Constants ¶
// SSH policy engine kinds. The value names which SSH certificate type
// (user or host) a policy engine applies to.
const (
	// UserPolicyEngineType selects the SSH user certificate policy.
	UserPolicyEngineType sshPolicyEngineType = "user"
	// HostPolicyEngineType selects the SSH host certificate policy.
	HostPolicyEngineType sshPolicyEngineType = "host"
)
Types ¶
type Engine ¶
type Engine struct {
// contains filtered or unexported fields
}
Engine is a container for multiple policies.
func (*Engine) AreSANsAllowed ¶
AreSANsAllowed evaluates the slice of SANs against the X.509 policy (if available) and returns an error if one of the SANs is not allowed.
func (*Engine) IsSSHCertificateAllowed ¶
func (e *Engine) IsSSHCertificateAllowed(cert *ssh.Certificate) error
IsSSHCertificateAllowed evaluates an SSH certificate against the user or host policy (if configured) and returns an error if one of the principals in the certificate is not allowed.
func (*Engine) IsX509CertificateAllowed ¶
func (e *Engine) IsX509CertificateAllowed(cert *x509.Certificate) error
IsX509CertificateAllowed evaluates an X.509 certificate against the X.509 policy (if available) and returns an error if one of the names in the certificate is not allowed.
type HostPolicy ¶
// HostPolicy is the SSH name policy engine used for host certificates; it is
// a named type defined on policy.SSHNamePolicyEngine and is constructed by
// NewSSHHostPolicyEngine.
type HostPolicy policy.SSHNamePolicyEngine
HostPolicy is an alias for policy.SSHNamePolicyEngine
func NewSSHHostPolicyEngine ¶
func NewSSHHostPolicyEngine(policyOptions SSHPolicyOptionsInterface) (HostPolicy, error)
NewSSHHostPolicyEngine creates a new SSH host certificate policy engine from the allowed and denied host name options of policyOptions.
type Options ¶
// Options is a container for authority level x509 and SSH policy configuration.
type Options struct {
	// X509 holds the x509 name policy options (allowed/denied names,
	// wildcard handling); serialized under the JSON key "x509".
	X509 *X509PolicyOptions `json:"x509,omitempty"`
	// SSH holds the SSH user and host name policy options; serialized
	// under the JSON key "ssh".
	SSH *SSHPolicyOptions `json:"ssh,omitempty"`
}
Options is a container for authority level x509 and SSH policy configuration.
func LinkedToCertificates ¶
func (*Options) GetSSHOptions ¶
func (o *Options) GetSSHOptions() *SSHPolicyOptions
GetSSHOptions returns the SSH authority level policy configuration.
func (*Options) GetX509Options ¶
func (o *Options) GetX509Options() *X509PolicyOptions
GetX509Options returns the x509 authority level policy configuration.
type SSHHostCertificateOptions ¶
// SSHHostCertificateOptions is a collection of SSH host certificate options.
// It is a named type defined on SSHUserCertificateOptions, as the options
// are the same for both types of certificates.
type SSHHostCertificateOptions SSHUserCertificateOptions
SSHHostCertificateOptions is a collection of SSH host certificate options. It's an alias of SSHUserCertificateOptions, as the options are the same for both types of certificates.
type SSHNameOptions ¶
// SSHNameOptions models the SSH name policy configuration: the name sets
// that an allow or deny list for SSH certificates is built from.
type SSHNameOptions struct {
	// DNSDomains lists DNS domain names; JSON key "dns".
	DNSDomains []string `json:"dns,omitempty"`
	// IPRanges lists IP ranges; JSON key "ip". The accepted range syntax
	// is defined by the policy engine, not here.
	IPRanges []string `json:"ip,omitempty"`
	// EmailAddresses lists email addresses; JSON key "email".
	EmailAddresses []string `json:"email,omitempty"`
	// Principals lists SSH principals; JSON key "principal".
	Principals []string `json:"principal,omitempty"`
}
SSHNameOptions models the SSH name policy configuration.
func (*SSHNameOptions) HasNames ¶
func (o *SSHNameOptions) HasNames() bool
HasNames checks if the SSHNameOptions has one or more names configured.
type SSHPolicyOptions ¶
// SSHPolicyOptions is a container for SSH user and host policy configuration.
type SSHPolicyOptions struct {
	// User contains SSH user certificate options; JSON key "user".
	User *SSHUserCertificateOptions `json:"user,omitempty"`
	// Host contains SSH host certificate options; JSON key "host".
	Host *SSHHostCertificateOptions `json:"host,omitempty"`
}
SSHPolicyOptions is a container for SSH user and host policy configuration.
func (*SSHPolicyOptions) GetAllowedHostNameOptions ¶
func (o *SSHPolicyOptions) GetAllowedHostNameOptions() *SSHNameOptions
GetAllowedHostNameOptions returns the SSH allowed host name policy configuration.
func (*SSHPolicyOptions) GetAllowedUserNameOptions ¶
func (o *SSHPolicyOptions) GetAllowedUserNameOptions() *SSHNameOptions
GetAllowedUserNameOptions returns the SSH allowed user name policy configuration.
func (*SSHPolicyOptions) GetDeniedHostNameOptions ¶
func (o *SSHPolicyOptions) GetDeniedHostNameOptions() *SSHNameOptions
GetDeniedHostNameOptions returns the SSH denied host name policy configuration.
func (*SSHPolicyOptions) GetDeniedUserNameOptions ¶
func (o *SSHPolicyOptions) GetDeniedUserNameOptions() *SSHNameOptions
GetDeniedUserNameOptions returns the SSH denied user name policy configuration.
type SSHPolicyOptionsInterface ¶
// SSHPolicyOptionsInterface is an interface for providers of SSH user and
// host name policy configuration. It is the input accepted by
// NewSSHUserPolicyEngine and NewSSHHostPolicyEngine.
type SSHPolicyOptionsInterface interface {
	// GetAllowedUserNameOptions returns the allowed names for user certificates.
	GetAllowedUserNameOptions() *SSHNameOptions
	// GetDeniedUserNameOptions returns the denied names for user certificates.
	GetDeniedUserNameOptions() *SSHNameOptions
	// GetAllowedHostNameOptions returns the allowed names for host certificates.
	GetAllowedHostNameOptions() *SSHNameOptions
	// GetDeniedHostNameOptions returns the denied names for host certificates.
	GetDeniedHostNameOptions() *SSHNameOptions
}
SSHPolicyOptionsInterface is an interface for providers of SSH user and host name policy configuration.
type SSHUserCertificateOptions ¶
// SSHUserCertificateOptions is a collection of SSH user certificate options:
// an allow list and a deny list of names.
type SSHUserCertificateOptions struct {
	// AllowedNames contains the names the provisioner is authorized to sign;
	// JSON key "allow".
	AllowedNames *SSHNameOptions `json:"allow,omitempty"`
	// DeniedNames contains the names the provisioner is not authorized to sign;
	// JSON key "deny".
	DeniedNames *SSHNameOptions `json:"deny,omitempty"`
}
SSHUserCertificateOptions is a collection of SSH user certificate options.
func (*SSHUserCertificateOptions) GetAllowedNameOptions ¶
func (o *SSHUserCertificateOptions) GetAllowedNameOptions() *SSHNameOptions
GetAllowedNameOptions returns the AllowedNames SSHNameOptions, which models the names that a provisioner is authorized to sign SSH certificates for.
func (*SSHUserCertificateOptions) GetDeniedNameOptions ¶
func (o *SSHUserCertificateOptions) GetDeniedNameOptions() *SSHNameOptions
GetDeniedNameOptions returns the DeniedNames SSHNameOptions, which models the names that a provisioner is NOT authorized to sign SSH certificates for.
type UserPolicy ¶
// UserPolicy is the SSH name policy engine used for user certificates; it is
// a named type defined on policy.SSHNamePolicyEngine and is constructed by
// NewSSHUserPolicyEngine.
type UserPolicy policy.SSHNamePolicyEngine
UserPolicy is an alias for policy.SSHNamePolicyEngine
func NewSSHUserPolicyEngine ¶
func NewSSHUserPolicyEngine(policyOptions SSHPolicyOptionsInterface) (UserPolicy, error)
NewSSHUserPolicyEngine creates a new SSH user certificate policy engine from the allowed and denied user name options of policyOptions.
type X509NameOptions ¶
// X509NameOptions models the X509 name policy configuration: the name sets
// that an allow or deny list for X.509 certificates is built from.
type X509NameOptions struct {
	// CommonNames lists subject common names; JSON key "cn".
	CommonNames []string `json:"cn,omitempty"`
	// DNSDomains lists DNS domain names; JSON key "dns".
	DNSDomains []string `json:"dns,omitempty"`
	// IPRanges lists IP ranges; JSON key "ip". The accepted range syntax
	// is defined by the policy engine, not here.
	IPRanges []string `json:"ip,omitempty"`
	// EmailAddresses lists email addresses; JSON key "email".
	EmailAddresses []string `json:"email,omitempty"`
	// URIDomains lists URI domains; JSON key "uri".
	URIDomains []string `json:"uri,omitempty"`
}
X509NameOptions models the X509 name policy configuration.
func (*X509NameOptions) HasNames ¶
func (o *X509NameOptions) HasNames() bool
HasNames checks if the X509NameOptions has one or more names configured.
type X509Policy ¶
// X509Policy is the X.509 name policy engine; it is a named type defined on
// policy.X509NamePolicyEngine and is constructed by NewX509PolicyEngine.
type X509Policy policy.X509NamePolicyEngine
X509Policy is an alias for policy.X509NamePolicyEngine
func NewX509PolicyEngine ¶
func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy, error)
NewX509PolicyEngine creates a new x509 name policy engine from the allowed and denied name options and the wildcard setting of policyOptions.
type X509PolicyOptions ¶
// X509PolicyOptions is a container for x509 allowed and denied names, plus
// the switch controlling whether literal wildcard names may be signed.
type X509PolicyOptions struct {
	// AllowedNames contains the x509 allowed names; JSON key "allow".
	AllowedNames *X509NameOptions `json:"allow,omitempty"`
	// DeniedNames contains the x509 denied names; JSON key "deny".
	DeniedNames *X509NameOptions `json:"deny,omitempty"`
	// AllowWildcardNames indicates if literal wildcard names
	// like *.example.com are allowed. Defaults to false (the zero value),
	// so an absent key leaves wildcard names disallowed; the option has to
	// be set explicitly to opt in. JSON key "allowWildcardNames".
	AllowWildcardNames bool `json:"allowWildcardNames,omitempty"`
}
X509PolicyOptions is a container for x509 allowed and denied names.
func (*X509PolicyOptions) AreWildcardNamesAllowed ¶
func (o *X509PolicyOptions) AreWildcardNamesAllowed() bool
AreWildcardNamesAllowed returns whether the authority allows literal wildcard names to be signed.
func (*X509PolicyOptions) GetAllowedNameOptions ¶
func (o *X509PolicyOptions) GetAllowedNameOptions() *X509NameOptions
GetAllowedNameOptions returns the x509 allowed name policy configuration.
func (*X509PolicyOptions) GetDeniedNameOptions ¶
func (o *X509PolicyOptions) GetDeniedNameOptions() *X509NameOptions
GetDeniedNameOptions returns the x509 denied name policy configuration.
type X509PolicyOptionsInterface ¶
// X509PolicyOptionsInterface is an interface for providers of x509 allowed
// and denied names. It is the input accepted by NewX509PolicyEngine.
type X509PolicyOptionsInterface interface {
	// GetAllowedNameOptions returns the x509 allowed name options.
	GetAllowedNameOptions() *X509NameOptions
	// GetDeniedNameOptions returns the x509 denied name options.
	GetDeniedNameOptions() *X509NameOptions
	// AreWildcardNamesAllowed reports whether literal wildcard names may be signed.
	AreWildcardNamesAllowed() bool
}
X509PolicyOptionsInterface is an interface for providers of x509 allowed and denied names.