Documentation
¶
Overview ¶
Package s3 defines the shared wire types for the Hilt S3 tenant-management UCAN API (the `/s3/...` commands). The individual commands live in the request and bucket subpackages; this package holds the types shared across them.
PermissionSet, KeySet and ProofSet carry maps whose values are lists (e.g. map[did.DID][]string). The cbor-gen / dag-json-gen code generators do not support slice-valued maps, so these three types have hand-written codecs (see codec.go). They are defined as structs wrapping a map so that structs embedding them (AuthorizeOK, InfoOK) can still be generated as usual.
Index ¶
Constants ¶
const ( KeyKindSigV4 = "sigv4" KeyKindSigV4a = "sigv4a" )
KeyKind identifies the signing scheme of a derived VerificationKey.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type KeySet ¶
type KeySet struct {
Entries map[did.DID][]VerificationKey
}
KeySet maps an access key DID to its derived signing keys. Hilt returns the key kind matching the request signature and MAY include the other kind. The DID is encoded as the (string) map key on the wire. See PermissionSet for why this is a struct wrapping a map.
type PermissionSet ¶
PermissionSet maps an access key DID to the list of S3 permission strings (e.g. "s3:GetObject") granted to it. The DID is encoded as the (string) map key on the wire.
It is a struct wrapping the map (rather than a named map type) so that structs embedding it can be generated by cbor-gen / dag-json-gen, which delegate to a struct field's MarshalCBOR but cannot generate a (slice-valued) map field inline. On the wire it encodes as the bare map, not as an object with an "entries" key.
func (PermissionSet) MarshalCBOR ¶
func (t PermissionSet) MarshalCBOR(w io.Writer) error
func (PermissionSet) MarshalDagJSON ¶
func (t PermissionSet) MarshalDagJSON(w io.Writer) error
func (*PermissionSet) UnmarshalCBOR ¶
func (t *PermissionSet) UnmarshalCBOR(r io.Reader) error
func (*PermissionSet) UnmarshalDagJSON ¶
func (t *PermissionSet) UnmarshalDagJSON(r io.Reader) error
type ProofSet ¶
ProofSet maps a delegation CID to a proof chain: the list of delegation CIDs that make up the chain. In the initial implementation a chain holds a single delegation, but it is modeled as a list to allow more in the future. The CID is encoded as the (string) map key on the wire; the chain entries are encoded as CID links. See PermissionSet for why this is a struct wrapping a map.
type Request ¶
type Request struct {
Method string `cborgen:"method" dagjsongen:"method"`
Headers map[string]string `cborgen:"headers" dagjsongen:"headers"`
URL string `cborgen:"url" dagjsongen:"url"`
}
Request is an AWS S3 API request as forwarded by Ingot to Hilt. It carries enough of the original HTTP request (method, headers and URL) for Hilt to verify the SigV4/SigV4a signature and determine the requested S3 action.
type VerificationKey ¶
type VerificationKey struct {
Kind string `cborgen:"kind" dagjsongen:"kind"`
Data []byte `cborgen:"data" dagjsongen:"data"`
}
VerificationKey is a SigV4/SigV4a derived signing key returned by Hilt so that Ingot can verify request signatures locally. Kind is one of KeyKindSigV4 or KeyKindSigV4a.
func (*VerificationKey) MarshalCBOR ¶
func (t *VerificationKey) MarshalCBOR(w io.Writer) error
func (*VerificationKey) MarshalDagJSON ¶
func (t *VerificationKey) MarshalDagJSON(w io.Writer) error
func (*VerificationKey) UnmarshalCBOR ¶
func (t *VerificationKey) UnmarshalCBOR(r io.Reader) (err error)
func (*VerificationKey) UnmarshalDagJSON ¶
func (t *VerificationKey) UnmarshalDagJSON(r io.Reader) (err error)