sshca

package module


Constants

This section is empty.

Variables

// File_ssh_signer_proto is the generated protobuf file descriptor for
// ssh-signer.proto (the Metadata named in SSHCertificateService_ServiceDesc).
var File_ssh_signer_proto protoreflect.FileDescriptor
// GetConf returns the value of the environment variable named key, or
// fallback when the variable is unset or set to the empty string. Being a
// package-level variable rather than a function, it can be replaced to
// source configuration from somewhere other than the process environment.
var GetConf func(string, string) string = func(key string, fallback string) string {
	switch v := os.Getenv(key); v {
	case "":
		// Unset and explicitly-empty are treated alike.
		return fallback
	default:
		return v
	}
}
// SSHCertificateService_ServiceDesc is the grpc.ServiceDesc for the
// SSHCertificateService service. It is generated (protoc-gen-go-grpc style)
// and is meant only to be handed to grpc.RegisterService, which
// RegisterSSHCertificateServiceServer does; it should not be introspected
// or modified, even as a copy.
var SSHCertificateService_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "ssh.SSHCertificateService",
	HandlerType: (*SSHCertificateServiceServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			// Unary RPC (no entry in Streams); the generated handler
			// presumably dispatches to SSHCertificateServiceServer.CreateCertificate.
			MethodName: "CreateCertificate",
			Handler:    _SSHCertificateService_CreateCertificate_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{}, // the service defines no streaming methods
	Metadata: "ssh-signer.proto",
}

SSHCertificateService_ServiceDesc is the grpc.ServiceDesc for the SSHCertificateService service. It is only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

Functions

func ParseXFCC

func ParseXFCC(val string) map[string]string

ParseXFCC is a minimal (and probably buggy) parser for the Envoy XFCC header. It does not handle quoted strings that contain the special characters (,;=). Istio certs are safe.

func RegisterSSHCertificateServiceServer

func RegisterSSHCertificateServiceServer(s grpc.ServiceRegistrar, srv SSHCertificateServiceServer)

Types

type RemoteID

// RemoteID is the identity of the calling workload as recovered from the
// Envoy XFCC header by RemoteIDmTLS. The fields mirror a SPIFFE-style
// identity (presumably spiffe://<TrustDomain>/ns/<Namespace>/sa/<ServiceAccount>
// — confirm against RemoteIDmTLS).
//
// NOTE(review): this identity is only as trustworthy as the XFCC header it
// was parsed from, i.e. it relies on the proxy in front of the service
// setting that header and overwriting any client-supplied value.
type RemoteID struct {
	TrustDomain    string
	Namespace      string
	ServiceAccount string
}

func RemoteIDmTLS

func RemoteIDmTLS(xfcc string) *RemoteID

type SSHCertificateRequest

// SSHCertificateRequest is the request message of
// SSHCertificateService.CreateCertificate (generated from ssh-signer.proto).
type SSHCertificateRequest struct {

	// Public key to sign
	Public string `protobuf:"bytes,1,opt,name=public,proto3" json:"public,omitempty"`
	// hostname to sign. Namespace and domain will be added
	Hostname []string `protobuf:"bytes,2,rep,name=hostname,proto3" json:"hostname,omitempty"`
	// User principal the certificate is for; the SSH user certificate's
	// ValidPrincipals are matched against it.
	User     string   `protobuf:"bytes,3,opt,name=user,proto3" json:"user,omitempty"`
	// Optional SSH certificate KeyId.
	KeyId    string   `protobuf:"bytes,5,opt,name=keyId,proto3" json:"keyId,omitempty"`
	// Optional: requested certificate validity period, in seconds.
	// NOTE(review): this is client-requested; whether the signer caps it
	// cannot be seen here — confirm in SSHSigner.CreateCertificate.
	ValidityDuration int64             `protobuf:"varint,4,opt,name=validity_duration,json=validityDuration,proto3" json:"validity_duration,omitempty"`
	// Presumably copied into the SSH certificate's critical options and
	// extensions respectively — confirm against the signer.
	CriticalOptions  map[string]string `` /* 194-byte string literal not displayed */
	Extensions       map[string]string `` /* 161-byte string literal not displayed */
	// contains filtered or unexported fields
}

Certificate request message. In SSH, the user certificate includes:

  • public key and nonce
  • CertType = 1
  • KeyId - optional
  • ValidPrincipals[] - matched against user

func (*SSHCertificateRequest) Descriptor deprecated

func (*SSHCertificateRequest) Descriptor() ([]byte, []int)

Deprecated: Use SSHCertificateRequest.ProtoReflect.Descriptor instead.

func (*SSHCertificateRequest) GetCriticalOptions

func (x *SSHCertificateRequest) GetCriticalOptions() map[string]string

func (*SSHCertificateRequest) GetExtensions

func (x *SSHCertificateRequest) GetExtensions() map[string]string

func (*SSHCertificateRequest) GetHostname

func (x *SSHCertificateRequest) GetHostname() []string

func (*SSHCertificateRequest) GetKeyId

func (x *SSHCertificateRequest) GetKeyId() string

func (*SSHCertificateRequest) GetPublic

func (x *SSHCertificateRequest) GetPublic() string

func (*SSHCertificateRequest) GetUser

func (x *SSHCertificateRequest) GetUser() string

func (*SSHCertificateRequest) GetValidityDuration

func (x *SSHCertificateRequest) GetValidityDuration() int64

func (*SSHCertificateRequest) ProtoMessage

func (*SSHCertificateRequest) ProtoMessage()

func (*SSHCertificateRequest) ProtoReflect

func (x *SSHCertificateRequest) ProtoReflect() protoreflect.Message

func (*SSHCertificateRequest) Reset

func (x *SSHCertificateRequest) Reset()

func (*SSHCertificateRequest) String

func (x *SSHCertificateRequest) String() string

type SSHCertificateResponse

// SSHCertificateResponse is the response message of
// SSHCertificateService.CreateCertificate (generated from ssh-signer.proto).
// Host and User presumably carry the signed host and user certificates
// (see SSHSigner.SignHost / SignUser) and Root the CA's public key
// (see SSHSigner.Root) — confirm against SSHSigner.CreateCertificate.
type SSHCertificateResponse struct {
	Host string `protobuf:"bytes,1,opt,name=host,proto3" json:"host,omitempty"`
	User string `protobuf:"bytes,2,opt,name=user,proto3" json:"user,omitempty"`
	Root string `protobuf:"bytes,3,opt,name=root,proto3" json:"root,omitempty"`
	// contains filtered or unexported fields
}

Certificate response message.

func (*SSHCertificateResponse) Descriptor deprecated

func (*SSHCertificateResponse) Descriptor() ([]byte, []int)

Deprecated: Use SSHCertificateResponse.ProtoReflect.Descriptor instead.

func (*SSHCertificateResponse) GetHost

func (x *SSHCertificateResponse) GetHost() string

func (*SSHCertificateResponse) GetRoot

func (x *SSHCertificateResponse) GetRoot() string

func (*SSHCertificateResponse) GetUser

func (x *SSHCertificateResponse) GetUser() string

func (*SSHCertificateResponse) ProtoMessage

func (*SSHCertificateResponse) ProtoMessage()

func (*SSHCertificateResponse) ProtoReflect

func (x *SSHCertificateResponse) ProtoReflect() protoreflect.Message

func (*SSHCertificateResponse) Reset

func (x *SSHCertificateResponse) Reset()

func (*SSHCertificateResponse) String

func (x *SSHCertificateResponse) String() string

type SSHCertificateServiceClient

// SSHCertificateServiceClient is the client API for the SSHCertificateService
// service (generated). CreateCertificate is a unary RPC.
type SSHCertificateServiceClient interface {
	CreateCertificate(ctx context.Context, in *SSHCertificateRequest, opts ...grpc.CallOption) (*SSHCertificateResponse, error)
}

SSHCertificateServiceClient is the client API for SSHCertificateService service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

type SSHCertificateServiceServer

// SSHCertificateServiceServer is the server API for the SSHCertificateService
// service (generated). Implementations must embed
// UnimplementedSSHCertificateServiceServer for forward compatibility; the
// unexported method it provides is what satisfies this interface.
type SSHCertificateServiceServer interface {
	CreateCertificate(context.Context, *SSHCertificateRequest) (*SSHCertificateResponse, error)
	// contains filtered or unexported methods
}

SSHCertificateServiceServer is the server API for the SSHCertificateService service. All implementations must embed UnimplementedSSHCertificateServiceServer for forward compatibility.

type SSHSigner

// SSHSigner is the SSH CA: it implements SSHCertificateServiceServer and
// signs host and user certificates (SignHost, SignUser) with Signer.
type SSHSigner struct {
	UnimplementedSSHCertificateServiceServer
	// Root presumably holds the CA public key that is returned in
	// SSHCertificateResponse.Root — confirm in Init/CreateCertificate.
	Root   string
	// Signer is the CA private key; Init loads it from SSH_CA_DIR
	// (default ./var/run/secrets/ssh-ca).
	Signer gossh.Signer
	// Domain is presumably the suffix appended to requested hostnames
	// ("Namespace and domain will be added" on SSHCertificateRequest.Hostname)
	// — confirm in CreateCertificate.
	Domain string
}

func (*SSHSigner) CreateCertificate

func (s *SSHSigner) CreateCertificate(ctx context.Context, in *SSHCertificateRequest) (*SSHCertificateResponse, error)

func (*SSHSigner) Init

func (s *SSHSigner) Init() error

Init loads the private key. By default it is read from ./var/run/secrets/ssh-ca; this can be overridden with the SSH_CA_DIR environment variable.

func (*SSHSigner) SignHost

func (s *SSHSigner) SignHost(pub gossh.PublicKey, names []string) []byte

func (*SSHSigner) SignUser

func (s *SSHSigner) SignUser(pub gossh.PublicKey, name string) []byte

type UnimplementedSSHCertificateServiceServer

// UnimplementedSSHCertificateServiceServer must be embedded by server
// implementations to keep them forward compatible when methods are added
// to the service (generated).
type UnimplementedSSHCertificateServiceServer struct {
}

UnimplementedSSHCertificateServiceServer must be embedded to have forward compatible implementations.

func (UnimplementedSSHCertificateServiceServer) CreateCertificate

type UnsafeSSHCertificateServiceServer

// UnsafeSSHCertificateServiceServer may be embedded to opt out of forward
// compatibility for this service (generated). Not recommended: methods
// later added to SSHCertificateServiceServer then become compile errors.
type UnsafeSSHCertificateServiceServer interface {
	// contains filtered or unexported methods
}

UnsafeSSHCertificateServiceServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to SSHCertificateServiceServer will result in compilation errors.
