puppetsec

package
v0.29.3 (not the latest version of its module)
Published: Jul 29, 2024 License: Apache-2.0 Imports: 26 Imported by: 2

Documentation

Overview

Package puppetsec provides a Puppet-compatible Security Provider.

The provider supports enrolling into a Puppet CA: it creates a key and CSR, sends the CSR to the PuppetCA, waits for it to be signed, and then downloads the certificate once it has been signed.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type BuildInfoProvider added in v0.23.0

type BuildInfoProvider interface {
	ClientIdentitySuffix() string
}

BuildInfoProvider provides info about the build

type Config

type Config struct {
	// Identity when not empty will force the identity to be used for validations etc
	Identity string

	// SSLDir is the directory where Puppet stores its SSL files
	SSLDir string

	// PrivilegedUsers is a list of regular expressions that identify privileged users
	PrivilegedUsers []string

	// AllowList is a list of regular expressions that identify valid users to allow in
	AllowList []string

	// DisableTLSVerify disables TLS verify in HTTP clients etc
	DisableTLSVerify bool

	// PuppetCAHost is the hostname of the PuppetCA
	PuppetCAHost string

	// PuppetCAPort is the port of the PuppetCA
	PuppetCAPort int

	// DisableSRV prevents SRV lookups
	DisableSRV bool

	// RemoteSignerURL is a URL where a remote signer is running
	RemoteSignerURL string

	// RemoteSignerTokenFile is a file with a token for access to the remote signer
	RemoteSignerTokenFile string

	// RemoteSignerTokenEnvironment is an environment variable that will hold the signer token
	RemoteSignerTokenEnvironment string

	// TLSConfig is the shared TLS configuration
	TLSConfig *tlssetup.Config

	// AltNames are additional names to add to the CSR
	AltNames []string

	// IdentitySuffix is the suffix to append to user names when creating certnames and identities
	IdentitySuffix string

	// RemoteSigner is the signer used to sign requests using a remote like AAA Service
	RemoteSigner inter.RequestSigner
	// contains filtered or unexported fields
}

Config is the configuration for PuppetSecurity

type Option

type Option func(*PuppetSecurity) error

Option is a function that can configure the Puppet Security Provider

func WithChoriaConfig

func WithChoriaConfig(bi BuildInfoProvider, c *config.Config) Option

WithChoriaConfig optionally configures the Security Provider from settings found in a typical Choria configuration

func WithConfig

func WithConfig(c *Config) Option

WithConfig optionally configures the Puppet Security Provider using its native configuration format

func WithLog

func WithLog(l *logrus.Entry) Option

WithLog configures a logger for the Puppet Security Provider

func WithResolver

func WithResolver(r Resolver) Option

WithResolver configures a SRV resolver for the Puppet Security Provider

func WithSigner added in v0.24.0

func WithSigner(signer inter.RequestSigner) Option

WithSigner configures a remote request signer

type PuppetSecurity

type PuppetSecurity struct {
	// contains filtered or unexported fields
}

PuppetSecurity implements SecurityProvider by reusing AIO Puppet settings; it supports enrollment the same way `puppet agent --waitforcert 10` does

func New

func New(opts ...Option) (*PuppetSecurity, error)

New creates a new instance of the Puppet Security Provider

func (*PuppetSecurity) BackingTechnology added in v0.26.2

func (s *PuppetSecurity) BackingTechnology() inter.SecurityTechnology

func (*PuppetSecurity) CallerIdentity

func (s *PuppetSecurity) CallerIdentity(caller string) (string, error)

CallerIdentity extracts the identity from a Choria-like caller name in the form of choria=identity

func (*PuppetSecurity) CallerName

func (s *PuppetSecurity) CallerName() string

CallerName creates a Choria-like caller name in the form of choria=identity

func (*PuppetSecurity) ChecksumBytes

func (s *PuppetSecurity) ChecksumBytes(data []byte) []byte

ChecksumBytes calculates a sha256 checksum for data

func (*PuppetSecurity) ClientTLSConfig added in v0.21.0

func (s *PuppetSecurity) ClientTLSConfig() (*tls.Config, error)

ClientTLSConfig creates a TLS configuration for use by NATS, HTTPS etc

func (*PuppetSecurity) Enroll

func (s *PuppetSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(digest string, try int)) error

Enroll sends a CSR to the PuppetCA and waits for it to be signed

func (*PuppetSecurity) HTTPClient

func (s *PuppetSecurity) HTTPClient(secure bool) (*http.Client, error)

HTTPClient creates a standard HTTP client with optional security; when secure, it is set to use the CA and client certs for auth. The servername should match the remote host's name for SNI

func (*PuppetSecurity) Identity

func (s *PuppetSecurity) Identity() string

Identity determines the choria certname

func (*PuppetSecurity) IsRemoteSigning added in v0.24.0

func (s *PuppetSecurity) IsRemoteSigning() bool

func (*PuppetSecurity) Provider

func (s *PuppetSecurity) Provider() string

Provider reports the name of the security provider

func (*PuppetSecurity) PublicCert added in v0.23.0

func (s *PuppetSecurity) PublicCert() (*x509.Certificate, error)

PublicCert is the parsed public certificate

func (*PuppetSecurity) PublicCertBytes added in v0.26.2

func (s *PuppetSecurity) PublicCertBytes() ([]byte, error)

PublicCertBytes retrieves the PEM-encoded public certificate of the current identity

func (*PuppetSecurity) RemoteSignRequest

func (s *PuppetSecurity) RemoteSignRequest(ctx context.Context, str []byte) (signed []byte, err error)

RemoteSignRequest signs a choria request using a remote signer and returns a secure request

func (*PuppetSecurity) SSLContext

func (s *PuppetSecurity) SSLContext() (*http.Transport, error)

SSLContext creates an SSL context loaded with our certs and CA

func (*PuppetSecurity) ShouldAllowCaller added in v0.26.2

func (s *PuppetSecurity) ShouldAllowCaller(name string, callers ...[]byte) (privileged bool, err error)

ShouldAllowCaller verifies the public data

func (*PuppetSecurity) ShouldSignReplies added in v0.27.0

func (s *PuppetSecurity) ShouldSignReplies() bool

func (*PuppetSecurity) SignBytes

func (s *PuppetSecurity) SignBytes(str []byte) ([]byte, error)

SignBytes signs a message using SHA256 with PKCS1v15

func (*PuppetSecurity) TLSConfig

func (s *PuppetSecurity) TLSConfig() (*tls.Config, error)

TLSConfig creates a TLS configuration for use by NATS, HTTPS etc

func (*PuppetSecurity) TokenBytes added in v0.27.0

func (s *PuppetSecurity) TokenBytes() ([]byte, error)

func (*PuppetSecurity) Validate

func (s *PuppetSecurity) Validate() ([]string, bool)

Validate determines if the node represents a valid SSL configuration

func (*PuppetSecurity) VerifyCertificate

func (s *PuppetSecurity) VerifyCertificate(certpem []byte, name string) error

VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given

func (*PuppetSecurity) VerifySignatureBytes added in v0.26.2

func (s *PuppetSecurity) VerifySignatureBytes(dat []byte, sig []byte, public ...[]byte) (should bool, signer string)

VerifySignatureBytes verifies that dat matches the signature sig made by the key; if the public cert is empty, the active public key is used
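The following is an added stand-alone illustration (standard library only, not the provider's own code) of the scheme the SignBytes, ChecksumBytes and VerifySignatureBytes descriptions above name: a SHA256 digest signed with RSA PKCS1v15, with verification failing for a tampered message. The key and request body are constructed here for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// checksumBytes mirrors what the page describes for ChecksumBytes: a SHA-256 digest.
func checksumBytes(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// signBytes produces an RSA PKCS#1 v1.5 signature over the SHA-256 digest of data,
// the scheme the page names for SignBytes (stdlib re-implementation, not the provider's code).
func signBytes(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, checksumBytes(data))
}

// verifySignatureBytes reports whether sig is a valid PKCS#1 v1.5 signature over data
// under pub; a modified message or a different key yields false.
func verifySignatureBytes(pub *rsa.PublicKey, data, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, checksumBytes(data), sig) == nil
}

// roundTrip generates a throwaway 2048-bit key (constructed, not a real identity),
// signs a sample request body and checks that verification holds only for the
// unmodified bytes.
func roundTrip() (validOK, tamperedOK bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	req := []byte(`{"agent":"rpcutil","action":"ping"}`) // constructed sample request
	sig, err := signBytes(key, req)
	if err != nil {
		return false, false, err
	}
	validOK = verifySignatureBytes(&key.PublicKey, req, sig)
	tamperedOK = verifySignatureBytes(&key.PublicKey, append(req, ' '), sig)
	return validOK, tamperedOK, nil
}

func main() {
	v, t, err := roundTrip()
	fmt.Println(v, t, err) // true false <nil>
}
```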

type Resolver

type Resolver interface {
	QuerySrvRecords(records []string) (srvcache.Servers, error)
}

Resolver provides DNS lookup facilities
