Documentation ¶
Index ¶
- Constants
- func GetAccountId(metaEndPoint string, useRegionalSTS bool, region string) (string, error)
- func GetInstanceTagValue(metaEndPoint, tagKey string) (string, error)
- func GetRunsAsUidGid(opts *Options) (int, int)
- func GetSvcNames(svcs []Service) string
- func InitCredsConfig(roleSuffix, accessProfileSeparator string, useRegionalSTS bool, region string) (*ConfigAccount, *AccessProfileConfig, error)
- func InitEnvConfig(config *Config, provider provider.Provider) (*Config, *ConfigAccount, error)
- func InitFileConfig(fileName, metaEndPoint string, useRegionalSTS bool, region, account string, ...) (*Config, *ConfigAccount, error)
- func InitGenericProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string, ...) (*Config, *AccessProfileConfig, error)
- func InitProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string) (*ConfigAccount, *AccessProfileConfig, error)
- func LegacyOptions(opts *Options) *legacy.Options
- type AccessProfileConfig
- type Config
- type ConfigAccount
- type ConfigRole
- type ConfigService
- type MockAWSProvider
- func (tp MockAWSProvider) AttestationData(string, crypto.PrivateKey, *signature.SignatureInfo) (string, error)
- func (tp MockAWSProvider) CloudAttestationData(string, string, string) (string, error)
- func (tp MockAWSProvider) GetAccessManagementProfileFromMeta(string) (string, error)
- func (tp MockAWSProvider) GetAccountDomainServiceFromMeta(string) (string, string, string, error)
- func (tp MockAWSProvider) GetAdditionalSshHostPrincipals(string) (string, error)
- func (tp MockAWSProvider) GetCsrDn() pkix.Name
- func (tp MockAWSProvider) GetEmail(string) []string
- func (tp MockAWSProvider) GetHostname(bool) string
- func (tp MockAWSProvider) GetName() string
- func (tp MockAWSProvider) GetRoleDnsNames(*x509.Certificate, string) []string
- func (tp MockAWSProvider) GetSanDns(string, bool, bool, []string) []string
- func (tp MockAWSProvider) GetSanIp(map[string]bool, []net.IP, ip.Opts) []net.IP
- func (tp MockAWSProvider) GetSanUri(string, ip.Opts, string, string) []*url.URL
- func (tp MockAWSProvider) GetSuffixes() []string
- func (tp MockAWSProvider) PrepareKey(string) (crypto.PrivateKey, error)
- type MockGCPProvider
- func (tp MockGCPProvider) AttestationData(svc string, key crypto.PrivateKey, sigInfo *signature.SignatureInfo) (string, error)
- func (tp MockGCPProvider) CloudAttestationData(base, svc, ztsServerName string) (string, error)
- func (tp MockGCPProvider) GetAccessManagementProfileFromMeta(base string) (string, error)
- func (tp MockGCPProvider) GetAccountDomainServiceFromMeta(base string) (string, string, string, error)
- func (tp MockGCPProvider) GetAdditionalSshHostPrincipals(base string) (string, error)
- func (tp MockGCPProvider) GetCsrDn() pkix.Name
- func (tp MockGCPProvider) GetEmail(service string) []string
- func (tp MockGCPProvider) GetHostname(bool) string
- func (tp MockGCPProvider) GetName() string
- func (tp MockGCPProvider) GetRoleDnsNames(cert *x509.Certificate, service string) []string
- func (tp MockGCPProvider) GetSanDns(service string, includeHost bool, wildcard bool, cnames []string) []string
- func (tp MockGCPProvider) GetSanIp(docIp map[string]bool, ips []net.IP, opts ip.Opts) []net.IP
- func (tp MockGCPProvider) GetSanUri(svc string, opts ip.Opts, spiffeTrustDomain, spiffeNamespace string) []*url.URL
- func (tp MockGCPProvider) GetSuffixes() []string
- func (tp MockGCPProvider) PrepareKey(file string) (crypto.PrivateKey, error)
- type Options
- type Role
- type Service
Constants ¶
const ( DefaultTokenExpiry = 28800 // 8 hrs DefaultThreshold = float64(15) // 15 days )
Variables ¶
This section is empty.
Functions ¶
func GetAccountId ¶
func GetInstanceTagValue ¶
func GetRunsAsUidGid ¶
GetRunsAsUidGid returns the uid/gid that the tool should continue to run as based on the configured setup. For example, if all services have been configured to have the same uid/gid for keys and certs, then the tool can drop its access from root to the specified user. If they're multiple users defined then the return values would be -1/-1
func GetSvcNames ¶
GetSvcNames returns comma separated list of service names
func InitCredsConfig ¶
func InitCredsConfig(roleSuffix, accessProfileSeparator string, useRegionalSTS bool, region string) (*ConfigAccount, *AccessProfileConfig, error)
func InitEnvConfig ¶
func InitFileConfig ¶
func InitProfileConfig ¶
func InitProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string) (*ConfigAccount, *AccessProfileConfig, error)
func LegacyOptions ¶
Types ¶
type AccessProfileConfig ¶
type AccessProfileConfig struct { Profile string `json:"profile,omitempty"` ProfileRestrictTo string `json:"profile_restrict_to,omitempty"` }
func InitAccessProfileEnvConfig ¶
func InitAccessProfileEnvConfig() (*AccessProfileConfig, error)
func InitAccessProfileFileConfig ¶
func InitAccessProfileFileConfig(fileName string) (*AccessProfileConfig, error)
type Config ¶
type Config struct { Version string `json:"version,omitempty"` //config version Domain string `json:"domain,omitempty"` //name of the domain for the identity Service string `json:"service,omitempty"` //name of the service for the identity Services map[string]ConfigService `json:"services,omitempty"` //names of the multiple services for the identity Ssh *bool `json:"ssh,omitempty"` //ssh certificate support SshHostKeyType hostkey.KeyType `json:"ssh_host_key_type,omitempty"` //ssh host key type - rsa, ecdsa, etc SshPrincipals string `json:"ssh_principals,omitempty"` //ssh additional principals SanDnsWildcard bool `json:"sandns_wildcard,omitempty"` //san dns wildcard support SanDnsHostname bool `json:"sandns_hostname,omitempty"` //san dns hostname support SanDnsX509Cnames string `json:"sandns_x509_cnames,omitempty"` //additional san dns entries to be added to the CSR UseRegionalSTS bool `json:"regionalsts,omitempty"` //whether to use a regional STS endpoint (default is false) Account string `json:"aws_account,omitempty"` //name of the AWS account for the identity ( only applicable in AWS environment ) Accounts []ConfigAccount `json:"accounts,omitempty"` //array of configured accounts ( kept for backward compatibility sake ) GenerateRoleKey bool `json:"generate_role_key,omitempty"` //private key to be generated for role certificate RotateKey bool `json:"rotate_key,omitempty"` //rotate private key support User string `json:"user,omitempty"` //the username to chown the cert/key dirs to. If absent, then root Group string `json:"group,omitempty"` //the group name to chown the cert/key dirs to. If absent, then athenz SDSUdsPath string `json:"sds_uds_path,omitempty"` //uds path if the agent should support uds connections SDSUdsUid int `json:"sds_uds_uid,omitempty"` //uds connections must be from the given user uid ExpiryTime int `json:"expiry_time,omitempty"` //service and role certificate expiry in minutes RefreshInterval int `json:"refresh_interval,omitempty"` //specifies refresh interval in minutes ZTSRegion string `json:"zts_region,omitempty"` //specifies zts region for the requests DropPrivileges bool `json:"drop_privileges,omitempty"` //drop privileges to configured user instead of running as root AccessTokens map[string]ac.Role `json:"access_tokens,omitempty"` //map of role name to token attributes FileDirectUpdate bool `json:"file_direct_update,omitempty"` //update key/cert files directly instead of using rename SiaKeyDir string `json:"sia_key_dir,omitempty"` //sia keys directory to override /var/lib/sia/keys SiaCertDir string `json:"sia_cert_dir,omitempty"` //sia certs directory to override /var/lib/sia/certs SiaTokenDir string `json:"sia_token_dir,omitempty"` //sia tokens directory to override /var/lib/sia/tokens SiaBackupDir string `json:"sia_backup_dir,omitempty"` //sia backup directory to override /var/lib/sia/backup HostnameSuffix string `json:"hostname_suffix,omitempty"` //hostname suffix in case we need to auto-generate hostname Zts string `json:"zts,omitempty"` //the ZTS to contact Roles map[string]ConfigRole `json:"roles,omitempty"` //map of roles to retrieve certificates for Threshold float64 `json:"cert_threshold_to_check,omitempty"` //threshold to verify for all certs SshThreshold float64 `json:"sshcert_threshold_to_check,omitempty"` //threshold to verify for ssh certs AccessManagement bool `json:"access_management,omitempty"` //access management support FailCountForExit int `json:"fail_count_for_exit,omitempty"` //number of failed counts before exiting program RunAfter string `json:"run_after,omitempty"` //execute the command mentioned after certs are created RunAfterTokens string `json:"run_after_tokens,omitempty"` //execute the command mentioned after tokens are created SpiffeTrustDomain string `json:"spiffe_trust_domain,omitempty"` //spiffe trust domain - if configured generate full spiffe uri with namespace StoreTokenOption *int `json:"store_token_option,omitempty"` //store access token option RunAfterFailExit bool `json:"run_after_fail_exit,omitempty"` //exit process if run_after script fails }
Config represents entire sia_config file
type ConfigAccount ¶
type ConfigAccount struct { Name string `json:"name,omitempty"` //name of the service identity User string `json:"user,omitempty"` //the username to chown the cert/key dirs to. If absent, then root. Group string `json:"group,omitempty"` //the group name to chown the cert/key dirs to. If absent, then athenz. Domain string `json:"domain,omitempty"` //name of the domain for the identity Account string `json:"account,omitempty"` //name of the account Service string `json:"service,omitempty"` //name of the service for the identity Zts string `json:"zts,omitempty"` //the ZTS to contact Roles map[string]ConfigRole `json:"roles,omitempty"` //map of roles to retrieve certificates for Version string `json:"version,omitempty"` //sia version number Threshold float64 `json:"cert_threshold_to_check,omitempty"` //Threshold to verify for all certs SshThreshold float64 `json:"sshcert_threshold_to_check,omitempty"` //Threshold to verify for ssh certs OmitDomain bool `json:"omit_domain,omitempty"` //attestation role only includes service name }
ConfigAccount represents each of the accounts that can be specified in the config file
type ConfigRole ¶
type ConfigRole struct { Filename string `json:"filename,omitempty"` //filename for the generated role certificate file ExpiryTime int `json:"expiry_time,omitempty"` //requested expiry time for the role certificate Service string `json:"service,omitempty"` //principal with role access User string `json:"user,omitempty"` //user owner on the role identity key Group string `json:"group,omitempty"` //group owner on the role identity key Threshold float64 `json:"cert_threshold_to_check,omitempty"` }
ConfigRole represents a role to be specified by user, and specify attributes for the role
type ConfigService ¶
type ConfigService struct { KeyFilename string `json:"key_filename,omitempty"` CertFilename string `json:"cert_filename,omitempty"` User string `json:"user,omitempty"` Group string `json:"group,omitempty"` ExpiryTime int `json:"expiry_time,omitempty"` SDSUdsUid int `json:"sds_uds_uid,omitempty"` SDSNodeId string `json:"sds_node_id,omitempty"` SDSNodeCluster string `json:"sds_node_cluster,omitempty"` Threshold float64 `json:"cert_threshold_to_check,omitempty"` }
ConfigService represents a service to be specified by user, and specify User/Group attributes for the service
type MockAWSProvider ¶
func (MockAWSProvider) AttestationData ¶
func (tp MockAWSProvider) AttestationData(string, crypto.PrivateKey, *signature.SignatureInfo) (string, error)
func (MockAWSProvider) CloudAttestationData ¶
func (MockAWSProvider) GetAccessManagementProfileFromMeta ¶
func (tp MockAWSProvider) GetAccessManagementProfileFromMeta(string) (string, error)
func (MockAWSProvider) GetAccountDomainServiceFromMeta ¶
func (MockAWSProvider) GetAdditionalSshHostPrincipals ¶ added in v1.11.31
func (tp MockAWSProvider) GetAdditionalSshHostPrincipals(string) (string, error)
func (MockAWSProvider) GetCsrDn ¶
func (tp MockAWSProvider) GetCsrDn() pkix.Name
func (MockAWSProvider) GetEmail ¶
func (tp MockAWSProvider) GetEmail(string) []string
func (MockAWSProvider) GetHostname ¶
func (tp MockAWSProvider) GetHostname(bool) string
GetHostname returns the hostname as per the provider
func (MockAWSProvider) GetName ¶
func (tp MockAWSProvider) GetName() string
GetName returns the name of the current provider
func (MockAWSProvider) GetRoleDnsNames ¶
func (tp MockAWSProvider) GetRoleDnsNames(*x509.Certificate, string) []string
func (MockAWSProvider) GetSuffixes ¶ added in v1.11.54
func (tp MockAWSProvider) GetSuffixes() []string
func (MockAWSProvider) PrepareKey ¶
func (tp MockAWSProvider) PrepareKey(string) (crypto.PrivateKey, error)
type MockGCPProvider ¶
func (MockGCPProvider) AttestationData ¶
func (tp MockGCPProvider) AttestationData(svc string, key crypto.PrivateKey, sigInfo *signature.SignatureInfo) (string, error)
func (MockGCPProvider) CloudAttestationData ¶
func (tp MockGCPProvider) CloudAttestationData(base, svc, ztsServerName string) (string, error)
func (MockGCPProvider) GetAccessManagementProfileFromMeta ¶
func (tp MockGCPProvider) GetAccessManagementProfileFromMeta(base string) (string, error)
func (MockGCPProvider) GetAccountDomainServiceFromMeta ¶
func (MockGCPProvider) GetAdditionalSshHostPrincipals ¶ added in v1.11.31
func (tp MockGCPProvider) GetAdditionalSshHostPrincipals(base string) (string, error)
func (MockGCPProvider) GetCsrDn ¶
func (tp MockGCPProvider) GetCsrDn() pkix.Name
func (MockGCPProvider) GetEmail ¶
func (tp MockGCPProvider) GetEmail(service string) []string
func (MockGCPProvider) GetHostname ¶
func (tp MockGCPProvider) GetHostname(bool) string
GetHostname returns the hostname as per the provider
func (MockGCPProvider) GetName ¶
func (tp MockGCPProvider) GetName() string
GetName returns the name of the current provider
func (MockGCPProvider) GetRoleDnsNames ¶
func (tp MockGCPProvider) GetRoleDnsNames(cert *x509.Certificate, service string) []string
func (MockGCPProvider) GetSuffixes ¶ added in v1.11.54
func (tp MockGCPProvider) GetSuffixes() []string
func (MockGCPProvider) PrepareKey ¶
func (tp MockGCPProvider) PrepareKey(file string) (crypto.PrivateKey, error)
type Options ¶
type Options struct { Provider provider.Provider //provider instance MetaEndPoint string //meta data service endpoint Name string //name of the service identity User string //the username to chown the cert/key dirs to. If absent, then root Group string //the group name to chown the cert/key dirs to. If absent, then athenz Domain string //name of the domain for the identity Account string //name of the account Service string //name of the service for the identity Zts string //the ZTS to contact InstanceId string //instance id if ec2/vm, task id if running within eks/ecs/gke InstanceName string //instance name if ec2/vm Roles []Role //map of roles to retrieve certificates for Region string //region name SanDnsWildcard bool //san dns wildcard support SanDnsHostname bool //san dns hostname support Version string //sia version number ZTSDomains []string //zts domain prefixes Services []Service //array of configured services Ssh bool //ssh certificate support UseRegionalSTS bool //use regional sts endpoint KeyDir string //private key directory path CertDir string //x.509 certificate directory path AthenzCACertFile string //filename to store Athenz CA certs ZTSCACertFile string //filename for CA certs when communicating with ZTS ZTSServerName string //ZTS server name, if necessary for tls ZTSAWSDomains []string //list of domain prefixes for sanDNS entries GenerateRoleKey bool //option to generate a separate key for role certificates RotateKey bool //rotate the private key when refreshing certificates BackupDir string //backup directory for key/cert rotation CertCountryName string //generated x.509 certificate country name CertOrgName string //generated x.509 certificate organization name SshPubKeyFile string //ssh host public key file path SshCertFile string //ssh host certificate file path SshConfigFile string //sshd config file path SshHostKeyType hostkey.KeyType //ssh host key type - rsa or ecdsa PrivateIp string //instance private ip EC2Document string //EC2 instance identity document EC2Signature string //EC2 instance identity document pkcs7 signature EC2StartTime *time.Time //EC2 instance start time InstanceIdSanDNS bool //include instance id in a san dns entry (backward compatible option) RolePrincipalEmail bool //include role principal in a san email field (backward compatible option) SDSUdsPath string //UDS path if the agent should support uds connections SDSUdsUid int //UDS connections must be from the given user uid RefreshInterval int //refresh interval for certificates - default 24 hours ZTSRegion string //ZTS region in case the client needs this information DropPrivileges bool //Drop privileges to configured user instead of running as root TokenDir string //Access tokens directory AccessTokens []ac.AccessToken //Access tokens object Profile string //Access profile name ProfileRestrictTo string //Tag associated with access profile roles Threshold float64 //threshold in number of days for cert expiry checks SshThreshold float64 //threshold in number of days for ssh cert expiry checks FileDirectUpdate bool //update key/cert files directly instead of using rename HostnameSuffix string //hostname suffix in case we need to auto-generate hostname SshPrincipals string //ssh additional principals AccessManagement bool //access management support ZTSCloudDomains []string //list of domain prefixes for sanDNS entries AddlSanDNSEntries []string //additional san dns entries to be added to the CSR FailCountForExit int //number of failed counts before exiting program RunAfterParts []string //run after parsed parts RunAfterTokensParts []string //run after token parsed parts SpiffeTrustDomain string //spiffe uri trust domain SpiffeNamespace string //spiffe uri namespace OmitDomain bool //attestation role only includes service name StoreTokenOption *int //store access token option RunAfterFailExit bool //exit process if run_after script fails }
Options represents settings that are derived from config file and application defaults
func NewOptions ¶
func NewOptions(config *Config, configAccount *ConfigAccount, profileConfig *AccessProfileConfig, siaDir, siaVersion string, useRegionalSTS bool, region string) (*Options, error)
type Role ¶
type Role struct { Name string Service string SvcKeyFilename string SvcCertFilename string ExpiryTime int RoleCertFilename string RoleKeyFilename string User string Uid int Gid int FileMode int Threshold float64 }
Role contains role details. Attributes are set based on the config values
type Service ¶
type Service struct { Name string KeyFilename string CertFilename string User string Group string Uid int Gid int FileMode int ExpiryTime int SDSUdsUid int SDSNodeId string SDSNodeCluster string Threshold float64 }
Service represents service details. Attributes are filled in based on the config values