ScopeCookie
OpenDiamond uses scope cookies to define what objects are going to be searched. The scope cookie contains one or more URLs which diamondd uses to contact a dataretriever which returns a list of objects. Each object in this list is again identified by a URL which is used to retrieve the object before it is passed to a searchlet.
To control access to both diamondd and the searched objects, a cookie is only accepted when it
- has been signed by a trusted certificate,
- is addressed to the local server, and
- carries a signature that has not expired.
diamondd reads trusted certificates from the file specified by the `CERTFILE` option in the `.diamond/diamond_config` file, or from `.diamond/CERTS` by default. The server name is derived by reverse DNS resolution of the addresses of the local interfaces. If this fails to produce the correct hostname, the value can be overridden by specifying one or more `SERVERID` options in the `.diamond/diamond_config` file.
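As an added illustration that is not OpenDiamond's own code, the three acceptance checks above applied to a constructed, simplified cookie layout (not the real scope cookie format). The X.509 signature check is left as a pluggable `verify` callable, with an HMAC stand-in so the example runs on the standard library alone; `accept_cookie` returns the reason for a rejection so it can be logged.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass

# Constructed, simplified layout for this example (NOT OpenDiamond's real wire format):
# line 1 carries the signature, then "Key: Value" headers, a blank line, and one scope
# URL per line. The signature covers everything after line 1.

@dataclass
class Cookie:
    key_id: str
    servers: list          # server ids the cookie is addressed to
    expires: int           # POSIX timestamp after which the signature is invalid
    scope_urls: list
    signature: bytes
    signed_body: bytes

def parse_cookie(text: str) -> Cookie:
    sig_line, body = text.split("\n", 1)
    headers, urls = body.split("\n\n", 1)
    hdr = dict(line.split(": ", 1) for line in headers.splitlines())
    return Cookie(hdr["KeyId"], hdr["Servers"].split(","), int(hdr["Expires"]),
                  urls.split(), bytes.fromhex(sig_line.split(": ", 1)[1]), body.encode())

def hmac_sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for the private-key signature; diamondd checks an X.509 signature instead.
    return hmac.new(key, data, hashlib.sha256).digest()

def hmac_verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac_sign(key, data), sig)

def make_cookie(key_id, key, servers, expires, scope_urls):
    body = (f"KeyId: {key_id}\nServers: {','.join(servers)}\nExpires: {expires}\n\n"
            + "\n".join(scope_urls) + "\n")
    return f"Signature: {hmac_sign(key, body.encode()).hex()}\n" + body

def accept_cookie(cookie, local_serverids, trusted_keys, verify=hmac_verify, now=None):
    """Trusted signer, addressed to this server, not expired: fail closed on the first miss."""
    now = time.time() if now is None else now
    key = trusted_keys.get(cookie.key_id)          # key id must map to a trusted certificate
    if key is None or not verify(key, cookie.signed_body, cookie.signature):
        return False, "signature not made by a trusted key"
    if not set(cookie.servers) & set(local_serverids):   # compare against SERVERID values
        return False, "cookie not addressed to this server"
    if cookie.expires <= now:
        return False, "signature expired"
    return True, "ok"
```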
Cookies are generated by the `cookiecutter` utility which is distributed as part of OpenDiamond, or natively from Python code using the functions in the `opendiamond.scope` module. By default cookies are signed using a private key file found in `~/.diamond/key.pem`. Because delegation is not used, a simple self-signed public/private key pair is sufficient and can be generated as follows with `certtool` from the gnutls package:

```
certtool --generate-privkey --outfile key.pem
certtool --generate-self-signed --load-privkey key.pem --outfile crt.pem
```
Cookies are typically created by the OpenDiamond Scopeserver, but `cookiecutter` can also be used manually to generate a long-lived token that can be saved to the desktop.