Documentation ¶
Index ¶
- Variables
- type ASN1DN
- type AuthConfig
- type Bastion
- type CRLConfig
- type CipherSuites
- type Config
- func (c *Config) Audience(path string) []string
- func (c *Config) Commit() error
- func (c *Config) Filepath() string
- func (c *Config) GetAudiences() provisioner.Audiences
- func (c *Config) Init()
- func (c *Config) Save(filename string) error
- func (c *Config) Validate() error
- func (c *Config) WasLoadedFromFile() bool
- type Host
- type HostTag
- type SSHConfig
- type SSHKeys
- type SSHPublicKey
- type TLSOptions
- type TLSVersion
Constants ¶
This section is empty.
Variables ¶
var ( // DefaultBackdate length of time to backdate certificates to avoid // clock skew validation issues. DefaultBackdate = time.Minute // DefaultDisableRenewal disables renewals per provisioner. DefaultDisableRenewal = false // DefaultAllowRenewalAfterExpiry allows renewals even if the certificate is // expired. DefaultAllowRenewalAfterExpiry = false // DefaultEnableSSHCA enable SSH CA features per provisioner or globally // for all provisioners. DefaultEnableSSHCA = false // DefaultCRLCacheDuration is the default cache duration for the CRL. DefaultCRLCacheDuration = &provisioner.Duration{Duration: 24 * time.Hour} // DefaultCRLExpiredDuration is the default duration in which expired // certificates will remain in the CRL after expiration. DefaultCRLExpiredDuration = time.Hour // GlobalProvisionerClaims is the default duration that expired certificates // remain in the CRL after expiration. GlobalProvisionerClaims = provisioner.Claims{ MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour}, DefaultTLSDur: &provisioner.Duration{Duration: 24 * time.Hour}, MinUserSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, MaxUserSSHDur: &provisioner.Duration{Duration: 24 * time.Hour}, DefaultUserSSHDur: &provisioner.Duration{Duration: 16 * time.Hour}, MinHostSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, MaxHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour}, DefaultHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour}, EnableSSHCA: &DefaultEnableSSHCA, DisableRenewal: &DefaultDisableRenewal, AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry, } )
var ( // DefaultTLSMinVersion default minimum version of TLS. DefaultTLSMinVersion = TLSVersion(1.2) // DefaultTLSMaxVersion default maximum version of TLS. DefaultTLSMaxVersion = TLSVersion(1.3) // DefaultTLSRenegotiation default TLS connection renegotiation policy. DefaultTLSRenegotiation = false // Never regnegotiate. // DefaultTLSCipherSuites specifies default step ciphersuite(s). // These are TLS 1.0 - 1.2 cipher suites. DefaultTLSCipherSuites = CipherSuites{ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", } // ApprovedTLSCipherSuites smallstep approved ciphersuites. ApprovedTLSCipherSuites = CipherSuites{ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", } // DefaultTLSOptions represents the default TLS version as well as the cipher // suites used in the TLS certificates. DefaultTLSOptions = TLSOptions{ CipherSuites: DefaultTLSCipherSuites, MinVersion: DefaultTLSMinVersion, MaxVersion: DefaultTLSMaxVersion, Renegotiation: DefaultTLSRenegotiation, } )
Functions ¶
This section is empty.
Types ¶
type ASN1DN ¶
type ASN1DN struct { Country string `json:"country,omitempty"` Organization string `json:"organization,omitempty"` OrganizationalUnit string `json:"organizationalUnit,omitempty"` Locality string `json:"locality,omitempty"` Province string `json:"province,omitempty"` StreetAddress string `json:"streetAddress,omitempty"` SerialNumber string `json:"serialNumber,omitempty"` CommonName string `json:"commonName,omitempty"` }
ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.
type AuthConfig ¶
type AuthConfig struct { *cas.Options AuthorityID string `json:"authorityId,omitempty"` DeploymentType string `json:"deploymentType,omitempty"` Provisioners provisioner.List `json:"provisioners,omitempty"` Admins []*linkedca.Admin `json:"-"` Template *ASN1DN `json:"template,omitempty"` Claims *provisioner.Claims `json:"claims,omitempty"` Policy *policy.Options `json:"policy,omitempty"` DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"` Backdate *provisioner.Duration `json:"backdate,omitempty"` EnableAdmin bool `json:"enableAdmin,omitempty"` DisableGetSSHHosts bool `json:"disableGetSSHHosts,omitempty"` }
AuthConfig represents the configuration options for the authority. An underlaying registration authority can also be configured using the cas.Options.
func (*AuthConfig) Validate ¶
func (c *AuthConfig) Validate(audiences provisioner.Audiences) error
Validate validates the authority configuration.
type Bastion ¶
type Bastion struct { Hostname string `json:"hostname"` User string `json:"user,omitempty"` Port string `json:"port,omitempty"` Command string `json:"cmd,omitempty"` Flags string `json:"flags,omitempty"` }
Bastion contains the custom properties used on bastion.
type CRLConfig ¶ added in v0.23.0
type CRLConfig struct { Enabled bool `json:"enabled"` GenerateOnRevoke bool `json:"generateOnRevoke,omitempty"` CacheDuration *provisioner.Duration `json:"cacheDuration,omitempty"` RenewPeriod *provisioner.Duration `json:"renewPeriod,omitempty"` }
CRLConfig represents config options for CRL generation
func (*CRLConfig) TickerDuration ¶ added in v0.23.0
TickerDuration the renewal ticker duration. This is set by renewPeriod, of it is not set is ~2/3 of cacheDuration.
type CipherSuites ¶
type CipherSuites []string
CipherSuites represents an array of string codes representing the cipher suites.
func (CipherSuites) Validate ¶
func (c CipherSuites) Validate() error
Validate implements models.Validator and checks that a cipher suite is valid.
func (CipherSuites) Value ¶
func (c CipherSuites) Value() []uint16
Value returns an []uint16 for the cipher suites.
type Config ¶
type Config struct { Root multiString `json:"root"` FederatedRoots []string `json:"federatedRoots"` IntermediateCert string `json:"crt"` IntermediateKey string `json:"key"` Address string `json:"address"` InsecureAddress string `json:"insecureAddress"` DNSNames []string `json:"dnsNames"` KMS *kms.Options `json:"kms,omitempty"` SSH *SSHConfig `json:"ssh,omitempty"` Logger json.RawMessage `json:"logger,omitempty"` DB *db.Config `json:"db,omitempty"` Monitoring json.RawMessage `json:"monitoring,omitempty"` AuthorityConfig *AuthConfig `json:"authority,omitempty"` TLS *TLSOptions `json:"tls,omitempty"` Password string `json:"password,omitempty"` Templates *templates.Templates `json:"templates,omitempty"` CommonName string `json:"commonName,omitempty"` CRL *CRLConfig `json:"crl,omitempty"` SkipValidation bool `json:"-"` // contains filtered or unexported fields }
Config represents the CA configuration and it's mapped to a JSON object.
func LoadConfiguration ¶
LoadConfiguration parses the given filename in JSON format and returns the configuration struct.
func (*Config) Commit ¶ added in v0.23.0
Commit saves the current configuration to the same file it was initially loaded from.
TODO(hs): rename Save() to WriteTo() and replace this with Save()? Or is Commit clear enough.
func (*Config) Filepath ¶ added in v0.23.0
Filepath returns the path to the file the Config was loaded from.
func (*Config) GetAudiences ¶
func (c *Config) GetAudiences() provisioner.Audiences
GetAudiences returns the legacy and possible urls without the ports that will be used as the default provisioner audiences. The CA might have proxies in front so we cannot rely on the port.
func (*Config) Init ¶
func (c *Config) Init()
Init initializes the minimal configuration required to create an authority. This is mainly used on embedded authorities.
func (*Config) WasLoadedFromFile ¶ added in v0.23.0
WasLoadedFromFile returns whether or not the Config was loaded from a file.
type Host ¶
type Host struct { HostID string `json:"hid"` HostTags []HostTag `json:"host_tags"` Hostname string `json:"hostname"` }
Host defines expected attributes for an ssh host.
type HostTag ¶
HostTag are tagged with k,v pairs. These tags are how a user is ultimately associated with a host.
type SSHConfig ¶
type SSHConfig struct { HostKey string `json:"hostKey"` UserKey string `json:"userKey"` Keys []*SSHPublicKey `json:"keys,omitempty"` AddUserPrincipal string `json:"addUserPrincipal,omitempty"` AddUserCommand string `json:"addUserCommand,omitempty"` Bastion *Bastion `json:"bastion,omitempty"` }
SSHConfig contains the user and host keys.
type SSHPublicKey ¶
type SSHPublicKey struct { Type string `json:"type"` Federated bool `json:"federated"` Key jose.JSONWebKey `json:"key"` // contains filtered or unexported fields }
SSHPublicKey contains a public key used by federated CAs to keep old signing keys for this ca.
func (*SSHPublicKey) PublicKey ¶
func (k *SSHPublicKey) PublicKey() ssh.PublicKey
PublicKey returns the ssh public key.
func (*SSHPublicKey) Validate ¶
func (k *SSHPublicKey) Validate() error
Validate checks the fields in SSHPublicKey.
type TLSOptions ¶
type TLSOptions struct { CipherSuites CipherSuites `json:"cipherSuites"` MinVersion TLSVersion `json:"minVersion"` MaxVersion TLSVersion `json:"maxVersion"` Renegotiation bool `json:"renegotiation"` }
TLSOptions represents the TLS options that can be specified on *tls.Config types to configure HTTPS servers and clients.
func (*TLSOptions) TLSConfig ¶
func (t *TLSOptions) TLSConfig() *tls.Config
TLSConfig returns the tls.Config equivalent of the TLSOptions.
type TLSVersion ¶
type TLSVersion float64
TLSVersion represents a TLS version number.
func (TLSVersion) String ¶
func (v TLSVersion) String() string
String returns the Go constant for the TLSVersion.
func (TLSVersion) Validate ¶
func (v TLSVersion) Validate() error
Validate implements models.Validator and checks that a cipher suite is valid.
func (TLSVersion) Value ¶
func (v TLSVersion) Value() uint16
Value returns the Go constant for the TLSVersion.