Documentation ¶
Index ¶
- Constants
- Variables
- func DefaultAuthorizeRenew(_ context.Context, p *Controller, cert *x509.Certificate) error
- func DefaultAuthorizeSSHRenew(_ context.Context, p *Controller, cert *ssh.Certificate) error
- func ExtractSSHPOPCert(token string) (*ssh.Certificate, *jose.JSONWebToken, error)
- func NewContextWithMethod(ctx context.Context, method Method) context.Context
- func NewContextWithToken(ctx context.Context, token string) context.Context
- func SanitizeSSHUserPrincipal(email string) string
- func SanitizeStringSlices(original []string) []string
- func TokenFromContext(ctx context.Context) (string, bool)
- type ACME
- func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdentifier) error
- func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
- func (p *ACME) AuthorizeRevoke(context.Context, string) error
- func (b ACME) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (b ACME) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (b ACME) AuthorizeSSHRevoke(context.Context, string) error
- func (b ACME) AuthorizeSSHSign(context.Context, string) ([]SignOption, error)
- func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error)
- func (p *ACME) DefaultTLSCertDuration() time.Duration
- func (p *ACME) GetAttestationRoots() (*x509.CertPool, bool)
- func (p *ACME) GetEncryptedKey() (string, string, bool)
- func (p ACME) GetID() string
- func (p *ACME) GetIDForToken() string
- func (p *ACME) GetName() string
- func (p *ACME) GetOptions() *Options
- func (p *ACME) GetTokenID(string) (string, error)
- func (p *ACME) GetType() Type
- func (p *ACME) Init(config Config) (err error)
- func (p *ACME) IsAttestationFormatEnabled(_ context.Context, format ACMEAttestationFormat) bool
- func (p *ACME) IsChallengeEnabled(_ context.Context, challenge ACMEChallenge) bool
- type ACMEAttestationFormat
- type ACMEChallenge
- type ACMEIdentifier
- type ACMEIdentifierType
- type AWS
- func (p *AWS) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
- func (b AWS) AuthorizeRevoke(context.Context, string) error
- func (b AWS) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (b AWS) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (b AWS) AuthorizeSSHRevoke(context.Context, string) error
- func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)
- func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (p *AWS) GetEncryptedKey() (kid, key string, ok bool)
- func (p *AWS) GetID() string
- func (p *AWS) GetIDForToken() string
- func (p *AWS) GetIdentityToken(subject, caURL string) (string, error)
- func (p *AWS) GetName() string
- func (p *AWS) GetTokenID(token string) (string, error)
- func (p *AWS) GetType() Type
- func (p *AWS) Init(config Config) (err error)
- type AttestationData
- type Audiences
- type AuthorizeRenewFunc
- type AuthorizeSSHRenewFunc
- type Azure
- func (p *Azure) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
- func (b Azure) AuthorizeRevoke(context.Context, string) error
- func (b Azure) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (b Azure) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (b Azure) AuthorizeSSHRevoke(context.Context, string) error
- func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)
- func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (p *Azure) GetEncryptedKey() (kid, key string, ok bool)
- func (p *Azure) GetID() string
- func (p *Azure) GetIDForToken() string
- func (p *Azure) GetIdentityToken(subject, caURL string) (string, error)
- func (p *Azure) GetName() string
- func (p *Azure) GetTokenID(token string) (string, error)
- func (p *Azure) GetType() Type
- func (p *Azure) Init(config Config) (err error)
- type CertificateEnforcer
- type CertificateEnforcerFunc
- type CertificateModifier
- type CertificateModifierFunc
- type CertificateOptions
- type CertificateRequestValidator
- type CertificateValidator
- type Claimer
- func (c *Claimer) AllowRenewalAfterExpiry() bool
- func (c *Claimer) Claims() Claims
- func (c *Claimer) DefaultHostSSHCertDuration() time.Duration
- func (c *Claimer) DefaultSSHCertDuration(certType uint32) (time.Duration, error)
- func (c *Claimer) DefaultTLSCertDuration() time.Duration
- func (c *Claimer) DefaultUserSSHCertDuration() time.Duration
- func (c *Claimer) IsDisableRenewal() bool
- func (c *Claimer) IsDisableSmallstepExtensions() bool
- func (c *Claimer) IsSSHCAEnabled() bool
- func (c *Claimer) MaxHostSSHCertDuration() time.Duration
- func (c *Claimer) MaxTLSCertDuration() time.Duration
- func (c *Claimer) MaxUserSSHCertDuration() time.Duration
- func (c *Claimer) MinHostSSHCertDuration() time.Duration
- func (c *Claimer) MinTLSCertDuration() time.Duration
- func (c *Claimer) MinUserSSHCertDuration() time.Duration
- func (c *Claimer) Validate() error
- type Claims
- type Collection
- func (c *Collection) Find(cursor string, limit int) (List, string)
- func (c *Collection) Load(id string) (Interface, bool)
- func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
- func (c *Collection) LoadByName(name string) (Interface, bool)
- func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool)
- func (c *Collection) LoadByTokenID(tokenProvisionerID string) (Interface, bool)
- func (c *Collection) LoadEncryptedKey(keyID string) (string, bool)
- func (c *Collection) Remove(id string) error
- func (c *Collection) Store(p Interface) error
- func (c *Collection) Update(nu Interface) error
- type Config
- type Controller
- type Duration
- type Extension
- type GCP
- func (p *GCP) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
- func (b GCP) AuthorizeRevoke(context.Context, string) error
- func (b GCP) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (b GCP) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (b GCP) AuthorizeSSHRevoke(context.Context, string) error
- func (p *GCP) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)
- func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (p *GCP) GetEncryptedKey() (kid, key string, ok bool)
- func (p *GCP) GetID() string
- func (p *GCP) GetIDForToken() string
- func (p *GCP) GetIdentityToken(subject, caURL string) (string, error)
- func (p *GCP) GetIdentityURL(audience string) string
- func (p *GCP) GetName() string
- func (p *GCP) GetTokenID(token string) (string, error)
- func (p *GCP) GetType() Type
- func (p *GCP) Init(config Config) (err error)
- type GetIdentityFunc
- type Identity
- type Interface
- type JWK
- func (p *JWK) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
- func (p *JWK) AuthorizeRevoke(_ context.Context, token string) error
- func (b JWK) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (b JWK) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (p *JWK) AuthorizeSSHRevoke(_ context.Context, token string) error
- func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)
- func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (p *JWK) GetEncryptedKey() (string, string, bool)
- func (p *JWK) GetID() string
- func (p *JWK) GetIDForToken() string
- func (p *JWK) GetName() string
- func (p *JWK) GetTokenID(ott string) (string, error)
- func (p *JWK) GetType() Type
- func (p *JWK) Init(config Config) (err error)
- type K8sSA
- func (p *K8sSA) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
- func (p *K8sSA) AuthorizeRevoke(_ context.Context, token string) error
- func (b K8sSA) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (b K8sSA) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (b K8sSA) AuthorizeSSHRevoke(context.Context, string) error
- func (p *K8sSA) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)
- func (p *K8sSA) AuthorizeSign(_ context.Context, token string) ([]SignOption, error)
- func (p *K8sSA) GetEncryptedKey() (string, string, bool)
- func (p *K8sSA) GetID() string
- func (p *K8sSA) GetIDForToken() string
- func (p *K8sSA) GetName() string
- func (p *K8sSA) GetTokenID(string) (string, error)
- func (p *K8sSA) GetType() Type
- func (p *K8sSA) Init(config Config) (err error)
- type List
- type Method
- type MockProvisioner
- func (m *MockProvisioner) AuthorizeRenew(ctx context.Context, c *x509.Certificate) error
- func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, ott string) error
- func (m *MockProvisioner) AuthorizeSSHRekey(ctx context.Context, ott string) (*ssh.Certificate, []SignOption, error)
- func (m *MockProvisioner) AuthorizeSSHRenew(ctx context.Context, ott string) (*ssh.Certificate, error)
- func (m *MockProvisioner) AuthorizeSSHRevoke(ctx context.Context, ott string) error
- func (m *MockProvisioner) AuthorizeSSHSign(ctx context.Context, ott string) ([]SignOption, error)
- func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]SignOption, error)
- func (m *MockProvisioner) GetEncryptedKey() (string, string, bool)
- func (m *MockProvisioner) GetID() string
- func (m *MockProvisioner) GetIDForToken() string
- func (m *MockProvisioner) GetName() string
- func (m *MockProvisioner) GetTokenID(token string) (string, error)
- func (m *MockProvisioner) GetType() Type
- func (m *MockProvisioner) Init(c Config) error
- type Nebula
- func (p *Nebula) AuthorizeRenew(ctx context.Context, crt *x509.Certificate) error
- func (p *Nebula) AuthorizeRevoke(_ context.Context, token string) error
- func (p *Nebula) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (p *Nebula) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (p *Nebula) AuthorizeSSHRevoke(_ context.Context, token string) error
- func (p *Nebula) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)
- func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, error)
- func (p *Nebula) GetEncryptedKey() (kid, key string, ok bool)
- func (p *Nebula) GetID() string
- func (p *Nebula) GetIDForToken() string
- func (p *Nebula) GetName() string
- func (p *Nebula) GetTokenID(token string) (string, error)
- func (p *Nebula) GetType() Type
- func (p *Nebula) Init(config Config) (err error)
- type OIDC
- func (o *OIDC) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
- func (o *OIDC) AuthorizeRevoke(_ context.Context, token string) error
- func (b OIDC) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (b OIDC) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (o *OIDC) AuthorizeSSHRevoke(_ context.Context, token string) error
- func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)
- func (o *OIDC) AuthorizeSign(_ context.Context, token string) ([]SignOption, error)
- func (o *OIDC) GetEncryptedKey() (kid, key string, ok bool)
- func (o *OIDC) GetID() string
- func (o *OIDC) GetIDForToken() string
- func (o *OIDC) GetName() string
- func (o *OIDC) GetTokenID(ott string) (string, error)
- func (o *OIDC) GetType() Type
- func (o *OIDC) Init(config Config) (err error)
- func (o *OIDC) ValidatePayload(p openIDPayload) error
- type Options
- type Permissions
- type RAInfo
- type SCEP
- func (b SCEP) AuthorizeRenew(context.Context, *x509.Certificate) error
- func (b SCEP) AuthorizeRevoke(context.Context, string) error
- func (b SCEP) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (b SCEP) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (b SCEP) AuthorizeSSHRevoke(context.Context, string) error
- func (b SCEP) AuthorizeSSHSign(context.Context, string) ([]SignOption, error)
- func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error)
- func (s *SCEP) DefaultTLSCertDuration() time.Duration
- func (s *SCEP) GetCapabilities() []string
- func (s *SCEP) GetContentEncryptionAlgorithm() int
- func (s *SCEP) GetDecrypter() (*x509.Certificate, crypto.Decrypter)
- func (s *SCEP) GetEncryptedKey() (string, string, bool)
- func (s *SCEP) GetID() string
- func (s *SCEP) GetIDForToken() string
- func (s *SCEP) GetName() string
- func (s *SCEP) GetOptions() *Options
- func (s *SCEP) GetSigner() (*x509.Certificate, crypto.Signer)
- func (s *SCEP) GetTokenID(string) (string, error)
- func (s *SCEP) GetType() Type
- func (s *SCEP) Init(config Config) (err error)
- func (s *SCEP) NotifyFailure(ctx context.Context, csr *x509.CertificateRequest, transactionID string, ...) error
- func (s *SCEP) NotifySuccess(ctx context.Context, csr *x509.CertificateRequest, cert *x509.Certificate, ...) error
- func (s *SCEP) ShouldIncludeIntermediateInChain() bool
- func (s *SCEP) ShouldIncludeRootInChain() bool
- func (s *SCEP) ValidateChallenge(ctx context.Context, csr *x509.CertificateRequest, ...) error
- type SCEPKeyManager
- type SSHCertModifier
- type SSHCertOptionsValidator
- type SSHCertValidator
- type SSHCertificateOptions
- type SSHKeys
- type SSHOptions
- func (o *SSHOptions) GetAllowedHostNameOptions() *policy.SSHNameOptions
- func (o *SSHOptions) GetAllowedUserNameOptions() *policy.SSHNameOptions
- func (o *SSHOptions) GetDeniedHostNameOptions() *policy.SSHNameOptions
- func (o *SSHOptions) GetDeniedUserNameOptions() *policy.SSHNameOptions
- func (o *SSHOptions) HasTemplate() bool
- type SSHPOP
- func (b SSHPOP) AuthorizeRenew(context.Context, *x509.Certificate) error
- func (b SSHPOP) AuthorizeRevoke(context.Context, string) error
- func (p *SSHPOP) AuthorizeSSHRekey(_ context.Context, token string) (*ssh.Certificate, []SignOption, error)
- func (p *SSHPOP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)
- func (p *SSHPOP) AuthorizeSSHRevoke(_ context.Context, token string) error
- func (b SSHPOP) AuthorizeSSHSign(context.Context, string) ([]SignOption, error)
- func (b SSHPOP) AuthorizeSign(context.Context, string) ([]SignOption, error)
- func (p *SSHPOP) GetEncryptedKey() (string, string, bool)
- func (p *SSHPOP) GetID() string
- func (p *SSHPOP) GetIDForToken() string
- func (p *SSHPOP) GetName() string
- func (p *SSHPOP) GetTokenID(ott string) (string, error)
- func (p *SSHPOP) GetType() Type
- func (p *SSHPOP) Init(config Config) (err error)
- type SignOption
- type SignOptions
- type SignSSHOptions
- type TimeDuration
- func (t *TimeDuration) Equal(other *TimeDuration) bool
- func (t *TimeDuration) IsZero() bool
- func (t TimeDuration) MarshalJSON() ([]byte, error)
- func (t *TimeDuration) RelativeTime(base time.Time) time.Time
- func (t *TimeDuration) SetDuration(d time.Duration)
- func (t *TimeDuration) SetTime(tt time.Time)
- func (t *TimeDuration) String() string
- func (t *TimeDuration) Time() time.Time
- func (t *TimeDuration) Unix() int64
- func (t *TimeDuration) UnmarshalJSON(data []byte) error
- type Type
- type Uninitialized
- type Webhook
- type WebhookController
- type WebhookSetter
- type X509Options
- type X5C
- func (p *X5C) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
- func (p *X5C) AuthorizeRevoke(_ context.Context, token string) error
- func (b X5C) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
- func (b X5C) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error)
- func (b X5C) AuthorizeSSHRevoke(context.Context, string) error
- func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error)
- func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
- func (p *X5C) GetEncryptedKey() (string, string, bool)
- func (p *X5C) GetID() string
- func (p *X5C) GetIDForToken() string
- func (p *X5C) GetName() string
- func (p *X5C) GetTokenID(ott string) (string, error)
- func (p *X5C) GetType() Type
- func (p *X5C) Init(config Config) (err error)
Constants ¶
const ( // K8sSAName is the default name used for kubernetes service account provisioners. K8sSAName = "k8sSA-default" // K8sSAID is the default ID for kubernetes service account provisioners. K8sSAID = "k8ssa/" + K8sSAName )
const ( // SSHUserCert is the string used to represent ssh.UserCert. SSHUserCert = "user" // SSHHostCert is the string used to represent ssh.HostCert. SSHHostCert = "host" )
const DefaultCertValidity = 24 * time.Hour
DefaultCertValidity is the default validity for a certificate if none is specified.
const DefaultProvisionersLimit = 20
DefaultProvisionersLimit is the default limit for listing provisioners.
const DefaultProvisionersMax = 100
DefaultProvisionersMax is the maximum limit for listing provisioners.
const ( // NebulaCertHeader is the token header that contains a Nebula certificate. NebulaCertHeader jose.HeaderKey = "nebula" )
Variables ¶
var ( // StepOIDRoot is the root OID for smallstep. StepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64} // StepOIDProvisioner is the OID for the provisioner extension. StepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(StepOIDRoot, 1)...) )
var ( ErrSCEPChallengeInvalid = errors.New("webhook server did not allow request") ErrSCEPNotificationFailed = errors.New("scep notification failed") )
var ErrAllowTokenReuse = stderrors.New("allow token reuse")
ErrAllowTokenReuse is an error that is returned by provisioners that allows the reuse of tokens.
This is, for example, returned by the Azure provisioner when DisableTrustOnFirstUse is set to true. Azure caches tokens for up to 24hr and has no mechanism for getting a different token - this can be an issue when rebooting a VM. In contrast, AWS and GCP have facilities for requesting a new token. Therefore, for the Azure provisioner we are enabling token reuse, with the understanding that we are not following security best practices
var ErrWebhookDenied = errors.New("webhook server did not allow request")
Functions ¶
func DefaultAuthorizeRenew ¶ added in v0.19.0
func DefaultAuthorizeRenew(_ context.Context, p *Controller, cert *x509.Certificate) error
DefaultAuthorizeRenew is the default implementation of AuthorizeRenew. It will return an error if the provisioner has the renewal disabled, if the certificate is not yet valid or if the certificate is expired and renew after expiry is disabled.
func DefaultAuthorizeSSHRenew ¶ added in v0.19.0
func DefaultAuthorizeSSHRenew(_ context.Context, p *Controller, cert *ssh.Certificate) error
DefaultAuthorizeSSHRenew is the default implementation of AuthorizeSSHRenew. It will return an error if the provisioner has the renewal disabled, if the certificate is not yet valid or if the certificate is expired and renew after expiry is disabled.
func ExtractSSHPOPCert ¶ added in v0.14.0
func ExtractSSHPOPCert(token string) (*ssh.Certificate, *jose.JSONWebToken, error)
ExtractSSHPOPCert parses a JWT and extracts and loads the SSH Certificate in the sshpop header. If the header is missing, an error is returned.
func NewContextWithMethod ¶ added in v0.12.0
NewContextWithMethod creates a new context from ctx and attaches method to it.
func NewContextWithToken ¶ added in v0.20.0
NewContextWithToken creates a new context with the given token.
func SanitizeSSHUserPrincipal ¶ added in v0.12.0
SanitizeSSHUserPrincipal grabs an email or a string with the format local@domain and returns a sanitized version of the local, valid to be used as a user name. If the email starts with a letter between a and z, the resulting string will match the regular expression `^[a-z][-a-z0-9_]*$`.
func SanitizeStringSlices ¶ added in v0.15.16
SanitizeStringSlices removes duplicated an empty strings.
Types ¶
type ACME ¶ added in v0.13.0
type ACME struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` ForceCN bool `json:"forceCN,omitempty"` // TermsOfService contains a URL pointing to the ACME server's // terms of service. Defaults to empty. TermsOfService string `json:"termsOfService,omitempty"` // Website contains an URL pointing to more information about // the ACME server. Defaults to empty. Website string `json:"website,omitempty"` // CaaIdentities is an array of hostnames that the ACME server // identifies itself with. These hostnames can be used by ACME // clients to determine the correct issuer domain name to use // when configuring CAA records. Defaults to empty array. CaaIdentities []string `json:"caaIdentities,omitempty"` // RequireEAB makes the provisioner require ACME EAB to be provided // by clients when creating a new Account. If set to true, the provided // EAB will be verified. If set to false and an EAB is provided, it is // not verified. Defaults to false. RequireEAB bool `json:"requireEAB,omitempty"` // Challenges contains the enabled challenges for this provisioner. If this // value is not set the default http-01, dns-01 and tls-alpn-01 challenges // will be enabled, device-attest-01 will be disabled. Challenges []ACMEChallenge `json:"challenges,omitempty"` // AttestationFormats contains the enabled attestation formats for this // provisioner. If this value is not set the default apple, step and tpm // will be used. AttestationFormats []ACMEAttestationFormat `json:"attestationFormats,omitempty"` // AttestationRoots contains a bundle of root certificates in PEM format // that will be used to verify the attestation certificates. If provided, // this bundle will be used even for well-known CAs like Apple and Yubico. AttestationRoots []byte `json:"attestationRoots,omitempty"` Claims *Claims `json:"claims,omitempty"` Options *Options `json:"options,omitempty"` // contains filtered or unexported fields }
ACME is the acme provisioner type, an entity that can authorize the ACME provisioning flow.
func (*ACME) AuthorizeOrderIdentifier ¶ added in v0.20.0
func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdentifier) error
AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a certificate for an ACME Order Identifier.
func (*ACME) AuthorizeRenew ¶ added in v0.14.0
AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check its revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.
func (*ACME) AuthorizeRevoke ¶ added in v0.13.0
AuthorizeRevoke is called just before the certificate is to be revoked by the CA. It can be used to authorize revocation of a certificate. With the ACME protocol, revocation authorization is specified and performed as part of the client/server interaction, so this is a no-op.
func (ACME) AuthorizeSSHRekey ¶ added in v0.14.0
func (b ACME) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.
func (ACME) AuthorizeSSHRenew ¶ added in v0.14.0
AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.
func (ACME) AuthorizeSSHRevoke ¶ added in v0.14.0
AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.
func (ACME) AuthorizeSSHSign ¶ added in v0.14.0
func (b ACME) AuthorizeSSHSign(context.Context, string) ([]SignOption, error)
AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing SSH Certificates.
func (*ACME) AuthorizeSign ¶ added in v0.13.0
AuthorizeSign does not do any validation, because all validation is handled in the ACME protocol. This method returns a list of modifiers / constraints on the resulting certificate.
func (*ACME) DefaultTLSCertDuration ¶ added in v0.14.5
DefaultTLSCertDuration returns the default TLS cert duration enforced by the provisioner.
func (*ACME) GetAttestationRoots ¶ added in v0.23.0
GetAttestationRoots returns certificate pool with the configured attestation roots and reports if the pool contains at least one certificate.
TODO(hs): we may not want to expose the root pool like this; call into an interface function instead to authorize?
func (*ACME) GetEncryptedKey ¶ added in v0.13.0
GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (*ACME) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*ACME) GetOptions ¶ added in v0.15.0
GetOptions returns the configured provisioner options.
func (*ACME) GetTokenID ¶ added in v0.13.0
GetTokenID returns the identifier of the token.
func (*ACME) IsAttestationFormatEnabled ¶ added in v0.23.0
func (p *ACME) IsAttestationFormatEnabled(_ context.Context, format ACMEAttestationFormat) bool
IsAttestationFormatEnabled checks if the given attestation format is enabled. By default apple, step and tpm are enabled, to disable any of them the AttestationFormat provisioner property should have at least one element.
func (*ACME) IsChallengeEnabled ¶ added in v0.23.0
func (p *ACME) IsChallengeEnabled(_ context.Context, challenge ACMEChallenge) bool
IsChallengeEnabled checks if the given challenge is enabled. By default http-01, dns-01 and tls-alpn-01 are enabled, to disable any of them the Challenge provisioner property should have at least one element.
type ACMEAttestationFormat ¶ added in v0.23.0
type ACMEAttestationFormat string
ACMEAttestationFormat represents the format used on a device-attest-01 challenge.
const ( // APPLE is the format used to enable device-attest-01 on Apple devices. APPLE ACMEAttestationFormat = "apple" // STEP is the format used to enable device-attest-01 on devices that // provide attestation certificates like the PIV interface on YubiKeys. // // TODO(mariano): should we rename this to something else. STEP ACMEAttestationFormat = "step" // TPM is the format used to enable device-attest-01 with TPMs. TPM ACMEAttestationFormat = "tpm" )
func (ACMEAttestationFormat) String ¶ added in v0.23.0
func (f ACMEAttestationFormat) String() string
String returns a normalized version of the attestation format.
func (ACMEAttestationFormat) Validate ¶ added in v0.23.0
func (f ACMEAttestationFormat) Validate() error
Validate returns an error if the attestation format is not a valid one.
type ACMEChallenge ¶ added in v0.23.0
type ACMEChallenge string
ACMEChallenge represents the supported acme challenges.
const ( // HTTP_01 is the http-01 ACME challenge. HTTP_01 ACMEChallenge = "http-01" // DNS_01 is the dns-01 ACME challenge. DNS_01 ACMEChallenge = "dns-01" // TLS_ALPN_01 is the tls-alpn-01 ACME challenge. TLS_ALPN_01 ACMEChallenge = "tls-alpn-01" // DEVICE_ATTEST_01 is the device-attest-01 ACME challenge. DEVICE_ATTEST_01 ACMEChallenge = "device-attest-01" )
func (ACMEChallenge) String ¶ added in v0.23.0
func (c ACMEChallenge) String() string
String returns a normalized version of the challenge.
func (ACMEChallenge) Validate ¶ added in v0.23.0
func (c ACMEChallenge) Validate() error
Validate returns an error if the acme challenge is not a valid one.
type ACMEIdentifier ¶ added in v0.20.0
type ACMEIdentifier struct { Type ACMEIdentifierType Value string }
ACMEIdentifier encodes ACME Order Identifiers
type ACMEIdentifierType ¶ added in v0.20.0
type ACMEIdentifierType string
ACMEIdentifierType encodes ACME Identifier types
const ( // IP is the ACME ip identifier type IP ACMEIdentifierType = "ip" // DNS is the ACME dns identifier type DNS ACMEIdentifierType = "dns" )
type AWS ¶ added in v0.11.0
type AWS struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` Accounts []string `json:"accounts"` DisableCustomSANs bool `json:"disableCustomSANs"` DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"` IMDSVersions []string `json:"imdsVersions"` InstanceAge Duration `json:"instanceAge,omitempty"` IIDRoots string `json:"iidRoots,omitempty"` Claims *Claims `json:"claims,omitempty"` Options *Options `json:"options,omitempty"` // contains filtered or unexported fields }
AWS is the provisioner that supports identity tokens created from the Amazon Web Services Instance Identity Documents.
If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.
If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.
If InstanceAge is set, only the instances with a pendingTime within the given period will be accepted.
IIDRoots can be used to specify a path to the certificates used to verify the identity certificate signature.
Amazon Identity docs are available at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
func (*AWS) AuthorizeRenew ¶ added in v0.14.0
AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.
func (AWS) AuthorizeRevoke ¶ added in v0.11.0
AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.
func (AWS) AuthorizeSSHRekey ¶ added in v0.14.0
func (b AWS) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.
func (AWS) AuthorizeSSHRenew ¶ added in v0.14.0
AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.
func (AWS) AuthorizeSSHRevoke ¶ added in v0.14.0
AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.
func (*AWS) AuthorizeSSHSign ¶ added in v0.14.0
AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
func (*AWS) AuthorizeSign ¶ added in v0.11.0
AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.
func (*AWS) GetEncryptedKey ¶ added in v0.11.0
GetEncryptedKey is not available in an AWS provisioner.
func (*AWS) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*AWS) GetIdentityToken ¶ added in v0.11.0
GetIdentityToken retrieves the identity document and it's signature and generates a token with them.
func (*AWS) GetTokenID ¶ added in v0.11.0
GetTokenID returns the identifier of the token.
type AttestationData ¶ added in v0.23.0
type AttestationData struct {
PermanentIdentifier string
}
AttestationData is a SignOption used to pass attestation information to the sign methods.
type Audiences ¶ added in v0.10.0
type Audiences struct { Sign []string Renew []string Revoke []string SSHSign []string SSHRevoke []string SSHRenew []string SSHRekey []string }
Audiences stores all supported audiences by request type.
func (Audiences) All ¶ added in v0.10.0
All returns all supported audiences across all request types in one list.
func (Audiences) WithFragment ¶ added in v0.11.0
WithFragment returns a copy of audiences where the url audiences contains the given fragment.
type AuthorizeRenewFunc ¶ added in v0.19.0
type AuthorizeRenewFunc func(ctx context.Context, p *Controller, cert *x509.Certificate) error
AuthorizeRenewFunc is a function that returns nil if the renewal of a certificate is enabled.
type AuthorizeSSHRenewFunc ¶ added in v0.19.0
type AuthorizeSSHRenewFunc func(ctx context.Context, p *Controller, cert *ssh.Certificate) error
AuthorizeSSHRenewFunc is a function that returns nil if the renewal of the given SSH certificate is enabled.
type Azure ¶ added in v0.11.0
type Azure struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` TenantID string `json:"tenantID"` ResourceGroups []string `json:"resourceGroups"` SubscriptionIDs []string `json:"subscriptionIDs"` ObjectIDs []string `json:"objectIDs"` Audience string `json:"audience,omitempty"` DisableCustomSANs bool `json:"disableCustomSANs"` DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"` Claims *Claims `json:"claims,omitempty"` Options *Options `json:"options,omitempty"` // contains filtered or unexported fields }
Azure is the provisioner that supports identity tokens created from the Microsoft Azure Instance Metadata service.
The default audience is "https://management.azure.com/".
If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.
If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.
Microsoft Azure identity docs are available at https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token and https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
func (*Azure) AuthorizeRenew ¶ added in v0.14.0
AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.
func (Azure) AuthorizeRevoke ¶ added in v0.11.0
AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.
func (Azure) AuthorizeSSHRekey ¶ added in v0.14.0
func (b Azure) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.
func (Azure) AuthorizeSSHRenew ¶ added in v0.14.0
AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.
func (Azure) AuthorizeSSHRevoke ¶ added in v0.14.0
AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.
func (*Azure) AuthorizeSSHSign ¶ added in v0.14.0
AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
func (*Azure) AuthorizeSign ¶ added in v0.11.0
AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.
func (*Azure) GetEncryptedKey ¶ added in v0.11.0
GetEncryptedKey is not available in an Azure provisioner.
func (*Azure) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*Azure) GetIdentityToken ¶ added in v0.11.0
GetIdentityToken retrieves from the metadata service the identity token and returns it.
func (*Azure) GetTokenID ¶ added in v0.11.0
GetTokenID returns the identifier of the token. The default value for Azure the SHA256 of "xms_mirid", but if DisableTrustOnFirstUse is set to true, then it will be the token kid.
type CertificateEnforcer ¶ added in v0.14.0
type CertificateEnforcer interface {
Enforce(cert *x509.Certificate) error
}
CertificateEnforcer is an interface used to modify a given X.509 certificate. Types implemented this interface will NOT be validated with a CertificateValidator.
type CertificateEnforcerFunc ¶ added in v0.15.0
type CertificateEnforcerFunc func(cert *x509.Certificate) error
CertificateEnforcerFunc allows to create simple certificate enforcer just with a function.
func (CertificateEnforcerFunc) Enforce ¶ added in v0.15.0
func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error
Enforce implements CertificateEnforcer and just calls the defined function.
type CertificateModifier ¶ added in v0.15.0
type CertificateModifier interface {
Modify(cert *x509.Certificate, opts SignOptions) error
}
CertificateModifier is an interface used to modify a given X.509 certificate. Types implementing this interface will be validated with a CertificateValidator.
type CertificateModifierFunc ¶ added in v0.15.0
type CertificateModifierFunc func(cert *x509.Certificate, opts SignOptions) error
CertificateModifierFunc allows to create simple certificate modifiers just with a function.
func (CertificateModifierFunc) Modify ¶ added in v0.15.0
func (fn CertificateModifierFunc) Modify(cert *x509.Certificate, opts SignOptions) error
Modify implements CertificateModifier and just calls the defined function.
type CertificateOptions ¶ added in v0.15.0
type CertificateOptions interface {
Options(SignOptions) []x509util.Option
}
CertificateOptions is an interface that returns a list of options passed when creating a new certificate.
func CustomTemplateOptions ¶ added in v0.15.0
func CustomTemplateOptions(o *Options, data x509util.TemplateData, defaultTemplate string) (CertificateOptions, error)
CustomTemplateOptions generates a CertificateOptions with the template, data defined in the ProvisionerOptions, the provisioner generated data and the user data provided in the request. If no template has been provided in the ProvisionerOptions, the given template will be used.
func TemplateOptions ¶ added in v0.15.0
func TemplateOptions(o *Options, data x509util.TemplateData) (CertificateOptions, error)
TemplateOptions generates a CertificateOptions with the template and data defined in the ProvisionerOptions, the provisioner generated data, and the user data provided in the request. If no template has been provided, x509util.DefaultLeafTemplate will be used.
type CertificateRequestValidator ¶
type CertificateRequestValidator interface {
Valid(cr *x509.CertificateRequest) error
}
CertificateRequestValidator is an interface used to validate a given X.509 certificate request.
type CertificateValidator ¶
type CertificateValidator interface {
Valid(cert *x509.Certificate, opts SignOptions) error
}
CertificateValidator is an interface used to validate a given X.509 certificate.
type Claimer ¶
type Claimer struct {
// contains filtered or unexported fields
}
Claimer is the type that controls claims. It provides an interface around the current claim and the global one.
func NewClaimer ¶
NewClaimer initializes a new claimer with the given claims.
func (*Claimer) AllowRenewalAfterExpiry ¶ added in v0.19.0
AllowRenewalAfterExpiry returns if the renewal flow is authorized if the certificate is expired. If the property is not set within the provisioner then the global value from the authority configuration will be used.
func (*Claimer) DefaultHostSSHCertDuration ¶ added in v0.12.0
DefaultHostSSHCertDuration returns the default SSH host cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.
func (*Claimer) DefaultSSHCertDuration ¶ added in v0.14.0
DefaultSSHCertDuration returns the default SSH certificate duration for the given certificate type.
func (*Claimer) DefaultTLSCertDuration ¶
DefaultTLSCertDuration returns the default TLS cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.
func (*Claimer) DefaultUserSSHCertDuration ¶ added in v0.12.0
DefaultUserSSHCertDuration returns the default SSH user cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.
func (*Claimer) IsDisableRenewal ¶
IsDisableRenewal returns if the renewal flow is disabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.
func (*Claimer) IsDisableSmallstepExtensions ¶ added in v0.25.0
IsDisableSmallstepExtensions returns whether Smallstep extensions, such as the provisioner extension, should be excluded from the certificate.
func (*Claimer) IsSSHCAEnabled ¶ added in v0.12.0
IsSSHCAEnabled returns if the SSH CA is enabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.
func (*Claimer) MaxHostSSHCertDuration ¶ added in v0.12.0
MaxHostSSHCertDuration returns the maximum SSH Host cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.
func (*Claimer) MaxTLSCertDuration ¶
MaxTLSCertDuration returns the maximum TLS cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.
func (*Claimer) MaxUserSSHCertDuration ¶ added in v0.12.0
MaxUserSSHCertDuration returns the maximum SSH user cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.
func (*Claimer) MinHostSSHCertDuration ¶ added in v0.12.0
MinHostSSHCertDuration returns the minimum SSH host cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.
func (*Claimer) MinTLSCertDuration ¶
MinTLSCertDuration returns the minimum TLS cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.
func (*Claimer) MinUserSSHCertDuration ¶ added in v0.12.0
MinUserSSHCertDuration returns the minimum SSH user cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.
type Claims ¶
type Claims struct { // TLS CA properties MinTLSDur *Duration `json:"minTLSCertDuration,omitempty"` MaxTLSDur *Duration `json:"maxTLSCertDuration,omitempty"` DefaultTLSDur *Duration `json:"defaultTLSCertDuration,omitempty"` // SSH CA properties MinUserSSHDur *Duration `json:"minUserSSHCertDuration,omitempty"` MaxUserSSHDur *Duration `json:"maxUserSSHCertDuration,omitempty"` DefaultUserSSHDur *Duration `json:"defaultUserSSHCertDuration,omitempty"` MinHostSSHDur *Duration `json:"minHostSSHCertDuration,omitempty"` MaxHostSSHDur *Duration `json:"maxHostSSHCertDuration,omitempty"` DefaultHostSSHDur *Duration `json:"defaultHostSSHCertDuration,omitempty"` EnableSSHCA *bool `json:"enableSSHCA,omitempty"` // Renewal properties DisableRenewal *bool `json:"disableRenewal,omitempty"` AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"` // Other properties DisableSmallstepExtensions *bool `json:"disableSmallstepExtensions,omitempty"` }
Claims so that individual provisioners can override global claims.
type Collection ¶
type Collection struct {
// contains filtered or unexported fields
}
Collection is a memory map of provisioners.
func NewCollection ¶
func NewCollection(audiences Audiences) *Collection
NewCollection initializes a collection of provisioners. The given list of audiences are the audiences used by the JWT provisioner.
func (*Collection) Find ¶
func (c *Collection) Find(cursor string, limit int) (List, string)
Find implements pagination on a list of sorted provisioners.
func (*Collection) Load ¶
func (c *Collection) Load(id string) (Interface, bool)
Load a provisioner by the ID.
func (*Collection) LoadByCertificate ¶
func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
LoadByCertificate looks for the provisioner extension and extracts the proper id to load the provisioner.
func (*Collection) LoadByName ¶ added in v0.16.0
func (c *Collection) LoadByName(name string) (Interface, bool)
LoadByName a provisioner by name.
func (*Collection) LoadByToken ¶
func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool)
LoadByToken parses the token claims and loads the provisioner associated.
func (*Collection) LoadByTokenID ¶ added in v0.16.0
func (c *Collection) LoadByTokenID(tokenProvisionerID string) (Interface, bool)
LoadByTokenID a provisioner by identifier found in token. For different provisioner types this identifier may be found in in different attributes of the token.
func (*Collection) LoadEncryptedKey ¶
func (c *Collection) LoadEncryptedKey(keyID string) (string, bool)
LoadEncryptedKey returns an encrypted key by indexed by KeyID. At this moment only JWK encrypted keys are indexed by KeyID.
func (*Collection) Remove ¶ added in v0.16.0
func (c *Collection) Remove(id string) error
Remove deletes an provisioner from all associated collections and lists.
func (*Collection) Store ¶
func (c *Collection) Store(p Interface) error
Store adds a provisioner to the collection and enforces the uniqueness of provisioner IDs.
func (*Collection) Update ¶ added in v0.16.0
func (c *Collection) Update(nu Interface) error
Update updates the given provisioner in all related lists and collections.
type Config ¶
type Config struct { // Claims are the default claims. Claims Claims // Audiences are the audiences used in the default provisioner, (JWK). Audiences Audiences // SSHKeys are the root SSH public keys SSHKeys *SSHKeys // GetIdentityFunc is a function that returns an identity that will be // used by the provisioner to populate certificate attributes. GetIdentityFunc GetIdentityFunc // AuthorizeRenewFunc is a function that returns nil if a given X.509 // certificate can be renewed. AuthorizeRenewFunc AuthorizeRenewFunc // AuthorizeSSHRenewFunc is a function that returns nil if a given SSH // certificate can be renewed. AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc // WebhookClient is an http client to use in webhook request WebhookClient *http.Client // SCEPKeyManager, if defined, is the interface used by SCEP provisioners. SCEPKeyManager SCEPKeyManager }
Config defines the default parameters used in the initialization of provisioners.
type Controller ¶ added in v0.19.0
type Controller struct { Interface Audiences *Audiences Claimer *Claimer IdentityFunc GetIdentityFunc AuthorizeRenewFunc AuthorizeRenewFunc AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc // contains filtered or unexported fields }
Controller wraps a provisioner with other attributes useful in callback functions.
func NewController ¶ added in v0.19.0
func NewController(p Interface, claims *Claims, config Config, options *Options) (*Controller, error)
NewController initializes a new provisioner controller.
func (*Controller) AuthorizeRenew ¶ added in v0.19.0
func (c *Controller) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
AuthorizeRenew returns nil if the given cert can be renewed, returns an error otherwise.
func (*Controller) AuthorizeSSHRenew ¶ added in v0.19.0
func (c *Controller) AuthorizeSSHRenew(ctx context.Context, cert *ssh.Certificate) error
AuthorizeSSHRenew returns nil if the given cert can be renewed, returns an error otherwise.
func (*Controller) GetIdentity ¶ added in v0.19.0
GetIdentity returns the identity for a given email.
type Duration ¶
Duration is a wrapper around Time.Duration to aid with marshal/unmarshal.
func NewDuration ¶ added in v0.11.0
NewDuration parses a duration string and returns a Duration type or an error if the given string is not a duration.
func (*Duration) MarshalJSON ¶
MarshalJSON parses a duration string and sets it to the duration.
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
func (*Duration) UnmarshalJSON ¶
UnmarshalJSON parses a duration string and sets it to the duration.
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
type Extension ¶ added in v0.19.0
Extension is the Go representation of the provisioner extension.
func GetProvisionerExtension ¶ added in v0.19.0
func GetProvisionerExtension(cert *x509.Certificate) (*Extension, bool)
GetProvisionerExtension goes through all the certificate extensions and returns the provisioner extension (1.3.6.1.4.1.37476.9000.64.1).
type GCP ¶ added in v0.11.0
type GCP struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` ServiceAccounts []string `json:"serviceAccounts"` ProjectIDs []string `json:"projectIDs"` DisableCustomSANs bool `json:"disableCustomSANs"` DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"` InstanceAge Duration `json:"instanceAge,omitempty"` Claims *Claims `json:"claims,omitempty"` Options *Options `json:"options,omitempty"` // contains filtered or unexported fields }
GCP is the provisioner that supports identity tokens created by the Google Cloud Platform metadata API.
If DisableCustomSANs is true, only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.
If DisableTrustOnFirstUse is true, multiple sign request for this provisioner with the same instance will be accepted. By default only the first request will be accepted.
If InstanceAge is set, only the instances with an instance_creation_timestamp within the given period will be accepted.
Google Identity docs are available at https://cloud.google.com/compute/docs/instances/verifying-instance-identity
func (*GCP) AuthorizeRenew ¶ added in v0.14.0
AuthorizeRenew returns an error if the renewal is disabled.
func (GCP) AuthorizeRevoke ¶ added in v0.11.0
AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.
func (GCP) AuthorizeSSHRekey ¶ added in v0.14.0
func (b GCP) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.
func (GCP) AuthorizeSSHRenew ¶ added in v0.14.0
AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.
func (GCP) AuthorizeSSHRevoke ¶ added in v0.14.0
AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.
func (*GCP) AuthorizeSSHSign ¶ added in v0.14.0
AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
func (*GCP) AuthorizeSign ¶ added in v0.11.0
AuthorizeSign validates the given token and returns the sign options that will be used on certificate creation.
func (*GCP) GetEncryptedKey ¶ added in v0.11.0
GetEncryptedKey is not available in a GCP provisioner.
func (*GCP) GetID ¶ added in v0.11.0
GetID returns the provisioner unique identifier. The name should uniquely identify any GCP provisioner.
func (*GCP) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*GCP) GetIdentityToken ¶ added in v0.11.0
GetIdentityToken does an HTTP request to the identity url.
func (*GCP) GetIdentityURL ¶ added in v0.11.0
GetIdentityURL returns the url that generates the GCP token.
func (*GCP) GetTokenID ¶ added in v0.11.0
GetTokenID returns the identifier of the token. The default value for GCP the SHA256 of "provisioner_id.instance_id", but if DisableTrustOnFirstUse is set to true, then it will be the SHA256 of the token.
type GetIdentityFunc ¶ added in v0.14.0
GetIdentityFunc is a function that returns an identity.
type Identity ¶ added in v0.14.0
type Identity struct { Usernames []string `json:"usernames"` Permissions `json:"permissions"` }
Identity is the type representing an externally supplied identity that is used by provisioners to populate certificate fields.
type Interface ¶
type Interface interface { GetID() string GetIDForToken() string GetTokenID(token string) (string, error) GetName() string GetType() Type GetEncryptedKey() (kid string, key string, ok bool) Init(config Config) error AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) AuthorizeRevoke(ctx context.Context, token string) error AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) AuthorizeSSHRevoke(ctx context.Context, token string) error AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) }
Interface is the interface that all provisioner types must implement.
type JWK ¶
type JWK struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` Key *jose.JSONWebKey `json:"key"` EncryptedKey string `json:"encryptedKey,omitempty"` Claims *Claims `json:"claims,omitempty"` Options *Options `json:"options,omitempty"` // contains filtered or unexported fields }
JWK is the default provisioner, an entity that can sign tokens necessary for signature requests.
func (*JWK) AuthorizeRenew ¶ added in v0.14.0
AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.
func (*JWK) AuthorizeRevoke ¶
AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.
func (JWK) AuthorizeSSHRekey ¶ added in v0.14.0
func (b JWK) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.
func (JWK) AuthorizeSSHRenew ¶ added in v0.14.0
AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.
func (*JWK) AuthorizeSSHRevoke ¶ added in v0.14.0
AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.
func (*JWK) AuthorizeSSHSign ¶ added in v0.14.0
AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
func (*JWK) AuthorizeSign ¶ added in v0.10.0
AuthorizeSign validates the given token.
func (*JWK) GetEncryptedKey ¶
GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (*JWK) GetID ¶
GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any JWK provisioner.
func (*JWK) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*JWK) GetTokenID ¶ added in v0.10.0
GetTokenID returns the identifier of the token.
type K8sSA ¶ added in v0.14.0
type K8sSA struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` PubKeys []byte `json:"publicKeys,omitempty"` Claims *Claims `json:"claims,omitempty"` Options *Options `json:"options,omitempty"` // contains filtered or unexported fields }
K8sSA represents a Kubernetes ServiceAccount provisioner; an entity trusted to make signature requests.
func (*K8sSA) AuthorizeRenew ¶ added in v0.14.0
AuthorizeRenew returns an error if the renewal is disabled.
func (*K8sSA) AuthorizeRevoke ¶ added in v0.14.0
AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.
func (K8sSA) AuthorizeSSHRekey ¶ added in v0.14.0
func (b K8sSA) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.
func (K8sSA) AuthorizeSSHRenew ¶ added in v0.14.0
AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.
func (K8sSA) AuthorizeSSHRevoke ¶ added in v0.14.0
AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.
func (*K8sSA) AuthorizeSSHSign ¶ added in v0.14.0
AuthorizeSSHSign validates an request for an SSH certificate.
func (*K8sSA) AuthorizeSign ¶ added in v0.14.0
AuthorizeSign validates the given token.
func (*K8sSA) GetEncryptedKey ¶ added in v0.14.0
GetEncryptedKey returns false, because the kubernetes provisioner does not have access to the private key.
func (*K8sSA) GetID ¶ added in v0.14.0
GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any K8sSA provisioner.
func (*K8sSA) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*K8sSA) GetTokenID ¶ added in v0.14.0
GetTokenID returns an unimplemented error and does not use the input ott.
type List ¶
type List []Interface
List represents a list of provisioners.
func (*List) UnmarshalJSON ¶
UnmarshalJSON implements json.Unmarshaler and allows to unmarshal a list of a interfaces into the right type.
type Method ¶ added in v0.12.0
type Method int
Method indicates the action to action that we will perform, it's used as part of the context in the call to authorize. It defaults to Sing.
const ( // SignMethod is the method used to sign X.509 certificates. SignMethod Method = iota // SignIdentityMethod is the method used to sign X.509 identity certificates. SignIdentityMethod // RevokeMethod is the method used to revoke X.509 certificates. RevokeMethod // RenewMethod is the method used to renew X.509 certificates. RenewMethod // SSHSignMethod is the method used to sign SSH certificates. SSHSignMethod // SSHRenewMethod is the method used to renew SSH certificates. SSHRenewMethod // SSHRevokeMethod is the method used to revoke SSH certificates. SSHRevokeMethod // SSHRekeyMethod is the method used to rekey SSH certificates. SSHRekeyMethod )
func MethodFromContext ¶ added in v0.12.0
MethodFromContext returns the Method saved in ctx.
type MockProvisioner ¶ added in v0.13.0
type MockProvisioner struct {
Mret1, Mret2, Mret3 interface{}
Merr error
MgetID func() string
MgetIDForToken func() string
MgetTokenID func(string) (string, error)
MgetName func() string
MgetType func() Type
MgetEncryptedKey func() (string, string, bool)
Minit func(Config) error
}
MockProvisioner for testing
func (*MockProvisioner) AuthorizeRenew ¶ added in v0.14.0
func (m *MockProvisioner) AuthorizeRenew(ctx context.Context, c *x509.Certificate) error
AuthorizeRenew mock
func (*MockProvisioner) AuthorizeRevoke ¶ added in v0.13.0
func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, ott string) error
AuthorizeRevoke mock
func (*MockProvisioner) AuthorizeSSHRekey ¶ added in v0.14.0
func (m *MockProvisioner) AuthorizeSSHRekey(ctx context.Context, ott string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey mock
func (*MockProvisioner) AuthorizeSSHRenew ¶ added in v0.14.0
func (m *MockProvisioner) AuthorizeSSHRenew(ctx context.Context, ott string) (*ssh.Certificate, error)
AuthorizeSSHRenew mock
func (*MockProvisioner) AuthorizeSSHRevoke ¶ added in v0.14.0
func (m *MockProvisioner) AuthorizeSSHRevoke(ctx context.Context, ott string) error
AuthorizeSSHRevoke mock
func (*MockProvisioner) AuthorizeSSHSign ¶ added in v0.14.0
func (m *MockProvisioner) AuthorizeSSHSign(ctx context.Context, ott string) ([]SignOption, error)
AuthorizeSSHSign mock
func (*MockProvisioner) AuthorizeSign ¶ added in v0.13.0
func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]SignOption, error)
AuthorizeSign mock
func (*MockProvisioner) GetEncryptedKey ¶ added in v0.13.0
func (m *MockProvisioner) GetEncryptedKey() (string, string, bool)
GetEncryptedKey mock
func (*MockProvisioner) GetID ¶ added in v0.13.0
func (m *MockProvisioner) GetID() string
GetID mock
func (*MockProvisioner) GetIDForToken ¶ added in v0.16.0
func (m *MockProvisioner) GetIDForToken() string
GetIDForToken mock
func (*MockProvisioner) GetName ¶ added in v0.13.0
func (m *MockProvisioner) GetName() string
GetName mock
func (*MockProvisioner) GetTokenID ¶ added in v0.13.0
func (m *MockProvisioner) GetTokenID(token string) (string, error)
GetTokenID mock
func (*MockProvisioner) GetType ¶ added in v0.13.0
func (m *MockProvisioner) GetType() Type
GetType mock
func (*MockProvisioner) Init ¶ added in v0.13.0
func (m *MockProvisioner) Init(c Config) error
Init mock
type Nebula ¶ added in v0.18.1
type Nebula struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` Roots []byte `json:"roots"` Claims *Claims `json:"claims,omitempty"` Options *Options `json:"options,omitempty"` // contains filtered or unexported fields }
Nebula is a provisioner that verifies tokens signed using Nebula private keys. The tokens contain a Nebula certificate in the header, which can be used to verify the token signature. The certificates are themselves verified using the Nebula CA certificates encoded in Roots. The verification process is similar to the process for X5C tokens.
Because Nebula "leaf" certificates use X25519 keys, the tokens are signed using XEd25519 defined at https://signal.org/docs/specifications/xeddsa/#xeddsa and implemented by go.step.sm/crypto/x25519.
func (*Nebula) AuthorizeRenew ¶ added in v0.18.1
AuthorizeRenew returns an error if the renewal is disabled.
func (*Nebula) AuthorizeRevoke ¶ added in v0.18.1
AuthorizeRevoke returns an error if the token is not valid.
func (*Nebula) AuthorizeSSHRekey ¶ added in v0.18.1
func (p *Nebula) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unauthorized error.
func (*Nebula) AuthorizeSSHRenew ¶ added in v0.18.1
AuthorizeSSHRenew returns an unauthorized error.
func (*Nebula) AuthorizeSSHRevoke ¶ added in v0.18.1
AuthorizeSSHRevoke returns an error if SSH is disabled or the token is invalid.
func (*Nebula) AuthorizeSSHSign ¶ added in v0.18.1
AuthorizeSSHSign returns the list of SignOption for a SignSSH request. Currently the Nebula provisioner only grants host SSH certificates.
func (*Nebula) AuthorizeSign ¶ added in v0.18.1
AuthorizeSign returns the list of SignOption for a Sign request.
func (*Nebula) GetEncryptedKey ¶ added in v0.18.1
GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (*Nebula) GetIDForToken ¶ added in v0.18.1
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*Nebula) GetTokenID ¶ added in v0.18.1
GetTokenID returns the identifier of the token.
type OIDC ¶
type OIDC struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` ClientID string `json:"clientID"` ClientSecret string `json:"clientSecret"` ConfigurationEndpoint string `json:"configurationEndpoint"` TenantID string `json:"tenantID,omitempty"` Admins []string `json:"admins,omitempty"` Domains []string `json:"domains,omitempty"` Groups []string `json:"groups,omitempty"` ListenAddress string `json:"listenAddress,omitempty"` Claims *Claims `json:"claims,omitempty"` Options *Options `json:"options,omitempty"` Scopes []string `json:"scopes,omitempty"` AuthParams []string `json:"authParams,omitempty"` // contains filtered or unexported fields }
OIDC represents an OAuth 2.0 OpenID Connect provider.
ClientSecret is mandatory, but it can be an empty string.
func (*OIDC) AuthorizeRenew ¶ added in v0.14.0
AuthorizeRenew returns an error if the renewal is disabled. NOTE: This method does not actually validate the certificate or check it's revocation status. Just confirms that the provisioner that created the certificate was configured to allow renewals.
func (*OIDC) AuthorizeRevoke ¶
AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property. Only tokens generated by an admin have the right to revoke a certificate.
func (OIDC) AuthorizeSSHRekey ¶ added in v0.14.0
func (b OIDC) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.
func (OIDC) AuthorizeSSHRenew ¶ added in v0.14.0
AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.
func (*OIDC) AuthorizeSSHRevoke ¶ added in v0.14.0
AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.
func (*OIDC) AuthorizeSSHSign ¶ added in v0.14.0
AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
func (*OIDC) AuthorizeSign ¶ added in v0.10.0
AuthorizeSign validates the given token.
func (*OIDC) GetEncryptedKey ¶
GetEncryptedKey is not available in an OIDC provisioner.
func (*OIDC) GetID ¶
GetID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.
func (*OIDC) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*OIDC) GetTokenID ¶ added in v0.10.0
GetTokenID returns the provisioner unique identifier, the OIDC provisioner the uses the clientID for this.
func (*OIDC) ValidatePayload ¶
ValidatePayload validates the given token payload.
type Options ¶
type Options struct { X509 *X509Options `json:"x509,omitempty"` SSH *SSHOptions `json:"ssh,omitempty"` // Webhooks is a list of webhooks that can augment template data Webhooks []*Webhook `json:"webhooks,omitempty"` }
Options are a collection of custom options that can be added to each provisioner.
func (*Options) GetSSHOptions ¶ added in v0.15.2
func (o *Options) GetSSHOptions() *SSHOptions
GetSSHOptions returns the SSH options.
func (*Options) GetWebhooks ¶ added in v0.23.0
GetWebhooks returns the webhooks options.
func (*Options) GetX509Options ¶ added in v0.15.0
func (o *Options) GetX509Options() *X509Options
GetX509Options returns the X.509 options.
type Permissions ¶ added in v0.15.2
type Permissions struct { Extensions map[string]string `json:"extensions"` CriticalOptions map[string]string `json:"criticalOptions"` }
Permissions defines extra extensions and critical options to grant to an SSH certificate.
type RAInfo ¶ added in v0.22.0
type RAInfo struct { AuthorityID string `json:"authorityId,omitempty"` EndpointID string `json:"endpointId,omitempty"` ProvisionerID string `json:"provisionerId,omitempty"` ProvisionerType string `json:"provisionerType,omitempty"` ProvisionerName string `json:"provisionerName,omitempty"` }
RAInfo is the information about a provisioner present in RA tokens generated by StepCAS.
type SCEP ¶ added in v0.15.16
type SCEP struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` ForceCN bool `json:"forceCN,omitempty"` ChallengePassword string `json:"challenge,omitempty"` Capabilities []string `json:"capabilities,omitempty"` // IncludeRoot makes the provisioner return the CA root in addition to the // intermediate in the GetCACerts response IncludeRoot bool `json:"includeRoot,omitempty"` // ExcludeIntermediate makes the provisioner skip the intermediate CA in the // GetCACerts response ExcludeIntermediate bool `json:"excludeIntermediate,omitempty"` // MinimumPublicKeyLength is the minimum length for public keys in CSRs MinimumPublicKeyLength int `json:"minimumPublicKeyLength,omitempty"` // TODO(hs): also support a separate signer configuration? DecrypterCertificate []byte `json:"decrypterCertificate,omitempty"` DecrypterKeyPEM []byte `json:"decrypterKeyPEM,omitempty"` DecrypterKeyURI string `json:"decrypterKey,omitempty"` DecrypterKeyPassword string `json:"decrypterKeyPassword,omitempty"` // Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7 // at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63 // Defaults to 0, being DES-CBC EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier,omitempty"` Options *Options `json:"options,omitempty"` Claims *Claims `json:"claims,omitempty"` // contains filtered or unexported fields }
SCEP is the SCEP provisioner type, an entity that can authorize the SCEP provisioning flow
func (SCEP) AuthorizeRenew ¶ added in v0.15.16
func (b SCEP) AuthorizeRenew(context.Context, *x509.Certificate) error
AuthorizeRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing x509 Certificates.
func (SCEP) AuthorizeRevoke ¶ added in v0.15.16
AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.
func (SCEP) AuthorizeSSHRekey ¶ added in v0.15.16
func (b SCEP) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.
func (SCEP) AuthorizeSSHRenew ¶ added in v0.15.16
AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.
func (SCEP) AuthorizeSSHRevoke ¶ added in v0.15.16
AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.
func (SCEP) AuthorizeSSHSign ¶ added in v0.15.16
func (b SCEP) AuthorizeSSHSign(context.Context, string) ([]SignOption, error)
AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing SSH Certificates.
func (*SCEP) AuthorizeSign ¶ added in v0.15.16
AuthorizeSign does not do any verification, because all verification is handled in the SCEP protocol. This method returns a list of modifiers / constraints on the resulting certificate.
func (*SCEP) DefaultTLSCertDuration ¶ added in v0.15.16
DefaultTLSCertDuration returns the default TLS cert duration enforced by the provisioner.
func (*SCEP) GetCapabilities ¶ added in v0.15.16
GetCapabilities returns the CA capabilities
func (*SCEP) GetContentEncryptionAlgorithm ¶ added in v0.18.1
GetContentEncryptionAlgorithm returns the numeric identifier for the pkcs7 package encryption algorithm to use.
func (*SCEP) GetDecrypter ¶ added in v0.25.0
func (s *SCEP) GetDecrypter() (*x509.Certificate, crypto.Decrypter)
GetDecrypter returns the provisioner specific decrypter, used to decrypt SCEP request messages sent by a SCEP client. The decrypter consists of a crypto.Decrypter (a private key) and a certificate for the public key corresponding to the private key.
func (*SCEP) GetEncryptedKey ¶ added in v0.15.16
GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (*SCEP) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*SCEP) GetOptions ¶ added in v0.15.16
GetOptions returns the configured provisioner options.
func (*SCEP) GetSigner ¶ added in v0.25.0
func (s *SCEP) GetSigner() (*x509.Certificate, crypto.Signer)
GetSigner returns the provisioner specific signer, used to sign SCEP response messages for the client. The signer consists of a crypto.Signer and a certificate for the public key corresponding to the private key.
func (*SCEP) GetTokenID ¶ added in v0.15.16
GetTokenID returns the identifier of the token.
func (*SCEP) NotifyFailure ¶ added in v0.25.0
func (*SCEP) NotifySuccess ¶ added in v0.25.0
func (s *SCEP) NotifySuccess(ctx context.Context, csr *x509.CertificateRequest, cert *x509.Certificate, transactionID string) error
func (*SCEP) ShouldIncludeIntermediateInChain ¶ added in v0.25.0
ShouldIncludeIntermediateInChain indicates if the CA should include the intermediate CA certificate in the GetCACerts response. This is true by default, but can be overridden through configuration in case SCEP clients don't pick the right recipient.
func (*SCEP) ShouldIncludeRootInChain ¶ added in v0.18.1
ShouldIncludeRootInChain indicates if the CA should return its intermediate, which is currently used for both signing and decryption, as well as the root in its chain.
func (*SCEP) ValidateChallenge ¶ added in v0.24.2
func (s *SCEP) ValidateChallenge(ctx context.Context, csr *x509.CertificateRequest, challenge, transactionID string) error
ValidateChallenge validates the provided challenge. It starts by selecting the validation method to use, then performs validation according to that method.
type SCEPKeyManager ¶ added in v0.26.1
type SCEPKeyManager interface { kmsapi.KeyManager kmsapi.Decrypter }
SCEPKeyManager is a KMS interface that combines a KeyManager with a Decrypter.
type SSHCertModifier ¶ added in v0.14.0
type SSHCertModifier interface { SignOption Modify(cert *ssh.Certificate, opts SignSSHOptions) error }
SSHCertModifier is the interface used to change properties in an SSH certificate.
type SSHCertOptionsValidator ¶ added in v0.14.0
type SSHCertOptionsValidator interface { SignOption Valid(got SignSSHOptions) error }
SSHCertOptionsValidator is the interface used to validate the custom options used to modify the SSH certificate.
type SSHCertValidator ¶ added in v0.14.0
type SSHCertValidator interface { SignOption Valid(cert *ssh.Certificate, opts SignSSHOptions) error }
SSHCertValidator is the interface used to validate an SSH certificate.
type SSHCertificateOptions ¶ added in v0.15.2
type SSHCertificateOptions interface {
Options(SignSSHOptions) []sshutil.Option
}
SSHCertificateOptions is an interface that returns a list of options passed when creating a new certificate.
func CustomSSHTemplateOptions ¶ added in v0.15.2
func CustomSSHTemplateOptions(o *Options, data sshutil.TemplateData, defaultTemplate string) (SSHCertificateOptions, error)
CustomSSHTemplateOptions generates a CertificateOptions with the template, data defined in the ProvisionerOptions, the provisioner generated data and the user data provided in the request. If no template has been provided in the ProvisionerOptions, the given template will be used.
func TemplateSSHOptions ¶ added in v0.15.2
func TemplateSSHOptions(o *Options, data sshutil.TemplateData) (SSHCertificateOptions, error)
TemplateSSHOptions generates a SSHCertificateOptions with the template and data defined in the ProvisionerOptions, the provisioner generated data, and the user data provided in the request. If no template has been provided, x509util.DefaultLeafTemplate will be used.
type SSHOptions ¶ added in v0.12.0
type SSHOptions struct { // Template contains an SSH certificate template. It can be a JSON template // escaped in a string or it can be also encoded in base64. Template string `json:"template,omitempty"` // TemplateFile points to a file containing a SSH certificate template. TemplateFile string `json:"templateFile,omitempty"` // TemplateData is a JSON object with variables that can be used in custom // templates. TemplateData json.RawMessage `json:"templateData,omitempty"` // User contains SSH user certificate options. User *policy.SSHUserCertificateOptions `json:"-"` // Host contains SSH host certificate options. Host *policy.SSHHostCertificateOptions `json:"-"` }
SSHOptions are a collection of custom options that can be added to each provisioner.
func (*SSHOptions) GetAllowedHostNameOptions ¶ added in v0.20.0
func (o *SSHOptions) GetAllowedHostNameOptions() *policy.SSHNameOptions
GetAllowedHostNameOptions returns the SSHNameOptions that are allowed when SSH host certificates are requested.
func (*SSHOptions) GetAllowedUserNameOptions ¶ added in v0.20.0
func (o *SSHOptions) GetAllowedUserNameOptions() *policy.SSHNameOptions
GetAllowedUserNameOptions returns the SSHNameOptions that are allowed when SSH User certificates are requested.
func (*SSHOptions) GetDeniedHostNameOptions ¶ added in v0.20.0
func (o *SSHOptions) GetDeniedHostNameOptions() *policy.SSHNameOptions
GetDeniedHostNameOptions returns the SSHNameOptions that are denied when SSH host certificates are requested.
func (*SSHOptions) GetDeniedUserNameOptions ¶ added in v0.20.0
func (o *SSHOptions) GetDeniedUserNameOptions() *policy.SSHNameOptions
GetDeniedUserNameOptions returns the SSHNameOptions that are denied when SSH user certificates are requested.
func (*SSHOptions) HasTemplate ¶ added in v0.15.2
func (o *SSHOptions) HasTemplate() bool
HasTemplate returns true if a template is defined in the provisioner options.
type SSHPOP ¶ added in v0.14.0
type SSHPOP struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` Claims *Claims `json:"claims,omitempty"` // contains filtered or unexported fields }
SSHPOP is the default provisioner, an entity that can sign tokens necessary for signature requests.
func (SSHPOP) AuthorizeRenew ¶ added in v0.14.0
func (b SSHPOP) AuthorizeRenew(context.Context, *x509.Certificate) error
AuthorizeRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing x509 Certificates.
func (SSHPOP) AuthorizeRevoke ¶ added in v0.14.0
AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking x509 Certificates.
func (*SSHPOP) AuthorizeSSHRekey ¶ added in v0.14.0
func (p *SSHPOP) AuthorizeSSHRekey(_ context.Context, token string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey validates the authorization token and extracts/validates the SSH certificate from the ssh-pop header.
func (*SSHPOP) AuthorizeSSHRenew ¶ added in v0.14.0
AuthorizeSSHRenew validates the authorization token and extracts/validates the SSH certificate from the ssh-pop header.
func (*SSHPOP) AuthorizeSSHRevoke ¶ added in v0.14.0
AuthorizeSSHRevoke validates the authorization token and extracts/validates the SSH certificate from the ssh-pop header.
func (SSHPOP) AuthorizeSSHSign ¶ added in v0.14.0
func (b SSHPOP) AuthorizeSSHSign(context.Context, string) ([]SignOption, error)
AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing SSH Certificates.
func (SSHPOP) AuthorizeSign ¶ added in v0.14.0
func (b SSHPOP) AuthorizeSign(context.Context, string) ([]SignOption, error)
AuthorizeSign returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for signing x509 Certificates.
func (*SSHPOP) GetEncryptedKey ¶ added in v0.14.0
GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (*SSHPOP) GetID ¶ added in v0.14.0
GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any SSH-POP provisioner.
func (*SSHPOP) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*SSHPOP) GetTokenID ¶ added in v0.14.0
GetTokenID returns the identifier of the token.
type SignOption ¶
type SignOption interface{}
SignOption is the interface used to collect all extra options used in the Sign method.
type SignOptions ¶ added in v0.15.0
type SignOptions struct { NotAfter TimeDuration `json:"notAfter"` NotBefore TimeDuration `json:"notBefore"` TemplateData json.RawMessage `json:"templateData"` Backdate time.Duration `json:"-"` }
SignOptions contains the options that can be passed to the Sign method. Backdate is automatically filled and can only be configured in the CA.
type SignSSHOptions ¶ added in v0.15.0
type SignSSHOptions struct { CertType string `json:"certType"` KeyID string `json:"keyID"` Principals []string `json:"principals"` ValidAfter TimeDuration `json:"validAfter,omitempty"` ValidBefore TimeDuration `json:"validBefore,omitempty"` TemplateData json.RawMessage `json:"templateData,omitempty"` Backdate time.Duration `json:"-"` }
SignSSHOptions contains the options that can be passed to the SignSSH method.
func (SignSSHOptions) Modify ¶ added in v0.15.0
func (o SignSSHOptions) Modify(cert *ssh.Certificate, _ SignSSHOptions) error
Modify implements SSHCertModifier and sets the SSHOption in the ssh.Certificate.
func (SignSSHOptions) ModifyValidity ¶ added in v0.15.2
func (o SignSSHOptions) ModifyValidity(cert *ssh.Certificate) error
ModifyValidity modifies only the ValidAfter and ValidBefore on the given ssh.Certificate.
func (SignSSHOptions) Type ¶ added in v0.15.0
func (o SignSSHOptions) Type() uint32
Type returns the uint32 representation of the CertType.
func (SignSSHOptions) Validate ¶ added in v0.15.2
func (o SignSSHOptions) Validate() error
Validate validates the given SignSSHOptions.
type TimeDuration ¶
type TimeDuration struct {
// contains filtered or unexported fields
}
TimeDuration is a type that represents a time but the JSON unmarshaling can use a time using the RFC 3339 format or a time.Duration string. If a duration is used, the time will be set on the first call to TimeDuration.Time.
func NewTimeDuration ¶
func NewTimeDuration(t time.Time) TimeDuration
NewTimeDuration returns a TimeDuration with the defined time.
func ParseTimeDuration ¶
func ParseTimeDuration(s string) (TimeDuration, error)
ParseTimeDuration returns a new TimeDuration parsing the RFC 3339 time or time.Duration string.
func (*TimeDuration) Equal ¶ added in v0.12.0
func (t *TimeDuration) Equal(other *TimeDuration) bool
Equal returns if t and other are equal.
func (*TimeDuration) IsZero ¶ added in v0.12.0
func (t *TimeDuration) IsZero() bool
IsZero returns true the TimeDuration represents the zero value, false otherwise.
func (TimeDuration) MarshalJSON ¶
func (t TimeDuration) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface. If the time is set it will return the time in RFC 3339 format if not it will return the duration string.
func (*TimeDuration) RelativeTime ¶ added in v0.11.0
func (t *TimeDuration) RelativeTime(base time.Time) time.Time
RelativeTime returns the embedded time.Time or the base time plus the duration if this is not zero.
func (*TimeDuration) SetDuration ¶
func (t *TimeDuration) SetDuration(d time.Duration)
SetDuration initializes the TimeDuration with the given duration string. If the time was set it will re-set to zero.
func (*TimeDuration) SetTime ¶
func (t *TimeDuration) SetTime(tt time.Time)
SetTime initializes the TimeDuration with the given time. If the duration is set it will be re-set to zero.
func (*TimeDuration) String ¶
func (t *TimeDuration) String() string
String implements the fmt.Stringer interface.
func (*TimeDuration) Time ¶
func (t *TimeDuration) Time() time.Time
Time calculates the time if needed and returns it.
func (*TimeDuration) Unix ¶ added in v0.12.0
func (t *TimeDuration) Unix() int64
Unix calculates the time if needed it and returns the Unix time in seconds.
func (*TimeDuration) UnmarshalJSON ¶
func (t *TimeDuration) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface. The time is expected to be a quoted string in RFC 3339 format or a quoted time.Duration string.
type Type ¶
type Type int
Type indicates the provisioner Type.
const ( // TypeJWK is used to indicate the JWK provisioners. TypeJWK Type = 1 // TypeOIDC is used to indicate the OIDC provisioners. TypeOIDC Type = 2 // TypeGCP is used to indicate the GCP provisioners. TypeGCP Type = 3 // TypeAWS is used to indicate the AWS provisioners. TypeAWS Type = 4 // TypeAzure is used to indicate the Azure provisioners. TypeAzure Type = 5 // TypeACME is used to indicate the ACME provisioners. TypeACME Type = 6 // TypeX5C is used to indicate the X5C provisioners. TypeX5C Type = 7 // TypeK8sSA is used to indicate the X5C provisioners. TypeK8sSA Type = 8 // TypeSSHPOP is used to indicate the SSHPOP provisioners. TypeSSHPOP Type = 9 // TypeSCEP is used to indicate the SCEP provisioners TypeSCEP Type = 10 // TypeNebula is used to indicate the Nebula provisioners TypeNebula Type = 11 )
type Uninitialized ¶ added in v0.27.0
Uninitialized represents a disabled provisioner. Uninitialized provisioners are created when the Init methods fails.
func (Uninitialized) MarshalJSON ¶ added in v0.27.0
func (p Uninitialized) MarshalJSON() ([]byte, error)
MarshalJSON returns the JSON encoding of the provisioner with the disabled reason.
type Webhook ¶ added in v0.23.0
type Webhook struct { ID string `json:"id"` Name string `json:"name"` URL string `json:"url"` Kind string `json:"kind"` DisableTLSClientAuth bool `json:"disableTLSClientAuth,omitempty"` CertType string `json:"certType"` Secret string `json:"-"` BearerToken string `json:"-"` BasicAuth struct { Username string Password string } `json:"-"` }
func (*Webhook) DoWithContext ¶ added in v0.24.2
type WebhookController ¶ added in v0.23.0
type WebhookController struct { TemplateData WebhookSetter // contains filtered or unexported fields }
func (*WebhookController) Authorize ¶ added in v0.23.0
func (wc *WebhookController) Authorize(ctx context.Context, req *webhook.RequestBody) error
Authorize checks that all remote servers allow the request
func (*WebhookController) Enrich ¶ added in v0.23.0
func (wc *WebhookController) Enrich(ctx context.Context, req *webhook.RequestBody) error
Enrich fetches data from remote servers and adds returned data to the templateData
type WebhookSetter ¶ added in v0.23.0
type X509Options ¶ added in v0.15.0
type X509Options struct { // Template contains a X.509 certificate template. It can be a JSON template // escaped in a string or it can be also encoded in base64. Template string `json:"template,omitempty"` // TemplateFile points to a file containing a X.509 certificate template. TemplateFile string `json:"templateFile,omitempty"` // TemplateData is a JSON object with variables that can be used in custom // templates. TemplateData json.RawMessage `json:"templateData,omitempty"` // AllowedNames contains the SANs the provisioner is authorized to sign AllowedNames *policy.X509NameOptions `json:"-"` // DeniedNames contains the SANs the provisioner is not authorized to sign DeniedNames *policy.X509NameOptions `json:"-"` // AllowWildcardNames indicates if literal wildcard names // like *.example.com are allowed. Defaults to false. AllowWildcardNames bool `json:"-"` }
X509Options contains specific options for X.509 certificates.
func (*X509Options) AreWildcardNamesAllowed ¶ added in v0.20.0
func (o *X509Options) AreWildcardNamesAllowed() bool
func (*X509Options) GetAllowedNameOptions ¶ added in v0.20.0
func (o *X509Options) GetAllowedNameOptions() *policy.X509NameOptions
GetAllowedNameOptions returns the AllowedNames, which models the SANs that a provisioner is authorized to sign x509 certificates for.
func (*X509Options) GetDeniedNameOptions ¶ added in v0.20.0
func (o *X509Options) GetDeniedNameOptions() *policy.X509NameOptions
GetDeniedNameOptions returns the DeniedNames, which models the SANs that a provisioner is NOT authorized to sign x509 certificates for.
func (*X509Options) HasTemplate ¶ added in v0.15.0
func (o *X509Options) HasTemplate() bool
HasTemplate returns true if a template is defined in the provisioner options.
type X5C ¶ added in v0.14.0
type X5C struct { ID string `json:"-"` Type string `json:"type"` Name string `json:"name"` Roots []byte `json:"roots"` Claims *Claims `json:"claims,omitempty"` Options *Options `json:"options,omitempty"` // contains filtered or unexported fields }
X5C is the default provisioner, an entity that can sign tokens necessary for signature requests.
func (*X5C) AuthorizeRenew ¶ added in v0.14.0
AuthorizeRenew returns an error if the renewal is disabled.
func (*X5C) AuthorizeRevoke ¶ added in v0.14.0
AuthorizeRevoke returns an error if the provisioner does not have rights to revoke the certificate with serial number in the `sub` property.
func (X5C) AuthorizeSSHRekey ¶ added in v0.14.0
func (b X5C) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error)
AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for rekeying SSH Certificates.
func (X5C) AuthorizeSSHRenew ¶ added in v0.14.0
AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for renewing SSH Certificates.
func (X5C) AuthorizeSSHRevoke ¶ added in v0.14.0
AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite this method if they will support authorizing tokens for revoking SSH Certificates.
func (*X5C) AuthorizeSSHSign ¶ added in v0.14.0
AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
func (*X5C) AuthorizeSign ¶ added in v0.14.0
AuthorizeSign validates the given token.
func (*X5C) GetEncryptedKey ¶ added in v0.14.0
GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (*X5C) GetID ¶ added in v0.14.0
GetID returns the provisioner unique identifier. The name and credential id should uniquely identify any X5C provisioner.
func (*X5C) GetIDForToken ¶ added in v0.16.0
GetIDForToken returns an identifier that will be used to load the provisioner from a token.
func (*X5C) GetTokenID ¶ added in v0.14.0
GetTokenID returns the identifier of the token.