authority

package
v0.18.3-rc4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 19, 2022 License: Apache-2.0 Imports: 56 Imported by: 38

Documentation

Index

Constants

View Source
const (
	// SSHAddUserPrincipal is the principal that will run the add user command.
	// Defaults to "provisioner" but it can be changed in the configuration.
	SSHAddUserPrincipal = "provisioner"

	// SSHAddUserCommand is the default command to run to add a new user.
	// Defaults to "sudo useradd -m <principal>; nc -q0 localhost 22" but it can be changed in the
	// configuration. The string "<principal>" will be replace by the new
	// principal to add.
	SSHAddUserCommand = "sudo useradd -m <principal>; nc -q0 localhost 22"
)

Variables

View Source
var DefaultTLSOptions = config.DefaultTLSOptions

DefaultTLSOptions is an alias to support older APIs.

View Source
var GlobalVersion = Version{
	Version: "0.0.0",
}

GlobalVersion stores the version information of the server.

View Source
var LoadConfiguration = config.LoadConfiguration

LoadConfiguration is an alias to support older APIs.

Functions

func CreateFirstProvisioner added in v0.16.0

func CreateFirstProvisioner(ctx context.Context, adminDB admin.DB, password string) (*linkedca.Provisioner, error)

CreateFirstProvisioner creates and stores the first provisioner when using admin database provisioner storage.

func IsValidForAddUser added in v0.14.4

func IsValidForAddUser(cert *ssh.Certificate) error

IsValidForAddUser checks if a user provisioner certificate can be issued to the given certificate.

func NewContextWithSkipTokenReuse added in v0.14.0

func NewContextWithSkipTokenReuse(ctx context.Context) context.Context

NewContextWithSkipTokenReuse creates a new context from ctx and attaches a value to skip the token reuse.

func ProvisionerToCertificates added in v0.16.0

func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface, error)

ProvisionerToCertificates converts the linkedca provisioner type to the certificates provisioner interface.

func ProvisionerToLinkedca added in v0.17.0

func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, error)

ProvisionerToLinkedca converts a provisioner.Interface to a linkedca.Provisioner type.

func SkipTokenReuseFromContext added in v0.14.0

func SkipTokenReuseFromContext(ctx context.Context) bool

SkipTokenReuseFromContext returns if the token reuse needs to be ignored.

func ValidateClaims added in v0.16.0

func ValidateClaims(c *linkedca.Claims) error

ValidateClaims validates the Claims type.

func ValidateDurations added in v0.16.0

func ValidateDurations(d *linkedca.Durations) error

ValidateDurations validates the Durations type.

Types

type ASN1DN added in v0.15.2

type ASN1DN = config.ASN1DN

ASN1DN is an alias to support older APIs.

type AuthConfig

type AuthConfig = config.AuthConfig

AuthConfig is an alias to support older APIs.

type Authority

type Authority struct {
	// contains filtered or unexported fields
}

Authority implements the Certificate Authority internal interface.

func New

func New(cfg *config.Config, opts ...Option) (*Authority, error)

New creates and initiates a new Authority type.

func NewEmbedded added in v0.14.5

func NewEmbedded(opts ...Option) (*Authority, error)

NewEmbedded initializes an authority that can be embedded in a different project without the limitations of the config.

func (*Authority) Authorize

func (a *Authority) Authorize(ctx context.Context, token string) ([]provisioner.SignOption, error)

Authorize grabs the method from the context and authorizes the request by validating the one-time-token.

func (*Authority) AuthorizeAdminToken added in v0.16.0

func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedca.Admin, error)

AuthorizeAdminToken authorize an Admin token.

func (*Authority) AuthorizeRenewToken added in v0.19.0

func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error)

AuthorizeRenewToken validates the renew token and returns the leaf certificate in the x5cInsecure header.

func (*Authority) AuthorizeSign added in v0.10.0

func (a *Authority) AuthorizeSign(token string) ([]provisioner.SignOption, error)

AuthorizeSign authorizes a signature request by validating and authenticating a token that must be sent w/ the request.

NOTE: This method is deprecated and should not be used. We make it available in the short term os as not to break existing clients.

func (*Authority) CheckSSHHost added in v0.14.0

func (a *Authority) CheckSSHHost(ctx context.Context, principal, token string) (bool, error)

CheckSSHHost checks the given principal has been registered before.

func (*Authority) CloseForReload added in v0.15.7

func (a *Authority) CloseForReload()

CloseForReload closes internal services, to allow a safe reload.

func (*Authority) Export added in v0.17.0

func (a *Authority) Export() (c *linkedca.Configuration, err error)

Export creates a linkedca configuration form the current ca.json and loaded authorities.

Note that export will not export neither the pki password nor the certificate issuer password.

func (*Authority) GetAdminDatabase added in v0.16.0

func (a *Authority) GetAdminDatabase() admin.DB

GetAdminDatabase returns the admin database, if one exists.

func (*Authority) GetAdmins added in v0.16.0

func (a *Authority) GetAdmins(cursor string, limit int) ([]*linkedca.Admin, string, error)

GetAdmins returns a map listing each provisioner and the JWK Key Set with their public keys.

func (*Authority) GetDatabase added in v0.11.0

func (a *Authority) GetDatabase() db.AuthDB

GetDatabase returns the authority database. If the configuration does not define a database, GetDatabase will return a db.SimpleDB instance.

func (*Authority) GetEncryptedKey

func (a *Authority) GetEncryptedKey(kid string) (string, error)

GetEncryptedKey returns the JWE key corresponding to the given kid argument.

func (*Authority) GetFederation added in v0.8.3

func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)

GetFederation returns all the root certificates in the federation. This method implements the Authority interface.

func (*Authority) GetInfo added in v0.19.0

func (a *Authority) GetInfo() Info

func (*Authority) GetProvisioners

func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error)

GetProvisioners returns a map listing each provisioner and the JWK Key Set with their public keys.

func (*Authority) GetRootCertificate

func (a *Authority) GetRootCertificate() *x509.Certificate

GetRootCertificate returns the server root certificate.

func (*Authority) GetRootCertificates added in v0.8.3

func (a *Authority) GetRootCertificates() []*x509.Certificate

GetRootCertificates returns the server root certificates.

In the Authority interface we also have a similar method, GetRoots, at the moment the functionality of these two methods are almost identical, but this method is intended to be used internally by CA HTTP server to load the roots that will be set in the tls.Config while GetRoots will be used by the Authority interface and might have extra checks in the future.

func (*Authority) GetRoots added in v0.8.3

func (a *Authority) GetRoots() ([]*x509.Certificate, error)

GetRoots returns all the root certificates for this CA. This method implements the Authority interface.

func (*Authority) GetSCEPService added in v0.15.16

func (a *Authority) GetSCEPService() *scep.Service

GetSCEPService returns the configured SCEP Service TODO: this function is intended to exist temporarily in order to make SCEP work more easily. It can be made more correct by using the right interfaces/abstractions after it works as expected.

func (*Authority) GetSSHBastion added in v0.14.0

func (a *Authority) GetSSHBastion(ctx context.Context, user, hostname string) (*config.Bastion, error)

GetSSHBastion returns the bastion configuration, for the given pair user, hostname.

func (*Authority) GetSSHConfig added in v0.14.0

func (a *Authority) GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error)

GetSSHConfig returns rendered templates for clients (user) or servers (host).

func (*Authority) GetSSHFederation added in v0.14.0

func (a *Authority) GetSSHFederation(context.Context) (*config.SSHKeys, error)

GetSSHFederation returns the public keys for federated SSH signers.

func (*Authority) GetSSHHosts added in v0.14.0

func (a *Authority) GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)

GetSSHHosts returns a list of valid host principals.

func (*Authority) GetSSHRoots added in v0.14.0

func (a *Authority) GetSSHRoots(context.Context) (*config.SSHKeys, error)

GetSSHRoots returns the SSH User and Host public keys.

func (*Authority) GetTLSCertificate

func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)

GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.

func (*Authority) GetTLSOptions

func (a *Authority) GetTLSOptions() *config.TLSOptions

GetTLSOptions returns the tls options configured.

func (*Authority) IsAdminAPIEnabled added in v0.16.0

func (a *Authority) IsAdminAPIEnabled() bool

IsAdminAPIEnabled returns a boolean indicating whether the Admin API has been enabled.

func (*Authority) IsRevoked added in v0.18.1

func (a *Authority) IsRevoked(sn string) (bool, error)

IsRevoked returns whether or not a certificate has been revoked before.

func (*Authority) LoadAdminByID added in v0.16.0

func (a *Authority) LoadAdminByID(id string) (*linkedca.Admin, bool)

LoadAdminByID returns an *linkedca.Admin with the given ID.

func (*Authority) LoadAdminBySubProv added in v0.16.0

func (a *Authority) LoadAdminBySubProv(subject, prov string) (*linkedca.Admin, bool)

LoadAdminBySubProv returns an *linkedca.Admin with the given ID.

func (*Authority) LoadProvisionerByCertificate added in v0.10.0

func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)

LoadProvisionerByCertificate returns an interface to the provisioner that provisioned the certificate.

func (*Authority) LoadProvisionerByID added in v0.13.0

func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)

LoadProvisionerByID returns an interface to the provisioner with the given ID.

func (*Authority) LoadProvisionerByName added in v0.16.0

func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error)

LoadProvisionerByName returns an interface to the provisioner with the given Name.

func (*Authority) LoadProvisionerByToken added in v0.16.0

func (a *Authority) LoadProvisionerByToken(token *jwt.JSONWebToken, claims *jwt.Claims) (provisioner.Interface, error)

LoadProvisionerByToken returns an interface to the provisioner that provisioned the token.

func (*Authority) Rekey added in v0.15.0

func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)

Rekey is used for rekeying and renewing based on the public key. If the public key is 'nil' then it's assumed that the cert should be renewed using the existing public key. If the public key is not 'nil' then it's assumed that the cert should be rekeyed. For both Rekey and Renew all other attributes of the new certificate should match the old certificate. The exceptions are 'AuthorityKeyId' (which may have changed), 'SubjectKeyId' (different in case of rekey), and 'NotBefore/NotAfter' (the validity duration of the new certificate should be equal to the old one, but starting 'now').

func (*Authority) RekeySSH added in v0.14.0

func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)

RekeySSH creates a signed SSH certificate using the old SSH certificate as a template.

func (*Authority) RemoveAdmin added in v0.16.0

func (a *Authority) RemoveAdmin(ctx context.Context, id string) error

RemoveAdmin removes an *linkedca.Admin from the authority.

func (*Authority) RemoveProvisioner added in v0.16.0

func (a *Authority) RemoveProvisioner(ctx context.Context, id string) error

RemoveProvisioner removes an provisioner.Interface from the authority.

func (*Authority) Renew

func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error)

Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.

func (*Authority) RenewSSH added in v0.14.0

func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ssh.Certificate, error)

RenewSSH creates a signed SSH certificate using the old SSH certificate as a template.

func (*Authority) Revoke added in v0.10.0

func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error

Revoke revokes a certificate.

NOTE: Only supports passive revocation - prevent existing certificates from being renewed.

TODO: Add OCSP and CRL support.

func (*Authority) Root

func (a *Authority) Root(sum string) (*x509.Certificate, error)

Root returns the certificate corresponding to the given SHA sum argument.

func (*Authority) Shutdown added in v0.10.0

func (a *Authority) Shutdown() error

Shutdown safely shuts down any clients, databases, etc. held by the Authority.

func (*Authority) Sign

Sign creates a signed certificate from a certificate signing request.

func (*Authority) SignSSH added in v0.12.0

SignSSH creates a signed SSH certificate with the given public key and options.

func (*Authority) SignSSHAddUser added in v0.12.0

func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)

SignSSHAddUser signs a certificate that provisions a new user in a server.

func (*Authority) StoreAdmin added in v0.16.0

func (a *Authority) StoreAdmin(ctx context.Context, adm *linkedca.Admin, prov provisioner.Interface) error

StoreAdmin stores an *linkedca.Admin to the authority.

func (*Authority) StoreProvisioner added in v0.16.0

func (a *Authority) StoreProvisioner(ctx context.Context, prov *linkedca.Provisioner) error

StoreProvisioner stores an provisioner.Interface to the authority.

func (*Authority) UpdateAdmin added in v0.16.0

func (a *Authority) UpdateAdmin(ctx context.Context, id string, nu *linkedca.Admin) (*linkedca.Admin, error)

UpdateAdmin stores an *linkedca.Admin to the authority.

func (*Authority) UpdateProvisioner added in v0.16.0

func (a *Authority) UpdateProvisioner(ctx context.Context, nu *linkedca.Provisioner) error

UpdateProvisioner stores an provisioner.Interface to the authority.

func (*Authority) UseToken added in v0.16.0

func (a *Authority) UseToken(token string, prov provisioner.Interface) error

UseToken stores the token to protect against reuse.

This method currently ignores any error coming from the GetTokenID, but it should specifically ignore the error provisioner.ErrAllowTokenReuse.

func (*Authority) Version added in v0.14.0

func (a *Authority) Version() Version

Version returns the version information of the server.

type Bastion added in v0.14.0

type Bastion = config.Bastion

Bastion is an alias to support older APIs.

type CipherSuites added in v0.15.2

type CipherSuites = config.CipherSuites

CipherSuites is an alias to support older APIs.

type Claims added in v0.8.4

type Claims struct {
	jose.Claims
	SANs  []string `json:"sans,omitempty"`
	Email string   `json:"email,omitempty"`
	Nonce string   `json:"nonce,omitempty"`
}

Claims extends jose.Claims with step attributes.

type Config

type Config = config.Config

Config is an alias to support older APIs.

type Host added in v0.15.2

type Host = config.Host

Host is an alias to support older APIs.

type HostTag added in v0.15.2

type HostTag = config.HostTag

HostTag is an alias to support older APIs.

type Info added in v0.19.0

type Info struct {
	StartTime          time.Time
	RootX509Certs      []*x509.Certificate
	SSHCAUserPublicKey []byte
	SSHCAHostPublicKey []byte
	DNSNames           []string
}

type Option added in v0.11.0

type Option func(*Authority) error

Option sets options to the Authority.

func WithAdminDB added in v0.16.0

func WithAdminDB(d admin.DB) Option

WithAdminDB is an option to set the database backing the admin APIs.

func WithAuthorizeRenewFunc added in v0.19.0

func WithAuthorizeRenewFunc(fn func(ctx context.Context, p *provisioner.Controller, cert *x509.Certificate) error) Option

WithAuthorizeRenewFunc sets a custom function that authorizes the renewal of an X.509 certificate.

func WithAuthorizeSSHRenewFunc added in v0.19.0

func WithAuthorizeSSHRenewFunc(fn func(ctx context.Context, p *provisioner.Controller, cert *ssh.Certificate) error) Option

WithAuthorizeSSHRenewFunc sets a custom function that authorizes the renewal of a SSH certificate.

func WithConfig added in v0.14.5

func WithConfig(cfg *config.Config) Option

WithConfig replaces the current config with the given one. No validation is performed in the given value.

func WithConfigFile added in v0.14.5

func WithConfigFile(filename string) Option

WithConfigFile reads the given filename as a configuration file and replaces the current one. No validation is performed in the given configuration.

func WithDatabase added in v0.11.0

func WithDatabase(d db.AuthDB) Option

WithDatabase sets an already initialized authority database to a new authority. This option is intended to be use on graceful reloads.

func WithGetIdentityFunc added in v0.14.0

func WithGetIdentityFunc(fn func(ctx context.Context, p provisioner.Interface, email string) (*provisioner.Identity, error)) Option

WithGetIdentityFunc sets a custom function to retrieve the identity from an external resource.

func WithIssuerPassword added in v0.17.3

func WithIssuerPassword(password []byte) Option

WithIssuerPassword set the password to decrypt the certificate issuer private key used in RA mode.

func WithKeyManager added in v0.14.0

func WithKeyManager(k kms.KeyManager) Option

WithKeyManager defines the key manager used to get and create keys, and sign certificates.

func WithLinkedCAToken added in v0.17.0

func WithLinkedCAToken(token string) Option

WithLinkedCAToken is an option to set the authentication token used to enable linked ca.

func WithPassword added in v0.17.3

func WithPassword(password []byte) Option

WithPassword set the password to decrypt the intermediate key as well as the ssh host and user keys if they are not overridden by other options.

func WithSSHBastionFunc added in v0.14.0

func WithSSHBastionFunc(fn func(ctx context.Context, user, host string) (*config.Bastion, error)) Option

WithSSHBastionFunc sets a custom function to get the bastion for a given user-host pair.

func WithSSHCheckHost added in v0.14.0

func WithSSHCheckHost(fn func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)) Option

WithSSHCheckHost sets a custom function to check whether a given host is step ssh enabled. The token is used to validate the request, while the roots are used to validate the token.

func WithSSHGetHosts added in v0.14.0

func WithSSHGetHosts(fn func(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)) Option

WithSSHGetHosts sets a custom function to return a list of step ssh enabled hosts.

func WithSSHHostPassword added in v0.17.3

func WithSSHHostPassword(password []byte) Option

WithSSHHostPassword set the password to decrypt the key used to sign SSH host certificates.

func WithSSHHostSigner added in v0.14.0

func WithSSHHostSigner(s crypto.Signer) Option

WithSSHHostSigner defines the signer used to sign SSH host certificates.

func WithSSHUserPassword added in v0.17.3

func WithSSHUserPassword(password []byte) Option

WithSSHUserPassword set the password to decrypt the key used to sign SSH user certificates.

func WithSSHUserSigner added in v0.14.0

func WithSSHUserSigner(s crypto.Signer) Option

WithSSHUserSigner defines the signer used to sign SSH user certificates.

func WithX509Enforcers added in v0.18.1

func WithX509Enforcers(ces ...provisioner.CertificateEnforcer) Option

WithX509Enforcers is an option that allows to define custom certificate modifiers that will be processed just before the signing of the certificate.

func WithX509FederatedBundle added in v0.14.0

func WithX509FederatedBundle(pemCerts []byte) Option

WithX509FederatedBundle is an option that allows to define the list of federated certificates. This option will replace any federated certificate defined before.

func WithX509FederatedCerts added in v0.14.0

func WithX509FederatedCerts(certs ...*x509.Certificate) Option

WithX509FederatedCerts is an option that allows to define the list of federated certificates. This option will replace any federated certificate defined before.

func WithX509RootBundle added in v0.14.0

func WithX509RootBundle(pemCerts []byte) Option

WithX509RootBundle is an option that allows to define the list of root certificates. This option will replace any root certificate defined before.

func WithX509RootCerts added in v0.14.0

func WithX509RootCerts(rootCerts ...*x509.Certificate) Option

WithX509RootCerts is an option that allows to define the list of root certificates to use. This option will replace any root certificate defined before.

func WithX509Signer added in v0.14.0

func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option

WithX509Signer defines the signer used to sign X509 certificates.

func WithX509SignerFunc added in v0.19.0

func WithX509SignerFunc(fn func() ([]*x509.Certificate, crypto.Signer, error)) Option

WithX509SignerFunc defines the function used to get the chain of certificates and signer used when we sign X.509 certificates.

type RevokeOptions added in v0.10.0

type RevokeOptions struct {
	Serial      string
	Reason      string
	ReasonCode  int
	PassiveOnly bool
	MTLS        bool
	ACME        bool
	Crt         *x509.Certificate
	OTT         string
}

RevokeOptions are the options for the Revoke API.

type SSHConfig added in v0.12.0

type SSHConfig = config.SSHConfig

SSHConfig is an alias to support older APIs.

type SSHKeys added in v0.14.0

type SSHKeys = config.SSHKeys

SSHKeys is an alias to support older APIs.

type SSHPublicKey added in v0.14.0

type SSHPublicKey = config.SSHPublicKey

SSHPublicKey is an alias to support older APIs.

type TLSOptions added in v0.15.2

type TLSOptions = config.TLSOptions

TLSOptions is an alias to support older APIs.

type Version added in v0.14.0

type Version struct {
	Version                     string
	RequireClientAuthentication bool
}

Version defines the

Directories

Path Synopsis
api

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL