id / go-sso · Commits · 3a27b01f
Commit 3a27b01f authored Feb 16, 2018 by ale
Update keystore client
parent bcc3b0e8
Pipeline #889 passed with stages in 1 minute and 8 seconds
Showing 4 changed files with 748 additions and 9 deletions

vendor/git.autistici.org/id/keystore/LICENSE (+674 -0)
vendor/git.autistici.org/id/keystore/README.md (+67 -2)
vendor/git.autistici.org/id/keystore/client/client.go (+1 -1)
vendor/vendor.json (+6 -6)
vendor/git.autistici.org/id/keystore/LICENSE
0 → 100644
vendor/git.autistici.org/id/keystore/README.md
@@ -27,14 +27,17 @@ similarly JSON-encoded.
Retrieve the encrypted key for a user, decrypt it with the provided
password, and store it in memory.
OpenRequest is an object with the
following attributes:
OpenRequest is an object with the following attributes:
*
`username`
*
`password`
to decrypt the user's key with
*
`ttl`
(seconds) time after which the credentials are automatically
forgotten
If the user has no encrypted keys in the database, the request will
still return successfully: no action will be performed, and no errors
will be returned.
`/api/get`
(
*GetRequest*
) ->
*GetResponse*
Retrieve the key for a user. GetRequest must contain the following
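Review bot: the `ttl` attribute added to OpenRequest is documented only as "(seconds) time after which the credentials are automatically forgotten", with no default and no upper bound; since it decides how long a decrypted private key stays resident in keystored's memory, the README should say what happens when `ttl` is omitted or zero and whether the server caps it. Separately, the sentence that the request "will still return successfully" when the user has no encrypted keys means a caller cannot tell "key cached" from "nothing to cache"; documenting a response field, or at least a server-side log line, would make a user whose key is missing from LDAP detectable instead of silently unencrypted.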
@@ -49,3 +52,65 @@ a single attribute *key*.
`/api/close`
(
*CloseRequest*
)
Forget the key for a given user.
# Dovecot integration
The final consumer for user encryption keys is the Dovecot
service. The
*dovecot-keylookupd*
daemon can read the user public and
private keys from LDAP, and serve the
*unencrypted*
keys to Dovecot
using its
[
dict proxy
protocol
](
https://wiki2.dovecot.org/AuthDatabase/Dict
)
.
TODO: explain the lookup protocol.
# Configuration
The
*keystored*
daemon loads its configuration from a YAML-encoded
file,
*/etc/keystore/config.yml*
by default. It can contain the
following attributes:
*
`sso_public_key_file`
: path to the SSO Ed25519 public key
*
`sso_service`
: SSO service for this application
*
`sso_domain`
: SSO domain
*
`ldap`
: LDAP backend configuration
*
`uri`
: LDAP server URI
*
`bind_dn`
: bind DN (for simple bind, SASL is not supported)
*
`bind_pw`
: bind password
*
`bind_pw_file`
: bind password (load from this file), in
alternative to
*bind_pw*
*
`query`
: Parameters for the LDAP search query
*
`search_base`
: base DN for the search
*
`search_filter`
: search filter. The filter string may contain a
literal
`%s`
token somewhere, that will be replaced with the
(escaped) username.
*
`scope`
: search scope, one of
*sub*
(default),
*one*
or
*base*
*
`public_key_attr`
: attribute that contains the user's public key
*
`private_key_attr`
: attribute that contains the user's encrypted
key(s)
*
`http_server`
: HTTP server configuration
*
`tls`
: contains the server-side TLS configuration:
*
`cert`
: path to the server certificate
*
`key`
: path to the server's private key
*
`ca`
: path to the CA used to validate clients
*
`acl`
: specifies TLS-based access controls, a list of entries
with the following attributes:
*
`path`
: regular expression to match the request URL path
*
`cn`
: regular expression that must match the CommonName part
of the subject of the client certificate
*
`max_inflight_requests`
: maximum number of in-flight requests to
allow before server-side throttling kicks in
The
*dovecot-keylookupd*
daemon uses a similar configuration, read by
default from
*/etc/keystore/dovecot.yml*
:
*
`ldap`
: LDAP backend configuration, see above
*
`keystore`
: configures the connection to the keystore service
*
`url`
: URL for the keystore service
*
`sharded`
: if true, requests to the keystore service will be
partitioned according to the user's
*shard*
attribute
*
`tls_config`
: client TLS configuration
*
`cert`
: path to the client certificate
*
`key`
: path to the private key
*
`ca`
: path to the CA used to validate the server
*
`shard`
: shard identifier for the local host. Must be set if
keystore.sharded is true.
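Review bot: the `acl` entries describe `path` as "regular expression to match the request URL path" and `cn` as "regular expression that must match the CommonName", but not whether the match is anchored to the whole string; without that, a pattern meant for one client CN also accepts any longer CN that contains it as a substring. The README should state the match semantics (full match versus substring search) and show anchored patterns (`^...$`) in its example. Two smaller points in the same hunk: `bind_pw` and `bind_pw_file` are listed as equal alternatives, whereas pointing readers to `bind_pw_file` keeps the LDAP bind password out of config.yml; and the "TODO: explain the lookup protocol." placeholder under Dovecot integration leaves undocumented how the *unencrypted* keys served over the dict proxy protocol are protected. This is upstream's README, so the fix belongs there, but the gaps are worth recording for the go-sso deployment notes.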
vendor/git.autistici.org/id/keystore/client/client.go
@@ -45,7 +45,7 @@ func (c *ksClient) Get(ctx context.Context, shard, username, ssoTicket string) (
SSOTicket
:
ssoTicket
,
}
var
resp
keystore
.
GetResponse
err
:=
clientutil
.
DoJSONHTTPRequest
(
ctx
,
c
.
be
.
Client
(
shard
),
c
.
be
.
URL
(
shard
)
+
"/api/get"
,
&
req
,
&
resp
)
err
:=
clientutil
.
DoJSONHTTPRequest
(
ctx
,
c
.
be
.
Client
(
shard
),
c
.
be
.
URL
(
shard
)
+
"/api/get
_key
"
,
&
req
,
&
resp
)
return
resp
.
Key
,
err
}
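Review bot: the Get call changes its endpoint from "/api/get" to "/api/get_key", but the README vendored in this same commit still documents `/api/get` (*GetRequest*) -> *GetResponse* alongside `/api/open` and `/api/close` without any `_key` suffix, so the vendored docs and client now disagree; confirm which path the keystored server at revision 3396b96b8dac3be8ea1718b89d6e6678daa75eb5 actually serves and fix the README upstream, or note the rename in the commit message ("Update keystore client" does not mention a path change). Also, `return resp.Key, err` hands back whatever DoJSONHTTPRequest left in resp.Key together with a non-nil err; if the body was partially decoded before the error, a caller that ignores err gets a possibly non-empty key, so returning "" explicitly when err != nil would be safer.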
vendor/vendor.json
@@ -33,16 +33,16 @@
"revisionTime"
:
"2017-12-17T09:15:51Z"
},
{
"checksumSHA1"
:
"
3alRLG3a43ORlVZyfQc/JsT0KtI
="
,
"checksumSHA1"
:
"
Byt5J619jXGr+VBTp6HlFQybWM4
="
,
"path"
:
"git.autistici.org/id/keystore"
,
"revision"
:
"
b09f1210471f6a60402e8ced4783be3889a4074f
"
,
"revisionTime"
:
"201
7-1
2-1
5
T1
3:50:5
7Z"
"revision"
:
"
3396b96b8dac3be8ea1718b89d6e6678daa75eb5
"
,
"revisionTime"
:
"201
8-0
2-1
6
T1
8:04:0
7Z"
},
{
"checksumSHA1"
:
"
MgtHklQMI/3fNcZZzkg+fmQUrCQ
="
,
"checksumSHA1"
:
"
VlEW+yMUPGk0Fc5PKfya2kXwHWo
="
,
"path"
:
"git.autistici.org/id/keystore/client"
,
"revision"
:
"
ae260514708a9eb3e81b554e1b7b2c65ef802584
"
,
"revisionTime"
:
"201
7-12-17T21:51:41
Z"
"revision"
:
"
3396b96b8dac3be8ea1718b89d6e6678daa75eb5
"
,
"revisionTime"
:
"201
8-02-16T18:04:07
Z"
},
{
"checksumSHA1"
:
"usT4LCSQItkFvFOQT7cBlkCuGaE="
,