# This config file supports extended interpolations
# https://docs.python.org/3/library/configparser.html#configparser.ExtendedInterpolation
# Environment variables can be referenced through the ENV section:
#
# Example:
# [DEFAULT]
# cafile = 'path/to/ca.pem'
# [global]
# tls_cafile = ${DEFAULT:cafile}
# server_socket = ${ENV:HOME}/server_socket
# Server-wide settings. ${...} references below are resolved by
# configparser's ExtendedInterpolation (see the header of this file).
[global]
# NOTE(review): configparser keeps the surrounding double quotes as part of
# the value; confirm that the server_version consumer strips them
server_version = "Secret/0.0.7"
# Boolean spelling differs from tls_verify_client below ("True" vs "true");
# both are accepted by configparser's getboolean(), so the value is kept.
debug = True
# HTTPS listener on all interfaces, left disabled; the server presumably
# listens on the unix socket configured right below instead
#server_url = https://0.0.0.0:10443
# Relative to the working directory; [/forwarder] and [/forwarder_loop]
# point back at this same socket path.
server_socket = ./server_socket
# ${configdir} is not defined anywhere in this file; presumably injected by
# the loader (e.g. into DEFAULT) - verify before relying on the audit log path
auditlog = ${configdir}/custodia.audit.log
# Test CA material under tests/ca/ - these paths are for the test suite.
tls_certfile = tests/ca/custodia-server.pem
tls_keyfile = tests/ca/custodia-server.key
tls_cafile = tests/ca/custodia-server.pem
[auth:header]
handler = SimpleHeaderAuth
header = REMOTE_USER
[authz:paths]
handler = SimplePathAuthz
paths = /.
[authz:namespaces]
handler = UserNameSpace
path = /secrets/
store = simple
[store:simple]
handler = SqliteStore
dburi = secrets.db
table = secrets
filemode = 640
[/]
handler = Root
store = simple
# Multi-tenant example
[store:tenant1]
handler = SqliteStore
dburi = secrets.db
table = tenant1
[authz:tenant1]
handler = UserNameSpace
path = /tenant1/secrets/
store = tenant1
[/tenant1/secrets]
handler = Secrets
store = tenant1
# Encstore example
[store:encrypted]
handler = EncryptedStore
dburi = examples/enclite.db
table = enclite
master_key = examples/enclite.sample.key
master_enctype = A128CBC-HS256
[auth:sak]
handler = SimpleAuthKeys
store = encrypted
# sample key: test=foo-host-key
[authz:encrypted]
handler = UserNameSpace
path = /enc/secrets/
store = encrypted
[store:kemkeys]
handler = EncryptedStore
dburi = examples/enclite.db
table = enclite
master_key = examples/enclite.sample.key
master_enctype = A128CBC-HS256
[authz:kkstore]
handler = KEMKeysStore
path = /enc/secrets/
store = kemkeys
[/enc/secrets]
handler = Secrets
allowed_keytypes = simple kem
store = encrypted
# Forward
[authz:forwarders]
handler = SimplePathAuthz
paths = /forwarder /forwarder_loop
[/forwarder]
handler = Forwarder
forward_uri = http+unix://%2e%2fserver_socket/secrets
forward_headers = {"CUSTODIA_AUTH_ID": "test", "CUSTODIA_AUTH_KEY": "foo-host-key"}
[/forwarder_loop]
handler = Forwarder
forward_uri = http+unix://%2e%2fserver_socket/forwarder_loop
forward_headers = {"REMOTE_USER": "test"}
# Encgen example
[store:backing]
handler = SqliteStore
dburi = examples/enclite.db
table = enclite
[store:overlay]
handler = EncryptedOverlay
backing_store = backing
master_key = examples/enclite.sample.key
master_enctype = A128CBC-HS256
[authz:kemgen]
handler = KEMKeysStore
path = /encgen/secrets/
store = overlay