caf_security/plug_security

Security plug for authentication.

Properties:

  {keysDir: string=, trustedPubKeyFile: string, privateKeyFile: string=,
   publicKeyFile: string=, accountsURL: string, allowNobodyUser: boolean,
   quotaApp: string=}

where:

keysDir: directory for all key material.
trustedPubKeyFile: trusted public key that verifies tokens. Uses a self-signed certificate in PEM format, see openssl.
privateKeyFile and publicKeyFile: optional asymetric keys to weaken tokens. Typically we use a remote service instead.
accountsURL: URL of the accounts service.
allowNobodyUser: whether to allow the json_rpc.DEFAULT_FROM client to authenticate without credentials.
quotaApp: the name of the app managing user quotas, or missing if service off.

Source:

plug_security.js, line 19

Extends

external:caf_components/gen_plug

Methods

__ca_attenuateToken__(megaTokenStr, constraints, cb0)

Source:

plug_security.js, line 343

See:

module:caf_security/proxy_security#attenuateToken

Weakens an authentication token generating generating one (or many) token(s).

Parameters:

Name	Type	Description
`megaTokenStr`	string	A serialized token.
`constraints`	tkDescArray	A description of the new token(s).
`cb0`	cbType	A callback to return the new token(s) or an error.

__ca_authenticate__(from, tokenStr, cb0)

Source:

plug_security.js, line 203

Authenticates the incoming request.

Parameters:

Name	Type	Description
`from`	string	Principal sending this request.
`tokenStr`	string	Token to authenticate the principal.
`cb0`	cbType	A callback with an error or the authenticated token.

__ca_blockCreate__(from, to) → {boolean}

Source:

plug_security.js, line 262

Whether we should block attempts to create a missing CA.

Only the owner should be allowed to create new CAs, i.e., from === to.

Parameters:

Name	Type	Description
`from`	string	Source of the request.
`to`	string	Target CA to be created if missing.

Returns:

True if we should only allow returning a reference to an existing CA.

Type: boolean

__ca_pulse__(cb0)

Source:

plug_security.js, line 130

Cleans up token caches.

Called by cron_security periodically to force token re-validation.

Parameters:

Name	Type	Description
`cb0`	cbType	A callback to continue after cleaning.

__ca_quotaCheck__(caId, cb0)

Source:

plug_security.js, line 420

Checks the quota of a CA with the Quota service.

Parameters:

Name	Type	Description
`caId`	string	A target CA identifier, e.g., `foo-ca1`.
`cb0`	cbType	A callback to return an error, or extra CA info (second argument). If the error is not a system error, i.e., we accessed the quota service and there was no balance, the error field `quotaExceeded` is set to `true`.

__ca_quotaRenew__(tokenStr, cb0)

Source:

plug_security.js, line 394

Registers a new CA with the Quota service.

Parameters:

Name	Type	Description
`tokenStr`	string	An encoded token. This token was originally used to create the CA.
`cb0`	cbType	A callback to return an error, or extra CA info (second argument). If the error is not a system error, i.e., we accessed the quota service and there was no balance, the error field `quotaExceeded` is set to `true`.

__ca_verifyToken__(tokenStr) → {tokenType|null}

Source:

plug_security.js, line 188

Verifies the provided serialized token is trusted

Parameters:

Name	Type	Description
`tokenStr`	string	A serialized token to validate.

Returns:

A parsed, validated token, or null if token invalid.

Type: tokenType | null