[global] server_version = "Secret/0.0.7" debug = True #[auth:simple] #handler = custodia.httpd.authenticators.SimpleCredsAuth #uid = 48 #gid = 48 [auth:header] handler = custodia.httpd.authenticators.SimpleHeaderAuth name = REMOTE_USER [authz:paths] handler = custodia.httpd.authorizers.SimplePathAuthz paths = /. [authz:namespaces] handler = custodia.httpd.authorizers.UserNameSpace path = /secrets/ store = simple [store:simple] handler = custodia.store.sqlite.SqliteStore dburi = secrets.db table = secrets [/] handler = custodia.root.Root store = simple # Multi-tenant example [store:tenant1] handler = custodia.store.sqlite.SqliteStore dburi = secrets.db table = tenant1 [authz:tenant1] handler = custodia.httpd.authorizers.UserNameSpace path = /tenant1/secrets/ store = tenant1 [/tenant1/secrets] handler = custodia.root.Secrets store = tenant1 # Encstore example [store:encrypted] handler = custodia.store.enclite.EncryptedStore dburi = examples/enclite.db table = enclite master_key = examples/enclite.sample.key master_enctype = A128CBC-HS256 [auth:sak] handler = custodia.httpd.authenticators.SimpleAuthKeys store = encrypted # sample key: test=foo-host-key [authz:encrypted] handler = custodia.httpd.authorizers.UserNameSpace path = /enc/secrets/ store = encrypted [store:kemkeys] handler = custodia.store.enclite.EncryptedStore dburi = examples/enclite.db table = enclite master_key = examples/enclite.sample.key master_enctype = A128CBC-HS256 [authz:kkstore] handler = custodia.message.kem.KEMKeysStore path = /enc/secrets/ store = kemkeys [/enc/secrets] handler = custodia.root.Secrets allowed_keytypes = simple kem store = encrypted # Forward [authz:forwarders] handler = custodia.httpd.authorizers.SimplePathAuthz paths = /forwarder /forwarder_loop [/forwarder] handler = custodia.forwarder.Forwarder forward_uri = http+unix://%2e%2fserver_socket/secrets forward_headers = {"CUSTODIA_AUTH_ID": "test", "CUSTODIA_AUTH_KEY": "foo-host-key"} [/forwarder_loop] handler = custodia.forwarder.Forwarder forward_uri = http+unix://%2e%2fserver_socket/forwarder_loop forward_headers = {"REMOTE_USER": "test"}