provisioner

package
v0.11.0-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 7, 2019 License: Apache-2.0 Imports: 27 Imported by: 51

Documentation

Index

Constants

View Source 
const DefaultProvisionersLimit = 20

DefaultProvisionersLimit is the default limit for listing provisioners.

View Source 
const DefaultProvisionersMax = 100

DefaultProvisionersMax is the maximum limit for listing provisioners.

Variables

This section is empty.

Functions

This section is empty.

Types

type AWS added in v0.11.0 

type AWS struct {
	Type                   string   `json:"type"`
	Name                   string   `json:"name"`
	Accounts               []string `json:"accounts"`
	DisableCustomSANs      bool     `json:"disableCustomSANs"`
	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
	InstanceAge            Duration `json:"instanceAge,omitempty"`
	Claims                 *Claims  `json:"claims,omitempty"`
	// contains filtered or unexported fields
}

AWS is the provisioner that supports identity tokens created from the Amazon Web Services Instance Identity Documents.

If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

If InstanceAge is set, only the instances with a pendingTime within the given period will be accepted.

Amazon Identity docs are available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html

func (*AWS) AuthorizeRenewal added in v0.11.0 

func (p *AWS) AuthorizeRenewal(cert *x509.Certificate) error

AuthorizeRenewal returns an error if the renewal is disabled.

func (*AWS) AuthorizeRevoke added in v0.11.0 

func (p *AWS) AuthorizeRevoke(token string) error

AuthorizeRevoke returns an error because revoke is not supported on AWS provisioners.

func (*AWS) AuthorizeSign added in v0.11.0 

func (p *AWS) AuthorizeSign(token string) ([]SignOption, error)

AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.

func (*AWS) GetEncryptedKey added in v0.11.0 

func (p *AWS) GetEncryptedKey() (kid string, key string, ok bool)

GetEncryptedKey is not available in an AWS provisioner.

func (*AWS) GetID added in v0.11.0 

func (p *AWS) GetID() string

GetID returns the provisioner unique identifier.

func (*AWS) GetIdentityToken added in v0.11.0 

func (p *AWS) GetIdentityToken(caURL string) (string, error)

GetIdentityToken retrieves the identity document and it's signature and generates a token with them.

func (*AWS) GetName added in v0.11.0 

func (p *AWS) GetName() string

GetName returns the name of the provisioner.

func (*AWS) GetTokenID added in v0.11.0 

func (p *AWS) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token.

func (*AWS) GetType added in v0.11.0 

func (p *AWS) GetType() Type

GetType returns the type of provisioner.

func (*AWS) Init added in v0.11.0 

func (p *AWS) Init(config Config) (err error)

Init validates and initializes the AWS provisioner.

type Audiences added in v0.10.0 

type Audiences struct {
	Sign   []string
	Revoke []string
}

Audiences stores all supported audiences by request type.

func (Audiences) All added in v0.10.0 

func (a Audiences) All() []string

All returns all supported audiences across all request types in one list.

func (Audiences) WithFragment added in v0.11.0 

func (a Audiences) WithFragment(fragment string) Audiences

WithFragment returns a copy of audiences where the url audiences contains the given fragment.

type Azure added in v0.11.0 

type Azure struct {
	Type                   string   `json:"type"`
	Name                   string   `json:"name"`
	TenantID               string   `json:"tenantId"`
	ResourceGroups         []string `json:"resourceGroups"`
	Audience               string   `json:"audience,omitempty"`
	DisableCustomSANs      bool     `json:"disableCustomSANs"`
	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
	Claims                 *Claims  `json:"claims,omitempty"`
	// contains filtered or unexported fields
}

Azure is the provisioner that supports identity tokens created from the Microsoft Azure Instance Metadata service.

The default audience is "https://management.azure.com/".

If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

Microsoft Azure identity docs are available at https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token and https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service

func (*Azure) AuthorizeRenewal added in v0.11.0 

func (p *Azure) AuthorizeRenewal(cert *x509.Certificate) error

AuthorizeRenewal returns an error if the renewal is disabled.

func (*Azure) AuthorizeRevoke added in v0.11.0 

func (p *Azure) AuthorizeRevoke(token string) error

AuthorizeRevoke returns an error because revoke is not supported on Azure provisioners.

func (*Azure) AuthorizeSign added in v0.11.0 

func (p *Azure) AuthorizeSign(token string) ([]SignOption, error)

AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.

func (*Azure) GetEncryptedKey added in v0.11.0 

func (p *Azure) GetEncryptedKey() (kid string, key string, ok bool)

GetEncryptedKey is not available in an Azure provisioner.

func (*Azure) GetID added in v0.11.0 

func (p *Azure) GetID() string

GetID returns the provisioner unique identifier.

func (*Azure) GetIdentityToken added in v0.11.0 

func (p *Azure) GetIdentityToken() (string, error)

GetIdentityToken retrieves from the metadata service the identity token and returns it.

func (*Azure) GetName added in v0.11.0 

func (p *Azure) GetName() string

GetName returns the name of the provisioner.

func (*Azure) GetTokenID added in v0.11.0 

func (p *Azure) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token. The default value for Azure the SHA256 of "xms_mirid", but if DisableTrustOnFirstUse is set to true, then it will be the token kid.

func (*Azure) GetType added in v0.11.0 

func (p *Azure) GetType() Type

GetType returns the type of provisioner.

func (*Azure) Init added in v0.11.0 

func (p *Azure) Init(config Config) (err error)

Init validates and initializes the Azure provisioner.

type CertificateRequestValidator 

type CertificateRequestValidator interface {
	SignOption
	Valid(req *x509.CertificateRequest) error
}

CertificateRequestValidator is the interface used to validate a X.509 certificate request.

type CertificateValidator 

type CertificateValidator interface {
	SignOption
	Valid(crt *x509.Certificate) error
}

CertificateValidator is the interface used to validate a X.509 certificate.

type Claimer 

type Claimer struct {
	// contains filtered or unexported fields
}

Claimer is the type that controls claims. It provides an interface around the current claim and the global one.

func NewClaimer 

func NewClaimer(claims *Claims, global Claims) (*Claimer, error)

NewClaimer initializes a new claimer with the given claims.

func (*Claimer) Claims 

func (c *Claimer) Claims() Claims

Claims returns the merge of the inner and global claims.

func (*Claimer) DefaultTLSCertDuration 

func (c *Claimer) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration returns the default TLS cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*Claimer) IsDisableRenewal 

func (c *Claimer) IsDisableRenewal() bool

IsDisableRenewal returns if the renewal flow is disabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.

func (*Claimer) MaxTLSCertDuration 

func (c *Claimer) MaxTLSCertDuration() time.Duration

MaxTLSCertDuration returns the maximum TLS cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*Claimer) MinTLSCertDuration 

func (c *Claimer) MinTLSCertDuration() time.Duration

MinTLSCertDuration returns the minimum TLS cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*Claimer) Validate 

func (c *Claimer) Validate() error

Validate validates and modifies the Claims with default values.

type Claims 

type Claims struct {
	MinTLSDur      *Duration `json:"minTLSCertDuration,omitempty"`
	MaxTLSDur      *Duration `json:"maxTLSCertDuration,omitempty"`
	DefaultTLSDur  *Duration `json:"defaultTLSCertDuration,omitempty"`
	DisableRenewal *bool     `json:"disableRenewal,omitempty"`
}

Claims so that individual provisioners can override global claims.

type Collection 

type Collection struct {
	// contains filtered or unexported fields
}

Collection is a memory map of provisioners.

func NewCollection 

func NewCollection(audiences Audiences) *Collection

NewCollection initializes a collection of provisioners. The given list of audiences are the audiences used by the JWT provisioner.

func (*Collection) Find 

func (c *Collection) Find(cursor string, limit int) (List, string)

Find implements pagination on a list of sorted provisioners.

func (*Collection) Load 

func (c *Collection) Load(id string) (Interface, bool)

Load a provisioner by the ID.

func (*Collection) LoadByCertificate 

func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)

LoadByCertificate looks for the provisioner extension and extracts the proper id to load the provisioner.

func (*Collection) LoadByToken 

func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool)

LoadByToken parses the token claims and loads the provisioner associated.

func (*Collection) LoadEncryptedKey 

func (c *Collection) LoadEncryptedKey(keyID string) (string, bool)

LoadEncryptedKey returns an encrypted key by indexed by KeyID. At this moment only JWK encrypted keys are indexed by KeyID.

func (*Collection) Store 

func (c *Collection) Store(p Interface) error

Store adds a provisioner to the collection and enforces the uniqueness of provisioner IDs.

type Config 

type Config struct {
	// Claims are the default claims.
	Claims Claims
	// Audiences are the audiences used in the default provisioner, (JWK).
	Audiences Audiences
}

Config defines the default parameters used in the initialization of provisioners.

type Duration 

type Duration struct {
	time.Duration
}

Duration is a wrapper around Time.Duration to aid with marshal/unmarshal.

func NewDuration added in v0.11.0 

func NewDuration(s string) (*Duration, error)

NewDuration parses a duration string and returns a Duration type or an error if the given string is not a duration.

func (*Duration) MarshalJSON 

func (d *Duration) MarshalJSON() ([]byte, error)

MarshalJSON parses a duration string and sets it to the duration.

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

func (*Duration) UnmarshalJSON 

func (d *Duration) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON parses a duration string and sets it to the duration.

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

func (*Duration) Value added in v0.11.0 

func (d *Duration) Value() time.Duration

Value returns 0 if the duration is null, the inner duration otherwise.

type GCP added in v0.11.0 

type GCP struct {
	Type                   string   `json:"type"`
	Name                   string   `json:"name"`
	ServiceAccounts        []string `json:"serviceAccounts"`
	ProjectIDs             []string `json:"projectIDs"`
	DisableCustomSANs      bool     `json:"disableCustomSANs"`
	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
	InstanceAge            Duration `json:"instanceAge,omitempty"`
	Claims                 *Claims  `json:"claims,omitempty"`
	// contains filtered or unexported fields
}

GCP is the provisioner that supports identity tokens created by the Google Cloud Platform metadata API.

If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.

If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.

If InstanceAge is set, only the instances with an instance_creation_timestamp within the given period will be accepted.

Google Identity docs are available at https://cloud.google.com/compute/docs/instances/verifying-instance-identity

func (*GCP) AuthorizeRenewal added in v0.11.0 

func (p *GCP) AuthorizeRenewal(cert *x509.Certificate) error

AuthorizeRenewal returns an error if the renewal is disabled.

func (*GCP) AuthorizeRevoke added in v0.11.0 

func (p *GCP) AuthorizeRevoke(token string) error

AuthorizeRevoke returns an error because revoke is not supported on GCP provisioners.

func (*GCP) AuthorizeSign added in v0.11.0 

func (p *GCP) AuthorizeSign(token string) ([]SignOption, error)

AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.

func (*GCP) GetEncryptedKey added in v0.11.0 

func (p *GCP) GetEncryptedKey() (kid string, key string, ok bool)

GetEncryptedKey is not available in a GCP provisioner.

func (*GCP) GetID added in v0.11.0 

func (p *GCP) GetID() string

GetID returns the provisioner unique identifier. The name should uniquely identify any GCP provisioner.

func (*GCP) GetIdentityToken added in v0.11.0 

func (p *GCP) GetIdentityToken(caURL string) (string, error)

GetIdentityToken does an HTTP request to the identity url.

func (*GCP) GetIdentityURL added in v0.11.0 

func (p *GCP) GetIdentityURL(audience string) string

GetIdentityURL returns the url that generates the GCP token.

func (*GCP) GetName added in v0.11.0 

func (p *GCP) GetName() string

GetName returns the name of the provisioner.

func (*GCP) GetTokenID added in v0.11.0 

func (p *GCP) GetTokenID(token string) (string, error)

GetTokenID returns the identifier of the token. The default value for GCP the SHA256 of "provisioner_id.instance_id", but if DisableTrustOnFirstUse is set to true, then it will be the SHA256 of the token.

func (*GCP) GetType added in v0.11.0 

func (p *GCP) GetType() Type

GetType returns the type of provisioner.

func (*GCP) Init added in v0.11.0 

func (p *GCP) Init(config Config) error

Init validates and initializes the GCP provisioner.

type Interface 

type Interface interface {
	GetID() string
	GetTokenID(token string) (string, error)
	GetName() string
	GetType() Type
	GetEncryptedKey() (kid string, key string, ok bool)
	Init(config Config) error
	AuthorizeSign(token string) ([]SignOption, error)
	AuthorizeRenewal(cert *x509.Certificate) error
	AuthorizeRevoke(token string) error
}

Interface is the interface that all provisioner types must implement.

type JWK 

type JWK struct {
	Type         string           `json:"type"`
	Name         string           `json:"name"`
	Key          *jose.JSONWebKey `json:"key"`
	EncryptedKey string           `json:"encryptedKey,omitempty"`
	Claims       *Claims          `json:"claims,omitempty"`
	// contains filtered or unexported fields
}

JWK is the default provisioner, an entity that can sign tokens necessary for signature requests.

func (*JWK) AuthorizeRenewal 

func (p *JWK) AuthorizeRenewal(cert *x509.Certificate) error

AuthorizeRenewal returns an error if the renewal is disabled.

func (*JWK) AuthorizeRevoke 

func (p *JWK) AuthorizeRevoke(token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.

func (*JWK) AuthorizeSign added in v0.10.0 

func (p *JWK) AuthorizeSign(token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*JWK) GetEncryptedKey 

func (p *JWK) GetEncryptedKey() (string, string, bool)

GetEncryptedKey returns the base provisioner encrypted key if it's defined.

func (*JWK) GetID 

func (p *JWK) GetID() string

GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any JWK provisioner.

func (*JWK) GetName 

func (p *JWK) GetName() string

GetName returns the name of the provisioner.

func (*JWK) GetTokenID added in v0.10.0 

func (p *JWK) GetTokenID(ott string) (string, error)

GetTokenID returns the identifier of the token.

func (*JWK) GetType 

func (p *JWK) GetType() Type

GetType returns the type of provisioner.

func (*JWK) Init 

func (p *JWK) Init(config Config) (err error)

Init initializes and validates the fields of a JWK type.

type List 

type List []Interface

List represents a list of provisioners.

func (*List) UnmarshalJSON 

func (l *List) UnmarshalJSON(data []byte) error

UnmarshalJSON implements json.Unmarshaler and allows to unmarshal a list of a interfaces into the right type.

type OIDC 

type OIDC struct {
	Type                  string   `json:"type"`
	Name                  string   `json:"name"`
	ClientID              string   `json:"clientID"`
	ClientSecret          string   `json:"clientSecret"`
	ConfigurationEndpoint string   `json:"configurationEndpoint"`
	Admins                []string `json:"admins,omitempty"`
	Domains               []string `json:"domains,omitempty"`
	Claims                *Claims  `json:"claims,omitempty"`
	// contains filtered or unexported fields
}

OIDC represents an OAuth 2.0 OpenID Connect provider.

ClientSecret is mandatory, but it can be an empty string.

func (*OIDC) AuthorizeRenewal 

func (o *OIDC) AuthorizeRenewal(cert *x509.Certificate) error

AuthorizeRenewal returns an error if the renewal is disabled.

func (*OIDC) AuthorizeRevoke 

func (o *OIDC) AuthorizeRevoke(token string) error

AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property. Only tokens generated by an admin have the right to revoke a certificate.

func (*OIDC) AuthorizeSign added in v0.10.0 

func (o *OIDC) AuthorizeSign(token string) ([]SignOption, error)

AuthorizeSign validates the given token.

func (*OIDC) GetEncryptedKey 

func (o *OIDC) GetEncryptedKey() (kid string, key string, ok bool)

GetEncryptedKey is not available in an OIDC provisioner.

func (*OIDC) GetID 

func (o *OIDC) GetID() string

GetID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.

func (*OIDC) GetName 

func (o *OIDC) GetName() string

GetName returns the name of the provisioner.

func (*OIDC) GetTokenID added in v0.10.0 

func (o *OIDC) GetTokenID(ott string) (string, error)

GetTokenID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.

func (*OIDC) GetType 

func (o *OIDC) GetType() Type

GetType returns the type of provisioner.

func (*OIDC) Init 

func (o *OIDC) Init(config Config) (err error)

Init validates and initializes the OIDC provider.

func (*OIDC) IsAdmin 

func (o *OIDC) IsAdmin(email string) bool

IsAdmin returns true if the given email is in the Admins whitelist, false otherwise.

func (*OIDC) ValidatePayload 

func (o *OIDC) ValidatePayload(p openIDPayload) error

ValidatePayload validates the given token payload.

type Options 

type Options struct {
	NotAfter  TimeDuration `json:"notAfter"`
	NotBefore TimeDuration `json:"notBefore"`
}

Options contains the options that can be passed to the Sign method.

type ProfileModifier 

type ProfileModifier interface {
	SignOption
	Option(o Options) x509util.WithOption
}

ProfileModifier is the interface used to add custom options to the profile constructor. The options are used to modify the final certificate.

type SignOption 

type SignOption interface{}

SignOption is the interface used to collect all extra options used in the Sign method.

type TimeDuration 

type TimeDuration struct {
	// contains filtered or unexported fields
}

TimeDuration is a type that represents a time but the JSON unmarshaling can use a time using the RFC 3339 format or a time.Duration string. If a duration is used, the time will be set on the first call to TimeDuration.Time.

func NewTimeDuration 

func NewTimeDuration(t time.Time) TimeDuration

NewTimeDuration returns a TimeDuration with the defined time.

func ParseTimeDuration 

func ParseTimeDuration(s string) (TimeDuration, error)

ParseTimeDuration returns a new TimeDuration parsing the RFC 3339 time or time.Duration string.

func (TimeDuration) MarshalJSON 

func (t TimeDuration) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. If the time is set it will return the time in RFC 3339 format if not it will return the duration string.

func (*TimeDuration) SetDuration 

func (t *TimeDuration) SetDuration(d time.Duration)

SetDuration initializes the TimeDuration with the given duration string. If the time was set it will re-set to zero.

func (*TimeDuration) SetTime 

func (t *TimeDuration) SetTime(tt time.Time)

SetTime initializes the TimeDuration with the given time. If the duration is set it will be re-set to zero.

func (*TimeDuration) String 

func (t *TimeDuration) String() string

String implements the fmt.Stringer interface.

func (*TimeDuration) Time 

func (t *TimeDuration) Time() time.Time

Time calculates the embedded time.Time, sets it if necessary, and returns it.

func (*TimeDuration) UnmarshalJSON 

func (t *TimeDuration) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. The time is expected to be a quoted string in RFC 3339 format or a quoted time.Duration string.

type Type 

type Type int

Type indicates the provisioner Type. 

const (

	// TypeJWK is used to indicate the JWK provisioners.
	TypeJWK Type = 1
	// TypeOIDC is used to indicate the OIDC provisioners.
	TypeOIDC Type = 2
	// TypeGCP is used to indicate the GCP provisioners.
	TypeGCP Type = 3
	// TypeAWS is used to indicate the AWS provisioners.
	TypeAWS Type = 4
	// TypeAzure is used to indicate the Azure provisioners.
	TypeAzure Type = 5

	// RevokeAudienceKey is the key for the 'revoke' audiences in the audiences map.
	RevokeAudienceKey = "revoke"
	// SignAudienceKey is the key for the 'sign' audiences in the audiences map.
	SignAudienceKey = "sign"
)

func (Type) String added in v0.11.0 

func (t Type) String() string

String returns the string representation of the type.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.