endpoint

package
Constants

// SDKName is the string constant naming this SDK ("Venafi VCert-Go").
// NOTE(review): nothing on this page shows where it is used; presumably it
// identifies the client to the remote endpoint — confirm against callers.
const SDKName = "Venafi VCert-Go"

Variables

// LocalIP is mutable package-level state holding an address as a plain string.
// NOTE(review): nothing visible here shows who writes or reads it (it may feed
// LogRequest.SourceIp); unsynchronized writes from several goroutines would be
// a data race — confirm against the callers before relying on it.
var LocalIP string

Functions

This section is empty.

Types

type AllowedKeyConfiguration

// AllowedKeyConfiguration contains an allowed key type together with the key
// sizes (for size-based algorithms such as RSA) or the curves (for
// elliptic-curve keys) that a Policy permits for that type.
type AllowedKeyConfiguration struct {
	// KeyType is the key algorithm this configuration applies to.
	KeyType   certificate.KeyType
	// KeySizes lists the permitted key sizes in bits for KeyType.
	KeySizes  []int
	// KeyCurves lists the permitted elliptic curves for KeyType.
	KeyCurves []certificate.EllipticCurve
}

AllowedKeyConfiguration contains an allowed key type with its sizes or curves

type Authentication

// Authentication holds the credential material a Connector authenticates with.
// One method is expected per connector: user/password (deprecated),
// access/refresh token or a client certificate for Trust Protection Platform;
// an API key or a service account (TokenURL plus ExternalJWT) for VCP; OAuth
// client credentials for Firefly.
//
// Password, AccessToken, RefreshToken, APIKey, ExternalJWT and ClientSecret are
// secrets. The yaml tags mean the struct can be loaded from a config file, so
// any file holding it must be protected accordingly, and the struct should
// never be logged or printed with %v/%+v.
type Authentication struct {
	// TPP Auth methods
	// user and password
	User     string `yaml:"user,omitempty"`     //**DEPRECATED** Use access/refresh token or client certificate instead
	Password string `yaml:"password,omitempty"` //**DEPRECATED** Use access/refresh token or client certificate instead
	// tokens (both are secrets)
	AccessToken  string `yaml:"accessToken,omitempty"`
	RefreshToken string `yaml:"refreshToken,omitempty"`
	// client certificate
	// ClientPKCS12 is a flag, presumably selecting client-certificate (PKCS#12)
	// authentication; the `-` tag keeps it out of YAML and the certificate
	// itself is not carried in this struct.
	ClientPKCS12 bool `yaml:"-"`

	// VCP Auth methods
	// API key (secret)
	APIKey string `yaml:"apiKey,omitempty"`
	// Service account: TokenURL is where the ExternalJWT (a secret) is presented,
	// so it should come from trusted configuration.
	TokenURL    string `yaml:"tokenURL,omitempty"`
	ExternalJWT string `yaml:"externalJWT,omitempty"`

	// OIDC Auth methods
	// ClientId identifies the OAuth client; ClientSecret is a secret.
	ClientId     string `yaml:"clientId,omitempty"`
	ClientSecret string `yaml:"clientSecret,omitempty"`
	Scope        string `yaml:"scope,omitempty"`
	// IdentityProvider specify the OAuth 2.0 which VCert will be working for authorization purposes
	IdentityProvider *OAuthProvider `yaml:"idP,omitempty"`
}

Authentication provides a struct for authentication data. Specify either User and Password (for Trust Protection Platform or Firefly), ClientId and ClientSecret (for Firefly), or an APIKey (for TLS Protect Cloud).

type Connector

// Connector is the common interface for external communications with TPP,
// Venafi Cloud or Firefly; GetType reports which backend an implementation
// targets. Several methods change state on the remote side (ResetCertificate,
// RevokeCertificate, RetireCertificate, SetPolicy, WriteLog); callers should
// gate them with the same authorization they would apply to the underlying API.
type Connector interface {
	// GetType returns a connector type (cloud/TPP/fake). Can be useful because some features are not supported by a Cloud connection.
	GetType() ConnectorType
	// SetZone sets a zone (by name) for requests with this connector.
	SetZone(z string)
	// SetHTTPClient allows to set custom http.Client to this Connector.
	// NOTE(review): the supplied client replaces the transport used for every
	// call, so it must keep TLS certificate verification enabled (no
	// InsecureSkipVerify) and carry a timeout; otherwise server authentication
	// is silently lost for all connector traffic.
	SetHTTPClient(client *http.Client)
	// Ping returns a non-nil error when the remote endpoint does not answer;
	// what exactly is probed is connector-specific and not shown here.
	Ping() (err error)
	// Authenticate is usually called by NewClient and it is not required that you manually call it.
	// The *Authentication passed in holds secrets (password, tokens, API key,
	// client secret); do not log it or include it in error messages.
	Authenticate(auth *Authentication) (err error)

	// ReadPolicyConfiguration returns information about zone policies. It can be used for checking request compatibility with policies.
	ReadPolicyConfiguration() (policy *Policy, err error)
	// ReadZoneConfiguration returns the zone configuration. A zone configuration includes zone policy and additional zone information.
	ReadZoneConfiguration() (config *ZoneConfiguration, err error)
	// GetZonesByParent returns a list of valid zones specified by parent
	GetZonesByParent(parent string) ([]string, error)
	// GenerateRequest update certificate.Request with data from zone configuration.
	GenerateRequest(config *ZoneConfiguration, req *certificate.Request) (err error)

	// ResetCertificate resets the state of a certificate.
	// This function is idempotent, i.e., it won't fail if there is nothing to be reset.
	ResetCertificate(req *certificate.Request, restart bool) (err error)
	// RequestCertificate makes a request to the server with data for enrolling the certificate.
	RequestCertificate(req *certificate.Request) (requestID string, err error)
	// RetrieveCertificate immediately returns an enrolled certificate. Otherwise, RetrieveCertificate waits and retries during req.Timeout.
	RetrieveCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error)
	// ProvisionCertificate provisions a certificate as described by req and
	// options and returns the resulting metadata. The request, option and
	// metadata types live in package domain and are not shown here.
	ProvisionCertificate(req *domain.ProvisioningRequest, options *domain.ProvisioningOptions) (*domain.ProvisioningMetadata, error)
	// IsCSRServiceGenerated reports whether the CSR for req is generated by the
	// service rather than supplied by the caller.
	IsCSRServiceGenerated(req *certificate.Request) (bool, error)
	// RevokeCertificate revokes the certificate identified by req. Revocation is
	// normally irreversible, so callers should confirm intent before invoking it.
	RevokeCertificate(req *certificate.RevocationRequest) error
	// RenewCertificate requests renewal of an existing certificate and returns
	// the request ID of the renewal.
	RenewCertificate(req *certificate.RenewalRequest) (requestID string, err error)
	// RetireCertificate retires the certificate identified by req.
	RetireCertificate(req *certificate.RetireRequest) error
	// ImportCertificate adds an existing certificate to Venafi Platform even if the certificate was not issued by Venafi Cloud or Venafi Platform. For information purposes.
	ImportCertificate(req *certificate.ImportRequest) (*certificate.ImportResponse, error)
	// ListCertificates returns a list of certificates from inventory that matches the filter
	ListCertificates(filter Filter) ([]certificate.CertificateInfo, error)
	// SearchCertificates runs the search described by req and returns the
	// connector's search response.
	SearchCertificates(req *certificate.SearchRequest) (*certificate.CertSearchResponse, error)
	// SearchCertificate returns a valid certificate
	//
	// If it returns no error, the certificate returned should be the latest [1]
	// exact matching zone [2], CN and sans.DNS [3] provided, with a minimum
	// validity of `certMinTimeLeft`
	//
	// [1] the one with the longest validity; field named ValidTo for TPP and
	// validityEnd for VaaS
	// [2] application name for VaaS
	// [3] an array of strings representing the DNS names
	SearchCertificate(zone string, cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) (*certificate.CertificateInfo, error)
	// RetrieveCertificateMetaData returns the metadata of the certificate
	// identified by dn.
	RetrieveCertificateMetaData(dn string) (*certificate.CertificateMetaData, error)

	// SetPolicy creates or updates the policy called name from ps. The meaning
	// of the returned string is connector-specific and not documented here.
	SetPolicy(name string, ps *policy.PolicySpecification) (string, error)
	// GetPolicy returns the policy specification stored under name.
	GetPolicy(name string) (*policy.PolicySpecification, error)

	// RequestSSHCertificate submits an SSH certificate request described by req.
	RequestSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
	// RetrieveSSHCertificate fetches the SSH certificate for a request
	// previously submitted with RequestSSHCertificate.
	RetrieveSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
	// RetrieveSshConfig returns the SSH configuration for the CA template in ca.
	RetrieveSshConfig(ca *certificate.SshCaTemplateRequest) (*certificate.SshConfig, error)
	// RetrieveAvailableSSHTemplates lists the SSH CA templates available to the caller.
	RetrieveAvailableSSHTemplates() ([]certificate.SshAvaliableTemplate, error)

	// SynchronousRequestCertificate makes a request to the server with data for enrolling the certificate and returns the enrolled certificate.
	SynchronousRequestCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error)
	// SupportSynchronousRequestCertificate returns if the connector support synchronous calls to request a certificate.
	SupportSynchronousRequestCertificate() bool

	// RetrieveSystemVersion returns the version string reported by the remote system.
	RetrieveSystemVersion() (string, error)
	// WriteLog sends req to the remote endpoint's log. Every LogRequest field is
	// a caller-supplied string; nothing in this interface validates them.
	WriteLog(req *LogRequest) error
	// SetUserAgent sets the value of the UserAgent header in HTTP requests to
	// Venafi API endpoints by this connector.
	// The default is `vcert/v5`.
	// Further reading: https://www.rfc-editor.org/rfc/rfc9110#field.user-agent
	SetUserAgent(userAgent string)
}

Connector provides a common interface for external communications with TPP or Venafi Cloud

type ConnectorType

// ConnectorType identifies which backend a Connector implementation talks to;
// the valid values are the ConnectorType* constants below.
type ConnectorType int

ConnectorType represents the available connectors

// Known connector types. The zero value is ConnectorTypeUndefined, so an
// uninitialized ConnectorType never aliases a real backend.
const (
	// ConnectorTypeUndefined is the zero value: no connector type has been chosen.
	ConnectorTypeUndefined ConnectorType = iota
	// ConnectorTypeFake is a fake connector for tests
	ConnectorTypeFake
	// ConnectorTypeCloud represents the Cloud connector type
	ConnectorTypeCloud
	// ConnectorTypeTPP represents the TPP connector type
	ConnectorTypeTPP
	// ConnectorTypeFirefly represents the Firefly connector type
	ConnectorTypeFirefly
)

func (ConnectorType) String

// String implements fmt.Stringer for ConnectorType.
func (t ConnectorType) String() string

type ErrCertificatePending

// ErrCertificatePending is the error returned for a certificate that is still
// pending; CertificateID identifies the certificate and Status carries the
// server-side state at the time of the error.
// NOTE(review): the rendered doc calls this a timeout error, which reads as
// copied from ErrRetrieveCertificateTimeout — confirm which description applies.
// TODO: replace with verror (carried over from the original).
type ErrCertificatePending struct {
	CertificateID string
	Status        string
}

TODO: replace with verror. ErrCertificatePending provides a common error structure for a timeout while retrieving a certificate.

func (ErrCertificatePending) Error

// Error implements the error interface for ErrCertificatePending; the value
// receiver means errors.As must target ErrCertificatePending, not a pointer.
func (err ErrCertificatePending) Error() string

type ErrCertificateRejected

// ErrCertificateRejected is the error returned when a certificate request was
// rejected; CertificateID identifies the certificate and Status carries the
// server-side state at the time of the error.
type ErrCertificateRejected struct {
	CertificateID string
	Status        string
}

func (ErrCertificateRejected) Error

// Error implements the error interface for ErrCertificateRejected; the value
// receiver means errors.As must target ErrCertificateRejected, not a pointer.
func (err ErrCertificateRejected) Error() string

type ErrRetrieveCertificateTimeout

// ErrRetrieveCertificateTimeout is the error returned when retrieving a
// certificate timed out; CertificateID identifies the certificate that was
// being retrieved.
// TODO: replace with verror (carried over from the original).
type ErrRetrieveCertificateTimeout struct {
	CertificateID string
}

TODO: replace with verror. ErrRetrieveCertificateTimeout provides a common error structure for a timeout while retrieving a certificate.

func (ErrRetrieveCertificateTimeout) Error

type Filter

// Filter narrows the result set of Connector.ListCertificates.
type Filter struct {
	// Limit caps the number of certificates returned.
	// NOTE(review): a nil Limit presumably means "no limit" — confirm in the connectors.
	Limit       *int
	// WithExpired, when true, includes certificates that have already expired.
	WithExpired bool
}

type LogRequest

// LogRequest is the payload for Connector.WriteLog. The json tags define the
// wire field names: LogID is serialized as "ID", every other field keeps its
// Go name, and all fields are omitted when empty.
type LogRequest struct {
	LogID     string `json:"ID,omitempty"`
	Component string `json:",omitempty"`
	Text1     string `json:",omitempty"`
	Text2     string `json:",omitempty"`
	Value1    string `json:",omitempty"`
	Value2    string `json:",omitempty"`
	// SourceIp is a caller-supplied string; it is not parsed or validated as an
	// address here, so the remote log records whatever the caller sets.
	SourceIp  string `json:",omitempty"`
	Severity  string `json:",omitempty"`
}

type OAuthProvider added in v5.1.0

// OAuthProvider describes the OAuth 2.0 provider used when
// Authentication.IdentityProvider is set.
type OAuthProvider struct {
	// OIDC Auth methods
	// DeviceURL is excluded from YAML by the `-` tag, so it is not read from a
	// config file.
	DeviceURL string `yaml:"-"`
	// TokenURL is the provider's token endpoint. NOTE(review): the client
	// secret is presumably presented to this URL, so it should come from trusted
	// configuration and use HTTPS.
	TokenURL  string `yaml:"tokenURL,omitempty"`
	// Audience is the audience value requested from the provider.
	Audience  string `yaml:"audience,omitempty"`
}

OAuthProvider provides a struct for the OAuth 2.0 providers information

type Policy

// Policy is the set of restrictions a zone places on certificates. Most fields
// hold lists of regular expressions; to satisfy the policy, every value in the
// corresponding certificate field must match AT LEAST ONE expression in the list.
// NOTE(review): whether the expressions are anchored before matching is decided
// by the validation code, which is not shown here; an unanchored pattern also
// matches names that merely contain the intended text somewhere — confirm
// before authoring policies from these fields.
type Policy struct {
	// Allowed patterns for the subject fields CN, O, OU, ST, L and C respectively.
	SubjectCNRegexes []string
	SubjectORegexes  []string
	SubjectOURegexes []string
	SubjectSTRegexes []string
	SubjectLRegexes  []string
	SubjectCRegexes  []string
	// AllowedKeyConfigurations lists all allowed key configurations. Certificate key configuration have to be listed in this list.
	// For example: If key has type RSA and length 2048 bit for satisfying the policy, that list must contain AT LEAST ONE configuration with type RSA and value 2048 in KeySizes list of this configuration.
	AllowedKeyConfigurations []AllowedKeyConfiguration
	// DnsSanRegExs is a list of regular expressions that show allowable DNS names in SANs.
	DnsSanRegExs []string
	// IpSanRegExs is a list of regular expressions that show allowable IP addresses in SANs.
	IpSanRegExs    []string
	// EmailSanRegExs, UriSanRegExs and UpnSanRegExs are the same for email, URI and UPN SANs.
	EmailSanRegExs []string
	UriSanRegExs   []string
	UpnSanRegExs   []string
	// AllowWildcards, when true, permits wildcard names in the request.
	AllowWildcards bool
	// AllowKeyReuse, when true, permits reusing an existing private key.
	// Reusing a key across certificates widens the impact of a key compromise.
	AllowKeyReuse  bool
}

Policy is a struct that contains restrictions for certificates. Most of the fields contain lists of regular expressions. To satisfy a policy, all values in a certificate field must match AT LEAST ONE regular expression in the corresponding policy field.

func (*Policy) SimpleValidateCertificateRequest

// SimpleValidateCertificateRequest only checks that the request's Common Name
// and SANs match the policy's regular expressions; it returns a non-nil error
// when they do not.
// NOTE(review): request is passed by value here, whereas
// ValidateCertificateRequest takes a *certificate.Request.
func (p *Policy) SimpleValidateCertificateRequest(request certificate.Request) error

SimpleValidateCertificateRequest only checks that the Common Name and SANs match the policies.

func (*Policy) ValidateCertificateRequest

// ValidateCertificateRequest validates request against the Policy and returns
// a non-nil error when the request does not satisfy it.
func (p *Policy) ValidateCertificateRequest(request *certificate.Request) error

ValidateCertificateRequest validates the request against the Policy

type ZoneConfiguration

// ZoneConfiguration is the certificate request data a remote endpoint provides
// for a zone: subject values, the embedded Policy, the hash algorithm, custom
// attributes and an optional key configuration.
type ZoneConfiguration struct {
	// Subject values supplied by the zone; UpdateCertificateRequest applies
	// them to a certificate.Request.
	Organization       string
	OrganizationalUnit []string
	Country            string
	Province           string
	Locality           string
	// Policy is embedded, so its validation methods are promoted to
	// ZoneConfiguration.
	Policy
	HashAlgorithm         x509.SignatureAlgorithm
	// CustomAttributeValues must be initialized before it is written to;
	// NewZoneConfiguration creates it.
	CustomAttributeValues map[string]string
	// KeyConfiguration is the single key configuration to apply, when non-nil.
	KeyConfiguration      *AllowedKeyConfiguration
}

ZoneConfiguration provides a common structure for certificate request data provided by the remote endpoint

func NewZoneConfiguration

// NewZoneConfiguration returns a ZoneConfiguration whose CustomAttributeValues
// map is already created, so it can be written to immediately.
func NewZoneConfiguration() *ZoneConfiguration

NewZoneConfiguration creates a new zone configuration and initializes the map used in the configuration.

func (*ZoneConfiguration) UpdateCertificateRequest

// UpdateCertificateRequest mutates request in place with values from the zone
// configuration retrieved from the remote endpoint; it reports nothing, so
// callers cannot tell which fields were changed.
func (z *ZoneConfiguration) UpdateCertificateRequest(request *certificate.Request)

UpdateCertificateRequest updates a certificate request based on the zone configuration retrieved from the remote endpoint
