Update keystore client

3a27b01f · ale · bcc3b0e8 · 3a27b01f · 3a27b01f · 3a27b01f
Commit 3a27b01f authored Feb 16, 2018 by ale
4 changed files
--- a/vendor/git.autistici.org/id/keystore/LICENSE
+++ b/vendor/git.autistici.org/id/keystore/LICENSE
--- a/vendor/git.autistici.org/id/keystore/README.md
+++ b/vendor/git.autistici.org/id/keystore/README.md
@@ -27,14 +27,17 @@ similarly JSON-encoded.
 Retrieve the encrypted key for a user, decrypt it with the provided
 password, and store it in memory.

-OpenRequest is an object with the
-following attributes:
+OpenRequest is an object with the following attributes:

 * `username`
 * `password` to decrypt the user's key with
 * `ttl` (seconds) time after which the credentials are automatically
  forgotten

+If the user has no encrypted keys in the database, the request will
+still return successfully: no action will be performed, and no errors
+will be returned.
+
 `/api/get` (*GetRequest*) -> *GetResponse*

 Retrieve the key for a user. GetRequest must contain the following
@@ -49,3 +52,65 @@ a single attribute *key*.
 `/api/close` (*CloseRequest*)

 Forget the key for a given user.
+
+# Dovecot integration
+
+The final consumer for user encryption keys is the Dovecot
+service. The *dovecot-keylookupd* daemon can read the user public and
+private keys from LDAP, and serve the *unencrypted* keys to Dovecot
+using its [dict proxy
+protocol](https://wiki2.dovecot.org/AuthDatabase/Dict).
+
+TODO: explain the lookup protocol.
+
+# Configuration
+
+The *keystored* daemon loads its configuration from a YAML-encoded
+file, */etc/keystore/config.yml* by default. It can contain the
+following attributes:
+
+* `sso_public_key_file`: path to the SSO Ed25519 public key
+* `sso_service`: SSO service for this application
+* `sso_domain`: SSO domain
+* `ldap`: LDAP backend configuration
+  * `uri`: LDAP server URI
+  * `bind_dn`: bind DN (for simple bind, SASL is not supported)
+  * `bind_pw`: bind password
+  * `bind_pw_file`: bind password (load from this file), in
+    alternative to *bind_pw*
+  * `query`: Parameters for the LDAP search query
+    * `search_base`: base DN for the search
+    * `search_filter`: search filter. The filter string may contain a
+      literal `%s` token somewhere, that will be replaced with the
+      (escaped) username.
+    * `scope`: search scope, one of *sub* (default), *one* or *base*
+    * `public_key_attr`: attribute that contains the user's public key
+    * `private_key_attr`: attribute that contains the user's encrypted
+      key(s)
+* `http_server`: HTTP server configuration
+  * `tls`: contains the server-side TLS configuration:
+    * `cert`: path to the server certificate
+    * `key`: path to the server's private key
+    * `ca`: path to the CA used to validate clients
+    * `acl`: specifies TLS-based access controls, a list of entries
+      with the following attributes:
+      * `path`: regular expression to match the request URL path
+      * `cn`: regular expression that must match the CommonName part
+        of the subject of the client certificate
+  * `max_inflight_requests`: maximum number of in-flight requests to
+    allow before server-side throttling kicks in
+
+The *dovecot-keylookupd* daemon uses a similar configuration, read by
+default from */etc/keystore/dovecot.yml*:
+
+* `ldap`: LDAP backend configuration, see above
+* `keystore`: configures the connection to the keystore service
+  * `url`: URL for the keystore service
+  * `sharded`: if true, requests to the keystore service will be
+    partitioned according to the user's *shard* attribute
+  * `tls_config`: client TLS configuration
+    * `cert`: path to the client certificate
+    * `key`: path to the private key
+    * `ca`: path to the CA used to validate the server
+* `shard`: shard identifier for the local host. Must be set if
+  keystore.sharded is true.
--- a/vendor/git.autistici.org/id/keystore/client/client.go
+++ b/vendor/git.autistici.org/id/keystore/client/client.go
@@ -45,7 +45,7 @@ func (c *ksClient) Get(ctx context.Context, shard, username, ssoTicket string) (
 		SSOTicket: ssoTicket,
 	}
 	var resp keystore.GetResponse
-	err := clientutil.DoJSONHTTPRequest(ctx, c.be.Client(shard), c.be.URL(shard)+"/api/get", &req, &resp)
+	err := clientutil.DoJSONHTTPRequest(ctx, c.be.Client(shard), c.be.URL(shard)+"/api/get_key", &req, &resp)
 	return resp.Key, err
 }


--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -33,16 +33,16 @@
 			"revisionTime": "2017-12-17T09:15:51Z"
 		},
 		{
-			"checksumSHA1": "3alRLG3a43ORlVZyfQc/JsT0KtI=",
+			"checksumSHA1": "Byt5J619jXGr+VBTp6HlFQybWM4=",
 			"path": "git.autistici.org/id/keystore",
-			"revision": "b09f1210471f6a60402e8ced4783be3889a4074f",
-			"revisionTime": "2017-12-15T13:50:57Z"
+			"revision": "3396b96b8dac3be8ea1718b89d6e6678daa75eb5",
+			"revisionTime": "2018-02-16T18:04:07Z"
 		},
 		{
-			"checksumSHA1": "MgtHklQMI/3fNcZZzkg+fmQUrCQ=",
+			"checksumSHA1": "VlEW+yMUPGk0Fc5PKfya2kXwHWo=",
 			"path": "git.autistici.org/id/keystore/client",
-			"revision": "ae260514708a9eb3e81b554e1b7b2c65ef802584",
-			"revisionTime": "2017-12-17T21:51:41Z"
+			"revision": "3396b96b8dac3be8ea1718b89d6e6678daa75eb5",
+			"revisionTime": "2018-02-16T18:04:07Z"
 		},
 		{
 			"checksumSHA1": "usT4LCSQItkFvFOQT7cBlkCuGaE=",