Documentation
Index ¶
- Constants
- Variables
- func ConvertToAuditKasPolicy(policy Policy) audit.KasPolicy
- type AdditionalRewrapContext
- type Attribute
- type CurrentKeyFor
- type Error
- type KASConfig
- type KeyAccess
- type ObligationCtx
- type PDPAccessResult
- type Policy
- type PolicyBody
- type Preview
- type Provider
- func (p *Provider) ApplyConfig(cfg KASConfig, securityCfg *config.SecurityConfig)
- func (p *Provider) IsReady(ctx context.Context) error
- func (p *Provider) LegacyPublicKey(ctx context.Context, req *connect.Request[kaspb.LegacyPublicKeyRequest]) (*connect.Response[wrapperspb.StringValue], error)
- func (p *Provider) PublicKey(ctx context.Context, req *connect.Request[kaspb.PublicKeyRequest]) (*connect.Response[kaspb.PublicKeyResponse], error)
- func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.RewrapRequest]) (*connect.Response[kaspb.RewrapResponse], error)
- func (p *Provider) SecurityConfig() *config.SecurityConfig
- type RequestBody
- type SignedRequestBody
Constants ¶
// Errors raised while evaluating an access decision. Each is a typed Error
// constant so callers can compare with == or errors.Is.
const (
	// ErrPolicyDissemInvalid is returned when a policy's dissemination ("dissem")
	// list is not valid for the request; the exact check lives elsewhere in the package.
	ErrPolicyDissemInvalid = Error("policy dissem invalid")
	// ErrDecisionUnexpected is returned when an authorization decision is not of
	// the expected form.
	ErrDecisionUnexpected = Error("authorization decision unexpected")
	// ErrDecisionCountUnexpected is returned when the number of authorization
	// decisions received is not the number expected.
	ErrDecisionCountUnexpected = Error("authorization decision count unexpected")
)
// Errors for the key-material backend and service configuration.
const (
	// ErrHSM is returned for an unexpected failure from the HSM / crypto backend.
	ErrHSM = Error("hsm unexpected")
	// ErrConfig is returned when the KAS configuration is invalid.
	ErrConfig = Error("invalid config")
)
// Errors raised while serving public key material.
const (
	// ErrCertificateEncode is returned when a certificate cannot be encoded for output.
	ErrCertificateEncode = Error("certificate encode error")
	// ErrPublicKeyMarshal is returned when a public key cannot be marshalled for output.
	ErrPublicKeyMarshal = Error("public key marshal error")
)
// Coarse error classes used to separate caller mistakes from server faults.
const (
	// ErrUser denotes a problem attributable to the caller's request.
	ErrUser = Error("request error")
	// ErrInternal denotes a server-side failure; its deliberately generic
	// message keeps internal detail out of client-facing responses.
	ErrInternal = Error("internal error")
	// ErrNanoTDFPolicyModeUnsupported is returned when a NanoTDF header
	// specifies a policy mode this service does not handle.
	ErrNanoTDFPolicyModeUnsupported = Error("unsupported policy mode")
)
Variables ¶
// Errors raised while reading the AdditionalRewrapContext carried by a rewrap request.
var (
	// ErrDecodingRewrapContext is returned when the additional rewrap context
	// cannot be decoded from its wire encoding.
	ErrDecodingRewrapContext = errors.New("failed to decode additional rewrap context")
	// ErrUnmarshalingRewrapContext is returned when the decoded bytes cannot be
	// unmarshalled into AdditionalRewrapContext.
	ErrUnmarshalingRewrapContext = errors.New("failed to unmarshal additional rewrap context")
)
Functions ¶
func ConvertToAuditKasPolicy ¶ added in v0.4.6
ConvertToAuditKasPolicy is an audit helper that converts a Policy into an audit.KasPolicy.
Types ¶
type AdditionalRewrapContext ¶ added in v0.11.0
// AdditionalRewrapContext is the optional extra context attached to a rewrap
// request (presumably supplied by the requester). ErrDecodingRewrapContext and
// ErrUnmarshalingRewrapContext are the errors raised while reading it.
type AdditionalRewrapContext struct {
	// Obligations carries the obligation context for the request.
	Obligations ObligationCtx `json:"obligations"`
}
type CurrentKeyFor ¶ added in v0.4.7
type CurrentKeyFor struct {
	// Algorithm names the key algorithm this entry applies to.
	Algorithm string `mapstructure:"alg" json:"alg"`
	// KID is the identifier of the key to use for Algorithm.
	KID string `mapstructure:"kid" json:"kid"`
	// Legacy indicates that the key should not be served by default,
	// but instead is allowed for legacy reasons on decrypt (rewrap) only.
	Legacy bool `mapstructure:"legacy" json:"legacy"`
}
CurrentKeyFor specifies the preferred/default key for a given algorithm type.
type KASConfig ¶ added in v0.4.7
// KASConfig is the KAS-specific service configuration. It is loaded via
// mapstructure and also carries json tags, so be aware that marshalling it
// exposes every field, including RootKey.
type KASConfig struct {
	// Keyring lists which keys are currently the default (see CurrentKeyFor).
	Keyring []CurrentKeyFor `mapstructure:"keyring" json:"keyring"`
	// ECCertID is presumably the identifier of the EC certificate from older
	// configurations.
	//
	// Deprecated: see Keyring and UpgradeMapToKeyring.
	ECCertID string `mapstructure:"eccertid" json:"eccertid"`
	// RSACertID is presumably the identifier of the RSA certificate from older
	// configurations.
	//
	// Deprecated: see Keyring and UpgradeMapToKeyring.
	RSACertID string `mapstructure:"rsacertid" json:"rsacertid"`
	// RootKey is secret material. It carries a json tag, so serializing a
	// KASConfig (for diagnostics, logging, or an API response) would emit it
	// verbatim; never marshal this struct onto an untrusted path.
	RootKey string `mapstructure:"root_key" json:"root_key"`
	// KeyCacheExpiration bounds how long cached keys are kept; the cache that
	// consumes it is not part of this declaration.
	KeyCacheExpiration time.Duration `mapstructure:"key_cache_expiration" json:"key_cache_expiration"`
	// ECTDFEnabled enables experimental EC rewrap support in TDFs.
	// Enabling is required to parse KAOs with the `ec-wrapped` type,
	// and (currently) also enables responding with ECIES encrypted responses.
	//
	// Deprecated: this flag is marked deprecated; the declaration names no replacement.
	ECTDFEnabled bool `mapstructure:"ec_tdf_enabled" json:"ec_tdf_enabled"`
	// Preview holds the Preview configuration block.
	Preview Preview `mapstructure:"preview" json:"preview"`
	// RegisteredKASURI is the URI this KAS is registered under; presumably the
	// value policy and clients refer to this service by -- confirm against callers.
	RegisteredKASURI string `mapstructure:"registered_kas_uri" json:"registered_kas_uri"`
}
func (*KASConfig) UpgradeMapToKeyring ¶ added in v0.4.39
func (kasCfg *KASConfig) UpgradeMapToKeyring(c *security.StandardCrypto)
type KeyAccess ¶ added in v0.4.7
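// KeyAccess is the JSON form of a key access object (KAO) as received from a
// client. Every field is untrusted input until validated by the handler.
// PolicyBinding is typed as any (the file already uses generics, so the alias is
// available) because its wire shape is not fixed by this declaration.
type KeyAccess struct {
	// EncryptedMetadata is the optional encrypted metadata blob, as sent on the wire.
	EncryptedMetadata string `json:"encryptedMetadata,omitempty"`
	// PolicyBinding binds the key to the policy; its shape varies (presumably a
	// string or an object) -- confirm against the KAO parser before asserting a type.
	PolicyBinding any `json:"policyBinding,omitempty"`
	// Protocol names the key access protocol.
	Protocol string `json:"protocol"`
	// Type is the KAO type (for example the `ec-wrapped` type mentioned on KASConfig.ECTDFEnabled).
	Type string `json:"type"`
	// URL is the KAS URL the KAO refers to.
	URL string `json:"url"`
	// KID optionally identifies the KAS key the payload was wrapped with.
	KID string `json:"kid,omitempty"`
	// SID optionally identifies the split the KAO belongs to.
	SID string `json:"sid,omitempty"`
	// WrappedKey is the wrapped key; encoding/json carries []byte as base64 text.
	WrappedKey []byte `json:"wrappedKey,omitempty"`
	// Header is an optional header blob; encoding/json carries []byte as base64 text.
	Header []byte `json:"header,omitempty"`
	// Algorithm optionally names the wrapping algorithm.
	Algorithm string `json:"algorithm,omitempty"`
	// EphemeralPublicKey is the optional client ephemeral public key used by EC wrapping.
	EphemeralPublicKey string `json:"ephemeralPublicKey,omitempty"`
}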
type ObligationCtx ¶ added in v0.11.0
// ObligationCtx carries obligation information supplied alongside a rewrap request.
type ObligationCtx struct {
	// FulfillableFQNs lists the fully qualified names of obligations the
	// requester states it can fulfil; presumably consulted by the access
	// decision -- confirm against the PDP code.
	FulfillableFQNs []string `json:"fulfillableFQNs,omitempty"`
}
type PDPAccessResult ¶ added in v0.4.38
type Policy ¶
// Policy pairs a policy identifier with its PolicyBody.
type Policy struct {
	// UUID uniquely identifies the policy.
	UUID uuid.UUID `json:"uuid"`
	// Body holds the policy contents.
	Body PolicyBody `json:"body"`
}
type PolicyBody ¶
type Provider ¶
// Provider implements the KAS access service (it embeds kaspb.AccessServiceServer)
// and carries the SDK, key, logging and configuration dependencies the handlers use.
type Provider struct {
	kaspb.AccessServiceServer
	// SDK is the OpenTDF SDK client used by the service.
	SDK *otdf.SDK
	// AttributeSvc is the URL of the attribute service.
	AttributeSvc *url.URL
	// KeyDelegator routes key operations through the trust delegating key service.
	KeyDelegator *trust.DelegatingKeyService
	// Deprecated: Use SecurityProvider instead
	CryptoProvider *security.StandardCrypto // Kept for backward compatibility
	// Logger is the service logger.
	Logger *logger.Logger
	// Config is the generic service configuration; KAS-specific settings live
	// in the embedded KASConfig.
	Config *config.ServiceConfig
	// KASConfig is embedded so its fields are addressable directly on the
	// Provider; ApplyConfig stores the latest value.
	KASConfig
	// Tracer is the embedded tracer from package trace.
	trace.Tracer
	// contains filtered or unexported fields
}
func (*Provider) ApplyConfig ¶ added in v0.11.4
func (p *Provider) ApplyConfig(cfg KASConfig, securityCfg *config.SecurityConfig)
ApplyConfig stores the latest KAS configuration, tracks the associated security overrides, and emits a warning when the configured clock skew exceeds the default.
func (*Provider) LegacyPublicKey ¶
func (p *Provider) LegacyPublicKey(ctx context.Context, req *connect.Request[kaspb.LegacyPublicKeyRequest]) (*connect.Response[wrapperspb.StringValue], error)
func (*Provider) SecurityConfig ¶ added in v0.11.4
func (p *Provider) SecurityConfig() *config.SecurityConfig
SecurityConfig exposes the most recent security configuration captured via ApplyConfig.
type RequestBody ¶
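// RequestBody is the decoded body of a key access request (see also
// SignedRequestBody, which carries it in encoded form). Its fields are
// client-supplied and must be treated as untrusted input. PublicKey is typed
// as any (the file already uses generics, so the alias is available).
type RequestBody struct {
	// AuthToken is the caller's token carried in the body. It is a credential:
	// do not log or echo the whole struct.
	AuthToken string `json:"authToken"`
	// KeyAccess is the key access object the caller asks to have rewrapped.
	KeyAccess KeyAccess `json:"keyAccess"`
	// Policy is the optional policy the key access object is bound to; its
	// encoding is not fixed by this declaration.
	Policy string `json:"policy,omitempty"`
	// Algorithm optionally names the key algorithm for the request.
	Algorithm string `json:"algorithm,omitempty"`
	// ClientPublicKey is the caller's public key, as supplied on the wire
	// (presumably PEM -- confirm with the parser), used to wrap the response.
	ClientPublicKey string `json:"clientPublicKey"`
	// PublicKey is excluded from JSON (tag "-") and is populated in code,
	// presumably with the parsed form of ClientPublicKey -- confirm against the handler.
	PublicKey any `json:"-"`
	// SchemaVersion optionally identifies the request schema version.
	SchemaVersion string `json:"schemaVersion,omitempty"`
}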
type SignedRequestBody ¶ added in v0.4.1
// SignedRequestBody is the wire form of a request whose body arrives as a single
// string; presumably a signed/encoded RequestBody (e.g. a JWT) -- confirm with
// the rewrap handler.
type SignedRequestBody struct {
	// RequestBody is the encoded request body, presumably verified before it is decoded.
	RequestBody string `json:"requestBody"`
}