authority

package
v0.13.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 18, 2019 License: Apache-2.0 Imports: 27 Imported by: 38

Documentation

Index

Constants

View Source 
const (
	// SSHAddUserPrincipal is the principal that will run the add user command.
	// Defaults to "provisioner" but it can be changed in the configuration.
	SSHAddUserPrincipal = "provisioner"

	// SSHAddUserCommand is the default command to run to add a new user.
	// Defaults to "sudo useradd -m <principal>; nc -q0 localhost 22" but it can be changed in the
	// configuration. The string "<principal>" will be replace by the new
	// principal to add.
	SSHAddUserCommand = "sudo useradd -m <principal>; nc -q0 localhost 22"
)

Variables

View Source 
var (
	// DefaultTLSOptions represents the default TLS version as well as the cipher
	// suites used in the TLS certificates.
	DefaultTLSOptions = tlsutil.TLSOptions{
		CipherSuites: x509util.CipherSuites{
			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		},
		MinVersion:    1.2,
		MaxVersion:    1.2,
		Renegotiation: false,
	}
)

Functions

This section is empty.

Types

type AuthConfig 

type AuthConfig struct {
	Provisioners         provisioner.List    `json:"provisioners"`
	Template             *x509util.ASN1DN    `json:"template,omitempty"`
	Claims               *provisioner.Claims `json:"claims,omitempty"`
	DisableIssuedAtCheck bool                `json:"disableIssuedAtCheck,omitempty"`
}

AuthConfig represents the configuration options for the authority.

func (*AuthConfig) Validate 

func (c *AuthConfig) Validate(audiences provisioner.Audiences) error

Validate validates the authority configuration.

type Authority 

type Authority struct {
	// contains filtered or unexported fields
}

Authority implements the Certificate Authority internal interface.

func New 

func New(config *Config, opts ...Option) (*Authority, error)

New creates and initiates a new Authority type.

func (*Authority) Authorize 

func (a *Authority) Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error)

Authorize grabs the method from the context and authorizes a signature request by validating the one-time-token.

func (*Authority) AuthorizeSign added in v0.10.0 

func (a *Authority) AuthorizeSign(ott string) ([]provisioner.SignOption, error)

AuthorizeSign authorizes a signature request by validating and authenticating a OTT that must be sent w/ the request.

NOTE: This method is deprecated and should not be used. We make it available in the short term os as not to break existing clients.

func (*Authority) GetDatabase added in v0.11.0 

func (a *Authority) GetDatabase() db.AuthDB

GetDatabase returns the authority database. If the configuration does not define a database, GetDatabase will return a db.SimpleDB instance.

func (*Authority) GetEncryptedKey 

func (a *Authority) GetEncryptedKey(kid string) (string, error)

GetEncryptedKey returns the JWE key corresponding to the given kid argument.

func (*Authority) GetFederation added in v0.8.3 

func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)

GetFederation returns all the root certificates in the federation. This method implements the Authority interface.

func (*Authority) GetProvisioners 

func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error)

GetProvisioners returns a map listing each provisioner and the JWK Key Set with their public keys.

func (*Authority) GetRootCertificate 

func (a *Authority) GetRootCertificate() *x509.Certificate

GetRootCertificate returns the server root certificate.

func (*Authority) GetRootCertificates added in v0.8.3 

func (a *Authority) GetRootCertificates() []*x509.Certificate

GetRootCertificates returns the server root certificates.

In the Authority interface we also have a similar method, GetRoots, at the moment the functionality of these two methods are almost identical, but this method is intended to be used internally by CA HTTP server to load the roots that will be set in the tls.Config while GetRoots will be used by the Authority interface and might have extra checks in the future.

func (*Authority) GetRoots added in v0.8.3 

func (a *Authority) GetRoots() ([]*x509.Certificate, error)

GetRoots returns all the root certificates for this CA. This method implements the Authority interface.

func (*Authority) GetTLSCertificate 

func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)

GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.

func (*Authority) GetTLSOptions 

func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions

GetTLSOptions returns the tls options configured.

func (*Authority) LoadProvisionerByCertificate added in v0.10.0 

func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)

LoadProvisionerByCertificate returns an interface to the provisioner that provisioned the certificate.

func (*Authority) LoadProvisionerByID added in v0.13.0 

func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)

LoadProvisionerByID returns an interface to the provisioner with the given ID.

func (*Authority) Renew 

func (a *Authority) Renew(oldCert *x509.Certificate) (*x509.Certificate, *x509.Certificate, error)

Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.

func (*Authority) Revoke added in v0.10.0 

func (a *Authority) Revoke(opts *RevokeOptions) error

Revoke revokes a certificate.

NOTE: Only supports passive revocation - prevent existing certificates from being renewed.

TODO: Add OCSP and CRL support.

func (*Authority) Root 

func (a *Authority) Root(sum string) (*x509.Certificate, error)

Root returns the certificate corresponding to the given SHA sum argument.

func (*Authority) Shutdown added in v0.10.0 

func (a *Authority) Shutdown() error

Shutdown safely shuts down any clients, databases, etc. held by the Authority.

func (*Authority) Sign 

func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Options, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error)

Sign creates a signed certificate from a certificate signing request.

func (*Authority) SignSSH added in v0.12.0 

func (a *Authority) SignSSH(key ssh.PublicKey, opts provisioner.SSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)

SignSSH creates a signed SSH certificate with the given public key and options.

func (*Authority) SignSSHAddUser added in v0.12.0 

func (a *Authority) SignSSHAddUser(key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)

SignSSHAddUser signs a certificate that provisions a new user in a server.

type Claims added in v0.8.4 

type Claims struct {
	jose.Claims
	SANs  []string `json:"sans,omitempty"`
	Email string   `json:"email,omitempty"`
	Nonce string   `json:"nonce,omitempty"`
}

Claims extends jose.Claims with step attributes.

type Config 

type Config struct {
	Root             multiString         `json:"root"`
	FederatedRoots   []string            `json:"federatedRoots"`
	IntermediateCert string              `json:"crt"`
	IntermediateKey  string              `json:"key"`
	Address          string              `json:"address"`
	DNSNames         []string            `json:"dnsNames"`
	SSH              *SSHConfig          `json:"ssh,omitempty"`
	Logger           json.RawMessage     `json:"logger,omitempty"`
	DB               *db.Config          `json:"db,omitempty"`
	Monitoring       json.RawMessage     `json:"monitoring,omitempty"`
	AuthorityConfig  *AuthConfig         `json:"authority,omitempty"`
	TLS              *tlsutil.TLSOptions `json:"tls,omitempty"`
	Password         string              `json:"password,omitempty"`
}

Config represents the CA configuration and it's mapped to a JSON object.

func LoadConfiguration 

func LoadConfiguration(filename string) (*Config, error)

LoadConfiguration parses the given filename in JSON format and returns the configuration struct.

func (*Config) Save 

func (c *Config) Save(filename string) error

Save saves the configuration to the given filename.

func (*Config) Validate 

func (c *Config) Validate() error

Validate validates the configuration.

type ErrorResponse added in v0.13.0 

type ErrorResponse struct {
	Status  int    `json:"status"`
	Message string `json:"message"`
}

ErrorResponse represents an error in JSON format.

type Option added in v0.11.0 

type Option func(*Authority)

Option sets options to the Authority.

func WithDatabase added in v0.11.0 

func WithDatabase(db db.AuthDB) Option

WithDatabase sets an already initialized authority database to a new authority. This option is intended to be use on graceful reloads.

type RevokeOptions added in v0.10.0 

type RevokeOptions struct {
	Serial      string
	Reason      string
	ReasonCode  int
	PassiveOnly bool
	MTLS        bool
	Crt         *x509.Certificate
	OTT         string
	// contains filtered or unexported fields
}

RevokeOptions are the options for the Revoke API.

type SSHConfig added in v0.12.0 

type SSHConfig struct {
	HostKey          string `json:"hostKey"`
	UserKey          string `json:"userKey"`
	AddUserPrincipal string `json:"addUserPrincipal"`
	AddUserCommand   string `json:"addUserCommand"`
}

SSHConfig contains the user and host keys.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.