Documentation ¶
Overview ¶
Package mtls facilitates Mutual TLS authentication for SansShell.
Index ¶
- func LoadClientCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)
- func LoadClientTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)
- func LoadRootOfTrust(path string) (*x509.CertPool, error)
- func LoadServerCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)
- func LoadServerCredentialsWithForceRefresh(ctx context.Context, loaderName string) (credentials.TransportCredentials, func() error, error)
- func LoadServerTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)
- func Loaders() []string
- func NewClientCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials
- func NewServerCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials
- func Register(name string, loader CredentialsLoader) error
- type CredentialsLoader
- type WrappedTransportCredentials
- func (w *WrappedTransportCredentials) ClientHandshake(ctx context.Context, s string, n net.Conn) (net.Conn, credentials.AuthInfo, error)
- func (w *WrappedTransportCredentials) Clone() credentials.TransportCredentials
- func (w *WrappedTransportCredentials) Info() credentials.ProtocolInfo
- func (w *WrappedTransportCredentials) OverrideServerName(s string) error
- func (w *WrappedTransportCredentials) ServerHandshake(n net.Conn) (net.Conn, credentials.AuthInfo, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LoadClientCredentials ¶
func LoadClientCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)
LoadClientCredentials returns transport credentials for SansShell clients, based on the provided `loaderName`
func LoadClientTLS ¶
func LoadClientTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)
LoadClientTLS reads the certificates and keys from disk at the supplied paths, and assembles them into a set of TransportCredentials for the gRPC client.
func LoadRootOfTrust ¶
LoadRootOfTrust will load an CA root of trust(s) from the given file and return a CertPool to use in validating certificates. All CA's to validate against must be presented together in the PEM file. If the file is a directory, LoadRootOfTrust will load all files in that directory.
func LoadServerCredentials ¶
func LoadServerCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)
LoadServerCredentials returns transport credentials for a SansShell server as retrieved from the specified `loaderName`. This should be the most commonly used method to generate credentials as this will support reloadable credentials as the TransportCredentials returned are a WrappedTransportCredentials which will check at call time if new certificates are available.
func LoadServerCredentialsWithForceRefresh ¶ added in v1.30.0
func LoadServerCredentialsWithForceRefresh(ctx context.Context, loaderName string) (credentials.TransportCredentials, func() error, error)
LoadServerCredentialsWithForceRefresh returns transport credentials along with a function that allows immediately refreshing the credentials
func LoadServerTLS ¶
func LoadServerTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)
LoadServerTLS reads the certificates and keys from disk at the supplied paths, and assembles them into a set of TransportCredentials for the gRPC server. NOTE: This doesn't support reloadable credentials.
func Loaders ¶
func Loaders() []string
Loaders returns the names of all currently registered CredentialLoader implementations as a sorted list of strings.
func NewClientCredentials ¶
func NewClientCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials
NewClientCredentials returns transport credentials for SansShell clients.
func NewServerCredentials ¶
func NewServerCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials
NewServerCredentials creates transport credentials for a SansShell server. NOTE: This doesn't support reloadable credentials.
func Register ¶
func Register(name string, loader CredentialsLoader) error
Register associates a name with a mechanism for loading credentials. Implementations of CredentialsLoader will typically call Register during init()
Types ¶
type CredentialsLoader ¶
type CredentialsLoader interface { // LoadClientCA returns a CertPool which should be used by a server to // validate client certificates. // NOTE: The pool returned here will be the only pool used to validate certificates. // Inclusion of system certificates should be done by copying from x509.SystemCertPool(), // with any custom certificates appended. LoadClientCA(context.Context) (*x509.CertPool, error) // LoadRootCA returns a CertPool which should be used by clients to // validate server certificates. // NOTE: The pool returned here will be the only pool used to validate certificates. // Inclusion of system certificates should be done by copying from x509.SystemCertPool(), // with any custom certificates appended. LoadRootCA(context.Context) (*x509.CertPool, error) // LoadClientCertificates returns the certificate that should be presented // by the client when connecting to a server. LoadClientCertificate(context.Context) (tls.Certificate, error) // LoadServerCertificate returns the certificate that should be presented // by the server to incoming clients. LoadServerCertificate(context.Context) (tls.Certificate, error) // CertRefreshed indicates if internally any of the cert data has // been refreshed and should be reloaded. This will depend on the // implementation to support but allows for dynamic refresh of certificates // without a server restart. CertsRefreshed() bool }
A CredentialsLoader loads mTLS credential data.
func Loader ¶
func Loader(name string) (CredentialsLoader, error)
Loader returns the CredentialsLoader associated with `name` or an error if no such implementation is registered.
type WrappedTransportCredentials ¶ added in v1.1.0
type WrappedTransportCredentials struct {
// contains filtered or unexported fields
}
WrappedTransportCredentials wraps a credentials.TransportCredentials and monitors any access to the underlying credentials are up to date by calling CertsRefreshed before continuing.
func (*WrappedTransportCredentials) ClientHandshake ¶ added in v1.1.0
func (w *WrappedTransportCredentials) ClientHandshake(ctx context.Context, s string, n net.Conn) (net.Conn, credentials.AuthInfo, error)
ClientHandshake -- see credentials.ClientHandshake
func (*WrappedTransportCredentials) Clone ¶ added in v1.1.0
func (w *WrappedTransportCredentials) Clone() credentials.TransportCredentials
Clone -- see credentials.Clone
func (*WrappedTransportCredentials) Info ¶ added in v1.1.0
func (w *WrappedTransportCredentials) Info() credentials.ProtocolInfo
Info -- see credentials.Info
func (*WrappedTransportCredentials) OverrideServerName ¶ added in v1.1.0
func (w *WrappedTransportCredentials) OverrideServerName(s string) error
OverrideServerName -- see credentials.OverrideServerName
func (*WrappedTransportCredentials) ServerHandshake ¶ added in v1.1.0
func (w *WrappedTransportCredentials) ServerHandshake(n net.Conn) (net.Conn, credentials.AuthInfo, error)
ServerHandshake -- see credentials.ServerHandshake