-
Notifications
You must be signed in to change notification settings - Fork 47
/
policy.go
166 lines (149 loc) · 6.46 KB
/
policy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
package appencryption
import (
"time"
)
// Default values for CryptoPolicy if not overridden.
const (
DefaultExpireAfter = time.Hour * 24 * 90 // 90 days
DefaultRevokedCheckInterval = time.Minute * 60
DefaultCreateDatePrecision = time.Minute
DefaultKeyCacheMaxSize = 1000
DefaultSessionCacheMaxSize = 1000
DefaultSessionCacheDuration = time.Hour * 2
DefaultSessionCacheEngine = "default"
)
// CryptoPolicy contains options to customize various behaviors in the SDK.
type CryptoPolicy struct {
// ExpireKeyAfter is used to determine when a key is considered expired based on its creation time
// (regularly-scheduled rotation).
ExpireKeyAfter time.Duration
// RevokeCheckInterval controls the cache TTL (if caching is enabled) to check if a cached key has been marked as
// revoked (irregularly-scheduled rotation).
RevokeCheckInterval time.Duration
// CreateDatePrecision is used to truncate a new key's creation timestamp to avoid concurrent callers from
// excessively creating keys in race condition scenarios.
CreateDatePrecision time.Duration
// CacheIntermediateKeys determines whether Intermediate Keys will be cached.
CacheIntermediateKeys bool
// IntermediateKeyCacheMaxSize controls the maximum size of the cache if intermediate key caching is enabled.
//
// This value is ignored if IntermediateKeyCacheEvictionPolicy is set to "simple".
IntermediateKeyCacheMaxSize int
// IntermediateKeyCacheEvictionPolicy controls the eviction policy to use for the shared cache.
// Supported values are "simple", "lru", "lfu", "slru", and "tinylfu". Default is "simple".
IntermediateKeyCacheEvictionPolicy string
// SharedIntermediateKeyCache determines whether Intermediate Keys will use a single shared cache. If enabled,
// Intermediate Keys will share a single cache across all sessions for a given factory.
// This option is useful if you have a large number of sessions and want to reduce the memory footprint of the
// cache.
//
// This option is ignored if CacheIntermediateKeys is disabled.
SharedIntermediateKeyCache bool
// CacheSystemKeys determines whether System Keys will be cached.
CacheSystemKeys bool
// SystemKeyCacheMaxSize controls the maximum size of the cache if system key caching is enabled. If
// SharedKeyCache is enabled, this value will determine the maximum size of the shared cache.
//
// This value is ignored if SystemKeyCacheEvictionPolicy is set to "simple".
SystemKeyCacheMaxSize int
// SystemKeyCacheEvictionPolicy controls the eviction policy to use for the shared cache.
// Supported values are "simple", "lru", "lfu", "slru", and "tinylfu". Default is "simple".
SystemKeyCacheEvictionPolicy string
// CacheSessions determines whether sessions will be cached.
CacheSessions bool
// SessionCacheMaxSize controls the maximum size of the cache if session caching is enabled.
SessionCacheMaxSize int
// SessionCacheDuration controls the amount of time a session will remain cached without being accessed
// if session caching is enabled.
SessionCacheDuration time.Duration
// SessionCacheEvictionPolicy controls the eviction policy to use for the shared cache.
// Supported values are "lru", "lfu", "slru", and "tinylfu". Default is "slru".
SessionCacheEvictionPolicy string
}
// PolicyOption is used to configure a CryptoPolicy.
type PolicyOption func(*CryptoPolicy)
// WithRevokeCheckInterval sets the interval to check for revoked keys in the cache.
func WithRevokeCheckInterval(d time.Duration) PolicyOption {
return func(policy *CryptoPolicy) {
policy.RevokeCheckInterval = d
}
}
// WithExpireAfterDuration sets amount of time a key is considered valid.
func WithExpireAfterDuration(d time.Duration) PolicyOption {
return func(policy *CryptoPolicy) {
policy.ExpireKeyAfter = d
}
}
// WithNoCache disables caching of both System and Intermediate Keys.
func WithNoCache() PolicyOption {
return func(policy *CryptoPolicy) {
policy.CacheSystemKeys = false
policy.CacheIntermediateKeys = false
}
}
// WithSharedIntermediateKeyCache enables a shared cache for Intermediate Keys with the provided capacity. The shared
// cache will be used by all sessions for a given factory.
func WithSharedIntermediateKeyCache(capacity int) PolicyOption {
return func(policy *CryptoPolicy) {
policy.SharedIntermediateKeyCache = true
policy.IntermediateKeyCacheMaxSize = capacity
}
}
// WithSessionCache enables session caching. When used all sessions for a given partition will share underlying
// System and Intermediate Key caches.
func WithSessionCache() PolicyOption {
return func(policy *CryptoPolicy) {
policy.CacheSessions = true
}
}
// WithSessionCacheMaxSize specifies the session cache max size to use if session caching is enabled.
func WithSessionCacheMaxSize(size int) PolicyOption {
return func(policy *CryptoPolicy) {
policy.SessionCacheMaxSize = size
}
}
// WithSessionCacheDuration specifies the amount of time a session will remain cached without being accessed
// if session caching is enabled.
func WithSessionCacheDuration(d time.Duration) PolicyOption {
return func(policy *CryptoPolicy) {
policy.SessionCacheDuration = d
}
}
// NewCryptoPolicy returns a new CryptoPolicy with default values.
func NewCryptoPolicy(opts ...PolicyOption) *CryptoPolicy {
policy := &CryptoPolicy{
ExpireKeyAfter: DefaultExpireAfter,
RevokeCheckInterval: DefaultRevokedCheckInterval,
CreateDatePrecision: DefaultCreateDatePrecision,
CacheSystemKeys: true,
CacheIntermediateKeys: true,
IntermediateKeyCacheMaxSize: DefaultKeyCacheMaxSize,
SystemKeyCacheMaxSize: DefaultKeyCacheMaxSize,
SharedIntermediateKeyCache: false,
CacheSessions: false,
SessionCacheMaxSize: DefaultSessionCacheMaxSize,
SessionCacheDuration: DefaultSessionCacheDuration,
}
for _, opt := range opts {
opt(policy)
}
return policy
}
// newKeyTimestamp returns a unix timestamp in seconds truncated to the provided Duration.
func newKeyTimestamp(truncate time.Duration) int64 {
if truncate > 0 {
return time.Now().Truncate(truncate).Unix()
}
return time.Now().Unix()
}
// Config contains the required information to setup and use this library.
type Config struct {
// Service is the identifier for this service.
Service string
// Product is the identifier for the team or group that owns the calling service.
Product string
// Policy contains the information on when to expire keys.
// If no policy is provided, 90 days rotations will be set
// as defaults.
Policy *CryptoPolicy
}