options

package

Documentation

Index

Constants

// Package-level defaults applied when the corresponding config value is
// absent (the JSON fields are all omitempty, so "absent" shows up as the
// Go zero value and is presumably replaced in NewOptions — confirm there).
const (
	// DefaultTokenExpiry is expressed in seconds (28800 s = 8 h). By its
	// name it applies to access tokens (Config.AccessTokens); verify in
	// NewOptions. NOTE(review): a shorter lifetime narrows the window in
	// which a leaked token remains usable, so operators should not raise
	// this without a reason.
	DefaultTokenExpiry = 28800 // 8 hrs
	// DefaultThreshold is in days, matching Options.Threshold ("threshold
	// in number of days for cert expiry checks").
	DefaultThreshold = float64(15) // 15 days
)

Variables

This section is empty.

Functions

func GetAccountId

func GetAccountId(metaEndPoint string, useRegionalSTS bool, region string) (string, error)

func GetInstanceTagValue

func GetInstanceTagValue(metaEndPoint, tagKey string) (string, error)

func GetRunsAsUidGid

func GetRunsAsUidGid(opts *Options) (int, int)

GetRunsAsUidGid returns the uid/gid that the tool should continue to run as, based on the configured setup. For example, if all services have been configured with the same uid/gid for their keys and certs, the tool can drop its access from root to that user. If more than one distinct user is defined, the return values are -1/-1 (there is no single identity to drop to).

func GetSvcNames

func GetSvcNames(svcs []Service) string

GetSvcNames returns a comma-separated list of the service names in svcs.

func InitCredsConfig

func InitCredsConfig(roleSuffix, accessProfileSeparator string, useRegionalSTS bool, region string) (*ConfigAccount, *AccessProfileConfig, error)

func InitEnvConfig

func InitEnvConfig(config *Config, provider provider.Provider) (*Config, *ConfigAccount, error)

func InitFileConfig

func InitFileConfig(fileName, metaEndPoint string, useRegionalSTS bool, region, account string, provider provider.Provider) (*Config, *ConfigAccount, error)

func InitGenericProfileConfig

func InitGenericProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string, provider provider.Provider) (*Config, *AccessProfileConfig, error)

func InitProfileConfig

func InitProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string) (*ConfigAccount, *AccessProfileConfig, error)

func LegacyOptions

func LegacyOptions(opts *Options) *legacy.Options

Types

type AccessProfileConfig

// AccessProfileConfig holds the access-profile settings, which can come
// from the environment (InitAccessProfileEnvConfig) or from a JSON file
// (InitAccessProfileFileConfig). Both fields are optional in the JSON;
// they are copied onto Options.Profile / Options.ProfileRestrictTo.
type AccessProfileConfig struct {
	Profile           string `json:"profile,omitempty"`             // access profile name
	ProfileRestrictTo string `json:"profile_restrict_to,omitempty"` // tag associated with access profile roles
}

func InitAccessProfileEnvConfig

func InitAccessProfileEnvConfig() (*AccessProfileConfig, error)

func InitAccessProfileFileConfig

func InitAccessProfileFileConfig(fileName string) (*AccessProfileConfig, error)

type Config

// Config represents the entire sia_config file as parsed from JSON.
//
// Every field carries omitempty, so an unset key is simply the Go zero
// value; the per-field comments state the documented default where the
// original comments gave one. The fields that decide who can read the
// issued private keys and certificates (User/Group, DropPrivileges,
// SDSUdsUid, FileDirectUpdate, the *Dir overrides) are the
// security-relevant ones and carry review notes below.
type Config struct {
	Version          string                   `json:"version,omitempty"`                    // config version
	Domain           string                   `json:"domain,omitempty"`                     // name of the domain for the identity
	Service          string                   `json:"service,omitempty"`                    // name of the service for the identity
	Services         map[string]ConfigService `json:"services,omitempty"`                   // names of the multiple services for the identity
	Ssh              *bool                    `json:"ssh,omitempty"`                        // ssh certificate support (pointer, presumably so an absent key can be told apart from an explicit false — confirm in NewOptions)
	SshHostKeyType   hostkey.KeyType          `json:"ssh_host_key_type,omitempty"`          // ssh host key type - rsa, ecdsa, etc
	SshPrincipals    string                   `json:"ssh_principals,omitempty"`             // ssh additional principals
	SanDnsWildcard   bool                     `json:"sandns_wildcard,omitempty"`            // san dns wildcard support. NOTE(review): a wildcard SAN widens the set of names the cert is valid for; enable deliberately
	SanDnsHostname   bool                     `json:"sandns_hostname,omitempty"`            // san dns hostname support
	UseRegionalSTS   bool                     `json:"regionalsts,omitempty"`                // whether to use a regional STS endpoint (default is false)
	Account          string                   `json:"aws_account,omitempty"`                // name of the AWS account for the identity ( only applicable in AWS environment )
	Accounts         []ConfigAccount          `json:"accounts,omitempty"`                   // array of configured accounts ( kept for backward compatibility sake )
	GenerateRoleKey  bool                     `json:"generate_role_key,omitempty"`          // private key to be generated for role certificate
	RotateKey        bool                     `json:"rotate_key,omitempty"`                 // rotate private key support
	User             string                   `json:"user,omitempty"`                       // the username to chown the cert/key dirs to. If absent, then root. See also DropPrivileges
	Group            string                   `json:"group,omitempty"`                      // the group name to chown the cert/key dirs to. If absent, then athenz
	SDSUdsPath       string                   `json:"sds_uds_path,omitempty"`               // uds path if the agent should support uds connections
	SDSUdsUid        int                      `json:"sds_uds_uid,omitempty"`                // uds connections must be from the given user uid. NOTE(review): unset leaves 0, which is also root's uid — confirm how NewOptions treats 0 (accept-any vs root-only)
	ExpiryTime       int                      `json:"expiry_time,omitempty"`                // service and role certificate expiry in minutes
	RefreshInterval  int                      `json:"refresh_interval,omitempty"`           // specifies refresh interval in minutes
	ZTSRegion        string                   `json:"zts_region,omitempty"`                 // specifies zts region for the requests
	DropPrivileges   bool                     `json:"drop_privileges,omitempty"`            // drop privileges to configured user instead of running as root (presumably only possible when GetRunsAsUidGid yields a single uid/gid, i.e. not -1/-1 — confirm)
	AccessTokens     map[string]ac.Role       `json:"access_tokens,omitempty"`              // map of role name to token attributes
	FileDirectUpdate bool                     `json:"file_direct_update,omitempty"`         // update key/cert files directly instead of using rename. NOTE(review): an in-place write is not atomic, so a concurrent reader can observe a truncated key/cert during refresh; the rename path is the safer default
	SiaKeyDir        string                   `json:"sia_key_dir,omitempty"`                // sia keys directory to override /var/lib/sia/keys
	SiaCertDir       string                   `json:"sia_cert_dir,omitempty"`               // sia certs directory to override /var/lib/sia/certs
	SiaTokenDir      string                   `json:"sia_token_dir,omitempty"`              // sia tokens directory to override /var/lib/sia/tokens
	SiaBackupDir     string                   `json:"sia_backup_dir,omitempty"`             // sia backup directory to override /var/lib/sia/backup
	HostnameSuffix   string                   `json:"hostname_suffix,omitempty"`            // hostname suffix in case we need to auto-generate hostname
	Zts              string                   `json:"zts,omitempty"`                        // the ZTS to contact (TLS trust for it is configured via Options.ZTSCACertFile / ZTSServerName)
	Roles            map[string]ConfigRole    `json:"roles,omitempty"`                      // map of roles to retrieve certificates for
	Threshold        float64                  `json:"cert_threshold_to_check,omitempty"`    // threshold to verify for all certs, in days (see Options.Threshold)
	SshThreshold     float64                  `json:"sshcert_threshold_to_check,omitempty"` // threshold to verify for ssh certs, in days (see Options.SshThreshold)
	AccessManagement bool                     `json:"access_management,omitempty"`          // access management support
	FailCountForExit int                      `json:"fail_count_for_exit,omitempty"`        // number of failed counts before exiting program
}

Config represents the entire sia_config file.

type ConfigAccount

// ConfigAccount represents one of the accounts that can be listed in the
// config file (Config.Accounts, kept for backward compatibility) or that
// is produced by the Init*Config helpers. Its fields mirror the
// corresponding Config fields and, where present, take effect for that
// account's identity.
type ConfigAccount struct {
	Name         string                `json:"name,omitempty"`                       // name of the service identity
	User         string                `json:"user,omitempty"`                       // the username to chown the cert/key dirs to. If absent, then root.
	Group        string                `json:"group,omitempty"`                      // the group name to chown the cert/key dirs to. If absent, then athenz.
	Domain       string                `json:"domain,omitempty"`                     // name of the domain for the identity
	Account      string                `json:"account,omitempty"`                    // name of the account
	Service      string                `json:"service,omitempty"`                    // name of the service for the identity
	Zts          string                `json:"zts,omitempty"`                        // the ZTS to contact
	Roles        map[string]ConfigRole `json:"roles,omitempty"`                      // map of roles to retrieve certificates for
	Version      string                `json:"version,omitempty"`                    // sia version number
	Threshold    float64               `json:"cert_threshold_to_check,omitempty"`    // threshold to verify for all certs, in days (see Options.Threshold)
	SshThreshold float64               `json:"sshcert_threshold_to_check,omitempty"` // threshold to verify for ssh certs, in days (see Options.SshThreshold)
}

ConfigAccount represents each of the accounts that can be specified in the config file

type ConfigRole

// ConfigRole describes one entry of Config.Roles / ConfigAccount.Roles:
// a role for which a role certificate is retrieved, plus the attributes
// requested for it. Its values are mapped onto the Role type.
type ConfigRole struct {
	Filename   string  `json:"filename,omitempty"`    // filename for the generated role certificate file
	ExpiryTime int     `json:"expiry_time,omitempty"` // requested expiry time for the role certificate (Config.ExpiryTime is in minutes; presumably the same unit here — confirm)
	Service    string  `json:"service,omitempty"`     // principal with role access
	User       string  `json:"user,omitempty"`        // user owner on the role identity key
	Group      string  `json:"group,omitempty"`       // group owner on the role identity key
	Threshold  float64 `json:"cert_threshold_to_check,omitempty"` // threshold to verify for this role's cert, in days (see Options.Threshold)
}

ConfigRole represents a role specified by the user, together with the attributes requested for that role's certificate.

type ConfigService

// ConfigService describes one entry of Config.Services: a service identity
// and the per-service overrides for its key/cert files, ownership, expiry
// and SDS settings. Its values are mapped onto the Service type.
type ConfigService struct {
	KeyFilename    string  `json:"key_filename,omitempty"`            // key file name (presumably relative to the keys directory — confirm in NewOptions)
	CertFilename   string  `json:"cert_filename,omitempty"`           // cert file name (presumably relative to the certs directory — confirm in NewOptions)
	User           string  `json:"user,omitempty"`                    // user owner for this service's key/cert files
	Group          string  `json:"group,omitempty"`                   // group owner for this service's key/cert files
	ExpiryTime     int     `json:"expiry_time,omitempty"`             // certificate expiry for this service (Config.ExpiryTime is in minutes; presumably the same unit here — confirm)
	SDSUdsUid      int     `json:"sds_uds_uid,omitempty"`             // uds connections for this service must be from the given user uid (see Config.SDSUdsUid)
	SDSNodeId      string  `json:"sds_node_id,omitempty"`             // SDS node id; passed through, semantics not visible in this package
	SDSNodeCluster string  `json:"sds_node_cluster,omitempty"`        // SDS node cluster; passed through, semantics not visible in this package
	Threshold      float64 `json:"cert_threshold_to_check,omitempty"` // threshold to verify for this service's cert, in days (see Options.Threshold)
}

ConfigService represents a service specified by the user, together with the User/Group and other per-service attributes for that service.

type MockAWSProvider

// MockAWSProvider is a test double that exposes the provider.Provider
// method set for an AWS-style provider. It carries only a name and a
// hostname; its methods (listed below) return canned values rather than
// talking to instance metadata, so it must never be used outside tests —
// attestation data it produces proves nothing.
type MockAWSProvider struct {
	Name     string // value returned by GetName
	Hostname string // value returned by GetHostname
}

func (MockAWSProvider) AttestationData

func (MockAWSProvider) CloudAttestationData

func (tp MockAWSProvider) CloudAttestationData(string, string, string) (string, error)

func (MockAWSProvider) GetAccessManagementProfileFromMeta

func (tp MockAWSProvider) GetAccessManagementProfileFromMeta(string) (string, error)

func (MockAWSProvider) GetAccountDomainServiceFromMeta

func (tp MockAWSProvider) GetAccountDomainServiceFromMeta(string) (string, string, string, error)

func (MockAWSProvider) GetCsrDn

func (tp MockAWSProvider) GetCsrDn() pkix.Name

func (MockAWSProvider) GetEmail

func (tp MockAWSProvider) GetEmail(string) []string

func (MockAWSProvider) GetHostname

func (tp MockAWSProvider) GetHostname(bool) string

GetHostname returns the hostname as per the provider

func (MockAWSProvider) GetName

func (tp MockAWSProvider) GetName() string

GetName returns the name of the current provider

func (MockAWSProvider) GetRoleDnsNames

func (tp MockAWSProvider) GetRoleDnsNames(*x509.Certificate, string) []string

func (MockAWSProvider) GetSanDns

func (tp MockAWSProvider) GetSanDns(string, bool, bool, []string) []string

func (MockAWSProvider) GetSanIp

func (tp MockAWSProvider) GetSanIp(map[string]bool, []net.IP, ip.Opts) []net.IP

func (MockAWSProvider) GetSanUri

func (tp MockAWSProvider) GetSanUri(string, ip.Opts) []*url.URL

func (MockAWSProvider) GetSuffix

func (tp MockAWSProvider) GetSuffix() string

func (MockAWSProvider) PrepareKey

func (tp MockAWSProvider) PrepareKey(string) (crypto.PrivateKey, error)

type MockGCPProvider

// MockGCPProvider is a test double that exposes the provider.Provider
// method set for a GCP-style provider. Like MockAWSProvider it holds only
// a name and a hostname and returns canned values; it is for tests only
// and must not back a real identity request.
type MockGCPProvider struct {
	Name     string // value returned by GetName
	Hostname string // value returned by GetHostname
}

func (MockGCPProvider) AttestationData

func (tp MockGCPProvider) AttestationData(svc string, key crypto.PrivateKey, sigInfo *signature.SignatureInfo) (string, error)

func (MockGCPProvider) CloudAttestationData

func (tp MockGCPProvider) CloudAttestationData(base, svc, ztsServerName string) (string, error)

func (MockGCPProvider) GetAccessManagementProfileFromMeta

func (tp MockGCPProvider) GetAccessManagementProfileFromMeta(base string) (string, error)

func (MockGCPProvider) GetAccountDomainServiceFromMeta

func (tp MockGCPProvider) GetAccountDomainServiceFromMeta(base string) (string, string, string, error)

func (MockGCPProvider) GetCsrDn

func (tp MockGCPProvider) GetCsrDn() pkix.Name

func (MockGCPProvider) GetEmail

func (tp MockGCPProvider) GetEmail(service string) []string

func (MockGCPProvider) GetHostname

func (tp MockGCPProvider) GetHostname() string

GetHostname returns the hostname as per the provider

func (MockGCPProvider) GetName

func (tp MockGCPProvider) GetName() string

GetName returns the name of the current provider

func (MockGCPProvider) GetRoleDnsNames

func (tp MockGCPProvider) GetRoleDnsNames(cert *x509.Certificate, service string) []string

func (MockGCPProvider) GetSanDns

func (tp MockGCPProvider) GetSanDns(service string, includeHost bool, wildcard bool, cnames []string) []string

func (MockGCPProvider) GetSanIp

func (tp MockGCPProvider) GetSanIp(docIp map[string]bool, ips []net.IP, opts ip.Opts) []net.IP

func (MockGCPProvider) GetSanUri

func (tp MockGCPProvider) GetSanUri(svc string, opts ip.Opts) []*url.URL

func (MockGCPProvider) GetSuffix

func (tp MockGCPProvider) GetSuffix() string

func (MockGCPProvider) PrepareKey

func (tp MockGCPProvider) PrepareKey(file string) (crypto.PrivateKey, error)

type Options

// Options is the fully-resolved runtime configuration, built by NewOptions
// from a Config, a ConfigAccount, an AccessProfileConfig and the
// application defaults. Unlike Config it has no JSON tags: it is the
// in-memory shape the agent runs from. Fields controlling where private
// keys land (KeyDir, BackupDir), how ZTS is authenticated (ZTSCACertFile,
// ZTSServerName) and who may talk to the agent (SDSUdsUid, DropPrivileges)
// carry review notes below.
type Options struct {
	Provider           provider.Provider // provider instance
	Name               string            // name of the service identity
	User               string            // the username to chown the cert/key dirs to. If absent, then root
	Group              string            // the group name to chown the cert/key dirs to. If absent, then athenz
	Domain             string            // name of the domain for the identity
	Account            string            // name of the account
	Service            string            // name of the service for the identity
	Zts                string            // the ZTS to contact
	InstanceId         string            // instance id if ec2, task id if running within eks/ecs
	Roles              []Role            // roles to retrieve certificates for (a slice here, although the config side is a map keyed by role name)
	Region             string            // region name
	SanDnsWildcard     bool              // san dns wildcard support. NOTE(review): a wildcard SAN widens the set of names the cert is valid for
	SanDnsHostname     bool              // san dns hostname support
	Version            string            // sia version number
	ZTSDomains         []string          // zts domain prefixes
	Services           []Service         // array of configured services
	Ssh                bool              // ssh certificate support
	UseRegionalSTS     bool              // use regional sts endpoint
	KeyDir             string            // private key directory path
	CertDir            string            // x.509 certificate directory path
	AthenzCACertFile   string            // filename to store Athenz CA certs
	ZTSCACertFile      string            // filename for CA certs when communicating with ZTS. NOTE(review): pinning to a dedicated bundle limits which issuers can impersonate ZTS; what happens when this is empty (system roots?) is not visible here — confirm
	ZTSServerName      string            // ZTS server name, if necessary for tls (presumably used as the TLS ServerName for SNI/hostname verification when the URL host differs from the cert name — confirm)
	ZTSAWSDomains      []string          // list of domain prefixes for sanDNS entries
	GenerateRoleKey    bool              // option to generate a separate key for role certificates
	RotateKey          bool              // rotate the private key when refreshing certificates
	BackupDir          string            // backup directory for key/cert rotation. NOTE(review): backed-up private keys need the same ownership/mode as the live ones; not enforced by anything visible in this package
	CertCountryName    string            // generated x.509 certificate country name
	CertOrgName        string            // generated x.509 certificate organization name
	SshPubKeyFile      string            // ssh host public key file path
	SshCertFile        string            // ssh host certificate file path
	SshConfigFile      string            // sshd config file path
	SshHostKeyType     hostkey.KeyType   // ssh host key type - rsa or ecdsa
	PrivateIp          string            // instance private ip
	EC2Document        string            // EC2 instance identity document (attestation evidence presented to ZTS)
	EC2Signature       string            // EC2 instance identity document pkcs7 signature (ZTS, not this agent, is presumably what verifies it — confirm)
	EC2StartTime       *time.Time        // EC2 instance start time
	InstanceIdSanDNS   bool              // include instance id in a san dns entry (backward compatible option)
	RolePrincipalEmail bool              // include role principal in a san email field (backward compatible option)
	SDSUdsPath         string            // UDS path if the agent should support uds connections
	SDSUdsUid          int               // UDS connections must be from the given user uid. NOTE(review): 0 is root's uid as well as the unset value — confirm how 0 is interpreted
	RefreshInterval    int               // refresh interval for certificates - default 24 hours (Config.RefreshInterval is in minutes; presumably the same unit here — confirm)
	ZTSRegion          string            // ZTS region in case the client needs this information
	DropPrivileges     bool              // Drop privileges to configured user instead of running as root
	TokenDir           string            // Access tokens directory
	AccessTokens       []ac.AccessToken  // Access tokens object
	Profile            string            // Access profile name
	ProfileRestrictTo  string            // Tag associated with access profile roles
	Threshold          float64           // threshold in number of days for cert expiry checks
	SshThreshold       float64           // threshold in number of days for ssh cert expiry checks
	FileDirectUpdate   bool              // update key/cert files directly instead of using rename. NOTE(review): in-place writes are not atomic; readers may see a partial key/cert mid-refresh
	HostnameSuffix     string            // hostname suffix in case we need to auto-generate hostname
	SshPrincipals      string            // ssh additional principals
	AccessManagement   bool              // access management support
	ZTSCloudDomains    []string          // list of domain prefixes for sanDNS entries
	AddlSanDNSEntries  []string          // additional san dns entries to be added to the CSR (whether ZTS accepts them is decided server-side; nothing here validates them)
	FailCountForExit   int               // number of failed counts before exiting program
}

Options represents the settings derived from the config file and the application defaults.

func NewOptions

func NewOptions(config *Config, configAccount *ConfigAccount, profileConfig *AccessProfileConfig, siaDir, siaVersion string, useRegionalSTS bool, region string) (*Options, error)

type Role

// Role is the resolved form of a ConfigRole entry: the role name, the
// service principal it belongs to, and the file locations, ownership and
// mode for the role certificate (and key, when a separate role key is
// generated). Attributes are set from the config values by NewOptions.
type Role struct {
	Name            string  // role name (the key of Config.Roles)
	Service         string  // principal with role access (ConfigRole.Service)
	SvcKeyFilename  string  // key file of the service this role belongs to (presumably used when no separate role key is generated — confirm)
	SvcCertFilename string  // cert file of the service this role belongs to
	ExpiryTime      int     // requested expiry time for the role certificate (ConfigRole.ExpiryTime)
	Filename        string  // filename for the generated role certificate file (ConfigRole.Filename)
	User            string  // user owner on the role identity key (ConfigRole.User)
	Uid             int     // numeric uid, presumably resolved from User — confirm in NewOptions
	Gid             int     // numeric gid, presumably resolved from ConfigRole.Group — confirm in NewOptions
	FileMode        int     // permission bits for the role's files; the default is not visible in this package. NOTE(review): the key file must not be group/world readable
	Threshold       float64 // threshold to verify for this role's cert, in days
}

Role contains the resolved details of one role. Its attributes are set from the config values.

type Service

// Service is the resolved form of a ConfigService entry: the service
// identity plus the key/cert file locations, ownership, mode, expiry and
// SDS settings it runs with. Attributes are filled in from the config
// values by NewOptions.
type Service struct {
	Name           string  // service name (the key of Config.Services)
	KeyFilename    string  // private key file name (ConfigService.KeyFilename)
	CertFilename   string  // certificate file name (ConfigService.CertFilename)
	User           string  // user owner for the key/cert files (ConfigService.User)
	Group          string  // group owner for the key/cert files (ConfigService.Group)
	Uid            int     // numeric uid, presumably resolved from User — confirm in NewOptions
	Gid            int     // numeric gid, presumably resolved from Group — confirm in NewOptions
	FileMode       int     // permission bits for the key/cert files; the default is not visible in this package. NOTE(review): the key file must not be group/world readable
	ExpiryTime     int     // certificate expiry for this service (ConfigService.ExpiryTime)
	SDSUdsUid      int     // uds connections for this service must be from the given user uid (ConfigService.SDSUdsUid)
	SDSNodeId      string  // SDS node id; passed through, semantics not visible in this package
	SDSNodeCluster string  // SDS node cluster; passed through, semantics not visible in this package
	Threshold      float64 // threshold to verify for this service's cert, in days
}

Service represents the resolved details of one service. Its attributes are filled in from the config values.
