provisioner

package
v0.0.0-...-748217a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 20, 2024 License: Apache-2.0 Imports: 57 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// K8sSAName is the default name used for kubernetes service account provisioners.
	K8sSAName = "k8sSA-default"
	// K8sSAID is the default ID for kubernetes service account provisioners.
	K8sSAID = "k8ssa/" + K8sSAName
)
View Source 
const (
	// SSHUserCert is the string used to represent ssh.UserCert.
	SSHUserCert = "user"

	// SSHHostCert is the string used to represent ssh.HostCert.
	SSHHostCert = "host"
)
View Source 
const DefaultCertValidity = 24 * time.Hour

DefaultCertValidity is the default validity for a certificate if none is specified.

View Source 
const DefaultProvisionersLimit = 20

DefaultProvisionersLimit is the default limit for listing provisioners.

View Source 
const DefaultProvisionersMax = 100

DefaultProvisionersMax is the maximum limit for listing provisioners.

View Source 
const (
	// NebulaCertHeader is the token header that contains a Nebula certificate.
	NebulaCertHeader jose.HeaderKey = "nebula"
)

Variables

View Source 
var (
	// StepOIDRoot is the root OID for smallstep.
	StepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64}

	// StepOIDProvisioner is the OID for the provisioner extension.
	StepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(StepOIDRoot, 1)...)
)
View Source 
var (
	ErrSCEPChallengeInvalid   = errors.New("webhook server did not allow request")
	ErrSCEPNotificationFailed = errors.New("scep notification failed")
)
View Source 
var ErrAllowTokenReuse = stderrors.New("allow token reuse")

ErrAllowTokenReuse is an error that is returned by provisioners that allows the reuse of tokens.

This is, for example, returned by the Azure provisioner when DisableTrustOnFirstUse is set to true. Azure caches tokens for up to 24hr and has no mechanism for getting a different token - this can be an issue when rebooting a VM. In contrast, AWS and GCP have facilities for requesting a new token. Therefore, for the Azure provisioner we are enabling token reuse, with the understanding that we are not following security best practices

View Source 
var ErrWebhookDenied = errors.New("webhook server did not allow request")

Functions

func DefaultAuthorizeRenew 

func DefaultAuthorizeRenew(_ context.Context, p *Controller, cert *x509.Certificate) error

DefaultAuthorizeRenew is the default implementation of AuthorizeRenew. It will return an error if the provisioner has the renewal disabled, if the certificate is not yet valid or if the certificate is expired and renew after expiry is disabled.

func DefaultAuthorizeSSHRenew 

func DefaultAuthorizeSSHRenew(_ context.Context, p *Controller, cert *ssh.Certificate) error

DefaultAuthorizeSSHRenew is the default implementation of AuthorizeSSHRenew. It will return an error if the provisioner has the renewal disabled, if the certificate is not yet valid or if the certificate is expired and renew after expiry is disabled.

func ExtractSSHPOPCert 

func ExtractSSHPOPCert(token string) (*ssh.Certificate, *jose.JSONWebToken, error)

ExtractSSHPOPCert parses a JWT and extracts and loads the SSH Certificate in the sshpop header. If the header is missing, an error is returned.

func NewContextWithMethod 

func NewContextWithMethod(ctx context.Context, method Method) context.Context

NewContextWithMethod creates a new context from ctx and attaches method to it.

func NewContextWithToken 

func NewContextWithToken(ctx context.Context, token string) context.Context

NewContextWithToken creates a new context with the given token.

func SanitizeSSHUserPrincipal 

func SanitizeSSHUserPrincipal(email string) string

SanitizeSSHUserPrincipal grabs an email or a string with the format local@domain and returns a sanitized version of the local, valid to be used as a user name. If the email starts with a letter between a and z, the resulting string will match the regular expression `^[a-z][-a-z0-9_]*$`.

func SanitizeStringSlices 

func SanitizeStringSlices(original []string) []string

SanitizeStringSlices removes duplicated an empty strings.

func TokenFromContext 

func TokenFromContext(ctx context.Context) (string, bool)

TokenFromContext returns the token stored in the given context.

Types

type ACME 

type ACME struct {
	ID      string `json:"-"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	ForceCN bool   `json:"forceCN,omitempty"`
	// TermsOfService contains a URL pointing to the ACME server's
	// terms of service. Defaults to empty.
	TermsOfService string `json:"termsOfService,omitempty"`
	// Website contains an URL pointing to more information about
	// the ACME server. Defaults to empty.
	Website string `json:"website,omitempty"`
	// CaaIdentities is an array of hostnames that the ACME server
	// identifies itself with. These hostnames can be used by ACME
	// clients to determine the correct issuer domain name to use
	// when configuring CAA records. Defaults to empty array.
	CaaIdentities []string `json:"caaIdentities,omitempty"`
	// RequireEAB makes the provisioner require ACME EAB to be provided
	// by clients when creating a new Account. If set to true, the provided
	// EAB will be verified. If set to false and an EAB is provided, it is
	// not verified. Defaults to false.
	RequireEAB bool `json:"requireEAB,omitempty"`
	// Challenges contains the enabled challenges for this provisioner. If this
	// value is not set the default http-01, dns-01 and tls-alpn-01 challenges
	// will be enabled, device-attest-01 will be disabled.
	Challenges []ACMEChallenge `json:"challenges,omitempty"`
	// AttestationFormats contains the enabled attestation formats for this
	// provisioner. If this value is not set the default apple, step and tpm
	// will be used.
	AttestationFormats []ACMEAttestationFormat `json:"attestationFormats,omitempty"`
	// AttestationRoots contains a bundle of root certificates in PEM format
	// that will be used to verify the attestation certificates. If provided,
	// this bundle will be used even for well-known CAs like Apple and Yubico.
	AttestationRoots []byte   `json:"attestationRoots,omitempty"`
	Claims           *Claims  `json:"claims,omitempty"`
	Options          *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

ACME is the acme provisioner type, an entity that can authorize the ACME provisioning flow.

func (*ACME) AuthorizeOrderIdentifier 

func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdentifier) error

AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a certificate for an ACME Order Identifier.

func (*ACME) AuthorizeRenew 

func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check its revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (*ACME) AuthorizeRevoke 

func (p *ACME) AuthorizeRevoke(context.Context, string) error

AuthorizeRevoke is called just before the certificate is to be revoked by the CA. It can be used to authorize revocation of a certificate. With the ACME protocol, revocation authorization is specified and performed as part of the client/server interaction, so this is a no-op.

func (ACME) AuthorizeSSHRekey 

func (b ACME) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (ACME) AuthorizeSSHRenew 

func (b ACME) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (ACME) AuthorizeSSHRevoke 

func (b ACME) AuthorizeSSHRevoke(context.Context, string) error

AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (ACME) AuthorizeSSHSign 

func (b ACME) AuthorizeSSHSign(context.Context, string) ([]SignOption, error)

AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing SSH Certificates.

func (*ACME) AuthorizeSign 

func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error)

AuthorizeSign does not do any validation, because all validation is handled in the ACME protocol. This method returns a list of modifiers / constraints on the resulting certificate.

func (*ACME) DefaultTLSCertDuration 

func (p *ACME) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration returns the default TLS cert duration enforced by the provisioner.

func (*ACME) GetAttestationRoots 

func (p *ACME) GetAttestationRoots() (*x509.CertPool, bool)

GetAttestationRoots returns certificate pool with the configured attestation roots and reports if the pool contains at least one certificate.

TODO(hs): we may not want to expose the root pool like this; call into an interface function instead to authorize?

func (*ACME) GetEncryptedKey 

func (p *ACME) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (ACME) GetID 

func (p ACME) GetID() string

GetID returns the provisioner unique identifier.

func (*ACME) GetIDForToken 

func (p *ACME) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*ACME) GetName 

func (p *ACME) GetName() string

GetName returns the name of the provisioner.

func (*ACME) GetOptions 

func (p *ACME) GetOptions() *Options

GetOptions returns the configured provisioner options.

func (*ACME) GetTokenID 

func (p *ACME) GetTokenID(string) (string, error)

GetTokenID returns the identifier of the token.

func (*ACME) GetType 

func (p *ACME) GetType() Type

GetType returns the type of provisioner.

func (*ACME) Init 

func (p *ACME) Init(config Config) (err error)

Init initializes and validates the fields of an ACME type.

func (*ACME) IsAttestationFormatEnabled 

func (p *ACME) IsAttestationFormatEnabled(_ context.Context, format ACMEAttestationFormat) bool

IsAttestationFormatEnabled checks if the given attestation format is enabled. By default apple, step and tpm are enabled, to disable any of them the AttestationFormat provisioner property should have at least one element.

func (*ACME) IsChallengeEnabled 

func (p *ACME) IsChallengeEnabled(_ context.Context, challenge ACMEChallenge) bool

IsChallengeEnabled checks if the given challenge is enabled. By default http-01, dns-01 and tls-alpn-01 are enabled, to disable any of them the Challenge provisioner property should have at least one element.

type ACMEAttestationFormat 

type ACMEAttestationFormat string

ACMEAttestationFormat represents the format used on a device-attest-01 challenge. 

const (
	// APPLE is the format used to enable device-attest-01 on Apple devices.
	APPLE ACMEAttestationFormat = "apple"

	// STEP is the format used to enable device-attest-01 on devices that
	// provide attestation certificates like the PIV interface on YubiKeys.
	//
	// TODO(mariano): should we rename this to something else.
	STEP ACMEAttestationFormat = "step"

	// TPM is the format used to enable device-attest-01 with TPMs.
	TPM ACMEAttestationFormat = "tpm"
)

func (ACMEAttestationFormat) String 

func (f ACMEAttestationFormat) String() string

String returns a normalized version of the attestation format.

func (ACMEAttestationFormat) Validate 

func (f ACMEAttestationFormat) Validate() error

Validate returns an error if the attestation format is not a valid one.

type ACMEChallenge 

type ACMEChallenge string

ACMEChallenge represents the supported acme challenges. 

const (
	// HTTP_01 is the http-01 ACME challenge.
	HTTP_01 ACMEChallenge = "http-01"
	// DNS_01 is the dns-01 ACME challenge.
	DNS_01 ACMEChallenge = "dns-01"
	// TLS_ALPN_01 is the tls-alpn-01 ACME challenge.
	TLS_ALPN_01 ACMEChallenge = "tls-alpn-01"
	// DEVICE_ATTEST_01 is the device-attest-01 ACME challenge.
	DEVICE_ATTEST_01 ACMEChallenge = "device-attest-01"
)

func (ACMEChallenge) String 

func (c ACMEChallenge) String() string

String returns a normalized version of the challenge.

func (ACMEChallenge) Validate 

func (c ACMEChallenge) Validate() error

Validate returns an error if the acme challenge is not a valid one.

type ACMEIdentifier 

type ACMEIdentifier struct {
	Type  ACMEIdentifierType
	Value string
}

ACMEIdentifier encodes ACME Order Identifiers

type ACMEIdentifierType 

type ACMEIdentifierType string

ACMEIdentifierType encodes ACME Identifier types 

const (
	// IP is the ACME ip identifier type
	IP ACMEIdentifierType = "ip"
	// DNS is the ACME dns identifier type
	DNS ACMEIdentifierType = "dns"
)

type AWS 

type AWS struct {
	ID                     string   `json:"-"`
	Type                   string   `json:"type"`
	Name                   string   `json:"name"`
	Accounts               []string `json:"accounts"`
	DisableCustomSANs      bool     `json:"disableCustomSANs"`
	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
	IMDSVersions           []string `json:"imdsVersions"`
	InstanceAge            Duration `json:"instanceAge,omitempty"`
	IIDRoots               string   `json:"iidRoots,omitempty"`
	Claims                 *Claims  `json:"claims,omitempty"`
	Options                *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

AWS is the provisioner that supports identity tokens created from the Amazon Web Services Instance Identity Documents.

If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

If InstanceAge is set, only the instances with a pendingTime within the given period will be accepted.

IIDRoots can be used to specify a path to the certificates used to verify the identity certificate signature.

Amazon Identity docs are available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html

func (*AWS) AuthorizeRenew 

func (p *AWS) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (AWS) AuthorizeRevoke 

func (b AWS) AuthorizeRevoke(context.Context, string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (AWS) AuthorizeSSHRekey 

func (b AWS) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (AWS) AuthorizeSSHRenew 

func (b AWS) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (AWS) AuthorizeSSHRevoke 

func (b AWS) AuthorizeSSHRevoke(context.Context, string) error

AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*AWS) AuthorizeSSHSign 

func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*AWS) AuthorizeSign 

func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.

func (*AWS) GetEncryptedKey 

func (p *AWS) GetEncryptedKey() (kid, key string, ok bool)

GetEncryptedKey is not available in an AWS provisioner.

func (*AWS) GetID 

func (p *AWS) GetID() string

GetID returns the provisioner unique identifier.

func (*AWS) GetIDForToken 

func (p *AWS) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*AWS) GetIdentityToken 

func (p *AWS) GetIdentityToken(subject, caURL string) (string, error)

GetIdentityToken retrieves the identity document and it's signature and generates a token with them.

func (*AWS) GetName 

func (p *AWS) GetName() string

GetName returns the name of the provisioner.

func (*AWS) GetTokenID 

func (p *AWS) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token.

func (*AWS) GetType 

func (p *AWS) GetType() Type

GetType returns the type of provisioner.

func (*AWS) Init 

func (p *AWS) Init(config Config) (err error)

Init validates and initializes the AWS provisioner.

type AttestationData 

type AttestationData struct {
	PermanentIdentifier string
}

AttestationData is a SignOption used to pass attestation information to the sign methods.

type Audiences 

type Audiences struct {
	Sign      []string
	Renew     []string
	Revoke    []string
	SSHSign   []string
	SSHRevoke []string
	SSHRenew  []string
	SSHRekey  []string
}

Audiences stores all supported audiences by request type.

func (Audiences) All 

func (a Audiences) All() (auds []string)

All returns all supported audiences across all request types in one list.

func (Audiences) WithFragment 

func (a Audiences) WithFragment(fragment string) Audiences

WithFragment returns a copy of audiences where the url audiences contains the given fragment.

type AuthorizeRenewFunc 

type AuthorizeRenewFunc func(ctx context.Context, p *Controller, cert *x509.Certificate) error

AuthorizeRenewFunc is a function that returns nil if the renewal of a certificate is enabled.

type AuthorizeSSHRenewFunc 

type AuthorizeSSHRenewFunc func(ctx context.Context, p *Controller, cert *ssh.Certificate) error

AuthorizeSSHRenewFunc is a function that returns nil if the renewal of the given SSH certificate is enabled.

type Azure 

type Azure struct {
	ID                     string   `json:"-"`
	Type                   string   `json:"type"`
	Name                   string   `json:"name"`
	TenantID               string   `json:"tenantID"`
	ResourceGroups         []string `json:"resourceGroups"`
	SubscriptionIDs        []string `json:"subscriptionIDs"`
	ObjectIDs              []string `json:"objectIDs"`
	Audience               string   `json:"audience,omitempty"`
	DisableCustomSANs      bool     `json:"disableCustomSANs"`
	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
	Claims                 *Claims  `json:"claims,omitempty"`
	Options                *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

Azure is the provisioner that supports identity tokens created from the Microsoft Azure Instance Metadata service.

The default audience is "https://management.azure.com/".

If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

Microsoft Azure identity docs are available at https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token and https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service

func (*Azure) AuthorizeRenew 

func (p *Azure) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (Azure) AuthorizeRevoke 

func (b Azure) AuthorizeRevoke(context.Context, string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (Azure) AuthorizeSSHRekey 

func (b Azure) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (Azure) AuthorizeSSHRenew 

func (b Azure) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (Azure) AuthorizeSSHRevoke 

func (b Azure) AuthorizeSSHRevoke(context.Context, string) error

AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*Azure) AuthorizeSSHSign 

func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*Azure) AuthorizeSign 

func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.

func (*Azure) GetEncryptedKey 

func (p *Azure) GetEncryptedKey() (kid, key string, ok bool)

GetEncryptedKey is not available in an Azure provisioner.

func (*Azure) GetID 

func (p *Azure) GetID() string

GetID returns the provisioner unique identifier.

func (*Azure) GetIDForToken 

func (p *Azure) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*Azure) GetIdentityToken 

func (p *Azure) GetIdentityToken(subject, caURL string) (string, error)

GetIdentityToken retrieves from the metadata service the identity token and returns it.

func (*Azure) GetName 

func (p *Azure) GetName() string

GetName returns the name of the provisioner.

func (*Azure) GetTokenID 

func (p *Azure) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token. The default value for Azure the SHA256 of "xms_mirid", but if DisableTrustOnFirstUse is set to true, then it will be the token kid.

func (*Azure) GetType 

func (p *Azure) GetType() Type

GetType returns the type of provisioner.

func (*Azure) Init 

func (p *Azure) Init(config Config) (err error)

Init validates and initializes the Azure provisioner.

type CertificateEnforcer 

type CertificateEnforcer interface {
	Enforce(cert *x509.Certificate) error
}

CertificateEnforcer is an interface used to modify a given X.509 certificate. Types implemented this interface will NOT be validated with a CertificateValidator.

type CertificateEnforcerFunc 

type CertificateEnforcerFunc func(cert *x509.Certificate) error

CertificateEnforcerFunc allows to create simple certificate enforcer just with a function.

func (CertificateEnforcerFunc) Enforce 

func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error

Enforce implements CertificateEnforcer and just calls the defined function.

type CertificateModifier 

type CertificateModifier interface {
	Modify(cert *x509.Certificate, opts SignOptions) error
}

CertificateModifier is an interface used to modify a given X.509 certificate. Types implementing this interface will be validated with a CertificateValidator.

type CertificateModifierFunc 

type CertificateModifierFunc func(cert *x509.Certificate, opts SignOptions) error

CertificateModifierFunc allows to create simple certificate modifiers just with a function.

func (CertificateModifierFunc) Modify 

func (fn CertificateModifierFunc) Modify(cert *x509.Certificate, opts SignOptions) error

Modify implements CertificateModifier and just calls the defined function.

type CertificateOptions 

type CertificateOptions interface {
	Options(SignOptions) []x509util.Option
}

CertificateOptions is an interface that returns a list of options passed when creating a new certificate.

func CustomTemplateOptions 

func CustomTemplateOptions(o *Options, data x509util.TemplateData, defaultTemplate string) (CertificateOptions, error)

CustomTemplateOptions generates a CertificateOptions with the template, data defined in the ProvisionerOptions, the provisioner generated data and the user data provided in the request. If no template has been provided in the ProvisionerOptions, the given template will be used.

func TemplateOptions 

func TemplateOptions(o *Options, data x509util.TemplateData) (CertificateOptions, error)

TemplateOptions generates a CertificateOptions with the template and data defined in the ProvisionerOptions, the provisioner generated data, and the user data provided in the request. If no template has been provided, x509util.DefaultLeafTemplate will be used.

type CertificateRequestValidator 

type CertificateRequestValidator interface {
	Valid(cr *x509.CertificateRequest) error
}

CertificateRequestValidator is an interface used to validate a given X.509 certificate request.

type CertificateValidator 

type CertificateValidator interface {
	Valid(cert *x509.Certificate, opts SignOptions) error
}

CertificateValidator is an interface used to validate a given X.509 certificate.

type Claimer 

type Claimer struct {
	// contains filtered or unexported fields
}

Claimer is the type that controls claims. It provides an interface around the current claim and the global one.

func NewClaimer 

func NewClaimer(claims *Claims, global Claims) (*Claimer, error)

NewClaimer initializes a new claimer with the given claims.

func (*Claimer) AllowRenewalAfterExpiry 

func (c *Claimer) AllowRenewalAfterExpiry() bool

AllowRenewalAfterExpiry returns if the renewal flow is authorized if the certificate is expired. If the property is not set within the provisioner then the global value from the authority configuration will be used.

func (*Claimer) Claims 

func (c *Claimer) Claims() Claims

Claims returns the merge of the inner and global claims.

func (*Claimer) DefaultHostSSHCertDuration 

func (c *Claimer) DefaultHostSSHCertDuration() time.Duration

DefaultHostSSHCertDuration returns the default SSH host cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*Claimer) DefaultSSHCertDuration 

func (c *Claimer) DefaultSSHCertDuration(certType uint32) (time.Duration, error)

DefaultSSHCertDuration returns the default SSH certificate duration for the given certificate type.

func (*Claimer) DefaultTLSCertDuration 

func (c *Claimer) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration returns the default TLS cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*Claimer) DefaultUserSSHCertDuration 

func (c *Claimer) DefaultUserSSHCertDuration() time.Duration

DefaultUserSSHCertDuration returns the default SSH user cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*Claimer) IsDisableRenewal 

func (c *Claimer) IsDisableRenewal() bool

IsDisableRenewal returns if the renewal flow is disabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.

func (*Claimer) IsDisableSmallstepExtensions 

func (c *Claimer) IsDisableSmallstepExtensions() bool

IsDisableSmallstepExtensions returns whether Smallstep extensions, such as the provisioner extension, should be excluded from the certificate.

func (*Claimer) IsSSHCAEnabled 

func (c *Claimer) IsSSHCAEnabled() bool

IsSSHCAEnabled returns if the SSH CA is enabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.

func (*Claimer) MaxHostSSHCertDuration 

func (c *Claimer) MaxHostSSHCertDuration() time.Duration

MaxHostSSHCertDuration returns the maximum SSH Host cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*Claimer) MaxTLSCertDuration 

func (c *Claimer) MaxTLSCertDuration() time.Duration

MaxTLSCertDuration returns the maximum TLS cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*Claimer) MaxUserSSHCertDuration 

func (c *Claimer) MaxUserSSHCertDuration() time.Duration

MaxUserSSHCertDuration returns the maximum SSH user cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*Claimer) MinHostSSHCertDuration 

func (c *Claimer) MinHostSSHCertDuration() time.Duration

MinHostSSHCertDuration returns the minimum SSH host cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*Claimer) MinTLSCertDuration 

func (c *Claimer) MinTLSCertDuration() time.Duration

MinTLSCertDuration returns the minimum TLS cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*Claimer) MinUserSSHCertDuration 

func (c *Claimer) MinUserSSHCertDuration() time.Duration

MinUserSSHCertDuration returns the minimum SSH user cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*Claimer) Validate 

func (c *Claimer) Validate() error

Validate validates and modifies the Claims with default values.

type Claims 

type Claims struct {
	// TLS CA properties
	MinTLSDur     *Duration `json:"minTLSCertDuration,omitempty"`
	MaxTLSDur     *Duration `json:"maxTLSCertDuration,omitempty"`
	DefaultTLSDur *Duration `json:"defaultTLSCertDuration,omitempty"`

	// SSH CA properties
	MinUserSSHDur     *Duration `json:"minUserSSHCertDuration,omitempty"`
	MaxUserSSHDur     *Duration `json:"maxUserSSHCertDuration,omitempty"`
	DefaultUserSSHDur *Duration `json:"defaultUserSSHCertDuration,omitempty"`
	MinHostSSHDur     *Duration `json:"minHostSSHCertDuration,omitempty"`
	MaxHostSSHDur     *Duration `json:"maxHostSSHCertDuration,omitempty"`
	DefaultHostSSHDur *Duration `json:"defaultHostSSHCertDuration,omitempty"`
	EnableSSHCA       *bool     `json:"enableSSHCA,omitempty"`

	// Renewal properties
	DisableRenewal          *bool `json:"disableRenewal,omitempty"`
	AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"`

	// Other properties
	DisableSmallstepExtensions *bool `json:"disableSmallstepExtensions,omitempty"`
}

Claims so that individual provisioners can override global claims.

type Collection 

type Collection struct {
	// contains filtered or unexported fields
}

Collection is a memory map of provisioners.

func NewCollection 

func NewCollection(audiences Audiences) *Collection

NewCollection initializes a collection of provisioners. The given list of audiences are the audiences used by the JWT provisioner.

func (*Collection) Find 

func (c *Collection) Find(cursor string, limit int) (List, string)

Find implements pagination on a list of sorted provisioners.

func (*Collection) Load 

func (c *Collection) Load(id string) (Interface, bool)

Load a provisioner by the ID.

func (*Collection) LoadByCertificate 

func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)

LoadByCertificate looks for the provisioner extension and extracts the proper id to load the provisioner.

func (*Collection) LoadByName 

func (c *Collection) LoadByName(name string) (Interface, bool)

LoadByName a provisioner by name.

func (*Collection) LoadByToken 

func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool)

LoadByToken parses the token claims and loads the provisioner associated.

func (*Collection) LoadByTokenID 

func (c *Collection) LoadByTokenID(tokenProvisionerID string) (Interface, bool)

LoadByTokenID a provisioner by identifier found in token. For different provisioner types this identifier may be found in in different attributes of the token.

func (*Collection) LoadEncryptedKey 

func (c *Collection) LoadEncryptedKey(keyID string) (string, bool)

LoadEncryptedKey returns an encrypted key by indexed by KeyID. At this moment only JWK encrypted keys are indexed by KeyID.

func (*Collection) Remove 

func (c *Collection) Remove(id string) error

Remove deletes an provisioner from all associated collections and lists.

func (*Collection) Store 

func (c *Collection) Store(p Interface) error

Store adds a provisioner to the collection and enforces the uniqueness of provisioner IDs.

func (*Collection) Update 

func (c *Collection) Update(nu Interface) error

Update updates the given provisioner in all related lists and collections.

type Config 

type Config struct {
	// Claims are the default claims.
	Claims Claims
	// Audiences are the audiences used in the default provisioner, (JWK).
	Audiences Audiences
	// SSHKeys are the root SSH public keys
	SSHKeys *SSHKeys
	// GetIdentityFunc is a function that returns an identity that will be
	// used by the provisioner to populate certificate attributes.
	GetIdentityFunc GetIdentityFunc
	// AuthorizeRenewFunc is a function that returns nil if a given X.509
	// certificate can be renewed.
	AuthorizeRenewFunc AuthorizeRenewFunc
	// AuthorizeSSHRenewFunc is a function that returns nil if a given SSH
	// certificate can be renewed.
	AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc
	// WebhookClient is an http client to use in webhook request
	WebhookClient *http.Client
	// SCEPKeyManager, if defined, is the interface used by SCEP provisioners.
	SCEPKeyManager SCEPKeyManager
}

Config defines the default parameters used in the initialization of provisioners.

type Controller 

type Controller struct {
	Interface
	Audiences             *Audiences
	Claimer               *Claimer
	IdentityFunc          GetIdentityFunc
	AuthorizeRenewFunc    AuthorizeRenewFunc
	AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc
	// contains filtered or unexported fields
}

Controller wraps a provisioner with other attributes useful in callback functions.

func NewController 

func NewController(p Interface, claims *Claims, config Config, options *Options) (*Controller, error)

NewController initializes a new provisioner controller.

func (*Controller) AuthorizeRenew 

func (c *Controller) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns nil if the given cert can be renewed, returns an error otherwise.

func (*Controller) AuthorizeSSHRenew 

func (c *Controller) AuthorizeSSHRenew(ctx context.Context, cert *ssh.Certificate) error

AuthorizeSSHRenew returns nil if the given cert can be renewed, returns an error otherwise.

func (*Controller) GetIdentity 

func (c *Controller) GetIdentity(ctx context.Context, email string) (*Identity, error)

GetIdentity returns the identity for a given email.

type Duration 

type Duration struct {
	time.Duration
}

Duration is a wrapper around Time.Duration to aid with marshal/unmarshal.

func NewDuration 

func NewDuration(s string) (*Duration, error)

NewDuration parses a duration string and returns a Duration type or an error if the given string is not a duration.

func (*Duration) MarshalJSON 

func (d *Duration) MarshalJSON() ([]byte, error)

MarshalJSON parses a duration string and sets it to the duration.

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

func (*Duration) UnmarshalJSON 

func (d *Duration) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON parses a duration string and sets it to the duration.

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

func (*Duration) Value 

func (d *Duration) Value() time.Duration

Value returns 0 if the duration is null, the inner duration otherwise.

type Extension 

type Extension struct {
	Type          Type
	Name          string
	CredentialID  string
	KeyValuePairs []string
}

Extension is the Go representation of the provisioner extension.

func GetProvisionerExtension 

func GetProvisionerExtension(cert *x509.Certificate) (*Extension, bool)

GetProvisionerExtension goes through all the certificate extensions and returns the provisioner extension (1.3.6.1.4.1.37476.9000.64.1).

func (*Extension) Marshal 

func (e *Extension) Marshal() ([]byte, error)

Marshal marshals the extension using encoding/asn1.

func (*Extension) ToExtension 

func (e *Extension) ToExtension() (pkix.Extension, error)

ToExtension returns the pkix.Extension representation of the provisioner extension.

type GCP 

type GCP struct {
	ID                     string   `json:"-"`
	Type                   string   `json:"type"`
	Name                   string   `json:"name"`
	ServiceAccounts        []string `json:"serviceAccounts"`
	ProjectIDs             []string `json:"projectIDs"`
	DisableCustomSANs      bool     `json:"disableCustomSANs"`
	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
	InstanceAge            Duration `json:"instanceAge,omitempty"`
	Claims                 *Claims  `json:"claims,omitempty"`
	Options                *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

GCP is the provisioner that supports identity tokens created by the Google Cloud Platform metadata API.

If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

If InstanceAge is set, only the instances with an instance_creation_timestamp within the given period will be accepted.

Google Identity docs are available at https://cloud.google.com/compute/docs/instances/verifying-instance-identity

func (*GCP) AuthorizeRenew 

func (p *GCP) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled.

func (GCP) AuthorizeRevoke 

func (b GCP) AuthorizeRevoke(context.Context, string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (GCP) AuthorizeSSHRekey 

func (b GCP) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (GCP) AuthorizeSSHRenew 

func (b GCP) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (GCP) AuthorizeSSHRevoke 

func (b GCP) AuthorizeSSHRevoke(context.Context, string) error

AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*GCP) AuthorizeSSHSign 

func (p *GCP) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*GCP) AuthorizeSign 

func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.

func (*GCP) GetEncryptedKey 

func (p *GCP) GetEncryptedKey() (kid, key string, ok bool)

GetEncryptedKey is not available in a GCP provisioner.

func (*GCP) GetID 

func (p *GCP) GetID() string

GetID returns the provisioner unique identifier. The name should uniquely identify any GCP provisioner.

func (*GCP) GetIDForToken 

func (p *GCP) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*GCP) GetIdentityToken 

func (p *GCP) GetIdentityToken(subject, caURL string) (string, error)

GetIdentityToken does an HTTP request to the identity url.

func (*GCP) GetIdentityURL 

func (p *GCP) GetIdentityURL(audience string) string

GetIdentityURL returns the url that generates the GCP token.

func (*GCP) GetName 

func (p *GCP) GetName() string

GetName returns the name of the provisioner.

func (*GCP) GetTokenID 

func (p *GCP) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token. The default value for GCP the SHA256 of "provisioner_id.instance_id", but if DisableTrustOnFirstUse is set to true, then it will be the SHA256 of the token.

func (*GCP) GetType 

func (p *GCP) GetType() Type

GetType returns the type of provisioner.

func (*GCP) Init 

func (p *GCP) Init(config Config) (err error)

Init validates and initializes the GCP provisioner.

type GetIdentityFunc 

type GetIdentityFunc func(ctx context.Context, p Interface, email string) (*Identity, error)

GetIdentityFunc is a function that returns an identity.

type Identity 

type Identity struct {
	Usernames   []string `json:"usernames"`
	Permissions `json:"permissions"`
}

Identity is the type representing an externally supplied identity that is used by provisioners to populate certificate fields.

func DefaultIdentityFunc 

func DefaultIdentityFunc(_ context.Context, p Interface, email string) (*Identity, error)

DefaultIdentityFunc return a default identity depending on the provisioner type. For OIDC email is always present and the usernames might contain empty strings.

type Interface 

type Interface interface {
	GetID() string
	GetIDForToken() string
	GetTokenID(token string) (string, error)
	GetName() string
	GetType() Type
	GetEncryptedKey() (kid string, key string, ok bool)
	Init(config Config) error
	AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
	AuthorizeRevoke(ctx context.Context, token string) error
	AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
	AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)
	AuthorizeSSHRevoke(ctx context.Context, token string) error
	AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)
	AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)
}

Interface is the interface that all provisioner types must implement.

type JWK 

type JWK struct {
	ID           string           `json:"-"`
	Type         string           `json:"type"`
	Name         string           `json:"name"`
	Key          *jose.JSONWebKey `json:"key"`
	EncryptedKey string           `json:"encryptedKey,omitempty"`
	Claims       *Claims          `json:"claims,omitempty"`
	Options      *Options         `json:"options,omitempty"`
	// contains filtered or unexported fields
}

JWK is the default provisioner, an entity that can sign tokens necessary for signature requests.

func (*JWK) AuthorizeRenew 

func (p *JWK) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (*JWK) AuthorizeRevoke 

func (p *JWK) AuthorizeRevoke(_ context.Context, token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.

func (JWK) AuthorizeSSHRekey 

func (b JWK) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (JWK) AuthorizeSSHRenew 

func (b JWK) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (*JWK) AuthorizeSSHRevoke 

func (p *JWK) AuthorizeSSHRevoke(_ context.Context, token string) error

AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.

func (*JWK) AuthorizeSSHSign 

func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*JWK) AuthorizeSign 

func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*JWK) GetEncryptedKey 

func (p *JWK) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (*JWK) GetID 

func (p *JWK) GetID() string

GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any JWK provisioner.

func (*JWK) GetIDForToken 

func (p *JWK) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*JWK) GetName 

func (p *JWK) GetName() string

GetName returns the name of the provisioner.

func (*JWK) GetTokenID 

func (p *JWK) GetTokenID(ott string) (string, error)

GetTokenID returns the identifier of the token.

func (*JWK) GetType 

func (p *JWK) GetType() Type

GetType returns the type of provisioner.

func (*JWK) Init 

func (p *JWK) Init(config Config) (err error)

Init initializes and validates the fields of a JWK type.

type K8sSA 

type K8sSA struct {
	ID      string   `json:"-"`
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	PubKeys []byte   `json:"publicKeys,omitempty"`
	Claims  *Claims  `json:"claims,omitempty"`
	Options *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

K8sSA represents a Kubernetes ServiceAccount provisioner; an entity trusted to make signature requests.

func (*K8sSA) AuthorizeRenew 

func (p *K8sSA) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled.

func (*K8sSA) AuthorizeRevoke 

func (p *K8sSA) AuthorizeRevoke(_ context.Context, token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.

func (K8sSA) AuthorizeSSHRekey 

func (b K8sSA) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (K8sSA) AuthorizeSSHRenew 

func (b K8sSA) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (K8sSA) AuthorizeSSHRevoke 

func (b K8sSA) AuthorizeSSHRevoke(context.Context, string) error

AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*K8sSA) AuthorizeSSHSign 

func (p *K8sSA) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign validates an request for an SSH certificate.

func (*K8sSA) AuthorizeSign 

func (p *K8sSA) AuthorizeSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*K8sSA) GetEncryptedKey 

func (p *K8sSA) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns false, because the kubernetes provisioner does not have access to the private key.

func (*K8sSA) GetID 

func (p *K8sSA) GetID() string

GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any K8sSA provisioner.

func (*K8sSA) GetIDForToken 

func (p *K8sSA) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*K8sSA) GetName 

func (p *K8sSA) GetName() string

GetName returns the name of the provisioner.

func (*K8sSA) GetTokenID 

func (p *K8sSA) GetTokenID(string) (string, error)

GetTokenID returns an unimplemented error and does not use the input ott.

func (*K8sSA) GetType 

func (p *K8sSA) GetType() Type

GetType returns the type of provisioner.

func (*K8sSA) Init 

func (p *K8sSA) Init(config Config) (err error)

Init initializes and validates the fields of a K8sSA type.

type List 

type List []Interface

List represents a list of provisioners.

func (*List) UnmarshalJSON 

func (l *List) UnmarshalJSON(data []byte) error

UnmarshalJSON implements json.Unmarshaler and allows to unmarshal a list of a interfaces into the right type.

type Method 

type Method int

Method indicates the action to action that we will perform, it's used as part of the context in the call to authorize. It defaults to Sing. 

const (
	// SignMethod is the method used to sign X.509 certificates.
	SignMethod Method = iota
	// SignIdentityMethod is the method used to sign X.509 identity certificates.
	SignIdentityMethod
	// RevokeMethod is the method used to revoke X.509 certificates.
	RevokeMethod
	// RenewMethod is the method used to renew X.509 certificates.
	RenewMethod
	// SSHSignMethod is the method used to sign SSH certificates.
	SSHSignMethod
	// SSHRenewMethod is the method used to renew SSH certificates.
	SSHRenewMethod
	// SSHRevokeMethod is the method used to revoke SSH certificates.
	SSHRevokeMethod
	// SSHRekeyMethod is the method used to rekey SSH certificates.
	SSHRekeyMethod
)

func MethodFromContext 

func MethodFromContext(ctx context.Context) Method

MethodFromContext returns the Method saved in ctx.

func (Method) String 

func (m Method) String() string

String returns a string representation of the context method.

type MockProvisioner 

type MockProvisioner struct {
	Mret1, Mret2, Mret3 interface{}
	Merr                error
	MgetID              func() string
	MgetIDForToken      func() string
	MgetTokenID         func(string) (string, error)
	MgetName            func() string
	MgetType            func() Type
	MgetEncryptedKey    func() (string, string, bool)
	Minit               func(Config) error
	MauthorizeSign      func(ctx context.Context, ott string) ([]SignOption, error)
	MauthorizeRenew     func(ctx context.Context, cert *x509.Certificate) error
	MauthorizeRevoke    func(ctx context.Context, ott string) error
	MauthorizeSSHSign   func(ctx context.Context, ott string) ([]SignOption, error)
	MauthorizeSSHRenew  func(ctx context.Context, ott string) (*ssh.Certificate, error)
	MauthorizeSSHRekey  func(ctx context.Context, ott string) (*ssh.Certificate, []SignOption, error)
	MauthorizeSSHRevoke func(ctx context.Context, ott string) error
}

MockProvisioner for testing

func (*MockProvisioner) AuthorizeRenew 

func (m *MockProvisioner) AuthorizeRenew(ctx context.Context, c *x509.Certificate) error

AuthorizeRenew mock

func (*MockProvisioner) AuthorizeRevoke 

func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, ott string) error

AuthorizeRevoke mock

func (*MockProvisioner) AuthorizeSSHRekey 

func (m *MockProvisioner) AuthorizeSSHRekey(ctx context.Context, ott string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey mock

func (*MockProvisioner) AuthorizeSSHRenew 

func (m *MockProvisioner) AuthorizeSSHRenew(ctx context.Context, ott string) (*ssh.Certificate, error)

AuthorizeSSHRenew mock

func (*MockProvisioner) AuthorizeSSHRevoke 

func (m *MockProvisioner) AuthorizeSSHRevoke(ctx context.Context, ott string) error

AuthorizeSSHRevoke mock

func (*MockProvisioner) AuthorizeSSHSign 

func (m *MockProvisioner) AuthorizeSSHSign(ctx context.Context, ott string) ([]SignOption, error)

AuthorizeSSHSign mock

func (*MockProvisioner) AuthorizeSign 

func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]SignOption, error)

AuthorizeSign mock

func (*MockProvisioner) GetEncryptedKey 

func (m *MockProvisioner) GetEncryptedKey() (string, string, bool)

GetEncryptedKey mock

func (*MockProvisioner) GetID 

func (m *MockProvisioner) GetID() string

GetID mock

func (*MockProvisioner) GetIDForToken 

func (m *MockProvisioner) GetIDForToken() string

GetIDForToken mock

func (*MockProvisioner) GetName 

func (m *MockProvisioner) GetName() string

GetName mock

func (*MockProvisioner) GetTokenID 

func (m *MockProvisioner) GetTokenID(token string) (string, error)

GetTokenID mock

func (*MockProvisioner) GetType 

func (m *MockProvisioner) GetType() Type

GetType mock

func (*MockProvisioner) Init 

func (m *MockProvisioner) Init(c Config) error

Init mock

type Nebula 

type Nebula struct {
	ID      string   `json:"-"`
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Roots   []byte   `json:"roots"`
	Claims  *Claims  `json:"claims,omitempty"`
	Options *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

Nebula is a provisioner that verifies tokens signed using Nebula private keys. The tokens contain a Nebula certificate in the header, which can be used to verify the token signature. The certificates are themselves verified using the Nebula CA certificates encoded in Roots. The verification process is similar to the process for X5C tokens.

Because Nebula "leaf" certificates use X25519 keys, the tokens are signed using XEd25519 defined at https://signal.org/docs/specifications/xeddsa/#xeddsa and implemented by go.step.sm/crypto/x25519.

func (*Nebula) AuthorizeRenew 

func (p *Nebula) AuthorizeRenew(ctx context.Context, crt *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled.

func (*Nebula) AuthorizeRevoke 

func (p *Nebula) AuthorizeRevoke(_ context.Context, token string) error

AuthorizeRevoke returns an error if the token is not valid.

func (*Nebula) AuthorizeSSHRekey 

func (p *Nebula) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unauthorized error.

func (*Nebula) AuthorizeSSHRenew 

func (p *Nebula) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unauthorized error.

func (*Nebula) AuthorizeSSHRevoke 

func (p *Nebula) AuthorizeSSHRevoke(_ context.Context, token string) error

AuthorizeSSHRevoke returns an error if SSH is disabled or the token is invalid.

func (*Nebula) AuthorizeSSHSign 

func (p *Nebula) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request. Currently the Nebula provisioner only grants host SSH certificates.

func (*Nebula) AuthorizeSign 

func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSign returns the list of SignOption for a Sign request.

func (*Nebula) GetEncryptedKey 

func (p *Nebula) GetEncryptedKey() (kid, key string, ok bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (*Nebula) GetID 

func (p *Nebula) GetID() string

GetID returns the provisioner id.

func (*Nebula) GetIDForToken 

func (p *Nebula) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*Nebula) GetName 

func (p *Nebula) GetName() string

GetName returns the name of the provisioner.

func (*Nebula) GetTokenID 

func (p *Nebula) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token.

func (*Nebula) GetType 

func (p *Nebula) GetType() Type

GetType returns the type of provisioner.

func (*Nebula) Init 

func (p *Nebula) Init(config Config) (err error)

Init verifies and initializes the Nebula provisioner.

type OIDC 

type OIDC struct {
	ID                    string   `json:"-"`
	Type                  string   `json:"type"`
	Name                  string   `json:"name"`
	ClientID              string   `json:"clientID"`
	ClientSecret          string   `json:"clientSecret"`
	ConfigurationEndpoint string   `json:"configurationEndpoint"`
	TenantID              string   `json:"tenantID,omitempty"`
	Admins                []string `json:"admins,omitempty"`
	Domains               []string `json:"domains,omitempty"`
	Groups                []string `json:"groups,omitempty"`
	ListenAddress         string   `json:"listenAddress,omitempty"`
	Claims                *Claims  `json:"claims,omitempty"`
	Options               *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

OIDC represents an OAuth 2.0 OpenID Connect provider.

ClientSecret is mandatory, but it can be an empty string.

func (*OIDC) AuthorizeRenew 

func (o *OIDC) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.

func (*OIDC) AuthorizeRevoke 

func (o *OIDC) AuthorizeRevoke(_ context.Context, token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property. Only tokens generated by an admin have the right to revoke a certificate.

func (OIDC) AuthorizeSSHRekey 

func (b OIDC) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (OIDC) AuthorizeSSHRenew 

func (b OIDC) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (*OIDC) AuthorizeSSHRevoke 

func (o *OIDC) AuthorizeSSHRevoke(_ context.Context, token string) error

AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.

func (*OIDC) AuthorizeSSHSign 

func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*OIDC) AuthorizeSign 

func (o *OIDC) AuthorizeSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*OIDC) GetEncryptedKey 

func (o *OIDC) GetEncryptedKey() (kid, key string, ok bool)

GetEncryptedKey is not available in an OIDC provisioner.

func (*OIDC) GetID 

func (o *OIDC) GetID() string

GetID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.

func (*OIDC) GetIDForToken 

func (o *OIDC) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*OIDC) GetName 

func (o *OIDC) GetName() string

GetName returns the name of the provisioner.

func (*OIDC) GetTokenID 

func (o *OIDC) GetTokenID(ott string) (string, error)

GetTokenID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.

func (*OIDC) GetType 

func (o *OIDC) GetType() Type

GetType returns the type of provisioner.

func (*OIDC) Init 

func (o *OIDC) Init(config Config) (err error)

Init validates and initializes the OIDC provider.

func (*OIDC) ValidatePayload 

func (o *OIDC) ValidatePayload(p openIDPayload) error

ValidatePayload validates the given token payload.

type Options 

type Options struct {
	X509 *X509Options `json:"x509,omitempty"`
	SSH  *SSHOptions  `json:"ssh,omitempty"`

	// Webhooks is a list of webhooks that can augment template data
	Webhooks []*Webhook `json:"webhooks,omitempty"`
}

Options are a collection of custom options that can be added to each provisioner.

func (*Options) GetSSHOptions 

func (o *Options) GetSSHOptions() *SSHOptions

GetSSHOptions returns the SSH options.

func (*Options) GetWebhooks 

func (o *Options) GetWebhooks() []*Webhook

GetWebhooks returns the webhooks options.

func (*Options) GetX509Options 

func (o *Options) GetX509Options() *X509Options

GetX509Options returns the X.509 options.

type Permissions 

type Permissions struct {
	Extensions      map[string]string `json:"extensions"`
	CriticalOptions map[string]string `json:"criticalOptions"`
}

Permissions defines extra extensions and critical options to grant to an SSH certificate.

type RAInfo 

type RAInfo struct {
	AuthorityID     string `json:"authorityId,omitempty"`
	EndpointID      string `json:"endpointId,omitempty"`
	ProvisionerID   string `json:"provisionerId,omitempty"`
	ProvisionerType string `json:"provisionerType,omitempty"`
	ProvisionerName string `json:"provisionerName,omitempty"`
}

RAInfo is the information about a provisioner present in RA tokens generated by StepCAS.

type SCEP 

type SCEP struct {
	ID                string   `json:"-"`
	Type              string   `json:"type"`
	Name              string   `json:"name"`
	ForceCN           bool     `json:"forceCN,omitempty"`
	ChallengePassword string   `json:"challenge,omitempty"`
	Capabilities      []string `json:"capabilities,omitempty"`

	// IncludeRoot makes the provisioner return the CA root in addition to the
	// intermediate in the GetCACerts response
	IncludeRoot bool `json:"includeRoot,omitempty"`

	// ExcludeIntermediate makes the provisioner skip the intermediate CA in the
	// GetCACerts response
	ExcludeIntermediate bool `json:"excludeIntermediate,omitempty"`

	// MinimumPublicKeyLength is the minimum length for public keys in CSRs
	MinimumPublicKeyLength int `json:"minimumPublicKeyLength,omitempty"`

	// TODO(hs): also support a separate signer configuration?
	DecrypterCertificate []byte `json:"decrypterCertificate,omitempty"`
	DecrypterKeyPEM      []byte `json:"decrypterKeyPEM,omitempty"`
	DecrypterKeyURI      string `json:"decrypterKey,omitempty"`
	DecrypterKeyPassword string `json:"decrypterKeyPassword,omitempty"`

	// Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
	// at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
	// Defaults to 0, being DES-CBC
	EncryptionAlgorithmIdentifier int      `json:"encryptionAlgorithmIdentifier,omitempty"`
	Options                       *Options `json:"options,omitempty"`
	Claims                        *Claims  `json:"claims,omitempty"`
	// contains filtered or unexported fields
}

SCEP is the SCEP provisioner type, an entity that can authorize the SCEP provisioning flow

func (SCEP) AuthorizeRenew 

func (b SCEP) AuthorizeRenew(context.Context, *x509.Certificate) error

AuthorizeRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing x509 Certificates.

func (SCEP) AuthorizeRevoke 

func (b SCEP) AuthorizeRevoke(context.Context, string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (SCEP) AuthorizeSSHRekey 

func (b SCEP) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (SCEP) AuthorizeSSHRenew 

func (b SCEP) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (SCEP) AuthorizeSSHRevoke 

func (b SCEP) AuthorizeSSHRevoke(context.Context, string) error

AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (SCEP) AuthorizeSSHSign 

func (b SCEP) AuthorizeSSHSign(context.Context, string) ([]SignOption, error)

AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing SSH Certificates.

func (*SCEP) AuthorizeSign 

func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error)

AuthorizeSign does not do any verification, because all verification is handled in the SCEP protocol. This method returns a list of modifiers / constraints on the resulting certificate.

func (*SCEP) DefaultTLSCertDuration 

func (s *SCEP) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration returns the default TLS cert duration enforced by the provisioner.

func (*SCEP) GetCapabilities 

func (s *SCEP) GetCapabilities() []string

GetCapabilities returns the CA capabilities

func (*SCEP) GetContentEncryptionAlgorithm 

func (s *SCEP) GetContentEncryptionAlgorithm() int

GetContentEncryptionAlgorithm returns the numeric identifier for the pkcs7 package encryption algorithm to use.

func (*SCEP) GetDecrypter 

func (s *SCEP) GetDecrypter() (*x509.Certificate, crypto.Decrypter)

GetDecrypter returns the provisioner specific decrypter, used to decrypt SCEP request messages sent by a SCEP client. The decrypter consists of a crypto.Decrypter (a private key) and a certificate for the public key corresponding to the private key.

func (*SCEP) GetEncryptedKey 

func (s *SCEP) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (*SCEP) GetID 

func (s *SCEP) GetID() string

GetID returns the provisioner unique identifier.

func (*SCEP) GetIDForToken 

func (s *SCEP) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*SCEP) GetName 

func (s *SCEP) GetName() string

GetName returns the name of the provisioner.

func (*SCEP) GetOptions 

func (s *SCEP) GetOptions() *Options

GetOptions returns the configured provisioner options.

func (*SCEP) GetSigner 

func (s *SCEP) GetSigner() (*x509.Certificate, crypto.Signer)

GetSigner returns the provisioner specific signer, used to sign SCEP response messages for the client. The signer consists of a crypto.Signer and a certificate for the public key corresponding to the private key.

func (*SCEP) GetTokenID 

func (s *SCEP) GetTokenID(string) (string, error)

GetTokenID returns the identifier of the token.

func (*SCEP) GetType 

func (s *SCEP) GetType() Type

GetType returns the type of provisioner.

func (*SCEP) Init 

func (s *SCEP) Init(config Config) (err error)

Init initializes and validates the fields of a SCEP type.

func (*SCEP) NotifyFailure 

func (s *SCEP) NotifyFailure(ctx context.Context, csr *x509.CertificateRequest, transactionID string, errorCode int, errorDescription string) error

func (*SCEP) NotifySuccess 

func (s *SCEP) NotifySuccess(ctx context.Context, csr *x509.CertificateRequest, cert *x509.Certificate, transactionID string) error

func (*SCEP) ShouldIncludeIntermediateInChain 

func (s *SCEP) ShouldIncludeIntermediateInChain() bool

ShouldIncludeIntermediateInChain indicates if the CA should include the intermediate CA certificate in the GetCACerts response. This is true by default, but can be overridden through configuration in case SCEP clients don't pick the right recipient.

func (*SCEP) ShouldIncludeRootInChain 

func (s *SCEP) ShouldIncludeRootInChain() bool

ShouldIncludeRootInChain indicates if the CA should return its intermediate, which is currently used for both signing and decryption, as well as the root in its chain.

func (*SCEP) ValidateChallenge 

func (s *SCEP) ValidateChallenge(ctx context.Context, csr *x509.CertificateRequest, challenge, transactionID string) error

ValidateChallenge validates the provided challenge. It starts by selecting the validation method to use, then performs validation according to that method.

type SCEPKeyManager 

type SCEPKeyManager interface {
	kmsapi.KeyManager
	kmsapi.Decrypter
}

SCEPKeyManager is a KMS interface that combines a KeyManager with a Decrypter.

type SSHCertModifier 

type SSHCertModifier interface {
	SignOption
	Modify(cert *ssh.Certificate, opts SignSSHOptions) error
}

SSHCertModifier is the interface used to change properties in an SSH certificate.

type SSHCertOptionsValidator 

type SSHCertOptionsValidator interface {
	SignOption
	Valid(got SignSSHOptions) error
}

SSHCertOptionsValidator is the interface used to validate the custom options used to modify the SSH certificate.

type SSHCertValidator 

type SSHCertValidator interface {
	SignOption
	Valid(cert *ssh.Certificate, opts SignSSHOptions) error
}

SSHCertValidator is the interface used to validate an SSH certificate.

type SSHCertificateOptions 

type SSHCertificateOptions interface {
	Options(SignSSHOptions) []sshutil.Option
}

SSHCertificateOptions is an interface that returns a list of options passed when creating a new certificate.

func CustomSSHTemplateOptions 

func CustomSSHTemplateOptions(o *Options, data sshutil.TemplateData, defaultTemplate string) (SSHCertificateOptions, error)

CustomSSHTemplateOptions generates a CertificateOptions with the template, data defined in the ProvisionerOptions, the provisioner generated data and the user data provided in the request. If no template has been provided in the ProvisionerOptions, the given template will be used.

func TemplateSSHOptions 

func TemplateSSHOptions(o *Options, data sshutil.TemplateData) (SSHCertificateOptions, error)

TemplateSSHOptions generates a SSHCertificateOptions with the template and data defined in the ProvisionerOptions, the provisioner generated data, and the user data provided in the request. If no template has been provided, x509util.DefaultLeafTemplate will be used.

type SSHKeys 

type SSHKeys struct {
	UserKeys []ssh.PublicKey
	HostKeys []ssh.PublicKey
}

SSHKeys represents the SSH User and Host public keys.

type SSHOptions 

type SSHOptions struct {
	// Template contains an SSH certificate template. It can be a JSON template
	// escaped in a string or it can be also encoded in base64.
	Template string `json:"template,omitempty"`

	// TemplateFile points to a file containing a SSH certificate template.
	TemplateFile string `json:"templateFile,omitempty"`

	// TemplateData is a JSON object with variables that can be used in custom
	// templates.
	TemplateData json.RawMessage `json:"templateData,omitempty"`

	// User contains SSH user certificate options.
	User *policy.SSHUserCertificateOptions `json:"-"`

	// Host contains SSH host certificate options.
	Host *policy.SSHHostCertificateOptions `json:"-"`
}

SSHOptions are a collection of custom options that can be added to each provisioner.

func (*SSHOptions) GetAllowedHostNameOptions 

func (o *SSHOptions) GetAllowedHostNameOptions() *policy.SSHNameOptions

GetAllowedHostNameOptions returns the SSHNameOptions that are allowed when SSH host certificates are requested.

func (*SSHOptions) GetAllowedUserNameOptions 

func (o *SSHOptions) GetAllowedUserNameOptions() *policy.SSHNameOptions

GetAllowedUserNameOptions returns the SSHNameOptions that are allowed when SSH User certificates are requested.

func (*SSHOptions) GetDeniedHostNameOptions 

func (o *SSHOptions) GetDeniedHostNameOptions() *policy.SSHNameOptions

GetDeniedHostNameOptions returns the SSHNameOptions that are denied when SSH host certificates are requested.

func (*SSHOptions) GetDeniedUserNameOptions 

func (o *SSHOptions) GetDeniedUserNameOptions() *policy.SSHNameOptions

GetDeniedUserNameOptions returns the SSHNameOptions that are denied when SSH user certificates are requested.

func (*SSHOptions) HasTemplate 

func (o *SSHOptions) HasTemplate() bool

HasTemplate returns true if a template is defined in the provisioner options.

type SSHPOP 

type SSHPOP struct {
	ID     string  `json:"-"`
	Type   string  `json:"type"`
	Name   string  `json:"name"`
	Claims *Claims `json:"claims,omitempty"`
	// contains filtered or unexported fields
}

SSHPOP is the default provisioner, an entity that can sign tokens necessary for signature requests.

func (SSHPOP) AuthorizeRenew 

func (b SSHPOP) AuthorizeRenew(context.Context, *x509.Certificate) error

AuthorizeRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing x509 Certificates.

func (SSHPOP) AuthorizeRevoke 

func (b SSHPOP) AuthorizeRevoke(context.Context, string) error

AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.

func (*SSHPOP) AuthorizeSSHRekey 

func (p *SSHPOP) AuthorizeSSHRekey(_ context.Context, token string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey validates the authorization token and extracts/validates the SSH certificate from the ssh-pop header.

func (*SSHPOP) AuthorizeSSHRenew 

func (p *SSHPOP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)

AuthorizeSSHRenew validates the authorization token and extracts/validates the SSH certificate from the ssh-pop header.

func (*SSHPOP) AuthorizeSSHRevoke 

func (p *SSHPOP) AuthorizeSSHRevoke(_ context.Context, token string) error

AuthorizeSSHRevoke validates the authorization token and extracts/validates the SSH certificate from the ssh-pop header.

func (SSHPOP) AuthorizeSSHSign 

func (b SSHPOP) AuthorizeSSHSign(context.Context, string) ([]SignOption, error)

AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing SSH Certificates.

func (SSHPOP) AuthorizeSign 

func (b SSHPOP) AuthorizeSign(context.Context, string) ([]SignOption, error)

AuthorizeSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing x509 Certificates.

func (*SSHPOP) GetEncryptedKey 

func (p *SSHPOP) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (*SSHPOP) GetID 

func (p *SSHPOP) GetID() string

GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any SSH-POP provisioner.

func (*SSHPOP) GetIDForToken 

func (p *SSHPOP) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*SSHPOP) GetName 

func (p *SSHPOP) GetName() string

GetName returns the name of the provisioner.

func (*SSHPOP) GetTokenID 

func (p *SSHPOP) GetTokenID(ott string) (string, error)

GetTokenID returns the identifier of the token.

func (*SSHPOP) GetType 

func (p *SSHPOP) GetType() Type

GetType returns the type of provisioner.

func (*SSHPOP) Init 

func (p *SSHPOP) Init(config Config) (err error)

Init initializes and validates the fields of a SSHPOP type.

type SignOption 

type SignOption interface{}

SignOption is the interface used to collect all extra options used in the Sign method.

type SignOptions 

type SignOptions struct {
	NotAfter     TimeDuration    `json:"notAfter"`
	NotBefore    TimeDuration    `json:"notBefore"`
	TemplateData json.RawMessage `json:"templateData"`
	Backdate     time.Duration   `json:"-"`
}

SignOptions contains the options that can be passed to the Sign method. Backdate is automatically filled and can only be configured in the CA.

type SignSSHOptions 

type SignSSHOptions struct {
	CertType     string          `json:"certType"`
	KeyID        string          `json:"keyID"`
	Principals   []string        `json:"principals"`
	ValidAfter   TimeDuration    `json:"validAfter,omitempty"`
	ValidBefore  TimeDuration    `json:"validBefore,omitempty"`
	TemplateData json.RawMessage `json:"templateData,omitempty"`
	Backdate     time.Duration   `json:"-"`
}

SignSSHOptions contains the options that can be passed to the SignSSH method.

func (SignSSHOptions) Modify 

func (o SignSSHOptions) Modify(cert *ssh.Certificate, _ SignSSHOptions) error

Modify implements SSHCertModifier and sets the SSHOption in the ssh.Certificate.

func (SignSSHOptions) ModifyValidity 

func (o SignSSHOptions) ModifyValidity(cert *ssh.Certificate) error

ModifyValidity modifies only the ValidAfter and ValidBefore on the given ssh.Certificate.

func (SignSSHOptions) Type 

func (o SignSSHOptions) Type() uint32

Type returns the uint32 representation of the CertType.

func (SignSSHOptions) Validate 

func (o SignSSHOptions) Validate() error

Validate validates the given SignSSHOptions.

type TimeDuration 

type TimeDuration struct {
	// contains filtered or unexported fields
}

TimeDuration is a type that represents a time but the JSON unmarshaling can use a time using the RFC 3339 format or a time.Duration string. If a duration is used, the time will be set on the first call to TimeDuration.Time.

func NewTimeDuration 

func NewTimeDuration(t time.Time) TimeDuration

NewTimeDuration returns a TimeDuration with the defined time.

func ParseTimeDuration 

func ParseTimeDuration(s string) (TimeDuration, error)

ParseTimeDuration returns a new TimeDuration parsing the RFC 3339 time or time.Duration string.

func (*TimeDuration) Equal 

func (t *TimeDuration) Equal(other *TimeDuration) bool

Equal returns if t and other are equal.

func (*TimeDuration) IsZero 

func (t *TimeDuration) IsZero() bool

IsZero returns true the TimeDuration represents the zero value, false otherwise.

func (TimeDuration) MarshalJSON 

func (t TimeDuration) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. If the time is set it will return the time in RFC 3339 format if not it will return the duration string.

func (*TimeDuration) RelativeTime 

func (t *TimeDuration) RelativeTime(base time.Time) time.Time

RelativeTime returns the embedded time.Time or the base time plus the duration if this is not zero.

func (*TimeDuration) SetDuration 

func (t *TimeDuration) SetDuration(d time.Duration)

SetDuration initializes the TimeDuration with the given duration string. If the time was set it will re-set to zero.

func (*TimeDuration) SetTime 

func (t *TimeDuration) SetTime(tt time.Time)

SetTime initializes the TimeDuration with the given time. If the duration is set it will be re-set to zero.

func (*TimeDuration) String 

func (t *TimeDuration) String() string

String implements the fmt.Stringer interface.

func (*TimeDuration) Time 

func (t *TimeDuration) Time() time.Time

Time calculates the time if needed and returns it.

func (*TimeDuration) Unix 

func (t *TimeDuration) Unix() int64

Unix calculates the time if needed it and returns the Unix time in seconds.

func (*TimeDuration) UnmarshalJSON 

func (t *TimeDuration) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. The time is expected to be a quoted string in RFC 3339 format or a quoted time.Duration string.

type Type 

type Type int

Type indicates the provisioner Type. 

const (

	// TypeJWK is used to indicate the JWK provisioners.
	TypeJWK Type = 1
	// TypeOIDC is used to indicate the OIDC provisioners.
	TypeOIDC Type = 2
	// TypeGCP is used to indicate the GCP provisioners.
	TypeGCP Type = 3
	// TypeAWS is used to indicate the AWS provisioners.
	TypeAWS Type = 4
	// TypeAzure is used to indicate the Azure provisioners.
	TypeAzure Type = 5
	// TypeACME is used to indicate the ACME provisioners.
	TypeACME Type = 6
	// TypeX5C is used to indicate the X5C provisioners.
	TypeX5C Type = 7
	// TypeK8sSA is used to indicate the X5C provisioners.
	TypeK8sSA Type = 8
	// TypeSSHPOP is used to indicate the SSHPOP provisioners.
	TypeSSHPOP Type = 9
	// TypeSCEP is used to indicate the SCEP provisioners
	TypeSCEP Type = 10
	// TypeNebula is used to indicate the Nebula provisioners
	TypeNebula Type = 11
)

func (Type) String 

func (t Type) String() string

String returns the string representation of the type.

type Webhook 

type Webhook struct {
	ID                   string `json:"id"`
	Name                 string `json:"name"`
	URL                  string `json:"url"`
	Kind                 string `json:"kind"`
	DisableTLSClientAuth bool   `json:"disableTLSClientAuth,omitempty"`
	CertType             string `json:"certType"`
	Secret               string `json:"-"`
	BearerToken          string `json:"-"`
	BasicAuth            struct {
		Username string
		Password string
	} `json:"-"`
}

func (*Webhook) DoWithContext 

func (w *Webhook) DoWithContext(ctx context.Context, client *http.Client, reqBody *webhook.RequestBody, data any) (*webhook.ResponseBody, error)

type WebhookController 

type WebhookController struct {
	TemplateData WebhookSetter
	// contains filtered or unexported fields
}

func (*WebhookController) Authorize 

func (wc *WebhookController) Authorize(ctx context.Context, req *webhook.RequestBody) error

Authorize checks that all remote servers allow the request

func (*WebhookController) Enrich 

func (wc *WebhookController) Enrich(ctx context.Context, req *webhook.RequestBody) error

Enrich fetches data from remote servers and adds returned data to the templateData

type WebhookSetter 

type WebhookSetter interface {
	SetWebhook(string, any)
}

type X509Options 

type X509Options struct {
	// Template contains a X.509 certificate template. It can be a JSON template
	// escaped in a string or it can be also encoded in base64.
	Template string `json:"template,omitempty"`

	// TemplateFile points to a file containing a X.509 certificate template.
	TemplateFile string `json:"templateFile,omitempty"`

	// TemplateData is a JSON object with variables that can be used in custom
	// templates.
	TemplateData json.RawMessage `json:"templateData,omitempty"`

	// AllowedNames contains the SANs the provisioner is authorized to sign
	AllowedNames *policy.X509NameOptions `json:"-"`

	// DeniedNames contains the SANs the provisioner is not authorized to sign
	DeniedNames *policy.X509NameOptions `json:"-"`

	// AllowWildcardNames indicates if literal wildcard names
	// like *.example.com are allowed. Defaults to false.
	AllowWildcardNames bool `json:"-"`
}

X509Options contains specific options for X.509 certificates.

func (*X509Options) AreWildcardNamesAllowed 

func (o *X509Options) AreWildcardNamesAllowed() bool

func (*X509Options) GetAllowedNameOptions 

func (o *X509Options) GetAllowedNameOptions() *policy.X509NameOptions

GetAllowedNameOptions returns the AllowedNames, which models the SANs that a provisioner is authorized to sign x509 certificates for.

func (*X509Options) GetDeniedNameOptions 

func (o *X509Options) GetDeniedNameOptions() *policy.X509NameOptions

GetDeniedNameOptions returns the DeniedNames, which models the SANs that a provisioner is NOT authorized to sign x509 certificates for.

func (*X509Options) HasTemplate 

func (o *X509Options) HasTemplate() bool

HasTemplate returns true if a template is defined in the provisioner options.

type X5C 

type X5C struct {
	ID      string   `json:"-"`
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Roots   []byte   `json:"roots"`
	Claims  *Claims  `json:"claims,omitempty"`
	Options *Options `json:"options,omitempty"`
	// contains filtered or unexported fields
}

X5C is the default provisioner, an entity that can sign tokens necessary for signature requests.

func (*X5C) AuthorizeRenew 

func (p *X5C) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error

AuthorizeRenew returns an error if the renewal is disabled.

func (*X5C) AuthorizeRevoke 

func (p *X5C) AuthorizeRevoke(_ context.Context, token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.

func (X5C) AuthorizeSSHRekey 

func (b X5C) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)

AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.

func (X5C) AuthorizeSSHRenew 

func (b X5C) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)

AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.

func (X5C) AuthorizeSSHRevoke 

func (b X5C) AuthorizeSSHRevoke(context.Context, string) error

AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.

func (*X5C) AuthorizeSSHSign 

func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)

AuthorizeSSHSign returns the list of SignOption for a SignSSH request.

func (*X5C) AuthorizeSign 

func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*X5C) GetEncryptedKey 

func (p *X5C) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (*X5C) GetID 

func (p *X5C) GetID() string

GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any X5C provisioner.

func (*X5C) GetIDForToken 

func (p *X5C) GetIDForToken() string

GetIDForToken returns an identifier that will be used to load the provisioner from a token.

func (*X5C) GetName 

func (p *X5C) GetName() string

GetName returns the name of the provisioner.

func (*X5C) GetTokenID 

func (p *X5C) GetTokenID(ott string) (string, error)

GetTokenID returns the identifier of the token.

func (*X5C) GetType 

func (p *X5C) GetType() Type

GetType returns the type of provisioner.

func (*X5C) Init 

func (p *X5C) Init(config Config) (err error)

Init initializes and validates the fields of a X5C type.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.