veil

package
v0.0.0-...-abf550e Latest Latest
Published: Jul 2, 2020 License: MPL-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

// HTTP headers carrying the metadata of a KV entry (see KVEntry).
const (
	HeaderMetadataVersion   = "KV-Version"   // version number of the entry
	HeaderMetadataCreatedAt = "KV-CreatedAt" // creation time of the entry (encoding of the value not visible here)
)

KV metadata headers.

// Grant values a policy rule may hold; PolicyRules.Valid presumably checks
// Grants against this set — confirm.
const (
	GrantRead   string = "read"   // read access to the matched path
	GrantWrite  string = "write"  // write access to the matched path
	GrantDelete string = "delete" // delete access to the matched path
	GrantAdmin  string = "admin"  // NOTE(review): whether this implies the other grants is not visible here — confirm
)

Constants used for policies

// Login strategy types; LoginStrategy.Type holds one of these.
const (
	LoginStrategyAPI string = "api" // presumably users managed through the API (see Admin.UsersSet) — confirm
	LoginStrategyAD  string = "ad"  // presumably a directory (AD) backed login — confirm
)

Login Strategies constants

// Peer states as reported in Peer.State by Status.
const (
	PeerLeader  = "leader"  // the peer currently leading the cluster
	PeerMember  = "member"  // a reachable non-leader peer
	PeerOffline = "offline" // a peer that is not reachable
)

Peer statuses

// Types of values a KV entry can hold; KVMetadata.Type carries one of these.
// Order matters: the values are assigned by iota, so do not reorder.
const (
	KVTypeRaw  int = iota // one value, password, string, etc
	KVTypeMap             // map[string]interface{}
	KVTypeFile            // []byte
)

Types of values

// Session headers.
const (
	// HeaderSessionToken presumably carries the session token saved by Login.
	// The token is a bearer credential: whoever holds it can act as that
	// session, so it must only travel over TLS and must not be logged.
	HeaderSessionToken = "X-Session-Token"
)

Session headers.

Variables

HTTP errors returned when found.

Functions

This section is empty.

Types

type APIError

// APIError is the error value built from an API error response. It
// implements the error interface via Error.
type APIError struct {
	Code    int    `json:"code"`             // status code reported by the API (presumably the HTTP status — confirm)
	Message string `json:"message"`          // human-readable description of the error
	Reason  string `json:"reason,omitempty"` // optional extra detail; omitted from JSON when empty
	// contains filtered or unexported fields
}

APIError is the error returned by the API. When an error is returned, we add more information to the error response by wrapping it. It complies with the error interface.

func (APIError) Error

func (a APIError) Error() string

Error returns the error as string

type Admin

// Admin groups the administration calls (client certificates, login
// strategies, policies and users). Obtain one through Veil.Admin.
type Admin struct {
	// contains filtered or unexported fields
}

Admin is the struct that have the client for the administration tasks.

func (*Admin) ClientCertificatesDelete

func (a *Admin) ClientCertificatesDelete(key string, dn bool) (err error)

ClientCertificatesDelete removes the policies attached to a client certificate

func (*Admin) ClientCertificatesGet

func (a *Admin) ClientCertificatesGet(key string, dn bool) (response LoginCertificate, err error)

ClientCertificatesGet returns the policies attached to a client certificate

func (*Admin) ClientCertificatesList

func (a *Admin) ClientCertificatesList() (response map[string]LoginCertificate, err error)

ClientCertificatesList returns the certificates ID and the policies attached

func (*Admin) ClientCertificatesSet

func (a *Admin) ClientCertificatesSet(key string, dn bool, loginCertificate LoginCertificate) (err error)

ClientCertificatesSet creates/updates the policies attached to a client certificate

func (*Admin) LoginStrategiesDelete

func (a *Admin) LoginStrategiesDelete(id string) (err error)

LoginStrategiesDelete removes a login strategy. NOTE: This won't delete its users.

func (*Admin) LoginStrategiesGet

func (a *Admin) LoginStrategiesGet(id string) (response LoginStrategy, err error)

LoginStrategiesGet returns a login strategy and its configuration.

func (*Admin) LoginStrategiesList

func (a *Admin) LoginStrategiesList() (response map[string]LoginStrategy, err error)

LoginStrategiesList returns the defined login strategies

func (*Admin) LoginStrategiesSet

func (a *Admin) LoginStrategiesSet(strategy LoginStrategy) (err error)

LoginStrategiesSet creates/updates a login strategy.

func (*Admin) PoliciesDelete

func (a *Admin) PoliciesDelete(id string) (err error)

PoliciesDelete removes a policy. NOTE: This won't delete its users.

func (*Admin) PoliciesGet

func (a *Admin) PoliciesGet(id string) (response Policy, err error)

PoliciesGet returns a policy and its configuration.

func (*Admin) PoliciesList

func (a *Admin) PoliciesList() (response map[string]Policy, err error)

PoliciesList returns the defined policies.

func (*Admin) PoliciesSet

func (a *Admin) PoliciesSet(policy Policy) (err error)

PoliciesSet creates/updates a policy.

func (*Admin) UsersDelete

func (a *Admin) UsersDelete(strategy, id string) (err error)

UsersDelete removes a user from a strategy

func (*Admin) UsersGet

func (a *Admin) UsersGet(strategy, id string) (response User, err error)

UsersGet returns a user

func (*Admin) UsersList

func (a *Admin) UsersList(strategy string) (response map[string]User, err error)

UsersList returns the defined users

func (*Admin) UsersSet

func (a *Admin) UsersSet(strategy string, user User) (err error)

UsersSet creates/updates a user

type Config

// Config holds the settings New uses to build a Veil client; NewConfig
// returns one populated with defaults.
type Config struct {
	RemoteURLs           []string // server endpoints to contact; NOTE(review): ordering/failover semantics are not visible here
	Certificate          string   // client TLS certificate; whether this is a file path or PEM content is not visible here — confirm
	Key                  string   // client TLS private key; same representation question as Certificate. Secret: keep out of logs
	CACertificate        string   // CA certificate, presumably used to verify the servers — confirm
	TimeoutDialer        int64    // dial timeout, in seconds (see SetConnectionTimeouts)
	TimeoutTLSHandshake  int64    // TLS handshake timeout, in seconds
	TimeoutGlobal        int64    // whole-request HTTP timeout, in seconds
	AllowReadFromBackups bool     // NOTE(review): presumably permits reads from non-leader peers — confirm
}

Config is the struct used to set the configuration of the Veil client

func NewConfig

func NewConfig() Config

NewConfig returns a config with sane defaults

type KVEntry

// KVEntry is a versioned value as exchanged with the API. ResKVEntry has the
// same shape.
type KVEntry struct {
	Version      uint16 `json:"version"`       // version number of this entry
	CreationDate int64  `json:"creation_date"` // creation time; units not stated here (presumably Unix time)
	Data         []byte `json:"data"`          // raw payload; encoding/json transports it as base64
}

KVEntry is the struct that holds the data to return via API

type KVMetadata

// KVMetadata describes a key without carrying its data (see KVList).
type KVMetadata struct {
	Type     int                `json:"type"`     // one of the KVType* constants
	Current  uint16             `json:"current"`  // version number currently served
	Versions map[uint16]Version `json:"versions"` // per-version info keyed by version number; up to 65536 versions
}

KVMetadata contains the information about the key

type LoginCertificate

// LoginCertificate maps a client certificate, identified by its DN, to the
// policies it is granted. Managed through Admin.ClientCertificates*.
type LoginCertificate struct {
	DN       string   `json:"dn" yaml:"dn" validate:"required"` // distinguished name of the client certificate
	Policies []string `json:"policies" yaml:"policies"`         // names of the policies attached to the certificate
}

LoginCertificate is the struct that maps a client certificate to its policies. This struct is used to configure it via the API.

type LoginStrategy

// LoginStrategy is the configuration of one way users can authenticate.
type LoginStrategy struct {
	Name          string                 `json:"name" yaml:"name" validate:"required"`       // strategy identifier; see ValidName
	Type          string                 `json:"type" yaml:"type" validate:"required"`       // strategy type, one of the LoginStrategy* constants: currently 'api', 'ad'
	MaxTTL        int64                  `json:"max_ttl" yaml:"max_ttl" validate:"required"` // maximum time to live a session can have, in seconds; a user can ask for less on session creation
	Policy        LoginStrategyPolicy    `json:"policy" yaml:"policy"`                       // password complexity policy
	Configuration map[string]interface{} `json:"conf" yaml:"conf"`                           // configuration required by the strategy; NOTE(review): may hold secrets (e.g. directory bind credentials) — confirm and keep out of logs
}

LoginStrategy is the representation of the configuration data for a strategy

func (*LoginStrategy) ValidName

func (l *LoginStrategy) ValidName() bool

ValidName returns the validity of a strategy name

type LoginStrategyPolicy

// LoginStrategyPolicy holds the password requirements of a login strategy.
type LoginStrategyPolicy struct {
	MinLength    int  `json:"min_length" yaml:"min_length"`       // minimum password length (characters or bytes — not visible here)
	MaxLength    int  `json:"max_length" yaml:"max_length"`       // maximum password length
	Mixedcase    bool `json:"mixedcase" yaml:"mixedcase"`         // require both upper- and lower-case letters
	Digits       bool `json:"digits" yaml:"digits"`               // require at least one digit
	Symbols      bool `json:"symbols" yaml:"symbols"`             // require at least one symbol
	NoRepetition bool `json:"no_repetition" yaml:"no_repetition"` // NOTE(review): presumably forbids repeated characters; the exact rule is not visible here
}

LoginStrategyPolicy contains the requirements defined for the strategy

type Peer

// Peer describes one server of the cluster as reported by Status.
type Peer struct {
	Endpoint   string `json:"endpoint"`    // address of the peer
	State      string `json:"state"`       // one of the Peer* constants
	LastUpdate int64  `json:"last_update"` // time of the last status update; units not stated here
}

Peer is the struct that holds the information about the endpoints on the cluster

type Policy

// Policy grants permissions per path through its Rules.
type Policy struct {
	Name   string        `json:"name" yaml:"name" validate:"required"` // policy identifier; see ValidName
	Locked bool          `json:"locked" yaml:"locked"`                 // NOTE(review): presumably protects the policy from modification — confirm
	Rules  []PolicyRules `json:"rules" yaml:"rules"`                   // path/grants pairs that make up the policy
}

Policy represents a policy that grants permissions per path. Every policy has many rules.

func (*Policy) ValidName

func (p *Policy) ValidName() bool

ValidName returns the validity of a policy name

type PolicyRules

// PolicyRules is one rule of a Policy: the grants that apply to a path.
type PolicyRules struct {
	Path   string   `json:"path" yaml:"path"`     // path the rule applies to; matching semantics (exact vs prefix) not visible here
	Grants []string `json:"grants" yaml:"grants"` // Grant* values; Valid reports whether they are acceptable
}

PolicyRules defines a rule that a policy matches.

func (*PolicyRules) Valid

func (pr *PolicyRules) Valid() bool

Valid returns true if the grants are correct.

type ReqBootstrap

// ReqBootstrap is the body of a Bootstrap request. It presumably describes
// the first user created on the server — confirm.
type ReqBootstrap struct {
	Username string `json:"username"` // username of the initial user
	Name     string `json:"name"`     // display name of the initial user
	Desc     string `json:"desc"`     // description of the initial user
	Password string `json:"password"` // password of the initial user; secret, keep out of logs
}

ReqBootstrap is the request expected by the API

type ReqSession

// ReqSession is the body sent to create a session (see Login).
type ReqSession struct {
	Entity   string `json:"entity"`   // NOTE(review): presumably the login strategy name — confirm
	Username string `json:"username"` // user to authenticate
	Password string `json:"password"` // credential; secret, keep out of logs
	TTL      int64  `json:"ttl"`      // requested session lifetime in seconds; presumably capped by the strategy's MaxTTL
}

ReqSession is the data the API expects to receive to create a new session

type ReqUnseal

// ReqUnseal is the body of an Unseal request.
type ReqUnseal struct {
	Key string `json:"key"` // one of the key shares that rebuild the master key; secret, keep out of logs
}

ReqUnseal is the request expected by the API. It contains one of the key parts that build the master key.

type ResBootstrap

// ResBootstrap is the answer to Bootstrap. Both fields are secret material:
// they must not be logged and should be stored protected, since the Shares
// are what later unseals the database.
type ResBootstrap struct {
	Masterkey string   `json:"masterkey"` // the master key
	Shares    []string `json:"shares"`    // key shares; one is sent per Unseal request
}

ResBootstrap is the response for a bootstrap request.

type ResKVEntry

// ResKVEntry is the entry returned by KVGet. It has the same shape as
// KVEntry.
type ResKVEntry struct {
	Version      uint16 `json:"version"`       // version number of the entry
	CreationDate int64  `json:"creation_date"` // creation time; units not stated here (presumably Unix time)
	Data         []byte `json:"data"`          // raw payload; encoding/json transports it as base64
}

ResKVEntry is the struct that holds the data to return via API

type ResSession

// ResSession is the answer to a session creation (see Login).
type ResSession struct {
	Token     string `json:"token"`      // session token, presumably presented later in HeaderSessionToken; a bearer credential, keep out of logs
	ExpiresAt int64  `json:"expires_at"` // expiration of the token; units not stated here (presumably Unix time)
}

ResSession is the response for a session.

type ResStatus

// ResStatus is the answer to Status.
type ResStatus struct {
	Sealed     bool   `json:"sealed"`      // true while the database is sealed and the server is not usable
	Version    string `json:"version"`     // server version
	APIVersion int    `json:"api_version"` // API version
	Peers      []Peer `json:"peers"`       // known cluster members and their states
}

ResStatus is the status response of the API.

type ResTemporal

// ResTemporal is the answer to creating a temporal entry: only the new key.
type ResTemporal struct {
	Key string `json:"key"` // key under which the data was stored
}

ResTemporal is the struct returned after a successful creation of a temporal KV; it only returns the new key where the data was stored.

type TemporalConfiguration

// TemporalConfiguration is the configuration of a temporal store.
type TemporalConfiguration struct {
	TTL int64 `json:"ttl"` // lifetime of the entries; units not stated here (presumably seconds, like the other TTLs of this API)
}

TemporalConfiguration is the struct with the data exchanged on the API

type TransitCiphered

// TransitCiphered carries ciphertext: sent to TransitDecrypt, returned by
// TransitEncrypt.
type TransitCiphered struct {
	Data string `json:"ciphered"` // ciphertext as a string; its encoding is not visible here
}

TransitCiphered is used to send and retrieve the ciphered data (string to send to decrypt, string to retrieve data encrypted)

type TransitValue

// TransitValue carries plaintext: sent to TransitEncrypt, returned by
// TransitDecrypt.
type TransitValue struct {
	Data []byte `json:"data"` // plaintext bytes; sensitive, keep out of logs
}

TransitValue is used to send and retrieve the value to cipher (raw to send to encrypt, raw to retrieve data decrypted)

type User

// User is the API representation of a user of a login strategy.
type User struct {
	Username    string   `json:"username" yaml:"username" validate:"required"` // (required) Username; see ValidUsername
	Name        string   `json:"name" yaml:"name" validate:"required"`         // (required) Name of the user
	Description string   `json:"desc,omitempty" yaml:"desc,omitempty"`         // (optional) Description
	Password    string   `json:"password,omitempty" yaml:"password,omitempty"` // (optional) Sets the password via the API; also carries a generated password in responses, so treat decoded values as secrets
	Policies    []string `json:"policies" yaml:"policies"`                     // Names of the policies granted to the user
}

User is the representation of a user in the API.

func (*User) ValidUsername

func (u *User) ValidUsername() bool

ValidUsername returns whether the username is valid.

type Veil

// Veil is the client for the veil servers. Build it with New, use Admin for
// the administration calls; it keeps the session token saved by Login.
type Veil struct {
	// contains filtered or unexported fields
}

Veil holds all the functions to interact with veil servers

func New

func New(config Config) *Veil

New returns a configured Veil client

func (*Veil) Admin

func (v *Veil) Admin() *Admin

Admin returns the admin functions

func (*Veil) Bootstrap

func (v *Veil) Bootstrap(request ReqBootstrap) (response ResBootstrap, err error)

Bootstrap sends a bootstrap request to the server. If the operation completes correctly it returns a set of keys to unseal the database. This endpoint must be hidden from the outside world.

func (*Veil) Delete

func (v *Veil) Delete(parts []string, queryOptions, response interface{}, headers map[string]string, expectedErrorCode int, secure bool) error

Delete sends a DELETE request to the API. parts = parts of the path of the request on the API; queryOptions = params to pass on the URL, nil if none; response = pointer to object to fill with the answer, if any; headers = map of headers to send; expectedErrorCode = what the server must return to us to know the response is the expected one.

func (*Veil) Get

func (v *Veil) Get(parts []string, queryOptions, response interface{}, headers map[string]string, expectedErrorCode int, secure bool) error

Get sends a GET request to the API. parts = parts of the path of the request on the API; queryOptions = params to pass on the URL, nil if none; response = pointer to object to fill with the answer, if any; headers = map of headers to send; expectedErrorCode = what the server must return to us to know the response is the expected one.

func (*Veil) KVDelete

func (v *Veil) KVDelete(bucket, key string, version uint16) error

KVDelete removes an entry on the key/value storage

func (*Veil) KVGet

func (v *Veil) KVGet(bucket, key string, version uint16, overlayArr []string, resolve bool) (response ResKVEntry, err error)

KVGet returns the entry in the key/value storage

func (*Veil) KVList

func (v *Veil) KVList(bucket, prefix string) (response map[string]KVMetadata, err error)

KVList returns the entries found under <bucket>:<prefix> in the key/value storage

func (*Veil) KVSet

func (v *Veil) KVSet(bucket, key string, request interface{}) (err error)

KVSet creates/updates an entry on the key/value storage

func (*Veil) Login

func (v *Veil) Login(entity, username, password string, ttl int64) error

Login sends a login request to the API, saving the session token if the credentials are correct.

func (*Veil) Logoff

func (v *Veil) Logoff() (err error)

Logoff removes the session from the API and the token from the client if successful

func (*Veil) Seal

func (v *Veil) Seal() error

Seal sends a seal request to the API to close the database. It will need to be unsealed to make the server usable again. This endpoint must be hidden from the outside world.

func (*Veil) SessionExpiresAt

func (v *Veil) SessionExpiresAt() int64

SessionExpiresAt returns current token expiration

func (*Veil) SessionExpiresAtSet

func (v *Veil) SessionExpiresAtSet(expiresAt int64)

SessionExpiresAtSet allows setting a token expiration directly.

func (*Veil) SessionToken

func (v *Veil) SessionToken() string

SessionToken returns current token if any

func (*Veil) SessionTokenSet

func (v *Veil) SessionTokenSet(token string)

SessionTokenSet allows setting a token directly.

func (*Veil) Set

func (v *Veil) Set(isPost bool, parts []string, queryOptions, request, response interface{}, headers map[string]string, expectedErrorCode int, secure bool) (location string, err error)

Set allows posting/putting data on the API. isPost = true to POST data, false to PUT; parts = parts of the path of the request on the API; queryOptions = params to pass on the URL, nil if none; request = object to send; response = pointer to object to fill with the answer, if any; headers = map of headers to send; expectedErrorCode = what the server must return to us to know the response is the expected one.

func (*Veil) SetConnectionTimeouts

func (v *Veil) SetConnectionTimeouts(certificate, key, caCertificate string, dialer, tlsHandshake, timeout int64) error

SetConnectionTimeouts allows changing the client timeouts (in seconds) and configures the HTTP client: Dialer — timeout to reach the server; TLS Handshake — timeout for exchanging keys; HTTP Timeout — how long a request may take in total.

func (*Veil) Status

func (v *Veil) Status(remoteURL string) (response ResStatus, err error)

Status returns the current status of the API

func (*Veil) TemporalConfigurationDelete

func (v *Veil) TemporalConfigurationDelete(bucket string) error

TemporalConfigurationDelete deletes a temporal store

func (*Veil) TemporalConfigurationGet

func (v *Veil) TemporalConfigurationGet(bucket string) (temporalConfiguration TemporalConfiguration, err error)

TemporalConfigurationGet retrieves a temporal store configuration

func (*Veil) TemporalConfigurationSet

func (v *Veil) TemporalConfigurationSet(bucket string, temporalConfiguration TemporalConfiguration) (err error)

TemporalConfigurationSet creates/updates a temporal store configuration

func (*Veil) TemporalCreate

func (v *Veil) TemporalCreate(bucket string, data []byte) (id string, err error)

TemporalCreate creates a new entry on a temporal store, returns id (from location) and error (if any)

func (*Veil) TemporalGet

func (v *Veil) TemporalGet(bucket, id string) (data []byte, err error)

TemporalGet gets a temporal item knowing bucket and id

func (*Veil) TransitDecrypt

func (v *Veil) TransitDecrypt(bucket, value string) (response TransitValue, err error)

TransitDecrypt sends the ciphered value to decrypt, returning the raw data.

func (*Veil) TransitEncrypt

func (v *Veil) TransitEncrypt(bucket string, value []byte) (response TransitCiphered, err error)

TransitEncrypt sends the raw value to encrypt, returning it ciphered.

func (*Veil) Unseal

func (v *Veil) Unseal(request ReqUnseal, response *ResStatus) (err error)

Unseal sends a request to unseal the database by sending one of the shared keys that build the master key used to start operating the database and the API. A server needs to be unsealed to open the encrypted database. This endpoint must be hidden from the outside world.

type Version

// Version is the per-version record kept in KVMetadata.Versions.
type Version struct {
	CreationDate int64 `json:"creation_date"` // creation time; units not stated here
	Deleted      bool  `json:"deleted"`       // true when this version has been removed (see KVDelete)
}

Version contains the information of a version of a value
