# Security Enterprise Plugin

| Version | Language |
|---------|----------|
| 1.0.0   | Go       |

This plugin implementation provides the following enterprise features to the geth JSON RPC server:

- TLS configuration for the HTTP and WS transports
- Making the geth JSON RPC (HTTP/WS) server an OAuth2-compliant resource server
## Configuration

```json
{
  "tls": object(TLSConfiguration),
  "tokenValidation": object(TokenValidationConfiguration)
}
```

| Fields | Description |
|--------|-------------|
| `tls` | (Optional) If provided, serve with the TLS configuration. See TLSConfiguration for more details |
| `tokenValidation` | (Required) Configuration to verify the access token and extract the granted authorities from it. See TokenValidationConfiguration for more details |
### TLSConfiguration

```json
{
  "auto": bool,
  "certFile": EnvironmentAwaredValue,
  "keyFile": EnvironmentAwaredValue,
  "advanced": object(TLSAdvancedConfiguration)
}
```

| Fields | Description |
|--------|-------------|
| `auto` | If true, generate a self-signed TLS certificate, then save the generated certificate and private key in PEM format to `certFile` and `keyFile` respectively. If false, use the values from `certFile` and `keyFile` |
| `certFile` | Location of a file storing the certificate in PEM format. Default is `cert.pem` |
| `keyFile` | Location of a file storing the private key in PEM format. Default is `key.pem` |
| `advanced` | Additional TLS configuration |
### TLSAdvancedConfiguration

```json
{
  "cipherSuites": array
}
```

| Fields | Description |
|--------|-------------|
| `cipherSuites` | List of cipher suites to be enforced. Defaults to `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`. See Supported Cipher Suites below for all supported cipher suites |
### TokenValidationConfiguration

```json
{
  "issuers": array,
  "cache": object(CacheConfiguration),
  "introspect": object(IntrospectionConfiguration),
  "jws": object(JWSConfiguration),
  "jwt": object(JWTConfiguration)
}
```

| Fields | Description |
|--------|-------------|
| `issuers` | Array of strings specifying the approved entities that issue tokens |
| `cache` | Configuration of a token cache |
| `introspect` | Configuration of how to connect to the introspection API |
| `jws` | Configuration of how to obtain the JSON Web Key Set used to validate JSON Web Signatures |
| `jwt` | Configuration of how to handle JSON Web Tokens |
### CacheConfiguration

An LRU cache which also checks for expiration before returning the value.
Below is the default configuration if not specified:

```json
{
  "limit": 80,
  "expirationInSeconds": 3600
}
```

| Fields | Description |
|--------|-------------|
| `limit` | Max number of items in the cache |
| `expirationInSeconds` | Expiry time for a cache item |
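As an added example (illustrative Go, not the plugin's own code), here is how an LRU cache that checks expiry before returning a value can be written, with the documented defaults of 80 items and 3600 seconds applied when the configuration leaves them unset. The type and method names (`ExpiringLRU`, `Put`, `Get`, `Len`) are assumptions, and the cached values are constructed sample data.

```go
package main

import (
	"container/list"
	"fmt"
	"sync"
	"time"
)

// entry is one cached item (e.g. a token's validation result) with its own expiry.
type entry struct {
	key     string
	value   interface{}
	expires time.Time
}

// ExpiringLRU is a fixed-size LRU cache whose Get refuses to hand back an item
// once its TTL has elapsed, even if it is still resident. Hypothetical type.
type ExpiringLRU struct {
	mu    sync.Mutex
	limit int
	ttl   time.Duration
	Now   func() time.Time         // clock, replaceable in tests
	order *list.List               // front = most recently used
	items map[string]*list.Element // key -> element in order
}

// NewExpiringLRU applies the documented defaults (80 items, 3600 seconds) when a
// zero or negative value is given, so a limit of 0 can never make eviction panic.
func NewExpiringLRU(limit int, ttl time.Duration) *ExpiringLRU {
	if limit <= 0 {
		limit = 80
	}
	if ttl <= 0 {
		ttl = 3600 * time.Second
	}
	return &ExpiringLRU{
		limit: limit,
		ttl:   ttl,
		Now:   time.Now,
		order: list.New(),
		items: make(map[string]*list.Element),
	}
}

// Put stores value under key and restarts its TTL, evicting the least recently
// used entry when the cache is full.
func (c *ExpiringLRU) Put(key string, value interface{}) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if el, ok := c.items[key]; ok {
		e := el.Value.(*entry)
		e.value, e.expires = value, c.Now().Add(c.ttl)
		c.order.MoveToFront(el)
		return
	}
	if c.order.Len() >= c.limit {
		oldest := c.order.Back()
		c.order.Remove(oldest)
		delete(c.items, oldest.Value.(*entry).key)
	}
	c.items[key] = c.order.PushFront(&entry{key: key, value: value, expires: c.Now().Add(c.ttl)})
}

// Get returns the value and true, or nil and false when the key is absent or its
// entry has expired. Expired entries are dropped on access, never refreshed.
func (c *ExpiringLRU) Get(key string) (interface{}, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	el, ok := c.items[key]
	if !ok {
		return nil, false
	}
	e := el.Value.(*entry)
	if !c.Now().Before(e.expires) {
		c.order.Remove(el)
		delete(c.items, key)
		return nil, false
	}
	c.order.MoveToFront(el)
	return e.value, true
}

// Len reports the number of resident entries (expired ones count until touched).
func (c *ExpiringLRU) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.order.Len()
}

func main() {
	cache := NewExpiringLRU(2, time.Second)
	cache.Put("token-a", "rpc://eth_*")
	cache.Put("token-b", "rpc://net_version")
	cache.Put("token-c", "rpc://web3.clientVersion") // cache full: token-a is evicted
	_, hitA := cache.Get("token-a")
	time.Sleep(1500 * time.Millisecond)
	_, hitC := cache.Get("token-c")
	fmt.Println("token-a after eviction:", hitA, "token-c after TTL:", hitC)
}
```

The clock is a replaceable field so expiry can be exercised deterministically; a cached validation result is dropped at the moment its TTL ends rather than being refreshed on access, which is the property the page's "checks for expiration before returning the value" describes.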
### IntrospectionConfiguration

```json
{
  "endpoint": string,
  "authentication": object(AuthenticationConfiguration),
  "tlsConnection": object(TLSConnectionConfiguration)
}
```

| Fields | Description |
|--------|-------------|
| `endpoint` | Introspection API endpoint |
| `authentication` | Configuration of how to authenticate when invoking the endpoint |
| `tlsConnection` | Configuration of TLS when connecting to the endpoint |
### AuthenticationConfiguration

```json
{
  "method": string,
  "credentials": map(string->EnvironmentAwaredValue)
}
```

| Fields | Description |
|--------|-------------|
| `method` | Defines the authentication mechanism. Supported values: `client_secret_basic` (basic authentication), `client_secret_form` (form authentication), `private_key` (mutual TLS authentication) |
| `credentials` | Defines the key-value pairs used for the authentication mechanism given above. See below for the supported keys |

| Method | Keys |
|--------|------|
| `client_secret_basic` | `clientId`, `clientSecret` |
| `client_secret_form` | `clientId`, `clientSecret` |
| `private_key` | `certFile`, `keyFile` |
### TLSConnectionConfiguration

```json
{
  "insecureSkipVerify": bool,
  "certFile": EnvironmentAwaredValue,
  "caFile": EnvironmentAwaredValue
}
```

| Fields | Description |
|--------|-------------|
| `insecureSkipVerify` | If true, do not verify the server TLS certificate |
| `certFile` | Location of a file storing the server certificate in PEM format. Default is `server.crt` |
| `caFile` | Location of a file storing the server CA certificate in PEM format. Default is `server.ca.cert` |
### JWSConfiguration

```json
{
  "endpoint": string,
  "tlsConnection": object(TLSConnectionConfiguration)
}
```

| Fields | Description |
|--------|-------------|
| `endpoint` | API endpoint to obtain the JSON Web Key Set |
| `tlsConnection` | Configuration of TLS when connecting to the endpoint |
### JWTConfiguration

```json
{
  "authorizationField": string,
  "preferIntrospection": bool
}
```

| Fields | Description |
|--------|-------------|
| `authorizationField` | Name of the claim from which scopes are extracted for authorization. Defaults to `scope` |
| `preferIntrospection` | If true, the introspection result (if introspection is defined) is used |
### EnvironmentAwaredValue

A regular string which also allows the value to be read from an environment variable by specifying a URI with the `env` scheme. For example, `env://MY_VAR` will return the value of the `MY_VAR` environment variable.
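The following added Go example (illustrative, not the plugin's own code) serves both the `cipherSuites` field of TLSAdvancedConfiguration above and the EnvironmentAwaredValue rule: it resolves `env://` values, maps cipher suite names to Go's numeric IDs using the standard library's `tls.CipherSuites` and `tls.InsecureCipherSuites` lists, reports any suite Go classifies as insecure, and applies the documented defaults. The type and function names (`TLSConfiguration`, `ResolveEnvAware`, `ResolveCipherSuites`, `ResolveTLS`) are assumptions; the plugin's real implementation may differ.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strings"
)

// TLSConfiguration mirrors the documented JSON object (illustrative
// reimplementation, not the plugin's own type).
type TLSConfiguration struct {
	Auto     bool   `json:"auto"`
	CertFile string `json:"certFile"`
	KeyFile  string `json:"keyFile"`
	Advanced struct {
		CipherSuites []string `json:"cipherSuites"`
	} `json:"advanced"`
}

// DefaultCipherSuites is the documented default for cipherSuites.
var DefaultCipherSuites = []string{
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
}

// ResolveEnvAware applies the EnvironmentAwaredValue rule: "env://NAME" becomes
// the value of environment variable NAME; any other string is returned as-is.
// An unset variable is an error, so a missing secret fails loudly, not as "".
func ResolveEnvAware(v string) (string, error) {
	const scheme = "env://"
	if !strings.HasPrefix(v, scheme) {
		return v, nil
	}
	name := strings.TrimPrefix(v, scheme)
	if name == "" {
		return "", fmt.Errorf("env-aware value %q names no variable", v)
	}
	val, ok := os.LookupEnv(name)
	if !ok {
		return "", fmt.Errorf("environment variable %s (from %q) is not set", name, v)
	}
	return val, nil
}

// ResolveCipherSuites maps suite names as written in the config to Go's numeric
// IDs. Unknown names are rejected; names Go classifies as insecure (RC4 and 3DES
// among them) still resolve but are reported so the operator sees what is enabled.
func ResolveCipherSuites(names []string) (ids []uint16, insecure []string, err error) {
	byName := make(map[string]*tls.CipherSuite)
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs
	}
	for _, cs := range tls.InsecureCipherSuites() {
		byName[cs.Name] = cs
	}
	for _, n := range names {
		cs, ok := byName[n]
		if !ok {
			return nil, nil, fmt.Errorf("unsupported cipher suite %q", n)
		}
		if cs.Insecure {
			insecure = append(insecure, n)
		}
		ids = append(ids, cs.ID)
	}
	return ids, insecure, nil
}

// ResolveTLS applies the documented defaults (cert.pem, key.pem,
// DefaultCipherSuites), resolves env:// file locations in place, and returns
// the tls.Config to serve with plus any weak suites the config enabled. Loading
// or generating the certificate (the "auto" path) is left to the caller.
func ResolveTLS(cfg *TLSConfiguration) (*tls.Config, []string, error) {
	if cfg.CertFile == "" {
		cfg.CertFile = "cert.pem"
	}
	if cfg.KeyFile == "" {
		cfg.KeyFile = "key.pem"
	}
	if len(cfg.Advanced.CipherSuites) == 0 {
		cfg.Advanced.CipherSuites = DefaultCipherSuites
	}
	var err error
	if cfg.CertFile, err = ResolveEnvAware(cfg.CertFile); err != nil {
		return nil, nil, err
	}
	if cfg.KeyFile, err = ResolveEnvAware(cfg.KeyFile); err != nil {
		return nil, nil, err
	}
	ids, insecure, err := ResolveCipherSuites(cfg.Advanced.CipherSuites)
	if err != nil {
		return nil, nil, err
	}
	// Every listed suite is a TLS 1.2 suite, so TLS 1.2 is the floor.
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}, insecure, nil
}
```

A caller would unmarshal the `tls` JSON object into `TLSConfiguration`, call `ResolveTLS`, and log the returned insecure list before loading the key pair. Resolving `env://` values only at startup, and failing when the variable is absent, keeps an empty certificate or key path from being silently used.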
### Supported Cipher Suites

- `TLS_RSA_WITH_RC4_128_SHA`
- `TLS_RSA_WITH_3DES_EDE_CBC_SHA`
- `TLS_RSA_WITH_AES_128_CBC_SHA`
- `TLS_RSA_WITH_AES_256_CBC_SHA`
- `TLS_RSA_WITH_AES_128_CBC_SHA256`
- `TLS_RSA_WITH_AES_128_GCM_SHA256`
- `TLS_RSA_WITH_AES_256_GCM_SHA384`
- `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`
- `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
- `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
- `TLS_ECDHE_RSA_WITH_RC4_128_SHA`
- `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`
- `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
- `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
- `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
- `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`
- `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
- `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
- `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
- `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
- `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`
- `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`
## OAuth2 Authz Server Integration

Examples of how to integrate the Quorum Security Plugin with an OAuth2 Authorization Server are here.
## OAuth2 Scopes

Scope is a mechanism to limit a client's access to protected resources in the Quorum Client RPC server. A client can request one or more scopes from a token endpoint of an OAuth2 Provider. The access token issued to the client will be limited to the scopes granted.

The scope syntax is as follows:

```
scope := "rpc://" rpc-string
rpc-string := service-name delimiter method-name
service-name := string
delimiter := "." or "_"
method-name := string
```
### Examples

#### Protecting APIs

| Scope | Description |
|-------|-------------|
| `rpc://web3.clientVersion` | Allow access to the `web3_clientVersion` API |
| `rpc://eth_*` or `rpc://eth_` | Allow access to all APIs under the `eth` namespace |
| `rpc://*_version` or `rpc://_version` | Allow access to the `version` method of all namespaces, e.g. `net_version`, `ssh_version` |
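The following added Go example (illustrative, not the plugin's code) implements the scope grammar and the examples in the table above, and also shows the JWTConfiguration `authorizationField` step of pulling granted scopes out of a token's claims. It treats an empty or `*` service or method part as a wildcard, as the table's examples do, and denies by default: a method is allowed only when some well-formed granted scope covers it. The names `ParseScope`, `ScopesFromClaims` and `Authorize` are assumptions, and the claims in `main` are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Scope is a parsed rpc:// scope. An empty part or "*" is a wildcard, matching
// the documented examples (rpc://eth_ and rpc://eth_* both cover every eth method).
type Scope struct {
	Service string
	Method  string
}

var ErrBadScope = errors.New("malformed scope")

// ParseScope implements scope := "rpc://" service-name delimiter method-name,
// where delimiter is "." or "_".
func ParseScope(s string) (Scope, error) {
	const prefix = "rpc://"
	if !strings.HasPrefix(s, prefix) {
		return Scope{}, fmt.Errorf("%w: %q lacks the %s prefix", ErrBadScope, s, prefix)
	}
	rest := strings.TrimPrefix(s, prefix)
	i := strings.IndexAny(rest, "._")
	if i < 0 {
		return Scope{}, fmt.Errorf("%w: %q has no '.' or '_' delimiter", ErrBadScope, s)
	}
	return Scope{Service: rest[:i], Method: rest[i+1:]}, nil
}

func wildcard(part string) bool { return part == "" || part == "*" }

// Allows reports whether the scope covers an RPC method named the way geth
// spells it, "namespace_method" (for example "eth_blockNumber").
func (sc Scope) Allows(rpcMethod string) bool {
	i := strings.IndexByte(rpcMethod, '_')
	if i < 0 {
		return false
	}
	svc, m := rpcMethod[:i], rpcMethod[i+1:]
	return (wildcard(sc.Service) || sc.Service == svc) && (wildcard(sc.Method) || sc.Method == m)
}

// ScopesFromClaims reads the granted scopes from token claims using the
// configured authorizationField (default "scope"). A space-separated string
// (the usual "scope" claim shape) and a JSON array are both accepted.
func ScopesFromClaims(claims map[string]interface{}, authorizationField string) []string {
	if authorizationField == "" {
		authorizationField = "scope"
	}
	switch v := claims[authorizationField].(type) {
	case string:
		return strings.Fields(v)
	case []string:
		return v
	case []interface{}:
		var out []string
		for _, x := range v {
			if s, ok := x.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// Authorize is deny-by-default: a call passes only if at least one well-formed
// granted scope covers it. Malformed scopes are skipped, never treated as grants.
func Authorize(granted []string, rpcMethod string) bool {
	for _, g := range granted {
		sc, err := ParseScope(g)
		if err != nil {
			continue
		}
		if sc.Allows(rpcMethod) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed claims as an introspection response or JWT payload might carry them.
	claims := map[string]interface{}{"scope": "rpc://eth_* rpc://*_version rpc://web3.clientVersion"}
	granted := ScopesFromClaims(claims, "scope")
	for _, m := range []string{"eth_blockNumber", "net_version", "web3_clientVersion", "web3_sha3", "admin_addPeer"} {
		fmt.Printf("%-20s allowed=%v\n", m, Authorize(granted, m))
	}
}
```

Because the token's claim is the only input to the decision, a resource server built this way should only call `Authorize` after the token itself has been validated (signature or introspection, issuer in the configured `issuers` list); the scope check adds authorization, not authentication.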
## Change Log

### v1.0.0

- Initial release