keystore-0.7.0.0: Managing stores of secret things

Safe Haskell: None
Language: Haskell2010

Data.KeyStore.Sections

Documentation

data SECTIONS h s k Source

Constructors

SECTIONS 

class (Bounded a, Enum a, Eq a, Ord a, Show a) => Code a where Source

Minimal complete definition

encode

Methods

encode :: a -> String Source

decode :: String -> Maybe a Source

class (Code h, Code s, Code k) => Sections h s k | s -> h, k -> h, h -> s, k -> s, s -> k, h -> k where Source

This class describes the relationship between the host-id, section-id and key-id types used to build a hierarchical deployment model for a keystore. A minimal instance only has to define hostDeploySection. The deploy example program contains a fairly thorough example of this class being used to implement a quite realistic deployment scenario.

Minimal complete definition

hostDeploySection

Methods

hostDeploySection Source

Arguments

:: h 
-> s

the deployment section: for a given host, the starting section for locating the keys during a deployment (higher/closer sections taking priority)

sectionType Source

Arguments

:: s 
-> SectionType

whether the section holds the top key for the keystore (i.e., keystore master key), the signing key for the keystore or is a normal section containing deployment keys

superSections Source

Arguments

:: s 
-> [s]

the sections that get a copy of the master for this section (making all of its keys available to them); N.B., the graph formed by this relationship over the sections must be acyclic

keyIsHostIndexed Source

Arguments

:: k 
-> Maybe (h -> Bool)

if the key is host-indexed then the predicate specifies the hosts that use this key

keyIsInSection Source

Arguments

:: k 
-> s 
-> Bool

specifies which sections a key is resident in

getKeyData Source

Arguments

:: Maybe h 
-> s 
-> k 
-> IO KeyData

loads the data for a particular key

getKeyDataWithMode Source

Arguments

:: Maybe h 
-> s 
-> k 
-> IO (KeyDataMode, KeyData)

loads the data for a particular key, returning its mode as well

sectionSettings Source

Arguments

:: Maybe s 
-> IO Settings

loads the settings for a given section

describeKey Source

Arguments

:: k 
-> String

describes the key (for the ks help command)

describeSection Source

Arguments

:: s 
-> String

describes the section (for the ks help command)

sectionPWEnvVar Source

Arguments

:: s 
-> EnvVar

specifies the environment variable containing the master password/private key for the given section
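As an added example (not code from the keystore package or from its deploy program), a small Sections instance for a two-host deployment, a check that its superSections relation is acyclic (a requirement the class states but cannot enforce), and a listing of the keys resident in one section built with keyPrededicate. The type names Host, Section and KeyId and the module name DeployModel are assumptions; decode is left to its class default.

```haskell
{-# LANGUAGE MultiParamTypeClasses #-}
module DeployModel where
import Data.KeyStore.Sections

-- Constructed model (assumed names): two hosts, a top section, a
-- signing section and one keys section per environment.
data Host    = H_dev | H_prod deriving (Bounded, Enum, Eq, Ord, Show)
data Section = S_top | S_signing | S_dev | S_prod
                deriving (Bounded, Enum, Eq, Ord, Show)
data KeyId   = K_db_password | K_api_token | K_tls_key
                deriving (Bounded, Enum, Eq, Ord, Show)

-- Code needs only 'encode'; 'decode' keeps its class default.
instance Code Host    where encode = show
instance Code Section where encode = show
instance Code KeyId   where encode = show

instance Sections Host Section KeyId where
  -- each host starts looking for keys in its own environment section
  hostDeploySection H_dev  = S_dev
  hostDeploySection H_prod = S_prod
  sectionType S_top     = ST_top
  sectionType S_signing = ST_signing
  sectionType _         = ST_keys
  -- the top section gets a copy of every other section's master key,
  -- so it can read everything; nothing sits above the top section
  superSections S_top = []
  superSections _     = [S_top]
  -- the TLS key is host-indexed; only production hosts hold one
  keyIsHostIndexed K_tls_key = Just (== H_prod)
  keyIsHostIndexed _         = Nothing
  -- where each key is resident: dev never holds production secrets
  keyIsInSection K_db_password s = s `elem` [S_dev, S_prod]
  keyIsInSection K_api_token   s = s == S_prod
  keyIsInSection K_tls_key     s = s == S_prod
  describeKey     = show
  describeSection = show

-- The class requires the superSections graph to be acyclic but cannot
-- enforce it; a depth-first walk finds any cycle before the model is used.
superSectionsAcyclic :: Bool
superSectionsAcyclic = all (visit []) [minBound .. maxBound :: Section]
  where
    visit path s
      | s `elem` path = False
      | otherwise     = all (visit (s : path)) (superSections s)

-- every key resident in the production section, host-indexed or not
prodKeys :: [(Maybe Host, Section, KeyId)]
prodKeys = listKeys (keyPrededicate Nothing (Just S_prod) Nothing)
```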

data SectionType Source

Sections are used to hold the top (master) key for the keystore, its signing key, or deployment keys

Constructors

ST_top 
ST_signing 
ST_keys 

data KeyData Source

A key is a triple containing some (plain-text) identity information for the key, some comment text and the secret text to be encrypted. Note that the keystore doesn't rely on this information but merely stores it. (They can be empty.) The identity field will often be used to store the key's identity within the system that generates and uses it, for example.

type KeyPredicate h s k = Maybe h -> s -> k -> Bool Source

One, many or all of the keys in a store may be rotated at a time. We use one of these to specify which keys are to be rotated.

data RetrieveDg Source

This type specifies the reasons that an attempt to access a key from the store has failed. This kind of failure suggests an inconsistent model and will be raised regardless of which keys have been stored in the store.

initialise :: Sections h s k => CtxParams -> KeyPredicate h s k -> IO () Source

Here we create the store and rotate in a bunch of keys. N.B. All of the section passwords must be bound in the process environment before calling this procedure.

rotate :: Sections h s k => IC -> KeyPredicate h s k -> IO () Source

Rotate in a set of keys specified by the predicate.

rotateIfChanged :: Sections h s k => IC -> KeyPredicate h s k -> IO () Source

Rotate in a set of keys specified by the predicate, rotating each key only if it has changed. N.B. the check is contingent on the secret text being accessible; if the secret text is not accessible then the rotation will happen regardless.

rotate_ :: Sections h s k => IC -> Maybe KeyDataMode -> Bool -> KeyPredicate h s k -> IO () Source

Rotate in a set of keys specified by the predicate, with the first argument controlling whether to squash duplicate rotations.

retrieve :: Sections h s k => IC -> h -> k -> IO (Retrieve [Key]) Source

Retrieve the keys for a given host from the store. Note that the whole history for the given key is returned. Note also that the secret text may not be present if it is not accessible (depending upon which section passwords are correctly bound in the process environment). Note also that the Retrieve diagnostic should not fail if a coherent model has been defined for Sections.

signKeystore :: Sections h s k => IC -> SECTIONS h s k -> IO ByteString Source

Sign the keystore. (Requires the password for the signing section to be correctly bound in the environment.)

noKeys :: KeyPredicate h s k Source

A predicate specifying none of the keys in the store.

allKeys :: KeyPredicate h s k Source

A predicate specifying all of the keys in the keystore.

listKeys :: Sections h s k => KeyPredicate h s k -> [(Maybe h, s, k)] Source

List all of the keys specified by a KeyPredicate

keyPrededicate :: Sections h s k => Maybe h -> Maybe s -> Maybe k -> KeyPredicate h s k Source

A utility for specifying a slice of the keys in the store, optionally specifying the host, section and key that should belong to the slice. (If the host is specified then the resulting predicate will only include host-indexed keys belonging to the given host.)

keyHelp :: Sections h s k => Maybe k -> Text Source

secretKeySummary :: Sections h s k => IC -> SECTIONS h s k -> IO Text Source

List a shell script for establishing all of the keys in the environment. N.B. for this to work the password for the top section must be bound (or the passwords for all of the sections, if the store does not maintain a top key).

publicKeySummary :: Sections h s k => IC -> SECTIONS h s k -> FilePath -> IO Text Source

List a shell script for storing the public signing key for the store.

locateKeys :: Sections h s k => IC -> SECTIONS h s k -> Name -> IO [Key] Source

List all of the keys that have the given name as their prefix. If the generic name of a key is given then it will list the complete history for the key, the current (or most recent) entry first.

keyName :: Sections h s k => h -> k -> Retrieve Name Source

Return the generic name for a given key that is used by the specified host, returning a failure diagnostic if the host does not have such a key in the given Sections model.

keyName_ :: Sections h s k => Maybe h -> s -> k -> Name Source

Basic function for generating a key name from the host (if the key is host-indexed), section name and key id.

passwordName :: Sections h s k => s -> Name Source

The name of the key that stores the password for a given section.