api

package
v0.28.1-rc1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 19, 2024 License: Apache-2.0 Imports: 36 Imported by: 22

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CRL added in v0.23.0

func CRL(w http.ResponseWriter, r *http.Request)

CRL is an HTTP handler that returns the current CRL in DER or PEM format

func Federation added in v0.20.0

func Federation(w http.ResponseWriter, r *http.Request)

Federation returns all the public certificates in the federation.

func Health added in v0.20.0

func Health(w http.ResponseWriter, r *http.Request)

Health is an HTTP handler that returns the status of the server.

func Intermediates added in v0.27.3

func Intermediates(w http.ResponseWriter, r *http.Request)

Intermediates returns all the intermediate certificates of the CA.

func IntermediatesPEM added in v0.27.3

func IntermediatesPEM(w http.ResponseWriter, r *http.Request)

IntermediatesPEM returns all the intermediate certificates for the CA in PEM format.

func LogCertificate added in v0.15.0

func LogCertificate(w http.ResponseWriter, cert *x509.Certificate)

LogCertificate adds certificate fields to the log message.

func LogSSHCertificate added in v0.24.2

func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate)

LogSSHCertificate adds SSH certificate fields to the log message.

func ParseCursor added in v0.16.0

func ParseCursor(r *http.Request) (cursor string, limit int, err error)

ParseCursor parses the cursor and limit from the request query params.

func ProvisionerKey added in v0.20.0

func ProvisionerKey(w http.ResponseWriter, r *http.Request)

ProvisionerKey returns the encrypted key of a provisioner by it's key id.

func Provisioners added in v0.20.0

func Provisioners(w http.ResponseWriter, r *http.Request)

Provisioners returns the list of provisioners configured in the authority.

func Rekey added in v0.20.0

func Rekey(w http.ResponseWriter, r *http.Request)

Rekey is similar to renew except that the certificate will be renewed with new key from csr.

func Renew added in v0.20.0

func Renew(w http.ResponseWriter, r *http.Request)

Renew uses the information of certificate in the TLS connection to create a new one.

func Revoke added in v0.20.0

func Revoke(w http.ResponseWriter, r *http.Request)

Revoke supports handful of different methods that revoke a Certificate.

NOTE: currently only Passive revocation is supported.

TODO: Add CRL and OCSP support.

func Root added in v0.20.0

func Root(w http.ResponseWriter, r *http.Request)

Root is an HTTP handler that using the SHA256 from the URL, returns the root certificate for the given SHA256.

func Roots added in v0.20.0

func Roots(w http.ResponseWriter, r *http.Request)

Roots returns all the root certificates for the CA.

func RootsPEM added in v0.20.0

func RootsPEM(w http.ResponseWriter, r *http.Request)

RootsPEM returns all the root certificates for the CA in PEM format.

func Route added in v0.20.0

func Route(r Router)

func SSHBastion added in v0.20.0

func SSHBastion(w http.ResponseWriter, r *http.Request)

SSHBastion provides returns the bastion configured if any.

func SSHCheckHost added in v0.20.0

func SSHCheckHost(w http.ResponseWriter, r *http.Request)

SSHCheckHost is the HTTP handler that returns if a hosts certificate exists or not.

func SSHConfig added in v0.20.0

func SSHConfig(w http.ResponseWriter, r *http.Request)

SSHConfig is an HTTP handler that returns rendered templates for ssh clients and servers.

func SSHFederation added in v0.20.0

func SSHFederation(w http.ResponseWriter, r *http.Request)

SSHFederation is an HTTP handler that returns the federated SSH public keys for user and host certificates.

func SSHGetHosts added in v0.20.0

func SSHGetHosts(w http.ResponseWriter, r *http.Request)

SSHGetHosts is the HTTP handler that returns a list of valid ssh hosts.

func SSHRekey added in v0.20.0

func SSHRekey(w http.ResponseWriter, r *http.Request)

SSHRekey is an HTTP handler that reads an RekeySSHRequest with a one-time-token (ott) from the body and creates a new SSH certificate with the information in the request.

func SSHRenew added in v0.20.0

func SSHRenew(w http.ResponseWriter, r *http.Request)

SSHRenew is an HTTP handler that reads an RenewSSHRequest with a one-time-token (ott) from the body and creates a new SSH certificate with the information in the request.

func SSHRevoke added in v0.20.0

func SSHRevoke(w http.ResponseWriter, r *http.Request)

Revoke supports handful of different methods that revoke a Certificate.

NOTE: currently only Passive revocation is supported.

func SSHRoots added in v0.20.0

func SSHRoots(w http.ResponseWriter, r *http.Request)

SSHRoots is an HTTP handler that returns the SSH public keys for user and host certificates.

func SSHSign added in v0.20.0

func SSHSign(w http.ResponseWriter, r *http.Request)

SSHSign is an HTTP handler that reads an SignSSHRequest with a one-time-token (ott) from the body and creates a new SSH certificate with the information in the request.

func Sign added in v0.20.0

func Sign(w http.ResponseWriter, r *http.Request)

Sign is an HTTP handler that reads a certificate request and an one-time-token (ott) from the body and creates a new certificate with the information in the certificate request.

func Version added in v0.20.0

func Version(w http.ResponseWriter, r *http.Request)

Version is an HTTP handler that returns the version of the server.

Types

type Authority

type Authority interface {
	SSHAuthority
	// context specifies the Authorize[Sign|Revoke|etc.] method.
	Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error)
	AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error)
	GetTLSOptions() *config.TLSOptions
	Root(shasum string) (*x509.Certificate, error)
	SignWithContext(ctx context.Context, cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
	Renew(peer *x509.Certificate) ([]*x509.Certificate, error)
	RenewContext(ctx context.Context, peer *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
	Rekey(peer *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
	LoadProvisionerByCertificate(*x509.Certificate) (provisioner.Interface, error)
	LoadProvisionerByName(string) (provisioner.Interface, error)
	GetProvisioners(cursor string, limit int) (provisioner.List, string, error)
	Revoke(context.Context, *authority.RevokeOptions) error
	GetEncryptedKey(kid string) (string, error)
	GetRoots() ([]*x509.Certificate, error)
	GetIntermediateCertificates() []*x509.Certificate
	GetFederation() ([]*x509.Certificate, error)
	Version() authority.Version
	GetCertificateRevocationList() (*authority.CertificateRevocationListInfo, error)
}

Authority is the interface implemented by a CA authority.

type Certificate

type Certificate struct {
	*x509.Certificate
}

Certificate wraps a *x509.Certificate and adds the json.Marshaler interface.

func NewCertificate

func NewCertificate(cr *x509.Certificate) Certificate

NewCertificate is a helper method that returns a Certificate from a *x509.Certificate.

func (Certificate) MarshalJSON

func (c Certificate) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. The certificate is quoted string using the PEM encoding.

func (*Certificate) UnmarshalJSON

func (c *Certificate) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. The certificate is expected to be a quoted string using the PEM encoding.

type CertificateRequest

type CertificateRequest struct {
	*x509.CertificateRequest
}

CertificateRequest wraps a *x509.CertificateRequest and adds the json.Unmarshaler interface.

func NewCertificateRequest

func NewCertificateRequest(cr *x509.CertificateRequest) CertificateRequest

NewCertificateRequest is a helper method that returns a CertificateRequest from a *x509.CertificateRequest.

func (CertificateRequest) MarshalJSON

func (c CertificateRequest) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. The certificate request is a quoted string using the PEM encoding.

func (*CertificateRequest) UnmarshalJSON

func (c *CertificateRequest) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. The certificate request is expected to be a quoted string using the PEM encoding.

type FederationResponse added in v0.8.3

type FederationResponse struct {
	Certificates []Certificate `json:"crts"`
}

FederationResponse is the response object of the federation request.

type HealthResponse

type HealthResponse struct {
	Status string `json:"status"`
}

HealthResponse is the response object that returns the health of the server.

type IntermediatesResponse added in v0.27.3

type IntermediatesResponse struct {
	Certificates []Certificate `json:"crts"`
}

IntermediatesResponse is the response object of the intermediates request.

type ProvisionerKeyResponse

type ProvisionerKeyResponse struct {
	Key string `json:"key"`
}

ProvisionerKeyResponse is the response object that returns the encrypted key of a provisioner.

type ProvisionersResponse

type ProvisionersResponse struct {
	Provisioners provisioner.List
	NextCursor   string
}

ProvisionersResponse is the response object that returns the list of provisioners.

func (ProvisionersResponse) MarshalJSON added in v0.24.2

func (p ProvisionersResponse) MarshalJSON() ([]byte, error)

MarshalJSON implements json.Marshaler. It marshals the ProvisionersResponse into a byte slice.

Special treatment is given to the SCEP provisioner, as it contains a challenge secret that MUST NOT be leaked in (public) HTTP responses. The challenge value is thus redacted in HTTP responses.

type RekeyRequest added in v0.15.0

type RekeyRequest struct {
	CsrPEM CertificateRequest `json:"csr"`
}

RekeyRequest is the request body for a certificate rekey request.

func (*RekeyRequest) Validate added in v0.15.0

func (s *RekeyRequest) Validate() error

Validate checks the fields of the RekeyRequest and returns nil if they are ok or an error if something is wrong.

type RevokeRequest added in v0.10.0

type RevokeRequest struct {
	Serial     string `json:"serial"`
	OTT        string `json:"ott"`
	ReasonCode int    `json:"reasonCode"`
	Reason     string `json:"reason"`
	Passive    bool   `json:"passive"`
}

RevokeRequest is the request body for a revocation request.

func (*RevokeRequest) Validate added in v0.10.0

func (r *RevokeRequest) Validate() (err error)

Validate checks the fields of the RevokeRequest and returns nil if they are ok or an error if something is wrong.

type RevokeResponse added in v0.10.0

type RevokeResponse struct {
	Status string `json:"status"`
}

RevokeResponse is the response object that returns the health of the server.

type RootResponse

type RootResponse struct {
	RootPEM Certificate `json:"ca"`
}

RootResponse is the response object that returns the PEM of a root certificate.

type RootsResponse added in v0.8.3

type RootsResponse struct {
	Certificates []Certificate `json:"crts"`
}

RootsResponse is the response object of the roots request.

type Router

type Router interface {
	// MethodFunc adds routes for `pattern` that matches
	// the `method` HTTP method.
	MethodFunc(method, pattern string, h http.HandlerFunc)
}

Router defines a common router interface.

type RouterHandler

type RouterHandler interface {
	Route(r Router)
}

RouterHandler is the interface that a HTTP handler that manages multiple endpoints will implement.

func New deprecated

New creates a new RouterHandler with the CA endpoints.

Deprecated: Use api.Route(r Router)

type SSHAuthority added in v0.12.0

type SSHAuthority interface {
	SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
	RenewSSH(ctx context.Context, cert *ssh.Certificate) (*ssh.Certificate, error)
	RekeySSH(ctx context.Context, cert *ssh.Certificate, key ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
	SignSSHAddUser(ctx context.Context, key ssh.PublicKey, cert *ssh.Certificate) (*ssh.Certificate, error)
	GetSSHRoots(ctx context.Context) (*config.SSHKeys, error)
	GetSSHFederation(ctx context.Context) (*config.SSHKeys, error)
	GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error)
	CheckSSHHost(ctx context.Context, principal string, token string) (bool, error)
	GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)
	GetSSHBastion(ctx context.Context, user string, hostname string) (*config.Bastion, error)
}

SSHAuthority is the interface implemented by a SSH CA authority.

type SSHBastionRequest added in v0.14.0

type SSHBastionRequest struct {
	User     string `json:"user"`
	Hostname string `json:"hostname"`
}

SSHBastionRequest is the request body used to get the bastion for a given host.

func (*SSHBastionRequest) Validate added in v0.14.0

func (r *SSHBastionRequest) Validate() error

Validate checks the values of the SSHBastionRequest.

type SSHBastionResponse added in v0.14.0

type SSHBastionResponse struct {
	Hostname string          `json:"hostname"`
	Bastion  *config.Bastion `json:"bastion,omitempty"`
}

SSHBastionResponse is the response body used to return the bastion for a given host.

type SSHCertificate added in v0.12.0

type SSHCertificate struct {
	*ssh.Certificate `json:"omitempty"`
}

SSHCertificate represents the response SSH certificate.

func (SSHCertificate) MarshalJSON added in v0.12.0

func (c SSHCertificate) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. Returns a quoted, base64 encoded, openssh wire format version of the certificate.

func (*SSHCertificate) UnmarshalJSON added in v0.12.0

func (c *SSHCertificate) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. The certificate is expected to be a quoted, base64 encoded, openssh wire formatted block of bytes.

type SSHCheckPrincipalRequest added in v0.14.0

type SSHCheckPrincipalRequest struct {
	Type      string `json:"type"`
	Principal string `json:"principal"`
	Token     string `json:"token,omitempty"`
}

SSHCheckPrincipalRequest is the request body used to check if a principal certificate has been created. Right now it only supported for hosts certificates.

func (*SSHCheckPrincipalRequest) Validate added in v0.14.0

func (r *SSHCheckPrincipalRequest) Validate() error

Validate checks the check principal request.

type SSHCheckPrincipalResponse added in v0.14.0

type SSHCheckPrincipalResponse struct {
	Exists bool `json:"exists"`
}

SSHCheckPrincipalResponse is the response body used to check if a principal exists.

type SSHConfigRequest added in v0.14.0

type SSHConfigRequest struct {
	Type string            `json:"type"`
	Data map[string]string `json:"data"`
}

SSHConfigRequest is the request body used to get the SSH configuration templates.

func (*SSHConfigRequest) Validate added in v0.14.0

func (r *SSHConfigRequest) Validate() error

Validate checks the values of the SSHConfigurationRequest.

type SSHConfigResponse added in v0.14.0

type SSHConfigResponse struct {
	UserTemplates []Template `json:"userTemplates,omitempty"`
	HostTemplates []Template `json:"hostTemplates,omitempty"`
}

SSHConfigResponse is the response that returns the rendered templates.

type SSHGetHostsResponse added in v0.14.0

type SSHGetHostsResponse struct {
	Hosts []config.Host `json:"hosts"`
}

SSHGetHostsResponse is the response object that returns the list of valid hosts for SSH.

type SSHPublicKey added in v0.14.0

type SSHPublicKey struct {
	ssh.PublicKey
}

SSHPublicKey represents a public key in a response object.

func (*SSHPublicKey) MarshalJSON added in v0.14.0

func (p *SSHPublicKey) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. Returns a quoted, base64 encoded, openssh wire format version of the public key.

func (*SSHPublicKey) UnmarshalJSON added in v0.14.0

func (p *SSHPublicKey) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. The public key is expected to be a quoted, base64 encoded, openssh wire formatted block of bytes.

type SSHRekeyRequest added in v0.14.0

type SSHRekeyRequest struct {
	OTT       string `json:"ott"`
	PublicKey []byte `json:"publicKey"` //base64 encoded
}

SSHRekeyRequest is the request body of an SSH certificate request.

func (*SSHRekeyRequest) Validate added in v0.14.0

func (s *SSHRekeyRequest) Validate() error

Validate validates the SSHSignRekey.

type SSHRekeyResponse added in v0.14.0

type SSHRekeyResponse struct {
	Certificate         SSHCertificate `json:"crt"`
	IdentityCertificate []Certificate  `json:"identityCrt,omitempty"`
}

SSHRekeyResponse is the response object that returns the SSH certificate.

type SSHRenewRequest added in v0.14.0

type SSHRenewRequest struct {
	OTT string `json:"ott"`
}

SSHRenewRequest is the request body of an SSH certificate request.

func (*SSHRenewRequest) Validate added in v0.14.0

func (s *SSHRenewRequest) Validate() error

Validate validates the SSHSignRequest.

type SSHRenewResponse added in v0.14.0

type SSHRenewResponse struct {
	Certificate         SSHCertificate `json:"crt"`
	IdentityCertificate []Certificate  `json:"identityCrt,omitempty"`
}

SSHRenewResponse is the response object that returns the SSH certificate.

type SSHRevokeRequest added in v0.14.0

type SSHRevokeRequest struct {
	Serial     string `json:"serial"`
	OTT        string `json:"ott"`
	ReasonCode int    `json:"reasonCode"`
	Reason     string `json:"reason"`
	Passive    bool   `json:"passive"`
}

SSHRevokeRequest is the request body for a revocation request.

func (*SSHRevokeRequest) Validate added in v0.14.0

func (r *SSHRevokeRequest) Validate() (err error)

Validate checks the fields of the RevokeRequest and returns nil if they are ok or an error if something is wrong.

type SSHRevokeResponse added in v0.14.0

type SSHRevokeResponse struct {
	Status string `json:"status"`
}

SSHRevokeResponse is the response object that returns the health of the server.

type SSHRootsResponse added in v0.14.0

type SSHRootsResponse struct {
	UserKeys []SSHPublicKey `json:"userKey,omitempty"`
	HostKeys []SSHPublicKey `json:"hostKey,omitempty"`
}

SSHRootsResponse represents the response object that returns the SSH user and host keys.

type SSHSignRequest added in v0.14.0

type SSHSignRequest struct {
	PublicKey        []byte             `json:"publicKey"` // base64 encoded
	OTT              string             `json:"ott"`
	CertType         string             `json:"certType,omitempty"`
	KeyID            string             `json:"keyID,omitempty"`
	Principals       []string           `json:"principals,omitempty"`
	ValidAfter       TimeDuration       `json:"validAfter,omitempty"`
	ValidBefore      TimeDuration       `json:"validBefore,omitempty"`
	AddUserPublicKey []byte             `json:"addUserPublicKey,omitempty"`
	IdentityCSR      CertificateRequest `json:"identityCSR,omitempty"`
	TemplateData     json.RawMessage    `json:"templateData,omitempty"`
}

SSHSignRequest is the request body of an SSH certificate request.

func (*SSHSignRequest) Validate added in v0.14.0

func (s *SSHSignRequest) Validate() error

Validate validates the SSHSignRequest.

type SSHSignResponse added in v0.14.0

type SSHSignResponse struct {
	Certificate         SSHCertificate  `json:"crt"`
	AddUserCertificate  *SSHCertificate `json:"addUserCrt,omitempty"`
	IdentityCertificate []Certificate   `json:"identityCrt,omitempty"`
}

SSHSignResponse is the response object that returns the SSH certificate.

type SignRequest

type SignRequest struct {
	CsrPEM       CertificateRequest `json:"csr"`
	OTT          string             `json:"ott"`
	NotAfter     TimeDuration       `json:"notAfter,omitempty"`
	NotBefore    TimeDuration       `json:"notBefore,omitempty"`
	TemplateData json.RawMessage    `json:"templateData,omitempty"`
}

SignRequest is the request body for a certificate signature request.

func (*SignRequest) Validate

func (s *SignRequest) Validate() error

Validate checks the fields of the SignRequest and returns nil if they are ok or an error if something is wrong.

type SignResponse

type SignResponse struct {
	ServerPEM    Certificate          `json:"crt"`
	CaPEM        Certificate          `json:"ca"`
	CertChainPEM []Certificate        `json:"certChain"`
	TLSOptions   *config.TLSOptions   `json:"tlsOptions,omitempty"`
	TLS          *tls.ConnectionState `json:"-"`
}

SignResponse is the response object of the certificate signature request.

type Template added in v0.14.0

type Template = templates.Output

Template represents the output of a template.

type TimeDuration added in v0.9.0

type TimeDuration = provisioner.TimeDuration

TimeDuration is an alias of provisioner.TimeDuration

func NewTimeDuration added in v0.9.0

func NewTimeDuration(t time.Time) TimeDuration

NewTimeDuration returns a TimeDuration with the defined time.

func ParseTimeDuration added in v0.9.0

func ParseTimeDuration(s string) (TimeDuration, error)

ParseTimeDuration returns a new TimeDuration parsing the RFC 3339 time or time.Duration string.

type VersionResponse added in v0.14.0

type VersionResponse struct {
	Version                     string `json:"version"`
	RequireClientAuthentication bool   `json:"requireClientAuthentication,omitempty"`
}

VersionResponse is the response object that returns the version of the server.

Directories

Path Synopsis
Package log implements API-related logging helpers.
Package log implements API-related logging helpers.
Package read implements request object readers.
Package read implements request object readers.
Package render implements functionality related to response rendering.
Package render implements functionality related to response rendering.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL