is fetched from the backend and decrypted even if we already have it in memory (for instance belonging to a separate session), because this acts as an implicit ACL check: the user is granted access to the key only if they can decrypt it with the provided credentials.

A Context is needed because this method might issue an RPC.
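The behaviour described for KeyStore above (several encrypted versions of a key tried in turn until one decrypts, keys held per session until a TTL passes or Close is called, Get gated on an SSO ticket, and Open re-decrypting from the backend as the access check) as a self-contained example. This is added illustration code, not the package's own implementation: the AES-GCM wrapping with SHA-256(salt||password) as the key derivation stands in for whatever the real backend and KDF do, MemBackend replaces the database, the validate callback replaces SSO ticket verification, and Seal, MemBackend, sessionKey and the Now field are names chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"sync"
	"time"
)

// EncryptedKey is one stored version of a user's key, sealed with AES-GCM under a password-derived key; the backend may hold several, one per accepted password.
type EncryptedKey struct{ Salt, Nonce, Ciphertext []byte }

// aead builds the AEAD for a password. SHA-256(salt||password) is a stand-in for a real password KDF (argon2id/scrypt), used only so this runs on the standard library.
func aead(salt []byte, password string) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, salt...), password...))
	block, _ := aes.NewCipher(k[:]) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal wraps key under password with a fresh random salt and nonce.
func Seal(password string, key []byte) (EncryptedKey, error) {
	buf := make([]byte, 28) // 16-byte salt followed by 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return EncryptedKey{}, err
	}
	return EncryptedKey{buf[:16], buf[16:], aead(buf[:16], password).Seal(nil, buf[16:], key, nil)}, nil
}

// MemBackend is a constructed in-memory stand-in for the database of encrypted keys.
type MemBackend map[string][]EncryptedKey

type sessionKey struct{ user, session string }
type entry struct {
	key     []byte
	expires time.Time
}

// KeyStore holds decrypted keys per (user, session) until the TTL passes or Close is called.
type KeyStore struct {
	Now      func() time.Time // injectable clock, so expiry can be exercised deterministically
	backend  MemBackend
	validate func(username, ticket string) bool // stands in for SSO ticket verification
	mu       sync.Mutex
	open     map[sessionKey]entry
}

func NewKeyStore(b MemBackend, validate func(username, ticket string) bool) *KeyStore {
	return &KeyStore{Now: time.Now, backend: b, validate: validate, open: map[sessionKey]entry{}}
}

// Open always fetches and decrypts from the backend, even if another session already holds the key: a successful decryption with the given password is the access check.
func (s *KeyStore) Open(username, password, sessionID string, ttl time.Duration) error {
	for _, v := range s.backend[username] { // try every stored version until one decrypts
		if key, err := aead(v.Salt, password).Open(nil, v.Nonce, v.Ciphertext, nil); err == nil {
			s.mu.Lock()
			s.open[sessionKey{username, sessionID}] = entry{key, s.Now().Add(ttl)}
			s.mu.Unlock()
			return nil
		}
	}
	return errors.New("authentication failed") // unknown user and wrong password look the same
}

// Get requires a valid SSO ticket and returns a copy of the key from any unexpired session of the user, wiping expired entries as it finds them.
func (s *KeyStore) Get(username, ticket string) ([]byte, error) {
	if !s.validate(username, ticket) {
		return nil, errors.New("invalid SSO ticket")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	for k, e := range s.open {
		if k.user != username {
			continue
		}
		if s.Now().Before(e.expires) {
			return append([]byte(nil), e.key...), nil
		}
		wipe(e.key) // expired: zero and forget
		delete(s.open, k)
	}
	return nil, errors.New("key store not open")
}

// Close forgets the session's key and zeroes it; true if a key was actually discarded.
func (s *KeyStore) Close(username, sessionID string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.open[sessionKey{username, sessionID}]
	if !ok {
		return false
	}
	wipe(e.key)
	delete(s.open, sessionKey{username, sessionID})
	return true
}

func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

Two points worth noticing when reading it against the documentation: Get hands back a copy, so zeroing the stored slice on Close or expiry cannot be undone by a caller that still holds the returned key, and Open does not consult the in-memory map at all before going to the backend, which is what makes the password check per session rather than per user.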
