Documentation ¶
Index ¶
- Constants
- Variables
- func CloneGitRepository(target string, branch string, depth int) (string, string, error)
- func ComputeFingerprint(args ...interface{}) string
- func GenerateGithubURL(target string, branch string, file string, line int) string
- func IsAWSAccReachable(accARN, assumeRoleURL, role string, sessDuration int) (bool, *credentials.Credentials, error)
- func IsDockerImgReachable(target, user, pass string) (bool, error)
- func IsDomainReachable(target string) (bool, error)
- func IsGCPProjReachable(gcpProject, endpoint, saCreds string) (bool, error)
- func IsGitRepoReachable(target, user, pass string) bool
- func IsHostnameReachable(target string) bool
- func IsReachable(target, assetType string, creds ServiceCreds) (bool, error)
- func IsRedirectingTo(url, domain string) (res bool, lastHostname string, err error)
- func IsScannable(asset string) bool
- func IsWebAddrsReachable(target string) bool
- type AWSCreds
- type DockerCreds
- type GCPCreds
- type GitCreds
- type ServiceCreds
Constants ¶
const (
// OKTADomain contains the domainname of OKTA service.
OKTADomain = "okta.com"
)
Variables ¶
var (
// ErrFailedToGetDNSAnswer represents the error returned
// when unable to get a valid answer from the currently
// configured DNS servers.
ErrFailedToGetDNSAnswer = errors.New("failed to get a valid answer")
NotScannableNetsIPV4 []*net.IPNet
NotScannableNetsIPV6 []*net.IPNet
)
var DockerHubCreds = &DockerCreds{}
DockerHubCreds represents an empty DockerCreds struct that can be used with the Docker Hub registry.
Functions ¶
func CloneGitRepository ¶
CloneGitRepository clones a Git repository into a temporary directory and returns the path and branch name. If a branch is not specified, the default branch will be used and its name will be returned.
func ComputeFingerprint ¶
func ComputeFingerprint(args ...interface{}) string
func GenerateGithubURL ¶
GenerateGithubURL returns a URL pointing to a line of a file on a specific branch in the Github web application.
func IsAWSAccReachable ¶
func IsAWSAccReachable(accARN, assumeRoleURL, role string, sessDuration int) (bool, *credentials.Credentials, error)
IsAWSAccReachable returns whether the AWS account associated with the input ARN allows assuming a role with the given parameters through the vulcan-assume-role service. If the role is assumed successfully for the given account, STS credentials are returned.
If the environment variable VULCAN_SKIP_REACHABILITY is true according to strconv.ParseBool, then the reachability test is skipped and IsAWSAccReachable returns true and no STS credentials.
func IsDockerImgReachable ¶
IsDockerImgReachable returns whether the input Docker image exists in the registry. An empty user and pass do not produce an error as long as a token can be obtained without authentication.
In order to verify that the Docker image exists, a request is made to the registry API endpoint to get data for the given image and tag. At the time of writing this functionality is still not implemented in the Docker client, so the registry's REST API has to be contacted directly. Reference: https://github.com/moby/moby/issues/14254
If the environment variable VULCAN_SKIP_REACHABILITY is true according to strconv.ParseBool, then the reachability test is skipped and IsDockerImgReachable returns true.
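The registry exchange described above, as an added example that is not the package's own IsDockerImgReachable: it assumes a standard v2 registry (a GET on the manifest endpoint, then the WWW-Authenticate bearer challenge whose realm issues a pull token, anonymously unless credentials are supplied). The function names imageExists, getManifest, parseChallenge and fetchToken are this example's own, and the VULCAN_SKIP_REACHABILITY shortcut is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// imageExists reports whether repo:tag exists in the Docker/OCI v2 registry at base.
// It requests the manifest; on 401 it parses the WWW-Authenticate challenge, fetches a
// bearer token from the named realm (anonymously unless user/pass are set) and retries.
func imageExists(base, repo, tag, user, pass string) (bool, error) {
	client := &http.Client{}
	manifestURL := fmt.Sprintf("%s/v2/%s/manifests/%s", strings.TrimRight(base, "/"), repo, tag)
	status, challenge, err := getManifest(client, manifestURL, "")
	if err != nil {
		return false, err
	}
	if status == http.StatusUnauthorized {
		token, err := fetchToken(client, challenge, user, pass)
		if err != nil {
			return false, err
		}
		if status, _, err = getManifest(client, manifestURL, token); err != nil {
			return false, err
		}
	}
	switch status {
	case http.StatusOK:
		return true, nil
	case http.StatusNotFound:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d from registry", status)
	}
}

// getManifest returns the response status and the WWW-Authenticate header, if any.
func getManifest(client *http.Client, u, token string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Accept", "application/vnd.docker.distribution.manifest.v2+json")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("WWW-Authenticate"), nil
}

// parseChallenge splits `Bearer realm="...",service="...",scope="..."` into its parameters.
func parseChallenge(header string) map[string]string {
	params := map[string]string{}
	for _, kv := range strings.Split(strings.TrimPrefix(header, "Bearer "), ",") {
		if parts := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(parts) == 2 {
			params[parts[0]] = strings.Trim(parts[1], `"`)
		}
	}
	return params
}

// fetchToken obtains a pull token from the realm named in the challenge.
func fetchToken(client *http.Client, challenge, user, pass string) (string, error) {
	p := parseChallenge(challenge)
	if p["realm"] == "" {
		return "", fmt.Errorf("no bearer challenge in %q", challenge)
	}
	q := url.Values{"service": {p["service"]}, "scope": {p["scope"]}}
	req, err := http.NewRequest(http.MethodGet, p["realm"]+"?"+q.Encode(), nil)
	if err != nil {
		return "", err
	}
	if user != "" || pass != "" {
		req.SetBasicAuth(user, pass) // credentials go to the token service only, never to the registry
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %d", resp.StatusCode)
	}
	var body struct{ Token string `json:"token"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || body.Token == "" {
		return "", fmt.Errorf("token endpoint returned no usable token")
	}
	return body.Token, nil
}

func main() {
	// Stand-alone run against Docker Hub; needs network access.
	ok, err := imageExists("https://registry-1.docker.io", "library/alpine", "latest", "", "")
	fmt.Println(ok, err)
}
```

Because the manifest request is retried with the token rather than the user's password, a registry that answers the first request with 200 (no authentication configured) and one that demands a token both end in the same place, which is the behaviour the paragraph above describes for empty credentials.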
func IsDomainReachable ¶
IsDomainReachable returns whether the input target is a reachable Domain Name. The criteria to determine a target as a Domain is the existence of a SOA record.
If the environment variable VULCAN_SKIP_REACHABILITY is true according to strconv.ParseBool, then the reachability test is skipped and IsDomainReachable returns true.
func IsGCPProjReachable ¶ added in v1.3.0
IsGCPProjReachable returns whether the GCP project is reachable.
If the environment variable VULCAN_SKIP_REACHABILITY is true according to strconv.ParseBool, then the reachability test is skipped and IsGCPProjReachable returns true.
func IsGitRepoReachable ¶
IsGitRepoReachable returns whether the input Git repository is reachable by performing a ls-remote. If no authentication is required, the user and pass parameters can be empty.
If the environment variable VULCAN_SKIP_REACHABILITY is true according to strconv.ParseBool, then the reachability test is skipped and IsGitRepoReachable returns true.
func IsHostnameReachable ¶
IsHostnameReachable returns whether the input hostname target can be resolved.
If the environment variable VULCAN_SKIP_REACHABILITY is true according to strconv.ParseBool, then the reachability test is skipped and IsHostnameReachable returns true.
func IsReachable ¶
func IsReachable(target, assetType string, creds ServiceCreds) (bool, error)
IsReachable returns whether target is reachable so the check execution can be performed.
ServiceCreds are required for the AWS, GCP, Docker and Git types. Constructors for AWS, GCP, Docker and Git credentials can be found in this same package.
Verifications made depend on the asset type:
- IP: None.
- IPRange: None.
- Hostname: NS Lookup resolution.
- WebAddress: HTTP GET request.
- DomainName: NS Lookup checking SOA record.
- AWSAccount: Assume Role.
- GCPProject: GCP Get Project.
- DockerImage: Check image exists in registry.
- GitRepository: Git ls-remote.
This function does not return any of the output produced while verifying the target's reachability. That output can be useful in some cases to avoid repeating work during check execution (e.g. obtaining the Assume Role token). For that purpose, the individual functions in this same package can be called instead, with further options for the AWS, GCP, Docker and Git types.
If the environment variable VULCAN_SKIP_REACHABILITY is true according to strconv.ParseBool, then the reachability test is skipped and IsReachable returns true.
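An added example (not the package's own IsReachable) of the two rules this section states: the per-asset-type dispatch table, and the VULCAN_SKIP_REACHABILITY shortcut read with strconv.ParseBool. The probes are injected as a map so the code runs offline; skipReachability, checker and reachable are this example's names.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// skipReachability applies the documented VULCAN_SKIP_REACHABILITY rule:
// only values strconv.ParseBool accepts as true ("1", "t", "T", "true", "TRUE", "True")
// skip the test. Unset, false, or unparsable values such as "yes" or "on" run it.
func skipReachability() bool {
	v, ok := os.LookupEnv("VULCAN_SKIP_REACHABILITY")
	if !ok {
		return false
	}
	skip, err := strconv.ParseBool(v)
	return err == nil && skip
}

// checker is one per-asset-type reachability probe (NS lookup, HTTP GET, ls-remote, ...).
type checker func(target string) (bool, error)

// reachable dispatches on assetType as the table above describes; IP and IPRange
// need no probe, every other type must have one registered or is rejected.
func reachable(target, assetType string, probes map[string]checker) (bool, error) {
	if skipReachability() {
		return true, nil
	}
	switch assetType {
	case "IP", "IPRange":
		return true, nil
	}
	probe, ok := probes[assetType]
	if !ok {
		return false, fmt.Errorf("no reachability probe for asset type %q", assetType)
	}
	return probe(target)
}

func main() {
	// Constructed stub standing in for an NS lookup.
	probes := map[string]checker{
		"Hostname": func(target string) (bool, error) { return target == "known.example", nil },
	}
	fmt.Println(reachable("known.example", "Hostname", probes))   // true <nil>
	fmt.Println(reachable("unknown.example", "Hostname", probes)) // false <nil>
	fmt.Println(reachable("203.0.113.7", "IP", probes))           // true <nil>
}
```

The ParseBool detail matters operationally: an environment that sets the variable to "yes" or "on" will still run every reachability probe, and a rejected asset type surfaces as an error rather than a silent "unreachable".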
func IsRedirectingTo ¶
IsRedirectingTo checks whether the URL given in the url parameter redirects to the given domain name.
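One way to implement such a check, as an added example rather than the package's own IsRedirectingTo: follow redirects with a bounded hop count, take the hostname of the final request, and compare it against the domain with a proper label boundary so that notexample.com does not match example.com. redirectsTo, sameOrSubdomain and the maxHops parameter are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// redirectsTo follows at most maxHops redirects from rawURL and reports whether the
// final hostname is domain or a subdomain of it, together with the last hostname seen.
// On a redirect loop (or any redirect past the cap) the error is returned along with
// the hostname the chain was heading to, which is still useful for reporting.
func redirectsTo(rawURL, domain string, maxHops int) (bool, string, error) {
	client := &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= maxHops {
				return fmt.Errorf("stopped after %d redirects", maxHops)
			}
			return nil
		},
	}
	resp, err := client.Get(rawURL)
	if err != nil {
		// http.Client wraps CheckRedirect failures in *url.Error whose URL is the next Location.
		var ue *url.Error
		if errors.As(err, &ue) {
			if u, perr := url.Parse(ue.URL); perr == nil {
				return false, u.Hostname(), err
			}
		}
		return false, "", err
	}
	resp.Body.Close()
	last := resp.Request.URL.Hostname() // resp.Request is the final request after redirects
	return sameOrSubdomain(last, domain), last, nil
}

// sameOrSubdomain is a case-insensitive match on whole DNS labels: host must equal
// domain or end in "."+domain, so a lookalike sharing only a suffix does not pass.
func sameOrSubdomain(host, domain string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	domain = strings.ToLower(strings.TrimSuffix(domain, "."))
	return host == domain || strings.HasSuffix(host, "."+domain)
}

func main() {
	// Stand-alone run; needs network access.
	ok, last, err := redirectsTo("http://okta.com/", "okta.com", 10)
	fmt.Println(ok, last, err)
}
```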
func IsScannable ¶
IsScannable tells you whether an asset can be scanned or not, based on its type and value. The goal is to prevent scanning hosts that are not public. Limitation: as the asset type is not available, the function tries to guess it, which can lead to the scenario where a domain that is also a hostname resolving to a private IP is to be scanned. In that case the domain won't be scanned even though it should be.
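An added example of the type-guessing described above, not the package's own IsScannable: the value is tried as an IP, then as a CIDR range, then as a name resolved through an injected lookup so the code runs offline. The contents of NotScannableNetsIPV4 and NotScannableNetsIPV6 are not shown on this page, so the notScannable list below is an assumption (RFC 1918, loopback, link-local, CGNAT and their IPv6 counterparts); assetScannable, ipScannable, rangeScannable and mustCIDRs are this example's names. It also reproduces the stated limitation: a name whose apex resolves to a private address is rejected.

```go
package main

import (
	"fmt"
	"net"
)

// notScannable lists networks a scanner must never probe. Assumed list; the package's
// own NotScannableNetsIPV4/IPV6 values are not shown on this page.
var notScannable = mustCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10",
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// ipScannable is false when the address falls inside any non-scannable network.
func ipScannable(ip net.IP) bool {
	for _, n := range notScannable {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// rangeScannable rejects a CIDR that overlaps a non-scannable network: two ranges
// overlap exactly when one contains the other's first address.
func rangeScannable(n *net.IPNet) bool {
	for _, bad := range notScannable {
		if bad.Contains(n.IP) || n.Contains(bad.IP) {
			return false
		}
	}
	return true
}

// assetScannable guesses the asset type from its value: IP, then CIDR range, then a
// name resolved with lookup. A name is scannable only if every address it resolves
// to is, which is where a domain with a private apex record gets rejected.
func assetScannable(asset string, lookup func(string) ([]net.IP, error)) bool {
	if ip := net.ParseIP(asset); ip != nil {
		return ipScannable(ip)
	}
	if _, n, err := net.ParseCIDR(asset); err == nil {
		return rangeScannable(n)
	}
	ips, err := lookup(asset)
	if err != nil || len(ips) == 0 {
		return false
	}
	for _, ip := range ips {
		if !ipScannable(ip) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed resolver standing in for DNS.
	fake := func(name string) ([]net.IP, error) {
		table := map[string][]net.IP{
			"public.example":   {net.ParseIP("203.0.113.10")},
			"intranet.example": {net.ParseIP("10.1.2.3")},
		}
		if ips, ok := table[name]; ok {
			return ips, nil
		}
		return nil, fmt.Errorf("no such host: %s", name)
	}
	for _, a := range []string{"203.0.113.10", "192.168.1.5", "198.51.100.0/24", "10.0.0.0/24", "public.example", "intranet.example"} {
		fmt.Printf("%-18s scannable=%v\n", a, assetScannable(a, fake))
	}
}
```

Passing net.LookupIP as the lookup gives the real-DNS behaviour; the injected function is what lets the limitation be demonstrated deterministically.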
func IsWebAddrsReachable ¶
IsWebAddrsReachable returns whether the input web address accepts HTTP requests.
If the environment variable VULCAN_SKIP_REACHABILITY is true according to strconv.ParseBool, then the reachability test is skipped and IsWebAddrsReachable returns true.
Types ¶
type AWSCreds ¶
AWSCreds holds data required to perform an assume role request.
func NewAWSCreds ¶
NewAWSCreds creates a new AWS Credentials for Assume Role.
type DockerCreds ¶
func NewDockerCreds ¶
func NewDockerCreds(user, pass string) *DockerCreds
NewDockerCreds creates a new Docker Credentials struct.
func (*DockerCreds) Password ¶
func (c *DockerCreds) Password() string
func (*DockerCreds) URL ¶
func (c *DockerCreds) URL() string
func (*DockerCreds) Username ¶
func (c *DockerCreds) Username() string
type GCPCreds ¶ added in v1.3.0
type GCPCreds struct {
SACreds string
}
GCPCreds holds data required to perform a `describe project` request.
func NewGCPCreds ¶ added in v1.3.0
NewGCPCreds creates a new GCP Credentials object for Service Account.
type GitCreds ¶
func NewGitCreds ¶
NewGitCreds creates a new Git Credentials struct. User and pass can be empty if no auth is required.
type ServiceCreds ¶
ServiceCreds represents the credentials necessary to access an authenticated service. There are constructors available in this same package for:
- AWS Assume role through vulcan-assume-role svc.
- GCP Service Account.
- Docker registry.
- Github repository.