policy

package
v0.21.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 6, 2022 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Copyright 2011 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.

The code in this file is an adapted version of the code in https://cs.opensource.google/go/go/+/refs/tags/go1.17.5:src/crypto/x509/verify.go

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type NamePolicyEngine 

type NamePolicyEngine struct {
	// contains filtered or unexported fields
}

func New 

func New(opts ...NamePolicyOption) (*NamePolicyEngine, error)

NewNamePolicyEngine creates a new NamePolicyEngine with NamePolicyOptions

func (*NamePolicyEngine) AreSANsAllowed 

func (e *NamePolicyEngine) AreSANsAllowed(sans []string) error

AreSANSAllowed verifies that all names in the slice of SANs are allowed. The SANs are first split into DNS names, IPs, email addresses and URIs.

func (*NamePolicyEngine) IsDNSAllowed 

func (e *NamePolicyEngine) IsDNSAllowed(dns string) error

IsDNSAllowed verifies a single DNS domain is allowed.

func (*NamePolicyEngine) IsIPAllowed 

func (e *NamePolicyEngine) IsIPAllowed(ip net.IP) error

IsIPAllowed verifies a single IP domain is allowed.

func (*NamePolicyEngine) IsSSHCertificateAllowed 

func (e *NamePolicyEngine) IsSSHCertificateAllowed(cert *ssh.Certificate) error

IsSSHCertificateAllowed verifies that all principals in an SSH certificate are allowed.

func (*NamePolicyEngine) IsX509CertificateAllowed 

func (e *NamePolicyEngine) IsX509CertificateAllowed(cert *x509.Certificate) error

IsX509CertificateAllowed verifies that all SANs in a Certificate are allowed.

func (*NamePolicyEngine) IsX509CertificateRequestAllowed 

func (e *NamePolicyEngine) IsX509CertificateRequestAllowed(csr *x509.CertificateRequest) error

IsX509CertificateRequestAllowed verifies that all names in the CSR are allowed.

type NamePolicyError 

type NamePolicyError struct {
	Reason   NamePolicyReason
	NameType NameType
	Name     string
	// contains filtered or unexported fields
}

func (*NamePolicyError) Detail 

func (e *NamePolicyError) Detail() string

func (*NamePolicyError) Error 

func (e *NamePolicyError) Error() string

type NamePolicyOption 

type NamePolicyOption func(e *NamePolicyEngine) error

func WithAllowLiteralWildcardNames 

func WithAllowLiteralWildcardNames() NamePolicyOption

func WithExcludedCIDRs 

func WithExcludedCIDRs(cidrs ...string) NamePolicyOption

func WithExcludedCommonNames 

func WithExcludedCommonNames(commonNames ...string) NamePolicyOption

func WithExcludedDNSDomains 

func WithExcludedDNSDomains(domains ...string) NamePolicyOption

func WithExcludedEmailAddresses 

func WithExcludedEmailAddresses(emailAddresses ...string) NamePolicyOption

func WithExcludedIPRanges 

func WithExcludedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption

func WithExcludedIPsOrCIDRs 

func WithExcludedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption

func WithExcludedPrincipals 

func WithExcludedPrincipals(principals ...string) NamePolicyOption

func WithExcludedURIDomains 

func WithExcludedURIDomains(domains ...string) NamePolicyOption

func WithPermittedCIDRs 

func WithPermittedCIDRs(cidrs ...string) NamePolicyOption

func WithPermittedCommonNames 

func WithPermittedCommonNames(commonNames ...string) NamePolicyOption

func WithPermittedDNSDomains 

func WithPermittedDNSDomains(domains ...string) NamePolicyOption

func WithPermittedEmailAddresses 

func WithPermittedEmailAddresses(emailAddresses ...string) NamePolicyOption

func WithPermittedIPRanges 

func WithPermittedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption

func WithPermittedIPsOrCIDRs 

func WithPermittedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption

func WithPermittedPrincipals 

func WithPermittedPrincipals(principals ...string) NamePolicyOption

func WithPermittedURIDomains 

func WithPermittedURIDomains(uriDomains ...string) NamePolicyOption

func WithSubjectCommonNameVerification 

func WithSubjectCommonNameVerification() NamePolicyOption

type NamePolicyReason 

type NamePolicyReason int
const (
	// NotAllowed results when an instance of NamePolicyEngine
	// determines that there's a constraint which doesn't permit
	// a DNS or another type of SAN to be signed (or otherwise used).
	NotAllowed NamePolicyReason = iota + 1
	// CannotParseDomain is returned when an error occurs
	// when parsing the domain part of SAN or subject.
	CannotParseDomain
	// CannotParseRFC822Name is returned when an error
	// occurs when parsing an email address.
	CannotParseRFC822Name
	// CannotMatch is the type of error returned when
	// an error happens when matching SAN types.
	CannotMatchNameToConstraint
)

type NameType 

type NameType string
const (
	CNNameType        NameType = "cn"
	DNSNameType       NameType = "dns"
	IPNameType        NameType = "ip"
	EmailNameType     NameType = "email"
	URINameType       NameType = "uri"
	PrincipalNameType NameType = "principal"
)

type SSHNamePolicyEngine 

type SSHNamePolicyEngine interface {
	IsSSHCertificateAllowed(cert *ssh.Certificate) error
}

type X509NamePolicyEngine 

type X509NamePolicyEngine interface {
	IsX509CertificateAllowed(cert *x509.Certificate) error
	IsX509CertificateRequestAllowed(csr *x509.CertificateRequest) error
	AreSANsAllowed(sans []string) error
	IsDNSAllowed(dns string) error
	IsIPAllowed(ip net.IP) error
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.