Overview
Package cryptokeys provides an abstraction for fetching internally used cryptographic keys, mainly for JWT signing and verification.
Functions
func StartRotator
func StartRotator(ctx context.Context, logger slog.Logger, db database.Store, opts ...RotatorOption)
StartRotator starts a background process that rotates keys in the database. It ensures there's at least one valid key per feature prior to returning. Canceling the provided context will stop the background process.
Types
type CacheOption
type CacheOption func(*cache)
func WithCacheClock
func WithCacheClock(clock quartz.Clock) CacheOption
type EncryptionKeycache
type EncryptionKeycache interface {
	// EncryptingKey returns the latest valid key for encrypting payloads. A valid
	// key is one that is both past its start time and before its deletion time.
	EncryptingKey(ctx context.Context) (id string, key interface{}, err error)
	// DecryptingKey returns the key with the provided id which maps to its sequence
	// number. The key is valid for decryption as long as it is not deleted or past
	// its deletion date. We must allow for keys prior to their start time to
	// account for clock skew between peers (one key may be past its start time on
	// one machine while another is not).
	DecryptingKey(ctx context.Context, id string) (key interface{}, err error)
	io.Closer
}
func NewEncryptionCache
func NewEncryptionCache(ctx context.Context, logger slog.Logger, fetcher Fetcher, feature codersdk.CryptoKeyFeature, opts ...func(*cache)) (EncryptionKeycache, error)
type RotatorOption
type RotatorOption func(*rotator)
func WithClock
func WithClock(clock quartz.Clock) RotatorOption
func WithKeyDuration
func WithKeyDuration(keyDuration time.Duration) RotatorOption
type SigningKeycache
type SigningKeycache interface {
	// SigningKey returns the latest valid key for signing. A valid key is one
	// that is both past its start time and before its deletion time.
	SigningKey(ctx context.Context) (id string, key interface{}, err error)
	// VerifyingKey returns the key with the provided id which should map to its
	// sequence number. The key is valid for verifying as long as it is not deleted
	// or past its deletion date. We must allow for keys prior to their start time
	// to account for clock skew between peers (one key may be past its start time
	// on one machine while another is not).
	VerifyingKey(ctx context.Context, id string) (key interface{}, err error)
	io.Closer
}
func NewSigningCache
func NewSigningCache(ctx context.Context, logger slog.Logger, fetcher Fetcher, feature codersdk.CryptoKeyFeature, opts ...func(*cache)) (SigningKeycache, error)
NewSigningCache instantiates a cache. Close should be called to release resources associated with its internal timer.