provisioner

package
v0.0.0-...-03b241a Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 25, 2020 License: Apache-2.0 Imports: 38 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// K8sSAName is the default name used for kubernetes service account provisioners.
	K8sSAName = "k8sSA-default"
	// K8sSAID is the default ID for kubernetes service account provisioners.
	K8sSAID = "k8ssa/" + K8sSAName
)
View Source
const (
	// SSHUserCert is the string used to represent ssh.UserCert.
	SSHUserCert = "user"

	// SSHHostCert is the string used to represent ssh.HostCert.
	SSHHostCert = "host"
)
View Source
const DefaultCertValidity = 24 * time.Hour

DefaultCertValidity is the default validity for a certificate if none is specified.

View Source
const DefaultProvisionersLimit = 20

DefaultProvisionersLimit is the default limit for listing provisioners.

View Source
const DefaultProvisionersMax = 100

DefaultProvisionersMax is the maximum limit for listing provisioners.

Variables

This section is empty.

Functions

func ExtractSSHPOPCert

func ExtractSSHPOPCert(token string) (*ssh.Certificate, *jose.JSONWebToken, error)

ExtractSSHPOPCert parses a JWT and extracts and loads the SSH Certificate in the sshpop header. If the header is missing, an error is returned.

func NewContextWithMethod

func NewContextWithMethod(ctx context.Context, method Method) context.Context

NewContextWithMethod creates a new context from ctx and attaches method to it.

func SanitizeSSHUserPrincipal

func SanitizeSSHUserPrincipal(email string) string

SanitizeSSHUserPrincipal grabs an email or a string with the format local@domain and returns a sanitized version of the local, valid to be used as a user name. If the email starts with a letter between a and z, the resulting string will match the regular expression `^[a-z][-a-z0-9_]*$`.

Types

type ACME

type ACME struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	ForceCN bool     `json:"forceCN,omitempty"`
	Claims  *Claims  `json:"claims,omitempty"`
	Options *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

ACME is the acme provisioner type, an entity that can authorize the ACME provisioning flow.

func (*ACME) AuthorizeRenew

func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (ACME) AuthorizeRevoke

func (b ACME) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (ACME) AuthorizeSSHRekey

func (b ACME) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (ACME) AuthorizeSSHRenew

func (b ACME) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (ACME) AuthorizeSSHRevoke

func (b ACME) AuthorizeSSHRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (ACME) AuthorizeSSHSign

func (b ACME) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing SSH Certificates.

func (*ACME) AuthorizeSign

func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign does not do any validation, because all validation is handled in the ACME protocol. This method returns a list of modifiers / constraints on the resulting certificate.

func (*ACME) DefaultTLSCertDuration

func (p *ACME) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration returns the default TLS cert duration enforced by the provisioner.

func (*ACME) GetEncryptedKey

func (p *ACME) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (ACME) GetID

func (p ACME) GetID() string

GetID returns the provisioner unique identifier.

func (*ACME) GetName

func (p *ACME) GetName() string

GetName returns the name of the provisioner.

func (*ACME) GetOptions

func (p *ACME) GetOptions() *Options

GetOptions returns the configured provisioner options.

func (*ACME) GetTokenID

func (p *ACME) GetTokenID(ott string) (string, error)

GetTokenID returns the identifier of the token.

func (*ACME) GetType

func (p *ACME) GetType() Type

GetType returns the type of provisioner.

func (*ACME) Init

func (p *ACME) Init(config Config) (err error)

Init initializes and validates the fields of a JWK type.

type AWS

type AWS struct {
	Type                   string   `json:"type"`
	Name                   string   `json:"name"`
	Accounts               []string `json:"accounts"`
	DisableCustomSANs      bool     `json:"disableCustomSANs"`
	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
	IMDSVersions           []string `json:"imdsVersions"`
	InstanceAge            Duration `json:"instanceAge,omitempty"`
	Claims                 *Claims  `json:"claims,omitempty"`
	Options                *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

AWS is the provisioner that supports identity tokens created from the Amazon Web Services Instance Identity Documents.

If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

If InstanceAge is set, only the instances with a pendingTime within the given period will be accepted.

Amazon Identity docs are available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html

func (*AWS) AuthorizeRenew

func (p *AWS) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (AWS) AuthorizeRevoke

func (b AWS) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (AWS) AuthorizeSSHRekey

func (b AWS) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (AWS) AuthorizeSSHRenew

func (b AWS) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (AWS) AuthorizeSSHRevoke

func (b AWS) AuthorizeSSHRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*AWS) AuthorizeSSHSign

func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*AWS) AuthorizeSign

func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.

func (*AWS) GetEncryptedKey

func (p *AWS) GetEncryptedKey() (kid string, key string, ok bool)

GetEncryptedKey is not available in an AWS provisioner.

func (*AWS) GetID

func (p *AWS) GetID() string

GetID returns the provisioner unique identifier.

func (*AWS) GetIdentityToken

func (p *AWS) GetIdentityToken(subject, caURL string) (string, error)

GetIdentityToken retrieves the identity document and it's signature and generates a token with them.

func (*AWS) GetName

func (p *AWS) GetName() string

GetName returns the name of the provisioner.

func (*AWS) GetTokenID

func (p *AWS) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token.

func (*AWS) GetType

func (p *AWS) GetType() Type

GetType returns the type of provisioner.

func (*AWS) Init

func (p *AWS) Init(config Config) (err error)

Init validates and initializes the AWS provisioner.

type Audiences

type Audiences struct {
	Sign      []string
	Revoke    []string
	SSHSign   []string
	SSHRevoke []string
	SSHRenew  []string
	SSHRekey  []string
}

Audiences stores all supported audiences by request type.

func (Audiences) All

func (a Audiences) All() (auds []string)

All returns all supported audiences across all request types in one list.

func (Audiences) WithFragment

func (a Audiences) WithFragment(fragment string) Audiences

WithFragment returns a copy of audiences where the url audiences contains the given fragment.

type Azure

type Azure struct {
	Type                   string   `json:"type"`
	Name                   string   `json:"name"`
	TenantID               string   `json:"tenantID"`
	ResourceGroups         []string `json:"resourceGroups"`
	Audience               string   `json:"audience,omitempty"`
	DisableCustomSANs      bool     `json:"disableCustomSANs"`
	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
	Claims                 *Claims  `json:"claims,omitempty"`
	Options                *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

Azure is the provisioner that supports identity tokens created from the Microsoft Azure Instance Metadata service.

The default audience is "https://management.azure.com/".

If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

Microsoft Azure identity docs are available at https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token and https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service

func (*Azure) AuthorizeRenew

func (p *Azure) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (Azure) AuthorizeRevoke

func (b Azure) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (Azure) AuthorizeSSHRekey

func (b Azure) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (Azure) AuthorizeSSHRenew

func (b Azure) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (Azure) AuthorizeSSHRevoke

func (b Azure) AuthorizeSSHRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*Azure) AuthorizeSSHSign

func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*Azure) AuthorizeSign

func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.

func (*Azure) GetEncryptedKey

func (p *Azure) GetEncryptedKey() (kid string, key string, ok bool)

GetEncryptedKey is not available in an Azure provisioner.

func (*Azure) GetID

func (p *Azure) GetID() string

GetID returns the provisioner unique identifier.

func (*Azure) GetIdentityToken

func (p *Azure) GetIdentityToken(subject, caURL string) (string, error)

GetIdentityToken retrieves from the metadata service the identity token and returns it.

func (*Azure) GetName

func (p *Azure) GetName() string

GetName returns the name of the provisioner.

func (*Azure) GetTokenID

func (p *Azure) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token. The default value for Azure the SHA256 of "xms_mirid", but if DisableTrustOnFirstUse is set to true, then it will be the token kid.

func (*Azure) GetType

func (p *Azure) GetType() Type

GetType returns the type of provisioner.

func (*Azure) Init

func (p *Azure) Init(config Config) (err error)

Init validates and initializes the Azure provisioner.

type CertificateEnforcer

type CertificateEnforcer interface {
	Enforce(cert *x509.Certificate) error
}

CertificateEnforcer is an interface used to modify a given X.509 certificate. Types implemented this interface will NOT be validated with a CertificateValidator.

type CertificateEnforcerFunc

type CertificateEnforcerFunc func(cert *x509.Certificate) error

CertificateEnforcerFunc allows to create simple certificate enforcer just with a function.

func (CertificateEnforcerFunc) Enforce

func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error

Enforce implements CertificateEnforcer and just calls the defined function.

type CertificateModifier

type CertificateModifier interface {
	Modify(cert *x509.Certificate, opts SignOptions) error
}

CertificateModifier is an interface used to modify a given X.509 certificate. Types implementing this interface will be validated with a CertificateValidator.

type CertificateModifierFunc

type CertificateModifierFunc func(cert *x509.Certificate, opts SignOptions) error

CertificateModifierFunc allows to create simple certificate modifiers just with a function.

func (CertificateModifierFunc) Modify

func (fn CertificateModifierFunc) Modify(cert *x509.Certificate, opts SignOptions) error

Modify implements CertificateModifier and just calls the defined function.

type CertificateOptions

type CertificateOptions interface {
	Options(SignOptions) []x509util.Option
}

CertificateOptions is an interface that returns a list of options passed when creating a new certificate.

func CustomTemplateOptions

func CustomTemplateOptions(o *Options, data x509util.TemplateData, defaultTemplate string) (CertificateOptions, error)

CustomTemplateOptions generates a CertificateOptions with the template, data defined in the ProvisionerOptions, the provisioner generated data and the user data provided in the request. If no template has been provided in the ProvisionerOptions, the given template will be used.

func TemplateOptions

func TemplateOptions(o *Options, data x509util.TemplateData) (CertificateOptions, error)

TemplateOptions generates a CertificateOptions with the template and data defined in the ProvisionerOptions, the provisioner generated data, and the user data provided in the request. If no template has been provided, x509util.DefaultLeafTemplate will be used.

type CertificateRequestValidator

type CertificateRequestValidator interface {
	Valid(cr *x509.CertificateRequest) error
}

CertificateRequestValidator is an interface used to validate a given X.509 certificate request.

type CertificateValidator

type CertificateValidator interface {
	Valid(cert *x509.Certificate, opts SignOptions) error
}

CertificateValidator is an interface used to validate a given X.509 certificate.

type Claimer

type Claimer struct {
	// contains filtered or unexported fields
}

Claimer is the type that controls claims. It provides an interface around the current claim and the global one.

func NewClaimer

func NewClaimer(claims *Claims, global Claims) (*Claimer, error)

NewClaimer initializes a new claimer with the given claims.

func (*Claimer) Claims

func (c *Claimer) Claims() Claims

Claims returns the merge of the inner and global claims.

func (*Claimer) DefaultHostSSHCertDuration

func (c *Claimer) DefaultHostSSHCertDuration() time.Duration

DefaultHostSSHCertDuration returns the default SSH host cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*Claimer) DefaultSSHCertDuration

func (c *Claimer) DefaultSSHCertDuration(certType uint32) (time.Duration, error)

DefaultSSHCertDuration returns the default SSH certificate duration for the given certificate type.

func (*Claimer) DefaultTLSCertDuration

func (c *Claimer) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration returns the default TLS cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*Claimer) DefaultUserSSHCertDuration

func (c *Claimer) DefaultUserSSHCertDuration() time.Duration

DefaultUserSSHCertDuration returns the default SSH user cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*Claimer) IsDisableRenewal

func (c *Claimer) IsDisableRenewal() bool

IsDisableRenewal returns if the renewal flow is disabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.

func (*Claimer) IsSSHCAEnabled

func (c *Claimer) IsSSHCAEnabled() bool

IsSSHCAEnabled returns if the SSH CA is enabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.

func (*Claimer) MaxHostSSHCertDuration

func (c *Claimer) MaxHostSSHCertDuration() time.Duration

MaxHostSSHCertDuration returns the maximum SSH Host cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*Claimer) MaxTLSCertDuration

func (c *Claimer) MaxTLSCertDuration() time.Duration

MaxTLSCertDuration returns the maximum TLS cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*Claimer) MaxUserSSHCertDuration

func (c *Claimer) MaxUserSSHCertDuration() time.Duration

MaxUserSSHCertDuration returns the maximum SSH user cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*Claimer) MinHostSSHCertDuration

func (c *Claimer) MinHostSSHCertDuration() time.Duration

MinHostSSHCertDuration returns the minimum SSH host cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*Claimer) MinTLSCertDuration

func (c *Claimer) MinTLSCertDuration() time.Duration

MinTLSCertDuration returns the minimum TLS cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*Claimer) MinUserSSHCertDuration

func (c *Claimer) MinUserSSHCertDuration() time.Duration

MinUserSSHCertDuration returns the minimum SSH user cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*Claimer) Validate

func (c *Claimer) Validate() error

Validate validates and modifies the Claims with default values.

type Claims

type Claims struct {
	// TLS CA properties
	MinTLSDur      *Duration `json:"minTLSCertDuration,omitempty"`
	MaxTLSDur      *Duration `json:"maxTLSCertDuration,omitempty"`
	DefaultTLSDur  *Duration `json:"defaultTLSCertDuration,omitempty"`
	DisableRenewal *bool     `json:"disableRenewal,omitempty"`
	// SSH CA properties
	MinUserSSHDur     *Duration `json:"minUserSSHCertDuration,omitempty"`
	MaxUserSSHDur     *Duration `json:"maxUserSSHCertDuration,omitempty"`
	DefaultUserSSHDur *Duration `json:"defaultUserSSHCertDuration,omitempty"`
	MinHostSSHDur     *Duration `json:"minHostSSHCertDuration,omitempty"`
	MaxHostSSHDur     *Duration `json:"maxHostSSHCertDuration,omitempty"`
	DefaultHostSSHDur *Duration `json:"defaultHostSSHCertDuration,omitempty"`
	EnableSSHCA       *bool     `json:"enableSSHCA,omitempty"`
}

Claims so that individual provisioners can override global claims.

type Collection

type Collection struct {
	// contains filtered or unexported fields
}

Collection is a memory map of provisioners.

func NewCollection

func NewCollection(audiences Audiences) *Collection

NewCollection initializes a collection of provisioners. The given list of audiences are the audiences used by the JWT provisioner.

func (*Collection) Find

func (c *Collection) Find(cursor string, limit int) (List, string)

Find implements pagination on a list of sorted provisioners.

func (*Collection) Load

func (c *Collection) Load(id string) (Interface, bool)

Load a provisioner by the ID.

func (*Collection) LoadByCertificate

func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)

LoadByCertificate looks for the provisioner extension and extracts the proper id to load the provisioner.

func (*Collection) LoadByToken

func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool)

LoadByToken parses the token claims and loads the provisioner associated.

func (*Collection) LoadEncryptedKey

func (c *Collection) LoadEncryptedKey(keyID string) (string, bool)

LoadEncryptedKey returns an encrypted key by indexed by KeyID. At this moment only JWK encrypted keys are indexed by KeyID.

func (*Collection) Store

func (c *Collection) Store(p Interface) error

Store adds a provisioner to the collection and enforces the uniqueness of provisioner IDs.

type Config

type Config struct {
	// Claims are the default claims.
	Claims Claims
	// Audiences are the audiences used in the default provisioner, (JWK).
	Audiences Audiences
	// DB is the interface to the authority DB client.
	DB db.AuthDB
	// SSHKeys are the root SSH public keys
	SSHKeys *SSHKeys
	// GetIdentityFunc is a function that returns an identity that will be
	// used by the provisioner to populate certificate attributes.
	GetIdentityFunc GetIdentityFunc
}

Config defines the default parameters used in the initialization of provisioners.

type Duration

type Duration struct {
	time.Duration
}

Duration is a wrapper around Time.Duration to aid with marshal/unmarshal.

func NewDuration

func NewDuration(s string) (*Duration, error)

NewDuration parses a duration string and returns a Duration type or an error if the given string is not a duration.

func (*Duration) MarshalJSON

func (d *Duration) MarshalJSON() ([]byte, error)

MarshalJSON parses a duration string and sets it to the duration.

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

func (*Duration) UnmarshalJSON

func (d *Duration) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON parses a duration string and sets it to the duration.

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

func (*Duration) Value

func (d *Duration) Value() time.Duration

Value returns 0 if the duration is null, the inner duration otherwise.

type GCP

type GCP struct {
	Type                   string   `json:"type"`
	Name                   string   `json:"name"`
	ServiceAccounts        []string `json:"serviceAccounts"`
	ProjectIDs             []string `json:"projectIDs"`
	DisableCustomSANs      bool     `json:"disableCustomSANs"`
	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
	InstanceAge            Duration `json:"instanceAge,omitempty"`
	Claims                 *Claims  `json:"claims,omitempty"`
	Options                *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

GCP is the provisioner that supports identity tokens created by the Google Cloud Platform metadata API.

If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

If InstanceAge is set, only the instances with an instance_creation_timestamp within the given period will be accepted.

Google Identity docs are available at https://cloud.google.com/compute/docs/instances/verifying-instance-identity

func (*GCP) AuthorizeRenew

func (p *GCP) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled.

func (GCP) AuthorizeRevoke

func (b GCP) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (GCP) AuthorizeSSHRekey

func (b GCP) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (GCP) AuthorizeSSHRenew

func (b GCP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (GCP) AuthorizeSSHRevoke

func (b GCP) AuthorizeSSHRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*GCP) AuthorizeSSHSign

func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*GCP) AuthorizeSign

func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.

func (*GCP) GetEncryptedKey

func (p *GCP) GetEncryptedKey() (kid string, key string, ok bool)

GetEncryptedKey is not available in a GCP provisioner.

func (*GCP) GetID

func (p *GCP) GetID() string

GetID returns the provisioner unique identifier. The name should uniquely identify any GCP provisioner.

func (*GCP) GetIdentityToken

func (p *GCP) GetIdentityToken(subject, caURL string) (string, error)

GetIdentityToken does an HTTP request to the identity url.

func (*GCP) GetIdentityURL

func (p *GCP) GetIdentityURL(audience string) string

GetIdentityURL returns the url that generates the GCP token.

func (*GCP) GetName

func (p *GCP) GetName() string

GetName returns the name of the provisioner.

func (*GCP) GetTokenID

func (p *GCP) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token. The default value for GCP the SHA256 of "provisioner_id.instance_id", but if DisableTrustOnFirstUse is set to true, then it will be the SHA256 of the token.

func (*GCP) GetType

func (p *GCP) GetType() Type

GetType returns the type of provisioner.

func (*GCP) Init

func (p *GCP) Init(config Config) error

Init validates and initializes the GCP provisioner.

type GetIdentityFunc

type GetIdentityFunc func(ctx context.Context, p Interface, email string) (*Identity, error)

GetIdentityFunc is a function that returns an identity.

type Identity

type Identity struct {
	Usernames []string `json:"usernames"`
}

Identity is the type representing an externally supplied identity that is used by provisioners to populate certificate fields.

func DefaultIdentityFunc

func DefaultIdentityFunc(ctx context.Context, p Interface, email string) (*Identity, error)

DefaultIdentityFunc return a default identity depending on the provisioner type.

type Interface

type Interface interface {
	GetID() string
	GetTokenID(token string) (string, error)
	GetName() string
	GetType() Type
	GetEncryptedKey() (kid string, key string, ok bool)
	Init(config Config) error
	AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
	AuthorizeRevoke(ctx context.Context, token string) error
	AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
	AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)
	AuthorizeSSHRevoke(ctx context.Context, token string) error
	AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)
	AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)
}

Interface is the interface that all provisioner types must implement.

type JWK

type JWK struct {
	Type         string           `json:"type"`
	Name         string           `json:"name"`
	Key          *jose.JSONWebKey `json:"key"`
	EncryptedKey string           `json:"encryptedKey,omitempty"`
	Claims       *Claims          `json:"claims,omitempty"`
	Options      *Options         `json:"options,omitempty"`
	// contains filtered or unexported fields
}

JWK is the default provisioner, an entity that can sign tokens necessary for signature requests.

func (*JWK) AuthorizeRenew

func (p *JWK) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (*JWK) AuthorizeRevoke

func (p *JWK) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.

func (JWK) AuthorizeSSHRekey

func (b JWK) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (JWK) AuthorizeSSHRenew

func (b JWK) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (*JWK) AuthorizeSSHRevoke

func (p *JWK) AuthorizeSSHRevoke(ctx context.Context, token string) error

AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.

func (*JWK) AuthorizeSSHSign

func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*JWK) AuthorizeSign

func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*JWK) GetEncryptedKey

func (p *JWK) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (*JWK) GetID

func (p *JWK) GetID() string

GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any JWK provisioner.

func (*JWK) GetName

func (p *JWK) GetName() string

GetName returns the name of the provisioner.

func (*JWK) GetTokenID

func (p *JWK) GetTokenID(ott string) (string, error)

GetTokenID returns the identifier of the token.

func (*JWK) GetType

func (p *JWK) GetType() Type

GetType returns the type of provisioner.

func (*JWK) Init

func (p *JWK) Init(config Config) (err error)

Init initializes and validates the fields of a JWK type.

type K8sSA

type K8sSA struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	PubKeys []byte   `json:"publicKeys,omitempty"`
	Claims  *Claims  `json:"claims,omitempty"`
	Options *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

K8sSA represents a Kubernetes ServiceAccount provisioner; an entity trusted to make signature requests.

func (*K8sSA) AuthorizeRenew

func (p *K8sSA) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled.

func (*K8sSA) AuthorizeRevoke

func (p *K8sSA) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.

func (K8sSA) AuthorizeSSHRekey

func (b K8sSA) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (K8sSA) AuthorizeSSHRenew

func (b K8sSA) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (K8sSA) AuthorizeSSHRevoke

func (b K8sSA) AuthorizeSSHRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*K8sSA) AuthorizeSSHSign

func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign validates an request for an SSH certificate.

func (*K8sSA) AuthorizeSign

func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*K8sSA) GetEncryptedKey

func (p *K8sSA) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns false, because the kubernetes provisioner does not have access to the private key.

func (*K8sSA) GetID

func (p *K8sSA) GetID() string

GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any K8sSA provisioner.

func (*K8sSA) GetName

func (p *K8sSA) GetName() string

GetName returns the name of the provisioner.

func (*K8sSA) GetTokenID

func (p *K8sSA) GetTokenID(ott string) (string, error)

GetTokenID returns an unimplemented error and does not use the input ott.

func (*K8sSA) GetType

func (p *K8sSA) GetType() Type

GetType returns the type of provisioner.

func (*K8sSA) Init

func (p *K8sSA) Init(config Config) (err error)

Init initializes and validates the fields of a K8sSA type.

type List

type List []Interface

List represents a list of provisioners.

func (*List) UnmarshalJSON

func (l *List) UnmarshalJSON(data []byte) error

UnmarshalJSON implements json.Unmarshaler and allows to unmarshal a list of a interfaces into the right type.

type Method

type Method int

Method indicates the action to action that we will perform, it's used as part of the context in the call to authorize. It defaults to Sing.

const (
	// SignMethod is the method used to sign X.509 certificates.
	SignMethod Method = iota
	// RevokeMethod is the method used to revoke X.509 certificates.
	RevokeMethod
	// RenewMethod is the method used to renew X.509 certificates.
	RenewMethod
	// SSHSignMethod is the method used to sign SSH certificates.
	SSHSignMethod
	// SSHRenewMethod is the method used to renew SSH certificates.
	SSHRenewMethod
	// SSHRevokeMethod is the method used to revoke SSH certificates.
	SSHRevokeMethod
	// SSHRekeyMethod is the method used to rekey SSH certificates.
	SSHRekeyMethod
)

func MethodFromContext

func MethodFromContext(ctx context.Context) Method

MethodFromContext returns the Method saved in ctx. Returns Sign if the given context has no Method associated with it.

func (Method) String

func (m Method) String() string

String returns a string representation of the context method.

type MockProvisioner

type MockProvisioner struct {
	Mret1, Mret2, Mret3 interface{}
	Merr                error
	MgetID              func() string
	MgetTokenID         func(string) (string, error)
	MgetName            func() string
	MgetType            func() Type
	MgetEncryptedKey    func() (string, string, bool)
	Minit               func(Config) error
	MauthorizeSign      func(ctx context.Context, ott string) ([]SignOption, error)
	MauthorizeRenew     func(ctx context.Context, cert *x509.Certificate) error
	MauthorizeRevoke    func(ctx context.Context, ott string) error
	MauthorizeSSHSign   func(ctx context.Context, ott string) ([]SignOption, error)
	MauthorizeSSHRenew  func(ctx context.Context, ott string) (*ssh.Certificate, error)
	MauthorizeSSHRekey  func(ctx context.Context, ott string) (*ssh.Certificate, []SignOption, error)
	MauthorizeSSHRevoke func(ctx context.Context, ott string) error
}

MockProvisioner for testing

func (*MockProvisioner) AuthorizeRenew

func (m *MockProvisioner) AuthorizeRenew(ctx context.Context, c *x509.Certificate) error

AuthorizeRenew mock

func (*MockProvisioner) AuthorizeRevoke

func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, ott string) error

AuthorizeRevoke mock

func (*MockProvisioner) AuthorizeSSHRekey

func (m *MockProvisioner) AuthorizeSSHRekey(ctx context.Context, ott string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey mock

func (*MockProvisioner) AuthorizeSSHRenew

func (m *MockProvisioner) AuthorizeSSHRenew(ctx context.Context, ott string) (*ssh.Certificate, error)

AuthorizeSSHRenew mock

func (*MockProvisioner) AuthorizeSSHRevoke

func (m *MockProvisioner) AuthorizeSSHRevoke(ctx context.Context, ott string) error

AuthorizeSSHRevoke mock

func (*MockProvisioner) AuthorizeSSHSign

func (m *MockProvisioner) AuthorizeSSHSign(ctx context.Context, ott string) ([]SignOption, error)

AuthorizeSSHSign mock

func (*MockProvisioner) AuthorizeSign

func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]SignOption, error)

AuthorizeSign mock

func (*MockProvisioner) GetEncryptedKey

func (m *MockProvisioner) GetEncryptedKey() (string, string, bool)

GetEncryptedKey mock

func (*MockProvisioner) GetID

func (m *MockProvisioner) GetID() string

GetID mock

func (*MockProvisioner) GetName

func (m *MockProvisioner) GetName() string

GetName mock

func (*MockProvisioner) GetTokenID

func (m *MockProvisioner) GetTokenID(token string) (string, error)

GetTokenID mock

func (*MockProvisioner) GetType

func (m *MockProvisioner) GetType() Type

GetType mock

func (*MockProvisioner) Init

func (m *MockProvisioner) Init(c Config) error

Init mock

type OIDC

type OIDC struct {
	Type                  string   `json:"type"`
	Name                  string   `json:"name"`
	ClientID              string   `json:"clientID"`
	ClientSecret          string   `json:"clientSecret"`
	ConfigurationEndpoint string   `json:"configurationEndpoint"`
	TenantID              string   `json:"tenantID,omitempty"`
	Admins                []string `json:"admins,omitempty"`
	Domains               []string `json:"domains,omitempty"`
	Groups                []string `json:"groups,omitempty"`
	ListenAddress         string   `json:"listenAddress,omitempty"`
	Claims                *Claims  `json:"claims,omitempty"`
	Options               *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

OIDC represents an OAuth 2.0 OpenID Connect provider.

ClientSecret is mandatory, but it can be an empty string.

func (*OIDC) AuthorizeRenew

func (o *OIDC) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (*OIDC) AuthorizeRevoke

func (o *OIDC) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property. Only tokens generated by an admin have the right to revoke a certificate.

func (OIDC) AuthorizeSSHRekey

func (b OIDC) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (OIDC) AuthorizeSSHRenew

func (b OIDC) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (*OIDC) AuthorizeSSHRevoke

func (o *OIDC) AuthorizeSSHRevoke(ctx context.Context, token string) error

AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.

func (*OIDC) AuthorizeSSHSign

func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*OIDC) AuthorizeSign

func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*OIDC) GetEncryptedKey

func (o *OIDC) GetEncryptedKey() (kid string, key string, ok bool)

GetEncryptedKey is not available in an OIDC provisioner.

func (*OIDC) GetID

func (o *OIDC) GetID() string

GetID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.

func (*OIDC) GetName

func (o *OIDC) GetName() string

GetName returns the name of the provisioner.

func (*OIDC) GetTokenID

func (o *OIDC) GetTokenID(ott string) (string, error)

GetTokenID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.

func (*OIDC) GetType

func (o *OIDC) GetType() Type

GetType returns the type of provisioner.

func (*OIDC) Init

func (o *OIDC) Init(config Config) (err error)

Init validates and initializes the OIDC provider.

func (*OIDC) IsAdmin

func (o *OIDC) IsAdmin(email string) bool

IsAdmin returns true if the given email is in the Admins allowlist, false otherwise.

func (*OIDC) ValidatePayload

func (o *OIDC) ValidatePayload(p openIDPayload) error

ValidatePayload validates the given token payload.

type Options

type Options struct {
	X509 *X509Options `json:"x509,omitempty"`
}

Options are a collection of custom options that can be added to each provisioner.

func (*Options) GetX509Options

func (o *Options) GetX509Options() *X509Options

GetX509Options returns the X.509Options

type SSHCertModifier

type SSHCertModifier interface {
	SignOption
	Modify(cert *ssh.Certificate) error
}

SSHCertModifier is the interface used to change properties in an SSH certificate.

type SSHCertOptionModifier

type SSHCertOptionModifier interface {
	SignOption
	Option(o SignSSHOptions) SSHCertModifier
}

SSHCertOptionModifier is the interface used to add custom options used to modify the SSH certificate.

type SSHCertOptionsValidator

type SSHCertOptionsValidator interface {
	SignOption
	Valid(got SignSSHOptions) error
}

SSHCertOptionsValidator is the interface used to validate the custom options used to modify the SSH certificate.

type SSHCertValidator

type SSHCertValidator interface {
	SignOption
	Valid(cert *ssh.Certificate, opts SignSSHOptions) error
}

SSHCertValidator is the interface used to validate an SSH certificate.

type SSHKeys

type SSHKeys struct {
	UserKeys []ssh.PublicKey
	HostKeys []ssh.PublicKey
}

SSHKeys represents the SSH User and Host public keys.

type SSHPOP

type SSHPOP struct {
	Type   string  `json:"type"`
	Name   string  `json:"name"`
	Claims *Claims `json:"claims,omitempty"`
	// contains filtered or unexported fields
}

SSHPOP is the default provisioner, an entity that can sign tokens necessary for signature requests.

func (SSHPOP) AuthorizeRenew

func (b SSHPOP) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing x509 Certificates.

func (SSHPOP) AuthorizeRevoke

func (b SSHPOP) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (*SSHPOP) AuthorizeSSHRekey

func (p *SSHPOP) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey validates the authorization token and extracts/validates the SSH certificate from the ssh-pop header.

func (*SSHPOP) AuthorizeSSHRenew

func (p *SSHPOP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew validates the authorization token and extracts/validates the SSH certificate from the ssh-pop header.

func (*SSHPOP) AuthorizeSSHRevoke

func (p *SSHPOP) AuthorizeSSHRevoke(ctx context.Context, token string) error

AuthorizeSSHRevoke validates the authorization token and extracts/validates the SSH certificate from the ssh-pop header.

func (SSHPOP) AuthorizeSSHSign

func (b SSHPOP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing SSH Certificates.

func (SSHPOP) AuthorizeSign

func (b SSHPOP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing x509 Certificates.

func (*SSHPOP) GetEncryptedKey

func (p *SSHPOP) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (*SSHPOP) GetID

func (p *SSHPOP) GetID() string

GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any SSH-POP provisioner.

func (*SSHPOP) GetName

func (p *SSHPOP) GetName() string

GetName returns the name of the provisioner.

func (*SSHPOP) GetTokenID

func (p *SSHPOP) GetTokenID(ott string) (string, error)

GetTokenID returns the identifier of the token.

func (*SSHPOP) GetType

func (p *SSHPOP) GetType() Type

GetType returns the type of provisioner.

func (*SSHPOP) Init

func (p *SSHPOP) Init(config Config) error

Init initializes and validates the fields of a SSHPOP type.

type SignOption

type SignOption interface{}

SignOption is the interface used to collect all extra options used in the Sign method.

type SignOptions

type SignOptions struct {
	NotAfter     TimeDuration    `json:"notAfter"`
	NotBefore    TimeDuration    `json:"notBefore"`
	TemplateData json.RawMessage `json:"templateData"`
	Backdate     time.Duration   `json:"-"`
}

SignOptions contains the options that can be passed to the Sign method. Backdate is automatically filled and can only be configured in the CA.

type SignSSHOptions

type SignSSHOptions struct {
	CertType    string        `json:"certType"`
	KeyID       string        `json:"keyID"`
	Principals  []string      `json:"principals"`
	ValidAfter  TimeDuration  `json:"validAfter,omitempty"`
	ValidBefore TimeDuration  `json:"validBefore,omitempty"`
	Backdate    time.Duration `json:"-"`
}

SignSSHOptions contains the options that can be passed to the SignSSH method.

func (SignSSHOptions) Modify

func (o SignSSHOptions) Modify(cert *ssh.Certificate) error

Modify implements SSHCertModifier and sets the SSHOption in the ssh.Certificate.

func (SignSSHOptions) Type

func (o SignSSHOptions) Type() uint32

Type returns the uint32 representation of the CertType.

type TimeDuration

type TimeDuration struct {
	// contains filtered or unexported fields
}

TimeDuration is a type that represents a time but the JSON unmarshaling can use a time using the RFC 3339 format or a time.Duration string. If a duration is used, the time will be set on the first call to TimeDuration.Time.

func NewTimeDuration

func NewTimeDuration(t time.Time) TimeDuration

NewTimeDuration returns a TimeDuration with the defined time.

func ParseTimeDuration

func ParseTimeDuration(s string) (TimeDuration, error)

ParseTimeDuration returns a new TimeDuration parsing the RFC 3339 time or time.Duration string.

func (*TimeDuration) Equal

func (t *TimeDuration) Equal(other *TimeDuration) bool

Equal returns if t and other are equal.

func (*TimeDuration) IsZero

func (t *TimeDuration) IsZero() bool

IsZero returns true the TimeDuration represents the zero value, false otherwise.

func (TimeDuration) MarshalJSON

func (t TimeDuration) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. If the time is set it will return the time in RFC 3339 format if not it will return the duration string.

func (*TimeDuration) RelativeTime

func (t *TimeDuration) RelativeTime(base time.Time) time.Time

RelativeTime returns the embedded time.Time or the base time plus the duration if this is not zero.

func (*TimeDuration) SetDuration

func (t *TimeDuration) SetDuration(d time.Duration)

SetDuration initializes the TimeDuration with the given duration string. If the time was set it will re-set to zero.

func (*TimeDuration) SetTime

func (t *TimeDuration) SetTime(tt time.Time)

SetTime initializes the TimeDuration with the given time. If the duration is set it will be re-set to zero.

func (*TimeDuration) String

func (t *TimeDuration) String() string

String implements the fmt.Stringer interface.

func (*TimeDuration) Time

func (t *TimeDuration) Time() time.Time

Time calculates the time if needed and returns it.

func (*TimeDuration) Unix

func (t *TimeDuration) Unix() int64

Unix calculates the time if needed it and returns the Unix time in seconds.

func (*TimeDuration) UnmarshalJSON

func (t *TimeDuration) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. The time is expected to be a quoted string in RFC 3339 format or a quoted time.Duration string.

type Type

type Type int

Type indicates the provisioner Type.

const (

	// TypeJWK is used to indicate the JWK provisioners.
	TypeJWK Type = 1
	// TypeOIDC is used to indicate the OIDC provisioners.
	TypeOIDC Type = 2
	// TypeGCP is used to indicate the GCP provisioners.
	TypeGCP Type = 3
	// TypeAWS is used to indicate the AWS provisioners.
	TypeAWS Type = 4
	// TypeAzure is used to indicate the Azure provisioners.
	TypeAzure Type = 5
	// TypeACME is used to indicate the ACME provisioners.
	TypeACME Type = 6
	// TypeX5C is used to indicate the X5C provisioners.
	TypeX5C Type = 7
	// TypeK8sSA is used to indicate the X5C provisioners.
	TypeK8sSA Type = 8
	// TypeSSHPOP is used to indicate the SSHPOP provisioners.
	TypeSSHPOP Type = 9
)

func (Type) String

func (t Type) String() string

String returns the string representation of the type.

type X509Options

type X509Options struct {
	// Template contains a X.509 certificate template. It can be a JSON template
	// escaped in a string or it can be also encoded in base64.
	Template string `json:"template"`

	// TemplateFile points to a file containing a X.509 certificate template.
	TemplateFile string `json:"templateFile"`

	// TemplateData is a JSON object with variables that can be used in custom
	// templates.
	TemplateData json.RawMessage `json:"templateData"`
}

X509Options contains specific options for X.509 certificates.

func (*X509Options) HasTemplate

func (o *X509Options) HasTemplate() bool

HasTemplate returns true if a template is defined in the provisioner options.

type X5C

type X5C struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Roots   []byte   `json:"roots"`
	Claims  *Claims  `json:"claims,omitempty"`
	Options *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

X5C is the default provisioner, an entity that can sign tokens necessary for signature requests.

func (*X5C) AuthorizeRenew

func (p *X5C) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled.

func (*X5C) AuthorizeRevoke

func (p *X5C) AuthorizeRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.

func (X5C) AuthorizeSSHRekey

func (b X5C) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (X5C) AuthorizeSSHRenew

func (b X5C) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (X5C) AuthorizeSSHRevoke

func (b X5C) AuthorizeSSHRevoke(ctx context.Context, token string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*X5C) AuthorizeSSHSign

func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*X5C) AuthorizeSign

func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*X5C) GetEncryptedKey

func (p *X5C) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (*X5C) GetID

func (p *X5C) GetID() string

GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any X5C provisioner.

func (*X5C) GetName

func (p *X5C) GetName() string

GetName returns the name of the provisioner.

func (*X5C) GetTokenID

func (p *X5C) GetTokenID(ott string) (string, error)

GetTokenID returns the identifier of the token.

func (*X5C) GetType

func (p *X5C) GetType() Type

GetType returns the type of provisioner.

func (*X5C) Init

func (p *X5C) Init(config Config) error

Init initializes and validates the fields of a X5C type.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL