policy

package
v0.24.3-rc.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 15, 2023 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Copyright 2011 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.

The code in this file is an adapted version of the code in https://cs.opensource.google/go/go/+/refs/tags/go1.17.5:src/crypto/x509/verify.go

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type NamePolicyEngine

type NamePolicyEngine struct {
	// contains filtered or unexported fields
}

func New

func New(opts ...NamePolicyOption) (*NamePolicyEngine, error)

NewNamePolicyEngine creates a new NamePolicyEngine with NamePolicyOptions

func (*NamePolicyEngine) AreSANsAllowed

func (e *NamePolicyEngine) AreSANsAllowed(sans []string) error

AreSANsAllowed verifies that all names in the slice of SANs are allowed. The SANs are first split into DNS names, IPs, email addresses and URIs.

func (*NamePolicyEngine) IsDNSAllowed

func (e *NamePolicyEngine) IsDNSAllowed(dns string) error

IsDNSAllowed verifies a single DNS domain is allowed.

func (*NamePolicyEngine) IsIPAllowed

func (e *NamePolicyEngine) IsIPAllowed(ip net.IP) error

IsIPAllowed verifies a single IP domain is allowed.

func (*NamePolicyEngine) IsSSHCertificateAllowed

func (e *NamePolicyEngine) IsSSHCertificateAllowed(cert *ssh.Certificate) error

IsSSHCertificateAllowed verifies that all principals in an SSH certificate are allowed.

func (*NamePolicyEngine) IsX509CertificateAllowed

func (e *NamePolicyEngine) IsX509CertificateAllowed(cert *x509.Certificate) error

IsX509CertificateAllowed verifies that all SANs in a Certificate are allowed.

func (*NamePolicyEngine) IsX509CertificateRequestAllowed

func (e *NamePolicyEngine) IsX509CertificateRequestAllowed(csr *x509.CertificateRequest) error

IsX509CertificateRequestAllowed verifies that all names in the CSR are allowed.

type NamePolicyError

type NamePolicyError struct {
	Reason   NamePolicyReason
	NameType NameType
	Name     string
	// contains filtered or unexported fields
}

func (*NamePolicyError) As added in v0.23.0

func (e *NamePolicyError) As(v any) bool

As implements the As(any) bool interface and allows to use "errors.As()" to convert a NotAllowed NamePolicyError to an errs.Error.

func (*NamePolicyError) Detail

func (e *NamePolicyError) Detail() string

func (*NamePolicyError) Error

func (e *NamePolicyError) Error() string

type NamePolicyOption

type NamePolicyOption func(e *NamePolicyEngine) error

func WithAllowLiteralWildcardNames

func WithAllowLiteralWildcardNames() NamePolicyOption

func WithExcludedCIDRs

func WithExcludedCIDRs(cidrs ...string) NamePolicyOption

func WithExcludedCommonNames

func WithExcludedCommonNames(commonNames ...string) NamePolicyOption

func WithExcludedDNSDomains

func WithExcludedDNSDomains(domains ...string) NamePolicyOption

func WithExcludedEmailAddresses

func WithExcludedEmailAddresses(emailAddresses ...string) NamePolicyOption

func WithExcludedIPRanges

func WithExcludedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption

func WithExcludedIPsOrCIDRs

func WithExcludedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption

func WithExcludedPrincipals

func WithExcludedPrincipals(principals ...string) NamePolicyOption

func WithExcludedURIDomains

func WithExcludedURIDomains(domains ...string) NamePolicyOption

func WithPermittedCIDRs

func WithPermittedCIDRs(cidrs ...string) NamePolicyOption

func WithPermittedCommonNames

func WithPermittedCommonNames(commonNames ...string) NamePolicyOption

func WithPermittedDNSDomains

func WithPermittedDNSDomains(domains ...string) NamePolicyOption

func WithPermittedEmailAddresses

func WithPermittedEmailAddresses(emailAddresses ...string) NamePolicyOption

func WithPermittedIPRanges

func WithPermittedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption

func WithPermittedIPsOrCIDRs

func WithPermittedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption

func WithPermittedPrincipals

func WithPermittedPrincipals(principals ...string) NamePolicyOption

func WithPermittedURIDomains

func WithPermittedURIDomains(uriDomains ...string) NamePolicyOption

func WithSubjectCommonNameVerification

func WithSubjectCommonNameVerification() NamePolicyOption

type NamePolicyReason

type NamePolicyReason int
const (
	// NotAllowed results when an instance of NamePolicyEngine
	// determines that there's a constraint which doesn't permit
	// a DNS or another type of SAN to be signed (or otherwise used).
	NotAllowed NamePolicyReason = iota + 1
	// CannotParseDomain is returned when an error occurs
	// when parsing the domain part of SAN or subject.
	CannotParseDomain
	// CannotParseRFC822Name is returned when an error
	// occurs when parsing an email address.
	CannotParseRFC822Name
	// CannotMatch is the type of error returned when
	// an error happens when matching SAN types.
	CannotMatchNameToConstraint
)

type NameType

type NameType string
const (
	CNNameType        NameType = "cn"
	DNSNameType       NameType = "dns"
	IPNameType        NameType = "ip"
	EmailNameType     NameType = "email"
	URINameType       NameType = "uri"
	PrincipalNameType NameType = "principal"
)

type SSHNamePolicyEngine

type SSHNamePolicyEngine interface {
	IsSSHCertificateAllowed(cert *ssh.Certificate) error
}

type X509NamePolicyEngine

type X509NamePolicyEngine interface {
	IsX509CertificateAllowed(cert *x509.Certificate) error
	IsX509CertificateRequestAllowed(csr *x509.CertificateRequest) error
	AreSANsAllowed(sans []string) error
	IsDNSAllowed(dns string) error
	IsIPAllowed(ip net.IP) error
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL