puppetsec

package

v0.6.0 Latest Latest Go to latest Published: Jan 12, 2020 License: Apache-2.0 Imports: 22 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/choria-io/go-security

Links

Open Source Insights

Documentation ¶

Overview ¶

Package puppetsec provides a Puppet compatable Security Provider

The provider supports enrolling into a Puppet CA by creating a key and csr, sending it to the PuppetCA and waiting for it to be signed and later it will download the certificate once signed

Index ¶

type Config
type Option
type PuppetSecurity
- func New(opts ...Option) (*PuppetSecurity, error)
type Resolver

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Config ¶

type Config struct {
	// Identity when not empty will force the identity to be used for validations etc
	Identity string

	// SSLDir is the directory where Puppet stores it's SSL
	SSLDir string

	// PrivilegedUsers is a list of regular expressions that identity privilged users
	PrivilegedUsers []string

	// AllowList is a list of regular expressions that identity valid users to allow in
	AllowList []string

	// DisableTLSVerify disables TLS verify in HTTP clients etc
	DisableTLSVerify bool

	// PuppetCAHost is the hostname of the PuppetCA
	PuppetCAHost string

	// PuppetCAPort is the port of the PuppetCA
	PuppetCAPort int

	// DisableSRV prevents SRV lookups
	DisableSRV bool

	// Is a URL where a remote signer is running
	RemoteSignerURL string

	// RemoteSignerTokenFile is a file with a token for access to the remote signer
	RemoteSignerTokenFile string

	// RemoteSignerTokenEnvironment is an environment variable that will hold the signer token
	RemoteSignerTokenEnvironment string

	// AlwaysOverwriteCache supports always overwriting the local filesystem cache
	AlwaysOverwriteCache bool
	// contains filtered or unexported fields
}

Config is the configuration for PuppetSecurity

type Option ¶

type Option func(*PuppetSecurity) error

Option is a function that can configure the Puppet Security Provider

func WithChoriaConfig ¶

func WithChoriaConfig(c *config.Config) Option

WithChoriaConfig optionally configures the Puppet Security Provider from settings found in a typical Choria configuration

func WithConfig ¶

func WithConfig(c *Config) Option

WithConfig optionally configures the Puppet Security Provider using its native configuration format

func WithLog ¶

func WithLog(l *logrus.Entry) Option

WithLog configures a logger for the Puppet Security Provider

func WithResolver ¶

func WithResolver(r Resolver) Option

WithResolver configures a SRV resolver for the Puppet Security Provider

type PuppetSecurity ¶

type PuppetSecurity struct {
	// contains filtered or unexported fields
}

PuppetSecurity implements SecurityProvider reusing AIO Puppet settings it supports enrollment the same way `puppet agent --waitforcert 10` does

func New ¶

func New(opts ...Option) (*PuppetSecurity, error)

New creates a new instance of the Puppet Security Provider

func (*PuppetSecurity) CachePublicData ¶

func (s *PuppetSecurity) CachePublicData(data []byte, identity string) error

CachePublicData caches the public key for a identity

func (*PuppetSecurity) CachedPublicData ¶

func (s *PuppetSecurity) CachedPublicData(identity string) ([]byte, error)

CachedPublicData retrieves the previously cached public data for a given identity

func (*PuppetSecurity) CallerIdentity ¶

func (s *PuppetSecurity) CallerIdentity(caller string) (string, error)

CallerIdentity extracts the identity from a choria like caller name in the form of choria=identity

func (*PuppetSecurity) CallerName ¶

func (s *PuppetSecurity) CallerName() string

CallerName creates a choria like caller name in the form of choria=identity

func (*PuppetSecurity) ChecksumBytes ¶

func (s *PuppetSecurity) ChecksumBytes(data []byte) []byte

ChecksumBytes calculates a sha256 checksum for data

func (*PuppetSecurity) ChecksumString ¶

func (s *PuppetSecurity) ChecksumString(data string) []byte

ChecksumString calculates a sha256 checksum for data

func (*PuppetSecurity) Enroll ¶

func (s *PuppetSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(int)) error

Enroll sends a CSR to the PuppetCA and wait for it to be signed

func (*PuppetSecurity) HTTPClient ¶

func (s *PuppetSecurity) HTTPClient(secure bool) (*http.Client, error)

HTTPClient creates a standard HTTP client with optional security, it will be set to use the CA and client certs for auth. servername should match the remote hosts name for SNI

func (*PuppetSecurity) Identity ¶

func (s *PuppetSecurity) Identity() string

Identity determines the choria certname

func (*PuppetSecurity) PrivilegedVerifyByteSignature ¶

func (s *PuppetSecurity) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool

PrivilegedVerifyByteSignature verifies if the signature received is from any of the privileged certs or the given identity

func (*PuppetSecurity) PrivilegedVerifyStringSignature ¶

func (s *PuppetSecurity) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool

PrivilegedVerifyStringSignature verifies if the signature received is from any of the privilged certs or the given identity

func (*PuppetSecurity) Provider ¶

func (s *PuppetSecurity) Provider() string

Provider reports the name of the security provider

func (*PuppetSecurity) PublicCertPem ¶

func (s *PuppetSecurity) PublicCertPem() (*pem.Block, error)

PublicCertPem retrieves the public certificate for this instance

func (*PuppetSecurity) PublicCertTXT ¶

func (s *PuppetSecurity) PublicCertTXT() ([]byte, error)

PublicCertTXT retrieves pem data in textual form for the public certificate of the current identity

func (*PuppetSecurity) RemoteSignRequest ¶ added in v0.6.0

func (s *PuppetSecurity) RemoteSignRequest(str []byte) (signed []byte, err error)

RemoteSignRequest signs a choria request using a remote signer and returns a secure request

func (*PuppetSecurity) SSLContext ¶

func (s *PuppetSecurity) SSLContext() (*http.Transport, error)

SSLContext creates a SSL context loaded with our certs and ca

func (*PuppetSecurity) SignBytes ¶

func (s *PuppetSecurity) SignBytes(str []byte) ([]byte, error)

SignBytes signs a message using a SHA256 PKCS1v15 protocol

func (*PuppetSecurity) SignString ¶

func (s *PuppetSecurity) SignString(str string) ([]byte, error)

SignString signs a message using a SHA256 PKCS1v15 protocol

func (*PuppetSecurity) TLSConfig ¶

func (s *PuppetSecurity) TLSConfig() (*tls.Config, error)

TLSConfig creates a TLS configuration for use by NATS, HTTPS etc

func (*PuppetSecurity) Validate ¶

func (s *PuppetSecurity) Validate() ([]string, bool)

Validate determines if the node represents a valid SSL configuration

func (*PuppetSecurity) VerifyByteSignature ¶

func (s *PuppetSecurity) VerifyByteSignature(dat []byte, sig []byte, identity string) bool

VerifyByteSignature verify that dat matches signature sig made by the key of identity if identity is "" the active public key will be used

func (*PuppetSecurity) VerifyCertificate ¶

func (s *PuppetSecurity) VerifyCertificate(certpem []byte, name string) error

VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given

func (*PuppetSecurity) VerifyStringSignature ¶

func (s *PuppetSecurity) VerifyStringSignature(str string, sig []byte, identity string) bool

VerifyStringSignature verify that str matches signature sig made by the key of identity

type Resolver ¶

type Resolver interface {
	QuerySrvRecords(records []string) (srvcache.Servers, error)
}

Resolver provides DNS lookup facilities

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL