// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

package seal

import (
	"io"

	"github.com/awnumar/memguard"

	containerv1 "github.com/zntrio/harp/v2/api/gen/go/harp/container/v1"
)

// Strategy describes the sealing/unsealing contract that every container
// sealing algorithm implements.
//
// Secret material (identities, preshared keys) crosses this interface as
// *memguard.LockedBuffer values. Whether the callee or the caller is
// responsible for destroying a buffer is not defined here — confirm with the
// concrete implementation before reusing or destroying one.
type Strategy interface {
	// GenerateKey creates a key pair used as container identifier.
	// The public key is meant to be shared; the private key is the secret
	// required to unseal. Options may request a deterministic derivation
	// (WithDeterministicKey) or a specific random source (WithRandom).
	GenerateKey(...GenerateOption) (publicKey, privateKey string, err error)
	// Seal seals the given container using the implemented algorithm.
	// NOTE(review): the io.Reader is presumably the random source and the
	// variadic strings the recipient public keys produced by GenerateKey —
	// confirm against the implementations.
	Seal(io.Reader, *containerv1.Container, ...string) (*containerv1.Container, error)
	// SealWithPSK seals the given container using the implemented algorithm,
	// additionally bound to the given preshared key held in a locked buffer.
	SealWithPSK(io.Reader, *containerv1.Container, *memguard.LockedBuffer, ...string) (*containerv1.Container, error)
	// Unseal unseals the given container using the given identity, held in a
	// locked buffer.
	Unseal(c *containerv1.Container, id *memguard.LockedBuffer) (*containerv1.Container, error)
	// UnsealWithPSK unseals the given container using the given identity and
	// the given preshared key. Both secrets are held in locked buffers.
	UnsealWithPSK(c *containerv1.Container, id *memguard.LockedBuffer, psk *memguard.LockedBuffer) (*containerv1.Container, error)
}

// GenerateOptions represents container key generation options.
// The zero value requests a non-deterministic key with no explicit random
// source; which source is then used is decided by the Strategy implementation.
type GenerateOptions struct {
	// DCKDMasterKey is the master key for deterministic container key
	// derivation; set by WithDeterministicKey, nil otherwise.
	DCKDMasterKey *memguard.LockedBuffer
	// DCKDTarget is the derivation target paired with DCKDMasterKey; set by
	// WithDeterministicKey, empty otherwise.
	DCKDTarget string
	// RandomSource is the entropy source for key generation; set by
	// WithRandom, nil otherwise.
	RandomSource io.Reader
}

// GenerateOption represents functional pattern builder for optional parameters.
// Each option mutates the GenerateOptions it is applied to.
type GenerateOption func(o *GenerateOptions)

// WithDeterministicKey enables deterministic container key generation from
// the given master key and target.
//
// Because the derivation is deterministic, the same master key and target
// reproduce the same key pair; the master key is therefore the secret to
// protect. The option stores the caller's buffer without copying it, so the
// buffer must stay alive until GenerateKey has been called.
func WithDeterministicKey(masterKey *memguard.LockedBuffer, target string) GenerateOption {
	return func(o *GenerateOptions) {
		o.DCKDMasterKey = masterKey
		o.DCKDTarget = target
	}
}

// WithRandom provides the random source for key generation.
//
// The reader is used as-is; for key material it should be a
// cryptographically secure source (e.g. crypto/rand.Reader). What an
// implementation does when no source is set is not defined by this package —
// confirm against the Strategy in use.
func WithRandom(random io.Reader) GenerateOption {
	return func(o *GenerateOptions) {
		o.RandomSource = random
	}
}