connect

package
v1.4.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 20, 2019 License: MPL-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source 
const TestClusterID = "11111111-2222-3333-4444-555555555555"

TestClusterID is the Consul cluster ID for testing.

Variables

This section is empty.

Functions

func CalculateCertFingerprint 

func CalculateCertFingerprint(pemValue string) (string, error)

CalculateCertFingerprint parses the x509 certificate from a PEM-encoded value and calculates the SHA-1 fingerprint.

func CreateCACSR added in v1.3.0 

func CreateCACSR(uri CertURI, privateKey crypto.Signer) (string, error)

CreateCSR returns a CA CSR to sign the given service along with the PEM-encoded private key for this certificate.

func CreateCAExtension added in v1.3.0 

func CreateCAExtension() (pkix.Extension, error)

CreateCAExtension creates a pkix.Extension for the x509 Basic Constraints IsCA field ()

func CreateCSR 

func CreateCSR(uri CertURI, privateKey crypto.Signer, extensions ...pkix.Extension) (string, error)

CreateCSR returns a CSR to sign the given service along with the PEM-encoded private key for this certificate.

func GeneratePrivateKey 

func GeneratePrivateKey() (crypto.Signer, string, error)

GeneratePrivateKey generates a new Private key

func HexString 

func HexString(input []byte) string

HexString returns a standard colon-separated hex value for the input byte slice. This should be used with cert serial numbers and so on.

func KeyId 

func KeyId(raw interface{}) ([]byte, error)

KeyId returns a x509 KeyId from the given signing key. The key must be an *ecdsa.PublicKey currently, but may support more types in the future.

func ParseCSR 

func ParseCSR(pemValue string) (*x509.CertificateRequest, error)

ParseCSR parses a CSR from a PEM-encoded value. The certificate request must be the the first block in the PEM value.

func ParseCert 

func ParseCert(pemValue string) (*x509.Certificate, error)

ParseCert parses the x509 certificate from a PEM-encoded value.

func ParseSigner 

func ParseSigner(pemValue string) (crypto.Signer, error)

ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key is expected to be the first block in the PEM value.

func TestCA 

func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot

TestCA creates a test CA certificate and signing key and returns it in the CARoot structure format. The returned CA will be set as Active = true.

If xc is non-nil, then the returned certificate will have a signing cert that is cross-signed with the previous cert, and this will be set as SigningCert.

func TestCAConfigSet 

func TestCAConfigSet(t testing.T, a TestAgentRPC,
	ca *structs.CARoot) *structs.CARoot

TestCAConfigSet sets a CARoot returned by TestCA into the TestAgent state. It requires that TestAgent had connect enabled in it's config. If ca is nil, a new CA is created.

It returns the CARoot passed or created.

Note that we have to use an interface for the TestAgent.RPC method since we can't introduce an import cycle by importing `agent.TestAgent` here directly. It also means this will work in a few other places we mock that method.

func TestCSR 

func TestCSR(t testing.T, uri CertURI) (string, string)

TestCSR returns a CSR to sign the given service along with the PEM-encoded private key for this certificate.

func TestLeaf 

func TestLeaf(t testing.T, service string, root *structs.CARoot) (string, string)

TestLeaf returns a valid leaf certificate and it's private key for the named service with the given CA Root.

Types

type CertURI 

type CertURI interface {
	// Authorize tests the authorization for this URI as a client
	// for the given intention. The return value `auth` is only valid if
	// the second value `match` is true. If the second value `match` is
	// false, then the intention doesn't match this client and any
	// result should be ignored.
	Authorize(*structs.Intention) (auth bool, match bool)

	// URI is the valid URI value used in the cert.
	URI() *url.URL
}

CertURI represents a Connect-valid URI value for a TLS certificate. The user should type switch on the various implementations in this package to determine the type of URI and the data encoded within it.

Note that the current implementations of this are all also SPIFFE IDs. However, we anticipate that we may accept URIs that are also not SPIFFE compliant and therefore the interface is named as such.

func ParseCertURI 

func ParseCertURI(input *url.URL) (CertURI, error)

ParseCertURI parses a the URI value from a TLS certificate.

func ParseCertURIFromString added in v1.3.0 

func ParseCertURIFromString(input string) (CertURI, error)

ParseCertURIFromString attempts to parse a string representation of a certificate URI as a convenience helper around ParseCertURI.

type SpiffeIDService 

type SpiffeIDService struct {
	Host       string
	Namespace  string
	Datacenter string
	Service    string
}

SpiffeIDService is the structure to represent the SPIFFE ID for a service.

func TestSpiffeIDService 

func TestSpiffeIDService(t testing.T, service string) *SpiffeIDService

TestSpiffeIDService returns a SPIFFE ID representing a service.

func TestSpiffeIDServiceWithHost 

func TestSpiffeIDServiceWithHost(t testing.T, service, host string) *SpiffeIDService

TestSpiffeIDServiceWithHost returns a SPIFFE ID representing a service with the specified trust domain.

func (*SpiffeIDService) Authorize 

func (id *SpiffeIDService) Authorize(ixn *structs.Intention) (bool, bool)

CertURI impl.

func (*SpiffeIDService) URI 

func (id *SpiffeIDService) URI() *url.URL

URI returns the *url.URL for this SPIFFE ID.

type SpiffeIDSigning 

type SpiffeIDSigning struct {
	ClusterID string // Unique cluster ID
	Domain    string // The domain, usually "consul"
}

SpiffeIDSigning is the structure to represent the SPIFFE ID for a signing certificate (not a leaf service).

func SpiffeIDSigningForCluster 

func SpiffeIDSigningForCluster(config *structs.CAConfiguration) *SpiffeIDSigning

SpiffeIDSigningForCluster returns the SPIFFE signing identifier (trust domain) representation of the given CA config. If config is nil this function will panic.

NOTE(banks): we intentionally fix the tld `.consul` for now rather than tie this to the `domain` config used for DNS because changing DNS domain can't break all certificate validation. That does mean that DNS prefix might not match the identity URIs and so the trust domain might not actually resolve which we would like but don't actually need.

func (*SpiffeIDSigning) Authorize 

func (id *SpiffeIDSigning) Authorize(ixn *structs.Intention) (bool, bool)

CertURI impl.

func (*SpiffeIDSigning) CanSign 

func (id *SpiffeIDSigning) CanSign(cu CertURI) bool

CanSign takes any CertURI and returns whether or not this signing entity is allowed to sign CSRs for that entity (i.e. represents the trust domain for that entity).

I choose to make this a fixed centralized method here for now rather than a method on CertURI interface since we don't intend this to be extensible outside and it's easier to reason about the security properties when they are all in one place with "whitelist" semantics.

func (*SpiffeIDSigning) Host 

func (id *SpiffeIDSigning) Host() string

Host is the canonical representation as a DNS-compatible hostname.

func (*SpiffeIDSigning) URI 

func (id *SpiffeIDSigning) URI() *url.URL

URI returns the *url.URL for this SPIFFE ID.

type TestAgentRPC 

type TestAgentRPC interface {
	RPC(method string, args interface{}, reply interface{}) error
}

TestAgentRPC is an interface that an RPC client must implement. This is a helper interface that is implemented by the agent delegate so that test helpers can make RPCs without introducing an import cycle on `agent`.

Source Files

View all Source files

Directories

Path Synopsis
ca
plugin

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.