Sign upLogin

xmidt-org/themis

View on GitHub
Star
README.md

Summary

Maintainability
Test Coverage
# Themis

[![Build Status](https://travis-ci.com/xmidt-org/themis.svg?branch=master)](https://travis-ci.com/xmidt-org/themis)
[![codecov.io](http://codecov.io/github/xmidt-org/themis/coverage.svg?branch=master)](http://codecov.io/github/xmidt-org/themis?branch=master)
[![Code Climate](https://codeclimate.com/github/xmidt-org/themis/badges/gpa.svg)](https://codeclimate.com/github/xmidt-org/themis)
[![Issue Count](https://codeclimate.com/github/xmidt-org/themis/badges/issue_count.svg)](https://codeclimate.com/github/xmidt-org/themis)
[![Go Report Card](https://goreportcard.com/badge/github.com/xmidt-org/themis)](https://goreportcard.com/report/github.com/xmidt-org/themis)
[![Apache V2 License](http://img.shields.io/badge/license-Apache%20V2-blue.svg)](https://github.com/xmidt-org/themis/blob/master/LICENSE)
[![GitHub release](https://img.shields.io/github/v/release/xmidt-org/themis?include_prereleases)](CHANGELOG.md)

## Summary

A JWT token issuer for devices that connect to the XMiDT cluster.

## Table of Contents

- [Code of Conduct](#code-of-conduct)
- [Details](#details)
- [Build](#build)
- [Deploy](#deploy)
- [Contributing](#contributing)

## Code of Conduct

This project and everyone participating in it are governed by the [XMiDT Code Of Conduct](https://xmidt.io/code_of_conduct/). 
By participating, you agree to this Code.

## Details
Themis provides a flexible strategy to issue [JWT tokens](https://jwt.io/) to devices that need to connect to the XMiDT cluster. 

### Endpoints
There are three main endpoints (directly mapped to servers `key`, `issuer` and `claims` in configuration) this service provides:

- GET `/keys/{KID}`           - PEM format
- GET `/keys/{KID}/jwk.json`  - JWK format

This endpoint allows fetching the public portion of the key that themis uses to sign JWT tokens. For example, [Talaria](https://github.com/xmidt-org/talaria) can use this endpoint to verify the signature of tokens which devices present when they attempt to connect to XMiDT.

Configuration for this endpoint is required when the `issue` endpoint is configured and vice versa.

- GET `/issue`

This is the main and most compute intensive Themis endpoint as it creates JWT tokens based on configuration. 

- GET `/claims`

Configuring this endpoint is required if no configuration is provided for the previous two.


### JWT Claims Configuration
Claims can be configured through the `token.claims`, `partnerID` and `remote` configuration elements. The claim values themselves can come from multiple sources.

#### Fixed values in configuration
```
token:
  ...

  claims:
    capabilities
      value:
        - capability0
        - capability1

```
The above config would create the claim: 
``` 
"capabilities":  ["capability0", "capability1"]
```
#### HTTP Header or Parameter 
```
token:  
  ...

  claims:
    mac:
      header: X-Midt-Mac-Address
      parameter: mac
```
The value of the `mac` claim would come from the specified header or parameter name of the request to the `/issue` endpoint.

#### PartnerID
Although it is configured separately, it behaves very similarly to the previous source type.

```
partnerID:
  claim: partner-id
  metadata: pid # only needed when a remote claims server needs this value
  header: X-Midt-Partner-ID
  parameter: pid
  default: comcast
```

#### Remote claims

```
remote:
  method: "POST"
  url: "http://remote-claims-server.example.com/claims"
```
For more informatiom on how to configure Themis to run as your remote claims server, read the next section on Remote Server Claims Configuration.


### Remote Server Claims Configuration

#### Using Themis as the remote claims server
You can do this by configuring only the `claims` server in your configuration file. 
Claims are configured exactly the same as explained above.

#### Sending data to remote server
Suppose the remote claims server needs the ID of the device requesting a token in the form of an HTTP Header named `X-Midt-Device-Id`. The `token.metadata` configuration element allows you to specify which values are sent to the remote claims server.

```
token:
  ...
  metadata:
    ID:
      header: X-Midt-Device-Id
```

## Build
There is a single binary for themis and its execution is fully driven by configuration.

### Makefile

The Makefile has the following options you may find helpful:
* `make build`: builds the Themis binary
* `make docker`: builds a docker image for themis
* `make local-docker`: builds a docker image for themis with the `local` version tag
* `make test`: runs unit tests with coverage for Themis 
* `make clean`: deletes previously-built binaries and object files

## Deploy
At the simplest form, run the binary with the flag specifying the configuration file
```
./themis -f themis.yaml
``` 

### Docker
We recommend using docker for local development.

```
# Build docker image for themis
# themis.yaml specifies the static claims which will be returned in the JWT
make local-docker

# Run container service
docker run -p 6501:6501 themis:local

# Request a JWT token
curl http://localhost:6501/issue -H 'X-Midt-Mac-Address: mac:1122334455'
```


## Contributing

Refer to [CONTRIBUTING.md](CONTRIBUTING.md).