Safe Haskell | None |
---|---|
Language | Haskell2010 |
- data SECTIONS h s k = SECTIONS
- class (Bounded a, Enum a, Eq a, Ord a, Show a) => Code a where
- class (Code h, Code s, Code k) => Sections h s k | s -> h, k -> h, h -> s, k -> s, s -> k, h -> k where
- hostDeploySection :: h -> s
- sectionType :: s -> SectionType
- superSections :: s -> [s]
- keyIsHostIndexed :: k -> Maybe (h -> Bool)
- keyIsInSection :: k -> s -> Bool
- getKeyData :: Maybe h -> s -> k -> IO KeyData
- sectionSettings :: Maybe s -> IO Settings
- describeKey :: k -> String
- describeSection :: s -> String
- sectionPWEnvVar :: s -> EnvVar
- data SectionType
- = ST_top
- | ST_signing
- | ST_keys
- data KeyData = KeyData {}
- type KeyPredicate h s k = Maybe h -> s -> k -> Bool
- data RetrieveDg
- initialise :: Sections h s k => CtxParams -> KeyPredicate h s k -> IO ()
- rotate :: Sections h s k => IC -> KeyPredicate h s k -> IO ()
- rotateIfChanged :: Sections h s k => IC -> KeyPredicate h s k -> IO ()
- retrieve :: Sections h s k => IC -> h -> k -> IO (Retrieve [Key])
- signKeystore :: Sections h s k => IC -> SECTIONS h s k -> IO ByteString
- verifyKeystore :: Sections h s k => IC -> SECTIONS h s k -> ByteString -> IO Bool
- noKeys :: KeyPredicate h s k
- allKeys :: KeyPredicate h s k
- keyPrededicate :: Sections h s k => Maybe h -> Maybe s -> Maybe k -> KeyPredicate h s k
- keyHelp :: Sections h s k => Maybe k -> Text
- sectionHelp :: Sections h s k => Maybe s -> IO Text
- secretKeySummary :: Sections h s k => IC -> SECTIONS h s k -> IO Text
- publicKeySummary :: Sections h s k => IC -> SECTIONS h s k -> FilePath -> IO Text
- locateKeys :: Sections h s k => IC -> SECTIONS h s k -> Name -> IO [Key]
- keyName :: Sections h s k => h -> k -> Retrieve Name
- passwordName :: Sections h s k => s -> Name
Documentation
class (Code h, Code s, Code k) => Sections h s k | s -> h, k -> h, h -> s, k -> s, s -> k, h -> k where
This class describes the relationship between the host-id, section-id and key-id types used to build a hierarchical deployment model for a keystore. A minimal instance would have to define hostDeploySection. The deploy example program contains a fairly thorough example of this class being used to implement a quite realistic deployment scenario.
hostDeploySection :: h -> s

:: h | |
---|---|
-> s | the deployment section: for a given host, the starting section for locating the keys during a deployment ( |

sectionType :: s -> SectionType

:: s | |
---|---|
-> SectionType | whether the section holds the top key for the keystore (i.e., the keystore master key), the signing key for the keystore, or is a normal section containing deployment keys |

superSections :: s -> [s]

:: s | |
---|---|
-> [s] | the sections that get a copy of the master for this section (making all of its keys available to them); N.B., the graph formed by this relationship over the sections must be acyclic |

keyIsHostIndexed :: k -> Maybe (h -> Bool)

:: k | |
---|---|
-> Maybe (h -> Bool) | if the key is host-indexed then the predicate specifies the hosts that use this key |

keyIsInSection :: k -> s -> Bool

:: k | |
---|---|
-> s | |
-> Bool | specifies which sections a key is resident in |

describeKey :: k -> String

:: k | |
---|---|
-> String | describes the key (for the ks help command) |

describeSection :: s -> String

:: s | |
---|---|
-> String | describes the section (for the ks help command) |

sectionPWEnvVar :: s -> EnvVar

:: s | |
---|---|
-> EnvVar | specifies the environment variable containing the master password/private key for the given section |
data SectionType
Sections are used to hold the top (master) key for the keystore, its signing key, or deployment keys.
data KeyData
A key is a triple containing some (plain-text) identity information for the key, some comment text and the secret text to be encrypted. Note that the keystore doesn't rely on this information but merely stores it. (They can be empty.) The identity field will often be used to store the key's identity within the system that generates and uses it, for example.
type KeyPredicate h s k = Maybe h -> s -> k -> Bool
One, many or all of the keys in a store may be rotated at a time. We use one of these to specify which keys are to be rotated.
data RetrieveDg
This type specifies the reasons that an attempt to access a key from the store has failed. This kind of failure suggests an inconsistent model and will be raised regardless of which keys have been stored in the store.
initialise :: Sections h s k => CtxParams -> KeyPredicate h s k -> IO ()
Here we create the store and rotate in a bunch of keys. N.B. All of the section passwords must be bound in the process environment before calling this procedure.
rotate :: Sections h s k => IC -> KeyPredicate h s k -> IO ()
Rotate in a set of keys specified by the predicate.
rotateIfChanged :: Sections h s k => IC -> KeyPredicate h s k -> IO ()
Rotate in a set of keys specified by the predicate, rotating each key only if it has changed. N.B. the check is contingent on the secret text being accessible; if the secret text is not accessible then the rotation will happen.
retrieve :: Sections h s k => IC -> h -> k -> IO (Retrieve [Key])
Retrieve the keys for a given host from the store. Note that the whole history for the given key is returned. Note also that the secret text may not be present if it is not accessible (depending upon which section passwords are correctly bound in the process environment). Note also that the Retrieve diagnostic should not fail if a coherent model has been defined for Sections.
signKeystore :: Sections h s k => IC -> SECTIONS h s k -> IO ByteString
Sign the keystore. (Requires the password for the signing section to be correctly bound in the environment.)
verifyKeystore :: Sections h s k => IC -> SECTIONS h s k -> ByteString -> IO Bool
noKeys :: KeyPredicate h s k
A predicate specifying none of the keys in the keystore.
allKeys :: KeyPredicate h s k
A predicate specifying all of the keys in the store.
keyPrededicate :: Sections h s k => Maybe h -> Maybe s -> Maybe k -> KeyPredicate h s k
A utility for specifying a slice of the keys in the store, optionally specifying the host, section and key that should belong to the slice. (If the host is specified then the resulting predicate will only include host-indexed keys belonging to the given host.)
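The following program is an added illustration of the deployment model that the Sections class above describes and of the host-restricted slicing rule given for keyPrededicate; it is not code from the keystore package or from its deploy example program, and it does not import the package. The Host, Section and Key enumerations, the superSections graph, the key placement and the set of "bound" section passwords are all constructed for this example, and the plain functions hostDeploySection, sectionType, superSections, keyIsHostIndexed and keyIsInSection mirror the class methods of the same name. The helpers superSectionsAcyclic (the N.B. on superSections), sectionAccessible (whether a section's secrets can be opened from the bound passwords), visibleFrom, retrieveFor (the "secret text may not be present" behaviour documented for retrieve) and keyPredicate are hypothetical names introduced here.

```haskell
-- Added, standalone model of the Sections deployment hierarchy (not the keystore
-- package's own code). All hosts, sections, keys and bound passwords are constructed.
module Main (main) where

import qualified Data.Set as Set

-- Identifier types; the Code superclass wants Bounded, Enum, Eq, Ord and Show.
data Host    = WebHost | DbHost | BuildHost           deriving (Bounded, Enum, Eq, Ord, Show)
data Section = TopSec | SigningSec | ProdSec | DevSec deriving (Bounded, Enum, Eq, Ord, Show)
data Key     = DbPassword | TlsKey | ApiToken         deriving (Bounded, Enum, Eq, Ord, Show)

data SectionType = ST_top | ST_signing | ST_keys deriving (Eq, Show)

type KeyPredicate h s k = Maybe h -> s -> k -> Bool

-- hostDeploySection: the section a host starts from when locating its keys.
hostDeploySection :: Host -> Section
hostDeploySection WebHost   = ProdSec
hostDeploySection DbHost    = ProdSec
hostDeploySection BuildHost = DevSec

sectionType :: Section -> SectionType
sectionType TopSec     = ST_top
sectionType SigningSec = ST_signing
sectionType _          = ST_keys

-- superSections s: the sections that receive a copy of s's master key,
-- so whoever can open one of them can also open s.
superSections :: Section -> [Section]
superSections TopSec     = []
superSections SigningSec = [TopSec]
superSections ProdSec    = [TopSec]
superSections DevSec     = [ProdSec]

-- TlsKey is host-indexed: only WebHost uses it; the other keys are shared.
keyIsHostIndexed :: Key -> Maybe (Host -> Bool)
keyIsHostIndexed TlsKey = Just (== WebHost)
keyIsHostIndexed _      = Nothing

keyIsInSection :: Key -> Section -> Bool
keyIsInSection DbPassword s = s == ProdSec
keyIsInSection TlsKey     s = s == ProdSec
keyIsInSection ApiToken   s = s `elem` [ProdSec, DevSec]

-- The N.B. on superSections: the graph it induces must be acyclic. Walk from
-- every section carrying the path so far; meeting a section twice is a cycle.
superSectionsAcyclic :: Bool
superSectionsAcyclic = all (go Set.empty) [minBound .. maxBound]
  where
    go path s
      | s `Set.member` path = False
      | otherwise = all (go (Set.insert s path)) (superSections s)

-- A section's secrets are accessible if its own password is bound in the
-- environment, or if some section holding a copy of its master is accessible.
sectionAccessible :: Set.Set Section -> Section -> Bool
sectionAccessible bound = go Set.empty
  where
    go seen s
      | s `Set.member` seen  = False
      | s `Set.member` bound = True
      | otherwise = any (go (Set.insert s seen)) (superSections s)

-- Sections whose keys a deployment starting at d can see: d itself plus every
-- section that (transitively) hands d a copy of its master.
visibleFrom :: Section -> [Section]
visibleFrom d = [ s | s <- [minBound .. maxBound], d `elem` closure Set.empty s ]
  where
    closure seen s
      | s `Set.member` seen = []
      | otherwise = s : concatMap (closure (Set.insert s seen)) (superSections s)

-- What a retrieve for a host yields: (key, section, secret text present?).
-- The secret is absent exactly when its section is not accessible.
retrieveFor :: Set.Set Section -> Host -> [(Key, Section, Bool)]
retrieveFor bound h =
  [ (k, s, sectionAccessible bound s)
  | s <- visibleFrom (hostDeploySection h)
  , k <- [minBound .. maxBound]
  , keyIsInSection k s
  , maybe True ($ h) (keyIsHostIndexed k)
  ]

-- A keyPrededicate-style slice builder: with a host given, only host-indexed
-- keys belonging to that host are selected; section and key narrow it further.
keyPredicate :: Maybe Host -> Maybe Section -> Maybe Key -> KeyPredicate Host Section Key
keyPredicate mh ms mk mh' s k =
     maybe True (== s) ms
  && maybe True (== k) mk
  && case mh of
       Nothing -> True
       Just h0 -> mh' == Just h0 && maybe False ($ h0) (keyIsHostIndexed k)

main :: IO ()
main = do
  putStrLn ("superSections acyclic: " ++ show superSectionsAcyclic)
  -- Constructed scenario: only the DevSec password is bound, so ProdSec keys
  -- come back without their secret text while DevSec's ApiToken is readable.
  let bound = Set.fromList [DevSec]
  mapM_ print (retrieveFor bound WebHost)
  mapM_ print (retrieveFor bound BuildHost)
  let slice = keyPredicate (Just WebHost) Nothing Nothing
  print [ (k, s) | s <- [minBound .. maxBound], k <- [minBound .. maxBound]
                 , keyIsInSection k s, slice (Just WebHost) s k ]
```

With the DevSec password bound and TopSec's unbound, WebHost's ProdSec keys are listed with the secret absent (ProdSec hands its master only to TopSec), while ApiToken in DevSec is readable because DevSec is bound directly; BuildHost, deploying from DevSec, sees only DevSec's keys. The final slice selects just TlsKey, the one host-indexed key WebHost uses, matching the documented behaviour of keyPrededicate when a host is given.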
secretKeySummary :: Sections h s k => IC -> SECTIONS h s k -> IO Text
List a shell script for establishing all of the keys in the environment. N.B. For this to work the password for the top section must be bound (or the passwords for all of the sections, if the store does not maintain a top key).
publicKeySummary :: Sections h s k => IC -> SECTIONS h s k -> FilePath -> IO Text
List a shell script for storing the public signing key for the store.
locateKeys :: Sections h s k => IC -> SECTIONS h s k -> Name -> IO [Key]
List all of the keys that have the given name as their prefix. If the generic name of a key is given then it will list the complete history for the key, the current (or most recent) entry first.
keyName :: Sections h s k => h -> k -> Retrieve Name
Return the generic name for a given key that is used by the specified host, returning a failure diagnostic if the host does not have such a key under the given Sections model.
passwordName :: Sections h s k => s -> Name
The name of the key that stores the password for a given section.