Documentation
¶
Index ¶
- Constants
- func NewContextWithMethod(ctx context.Context, method Method) context.Context
- func SanitizeSSHUserPrincipal(email string) string
- type ACME
- func (p *ACME) AuthorizeRenewal(cert *x509.Certificate) error
- func (p *ACME) AuthorizeRevoke(token string) error
- func (p *ACME) AuthorizeSign(ctx context.Context, _ string) ([]SignOption, error)
- func (p *ACME) GetEncryptedKey() (string, string, bool)
- func (p ACME) GetID() string
- func (p *ACME) GetName() string
- func (p *ACME) GetTokenID(ott string) (string, error)
- func (p *ACME) GetType() Type
- func (p *ACME) Init(config Config) (err error)
- type AWS
- func (p *AWS) AuthorizeRenewal(cert *x509.Certificate) error
- func (p *AWS) AuthorizeRevoke(token string) error
- func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (p *AWS) GetEncryptedKey() (kid string, key string, ok bool)
- func (p *AWS) GetID() string
- func (p *AWS) GetIdentityToken(subject, caURL string) (string, error)
- func (p *AWS) GetName() string
- func (p *AWS) GetTokenID(token string) (string, error)
- func (p *AWS) GetType() Type
- func (p *AWS) Init(config Config) (err error)
- type Audiences
- type Azure
- func (p *Azure) AuthorizeRenewal(cert *x509.Certificate) error
- func (p *Azure) AuthorizeRevoke(token string) error
- func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (p *Azure) GetEncryptedKey() (kid string, key string, ok bool)
- func (p *Azure) GetID() string
- func (p *Azure) GetIdentityToken(subject, caURL string) (string, error)
- func (p *Azure) GetName() string
- func (p *Azure) GetTokenID(token string) (string, error)
- func (p *Azure) GetType() Type
- func (p *Azure) Init(config Config) (err error)
- type CertificateRequestValidator
- type CertificateValidator
- type Claimer
- func (c *Claimer) Claims() Claims
- func (c *Claimer) DefaultHostSSHCertDuration() time.Duration
- func (c *Claimer) DefaultTLSCertDuration() time.Duration
- func (c *Claimer) DefaultUserSSHCertDuration() time.Duration
- func (c *Claimer) IsDisableRenewal() bool
- func (c *Claimer) IsSSHCAEnabled() bool
- func (c *Claimer) MaxHostSSHCertDuration() time.Duration
- func (c *Claimer) MaxTLSCertDuration() time.Duration
- func (c *Claimer) MaxUserSSHCertDuration() time.Duration
- func (c *Claimer) MinHostSSHCertDuration() time.Duration
- func (c *Claimer) MinTLSCertDuration() time.Duration
- func (c *Claimer) MinUserSSHCertDuration() time.Duration
- func (c *Claimer) Validate() error
- type Claims
- type Collection
- func (c *Collection) Find(cursor string, limit int) (List, string)
- func (c *Collection) Load(id string) (Interface, bool)
- func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
- func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool)
- func (c *Collection) LoadEncryptedKey(keyID string) (string, bool)
- func (c *Collection) Store(p Interface) error
- type Config
- type Duration
- type GCP
- func (p *GCP) AuthorizeRenewal(cert *x509.Certificate) error
- func (p *GCP) AuthorizeRevoke(token string) error
- func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (p *GCP) GetEncryptedKey() (kid string, key string, ok bool)
- func (p *GCP) GetID() string
- func (p *GCP) GetIdentityToken(subject, caURL string) (string, error)
- func (p *GCP) GetIdentityURL(audience string) string
- func (p *GCP) GetName() string
- func (p *GCP) GetTokenID(token string) (string, error)
- func (p *GCP) GetType() Type
- func (p *GCP) Init(config Config) error
- type Interface
- type JWK
- func (p *JWK) AuthorizeRenewal(cert *x509.Certificate) error
- func (p *JWK) AuthorizeRevoke(token string) error
- func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (p *JWK) GetEncryptedKey() (string, string, bool)
- func (p *JWK) GetID() string
- func (p *JWK) GetName() string
- func (p *JWK) GetTokenID(ott string) (string, error)
- func (p *JWK) GetType() Type
- func (p *JWK) Init(config Config) (err error)
- type List
- type Method
- type MockProvisioner
- func (m *MockProvisioner) AuthorizeRenewal(c *x509.Certificate) error
- func (m *MockProvisioner) AuthorizeRevoke(ott string) error
- func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]SignOption, error)
- func (m *MockProvisioner) GetEncryptedKey() (string, string, bool)
- func (m *MockProvisioner) GetID() string
- func (m *MockProvisioner) GetName() string
- func (m *MockProvisioner) GetTokenID(token string) (string, error)
- func (m *MockProvisioner) GetType() Type
- func (m *MockProvisioner) Init(c Config) error
- type OIDC
- func (o *OIDC) AuthorizeRenewal(cert *x509.Certificate) error
- func (o *OIDC) AuthorizeRevoke(token string) error
- func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (o *OIDC) GetEncryptedKey() (kid string, key string, ok bool)
- func (o *OIDC) GetID() string
- func (o *OIDC) GetName() string
- func (o *OIDC) GetTokenID(ott string) (string, error)
- func (o *OIDC) GetType() Type
- func (o *OIDC) Init(config Config) (err error)
- func (o *OIDC) IsAdmin(email string) bool
- func (o *OIDC) ValidatePayload(p openIDPayload) error
- type Options
- type ProfileModifier
- type SSHCertificateModifier
- type SSHCertificateOptionModifier
- type SSHCertificateOptionsValidator
- type SSHCertificateValidator
- type SSHOptions
- type SignOption
- type TimeDuration
- func (t *TimeDuration) Equal(other *TimeDuration) bool
- func (t *TimeDuration) IsZero() bool
- func (t TimeDuration) MarshalJSON() ([]byte, error)
- func (t *TimeDuration) RelativeTime(base time.Time) time.Time
- func (t *TimeDuration) SetDuration(d time.Duration)
- func (t *TimeDuration) SetTime(tt time.Time)
- func (t *TimeDuration) String() string
- func (t *TimeDuration) Time() time.Time
- func (t *TimeDuration) Unix() int64
- func (t *TimeDuration) UnmarshalJSON(data []byte) error
- type Type
Constants ¶
const ( // SSHUserCert is the string used to represent ssh.UserCert. SSHUserCert = "user" // SSHHostCert is the string used to represent ssh.HostCert. SSHHostCert = "host" )
const DefaultProvisionersLimit = 20
DefaultProvisionersLimit is the default limit for listing provisioners.
const DefaultProvisionersMax = 100
DefaultProvisionersMax is the maximum limit for listing provisioners.
Variables ¶
This section is empty.
Functions ¶
func NewContextWithMethod ¶ added in v0.12.0
NewContextWithMethod creates a new context from ctx and attaches method to it.
func SanitizeSSHUserPrincipal ¶ added in v0.12.0
SanitizeSSHUserPrincipal grabs an email or a string with the format local@domain and returns a sanitized version of the local, valid to be used as a user name. If the email starts with a letter between a and z, the resulting string will match the regular expression `^[a-z][-a-z0-9_]*$`.
Types ¶
type ACME ¶ added in v0.13.0
type ACME struct {
Type string `json:"type"`
Name string `json:"name"`
Claims *Claims `json:"claims,omitempty"`
// contains filtered or unexported fields
}
ACME is the acme provisioner type, an entity that can authorize the ACME provisioning flow.
func (*ACME) AuthorizeRenewal ¶ added in v0.13.0
func (p *ACME) AuthorizeRenewal(cert *x509.Certificate) error
AuthorizeRenewal is not implemented for the ACME provisioner.
func (*ACME) AuthorizeRevoke ¶ added in v0.13.0
AuthorizeRevoke is not implemented yet for the ACME provisioner.
func (*ACME) AuthorizeSign ¶ added in v0.13.0
AuthorizeSign validates the given token.
func (*ACME) GetEncryptedKey ¶ added in v0.13.0
GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (*ACME) GetTokenID ¶ added in v0.13.0
GetTokenID returns the identifier of the token.
type AWS ¶ added in v0.11.0
type AWS struct {
Type string `json:"type"`
Name string `json:"name"`
Accounts []string `json:"accounts"`
DisableCustomSANs bool `json:"disableCustomSANs"`
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
InstanceAge Duration `json:"instanceAge,omitempty"`
Claims *Claims `json:"claims,omitempty"`
// contains filtered or unexported fields
}
AWS is the provisioner that supports identity tokens created from the Amazon Web Services Instance Identity Documents.
If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.
If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.
If InstanceAge is set, only the instances with a pendingTime within the given period will be accepted.
Amazon Identity docs are available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
func (*AWS) AuthorizeRenewal ¶ added in v0.11.0
func (p *AWS) AuthorizeRenewal(cert *x509.Certificate) error
AuthorizeRenewal returns an error if the renewal is disabled.
func (*AWS) AuthorizeRevoke ¶ added in v0.11.0
AuthorizeRevoke returns an error because revoke is not supported on AWS provisioners.
func (*AWS) AuthorizeSign ¶ added in v0.11.0
AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.
func (*AWS) GetEncryptedKey ¶ added in v0.11.0
GetEncryptedKey is not available in an AWS provisioner.
func (*AWS) GetIdentityToken ¶ added in v0.11.0
GetIdentityToken retrieves the identity document and it's signature and generates a token with them.
func (*AWS) GetTokenID ¶ added in v0.11.0
GetTokenID returns the identifier of the token.
type Audiences ¶ added in v0.10.0
Audiences stores all supported audiences by request type.
func (Audiences) All ¶ added in v0.10.0
All returns all supported audiences across all request types in one list.
func (Audiences) WithFragment ¶ added in v0.11.0
WithFragment returns a copy of audiences where the url audiences contains the given fragment.
type Azure ¶ added in v0.11.0
type Azure struct {
Type string `json:"type"`
Name string `json:"name"`
TenantID string `json:"tenantId"`
ResourceGroups []string `json:"resourceGroups"`
Audience string `json:"audience,omitempty"`
DisableCustomSANs bool `json:"disableCustomSANs"`
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
Claims *Claims `json:"claims,omitempty"`
// contains filtered or unexported fields
}
Azure is the provisioner that supports identity tokens created from the Microsoft Azure Instance Metadata service.
The default audience is "https://management.azure.com/".
If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.
If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.
Microsoft Azure identity docs are available at https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token and https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
func (*Azure) AuthorizeRenewal ¶ added in v0.11.0
func (p *Azure) AuthorizeRenewal(cert *x509.Certificate) error
AuthorizeRenewal returns an error if the renewal is disabled.
func (*Azure) AuthorizeRevoke ¶ added in v0.11.0
AuthorizeRevoke returns an error because revoke is not supported on Azure provisioners.
func (*Azure) AuthorizeSign ¶ added in v0.11.0
AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.
func (*Azure) GetEncryptedKey ¶ added in v0.11.0
GetEncryptedKey is not available in an Azure provisioner.
func (*Azure) GetIdentityToken ¶ added in v0.11.0
GetIdentityToken retrieves from the metadata service the identity token and returns it.
func (*Azure) GetTokenID ¶ added in v0.11.0
GetTokenID returns the identifier of the token. The default value for Azure the SHA256 of "xms_mirid", but if DisableTrustOnFirstUse is set to true, then it will be the token kid.
type CertificateRequestValidator ¶
type CertificateRequestValidator interface {
SignOption
Valid(req *x509.CertificateRequest) error
}
CertificateRequestValidator is the interface used to validate a X.509 certificate request.
type CertificateValidator ¶
type CertificateValidator interface {
SignOption
Valid(crt *x509.Certificate) error
}
CertificateValidator is the interface used to validate a X.509 certificate.
type Claimer ¶
type Claimer struct {
// contains filtered or unexported fields
}
Claimer is the type that controls claims. It provides an interface around the current claim and the global one.
func NewClaimer ¶
NewClaimer initializes a new claimer with the given claims.
func (*Claimer) DefaultHostSSHCertDuration ¶ added in v0.12.0
DefaultHostSSHCertDuration returns the default SSH host cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.
func (*Claimer) DefaultTLSCertDuration ¶
DefaultTLSCertDuration returns the default TLS cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.
func (*Claimer) DefaultUserSSHCertDuration ¶ added in v0.12.0
DefaultUserSSHCertDuration returns the default SSH user cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.
func (*Claimer) IsDisableRenewal ¶
IsDisableRenewal returns if the renewal flow is disabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.
func (*Claimer) IsSSHCAEnabled ¶ added in v0.12.0
IsSSHCAEnabled returns if the SSH CA is enabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.
func (*Claimer) MaxHostSSHCertDuration ¶ added in v0.12.0
MaxHostSSHCertDuration returns the maximum SSH Host cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.
func (*Claimer) MaxTLSCertDuration ¶
MaxTLSCertDuration returns the maximum TLS cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.
func (*Claimer) MaxUserSSHCertDuration ¶ added in v0.12.0
MaxUserSSHCertDuration returns the maximum SSH user cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.
func (*Claimer) MinHostSSHCertDuration ¶ added in v0.12.0
MinHostSSHCertDuration returns the minimum SSH host cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.
func (*Claimer) MinTLSCertDuration ¶
MinTLSCertDuration returns the minimum TLS cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.
func (*Claimer) MinUserSSHCertDuration ¶ added in v0.12.0
MinUserSSHCertDuration returns the minimum SSH user cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.
type Claims ¶
type Claims struct {
// TLS CA properties
MinTLSDur *Duration `json:"minTLSCertDuration,omitempty"`
MaxTLSDur *Duration `json:"maxTLSCertDuration,omitempty"`
DefaultTLSDur *Duration `json:"defaultTLSCertDuration,omitempty"`
DisableRenewal *bool `json:"disableRenewal,omitempty"`
// SSH CA properties
MinUserSSHDur *Duration `json:"minUserSSHCertDuration,omitempty"`
MaxUserSSHDur *Duration `json:"maxUserSSHCertDuration,omitempty"`
DefaultUserSSHDur *Duration `json:"defaultUserSSHCertDuration,omitempty"`
MinHostSSHDur *Duration `json:"minHostSSHCertDuration,omitempty"`
MaxHostSSHDur *Duration `json:"maxHostSSHCertDuration,omitempty"`
DefaultHostSSHDur *Duration `json:"defaultHostSSHCertDuration,omitempty"`
EnableSSHCA *bool `json:"enableSSHCA,omitempty"`
}
Claims so that individual provisioners can override global claims.
type Collection ¶
type Collection struct {
// contains filtered or unexported fields
}
Collection is a memory map of provisioners.
func NewCollection ¶
func NewCollection(audiences Audiences) *Collection
NewCollection initializes a collection of provisioners. The given list of audiences are the audiences used by the JWT provisioner.
func (*Collection) Find ¶
func (c *Collection) Find(cursor string, limit int) (List, string)
Find implements pagination on a list of sorted provisioners.
func (*Collection) Load ¶
func (c *Collection) Load(id string) (Interface, bool)
Load a provisioner by the ID.
func (*Collection) LoadByCertificate ¶
func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
LoadByCertificate looks for the provisioner extension and extracts the proper id to load the provisioner.
func (*Collection) LoadByToken ¶
func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool)
LoadByToken parses the token claims and loads the provisioner associated.
func (*Collection) LoadEncryptedKey ¶
func (c *Collection) LoadEncryptedKey(keyID string) (string, bool)
LoadEncryptedKey returns an encrypted key by indexed by KeyID. At this moment only JWK encrypted keys are indexed by KeyID.
func (*Collection) Store ¶
func (c *Collection) Store(p Interface) error
Store adds a provisioner to the collection and enforces the uniqueness of provisioner IDs.
type Config ¶
type Config struct {
// Claims are the default claims.
Claims Claims
// Audiences are the audiences used in the default provisioner, (JWK).
Audiences Audiences
}
Config defines the default parameters used in the initialization of provisioners.
type Duration ¶
Duration is a wrapper around Time.Duration to aid with marshal/unmarshal.
func NewDuration ¶ added in v0.11.0
NewDuration parses a duration string and returns a Duration type or an error if the given string is not a duration.
func (*Duration) MarshalJSON ¶
MarshalJSON parses a duration string and sets it to the duration.
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
func (*Duration) UnmarshalJSON ¶
UnmarshalJSON parses a duration string and sets it to the duration.
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
type GCP ¶ added in v0.11.0
type GCP struct {
Type string `json:"type"`
Name string `json:"name"`
ServiceAccounts []string `json:"serviceAccounts"`
ProjectIDs []string `json:"projectIDs"`
DisableCustomSANs bool `json:"disableCustomSANs"`
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
InstanceAge Duration `json:"instanceAge,omitempty"`
Claims *Claims `json:"claims,omitempty"`
// contains filtered or unexported fields
}
GCP is the provisioner that supports identity tokens created by the Google Cloud Platform metadata API.
If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.
If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.
If InstanceAge is set, only the instances with an instance_creation_timestamp within the given period will be accepted.
Google Identity docs are available at https://cloud.google.com/compute/docs/instances/verifying-instance-identity
func (*GCP) AuthorizeRenewal ¶ added in v0.11.0
func (p *GCP) AuthorizeRenewal(cert *x509.Certificate) error
AuthorizeRenewal returns an error if the renewal is disabled.
func (*GCP) AuthorizeRevoke ¶ added in v0.11.0
AuthorizeRevoke returns an error because revoke is not supported on GCP provisioners.
func (*GCP) AuthorizeSign ¶ added in v0.11.0
AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.
func (*GCP) GetEncryptedKey ¶ added in v0.11.0
GetEncryptedKey is not available in a GCP provisioner.
func (*GCP) GetID ¶ added in v0.11.0
GetID returns the provisioner unique identifier. The name should uniquely identify any GCP provisioner.
func (*GCP) GetIdentityToken ¶ added in v0.11.0
GetIdentityToken does an HTTP request to the identity url.
func (*GCP) GetIdentityURL ¶ added in v0.11.0
GetIdentityURL returns the url that generates the GCP token.
func (*GCP) GetTokenID ¶ added in v0.11.0
GetTokenID returns the identifier of the token. The default value for GCP the SHA256 of "provisioner_id.instance_id", but if DisableTrustOnFirstUse is set to true, then it will be the SHA256 of the token.
type Interface ¶
type Interface interface {
GetID() string
GetTokenID(token string) (string, error)
GetName() string
GetType() Type
GetEncryptedKey() (kid string, key string, ok bool)
Init(config Config) error
AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
AuthorizeRenewal(cert *x509.Certificate) error
AuthorizeRevoke(token string) error
}
Interface is the interface that all provisioner types must implement.
type JWK ¶
type JWK struct {
Type string `json:"type"`
Name string `json:"name"`
Key *jose.JSONWebKey `json:"key"`
EncryptedKey string `json:"encryptedKey,omitempty"`
Claims *Claims `json:"claims,omitempty"`
// contains filtered or unexported fields
}
JWK is the default provisioner, an entity that can sign tokens necessary for signature requests.
func (*JWK) AuthorizeRenewal ¶
func (p *JWK) AuthorizeRenewal(cert *x509.Certificate) error
AuthorizeRenewal returns an error if the renewal is disabled.
func (*JWK) AuthorizeRevoke ¶
AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.
func (*JWK) AuthorizeSign ¶ added in v0.10.0
AuthorizeSign validates the given token.
func (*JWK) GetEncryptedKey ¶
GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (*JWK) GetID ¶
GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any JWK provisioner.
func (*JWK) GetTokenID ¶ added in v0.10.0
GetTokenID returns the identifier of the token.
type List ¶
type List []Interface
List represents a list of provisioners.
func (*List) UnmarshalJSON ¶
UnmarshalJSON implements json.Unmarshaler and allows to unmarshal a list of a interfaces into the right type.
type Method ¶ added in v0.12.0
type Method int
Method indicates the action to action that we will perform, it's used as part of the context in the call to authorize. It defaults to Sing.
func MethodFromContext ¶ added in v0.12.0
MethodFromContext returns the Method saved in ctx. Returns Sign if the given context has no Method associated with it.
type MockProvisioner ¶ added in v0.13.0
type MockProvisioner struct {
Mret1, Mret2, Mret3 interface{}
Merr error
MgetID func() string
MgetTokenID func(string) (string, error)
MgetName func() string
MgetType func() Type
MgetEncryptedKey func() (string, string, bool)
Minit func(Config) error
}
MockProvisioner for testing
func (*MockProvisioner) AuthorizeRenewal ¶ added in v0.13.0
func (m *MockProvisioner) AuthorizeRenewal(c *x509.Certificate) error
AuthorizeRenewal mock
func (*MockProvisioner) AuthorizeRevoke ¶ added in v0.13.0
func (m *MockProvisioner) AuthorizeRevoke(ott string) error
AuthorizeRevoke mock
func (*MockProvisioner) AuthorizeSign ¶ added in v0.13.0
func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]SignOption, error)
AuthorizeSign mock
func (*MockProvisioner) GetEncryptedKey ¶ added in v0.13.0
func (m *MockProvisioner) GetEncryptedKey() (string, string, bool)
GetEncryptedKey mock
func (*MockProvisioner) GetID ¶ added in v0.13.0
func (m *MockProvisioner) GetID() string
GetID mock
func (*MockProvisioner) GetName ¶ added in v0.13.0
func (m *MockProvisioner) GetName() string
GetName mock
func (*MockProvisioner) GetTokenID ¶ added in v0.13.0
func (m *MockProvisioner) GetTokenID(token string) (string, error)
GetTokenID mock
func (*MockProvisioner) GetType ¶ added in v0.13.0
func (m *MockProvisioner) GetType() Type
GetType mock
func (*MockProvisioner) Init ¶ added in v0.13.0
func (m *MockProvisioner) Init(c Config) error
Init mock
type OIDC ¶
type OIDC struct {
Type string `json:"type"`
Name string `json:"name"`
ClientID string `json:"clientID"`
ClientSecret string `json:"clientSecret"`
ConfigurationEndpoint string `json:"configurationEndpoint"`
Admins []string `json:"admins,omitempty"`
Domains []string `json:"domains,omitempty"`
Groups []string `json:"groups,omitempty"`
ListenAddress string `json:"listenAddress,omitempty"`
Claims *Claims `json:"claims,omitempty"`
// contains filtered or unexported fields
}
OIDC represents an OAuth 2.0 OpenID Connect provider.
ClientSecret is mandatory, but it can be an empty string.
func (*OIDC) AuthorizeRenewal ¶
func (o *OIDC) AuthorizeRenewal(cert *x509.Certificate) error
AuthorizeRenewal returns an error if the renewal is disabled.
func (*OIDC) AuthorizeRevoke ¶
AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property. Only tokens generated by an admin have the right to revoke a certificate.
func (*OIDC) AuthorizeSign ¶ added in v0.10.0
AuthorizeSign validates the given token.
func (*OIDC) GetEncryptedKey ¶
GetEncryptedKey is not available in an OIDC provisioner.
func (*OIDC) GetID ¶
GetID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.
func (*OIDC) GetTokenID ¶ added in v0.10.0
GetTokenID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.
func (*OIDC) IsAdmin ¶
IsAdmin returns true if the given email is in the Admins whitelist, false otherwise.
func (*OIDC) ValidatePayload ¶
ValidatePayload validates the given token payload.
type Options ¶
type Options struct {
NotAfter TimeDuration `json:"notAfter"`
NotBefore TimeDuration `json:"notBefore"`
}
Options contains the options that can be passed to the Sign method.
type ProfileModifier ¶
type ProfileModifier interface {
SignOption
Option(o Options) x509util.WithOption
}
ProfileModifier is the interface used to add custom options to the profile constructor. The options are used to modify the final certificate.
type SSHCertificateModifier ¶ added in v0.12.0
type SSHCertificateModifier interface {
SignOption
Modify(cert *ssh.Certificate) error
}
SSHCertificateModifier is the interface used to change properties in an SSH certificate.
type SSHCertificateOptionModifier ¶ added in v0.12.0
type SSHCertificateOptionModifier interface {
SignOption
Option(o SSHOptions) SSHCertificateModifier
}
SSHCertificateOptionModifier is the interface used to add custom options used to modify the SSH certificate.
type SSHCertificateOptionsValidator ¶ added in v0.12.0
type SSHCertificateOptionsValidator interface {
SignOption
Valid(got SSHOptions) error
}
SSHCertificateOptionsValidator is the interface used to validate the custom options used to modify the SSH certificate.
type SSHCertificateValidator ¶ added in v0.12.0
type SSHCertificateValidator interface {
SignOption
Valid(cert *ssh.Certificate) error
}
SSHCertificateValidator is the interface used to validate an SSH certificate.
type SSHOptions ¶ added in v0.12.0
type SSHOptions struct {
CertType string `json:"certType"`
Principals []string `json:"principals"`
ValidAfter TimeDuration `json:"validAfter,omitempty"`
ValidBefore TimeDuration `json:"validBefore,omitempty"`
}
SSHOptions contains the options that can be passed to the SignSSH method.
func (SSHOptions) Modify ¶ added in v0.12.0
func (o SSHOptions) Modify(cert *ssh.Certificate) error
Modify implements SSHCertificateModifier and sets the SSHOption in the ssh.Certificate.
func (SSHOptions) Type ¶ added in v0.12.0
func (o SSHOptions) Type() uint32
Type returns the uint32 representation of the CertType.
type SignOption ¶
type SignOption interface{}
SignOption is the interface used to collect all extra options used in the Sign method.
type TimeDuration ¶
type TimeDuration struct {
// contains filtered or unexported fields
}
TimeDuration is a type that represents a time but the JSON unmarshaling can use a time using the RFC 3339 format or a time.Duration string. If a duration is used, the time will be set on the first call to TimeDuration.Time.
func NewTimeDuration ¶
func NewTimeDuration(t time.Time) TimeDuration
NewTimeDuration returns a TimeDuration with the defined time.
func ParseTimeDuration ¶
func ParseTimeDuration(s string) (TimeDuration, error)
ParseTimeDuration returns a new TimeDuration parsing the RFC 3339 time or time.Duration string.
func (*TimeDuration) Equal ¶ added in v0.12.0
func (t *TimeDuration) Equal(other *TimeDuration) bool
Equal returns if t and other are equal.
func (*TimeDuration) IsZero ¶ added in v0.12.0
func (t *TimeDuration) IsZero() bool
IsZero returns true the TimeDuration represents the zero value, false otherwise.
func (TimeDuration) MarshalJSON ¶
func (t TimeDuration) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface. If the time is set it will return the time in RFC 3339 format if not it will return the duration string.
func (*TimeDuration) RelativeTime ¶ added in v0.11.0
func (t *TimeDuration) RelativeTime(base time.Time) time.Time
RelativeTime returns the embedded time.Time or the base time plus the duration if this is not zero.
func (*TimeDuration) SetDuration ¶
func (t *TimeDuration) SetDuration(d time.Duration)
SetDuration initializes the TimeDuration with the given duration string. If the time was set it will re-set to zero.
func (*TimeDuration) SetTime ¶
func (t *TimeDuration) SetTime(tt time.Time)
SetTime initializes the TimeDuration with the given time. If the duration is set it will be re-set to zero.
func (*TimeDuration) String ¶
func (t *TimeDuration) String() string
String implements the fmt.Stringer interface.
func (*TimeDuration) Time ¶
func (t *TimeDuration) Time() time.Time
Time calculates the time if needed and returns it.
func (*TimeDuration) Unix ¶ added in v0.12.0
func (t *TimeDuration) Unix() int64
Unix calculates the time if needed it and returns the Unix time in seconds.
func (*TimeDuration) UnmarshalJSON ¶
func (t *TimeDuration) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface. The time is expected to be a quoted string in RFC 3339 format or a quoted time.Duration string.
type Type ¶
type Type int
Type indicates the provisioner Type.
const ( // TypeJWK is used to indicate the JWK provisioners. TypeJWK Type = 1 // TypeOIDC is used to indicate the OIDC provisioners. TypeOIDC Type = 2 // TypeGCP is used to indicate the GCP provisioners. TypeGCP Type = 3 // TypeAWS is used to indicate the AWS provisioners. TypeAWS Type = 4 // TypeAzure is used to indicate the Azure provisioners. TypeAzure Type = 5 // TypeACME is used to indicate the ACME provisioners. TypeACME Type = 6 // RevokeAudienceKey is the key for the 'revoke' audiences in the audiences map. RevokeAudienceKey = "revoke" // SignAudienceKey is the key for the 'sign' audiences in the audiences map. SignAudienceKey = "sign" )
Source Files