policy

package
v0.28.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 29, 2024 License: Apache-2.0 Imports: 6 Imported by: 4

Documentation

Index

Constants

View Source
const (
	UserPolicyEngineType sshPolicyEngineType = "user"
	HostPolicyEngineType sshPolicyEngineType = "host"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

Engine is a container for multiple policies.

func New

func New(options *Options) (*Engine, error)

New returns a new Engine using Options.

func (*Engine) AreSANsAllowed

func (e *Engine) AreSANsAllowed(sans []string) error

AreSANsAllowed evaluates the slice of SANs against the X.509 policy (if available) and returns an error if one of the SANs is not allowed.

func (*Engine) IsSSHCertificateAllowed

func (e *Engine) IsSSHCertificateAllowed(cert *ssh.Certificate) error

IsSSHCertificateAllowed evaluates an SSH certificate against the user or host policy (if configured) and returns an error if one of the principals in the certificate is not allowed.

func (*Engine) IsX509CertificateAllowed

func (e *Engine) IsX509CertificateAllowed(cert *x509.Certificate) error

IsX509CertificateAllowed evaluates an X.509 certificate against the X.509 policy (if available) and returns an error if one of the names in the certificate is not allowed.

type HostPolicy

type HostPolicy policy.SSHNamePolicyEngine

HostPolicy is an alias for policy.SSHNamePolicyEngine

func NewSSHHostPolicyEngine

func NewSSHHostPolicyEngine(policyOptions SSHPolicyOptionsInterface) (HostPolicy, error)

newSSHHostPolicyEngine create a new SSH host certificate policy engine

type Options

type Options struct {
	X509 *X509PolicyOptions `json:"x509,omitempty"`
	SSH  *SSHPolicyOptions  `json:"ssh,omitempty"`
}

Options is a container for authority level x509 and SSH policy configuration.

func LinkedToCertificates

func LinkedToCertificates(p *linkedca.Policy) *Options

func (*Options) GetSSHOptions

func (o *Options) GetSSHOptions() *SSHPolicyOptions

GetSSHOptions returns the SSH authority level policy configuration

func (*Options) GetX509Options

func (o *Options) GetX509Options() *X509PolicyOptions

GetX509Options returns the x509 authority level policy configuration

type SSHHostCertificateOptions

type SSHHostCertificateOptions SSHUserCertificateOptions

SSHHostCertificateOptions is a collection of SSH host certificate options. It's an alias of SSHUserCertificateOptions, as the options are the same for both types of certificates.

type SSHNameOptions

type SSHNameOptions struct {
	DNSDomains     []string `json:"dns,omitempty"`
	IPRanges       []string `json:"ip,omitempty"`
	EmailAddresses []string `json:"email,omitempty"`
	Principals     []string `json:"principal,omitempty"`
}

SSHNameOptions models the SSH name policy configuration.

func (*SSHNameOptions) HasNames

func (o *SSHNameOptions) HasNames() bool

HasNames checks if the SSHNameOptions has one or more names configured.

type SSHPolicyOptions

type SSHPolicyOptions struct {
	// User contains SSH user certificate options.
	User *SSHUserCertificateOptions `json:"user,omitempty"`
	// Host contains SSH host certificate options.
	Host *SSHHostCertificateOptions `json:"host,omitempty"`
}

SSHPolicyOptions is a container for SSH user and host policy configuration

func (*SSHPolicyOptions) GetAllowedHostNameOptions

func (o *SSHPolicyOptions) GetAllowedHostNameOptions() *SSHNameOptions

GetAllowedHostNameOptions returns the SSH allowed host name policy configuration.

func (*SSHPolicyOptions) GetAllowedUserNameOptions

func (o *SSHPolicyOptions) GetAllowedUserNameOptions() *SSHNameOptions

GetAllowedUserNameOptions returns the SSH allowed user name policy configuration.

func (*SSHPolicyOptions) GetDeniedHostNameOptions

func (o *SSHPolicyOptions) GetDeniedHostNameOptions() *SSHNameOptions

GetDeniedHostNameOptions returns the SSH denied host name policy configuration.

func (*SSHPolicyOptions) GetDeniedUserNameOptions

func (o *SSHPolicyOptions) GetDeniedUserNameOptions() *SSHNameOptions

GetDeniedUserNameOptions returns the SSH denied user name policy configuration.

type SSHPolicyOptionsInterface

type SSHPolicyOptionsInterface interface {
	GetAllowedUserNameOptions() *SSHNameOptions
	GetDeniedUserNameOptions() *SSHNameOptions
	GetAllowedHostNameOptions() *SSHNameOptions
	GetDeniedHostNameOptions() *SSHNameOptions
}

SSHPolicyOptionsInterface is an interface for providers of SSH user and host name policy configuration.

type SSHUserCertificateOptions

type SSHUserCertificateOptions struct {
	// AllowedNames contains the names the provisioner is authorized to sign
	AllowedNames *SSHNameOptions `json:"allow,omitempty"`
	// DeniedNames contains the names the provisioner is not authorized to sign
	DeniedNames *SSHNameOptions `json:"deny,omitempty"`
}

SSHUserCertificateOptions is a collection of SSH user certificate options.

func (*SSHUserCertificateOptions) GetAllowedNameOptions

func (o *SSHUserCertificateOptions) GetAllowedNameOptions() *SSHNameOptions

GetAllowedNameOptions returns the AllowedSSHNameOptions, which models the names that a provisioner is authorized to sign SSH certificates for.

func (*SSHUserCertificateOptions) GetDeniedNameOptions

func (o *SSHUserCertificateOptions) GetDeniedNameOptions() *SSHNameOptions

GetDeniedNameOptions returns the DeniedSSHNameOptions, which models the names that a provisioner is NOT authorized to sign SSH certificates for.

type UserPolicy

type UserPolicy policy.SSHNamePolicyEngine

UserPolicy is an alias for policy.SSHNamePolicyEngine

func NewSSHUserPolicyEngine

func NewSSHUserPolicyEngine(policyOptions SSHPolicyOptionsInterface) (UserPolicy, error)

newSSHUserPolicyEngine creates a new SSH user certificate policy engine

type X509NameOptions

type X509NameOptions struct {
	CommonNames    []string `json:"cn,omitempty"`
	DNSDomains     []string `json:"dns,omitempty"`
	IPRanges       []string `json:"ip,omitempty"`
	EmailAddresses []string `json:"email,omitempty"`
	URIDomains     []string `json:"uri,omitempty"`
}

X509NameOptions models the X509 name policy configuration.

func (*X509NameOptions) HasNames

func (o *X509NameOptions) HasNames() bool

HasNames checks if the AllowedNameOptions has one or more names configured.

type X509Policy

type X509Policy policy.X509NamePolicyEngine

X509Policy is an alias for policy.X509NamePolicyEngine

func NewX509PolicyEngine

func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy, error)

NewX509PolicyEngine creates a new x509 name policy engine

type X509PolicyOptions

type X509PolicyOptions struct {
	// AllowedNames contains the x509 allowed names
	AllowedNames *X509NameOptions `json:"allow,omitempty"`

	// DeniedNames contains the x509 denied names
	DeniedNames *X509NameOptions `json:"deny,omitempty"`

	// AllowWildcardNames indicates if literal wildcard names
	// like *.example.com are allowed. Defaults to false.
	AllowWildcardNames bool `json:"allowWildcardNames,omitempty"`
}

X509PolicyOptions is a container for x509 allowed and denied names.

func (*X509PolicyOptions) AreWildcardNamesAllowed

func (o *X509PolicyOptions) AreWildcardNamesAllowed() bool

AreWildcardNamesAllowed returns whether the authority allows literal wildcard names to be signed.

func (*X509PolicyOptions) GetAllowedNameOptions

func (o *X509PolicyOptions) GetAllowedNameOptions() *X509NameOptions

GetAllowedNameOptions returns x509 allowed name policy configuration

func (*X509PolicyOptions) GetDeniedNameOptions

func (o *X509PolicyOptions) GetDeniedNameOptions() *X509NameOptions

GetDeniedNameOptions returns the x509 denied name policy configuration

type X509PolicyOptionsInterface

type X509PolicyOptionsInterface interface {
	GetAllowedNameOptions() *X509NameOptions
	GetDeniedNameOptions() *X509NameOptions
	AreWildcardNamesAllowed() bool
}

X509PolicyOptionsInterface is an interface for providers of x509 allowed and denied names.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL