authorizedprincipals

package module
v0.0.0-...-8df540d Latest Latest
Published: Apr 28, 2023 License: MIT Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultFetchEC2TagValueMatchingKey

func DefaultFetchEC2TagValueMatchingKey(key string, metadataClient EC2MetadataClient, ec2Service ec2iface.EC2API) (string, error)

func DefaultPosixHostAddMissingGroupsFromCert

func DefaultPosixHostAddMissingGroupsFromCert(principal string, cert sshcert.Cert, host PosixHost, groupAddCmdOptions *DefaultPosixAddGroupOptions) error

func DefaultPosixHostAddUserToSystem

func DefaultPosixHostAddUserToSystem(userLogin string, cert sshcert.Cert,
	host PosixHost, disableNewAccountAuthorization bool, userAddCmdOptions *DefaultPosixAddUserOptions) error

DefaultPosixAddUserToSystem

func DefaultPosixHostAssociateUserToSecondaryGroup

func DefaultPosixHostAssociateUserToSecondaryGroup(user string, group string, host PosixHostOSExec) error

func DefaultPosixHostCreateGroupIfNotExists

func DefaultPosixHostCreateGroupIfNotExists(group group.PosixGroup, host PosixHost,
	groupAddCmdOptions *DefaultPosixAddGroupOptions, usrgrpsLookup UsrsGrpsLookUp) error

func DefaultPosixHostCreateMissingGroups

func DefaultPosixHostCreateMissingGroups(host *DefaultPosixtHost) bool

func DefaultPosixHostCreateUserIfNotExists

func DefaultPosixHostCreateUserIfNotExists(host *DefaultPosixtHost) bool

func DefaultPosixHostGetSSHCmdTargetUser

func DefaultPosixHostGetSSHCmdTargetUser(host *DefaultPosixtHost) string

func DefaultPosixHostMatchCertClaimToAnExistingAccount

func DefaultPosixHostMatchCertClaimToAnExistingAccount(cert sshcert.Cert, host PosixHost, resetPasswdWithLatestFromCert bool, usrgrpsLookup UsrsGrpsLookUp) (bool, string, error)

DefaultPosixMatchCertClaimToAnExistingAccount

func DefaultPosixHostOSExec

func DefaultPosixHostOSExec(host PosixHost, exec OSExec, stdInput []byte, cmdAndArgs ...string) (string, error)

func DefaultPosixHostOwnershipEntitlements

func DefaultPosixHostOwnershipEntitlements(host PosixHost, envLookup OSEnvLookUp, ec2TagFetcherForKey Ec2TagFetcherMatchingKey) []string

func DefaultPosixHostPosixHostOwnershipEntitlementsKey

func DefaultPosixHostPosixHostOwnershipEntitlementsKey(host *DefaultPosixtHost) string

func DefaultPosixHostPrintAuthorizedPrincipalsFile

func DefaultPosixHostPrintAuthorizedPrincipalsFile(user string, cert sshcert.Cert, host PosixHost) error

DefaultPosixPrintAuthorizedPrincipalsFile

func DefaultPosixHostResetPasswd

func DefaultPosixHostResetPasswd(user string, passwdHash string, host PosixHost) error

func DefaultPosixHostUserAuthorize

func DefaultPosixHostUserAuthorize(user string, cert sshcert.CertPosixAccount, host PosixHost) (bool, error)

Types

type AddMissingGroups

// AddMissingGroups is implemented by a host that can add groups that are
// missing for principal. The groups are presumably derived from cert (see
// DefaultPosixHostAddMissingGroupsFromCert); the interface itself only fixes
// the signature.
type AddMissingGroups interface {
	// AddMissingGroups adds the missing groups for principal using cert and
	// returns a non-nil error on failure.
	AddMissingGroups(principal string, cert sshcert.Cert) error
}

type AddSudoCmd

// AddSudoCmd is a single-method option interface; the meaning of a true
// result is defined by the implementation (not shown on this page).
type AddSudoCmd interface {
	// AddSudoCmd reports whether a sudo command entry should be added.
	AddSudoCmd() bool
}

type AddUserToSystem

// AddUserToSystem is implemented by a host that can create the account
// userLogin on the system. Because this creates a local account from data
// carried in cert, implementations are the place where the certificate's
// claims must be validated before anything is written to the system.
type AddUserToSystem interface {
	// AddUserToSystem creates the account userLogin using cert and returns a
	// non-nil error on failure.
	AddUserToSystem(userLogin string, cert sshcert.Cert) error
}

type AppendSudoCmd

// AppendSudoCmd is implemented by a host that can append a sudo command entry
// for principal. What is appended, and where, is implementation-defined.
type AppendSudoCmd interface {
	// AppendSudoCmd appends a sudo entry for principal using cert and returns
	// a non-nil error on failure.
	AppendSudoCmd(principal string, cert sshcert.Cert) error
}

type Authorizer

// Authorizer is the meta interface that custom authorization logic plugs into.
// An implementation must authorize the principal presented in the SSH
// certificate and print that principal to standard output, as required by
// sshd's AuthorizedPrincipalsCommand
// (https://man.openbsd.org/sshd_config#AuthorizedPrincipalsCommand).
// sshd treats every line written to standard output as an authorized
// principal, so an implementation should print only the principal it has
// actually authorized and nothing else (no diagnostics on stdout).
type Authorizer interface {
	// AuthorizeUser performs the authorization and returns a non-nil error
	// when the principal must not be authorized or the check itself failed.
	AuthorizeUser() error
}

Authorizer is the meta interface that needs to be implemented by anyone who wants to plug in custom authorization logic. Any implementation must authorize the principal presented in the SSH certificate and eventually print the principal to standard output, as per https://man.openbsd.org/sshd_config#AuthorizedPrincipalsCommand.

type CreateMissingGroups

// CreateMissingGroups is a single-method option interface; a true result
// enables creation of groups that do not yet exist on the system.
type CreateMissingGroups interface {
	// CreateMissingGroups reports whether missing groups should be created.
	CreateMissingGroups() bool
}

type CreateUserIfNotExists

// CreateUserIfNotExists is a single-method option interface; a true result
// enables creation of the user account when it is not present at login time.
type CreateUserIfNotExists interface {
	// CreateUserIfNotExists reports whether a missing account should be created.
	CreateUserIfNotExists() bool
}

type DefaultAuthorizer

// DefaultAuthorizer is the default implementation of the Authorizer interface.
type DefaultAuthorizer struct {
	// CertClaims holds the claims of the presented SSH certificate (a type
	// implementing sshcert.Cert).
	CertClaims sshcert.Cert
	// Host is the Host implementation the authorization runs against.
	Host       Host
}

DefaultAuthorizer is the default implementation of the Authorizer interface. CertClaims is a type that implements the Cert interface; Host is a type that implements the Host interface.

func (*DefaultAuthorizer) AuthorizeUser

func (c *DefaultAuthorizer) AuthorizeUser() error

AuthorizeUser is the default implementation of Authorizer.AuthorizeUser.

type DefaultPosixAddGroupOptions

// DefaultPosixAddGroupOptions holds options as per the POSIX groupadd command.
type DefaultPosixAddGroupOptions struct {
	// ForceOption makes the command exit with success if the group already
	// exists; any GID passed is ignored in that case.
	ForceOption  bool
	// NonUniqueGID allows adding a group with a non-unique GID (false by default).
	NonUniqueGID bool
	// PasswdHash sets a password (as a hash) for the group; disabled by default.
	PasswdHash   string
	// SystemGroup, when true, allocates the GID within the system group ID range.
	SystemGroup  bool
	// ChrootDir applies the changes inside this chrooted directory path.
	ChrootDir    string
}

DefaultPosixAddGroupOptions holds options as per the POSIX groupadd command. ForceOption causes the command to exit with success if the group already exists; any GID passed is ignored. NonUniqueGID allows adding a group with a non-unique GID; false by default. PasswdHash allows setting a password for the group; disabled by default. SystemGroup, when true, creates the GID within the system group ID range. ChrootDir applies the changes inside this chrooted directory path.

type DefaultPosixAddUserOptions

// DefaultPosixAddUserOptions holds options as per the useradd utility.
type DefaultPosixAddUserOptions struct {
	// DefaultPasswdHash is a password hash applied to every created account
	// unless the certificate supplies one (the package docs state it is
	// overridden by the value from the cert's GetLatestPasswdHash). Sharing one
	// hash across accounts is not a very secure option; use it at your own risk.
	DefaultPasswdHash *string
	// CreateHome instructs whether to create the home directory. When true,
	// BaseHomeDir must be set.
	CreateHome        bool
	// BaseHomeDir is the base directory under which the home directory is created.
	BaseHomeDir       string
	// ExpireDate, when set, is the date at which the account expires.
	ExpireDate        *time.Time
	// LoginShell is the user's shell; if empty, the system default applies.
	LoginShell        string
	// SystemAccount marks the account as a system account.
	SystemAccount     bool
}

DefaultPosixAddUserOptions allows setting options as per the useradd utility. userID (UID) for the user account: if not set, the system assigns one automatically. primaryGroupID (GID): if not set, the system assigns one automatically. DefaultPasswdHash is the default password hash for each account; its value is overridden by the one fetched from the cert's GetLatestPasswdHash implementation. Please note that accounts created without a password might have login constraints; certificate-based SSH should work, though. CreateHome is a flag instructing whether to create the home directory or not; if CreateHome is set to true, BaseHomeDir for the user needs to be set. ExpireDate sets when the user account expires. LoginShell is the shell for the user; if none is specified, the system default is applied. SystemAccount specifies whether the user account is a system account.

type DefaultPosixtHost

// DefaultPosixtHost is a Host implementation tuned for POSIX systems. The
// fields are read by the Default* helper functions of this package.
type DefaultPosixtHost struct {
	// CreateUserIfNotExistsOption controls whether the user account is created
	// when it does not exist at login time.
	CreateUserIfNotExistsOption    bool
	// DisableNewAccountAuthorization controls whether a new user is added to the
	// system without first being authorized. Enabling it removes a check on the
	// account-creation path, so it should stay false unless that is intended.
	DisableNewAccountAuthorization bool
	// HostOwnershipEntitlementsKey is the key looked up for the ownership
	// entitlement values available to the host, e.g. {"team":"website"} or
	// {"group":"sre/prod"}.
	HostOwnershipEntitlementsKey   string
	// SSHCmdTargetUser is the user returned by GetSSHCmdTargetUser.
	SSHCmdTargetUser               string
	// ResetPasswdWithLatestFromCert resets the account password with the latest
	// value from the certificate.
	ResetPasswdWithLatestFromCert  bool
	// UserAddCmdOptions are options as per the useradd POSIX utility.
	UserAddCmdOptions              *DefaultPosixAddUserOptions
	// AddMissingGroupsFromCert enables adding groups named in the certificate
	// that are missing on the system.
	AddMissingGroupsFromCert       bool
	// GroupAddCmdOptions are options as per the groupadd POSIX utility.
	GroupAddCmdOptions             *DefaultPosixAddGroupOptions
	// OSLookup resolves users and groups (see UsrsGrpsLookUp).
	OSLookup                       UsrsGrpsLookUp
	// Exec builds the commands the host runs (see OSExec).
	Exec                           OSExec
	// EnvLookUp reads environment variables (see OSEnvLookUp).
	EnvLookUp                      OSEnvLookUp
	// Ec2TagFetcherForKey fetches an EC2 tag value for a key (see
	// Ec2TagFetcherMatchingKey).
	Ec2TagFetcherForKey            Ec2TagFetcherMatchingKey
}

DefaultPosixtHost creates a Host implementation tuned for POSIX systems. CreateUserIfNotExistsOption controls whether to create the user if the account does not already exist at the time of login. DisableNewAccountAuthorization is a flag instructing whether the new user needs to be authorized before being added to the system. HostOwnershipEntitlementsKey is the string key to look up for the ownership entitlement values available to the host, e.g. {"team":"website"} or {"group":"sre/prod"}. ResetPasswdWithLatestFromCert is a flag which instructs to reset the password with the latest value from the certificate. UserAddCmdOptions are options as per the useradd POSIX system utility. createMissingGroups is an option to allow creating any groups missing from the system.

func (*DefaultPosixtHost) AddMissingGroups

func (c *DefaultPosixtHost) AddMissingGroups(principal string, cert sshcert.Cert) error

func (*DefaultPosixtHost) AddUserToSystem

func (c *DefaultPosixtHost) AddUserToSystem(userLogin string, cert sshcert.Cert) error

func (*DefaultPosixtHost) CreateMissingGroups

func (c *DefaultPosixtHost) CreateMissingGroups() bool

func (*DefaultPosixtHost) CreateUserIfNotExists

func (c *DefaultPosixtHost) CreateUserIfNotExists() bool

func (*DefaultPosixtHost) GetSSHCmdTargetUser

func (c *DefaultPosixtHost) GetSSHCmdTargetUser() string

func (*DefaultPosixtHost) MatchUserClaimToExistingAccount

func (c *DefaultPosixtHost) MatchUserClaimToExistingAccount(cert sshcert.Cert) (bool, string, error)

func (*DefaultPosixtHost) PosixHostCreateGroupIfNotExists

func (c *DefaultPosixtHost) PosixHostCreateGroupIfNotExists(group group.PosixGroup) error

func (*DefaultPosixtHost) PosixHostOSExec

func (c *DefaultPosixtHost) PosixHostOSExec(stdInput []byte, cmdAndArgs ...string) (string, error)

func (*DefaultPosixtHost) PosixHostOwnershipEntitlements

func (c *DefaultPosixtHost) PosixHostOwnershipEntitlements() []string

func (*DefaultPosixtHost) PosixHostOwnershipEntitlementsKey

func (c *DefaultPosixtHost) PosixHostOwnershipEntitlementsKey() string

func (*DefaultPosixtHost) PosixHostResetPasswd

func (c *DefaultPosixtHost) PosixHostResetPasswd(user string, passwdHash string) error

func (*DefaultPosixtHost) PosixHostUserAuthorize

func (c *DefaultPosixtHost) PosixHostUserAuthorize(user string, cert sshcert.CertPosixAccount) (bool, error)

func (*DefaultPosixtHost) PrintAuthorizedPrincipalsFile

func (c *DefaultPosixtHost) PrintAuthorizedPrincipalsFile(user string, cert sshcert.Cert) error

type DefaultSudoCmd

// DefaultSudoCmd carries no state. It presumably provides the default
// SudoCmd implementation; SudoCmd's methods are unexported and not shown on
// this page, so confirm against the source.
type DefaultSudoCmd struct {
}

type EC2MetadataClient

// EC2MetadataClient is the subset of an EC2 instance-metadata client used by
// this package.
type EC2MetadataClient interface {
	// Available reports whether the metadata service can be reached.
	Available() bool
	// GetMetadata returns the metadata value at p (presumably a metadata path).
	GetMetadata(p string) (string, error)
}

type Ec2TagFetcherMatchingKey

// Ec2TagFetcherMatchingKey fetches the value of an EC2 tag by key; see
// DefaultFetchEC2TagValueMatchingKey for the default implementation.
type Ec2TagFetcherMatchingKey interface {
	// FetchEC2TagValueMatchingKey returns the value of the tag named key for
	// the current instance, using metadataClient and ec2Service.
	FetchEC2TagValueMatchingKey(key string, metadataClient EC2MetadataClient, ec2Service ec2iface.EC2API) (string, error)
}

type Host

type MatchCertClaimToAnExistingAccount

// MatchCertClaimToAnExistingAccount is implemented by a host that can match
// the claims in cert to an account already present on the system.
type MatchCertClaimToAnExistingAccount interface {
	// MatchUserClaimToExistingAccount returns whether a match was found, the
	// matched account name, and a non-nil error on failure.
	MatchUserClaimToExistingAccount(cert sshcert.Cert) (bool, string, error)
}

type ModifySudoRules

// ModifySudoRules is implemented by a host that can modify sudo rules for
// principal based on cert.
type ModifySudoRules interface {
	// ModifySudoRules modifies the sudo rules for principal using cert and
	// returns a non-nil error on failure.
	ModifySudoRules(principal string, cert sshcert.Cert) error
}

type OSEnvLookUp

// OSEnvLookUp abstracts environment lookup; its signature matches os.LookupEnv.
type OSEnvLookUp interface {
	// LookupEnv returns the value of key and whether it was present.
	LookupEnv(key string) (string, bool)
}

type OSExec

// OSExec abstracts command construction; its signature matches exec.Command.
// Implementations are expected to pass name and arg as an argv vector rather
// than through a shell, as exec.Command does.
type OSExec interface {
	// Command returns a command that will run name with arg.
	Command(name string, arg ...string) *exec.Cmd
}

type PosixHost

// PosixHost is a Host; it adds no methods of its own on this page.
type PosixHost interface {
	Host
}

type PosixHostCreateGroupIfNotExists

// PosixHostCreateGroupIfNotExists is implemented by a host that can create a
// POSIX group when it does not already exist.
type PosixHostCreateGroupIfNotExists interface {
	// PosixHostCreateGroupIfNotExists creates the given group if it is missing
	// and returns a non-nil error on failure.
	PosixHostCreateGroupIfNotExists(group.PosixGroup) error
}

type PosixHostOSExec

// PosixHostOSExec runs a command on the host.
type PosixHostOSExec interface {
	// PosixHostOSExec runs cmdAndArgs with stdInput supplied on standard input
	// and returns the command output. Feeding sensitive values (such as
	// password hashes) through stdInput rather than cmdAndArgs keeps them out
	// of the process argument list, which is visible to other users.
	PosixHostOSExec(stdInput []byte, cmdAndArgs ...string) (string, error)
}

type PosixHostOwnershipEntitlements

// PosixHostOwnershipEntitlements exposes the ownership entitlement values
// available to the host.
type PosixHostOwnershipEntitlements interface {
	// PosixHostOwnershipEntitlements returns the entitlement values.
	PosixHostOwnershipEntitlements() []string
}

type PosixHostOwnershipEntitlementsKey

// PosixHostOwnershipEntitlementsKey exposes the key under which ownership
// entitlements are looked up.
type PosixHostOwnershipEntitlementsKey interface {
	// PosixHostOwnershipEntitlementsKey returns the lookup key.
	PosixHostOwnershipEntitlementsKey() string
}

type PosixHostResetPasswd

// PosixHostResetPasswd is implemented by a host that can reset an account's
// password from an already-hashed value.
type PosixHostResetPasswd interface {
	// PosixHostResetPasswd sets the password of user to passwdHash and returns
	// a non-nil error on failure. passwdHash is a hash, not a cleartext
	// password. NOTE(review): confirm the implementation hands the hash to the
	// system tool via stdin (see PosixHostOSExec's stdInput) rather than argv.
	PosixHostResetPasswd(user string, passwdHash string) error
}

type PosixHostUserAuthorize

// PosixHostUserAuthorize decides whether user is authorized on this host.
type PosixHostUserAuthorize interface {
	// PosixHostUserAuthorize returns true when user is authorized according to
	// cert, false otherwise, and a non-nil error when the check itself failed.
	// Callers should treat an error as "not authorized".
	PosixHostUserAuthorize(user string, cert sshcert.CertPosixAccount) (bool, error)
}

type PrintAuthorizedPrincipalsFile

// PrintAuthorizedPrincipalsFile produces the output sshd consumes through
// AuthorizedPrincipalsCommand.
type PrintAuthorizedPrincipalsFile interface {
	// PrintAuthorizedPrincipalsFile prints the authorized-principals content for
	// user derived from cert and returns a non-nil error on failure. sshd reads
	// each output line as a principal, so nothing else should be written to
	// standard output.
	PrintAuthorizedPrincipalsFile(user string, cert sshcert.Cert) error
}

type SSHCmdTargetUser

// SSHCmdTargetUser exposes the user the SSH command targets.
type SSHCmdTargetUser interface {
	// GetSSHCmdTargetUser returns the target user name.
	GetSSHCmdTargetUser() string
}

type SudoCmd

// SudoCmd is satisfied only by types in this package: its method set is
// unexported and not shown on this page.
type SudoCmd interface {
	// contains filtered or unexported methods
}

type SyncUserSudoRules

// SyncUserSudoRules is a single-method option interface; a true result
// enables synchronizing the user's sudo rules.
type SyncUserSudoRules interface {
	// SyncUserSudoRules reports whether sudo rules should be synchronized.
	SyncUserSudoRules() bool
}

type SyncUsersGroupMemberships

// SyncUsersGroupMemberships is a single-method option interface; a true
// result enables synchronizing the user's group memberships.
type SyncUsersGroupMemberships interface {
	// SyncUsersGroupMemberships reports whether group memberships should be
	// synchronized.
	SyncUsersGroupMemberships() bool
}

type TreatMissingPrincpalInCertAsLocalUser

// TreatMissingPrincpalInCertAsLocalUser (sic) covers the case where the
// certificate carries no matching principal; the returned string's meaning is
// implementation-defined and not shown on this page.
type TreatMissingPrincpalInCertAsLocalUser interface {
	// TreatMissingPrincpalInCertAsLocalUser returns the local user to use when
	// the principal is missing from the certificate (presumably; confirm
	// against the implementation).
	TreatMissingPrincpalInCertAsLocalUser() string
}

type UserGroupMembershipModify

// UserGroupMembershipModify is implemented by a host that can change the
// group memberships of principal based on cert.
type UserGroupMembershipModify interface {
	// UserGroupMembershipModify modifies group memberships for principal using
	// cert and returns a non-nil error on failure.
	UserGroupMembershipModify(principal string, cert sshcert.Cert) error
}

type UsrsGrpsLookUp

// UsrsGrpsLookUp abstracts user and group resolution; the method signatures
// match user.Lookup, user.LookupGroupId and user.LookupGroup from os/user.
type UsrsGrpsLookUp interface {
	// Lookup resolves a user by login name.
	Lookup(username string) (*osuser.User, error)
	// LookupGroupId resolves a group by its numeric ID given as a string.
	LookupGroupId(gid string) (*osuser.Group, error)
	// LookupGroup resolves a group by name.
	LookupGroup(name string) (*osuser.Group, error)
}
