Index ¶
- func CRL(w http.ResponseWriter, r *http.Request)
- func Federation(w http.ResponseWriter, r *http.Request)
- func Health(w http.ResponseWriter, _ *http.Request)
- func LogCertificate(w http.ResponseWriter, cert *x509.Certificate)
- func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate)
- func ParseCursor(r *http.Request) (cursor string, limit int, err error)
- func ProvisionerKey(w http.ResponseWriter, r *http.Request)
- func Provisioners(w http.ResponseWriter, r *http.Request)
- func Rekey(w http.ResponseWriter, r *http.Request)
- func Renew(w http.ResponseWriter, r *http.Request)
- func Revoke(w http.ResponseWriter, r *http.Request)
- func Root(w http.ResponseWriter, r *http.Request)
- func Roots(w http.ResponseWriter, r *http.Request)
- func RootsPEM(w http.ResponseWriter, r *http.Request)
- func Route(r Router)
- func SSHBastion(w http.ResponseWriter, r *http.Request)
- func SSHCheckHost(w http.ResponseWriter, r *http.Request)
- func SSHConfig(w http.ResponseWriter, r *http.Request)
- func SSHFederation(w http.ResponseWriter, r *http.Request)
- func SSHGetHosts(w http.ResponseWriter, r *http.Request)
- func SSHRekey(w http.ResponseWriter, r *http.Request)
- func SSHRenew(w http.ResponseWriter, r *http.Request)
- func SSHRevoke(w http.ResponseWriter, r *http.Request)
- func SSHRoots(w http.ResponseWriter, r *http.Request)
- func SSHSign(w http.ResponseWriter, r *http.Request)
- func Sign(w http.ResponseWriter, r *http.Request)
- func Version(w http.ResponseWriter, r *http.Request)
- type Authority
- type Certificate
- type CertificateRequest
- type FederationResponse
- type HealthResponse
- type ProvisionerKeyResponse
- type ProvisionersResponse
- type RekeyRequest
- type RevokeRequest
- type RevokeResponse
- type RootResponse
- type RootsResponse
- type Router
- type RouterHandler
- func New(Authority) RouterHandler (deprecated)
- type SSHAuthority
- type SSHBastionRequest
- type SSHBastionResponse
- type SSHCertificate
- type SSHCheckPrincipalRequest
- type SSHCheckPrincipalResponse
- type SSHConfigRequest
- type SSHConfigResponse
- type SSHGetHostsResponse
- type SSHPublicKey
- type SSHRekeyRequest
- type SSHRekeyResponse
- type SSHRenewRequest
- type SSHRenewResponse
- type SSHRevokeRequest
- type SSHRevokeResponse
- type SSHRootsResponse
- type SSHSignRequest
- type SSHSignResponse
- type SignRequest
- type SignResponse
- type Template
- type TimeDuration
- type VersionResponse
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CRL ¶
func CRL(w http.ResponseWriter, r *http.Request)
CRL is an HTTP handler that returns the current CRL in DER or PEM format
func Federation ¶
func Federation(w http.ResponseWriter, r *http.Request)
Federation returns all the public certificates in the federation.
func Health ¶
func Health(w http.ResponseWriter, _ *http.Request)
Health is an HTTP handler that returns the status of the server.
func LogCertificate ¶
func LogCertificate(w http.ResponseWriter, cert *x509.Certificate)
LogCertificate adds certificate fields to the log message.
func LogSSHCertificate ¶
func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate)
LogSSHCertificate adds SSH certificate fields to the log message.
func ParseCursor ¶
func ParseCursor(r *http.Request) (cursor string, limit int, err error)
ParseCursor parses the pagination cursor and page limit from the request query parameters. Both values originate from the client and are passed on to Authority.GetProvisioners.
func ProvisionerKey ¶
func ProvisionerKey(w http.ResponseWriter, r *http.Request)
ProvisionerKey returns the encrypted key of a provisioner, looked up by its key ID (kid). The key is returned exactly as Authority.GetEncryptedKey yields it, i.e. still encrypted; nothing on this page shows the CA decrypting it on behalf of the caller.
func Provisioners ¶
func Provisioners(w http.ResponseWriter, r *http.Request)
Provisioners returns the (paginated) list of provisioners configured in the authority. The response is serialized through ProvisionersResponse.MarshalJSON, which redacts the SCEP challenge secret; any provisioner type that carries a secret needs the same treatment before it is exposed here.
func Rekey ¶
func Rekey(w http.ResponseWriter, r *http.Request)
Rekey is similar to Renew except that the new certificate is issued for the public key carried in the CSR of the request body. Per Authority.Rekey, only that public key is taken from the request; the identity being renewed still comes from the peer certificate on the TLS connection.
func Renew ¶
func Renew(w http.ResponseWriter, r *http.Request)
Renew uses the information in the client certificate presented on the TLS connection (the peer certificate, see Authority.Renew) to create a new one. Authority also exposes AuthorizeRenewToken, so a token-based renewal path may exist as well; this handler's documentation does not say.
func Revoke ¶
func Revoke(w http.ResponseWriter, r *http.Request)
Revoke supports a handful of different methods that revoke a certificate; the request body is a RevokeRequest, whose OTT field carries the one-time token that authorizes the revocation when present.
NOTE: currently only passive revocation is supported, i.e. the CA records the serial as revoked and will refuse to renew it, but relying parties that do not consult the CRL keep accepting the certificate until it expires.
TODO: a CRL endpoint now exists in this package (see CRL and Authority.GetCertificateRevocationList); OCSP support is still outstanding.
func Root ¶
func Root(w http.ResponseWriter, r *http.Request)
Root is an HTTP handler that, using the SHA256 fingerprint taken from the URL, returns the root certificate matching that fingerprint. The fingerprint is what authenticates the root during bootstrap, so a client must obtain it out-of-band and must not accept one advertised by the server it is bootstrapping against.
func Roots ¶
func Roots(w http.ResponseWriter, r *http.Request)
Roots returns all the root certificates for the CA.
func RootsPEM ¶
func RootsPEM(w http.ResponseWriter, r *http.Request)
RootsPEM returns all the root certificates for the CA in PEM format.
func SSHBastion ¶
func SSHBastion(w http.ResponseWriter, r *http.Request)
SSHBastion returns the bastion configured for the requested user and host, if any.
func SSHCheckHost ¶
func SSHCheckHost(w http.ResponseWriter, r *http.Request)
SSHCheckHost is the HTTP handler that returns whether a host certificate exists for the given principal (see SSHCheckPrincipalRequest).
func SSHConfig ¶
func SSHConfig(w http.ResponseWriter, r *http.Request)
SSHConfig is an HTTP handler that returns rendered templates for ssh clients and servers.
func SSHFederation ¶
func SSHFederation(w http.ResponseWriter, r *http.Request)
SSHFederation is an HTTP handler that returns the federated SSH public keys for user and host certificates.
func SSHGetHosts ¶
func SSHGetHosts(w http.ResponseWriter, r *http.Request)
SSHGetHosts is the HTTP handler that returns a list of valid SSH hosts. The backing SSHAuthority.GetSSHHosts takes an *x509.Certificate, which suggests the list is scoped to the caller's client certificate — confirm against the implementation.
func SSHRekey ¶
func SSHRekey(w http.ResponseWriter, r *http.Request)
SSHRekey is an HTTP handler that reads an SSHRekeyRequest with a one-time token (ott) from the body and creates a new SSH certificate for the public key supplied in the request.
func SSHRenew ¶
func SSHRenew(w http.ResponseWriter, r *http.Request)
SSHRenew is an HTTP handler that reads an SSHRenewRequest with a one-time token (ott) from the body and creates a new SSH certificate with the information in the request.
func SSHRevoke ¶
func SSHRevoke(w http.ResponseWriter, r *http.Request)
SSHRevoke supports a handful of different methods that revoke an SSH certificate; the request body is an SSHRevokeRequest.
NOTE: currently only passive revocation is supported (the CA records the serial and refuses to renew it; nothing is pushed to relying parties).
func SSHRoots ¶
func SSHRoots(w http.ResponseWriter, r *http.Request)
SSHRoots is an HTTP handler that returns the SSH public keys for user and host certificates.
func SSHSign ¶
func SSHSign(w http.ResponseWriter, r *http.Request)
SSHSign is an HTTP handler that reads an SSHSignRequest with a one-time token (ott) from the body and creates a new SSH certificate with the information in the request.
Types ¶
type Authority ¶
type Authority interface {
	SSHAuthority
	// Authorize validates a one-time token (ott) and returns the sign
	// options the provisioner derives from it; the context specifies the
	// Authorize[Sign|Revoke|etc.] method being performed.
	Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error)
	// AuthorizeRenewToken validates a renew token and returns the
	// certificate it refers to (presumably the one being renewed — confirm).
	AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error)
	GetTLSOptions() *config.TLSOptions
	// Root returns the root certificate whose SHA256 fingerprint is shasum
	// (see the Root handler).
	Root(shasum string) (*x509.Certificate, error)
	SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
	// Renew and RenewContext issue a new certificate based on peer, the
	// client certificate presented on the TLS connection (see the Renew
	// handler). RenewContext additionally takes the public key to certify.
	Renew(peer *x509.Certificate) ([]*x509.Certificate, error)
	RenewContext(ctx context.Context, peer *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
	// Rekey is a renewal for a caller-supplied public key: only pk is taken
	// from the request; the identity presumably derives from peer.
	Rekey(peer *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
	LoadProvisionerByCertificate(*x509.Certificate) (provisioner.Interface, error)
	LoadProvisionerByName(string) (provisioner.Interface, error)
	// GetProvisioners pages through the configured provisioners; cursor and
	// limit come from ParseCursor, i.e. from the client.
	GetProvisioners(cursor string, limit int) (provisioner.List, string, error)
	// Revoke marks a certificate revoked; only passive revocation is
	// currently supported (see the Revoke handler).
	Revoke(context.Context, *authority.RevokeOptions) error
	// GetEncryptedKey returns a provisioner's key, still encrypted, by key
	// id (see the ProvisionerKey handler).
	GetEncryptedKey(kid string) (string, error)
	GetRoots() ([]*x509.Certificate, error)
	GetFederation() ([]*x509.Certificate, error)
	Version() authority.Version
	// GetCertificateRevocationList backs the CRL handler.
	GetCertificateRevocationList() (*authority.CertificateRevocationListInfo, error)
}
Authority is the interface implemented by a CA authority.
type Certificate ¶
type Certificate struct {
*x509.Certificate
}
Certificate wraps a *x509.Certificate and adds the json.Marshaler and json.Unmarshaler interfaces (PEM in a quoted JSON string).
func NewCertificate ¶
func NewCertificate(cr *x509.Certificate) Certificate
NewCertificate is a helper method that returns a Certificate from a *x509.Certificate.
func (Certificate) MarshalJSON ¶
func (c Certificate) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface. The certificate is emitted as a quoted string using the PEM encoding.
func (*Certificate) UnmarshalJSON ¶
func (c *Certificate) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface. The certificate is expected to be a quoted string using the PEM encoding.
type CertificateRequest ¶
type CertificateRequest struct {
*x509.CertificateRequest
}
CertificateRequest wraps a *x509.CertificateRequest and adds the json.Marshaler and json.Unmarshaler interfaces (PEM in a quoted JSON string).
func NewCertificateRequest ¶
func NewCertificateRequest(cr *x509.CertificateRequest) CertificateRequest
NewCertificateRequest is a helper method that returns a CertificateRequest from a *x509.CertificateRequest.
func (CertificateRequest) MarshalJSON ¶
func (c CertificateRequest) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface. The certificate request is a quoted string using the PEM encoding.
func (*CertificateRequest) UnmarshalJSON ¶
func (c *CertificateRequest) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface. The certificate request is expected to be a quoted string using the PEM encoding.
type FederationResponse ¶
type FederationResponse struct {
Certificates []Certificate `json:"crts"`
}
FederationResponse is the response object of the federation request.
type HealthResponse ¶
type HealthResponse struct {
Status string `json:"status"`
}
HealthResponse is the response object that returns the health of the server.
type ProvisionerKeyResponse ¶
type ProvisionerKeyResponse struct {
Key string `json:"key"`
}
ProvisionerKeyResponse is the response object that returns the encrypted key of a provisioner.
type ProvisionersResponse ¶
type ProvisionersResponse struct {
	// Provisioners is the current page of provisioners. There are no json
	// tags on this struct because serialization is done by MarshalJSON,
	// which also redacts the SCEP challenge secret.
	Provisioners provisioner.List
	// NextCursor is the opaque cursor to send back to fetch the next page;
	// presumably empty on the last page — confirm.
	NextCursor string
}
ProvisionersResponse is the response object that returns the list of provisioners.
func (ProvisionersResponse) MarshalJSON ¶
func (p ProvisionersResponse) MarshalJSON() ([]byte, error)
MarshalJSON implements json.Marshaler. It marshals the ProvisionersResponse into a byte slice.
Special treatment is given to the SCEP provisioner, as it contains a challenge secret that MUST NOT be leaked in (public) HTTP responses. The challenge value is thus redacted in HTTP responses.
type RekeyRequest ¶
type RekeyRequest struct {
	// CsrPEM carries the CSR whose public key will be certified. Per
	// Authority.Rekey only the public key is used from it; the identity
	// presumably comes from the peer certificate on the TLS connection.
	CsrPEM CertificateRequest `json:"csr"`
}
RekeyRequest is the request body for a certificate rekey request.
func (*RekeyRequest) Validate ¶
func (s *RekeyRequest) Validate() error
Validate checks the fields of the RekeyRequest and returns nil if they are ok or an error if something is wrong.
type RevokeRequest ¶
type RevokeRequest struct {
	// Serial identifies the certificate to revoke.
	Serial string `json:"serial"`
	// OTT is the one-time token authorizing the revocation, if any. What
	// authorizes the request when it is empty is decided by Validate and
	// the handler — confirm.
	OTT string `json:"ott"`
	// ReasonCode is the numeric revocation reason (presumably an RFC 5280
	// CRLReason value — confirm); Reason is free text.
	ReasonCode int `json:"reasonCode"`
	Reason string `json:"reason"`
	// Passive requests passive revocation, currently the only supported
	// kind (see the Revoke handler).
	Passive bool `json:"passive"`
}
RevokeRequest is the request body for a revocation request.
func (*RevokeRequest) Validate ¶
func (r *RevokeRequest) Validate() (err error)
Validate checks the fields of the RevokeRequest and returns nil if they are ok or an error if something is wrong.
type RevokeResponse ¶
type RevokeResponse struct {
Status string `json:"status"`
}
RevokeResponse is the response object that returns the status of a revocation request.
type RootResponse ¶
type RootResponse struct {
RootPEM Certificate `json:"ca"`
}
RootResponse is the response object that returns the PEM of a root certificate.
type RootsResponse ¶
type RootsResponse struct {
Certificates []Certificate `json:"crts"`
}
RootsResponse is the response object of the roots request.
type Router ¶
type Router interface {
	// MethodFunc registers h for requests whose HTTP method is `method`
	// and whose path matches `pattern`.
	MethodFunc(method, pattern string, h http.HandlerFunc)
}
Router defines a common router interface.
type RouterHandler ¶
type RouterHandler interface {
Route(r Router)
}
RouterHandler is the interface that a HTTP handler that manages multiple endpoints will implement.
func New (deprecated) ¶
func New(Authority) RouterHandler
New creates a new RouterHandler with the CA endpoints.
Deprecated: Use api.Route(r Router)
type SSHAuthority ¶
type SSHAuthority interface {
	// SignSSH issues an SSH certificate for key, constrained by opts and
	// the provisioner sign options (see Authority.Authorize).
	SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
	// RenewSSH re-issues cert, presumably for its existing key (no key is
	// passed in).
	RenewSSH(ctx context.Context, cert *ssh.Certificate) (*ssh.Certificate, error)
	// RekeySSH re-issues cert for the new public key key.
	RekeySSH(ctx context.Context, cert *ssh.Certificate, key ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
	// SignSSHAddUser appears to back SSHSignRequest.AddUserPublicKey /
	// SSHSignResponse.AddUserCertificate — confirm.
	SignSSHAddUser(ctx context.Context, key ssh.PublicKey, cert *ssh.Certificate) (*ssh.Certificate, error)
	GetSSHRoots(ctx context.Context) (*config.SSHKeys, error)
	GetSSHFederation(ctx context.Context) (*config.SSHKeys, error)
	// GetSSHConfig renders the templates of type typ with caller-supplied
	// data (see the SSHConfig handler); data is untrusted input.
	GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error)
	// CheckSSHHost reports whether a host certificate exists for
	// principal; token is the optional SSHCheckPrincipalRequest.Token.
	CheckSSHHost(ctx context.Context, principal string, token string) (bool, error)
	// GetSSHHosts lists SSH hosts; it receives the caller's X.509
	// certificate, which suggests the result is scoped to it — confirm.
	GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)
	GetSSHBastion(ctx context.Context, user string, hostname string) (*config.Bastion, error)
}
SSHAuthority is the interface implemented by a SSH CA authority.
type SSHBastionRequest ¶
SSHBastionRequest is the request body used to get the bastion for a given host.
func (*SSHBastionRequest) Validate ¶
func (r *SSHBastionRequest) Validate() error
Validate checks the values of the SSHBastionRequest.
type SSHBastionResponse ¶
type SSHBastionResponse struct { Hostname string `json:"hostname"` Bastion *config.Bastion `json:"bastion,omitempty"` }
SSHBastionResponse is the response body used to return the bastion for a given host.
type SSHCertificate ¶
type SSHCertificate struct {
	// NOTE(review): the tag below has the shape `json:"omitempty"`, which
	// sets the JSON key name to "omitempty" rather than enabling the
	// omitempty option. It has no practical effect because this type
	// implements json.Marshaler/Unmarshaler itself (see MarshalJSON and
	// UnmarshalJSON), but it is misleading.
	*ssh.Certificate `json:"omitempty"`
}
SSHCertificate represents the response SSH certificate.
func (SSHCertificate) MarshalJSON ¶
func (c SSHCertificate) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface. Returns a quoted, base64 encoded, openssh wire format version of the certificate.
func (*SSHCertificate) UnmarshalJSON ¶
func (c *SSHCertificate) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface. The certificate is expected to be a quoted, base64 encoded, openssh wire formatted block of bytes.
type SSHCheckPrincipalRequest ¶
type SSHCheckPrincipalRequest struct {
	// Type is the certificate type; only host certificates are currently
	// supported.
	Type string `json:"type"`
	// Principal is the host principal whose certificate is looked up.
	Principal string `json:"principal"`
	// Token is an optional credential forwarded to
	// SSHAuthority.CheckSSHHost. Without some credential this endpoint
	// would let anyone enumerate which hosts have certificates — confirm
	// how the implementation treats an empty token.
	Token string `json:"token,omitempty"`
}
SSHCheckPrincipalRequest is the request body used to check whether a certificate has been created for a principal. Right now it is only supported for host certificates.
func (*SSHCheckPrincipalRequest) Validate ¶
func (r *SSHCheckPrincipalRequest) Validate() error
Validate checks the check principal request.
type SSHCheckPrincipalResponse ¶
type SSHCheckPrincipalResponse struct {
Exists bool `json:"exists"`
}
SSHCheckPrincipalResponse is the response body used to check if a principal exists.
type SSHConfigRequest ¶
SSHConfigRequest is the request body used to get the SSH configuration templates.
func (*SSHConfigRequest) Validate ¶
func (r *SSHConfigRequest) Validate() error
Validate checks the values of the SSHConfigRequest.
type SSHConfigResponse ¶
type SSHConfigResponse struct { UserTemplates []Template `json:"userTemplates,omitempty"` HostTemplates []Template `json:"hostTemplates,omitempty"` }
SSHConfigResponse is the response that returns the rendered templates.
type SSHGetHostsResponse ¶
SSHGetHostsResponse is the response object that returns the list of valid hosts for SSH.
type SSHPublicKey ¶
SSHPublicKey represents a public key in a response object.
func (*SSHPublicKey) MarshalJSON ¶
func (p *SSHPublicKey) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface. Returns a quoted, base64 encoded, openssh wire format version of the public key.
func (*SSHPublicKey) UnmarshalJSON ¶
func (p *SSHPublicKey) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface. The public key is expected to be a quoted, base64 encoded, openssh wire formatted block of bytes.
type SSHRekeyRequest ¶
type SSHRekeyRequest struct {
	// OTT is the one-time token authorizing the rekey.
	OTT string `json:"ott"`
	// PublicKey is the new public key to certify; as a []byte it is
	// base64 encoded in JSON.
	PublicKey []byte `json:"publicKey"`
}
SSHRekeyRequest is the request body of an SSH certificate rekey request.
func (*SSHRekeyRequest) Validate ¶
func (s *SSHRekeyRequest) Validate() error
Validate validates the SSHRekeyRequest.
type SSHRekeyResponse ¶
type SSHRekeyResponse struct { Certificate SSHCertificate `json:"crt"` IdentityCertificate []Certificate `json:"identityCrt,omitempty"` }
SSHRekeyResponse is the response object that returns the SSH certificate.
type SSHRenewRequest ¶
type SSHRenewRequest struct {
OTT string `json:"ott"`
}
SSHRenewRequest is the request body of an SSH certificate renew request.
func (*SSHRenewRequest) Validate ¶
func (s *SSHRenewRequest) Validate() error
Validate validates the SSHRenewRequest.
type SSHRenewResponse ¶
type SSHRenewResponse struct { Certificate SSHCertificate `json:"crt"` IdentityCertificate []Certificate `json:"identityCrt,omitempty"` }
SSHRenewResponse is the response object that returns the SSH certificate.
type SSHRevokeRequest ¶
type SSHRevokeRequest struct {
	// Serial identifies the SSH certificate to revoke.
	Serial string `json:"serial"`
	// OTT is the one-time token authorizing the revocation, if any. What
	// authorizes the request when it is empty is decided by Validate and
	// the handler — confirm.
	OTT string `json:"ott"`
	// ReasonCode is the numeric revocation reason; Reason is free text.
	ReasonCode int `json:"reasonCode"`
	Reason string `json:"reason"`
	// Passive requests passive revocation, currently the only supported
	// kind (see the SSHRevoke handler).
	Passive bool `json:"passive"`
}
SSHRevokeRequest is the request body for a revocation request.
func (*SSHRevokeRequest) Validate ¶
func (r *SSHRevokeRequest) Validate() (err error)
Validate checks the fields of the SSHRevokeRequest and returns nil if they are ok or an error if something is wrong.
type SSHRevokeResponse ¶
type SSHRevokeResponse struct {
Status string `json:"status"`
}
SSHRevokeResponse is the response object that returns the status of an SSH revocation request.
type SSHRootsResponse ¶
type SSHRootsResponse struct { UserKeys []SSHPublicKey `json:"userKey,omitempty"` HostKeys []SSHPublicKey `json:"hostKey,omitempty"` }
SSHRootsResponse represents the response object that returns the SSH user and host keys.
type SSHSignRequest ¶
type SSHSignRequest struct {
	// PublicKey is the key to certify; as a []byte it is base64 encoded
	// in JSON.
	PublicKey []byte `json:"publicKey"`
	// OTT is the one-time token that authorizes the request.
	OTT string `json:"ott"`
	// CertType, KeyID, Principals, ValidAfter and ValidBefore are the
	// requested certificate attributes. Whether a requested value is
	// honored is decided by the sign options the provisioner returns
	// from Authority.Authorize, not by this struct — confirm.
	CertType string `json:"certType,omitempty"`
	KeyID string `json:"keyID,omitempty"`
	Principals []string `json:"principals,omitempty"`
	ValidAfter TimeDuration `json:"validAfter,omitempty"`
	ValidBefore TimeDuration `json:"validBefore,omitempty"`
	// AddUserPublicKey, when set, requests an additional add-user
	// certificate (returned in SSHSignResponse.AddUserCertificate).
	AddUserPublicKey []byte `json:"addUserPublicKey,omitempty"`
	// IdentityCSR, when set, requests an X.509 identity certificate
	// (returned in SSHSignResponse.IdentityCertificate).
	IdentityCSR CertificateRequest `json:"identityCSR,omitempty"`
	// TemplateData is caller-supplied, unparsed JSON handed to the
	// certificate template; treat it as untrusted input. How the template
	// constrains it is outside this package.
	TemplateData json.RawMessage `json:"templateData,omitempty"`
}
SSHSignRequest is the request body of an SSH certificate request.
func (*SSHSignRequest) Validate ¶
func (s *SSHSignRequest) Validate() error
Validate validates the SSHSignRequest.
type SSHSignResponse ¶
type SSHSignResponse struct { Certificate SSHCertificate `json:"crt"` AddUserCertificate *SSHCertificate `json:"addUserCrt,omitempty"` IdentityCertificate []Certificate `json:"identityCrt,omitempty"` }
SSHSignResponse is the response object that returns the SSH certificate.
type SignRequest ¶
type SignRequest struct {
	// CsrPEM is the certificate request to sign, PEM in a quoted JSON
	// string.
	CsrPEM CertificateRequest `json:"csr"`
	// OTT is the one-time token that authorizes the request; the sign
	// options come from Authority.Authorize on it.
	OTT string `json:"ott"`
	// NotAfter and NotBefore request the validity window, as an RFC 3339
	// time or a duration (see ParseTimeDuration). Whether a provisioner
	// caps the requested window is decided elsewhere — confirm.
	NotAfter TimeDuration `json:"notAfter,omitempty"`
	NotBefore TimeDuration `json:"notBefore,omitempty"`
	// TemplateData is caller-supplied, unparsed JSON handed to the
	// certificate template; treat it as untrusted input. How the template
	// constrains it is outside this package.
	TemplateData json.RawMessage `json:"templateData,omitempty"`
}
SignRequest is the request body for a certificate signature request.
func (*SignRequest) Validate ¶
func (s *SignRequest) Validate() error
Validate checks the fields of the SignRequest and returns nil if they are ok or an error if something is wrong.
type SignResponse ¶
type SignResponse struct {
	// ServerPEM is the newly issued certificate (JSON key "crt").
	ServerPEM Certificate `json:"crt"`
	// CaPEM is the issuing CA certificate (JSON key "ca"); whether this is
	// the intermediate or the root is not stated here — confirm.
	CaPEM Certificate `json:"ca"`
	// CertChainPEM is the certificate chain for the issued certificate.
	CertChainPEM []Certificate `json:"certChain"`
	// TLSOptions are the server's TLS settings handed to the client, when
	// configured (see Authority.GetTLSOptions).
	TLSOptions *config.TLSOptions `json:"tlsOptions,omitempty"`
	// TLS carries the connection state for internal use (e.g. logging) and
	// is never serialized (json:"-").
	TLS *tls.ConnectionState `json:"-"`
}
SignResponse is the response object of the certificate signature request.
type TimeDuration ¶
type TimeDuration = provisioner.TimeDuration
TimeDuration is an alias of provisioner.TimeDuration
func NewTimeDuration ¶
func NewTimeDuration(t time.Time) TimeDuration
NewTimeDuration returns a TimeDuration with the defined time.
func ParseTimeDuration ¶
func ParseTimeDuration(s string) (TimeDuration, error)
ParseTimeDuration returns a new TimeDuration parsing the RFC 3339 time or time.Duration string.
type VersionResponse ¶
type VersionResponse struct {
	Version string `json:"version"`
	// RequireClientAuthentication presumably tells clients that the server
	// requires a client certificate (mTLS) — confirm. Because of omitempty
	// the field is absent when false, so clients must treat a missing
	// field as false.
	RequireClientAuthentication bool `json:"requireClientAuthentication,omitempty"`
}
VersionResponse is the response object that returns the version of the server.
Directories ¶
Path | Synopsis
---|---
log | Package log implements API-related logging helpers.
read | Package read implements request object readers.
render | Package render implements functionality related to response rendering.