
     1  // Licensed to Elasticsearch B.V. under one or more contributor
     2  // license agreements. See the NOTICE file distributed with
     3  // this work for additional information regarding copyright
     4  // ownership. Elasticsearch B.V. licenses this file to you under
     5  // the Apache License, Version 2.0 (the "License"); you may
     6  // not use this file except in compliance with the License.
     7  // You may obtain a copy of the License at
     8  //
     9  //     http://www.apache.org/licenses/LICENSE-2.0
    10  //
    11  // Unless required by applicable law or agreed to in writing,
    12  // software distributed under the License is distributed on an
    13  // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    14  // KIND, either express or implied.  See the License for the
    15  // specific language governing permissions and limitations
    16  // under the License.
    17  
    18  package seal
    19  
    20  import (
    21  	"io"
    22  
    23  	"github.com/awnumar/memguard"
    24  
    25  	containerv1 "github.com/zntrio/harp/v2/api/gen/go/harp/container/v1"
    26  )
    27  
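     // Strategy describes the sealing/unsealing contract implemented by a
     // container sealing algorithm. Key material (identities and pre-shared
     // keys) is passed as *memguard.LockedBuffer so it stays in guarded memory;
     // whether the caller or the implementation destroys such a buffer is not
     // specified by this interface — confirm against the implementations.
     type Strategy interface {
     	// GenerateKey creates a key pair used as container identifier. Both keys
     	// are returned as strings; see GenerateOption for the deterministic
     	// derivation and random-source options.
     	GenerateKey(opts ...GenerateOption) (publicKey, privateKey string, err error)
     	// Seal seals the given container using the implemented algorithm. The
     	// reader is presumably the entropy source (cf. WithRandom) and the
     	// trailing strings the recipients' public keys — confirm against the
     	// implementations.
     	Seal(random io.Reader, c *containerv1.Container, peerPublicKeys ...string) (*containerv1.Container, error)
     	// SealWithPSK seals the given container like Seal and additionally
     	// binds it to the given pre-shared key.
     	SealWithPSK(random io.Reader, c *containerv1.Container, psk *memguard.LockedBuffer, peerPublicKeys ...string) (*containerv1.Container, error)
     	// Unseal unseals the given container using the given identity.
     	Unseal(c *containerv1.Container, id *memguard.LockedBuffer) (*containerv1.Container, error)
     	// UnsealWithPSK unseals the given container using the given identity and
     	// the given pre-shared key (the counterpart of SealWithPSK).
     	UnsealWithPSK(c *containerv1.Container, id *memguard.LockedBuffer, psk *memguard.LockedBuffer) (*containerv1.Container, error)
     }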
    41  
     // GenerateOptions represents container key generation options. It is meant
     // to be populated through the GenerateOption builders (WithDeterministicKey,
     // WithRandom) rather than by hand.
     type GenerateOptions struct {
     	// DCKDMasterKey is the master key for deterministic key derivation, set by
     	// WithDeterministicKey and stored by pointer (not copied). DCKD presumably
     	// stands for deterministic container key derivation — confirm.
     	DCKDMasterKey *memguard.LockedBuffer
     	// DCKDTarget is the derivation target paired with DCKDMasterKey, set by
     	// WithDeterministicKey.
     	DCKDTarget    string
     	// RandomSource is the entropy reader set by WithRandom; what an
     	// implementation does when it is nil is not specified here.
     	RandomSource  io.Reader
     }
    48  
     // GenerateOption represents a functional-options builder for the optional
     // parameters of Strategy.GenerateKey; each option mutates the
     // GenerateOptions it is applied to.
     type GenerateOption func(o *GenerateOptions)
    51  
     // WithDeterministicKey enables deterministic container key generation,
     // presumably deriving the key pair from masterKey and target instead of
     // drawing it from the random source — confirm against the implementation.
     // The master key is stored by pointer, not copied, so the caller keeps
     // ownership of the LockedBuffer and should keep it alive (and undestroyed)
     // until the key generation that consumes it has run.
     func WithDeterministicKey(masterKey *memguard.LockedBuffer, target string) GenerateOption {
     	apply := func(opts *GenerateOptions) {
     		opts.DCKDTarget = target
     		opts.DCKDMasterKey = masterKey
     	}
     	return apply
     }
    59  
     // WithRandom provides the random source for key generation. The reader is
     // stored as-is in GenerateOptions.RandomSource; in production it should be
     // a cryptographically secure source such as crypto/rand.Reader, since the
     // generated identity depends entirely on it. Behaviour when no source is
     // supplied is up to the implementation and not specified here.
     func WithRandom(random io.Reader) GenerateOption {
     	return func(opts *GenerateOptions) { opts.RandomSource = random }
     }