Documentation
Index
- Constants
- type CertificateRequestValidator
- type CertificateValidator
- type Claimer
- type Claims
- type Collection
- func (c *Collection) Find(cursor string, limit int) (List, string)
- func (c *Collection) Load(id string) (Interface, bool)
- func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
- func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool)
- func (c *Collection) LoadEncryptedKey(keyID string) (string, bool)
- func (c *Collection) Store(p Interface) error
- type Config
- type Duration
- type Interface
- type JWK
- func (p *JWK) Authorize(token string) ([]SignOption, error)
- func (p *JWK) AuthorizeRenewal(cert *x509.Certificate) error
- func (p *JWK) AuthorizeRevoke(token string) error
- func (p *JWK) GetEncryptedKey() (string, string, bool)
- func (p *JWK) GetID() string
- func (p *JWK) GetName() string
- func (p *JWK) GetType() Type
- func (p *JWK) Init(config Config) (err error)
- type List
- type OIDC
- func (o *OIDC) Authorize(token string) ([]SignOption, error)
- func (o *OIDC) AuthorizeRenewal(cert *x509.Certificate) error
- func (o *OIDC) AuthorizeRevoke(token string) error
- func (o *OIDC) GetEncryptedKey() (kid string, key string, ok bool)
- func (o *OIDC) GetID() string
- func (o *OIDC) GetName() string
- func (o *OIDC) GetType() Type
- func (o *OIDC) Init(config Config) (err error)
- func (o *OIDC) IsAdmin(email string) bool
- func (o *OIDC) ValidatePayload(p openIDPayload) error
- type Options
- type ProfileModifier
- type SignOption
- type TimeDuration
- type Type
Constants
const DefaultProvisionersLimit = 20
DefaultProvisionersLimit is the default limit for listing provisioners.
const DefaultProvisionersMax = 100
DefaultProvisionersMax is the maximum limit for listing provisioners.
Variables
This section is empty.
Functions
This section is empty.
Types
type CertificateRequestValidator
type CertificateRequestValidator interface {
	SignOption
	Valid(req *x509.CertificateRequest) error
}
CertificateRequestValidator is the interface used to validate an X.509 certificate request.
type CertificateValidator
type CertificateValidator interface {
	SignOption
	Valid(crt *x509.Certificate) error
}
CertificateValidator is the interface used to validate an X.509 certificate.
type Claimer
type Claimer struct {
// contains filtered or unexported fields
}
Claimer is the type that controls claims. It provides an interface around the current claim and the global one.
func NewClaimer
NewClaimer initializes a new claimer with the given claims.
func (*Claimer) DefaultTLSCertDuration
DefaultTLSCertDuration returns the default TLS cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.
func (*Claimer) IsDisableRenewal
IsDisableRenewal returns if the renewal flow is disabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.
func (*Claimer) MaxTLSCertDuration
MaxTLSCertDuration returns the maximum TLS cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.
func (*Claimer) MinTLSCertDuration
MinTLSCertDuration returns the minimum TLS cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.
type Claims
type Claims struct {
	MinTLSDur      *Duration `json:"minTLSCertDuration,omitempty"`
	MaxTLSDur      *Duration `json:"maxTLSCertDuration,omitempty"`
	DefaultTLSDur  *Duration `json:"defaultTLSCertDuration,omitempty"`
	DisableRenewal *bool     `json:"disableRenewal,omitempty"`
}
Claims holds the per-provisioner claims that let an individual provisioner override the global claims.
type Collection
type Collection struct {
// contains filtered or unexported fields
}
Collection is a memory map of provisioners.
func NewCollection
func NewCollection(audiences []string) *Collection
NewCollection initializes a collection of provisioners. The given audiences are the ones used by the JWT provisioner.
func (*Collection) Find
func (c *Collection) Find(cursor string, limit int) (List, string)
Find implements pagination on a list of sorted provisioners.
func (*Collection) Load
func (c *Collection) Load(id string) (Interface, bool)
Load loads a provisioner by its ID.
func (*Collection) LoadByCertificate
func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
LoadByCertificate looks for the provisioner extension in the certificate and extracts the provisioner ID needed to load the provisioner.
func (*Collection) LoadByToken
func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool)
LoadByToken parses the token claims and loads the provisioner associated with them.
func (*Collection) LoadEncryptedKey
func (c *Collection) LoadEncryptedKey(keyID string) (string, bool)
LoadEncryptedKey returns the encrypted key indexed by the given key ID. At this moment only JWK encrypted keys are indexed by key ID.
func (*Collection) Store
func (c *Collection) Store(p Interface) error
Store adds a provisioner to the collection and enforces the uniqueness of provisioner IDs.
type Config
type Config struct {
	// Claims are the default claims.
	Claims Claims
	// Audiences are the audiences used in the default provisioner, (JWK).
	Audiences []string
}
Config defines the default parameters used in the initialization of provisioners.
type Duration
Duration is a wrapper around Time.Duration to aid with marshal/unmarshal.
func (*Duration) MarshalJSON
MarshalJSON encodes the duration as a JSON duration string.
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
func (*Duration) UnmarshalJSON
UnmarshalJSON parses a duration string and sets it to the duration.
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
type Interface
type Interface interface {
	GetID() string
	GetName() string
	GetType() Type
	GetEncryptedKey() (kid string, key string, ok bool)
	Init(config Config) error
	Authorize(token string) ([]SignOption, error)
	AuthorizeRenewal(cert *x509.Certificate) error
	AuthorizeRevoke(token string) error
}
Interface is the interface that all provisioner types must implement.
type JWK
type JWK struct {
	Type         string           `json:"type"`
	Name         string           `json:"name"`
	Key          *jose.JSONWebKey `json:"key"`
	EncryptedKey string           `json:"encryptedKey,omitempty"`
	Claims       *Claims          `json:"claims,omitempty"`
	// contains filtered or unexported fields
}
JWK is the default provisioner, an entity that can sign tokens necessary for signature requests.
func (*JWK) Authorize
func (p *JWK) Authorize(token string) ([]SignOption, error)
Authorize validates the given token.
func (*JWK) AuthorizeRenewal
func (p *JWK) AuthorizeRenewal(cert *x509.Certificate) error
AuthorizeRenewal returns an error if the renewal is disabled.
func (*JWK) AuthorizeRevoke
AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate whose serial number is given in the token's `sub` property.
func (*JWK) GetEncryptedKey
GetEncryptedKey returns the provisioner's encrypted key if one is defined.
type List
type List []Interface
List represents a list of provisioners.
func (*List) UnmarshalJSON
UnmarshalJSON implements json.Unmarshaler and unmarshals a list of provisioner interfaces into their concrete types.
type OIDC
type OIDC struct {
	Type                  string   `json:"type"`
	Name                  string   `json:"name"`
	ClientID              string   `json:"clientID"`
	ClientSecret          string   `json:"clientSecret"`
	ConfigurationEndpoint string   `json:"configurationEndpoint"`
	Admins                []string `json:"admins,omitempty"`
	Domains               []string `json:"domains,omitempty"`
	Claims                *Claims  `json:"claims,omitempty"`
	// contains filtered or unexported fields
}
OIDC represents an OAuth 2.0 OpenID Connect provider.
ClientSecret is mandatory, but it can be an empty string.
func (*OIDC) Authorize
func (o *OIDC) Authorize(token string) ([]SignOption, error)
Authorize validates the given token.
func (*OIDC) AuthorizeRenewal
func (o *OIDC) AuthorizeRenewal(cert *x509.Certificate) error
AuthorizeRenewal returns an error if the renewal is disabled.
func (*OIDC) AuthorizeRevoke
AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate whose serial number is given in the token's `sub` property.
func (*OIDC) GetEncryptedKey
GetEncryptedKey is not available in an OIDC provisioner.
func (*OIDC) GetID
GetID returns the provisioner's unique identifier; the OIDC provisioner uses the clientID for this.
func (*OIDC) IsAdmin
IsAdmin returns true if the given email is in the Admins list, false otherwise.
func (*OIDC) ValidatePayload
ValidatePayload validates the given token payload.
type Options
type Options struct {
	NotAfter  TimeDuration `json:"notAfter"`
	NotBefore TimeDuration `json:"notBefore"`
}
Options contains the options that can be passed to the Sign method.
type ProfileModifier
type ProfileModifier interface {
	SignOption
	Option(o Options) x509util.WithOption
}
ProfileModifier is the interface used to add custom options to the profile constructor. The options are used to modify the final certificate.
type SignOption
type SignOption interface{}
SignOption is the interface used to collect all extra options used in the Sign method.
type TimeDuration
type TimeDuration struct {
// contains filtered or unexported fields
}
TimeDuration represents a time, but its JSON unmarshaling accepts either an RFC 3339 time or a time.Duration string. If a duration is used, the time is set on the first call to TimeDuration.Time.
func NewTimeDuration
func NewTimeDuration(t time.Time) TimeDuration
NewTimeDuration returns a TimeDuration with the defined time.
func ParseTimeDuration
func ParseTimeDuration(s string) (TimeDuration, error)
ParseTimeDuration returns a new TimeDuration parsing the RFC 3339 time or time.Duration string.
func (TimeDuration) MarshalJSON
func (t TimeDuration) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface. If the time is set, it returns the time in RFC 3339 format; otherwise it returns the duration string.
func (*TimeDuration) SetDuration
func (t *TimeDuration) SetDuration(d time.Duration)
SetDuration initializes the TimeDuration with the given duration. If the time was set, it is reset to zero.
func (*TimeDuration) SetTime
func (t *TimeDuration) SetTime(tt time.Time)
SetTime initializes the TimeDuration with the given time. If the duration was set, it is reset to zero.
func (*TimeDuration) String
func (t *TimeDuration) String() string
String implements the fmt.Stringer interface.
func (*TimeDuration) Time
func (t *TimeDuration) Time() time.Time
Time calculates the embedded time.Time, sets it if necessary, and returns it.
func (*TimeDuration) UnmarshalJSON
func (t *TimeDuration) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface. The time is expected to be a quoted string in RFC 3339 format or a quoted time.Duration string.
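The TimeDuration contract documented above (an Options field such as notAfter may be either an absolute RFC 3339 time or a relative time.Duration string, and a relative value is pinned to the clock on the first Time() call) is easy to get subtly wrong, so here is an added, self-contained Go re-implementation of it written for this page. It is not the package's own code: the unexported fields, the parse order and the error handling are assumptions made here.

```go
package main

import (
	"encoding/json"
	"time"
)

// TimeDuration is an added illustration of the documented type, not the
// package's code: JSON carries either an RFC 3339 time or a duration string.
type TimeDuration struct {
	t time.Time     // absolute instant, zero until resolved
	d time.Duration // relative offset, used while t is zero
}

// ParseTimeDuration tries RFC 3339 first, then a Go duration such as "24h";
// on failure the time.ParseDuration error is returned.
func ParseTimeDuration(s string) (TimeDuration, error) {
	if t, err := time.Parse(time.RFC3339, s); err == nil {
		return TimeDuration{t: t}, nil
	}
	d, err := time.ParseDuration(s)
	return TimeDuration{d: d}, err
}

// UnmarshalJSON expects a quoted string in one of the two formats.
func (td *TimeDuration) UnmarshalJSON(data []byte) error {
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return err
	}
	parsed, err := ParseTimeDuration(s)
	if err == nil {
		*td = parsed
	}
	return err
}

// Time resolves a duration against the clock on the first call only, so later reads return the same instant.
func (td *TimeDuration) Time() time.Time {
	if td.t.IsZero() {
		td.t = time.Now().Add(td.d)
	}
	return td.t
}

// Options mirrors the documented Sign options; each field accepts either form.
type Options struct {
	NotAfter  TimeDuration `json:"notAfter"`
	NotBefore TimeDuration `json:"notBefore"`
}
```

Because a relative notAfter is only pinned when Time() is first read, the value a certificate ends up with depends on when the signing code reads it; the stable second read shown in the test is what keeps NotBefore and NotAfter consistent with each other.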