Documentation ¶
Index ¶
- Constants
- Variables
- func CreateFirstProvisioner(ctx context.Context, adminDB admin.DB, password string) (*linkedca.Provisioner, error)
- func IsValidForAddUser(cert *ssh.Certificate) error
- func NewContext(ctx context.Context, a *Authority) context.Context
- func NewContextWithSkipTokenReuse(ctx context.Context) context.Context
- func NewTokenContext(ctx context.Context, token string) context.Context
- func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface, error)
- func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, error)
- func SkipTokenReuseFromContext(ctx context.Context) bool
- func TokenFromContext(ctx context.Context) (token string, ok bool)
- func ValidateClaims(c *linkedca.Claims) error
- func ValidateDurations(d *linkedca.Durations) error
- type ASN1DN
- type AuthConfig
- type Authority
- func (a *Authority) AreSANsAllowed(_ context.Context, sans []string) error
- func (a *Authority) Authorize(ctx context.Context, token string) ([]provisioner.SignOption, error)
- func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedca.Admin, error)
- func (a *Authority) AuthorizeRenewToken(_ context.Context, ott string) (*x509.Certificate, error)
- func (a *Authority) AuthorizeSign(token string) ([]provisioner.SignOption, error)deprecated
- func (a *Authority) CheckSSHHost(ctx context.Context, principal, token string) (bool, error)
- func (a *Authority) CloseForReload()
- func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, p *linkedca.Policy) (*linkedca.Policy, error)
- func (a *Authority) Export() (c *linkedca.Configuration, err error)
- func (a *Authority) GenerateCertificateRevocationList() error
- func (a *Authority) GetAdminDatabase() admin.DB
- func (a *Authority) GetAdmins(cursor string, limit int) ([]*linkedca.Admin, string, error)
- func (a *Authority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error)
- func (a *Authority) GetCertificateRevocationList() (*CertificateRevocationListInfo, error)
- func (a *Authority) GetConfig() *config.Config
- func (a *Authority) GetDatabase() db.AuthDB
- func (a *Authority) GetEncryptedKey(kid string) (string, error)
- func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)
- func (a *Authority) GetID() string
- func (a *Authority) GetInfo() Info
- func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error)
- func (a *Authority) GetRootCertificate() *x509.Certificate
- func (a *Authority) GetRootCertificates() []*x509.Certificate
- func (a *Authority) GetRoots() ([]*x509.Certificate, error)
- func (a *Authority) GetSCEP() *scep.Authority
- func (a *Authority) GetSSHBastion(ctx context.Context, user, hostname string) (*config.Bastion, error)
- func (a *Authority) GetSSHConfig(_ context.Context, typ string, data map[string]string) ([]templates.Output, error)
- func (a *Authority) GetSSHFederation(context.Context) (*config.SSHKeys, error)
- func (a *Authority) GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)
- func (a *Authority) GetSSHRoots(context.Context) (*config.SSHKeys, error)
- func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)
- func (a *Authority) GetTLSOptions() *config.TLSOptions
- func (a *Authority) IsAdminAPIEnabled() bool
- func (a *Authority) IsRevoked(sn string) (bool, error)
- func (a *Authority) LoadAdminByID(id string) (*linkedca.Admin, bool)
- func (a *Authority) LoadAdminBySubProv(subject, prov string) (*linkedca.Admin, bool)
- func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)
- func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)
- func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error)
- func (a *Authority) LoadProvisionerByToken(token *jose.JSONWebToken, claims *jose.Claims) (provisioner.Interface, error)
- func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
- func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub ssh.PublicKey, ...) (*ssh.Certificate, error)
- func (a *Authority) ReloadAdminResources(ctx context.Context) error
- func (a *Authority) RemoveAdmin(ctx context.Context, id string) error
- func (a *Authority) RemoveAuthorityPolicy(ctx context.Context) error
- func (a *Authority) RemoveProvisioner(ctx context.Context, id string) error
- func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error)
- func (a *Authority) RenewContext(ctx context.Context, oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
- func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ssh.Certificate, error)
- func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
- func (a *Authority) Root(sum string) (*x509.Certificate, error)
- func (a *Authority) Shutdown() error
- func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, ...) ([]*x509.Certificate, error)deprecated
- func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, ...) (*ssh.Certificate, error)
- func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)
- func (a *Authority) SignWithContext(ctx context.Context, csr *x509.CertificateRequest, ...) ([]*x509.Certificate, error)
- func (a *Authority) StoreAdmin(ctx context.Context, adm *linkedca.Admin, prov provisioner.Interface) error
- func (a *Authority) StoreProvisioner(ctx context.Context, prov *linkedca.Provisioner) error
- func (a *Authority) UpdateAdmin(ctx context.Context, id string, nu *linkedca.Admin) (*linkedca.Admin, error)
- func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, p *linkedca.Policy) (*linkedca.Policy, error)
- func (a *Authority) UpdateProvisioner(ctx context.Context, nu *linkedca.Provisioner) error
- func (a *Authority) UseToken(token string, prov provisioner.Interface) error
- func (a *Authority) Version() Version
- type Bastion
- type CertificateRevocationListInfo
- type CipherSuites
- type Claims
- type Config
- type Host
- type HostTag
- type Info
- type Meter
- type Option
- func WithAdminDB(d admin.DB) Option
- func WithAuthorizeRenewFunc(...) Option
- func WithAuthorizeSSHRenewFunc(...) Option
- func WithConfig(cfg *config.Config) Option
- func WithConfigFile(filename string) Option
- func WithDatabase(d db.AuthDB) Option
- func WithFullSCEPOptions(options *scep.Options) Option
- func WithGetIdentityFunc(...) Option
- func WithIssuerPassword(password []byte) Option
- func WithKeyManager(k kms.KeyManager) Option
- func WithLinkedCAToken(token string) Option
- func WithMeter(m Meter) Option
- func WithPassword(password []byte) Option
- func WithProvisioners(ps *provisioner.Collection) Optiondeprecated
- func WithQuietInit() Option
- func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option
- func WithSSHBastionFunc(fn func(ctx context.Context, user, host string) (*config.Bastion, error)) Option
- func WithSSHCheckHost(...) Option
- func WithSSHGetHosts(fn func(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)) Option
- func WithSSHHostPassword(password []byte) Option
- func WithSSHHostSigner(s crypto.Signer) Option
- func WithSSHUserPassword(password []byte) Option
- func WithSSHUserSigner(s crypto.Signer) Option
- func WithSkipInit() Option
- func WithWebhookClient(c *http.Client) Option
- func WithX509CAService(svc casapi.CertificateAuthorityService) Option
- func WithX509Enforcers(ces ...provisioner.CertificateEnforcer) Option
- func WithX509FederatedBundle(pemCerts []byte) Option
- func WithX509FederatedCerts(certs ...*x509.Certificate) Option
- func WithX509IntermediateCerts(intermediateCerts ...*x509.Certificate) Option
- func WithX509RootBundle(pemCerts []byte) Option
- func WithX509RootCerts(rootCerts ...*x509.Certificate) Option
- func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option
- func WithX509SignerChain(issuerChain []*x509.Certificate, s crypto.Signer) Option
- func WithX509SignerFunc(fn func() ([]*x509.Certificate, crypto.Signer, error)) Option
- type PolicyError
- type RevokeOptions
- type SSHConfig
- type SSHKeys
- type SSHPublicKey
- type TLSOptions
- type Version
Constants ¶
// policyErrorType values classify a PolicyError. The meanings below are
// inferred from the constant names only — confirm against the policy code
// before relying on them.
const (
	// AdminLockOut: the requested policy change would lock out the admin
	// applying it (presumably), and is therefore rejected.
	AdminLockOut policyErrorType = iota + 1
	// StoreFailure: persisting the policy failed.
	StoreFailure
	// ReloadFailure: reloading resources after the policy change failed.
	ReloadFailure
	// ConfigurationFailure: the policy configuration itself is invalid.
	ConfigurationFailure
	// EvaluationFailure: evaluating the policy against a request failed.
	EvaluationFailure
	// InternalFailure: any other internal error.
	InternalFailure
)
const (
	// SSHAddUserPrincipal is the principal that will run the add user command.
	// Defaults to "provisioner" but it can be changed in the configuration.
	SSHAddUserPrincipal = "provisioner"
	// SSHAddUserCommand is the default command to run to add a new user.
	// Defaults to "sudo useradd -m <principal>; nc -q0 localhost 22" but it can
	// be changed in the configuration. The string "<principal>" will be
	// replaced by the new principal to add.
	//
	// NOTE(review): the principal is substituted into a shell command line
	// (the "; nc ..." suffix implies shell interpretation), so whatever performs
	// the substitution must restrict principals to a safe character set first.
	// Confirm where that validation is enforced (SignSSHAddUser /
	// IsValidForAddUser are the likely places).
	SSHAddUserCommand = "sudo useradd -m <principal>; nc -q0 localhost 22"
)
Variables ¶
var DefaultTLSOptions = config.DefaultTLSOptions
DefaultTLSOptions is an alias to support older APIs.
var GlobalVersion = Version{
Version: "0.0.0",
}
GlobalVersion stores the version information of the server.
var LoadConfiguration = config.LoadConfiguration
LoadConfiguration is an alias to support older APIs.
Functions ¶
func CreateFirstProvisioner ¶
func CreateFirstProvisioner(ctx context.Context, adminDB admin.DB, password string) (*linkedca.Provisioner, error)
CreateFirstProvisioner creates and stores the first provisioner when using admin database provisioner storage.
func IsValidForAddUser ¶
func IsValidForAddUser(cert *ssh.Certificate) error
IsValidForAddUser reports whether the given SSH user certificate is eligible to be the subject of a SignSSHAddUser request, i.e. whether an add-user (provisioner) certificate may be issued for it. It returns a non-nil error describing why the certificate is not eligible.
func NewContext ¶
NewContext adds the given authority to the context.
func NewContextWithSkipTokenReuse ¶
NewContextWithSkipTokenReuse creates a new context from ctx and attaches a flag indicating that the one-time-token reuse check should be skipped. Use with care: bypassing the reuse check (see UseToken) means the same token may be accepted more than once.
func NewTokenContext ¶
NewTokenContext adds the given token to the context.
func ProvisionerToCertificates ¶
func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface, error)
ProvisionerToCertificates converts the linkedca provisioner type to the certificates provisioner interface.
func ProvisionerToLinkedca ¶
func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, error)
ProvisionerToLinkedca converts a provisioner.Interface to a linkedca.Provisioner type.
func SkipTokenReuseFromContext ¶
SkipTokenReuseFromContext reports whether the token reuse check must be skipped for the given context (as set by NewContextWithSkipTokenReuse).
func TokenFromContext ¶
TokenFromContext returns the token from the given context.
func ValidateClaims ¶
ValidateClaims validates the Claims type.
func ValidateDurations ¶
ValidateDurations validates the Durations type.
Types ¶
type Authority ¶
type Authority struct {
// contains filtered or unexported fields
}
Authority implements the Certificate Authority internal interface.
func FromContext ¶
FromContext returns the current authority from the given context.
func MustFromContext ¶
MustFromContext returns the current authority from the given context. It will panic if the authority is not in the context.
func NewEmbedded ¶
NewEmbedded initializes an authority that can be embedded in a different project without the limitations of the config.
func (*Authority) AreSANsAllowed ¶
AreSANsAllowed evaluates the provided sans against the authority X.509 policy.
func (*Authority) Authorize ¶
func (a *Authority) Authorize(ctx context.Context, token string) ([]provisioner.SignOption, error)
Authorize grabs the method from the context and authorizes the request by validating the one-time-token.
func (*Authority) AuthorizeAdminToken ¶
AuthorizeAdminToken authorizes an admin token presented with the given HTTP request and returns the *linkedca.Admin it identifies.
func (*Authority) AuthorizeRenewToken ¶
AuthorizeRenewToken validates the renew token and returns the leaf certificate carried in its x5cInsecure header. As the header name indicates, the JOSE layer does not verify that certificate's chain; the validation performed by this method is what is expected to establish trust in the returned leaf, so callers must not use the header contents without it.
func (*Authority) AuthorizeSign
deprecated
func (a *Authority) AuthorizeSign(token string) ([]provisioner.SignOption, error)
AuthorizeSign authorizes a signature request by validating and authenticating a token that must be sent w/ the request.
Deprecated: Use Authorize(context.Context, string) ([]provisioner.SignOption, error).
func (*Authority) CheckSSHHost ¶
CheckSSHHost reports whether the given host principal has already been registered. The token authenticates the request (see WithSSHCheckHost).
func (*Authority) CloseForReload ¶
func (a *Authority) CloseForReload()
CloseForReload closes internal services, to allow a safe reload.
func (*Authority) CreateAuthorityPolicy ¶
func (*Authority) Export ¶
func (a *Authority) Export() (c *linkedca.Configuration, err error)
Export creates a linkedca configuration from the current ca.json and the loaded authorities.
Note that Export exports neither the PKI password nor the certificate issuer password; those secrets must be provisioned separately on the importing side.
func (*Authority) GenerateCertificateRevocationList ¶
GenerateCertificateRevocationList generates a DER representation of a signed CRL and stores it in the database. It returns nil without generating anything if CRL generation has been disabled in the config.
func (*Authority) GetAdminDatabase ¶
GetAdminDatabase returns the admin database, if one exists.
func (*Authority) GetAdmins ¶
GetAdmins returns a page of admins starting at the given cursor, containing at most limit entries, together with the cursor to use for the next page.
func (*Authority) GetAuthorityPolicy ¶
func (*Authority) GetCertificateRevocationList ¶
func (a *Authority) GetCertificateRevocationList() (*CertificateRevocationListInfo, error)
GetCertificateRevocationList will return the currently generated CRL from the DB, or a not implemented error if the underlying AuthDB does not support CRLs
func (*Authority) GetDatabase ¶
GetDatabase returns the authority database. If the configuration does not define a database, GetDatabase will return a db.SimpleDB instance.
func (*Authority) GetEncryptedKey ¶
GetEncryptedKey returns the JWE key corresponding to the given kid argument.
func (*Authority) GetFederation ¶
func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)
GetFederation returns all the root certificates in the federation. This method implements the Authority interface.
func (*Authority) GetProvisioners ¶
GetProvisioners returns a page of the configured provisioners starting at the given cursor, containing at most limit entries, together with the cursor to use for the next page.
func (*Authority) GetRootCertificate ¶
func (a *Authority) GetRootCertificate() *x509.Certificate
GetRootCertificate returns the server root certificate.
func (*Authority) GetRootCertificates ¶
func (a *Authority) GetRootCertificates() []*x509.Certificate
GetRootCertificates returns the server root certificates.
In the Authority interface we also have a similar method, GetRoots. At the moment the functionality of these two methods is almost identical, but this method is intended to be used internally by the CA HTTP server to load the roots that will be set in the tls.Config, while GetRoots is used by the Authority interface and might gain extra checks in the future.
func (*Authority) GetRoots ¶
func (a *Authority) GetRoots() ([]*x509.Certificate, error)
GetRoots returns all the root certificates for this CA. This method implements the Authority interface.
func (*Authority) GetSSHBastion ¶
func (a *Authority) GetSSHBastion(ctx context.Context, user, hostname string) (*config.Bastion, error)
GetSSHBastion returns the bastion configuration for the given (user, hostname) pair.
func (*Authority) GetSSHConfig ¶
func (a *Authority) GetSSHConfig(_ context.Context, typ string, data map[string]string) ([]templates.Output, error)
GetSSHConfig returns rendered templates for clients (user) or servers (host).
func (*Authority) GetSSHFederation ¶
GetSSHFederation returns the public keys for federated SSH signers.
func (*Authority) GetSSHHosts ¶
GetSSHHosts returns a list of valid host principals.
func (*Authority) GetSSHRoots ¶
GetSSHRoots returns the SSH User and Host public keys.
func (*Authority) GetTLSCertificate ¶
func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)
GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.
func (*Authority) GetTLSOptions ¶
func (a *Authority) GetTLSOptions() *config.TLSOptions
GetTLSOptions returns the tls options configured.
func (*Authority) IsAdminAPIEnabled ¶
IsAdminAPIEnabled returns a boolean indicating whether the Admin API has been enabled.
func (*Authority) IsRevoked ¶
IsRevoked reports whether the certificate with the given serial number has been revoked.
func (*Authority) LoadAdminByID ¶
LoadAdminByID returns an *linkedca.Admin with the given ID.
func (*Authority) LoadAdminBySubProv ¶
LoadAdminBySubProv returns the *linkedca.Admin with the given subject and provisioner name, and false if no such admin exists.
func (*Authority) LoadProvisionerByCertificate ¶
func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)
LoadProvisionerByCertificate returns an interface to the provisioner that provisioned the certificate.
func (*Authority) LoadProvisionerByID ¶
func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)
LoadProvisionerByID returns an interface to the provisioner with the given ID.
func (*Authority) LoadProvisionerByName ¶
func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error)
LoadProvisionerByName returns an interface to the provisioner with the given Name.
func (*Authority) LoadProvisionerByToken ¶
func (a *Authority) LoadProvisionerByToken(token *jose.JSONWebToken, claims *jose.Claims) (provisioner.Interface, error)
LoadProvisionerByToken returns an interface to the provisioner that provisioned the token.
func (*Authority) Rekey ¶
func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
Rekey is used for rekeying and renewing based on the public key. If the public key is 'nil' then it's assumed that the cert should be renewed using the existing public key. If the public key is not 'nil' then it's assumed that the cert should be rekeyed.
For both Rekey and Renew all other attributes of the new certificate should match the old certificate. The exceptions are 'AuthorityKeyId' (which may have changed), 'SubjectKeyId' (different in case of rekey), and 'NotBefore/NotAfter' (the validity duration of the new certificate should be equal to the old one, but starting 'now').
func (*Authority) RekeySSH ¶
func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
RekeySSH creates a signed SSH certificate using the old SSH certificate as a template.
func (*Authority) ReloadAdminResources ¶
ReloadAdminResources reloads admins and provisioners from the DB.
func (*Authority) RemoveAdmin ¶
RemoveAdmin removes the *linkedca.Admin with the given ID from the authority.
func (*Authority) RemoveAuthorityPolicy ¶
func (*Authority) RemoveProvisioner ¶
RemoveProvisioner removes the provisioner with the given ID from the authority.
func (*Authority) Renew ¶
func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error)
Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.
func (*Authority) RenewContext ¶
func (a *Authority) RenewContext(ctx context.Context, oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
RenewContext creates a new certificate identical to the old one, but it can optionally replace the public key with the given one. When running on RA mode, it can only renew a certificate using a renew token instead.
For both rekey and renew operations, all other attributes of the new certificate should match the old certificate. The exceptions are 'AuthorityKeyId' (which may have changed), 'SubjectKeyId' (different in case of rekey), and 'NotBefore/NotAfter' (the validity duration of the new certificate should be equal to the old one, but starting 'now').
func (*Authority) RenewSSH ¶
func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ssh.Certificate, error)
RenewSSH creates a signed SSH certificate using the old SSH certificate as a template.
func (*Authority) Revoke ¶
func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
Revoke revokes a certificate.
NOTE: Revocation here is passive: it prevents the revoked certificate from being renewed, but the certificate stays valid to relying parties until it expires unless they consult a CRL. CRL generation is available separately via GenerateCertificateRevocationList when enabled in the config; OCSP is not supported.
TODO: Add OCSP support.
func (*Authority) Root ¶
func (a *Authority) Root(sum string) (*x509.Certificate, error)
Root returns the certificate corresponding to the given SHA sum argument.
func (*Authority) Shutdown ¶
Shutdown safely shuts down any clients, databases, etc. held by the Authority.
func (*Authority) Sign
deprecated
func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
Sign creates a signed certificate from a certificate signing request. It creates a new context.Context, and calls into SignWithContext.
Deprecated: Use authority.SignWithContext with an actual context.Context.
func (*Authority) SignSSH ¶
func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
SignSSH creates a signed SSH certificate with the given public key and options.
func (*Authority) SignSSHAddUser ¶
func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)
SignSSHAddUser signs a certificate that provisions a new user in a server.
func (*Authority) SignWithContext ¶
func (a *Authority) SignWithContext(ctx context.Context, csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
SignWithContext creates a signed certificate from a certificate signing request, taking the provided context.Context.
func (*Authority) StoreAdmin ¶
func (a *Authority) StoreAdmin(ctx context.Context, adm *linkedca.Admin, prov provisioner.Interface) error
StoreAdmin stores the given *linkedca.Admin, associated with the provisioner prov, in the authority.
func (*Authority) StoreProvisioner ¶
StoreProvisioner stores a provisioner to the authority.
func (*Authority) UpdateAdmin ¶
func (a *Authority) UpdateAdmin(ctx context.Context, id string, nu *linkedca.Admin) (*linkedca.Admin, error)
UpdateAdmin replaces the admin with the given ID by nu and returns the updated *linkedca.Admin.
func (*Authority) UpdateAuthorityPolicy ¶
func (*Authority) UpdateProvisioner ¶
UpdateProvisioner replaces the stored provisioner with the given *linkedca.Provisioner.
func (*Authority) UseToken ¶
func (a *Authority) UseToken(token string, prov provisioner.Interface) error
UseToken stores the token to protect against reuse.
This method currently ignores every error returned by GetTokenID; it should instead ignore only provisioner.ErrAllowTokenReuse and fail on anything else, because an error swallowed here means the token is never recorded and could therefore be replayed.
type CertificateRevocationListInfo ¶
type CertificateRevocationListInfo struct {
	// Number is the CRL number — presumably the value carried in the CRL's
	// cRLNumber extension; confirm against GenerateCertificateRevocationList.
	Number int64
	// ExpiresAt is the time after which this CRL should no longer be relied upon
	// (name inference — confirm).
	ExpiresAt time.Time
	// Duration is the validity period the CRL was generated with (name inference — confirm).
	Duration time.Duration
	// Data is the signed CRL in DER encoding.
	Data []byte
}
CertificateRevocationListInfo contains a CRL in DER format and associated metadata.
type CipherSuites ¶
type CipherSuites = config.CipherSuites
CipherSuites is an alias to support older APIs.
type Claims ¶
// Claims extends jose.Claims with step-specific attributes carried in tokens.
type Claims struct {
	jose.Claims
	// SANs lists the subject alternative names requested in the token.
	SANs []string `json:"sans,omitempty"`
	// Email is the email address associated with the token subject.
	Email string `json:"email,omitempty"`
	// Nonce is presumably a replay-protection value; nothing visible here
	// shows who consumes it — confirm before relying on it.
	Nonce string `json:"nonce,omitempty"`
}
Claims extends jose.Claims with step attributes.
type Info ¶
type Info struct {
	// StartTime is when the authority was started.
	StartTime time.Time
	// RootX509Certs are the X.509 root certificates of the authority.
	RootX509Certs []*x509.Certificate
	// SSHCAUserPublicKey is the public key of the SSH user CA (encoding not
	// visible here — presumably the authorized_keys/wire format; confirm).
	SSHCAUserPublicKey []byte
	// SSHCAHostPublicKey is the public key of the SSH host CA (same caveat).
	SSHCAHostPublicKey []byte
	// DNSNames are the DNS names the authority is configured to serve under.
	DNSNames []string
}
Info contains information about the authority.
type Meter ¶
// Meter wraps the set of defined callbacks for metrics gatherers. Each method
// receives the provisioner involved (where there is one) and the error
// outcome of the operation. NOTE(review): these callbacks fire on the signing
// path, so implementations should be non-blocking and must not panic.
type Meter interface {
	// X509Signed is called whenever an X509 certificate is signed.
	X509Signed(provisioner.Interface, error)
	// X509Renewed is called whenever an X509 certificate is renewed.
	X509Renewed(provisioner.Interface, error)
	// X509Rekeyed is called whenever an X509 certificate is rekeyed.
	X509Rekeyed(provisioner.Interface, error)
	// X509WebhookAuthorized is called whenever an X509 authorizing webhook is called.
	X509WebhookAuthorized(provisioner.Interface, error)
	// X509WebhookEnriched is called whenever an X509 enriching webhook is called.
	X509WebhookEnriched(provisioner.Interface, error)
	// SSHSigned is called whenever an SSH certificate is signed.
	SSHSigned(provisioner.Interface, error)
	// SSHRenewed is called whenever an SSH certificate is renewed.
	SSHRenewed(provisioner.Interface, error)
	// SSHRekeyed is called whenever an SSH certificate is rekeyed.
	SSHRekeyed(provisioner.Interface, error)
	// SSHWebhookAuthorized is called whenever an SSH authorizing webhook is called.
	SSHWebhookAuthorized(provisioner.Interface, error)
	// SSHWebhookEnriched is called whenever an SSH enriching webhook is called.
	SSHWebhookEnriched(provisioner.Interface, error)
	// KMSSigned is called once per signature produced by the KMS signer.
	KMSSigned(error)
}
Meter wraps the set of defined callbacks for metrics gatherers.
type Option ¶
Option sets options to the Authority.
func WithAdminDB ¶
WithAdminDB is an option to set the database backing the admin APIs.
func WithAuthorizeRenewFunc ¶
func WithAuthorizeRenewFunc(fn func(ctx context.Context, p *provisioner.Controller, cert *x509.Certificate) error) Option
WithAuthorizeRenewFunc sets a custom function that authorizes the renewal of an X.509 certificate.
func WithAuthorizeSSHRenewFunc ¶
func WithAuthorizeSSHRenewFunc(fn func(ctx context.Context, p *provisioner.Controller, cert *ssh.Certificate) error) Option
WithAuthorizeSSHRenewFunc sets a custom function that authorizes the renewal of an SSH certificate.
func WithConfig ¶
WithConfig replaces the current config with the given one. No validation is performed on the given value; the caller is responsible for validating the configuration before passing it in.
func WithConfigFile ¶
WithConfigFile reads the given filename as a configuration file and replaces the current one. No validation is performed on the loaded configuration; the caller is responsible for validating it.
func WithDatabase ¶
WithDatabase sets an already initialized authority database on a new authority. This option is intended to be used on graceful reloads.
func WithFullSCEPOptions ¶
WithFullSCEPOptions defines the options used for SCEP support.
This feature is EXPERIMENTAL and might change at any time.
func WithGetIdentityFunc ¶
func WithGetIdentityFunc(fn func(ctx context.Context, p provisioner.Interface, email string) (*provisioner.Identity, error)) Option
WithGetIdentityFunc sets a custom function to retrieve the identity from an external resource.
func WithIssuerPassword ¶
WithIssuerPassword sets the password used to decrypt the certificate issuer private key used in RA mode.
func WithKeyManager ¶
func WithKeyManager(k kms.KeyManager) Option
WithKeyManager defines the key manager used to get and create keys, and sign certificates.
func WithLinkedCAToken ¶
WithLinkedCAToken is an option to set the authentication token used to enable Linked CA mode. The token is a credential and should be handled as a secret.
func WithPassword ¶
WithPassword sets the password used to decrypt the intermediate key, and also the SSH host and user keys unless those are overridden by WithSSHHostPassword / WithSSHUserPassword.
func WithProvisioners
deprecated
func WithProvisioners(ps *provisioner.Collection) Option
WithProvisioners is an option to set the provisioner collection.
Deprecated: provisioner collections will likely change
func WithQuietInit ¶
func WithQuietInit() Option
WithQuietInit disables log output when the authority is initialized.
func WithSCEPKeyManager ¶
func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option
WithSCEPKeyManager defines the key manager used on SCEP provisioners.
This feature is EXPERIMENTAL and might change at any time.
func WithSSHBastionFunc ¶
func WithSSHBastionFunc(fn func(ctx context.Context, user, host string) (*config.Bastion, error)) Option
WithSSHBastionFunc sets a custom function to get the bastion for a given user-host pair.
func WithSSHCheckHost ¶
func WithSSHCheckHost(fn func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)) Option
WithSSHCheckHost sets a custom function to check whether a given host is step ssh enabled. The token is used to validate the request, while the roots are used to validate the token.
func WithSSHGetHosts ¶
func WithSSHGetHosts(fn func(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)) Option
WithSSHGetHosts sets a custom function to return a list of step ssh enabled hosts.
func WithSSHHostPassword ¶
WithSSHHostPassword sets the password used to decrypt the key that signs SSH host certificates.
func WithSSHHostSigner ¶
WithSSHHostSigner defines the signer used to sign SSH host certificates.
func WithSSHUserPassword ¶
WithSSHUserPassword sets the password used to decrypt the key that signs SSH user certificates.
func WithSSHUserSigner ¶
WithSSHUserSigner defines the signer used to sign SSH user certificates.
func WithSkipInit ¶
func WithSkipInit() Option
WithSkipInit is an option that allows the constructor to skip initialization of the authority.
func WithWebhookClient ¶
WithWebhookClient sets the http.Client used for outbound webhook requests. Since webhooks are invoked during certificate authorization and enrichment (see Meter), the client should carry a timeout so that a slow or unreachable endpoint cannot stall issuance indefinitely.
func WithX509CAService ¶
func WithX509CAService(svc casapi.CertificateAuthorityService) Option
WithX509CAService allows the consumer to provide an external implementation of apiv1.CertificateAuthorityService.
func WithX509Enforcers ¶
func WithX509Enforcers(ces ...provisioner.CertificateEnforcer) Option
WithX509Enforcers is an option that allows defining custom certificate modifiers that are applied just before the certificate is signed.
func WithX509FederatedBundle ¶
WithX509FederatedBundle is an option that allows defining the list of federated certificates from a PEM bundle. This option replaces any federated certificate defined before.
func WithX509FederatedCerts ¶
func WithX509FederatedCerts(certs ...*x509.Certificate) Option
WithX509FederatedCerts is an option that allows defining the list of federated certificates. This option replaces any federated certificate defined before.
func WithX509IntermediateCerts ¶
func WithX509IntermediateCerts(intermediateCerts ...*x509.Certificate) Option
WithX509IntermediateCerts is an option that allows defining the list of intermediate certificates that the CA will be using. This option replaces any intermediate certificate defined before.
Note that these certificates will not be bundled with the certificates signed by the CA, because the CAS service takes care of that. They should match the chain the CAS actually signs with, but that is not guaranteed. These certificates are mainly used for name constraint validation before a certificate is issued — so if they diverge from the real signing chain, the name constraints checked here are not the ones relying parties will enforce; keep the two in sync.
This option should only be used in specific configurations, for example when WithX509SignerFunc is used, as the list of intermediates is not known in advance.
func WithX509RootBundle ¶
WithX509RootBundle is an option that allows defining the list of root certificates from a PEM bundle. This option replaces any root certificate defined before.
func WithX509RootCerts ¶
func WithX509RootCerts(rootCerts ...*x509.Certificate) Option
WithX509RootCerts is an option that allows defining the list of root certificates to use. This option replaces any root certificate defined before.
func WithX509Signer ¶
func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option
WithX509Signer defines the signer used to sign X509 certificates.
func WithX509SignerChain ¶
func WithX509SignerChain(issuerChain []*x509.Certificate, s crypto.Signer) Option
WithX509SignerChain defines the signer used to sign X509 certificates. This option is similar to WithX509Signer but it supports a chain of intermediates.
func WithX509SignerFunc ¶
WithX509SignerFunc defines the function used to get the chain of certificates and signer used when we sign X.509 certificates.
type PolicyError ¶
// PolicyError is the error returned when an authority policy operation fails.
type PolicyError struct {
	// Typ classifies the failure using the policyErrorType constants
	// (AdminLockOut, StoreFailure, ReloadFailure, ...).
	Typ policyErrorType
	// Err is the underlying error.
	Err error
}
func (*PolicyError) Error ¶
func (p *PolicyError) Error() string
type RevokeOptions ¶
// RevokeOptions are the options for the Revoke API. Field meanings below are
// inferred from the field names and the Revoke documentation — confirm
// against the handler before relying on them.
type RevokeOptions struct {
	// Serial is the serial number of the certificate to revoke (the same value
	// later consulted by IsRevoked).
	Serial string
	// Reason is a human-readable reason for the revocation.
	Reason string
	// ReasonCode is presumably the RFC 5280 CRLReason code.
	ReasonCode int
	// PassiveOnly requests passive revocation only (block renewal; see Revoke).
	PassiveOnly bool
	// MTLS indicates the request was authenticated by mutual TLS, presumably
	// with Crt as the presented client certificate.
	MTLS bool
	// ACME indicates the revocation originates from the ACME flow.
	ACME bool
	// Crt is the certificate presented by the caller, when any.
	Crt *x509.Certificate
	// OTT is the one-time token authorizing the revocation, when any.
	OTT string
}
RevokeOptions are the options for the Revoke API.
type SSHPublicKey ¶
type SSHPublicKey = config.SSHPublicKey
SSHPublicKey is an alias to support older APIs.