options

package
v1.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 8, 2024 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

View Source
const (
	DefaultTokenExpiry = 28800       // 8 hrs
	DefaultThreshold   = float64(15) // 15 days
)

Variables

This section is empty.

Functions

func GetAccountId

func GetAccountId(metaEndPoint string, useRegionalSTS bool, region string) (string, error)

func GetInstanceTagValue

func GetInstanceTagValue(metaEndPoint, tagKey string) (string, error)

func GetRunsAsUidGid

func GetRunsAsUidGid(opts *Options) (int, int)

GetRunsAsUidGid returns the uid/gid that the tool should continue to run as based on the configured setup. For example, if all services have been configured to have the same uid/gid for keys and certs, then the tool can drop its access from root to the specified user. If they're multiple users defined then the return values would be -1/-1

func GetSvcNames

func GetSvcNames(svcs []Service) string

GetSvcNames returns comma separated list of service names

func InitCredsConfig

func InitCredsConfig(roleSuffix, accessProfileSeparator string, useRegionalSTS bool, region string) (*ConfigAccount, *AccessProfileConfig, error)

func InitEnvConfig

func InitEnvConfig(config *Config, provider provider.Provider) (*Config, *ConfigAccount, error)

func InitFileConfig

func InitFileConfig(fileName, metaEndPoint string, useRegionalSTS bool, region, account string, provider provider.Provider) (*Config, *ConfigAccount, error)

func InitGenericProfileConfig

func InitGenericProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string, provider provider.Provider) (*Config, *AccessProfileConfig, error)

func InitProfileConfig

func InitProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string) (*ConfigAccount, *AccessProfileConfig, error)

func LegacyOptions

func LegacyOptions(opts *Options) *legacy.Options

Types

type AccessProfileConfig

type AccessProfileConfig struct {
	Profile           string `json:"profile,omitempty"`
	ProfileRestrictTo string `json:"profile_restrict_to,omitempty"`
}

func InitAccessProfileEnvConfig

func InitAccessProfileEnvConfig() (*AccessProfileConfig, error)

func InitAccessProfileFileConfig

func InitAccessProfileFileConfig(fileName string) (*AccessProfileConfig, error)

type Config

type Config struct {
	Version           string                   `json:"version,omitempty"`                    //config version
	Domain            string                   `json:"domain,omitempty"`                     //name of the domain for the identity
	Service           string                   `json:"service,omitempty"`                    //name of the service for the identity
	Services          map[string]ConfigService `json:"services,omitempty"`                   //names of the multiple services for the identity
	Ssh               *bool                    `json:"ssh,omitempty"`                        //ssh certificate support
	SshHostKeyType    hostkey.KeyType          `json:"ssh_host_key_type,omitempty"`          //ssh host key type - rsa, ecdsa, etc
	SshPrincipals     string                   `json:"ssh_principals,omitempty"`             //ssh additional principals
	SanDnsWildcard    bool                     `json:"sandns_wildcard,omitempty"`            //san dns wildcard support
	SanDnsHostname    bool                     `json:"sandns_hostname,omitempty"`            //san dns hostname support
	SanDnsX509Cnames  string                   `json:"sandns_x509_cnames,omitempty"`         //additional san dns entries to be added to the CSR
	UseRegionalSTS    bool                     `json:"regionalsts,omitempty"`                //whether to use a regional STS endpoint (default is false)
	Account           string                   `json:"aws_account,omitempty"`                //name of the AWS account for the identity ( only applicable in AWS environment )
	Accounts          []ConfigAccount          `json:"accounts,omitempty"`                   //array of configured accounts ( kept for backward compatibility sake )
	GenerateRoleKey   bool                     `json:"generate_role_key,omitempty"`          //private key to be generated for role certificate
	RotateKey         bool                     `json:"rotate_key,omitempty"`                 //rotate private key support
	User              string                   `json:"user,omitempty"`                       //the username to chown the cert/key dirs to. If absent, then root
	Group             string                   `json:"group,omitempty"`                      //the group name to chown the cert/key dirs to. If absent, then athenz
	SDSUdsPath        string                   `json:"sds_uds_path,omitempty"`               //uds path if the agent should support uds connections
	SDSUdsUid         int                      `json:"sds_uds_uid,omitempty"`                //uds connections must be from the given user uid
	ExpiryTime        int                      `json:"expiry_time,omitempty"`                //service and role certificate expiry in minutes
	RefreshInterval   int                      `json:"refresh_interval,omitempty"`           //specifies refresh interval in minutes
	ZTSRegion         string                   `json:"zts_region,omitempty"`                 //specifies zts region for the requests
	DropPrivileges    bool                     `json:"drop_privileges,omitempty"`            //drop privileges to configured user instead of running as root
	AccessTokens      map[string]ac.Role       `json:"access_tokens,omitempty"`              //map of role name to token attributes
	FileDirectUpdate  bool                     `json:"file_direct_update,omitempty"`         //update key/cert files directly instead of using rename
	SiaKeyDir         string                   `json:"sia_key_dir,omitempty"`                //sia keys directory to override /var/lib/sia/keys
	SiaCertDir        string                   `json:"sia_cert_dir,omitempty"`               //sia certs directory to override /var/lib/sia/certs
	SiaTokenDir       string                   `json:"sia_token_dir,omitempty"`              //sia tokens directory to override /var/lib/sia/tokens
	SiaBackupDir      string                   `json:"sia_backup_dir,omitempty"`             //sia backup directory to override /var/lib/sia/backup
	HostnameSuffix    string                   `json:"hostname_suffix,omitempty"`            //hostname suffix in case we need to auto-generate hostname
	Zts               string                   `json:"zts,omitempty"`                        //the ZTS to contact
	Roles             map[string]ConfigRole    `json:"roles,omitempty"`                      //map of roles to retrieve certificates for
	Threshold         float64                  `json:"cert_threshold_to_check,omitempty"`    //threshold to verify for all certs
	SshThreshold      float64                  `json:"sshcert_threshold_to_check,omitempty"` //threshold to verify for ssh certs
	AccessManagement  bool                     `json:"access_management,omitempty"`          //access management support
	FailCountForExit  int                      `json:"fail_count_for_exit,omitempty"`        //number of failed counts before exiting program
	RunAfterCerts     string                   `json:"run_after,omitempty"`                  //execute the command mentioned after certs are created
	RunAfterCertsErr  string                   `json:"run_after_certs_err,omitempty"`        //execute the command mentioned after role certs fail to refresh
	RunAfterTokens    string                   `json:"run_after_tokens,omitempty"`           //execute the command mentioned after tokens are created
	RunAfterTokensErr string                   `json:"run_after_tokens_err,omitempty"`       //execute the command mentioned after tokens fail to refresh
	SpiffeTrustDomain string                   `json:"spiffe_trust_domain,omitempty"`        //spiffe trust domain - if configured generate full spiffe uri with namespace
	StoreTokenOption  *int                     `json:"store_token_option,omitempty"`         //store access token option
	RunAfterFailExit  bool                     `json:"run_after_fail_exit,omitempty"`        //exit process if run_after script fails
}

Config represents entire sia_config file

type ConfigAccount

type ConfigAccount struct {
	Name         string                `json:"name,omitempty"`                       //name of the service identity
	User         string                `json:"user,omitempty"`                       //the username to chown the cert/key dirs to. If absent, then root.
	Group        string                `json:"group,omitempty"`                      //the group name to chown the cert/key dirs to. If absent, then athenz.
	Domain       string                `json:"domain,omitempty"`                     //name of the domain for the identity
	Account      string                `json:"account,omitempty"`                    //name of the account
	Service      string                `json:"service,omitempty"`                    //name of the service for the identity
	Zts          string                `json:"zts,omitempty"`                        //the ZTS to contact
	Roles        map[string]ConfigRole `json:"roles,omitempty"`                      //map of roles to retrieve certificates for
	Version      string                `json:"version,omitempty"`                    //sia version number
	Threshold    float64               `json:"cert_threshold_to_check,omitempty"`    //Threshold to verify for all certs
	SshThreshold float64               `json:"sshcert_threshold_to_check,omitempty"` //Threshold to verify for ssh certs
	OmitDomain   bool                  `json:"omit_domain,omitempty"`                //attestation role only includes service name
}

ConfigAccount represents each of the accounts that can be specified in the config file

type ConfigRole

type ConfigRole struct {
	Filename   string  `json:"filename,omitempty"`    //filename for the generated role certificate file
	ExpiryTime int     `json:"expiry_time,omitempty"` //requested expiry time for the role certificate
	Service    string  `json:"service,omitempty"`     //principal with role access
	User       string  `json:"user,omitempty"`        //user owner on the role identity key
	Group      string  `json:"group,omitempty"`       //group owner on the role identity key
	Threshold  float64 `json:"cert_threshold_to_check,omitempty"`
}

ConfigRole represents a role to be specified by user, and specify attributes for the role

type ConfigService

type ConfigService struct {
	KeyFilename    string  `json:"key_filename,omitempty"`
	CertFilename   string  `json:"cert_filename,omitempty"`
	User           string  `json:"user,omitempty"`
	Group          string  `json:"group,omitempty"`
	ExpiryTime     int     `json:"expiry_time,omitempty"`
	SDSUdsUid      int     `json:"sds_uds_uid,omitempty"`
	SDSNodeId      string  `json:"sds_node_id,omitempty"`
	SDSNodeCluster string  `json:"sds_node_cluster,omitempty"`
	Threshold      float64 `json:"cert_threshold_to_check,omitempty"`
}

ConfigService represents a service to be specified by user, and specify User/Group attributes for the service

type MockAWSProvider

type MockAWSProvider struct {
	Name     string
	Hostname string
}

func (MockAWSProvider) AttestationData

func (MockAWSProvider) CloudAttestationData

func (tp MockAWSProvider) CloudAttestationData(string, string, string) (string, error)

func (MockAWSProvider) GetAccessManagementProfileFromMeta

func (tp MockAWSProvider) GetAccessManagementProfileFromMeta(string) (string, error)

func (MockAWSProvider) GetAccountDomainServiceFromMeta

func (tp MockAWSProvider) GetAccountDomainServiceFromMeta(string) (string, string, string, error)

func (MockAWSProvider) GetAdditionalSshHostPrincipals added in v1.11.31

func (tp MockAWSProvider) GetAdditionalSshHostPrincipals(string) (string, error)

func (MockAWSProvider) GetCsrDn

func (tp MockAWSProvider) GetCsrDn() pkix.Name

func (MockAWSProvider) GetEmail

func (tp MockAWSProvider) GetEmail(string) []string

func (MockAWSProvider) GetHostname

func (tp MockAWSProvider) GetHostname(bool) string

GetHostname returns the hostname as per the provider

func (MockAWSProvider) GetName

func (tp MockAWSProvider) GetName() string

GetName returns the name of the current provider

func (MockAWSProvider) GetRoleDnsNames

func (tp MockAWSProvider) GetRoleDnsNames(*x509.Certificate, string) []string

func (MockAWSProvider) GetSanDns

func (tp MockAWSProvider) GetSanDns(string, bool, bool, []string) []string

func (MockAWSProvider) GetSanIp

func (tp MockAWSProvider) GetSanIp(map[string]bool, []net.IP, ip.Opts) []net.IP

func (MockAWSProvider) GetSanUri

func (tp MockAWSProvider) GetSanUri(string, ip.Opts, string, string) []*url.URL

func (MockAWSProvider) GetSuffixes added in v1.11.54

func (tp MockAWSProvider) GetSuffixes() []string

func (MockAWSProvider) PrepareKey

func (tp MockAWSProvider) PrepareKey(string) (crypto.PrivateKey, error)

type MockGCPProvider

type MockGCPProvider struct {
	Name     string
	Hostname string
}

func (MockGCPProvider) AttestationData

func (tp MockGCPProvider) AttestationData(svc string, key crypto.PrivateKey, sigInfo *signature.SignatureInfo) (string, error)

func (MockGCPProvider) CloudAttestationData

func (tp MockGCPProvider) CloudAttestationData(base, svc, ztsServerName string) (string, error)

func (MockGCPProvider) GetAccessManagementProfileFromMeta

func (tp MockGCPProvider) GetAccessManagementProfileFromMeta(base string) (string, error)

func (MockGCPProvider) GetAccountDomainServiceFromMeta

func (tp MockGCPProvider) GetAccountDomainServiceFromMeta(base string) (string, string, string, error)

func (MockGCPProvider) GetAdditionalSshHostPrincipals added in v1.11.31

func (tp MockGCPProvider) GetAdditionalSshHostPrincipals(base string) (string, error)

func (MockGCPProvider) GetCsrDn

func (tp MockGCPProvider) GetCsrDn() pkix.Name

func (MockGCPProvider) GetEmail

func (tp MockGCPProvider) GetEmail(service string) []string

func (MockGCPProvider) GetHostname

func (tp MockGCPProvider) GetHostname(bool) string

GetHostname returns the hostname as per the provider

func (MockGCPProvider) GetName

func (tp MockGCPProvider) GetName() string

GetName returns the name of the current provider

func (MockGCPProvider) GetRoleDnsNames

func (tp MockGCPProvider) GetRoleDnsNames(cert *x509.Certificate, service string) []string

func (MockGCPProvider) GetSanDns

func (tp MockGCPProvider) GetSanDns(service string, includeHost bool, wildcard bool, cnames []string) []string

func (MockGCPProvider) GetSanIp

func (tp MockGCPProvider) GetSanIp(docIp map[string]bool, ips []net.IP, opts ip.Opts) []net.IP

func (MockGCPProvider) GetSanUri

func (tp MockGCPProvider) GetSanUri(svc string, opts ip.Opts, spiffeTrustDomain, spiffeNamespace string) []*url.URL

func (MockGCPProvider) GetSuffixes added in v1.11.54

func (tp MockGCPProvider) GetSuffixes() []string

func (MockGCPProvider) PrepareKey

func (tp MockGCPProvider) PrepareKey(file string) (crypto.PrivateKey, error)

type Options

type Options struct {
	Provider               provider.Provider //provider instance
	MetaEndPoint           string            //meta data service endpoint
	Name                   string            //name of the service identity
	User                   string            //the username to chown the cert/key dirs to. If absent, then root
	Group                  string            //the group name to chown the cert/key dirs to. If absent, then athenz
	Domain                 string            //name of the domain for the identity
	Account                string            //name of the account
	Service                string            //name of the service for the identity
	Zts                    string            //the ZTS to contact
	InstanceId             string            //instance id if ec2/vm, task id if running within eks/ecs/gke
	InstanceName           string            //instance name if ec2/vm
	Roles                  []Role            //map of roles to retrieve certificates for
	Region                 string            //region name
	SanDnsWildcard         bool              //san dns wildcard support
	SanDnsHostname         bool              //san dns hostname support
	Version                string            //sia version number
	ZTSDomains             []string          //zts domain prefixes
	Services               []Service         //array of configured services
	Ssh                    bool              //ssh certificate support
	UseRegionalSTS         bool              //use regional sts endpoint
	KeyDir                 string            //private key directory path
	CertDir                string            //x.509 certificate directory path
	AthenzCACertFile       string            //filename to store Athenz CA certs
	ZTSCACertFile          string            //filename for CA certs when communicating with ZTS
	ZTSServerName          string            //ZTS server name, if necessary for tls
	ZTSAWSDomains          []string          //list of domain prefixes for sanDNS entries
	GenerateRoleKey        bool              //option to generate a separate key for role certificates
	RotateKey              bool              //rotate the private key when refreshing certificates
	BackupDir              string            //backup directory for key/cert rotation
	CertCountryName        string            //generated x.509 certificate country name
	CertOrgName            string            //generated x.509 certificate organization name
	SshPubKeyFile          string            //ssh host public key file path
	SshCertFile            string            //ssh host certificate file path
	SshConfigFile          string            //sshd config file path
	SshHostKeyType         hostkey.KeyType   //ssh host key type - rsa or ecdsa
	PrivateIp              string            //instance private ip
	EC2Document            string            //EC2 instance identity document
	EC2Signature           string            //EC2 instance identity document pkcs7 signature
	EC2StartTime           *time.Time        //EC2 instance start time
	InstanceIdSanDNS       bool              //include instance id in a san dns entry (backward compatible option)
	RolePrincipalEmail     bool              //include role principal in a san email field (backward compatible option)
	SDSUdsPath             string            //UDS path if the agent should support uds connections
	SDSUdsUid              int               //UDS connections must be from the given user uid
	RefreshInterval        int               //refresh interval for certificates - default 24 hours
	ZTSRegion              string            //ZTS region in case the client needs this information
	DropPrivileges         bool              //Drop privileges to configured user instead of running as root
	TokenDir               string            //Access tokens directory
	AccessTokens           []ac.AccessToken  //Access tokens object
	Profile                string            //Access profile name
	ProfileRestrictTo      string            //Tag associated with access profile roles
	Threshold              float64           //threshold in number of days for cert expiry checks
	SshThreshold           float64           //threshold in number of days for ssh cert expiry checks
	FileDirectUpdate       bool              //update key/cert files directly instead of using rename
	HostnameSuffix         string            //hostname suffix in case we need to auto-generate hostname
	SshPrincipals          string            //ssh additional principals
	AccessManagement       bool              //access management support
	ZTSCloudDomains        []string          //list of domain prefixes for sanDNS entries
	AddlSanDNSEntries      []string          //additional san dns entries to be added to the CSR
	FailCountForExit       int               //number of failed counts before exiting program
	RunAfterCertsOkParts   []string          //run after certificate parsed parts for success
	RunAfterCertsErrParts  []string          //run after certificate parsed parts for errors
	RunAfterTokensOkParts  []string          //run after token parsed parts for success
	RunAfterTokensErrParts []string          //run after token parsed parts for errors
	SpiffeTrustDomain      string            //spiffe uri trust domain
	SpiffeNamespace        string            //spiffe uri namespace
	OmitDomain             bool              //attestation role only includes service name
	StoreTokenOption       *int              //store access token option
	RunAfterFailExit       bool              //exit process if run_after script fails
}

Options represents settings that are derived from config file and application defaults

func NewOptions

func NewOptions(config *Config, configAccount *ConfigAccount, profileConfig *AccessProfileConfig, siaDir, siaVersion string, useRegionalSTS bool, region string) (*Options, error)

type Role

type Role struct {
	Name             string
	Service          string
	SvcKeyFilename   string
	SvcCertFilename  string
	ExpiryTime       int
	RoleCertFilename string
	RoleKeyFilename  string
	User             string
	Uid              int
	Gid              int
	FileMode         int
	Threshold        float64
}

Role contains role details. Attributes are set based on the config values

type Service

type Service struct {
	Name           string
	KeyFilename    string
	CertFilename   string
	User           string
	Group          string
	Uid            int
	Gid            int
	FileMode       int
	ExpiryTime     int
	SDSUdsUid      int
	SDSNodeId      string
	SDSNodeCluster string
	Threshold      float64
}

Service represents service details. Attributes are filled in based on the config values

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL