Constants ¶
const (
	// ACRMultiFactor is the OpenID PAPE "multi-factor" authentication policy
	// URI, i.e. the value an `acr` claim carries when the user authenticated
	// with more than one factor.
	ACRMultiFactor string = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
	// ACRMultiFactorPhysical is the OpenID PAPE "multi-factor-physical" policy
	// URI: multi-factor where at least one factor is a physical device.
	ACRMultiFactorPhysical string = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
	// AMROTP is the `amr` claim value for a one-time password.
	// NOTE(review): whether SignUserKey requires any of these acr/amr values
	// before issuing a certificate is not visible here — confirm in the
	// TokenVerifier / SignUserKey implementation before relying on it as an
	// MFA gate.
	AMROTP string = "otp"
)
Types ¶
type NonceRecorder ¶
// NonceRecorder tracks nonces that have already been presented so a nonce can
// be accepted at most once (replay prevention).
type NonceRecorder interface {
	// RecordNonce should note that a given nonce was used, and indicate if it
	// has already been used. expires is the point after which the nonce no
	// longer needs to be remembered.
	//
	// NOTE(review): to actually prevent replay the "already used?" check and
	// the recording must be a single atomic operation; a read followed by a
	// separate write lets two concurrent requests carrying the same nonce
	// both see used == false. The nonce must be retained at least until
	// expires, and when more than one replica of the service runs, the
	// store must be shared between them. A store failure should surface as
	// err (fail closed) rather than as used == false — presumably the
	// callers in SignUserKey/SignHostKey reject on err; confirm.
	RecordNonce(ctx context.Context, nonce string, expires time.Time) (used bool, err error)
}
NonceRecorder is used to prevent replays: a nonce is reported as used once it has been recorded, so a second presentation of the same nonce can be rejected. Implementations must make the check and the record a single atomic step (a separate "has it been used?" read followed by a write lets two concurrent requests with the same nonce both succeed), must keep a nonce at least until the supplied expiry, and, when the service runs as several replicas, must share that state across all of them.
type SSHSigner ¶
// SSHSigner is the SSH certificate authority service. Its methods
// (SignUserKey, SignHostKey, UserSigners, HostSigners) serve the sshsigner
// gRPC API; construct it with New.
type SSHSigner struct {
	// Log receives the service's log output.
	Log logrus.FieldLogger
	// NonceRec is consulted so that a nonce can only be used once
	// (replay protection). See NonceRecorder for the atomicity requirement.
	NonceRec NonceRecorder
	// Verifier validates the tokens submitted with signing requests.
	Verifier TokenVerifier
	// Audience is the audience the service expects — presumably the `aud`
	// value Verifier requires on submitted tokens; confirm in SignUserKey.
	Audience string
	// ValidAWSAccounts is an allowlist of AWS account IDs. NOTE(review):
	// presumably consulted by SignHostKey to decide which hosts may be
	// issued a host certificate; confirm, and keep this list minimal since
	// every listed account can obtain host certificates.
	ValidAWSAccounts []string
	// contains filtered or unexported fields
}
func New ¶
func New(l logrus.FieldLogger, userSigner SignerSource, hostSigner SignerSource, nonceRec NonceRecorder, v TokenVerifier, aud string, validAWSAccounts []string, opts ...SignerOpt) (*SSHSigner, error)
func (*SSHSigner) HostSigners ¶
func (*SSHSigner) SignHostKey ¶
func (s *SSHSigner) SignHostKey(ctx context.Context, req *sshsigner.SignHostKeyRequest) (*sshsigner.SignHostKeyResponse, error)
func (*SSHSigner) SignUserKey ¶
func (s *SSHSigner) SignUserKey(ctx context.Context, req *sshsigner.SignUserKeyRequest) (*sshsigner.SignUserKeyResponse, error)
func (*SSHSigner) UserSigners ¶
type SignerOpt ¶
// SignerOpt is a functional option applied to the SSHSigner being built by
// New; the With* functions below produce them.
type SignerOpt func(s *SSHSigner)
func WithCacheControl ¶
WithCacheControl causes responses from the user/host signing-key endpoints (UserSigners/HostSigners) to carry a Cache-Control header, giving the server control over how often clients re-fetch the trusted CA keys. The header is marked `private`, so shared (intermediate proxy) caches must not store the response; only the requesting client caches it. `max-age` is set to maxAge plus an additional amount of up to splay, which spreads client refreshes out over time rather than having every client re-fetch at the same instant. Note that the chosen max-age also bounds how long a client may keep trusting a key that has since been removed from the endpoint's response.
func WithHostCertValidityPeriod ¶
WithHostCertValidityPeriod sets the duration, measured from signing time, for which host certificates are valid. The default is 24 hours. Because an SSH certificate carries its own expiry and is otherwise only revocable by distributing a KRL to every client, this period also bounds how long an issued host certificate stays usable; keep it as short as the hosts' re-signing cadence allows.
func WithMaxUserCertValidityPeriod ¶
WithMaxUserCertValidityPeriod sets the maximum duration, measured from signing time, for which user certificates are valid. The default is 15 minutes. The effective validity is the smaller of this period and the remaining lifetime of the submitted claims: if the claims expire sooner, that earlier time is used instead. This option therefore only shortens certificates; it never extends one beyond the lifetime of the token it was issued from.
func WithSignersCache ¶
WithSignersCache caches the results of public key lookups for a fixed time, reducing load on the SignerSources behind the public key endpoints. Note that a key added to or removed from a SignerSource is not reflected in the UserSigners/HostSigners responses until the cached entry expires, so the cache duration bounds how quickly a signer rotation or removal reaches clients.
type SignerSource ¶
// SignerSource supplies the private signer used for signing operations and
// the set of public keys that should currently be trusted for this source.
type SignerSource interface {
	// Signer should return a usable crypto.Signer, that will be used for a
	// signing operations.
	Signer(context.Context) (crypto.Signer, error)
	// PublicKeys returns a list of all public keys that should be considered
	// valid for this source. NOTE(review): everything returned here is what
	// the service advertises to clients as a valid CA key, so it should
	// contain the public half of Signer plus only those other keys (e.g.
	// a previous key during rotation) that must still be trusted; a key
	// that is no longer trusted has to be removed from this list.
	PublicKeys(context.Context) ([]crypto.PublicKey, error)
}
SignerSource supplies the private signer used for signing operations, together with the set of public keys that should currently be considered valid for this source (the key behind Signer plus any others, for example a previous key kept during a rotation). Implementations may wrap multiple signers or other keysets for use by this service. Everything returned by PublicKeys is advertised to clients as a valid CA key, so a key that must no longer be trusted has to be removed from that list, not merely stop being used by Signer.
func NewStaticSignerSource ¶
func NewStaticSignerSource(s crypto.Signer, addlKeys ...crypto.PublicKey) SignerSource
NewStaticSignerSource returns a simple SignerSource bound to the single signing key s. The optional addlKeys are public keys only (they can never be used to sign); presumably they are returned by PublicKeys alongside s's public key, which is useful for keeping a previous CA key trusted while clients roll over — confirm against the implementation.
Directories ¶
Path | Synopsis
---|---
proto |
sshsigner/v1alpha1 | Package sshsigner is a reverse proxy.