security

package module
v0.6.0 (not the latest version of its module)
Published: Jan 12, 2020 License: Apache-2.0 Imports: 5 Imported by: 0

README

Choria Security Providers

This package provides a unified interface to PKI systems that all the Choria ecosystem projects can use, so that they present a more unified UI / UX.

Providers

At present there are only two providers, file and puppet. In future we'll support a Choria-specific CA and others like Vault, and perhaps those provided by public clouds.

Provider  Description
Puppet    Understands the structure of SSL files maintained by puppet agent; supports enrolling into a PuppetCA
File      Accepts a fully manual configuration with paths to all the major needed files; does not support enrollment

CLI

You can do arbitrary enrolls using the CLI provided here:

$ pki-enroll --help
usage: pki-enroll [<flags>] <identity>

Enrolls with various PKI systems using the Choria framework

Flags:
  --help                     Show context-sensitive help (also try --help-long and --help-man).
  --version                  Show application version.
  --scheme=puppet            Provider to enroll with, only support 'puppet'
  --wait=30m                 How long to wait for the certificate to be signed
  --puppet-ssldir=PATH       The directory to write the Puppet compatible SSL structure
  --puppet-ca="puppet:8140"  PuppetCA in host:port format
  --verbose                  Verbose logging

Args:
  <identity>  Identity to enroll as

Enrolling into a PuppetCA entails the following:

  • Create a private key
  • Create a CSR
  • Download the CA
  • Submit the CSR
  • Repeatedly attempt to download the signed certificate until someone issues puppet cert sign on the CA

Here we use the pki-enroll command to perform this task with the resulting SSL tree created in /tmp/ssl.

$ pki-enroll bob --puppet-ssldir /tmp/ssl
Attempting to download certificate for bob, try 1.
Attempting to download certificate for bob, try 2.
Attempting to download certificate for bob, try 3.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Provider

type Provider interface {
	// Provider reports the name of the current security provider
	Provider() string

	// Validate that the security provider is functional
	Validate() ([]string, bool)

	// Identity from the active certificates
	Identity() string

	// CallerName is a valid Choria-style caller name (of the form foo=bar) derived from the identity
	CallerName() string

	// CallerIdentity extracts the Identity from a caller name
	CallerIdentity(caller string) (string, error)

	// SignBytes signs bytes using the current active certificate
	SignBytes(b []byte) (signature []byte, err error)

	// VerifyByteSignature verifies that str when signed by identity would match signature.
	// The certificate for identity should previously have been saved into the cache
	VerifyByteSignature(str []byte, signature []byte, identity string) bool

	// SignString signs a string using the current active certificate
	SignString(s string) (signature []byte, err error)

	// RemoteSignRequest signs a choria request using a remote signer and returns a secure request
	RemoteSignRequest(str []byte) (signed []byte, err error)

	// VerifyStringSignature verifies that str when signed by identity would match signature.
	// The certificate for identity should previously have been saved into the cache
	VerifyStringSignature(str string, signature []byte, identity string) bool

	// PrivilegedVerifyByteSignature verifies that dat is a valid signature for identity
	// or any of the privileged certificates
	PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool

	// PrivilegedVerifyStringSignature verifies that dat is a valid signature for identity
	// or any of the privileged certificates
	PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool

	// ChecksumBytes produces a cryptographic checksum for data
	ChecksumBytes(data []byte) []byte

	// ChecksumString produces a cryptographic checksum for data
	ChecksumString(data string) []byte

	// TLSConfig produces a tls.Config for the current identity using its certificates etc.
	TLSConfig() (*tls.Config, error)

	// SSLContext produces a http.Transport for the current identity using its certificates etc.
	SSLContext() (*http.Transport, error)

	// HTTPClient creates a standard HTTP client with optional security, it will
	// be set to use the CA and client certs for auth.
	HTTPClient(secure bool) (*http.Client, error)

	// VerifyCertificate validates that a certificate is signed by a known CA
	VerifyCertificate(certpem []byte, identity string) error

	// PublicCertPem retrieves pem data for the public certificate of the current identity
	PublicCertPem() (*pem.Block, error)

	// PublicCertTXT retrieves pem data in textual form for the public certificate of the current identity
	PublicCertTXT() ([]byte, error)

	// CachePublicData, when given a pem encoded certificate and expected identity, should validate
	// the cert and then check it against things like the certificate allow lists, privilege lists
	// etc., and only cache certificates that are completely acceptable to us
	CachePublicData(data []byte, identity string) error

	// CachedPublicData retrieves a previously cached certificate
	CachedPublicData(identity string) ([]byte, error)

	// Enroll creates a new cert with the active identity and attempts to enroll it with the security system.
	// If there is a process of waiting for the certificate to be signed, for example, this should wait
	// no more than wait. cb gets called on every attempt to download a cert, with the attempt number
	// as argument
	Enroll(ctx context.Context, wait time.Duration, cb func(int)) error
}

Provider provides a security plugin for the choria subsystem
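A worked enrollment flow, added here as an example; it is not code from the Choria project and does not use its puppetsec package. It follows the five README steps (create a key, create a CSR, download the CA, submit the CSR, poll until the certificate is signed) under the same ctx/wait/cb contract as Provider.Enroll, and, as Provider.VerifyCertificate requires, trusts the returned certificate only once it chains to the downloaded CA and carries the enrolled identity. The PuppetCA HTTP endpoint (puppet:8140) is not modelled: the CA type below is a constructed in-memory stand-in whose NewCA, Submit and Fetch are hypothetical names, and it signs the CSR only on the third download so that both the polling path and the wait timeout are exercised. The Puppet ssldir layout that pki-enroll writes is left out.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed stand-in for the PuppetCA endpoint, not its real HTTP API. It keeps one
// submitted CSR and signs it only once Fetch has been called signAfter times, which models an
// operator running "puppet cert sign" some time after the CSR arrives.
type CA struct {
	Cert      *x509.Certificate
	key       *rsa.PrivateKey
	csr       *x509.CertificateRequest
	polls     int
	signAfter int
}

// template builds a one-day certificate template; isCA marks a signing certificate.
func template(cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// NewCA generates the stand-in CA's key and self-signed certificate.
func NewCA(signAfter int) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	t := template("stand-in CA", true)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, key: key, signAfter: signAfter}, err
}

// Submit accepts a CSR only if its proof-of-possession signature verifies.
func (ca *CA) Submit(csrDER []byte) (err error) {
	if ca.csr, err = x509.ParseCertificateRequest(csrDER); err == nil {
		err = ca.csr.CheckSignature()
	}
	return err
}

// Fetch returns the signed certificate DER, or nil while the CSR is still unsigned.
func (ca *CA) Fetch() ([]byte, error) {
	if ca.csr == nil {
		return nil, fmt.Errorf("no CSR has been submitted")
	}
	ca.polls++
	if ca.polls < ca.signAfter {
		return nil, nil
	}
	return x509.CreateCertificate(rand.Reader, template(ca.csr.Subject.CommonName, false), ca.Cert, ca.csr.PublicKey, ca.key)
}

// Enroll performs the README's steps (create key, create CSR, download CA, submit CSR, poll for
// the signed certificate) under Provider.Enroll's contract: cb gets every attempt number and the
// call fails once wait elapses. Like Provider.VerifyCertificate, it trusts the returned
// certificate only if it chains to the downloaded CA and carries our identity.
func Enroll(ctx context.Context, ca *CA, identity string, wait time.Duration, cb func(int)) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: identity}}, key)
	if err == nil {
		err = ca.Submit(csr)
	}
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool() // the "downloaded" CA is the only issuer we will trust
	roots.AddCert(ca.Cert)
	ctx, cancel := context.WithTimeout(ctx, wait)
	defer cancel()
	for attempt := 1; ; attempt++ {
		cb(attempt)
		der, err := ca.Fetch()
		if err != nil {
			return nil, nil, err
		}
		if der == nil { // not signed yet: back off, giving up once wait has run out
			select {
			case <-ctx.Done():
				return nil, nil, fmt.Errorf("certificate for %s not signed within %s", identity, wait)
			case <-time.After(10 * time.Millisecond):
			}
			continue
		}
		cert, err := x509.ParseCertificate(der)
		if err == nil {
			_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		}
		if err == nil && cert.Subject.CommonName != identity {
			err = fmt.Errorf("CA issued a certificate for %q, not %q", cert.Subject.CommonName, identity)
		}
		return key, cert, err
	}
}

func main() {
	ca, err := NewCA(3) // the operator "signs" on the third download attempt
	if err == nil {
		_, _, err = Enroll(context.Background(), ca, "bob", 5*time.Second, func(n int) {
			fmt.Printf("Attempting to download certificate for bob, try %d.\n", n)
		})
	}
	fmt.Println("enrolment error:", err)
}
```

With signAfter set to 3 the program prints the same three "Attempting to download" lines as the pki-enroll session above and then reports a nil error. Passing a wait shorter than the three polling intervals returns the timeout error instead, which is the outcome an agent sees when nobody runs puppet cert sign before --wait expires; the CA-chain and CommonName checks are what stop a CA that returns somebody else's certificate from being accepted as our identity.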

Directories

Path       Synopsis
filesec    Package filesec provides a manually configurable security Provider. It allows you to set every parameter, like key paths, manually without making any assumptions about your system. It does not support any enrollment.
puppetsec  Package puppetsec provides a Puppet compatible Security Provider. The provider supports enrolling into a Puppet CA by creating a key and CSR, sending it to the PuppetCA and waiting for it to be signed; later it will download the certificate once signed.
