auth: LsatAuthenticator -> L402Authenticator sed -i 's/LsatAuthenticator/L402Authenticator/g' aperture.go auth/authenticator.go auth/authenticator_test.go rename package lsat to l402 git mv lsat/ l402 sed 's@aperture/lsat@aperture/l402@g' -i `git grep -l aperture/lsat` sed -i 's@package lsat@package l402@' `git grep -l 'package lsat'` sed -i 's@lsat\.@l402.@g' -i `git grep -l 'lsat\.'` sed 's@l402.Id@lsat.Id@' -i mint/mint_test.go replace lsat with l402 in the code sed 's@lsat@l402@' -i mint/mint_test.go sed 's@Lsat@L402@' -i l402/client_interceptor.go sed 's@lsatstore@l402store@' -i l402/store_test.go replace LSAT to L402 in comments sed '/\/\//s@LSAT@L402@g' -i `git grep -l '//.*LSAT'` replace LSAT -> L402 in the code, skip when a string starts with it sed 's@\([^"/]\)LSAT@\1L402@g' -i `git grep -l LSAT`
package aperture
import (
"context"
"crypto/rand"
"crypto/sha256"
"encoding/hex"
"fmt"
"strings"
"github.com/lightninglabs/aperture/l402"
"github.com/lightninglabs/aperture/mint"
clientv3 "go.etcd.io/etcd/client/v3"
)
// secretsPrefix is the path component placed between the package's top-level
// key and the hex-encoded L402 identifier for every secret written to etcd.
var secretsPrefix = "secrets"
// idKey builds the etcd key under which the secret for the given L402
// identifier is stored. The identifier is hex-encoded (64 lowercase hex
// characters for a 32-byte id) so that its raw bytes can never contain the etcd
// key delimiter and accidentally create a nested path.
//
// For an identifier starting with bff4ee83 the key has the shape
// <topLevelKey>/secrets/bff4ee83..., where topLevelKey and etcdKeyDelimeter
// are defined elsewhere in this package.
func idKey(id [sha256.Size]byte) string {
	encoded := hex.EncodeToString(id[:])
	parts := []string{topLevelKey, secretsPrefix, encoded}
	return strings.Join(parts, etcdKeyDelimeter)
}
// secretStore is a store of L402 secrets backed by an etcd cluster. It embeds
// the etcd client so that Put, Get and Delete are available directly on the
// store; secrets are written as raw bytes under the key produced by idKey.
type secretStore struct {
	*clientv3.Client
}
// A compile-time constraint to ensure secretStore implements mint.SecretStore
// (NewSecret, GetSecret and RevokeSecret below); a signature drift in either
// package fails the build here rather than at a call site.
var _ mint.SecretStore = (*secretStore)(nil)
// newSecretStore wraps the given etcd client in a secretStore. Nothing in this
// file closes the client, so its lifetime stays with the caller.
func newSecretStore(client *clientv3.Client) *secretStore {
	store := &secretStore{Client: client}
	return store
}
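// NewSecret draws a fresh secret from crypto/rand and stores it in etcd under
// the key derived from id.
//
// The secret is only handed back when the etcd write succeeded. If either the
// random draw or the Put fails, the zero value is returned alongside the error
// so that key material which was never persisted cannot leak out of this
// function and be baked into a token that could never be verified.
//
// The Put is unconditional: calling NewSecret for an id that already has a
// secret replaces the old value.
//
// NOTE(review): the secret is stored as raw, unencrypted bytes. Whatever the
// mint does with these secrets, read access to this etcd prefix presumably
// allows forging tokens — confirm that the etcd client is configured for
// authenticated, TLS-protected connections in every deployment.
func (s *secretStore) NewSecret(ctx context.Context,
	id [sha256.Size]byte) ([l402.SecretSize]byte, error) {

	var secret [l402.SecretSize]byte
	if _, err := rand.Read(secret[:]); err != nil {
		return [l402.SecretSize]byte{}, fmt.Errorf("generating "+
			"secret: %w", err)
	}

	if _, err := s.Put(ctx, idKey(id), string(secret[:])); err != nil {
		// Scrub the unstored secret before it leaves this frame.
		secret = [l402.SecretSize]byte{}
		return secret, fmt.Errorf("storing secret: %w", err)
	}

	return secret, nil
}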
// GetSecret looks up the secret stored for id. mint.ErrSecretNotFound is
// returned when no key exists for the identifier, and a stored value whose
// length differs from l402.SecretSize is rejected with an error rather than
// being silently truncated or zero-padded into the fixed-size array.
func (s *secretStore) GetSecret(ctx context.Context,
	id [sha256.Size]byte) ([l402.SecretSize]byte, error) {

	var secret [l402.SecretSize]byte

	resp, err := s.Get(ctx, idKey(id))
	switch {
	case err != nil:
		return secret, err
	case len(resp.Kvs) == 0:
		return secret, mint.ErrSecretNotFound
	}

	stored := resp.Kvs[0].Value
	if n := len(stored); n != l402.SecretSize {
		return secret, fmt.Errorf("invalid secret size %v", n)
	}

	copy(secret[:], stored)
	return secret, nil
}
// RevokeSecret deletes the secret stored for id from etcd. Deleting a key that
// does not exist is not an error for etcd, so revoking an unknown identifier is
// a no-op.
func (s *secretStore) RevokeSecret(ctx context.Context,
	id [sha256.Size]byte) error {

	key := idKey(id)
	if _, err := s.Delete(ctx, key); err != nil {
		return err
	}

	return nil
}