config

package
v0.28.1-rc2 Latest Latest
Published: Nov 19, 2024 License: Apache-2.0 Imports: 17 Imported by: 3

Documentation

Index

Constants

This section is empty.

Variables

var (
	// DefaultBackdate is the length of time certificates are backdated to
	// avoid "not yet valid" failures caused by clock skew between the CA
	// and the relying party.
	DefaultBackdate = time.Minute
	// DefaultDisableRenewal disables renewals per provisioner.
	DefaultDisableRenewal = false
	// DefaultAllowRenewalAfterExpiry allows renewals even if the certificate is
	// expired. Off by default: accepting an expired certificate as the
	// credential for a renewal extends the period in which a leaked key
	// remains useful.
	DefaultAllowRenewalAfterExpiry = false
	// DefaultEnableSSHCA enables SSH CA features per provisioner or globally
	// for all provisioners.
	DefaultEnableSSHCA = false
	// DefaultDisableSmallstepExtensions is the default value for the
	// DisableSmallstepExtensions provisioner claim.
	DefaultDisableSmallstepExtensions = false
	// DefaultCRLCacheDuration is the default cache duration for the CRL.
	DefaultCRLCacheDuration = &provisioner.Duration{Duration: 24 * time.Hour}
	// DefaultCRLExpiredDuration is the default duration in which expired
	// certificates will remain in the CRL after expiration.
	DefaultCRLExpiredDuration = time.Hour
	// GlobalProvisionerClaims holds the default provisioner claims: the
	// minimum/maximum/default lifetimes for X.509 and SSH certificates and
	// the feature toggles above. Presumably these are the fallback when
	// neither the authority nor a provisioner sets its own claims — verify
	// against the authority package.
	//
	// NOTE: the boolean fields point at the Default* variables declared
	// above, so changing one of those variables at runtime also changes
	// the global claims.
	GlobalProvisionerClaims = provisioner.Claims{
		// X.509 leaf certificates: 5m <= lifetime <= 24h, default 24h.
		MinTLSDur:                  &provisioner.Duration{Duration: 5 * time.Minute},
		MaxTLSDur:                  &provisioner.Duration{Duration: 24 * time.Hour},
		DefaultTLSDur:              &provisioner.Duration{Duration: 24 * time.Hour},
		// SSH user certificates: 5m <= lifetime <= 24h, default 16h.
		MinUserSSHDur:              &provisioner.Duration{Duration: 5 * time.Minute},
		MaxUserSSHDur:              &provisioner.Duration{Duration: 24 * time.Hour},
		DefaultUserSSHDur:          &provisioner.Duration{Duration: 16 * time.Hour},
		// SSH host certificates: 5m <= lifetime <= 30d, default 30d.
		MinHostSSHDur:              &provisioner.Duration{Duration: 5 * time.Minute},
		MaxHostSSHDur:              &provisioner.Duration{Duration: 30 * 24 * time.Hour},
		DefaultHostSSHDur:          &provisioner.Duration{Duration: 30 * 24 * time.Hour},
		EnableSSHCA:                &DefaultEnableSSHCA,
		DisableRenewal:             &DefaultDisableRenewal,
		AllowRenewalAfterExpiry:    &DefaultAllowRenewalAfterExpiry,
		DisableSmallstepExtensions: &DefaultDisableSmallstepExtensions,
	}
)
var (
	// DefaultTLSMinVersion is the default minimum TLS protocol version.
	DefaultTLSMinVersion = TLSVersion(1.2)
	// DefaultTLSMaxVersion is the default maximum TLS protocol version.
	DefaultTLSMaxVersion = TLSVersion(1.3)
	// DefaultTLSRenegotiation is the default TLS connection renegotiation
	// policy.
	DefaultTLSRenegotiation = false // Never renegotiate.
	// DefaultTLSCipherSuites specifies the default step cipher suite(s).
	// Both are ECDHE/ECDSA AEAD suites for TLS 1.2 and earlier handshakes.
	// Go's crypto/tls does not let callers choose TLS 1.3 suites, so this
	// list has no effect on TLS 1.3 connections.
	DefaultTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	}
	// ApprovedTLSCipherSuites is the list of smallstep approved cipher
	// suites, presumably the set CipherSuites.Validate accepts — confirm.
	ApprovedTLSCipherSuites = CipherSuites{
		// AEAD suites (AES-GCM and ChaCha20-Poly1305).
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
		// CBC suites with SHA-1 MACs. Not AEAD; presumably kept for
		// compatibility with older clients. Prefer the AEAD set above
		// unless such clients must be supported.
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	}
	// DefaultTLSOptions represents the default TLS version as well as the cipher
	// suites used in the TLS certificates.
	DefaultTLSOptions = TLSOptions{
		CipherSuites:  DefaultTLSCipherSuites,
		MinVersion:    DefaultTLSMinVersion,
		MaxVersion:    DefaultTLSMaxVersion,
		Renegotiation: DefaultTLSRenegotiation,
	}
)

Functions

This section is empty.

Types

type ASN1DN

// ASN1DN contains the ASN.1 DN attributes used in the Subject and Issuer
// fields of X.509 certificates. Every field is optional in JSON.
type ASN1DN struct {
	Country            string `json:"country,omitempty"`
	Organization       string `json:"organization,omitempty"`
	OrganizationalUnit string `json:"organizationalUnit,omitempty"`
	Locality           string `json:"locality,omitempty"`
	Province           string `json:"province,omitempty"`
	StreetAddress      string `json:"streetAddress,omitempty"`
	SerialNumber       string `json:"serialNumber,omitempty"`
	CommonName         string `json:"commonName,omitempty"`
}

ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.

type AuthConfig

// AuthConfig represents the configuration options for the authority. An
// underlying registration authority can also be configured using the
// embedded cas.Options.
type AuthConfig struct {
	// Options for the certificate authority service backend; as an
	// untagged embedded pointer its exported fields are flattened into
	// this JSON object.
	*cas.Options
	AuthorityID    string `json:"authorityId,omitempty"`
	DeploymentType string `json:"deploymentType,omitempty"`
	// Provisioners are presumably the provisioners allowed to request
	// certificates from this authority — confirm against the authority
	// package.
	Provisioners provisioner.List `json:"provisioners,omitempty"`
	// Admins is never (de)serialized with the config (`json:"-"`);
	// presumably populated at runtime from the admin database.
	Admins   []*linkedca.Admin   `json:"-"`
	Template *ASN1DN             `json:"template,omitempty"`
	Claims   *provisioner.Claims `json:"claims,omitempty"`
	Policy   *policy.Options     `json:"policy,omitempty"`
	// NOTE(review): relaxes token validation; presumably skips the
	// issued-at check on provisioner tokens — confirm before enabling.
	DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
	// Backdate overrides DefaultBackdate when set — presumably; confirm.
	Backdate           *provisioner.Duration `json:"backdate,omitempty"`
	EnableAdmin        bool                  `json:"enableAdmin,omitempty"`
	DisableGetSSHHosts bool                  `json:"disableGetSSHHosts,omitempty"`
}

AuthConfig represents the configuration options for the authority. An underlying registration authority can also be configured using the cas.Options.

func (*AuthConfig) Validate

func (c *AuthConfig) Validate(provisioner.Audiences) error

Validate validates the authority configuration.

type Bastion

// Bastion contains the custom properties used on a bastion host. Only
// Hostname is required in JSON.
type Bastion struct {
	Hostname string `json:"hostname"`
	User     string `json:"user,omitempty"`
	Port     string `json:"port,omitempty"`
	// Command and Flags are serialized as "cmd" and "flags"; presumably the
	// proxy command and its arguments used to reach hosts through the
	// bastion — confirm.
	Command string `json:"cmd,omitempty"`
	Flags   string `json:"flags,omitempty"`
}

Bastion contains the custom properties used on bastion.

type CRLConfig added in v0.23.0

// CRLConfig represents the config options for CRL generation.
type CRLConfig struct {
	// Enabled has no omitempty, so it is always written out.
	Enabled          bool `json:"enabled"`
	GenerateOnRevoke bool `json:"generateOnRevoke,omitempty"`
	// CacheDuration is how long a generated CRL is cached; when unset the
	// DefaultCRLCacheDuration presumably applies — confirm.
	CacheDuration *provisioner.Duration `json:"cacheDuration,omitempty"`
	// RenewPeriod sets the regeneration ticker (see TickerDuration); when
	// unset the ticker is derived from CacheDuration.
	RenewPeriod *provisioner.Duration `json:"renewPeriod,omitempty"`
	// IDPurl is serialized as "idpURL"; presumably the Issuing Distribution
	// Point URL embedded in the CRL — confirm.
	IDPurl string `json:"idpURL,omitempty"`
}

CRLConfig represents config options for CRL generation

func (*CRLConfig) IsEnabled added in v0.23.0

func (c *CRLConfig) IsEnabled() bool

IsEnabled returns if the CRL is enabled.

func (*CRLConfig) TickerDuration added in v0.23.0

func (c *CRLConfig) TickerDuration() time.Duration

TickerDuration returns the renewal ticker duration. It is set by renewPeriod; if that is not set, it is ~2/3 of cacheDuration.

func (*CRLConfig) Validate added in v0.23.0

func (c *CRLConfig) Validate() error

Validate validates the CRL configuration.

type CipherSuites

// CipherSuites is a list of string codes (for example
// "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256") identifying cipher suites.
type CipherSuites []string

CipherSuites is a list of string codes identifying the cipher suites.

func (CipherSuites) Validate

func (c CipherSuites) Validate() error

Validate implements models.Validator and checks that a cipher suite is valid.

func (CipherSuites) Value

func (c CipherSuites) Value() []uint16

Value returns an []uint16 for the cipher suites.

type Config

// Config represents the CA configuration; it is mapped to a JSON object.
type Config struct {
	// Root is the root certificate(s); multiString presumably accepts either
	// a single string or a list in JSON — confirm.
	Root           multiString `json:"root"`
	FederatedRoots []string    `json:"federatedRoots"`
	// IntermediateCert and IntermediateKey are serialized as "crt" and
	// "key"; presumably file paths or KMS URIs rather than inline PEM —
	// confirm.
	IntermediateCert string `json:"crt"`
	IntermediateKey  string `json:"key"`
	Address          string `json:"address"`
	// InsecureAddress presumably configures a listener without TLS —
	// confirm; it should not be exposed beyond the local host.
	InsecureAddress string      `json:"insecureAddress"`
	DNSNames        []string    `json:"dnsNames"`
	KMS             *kms.Options `json:"kms,omitempty"`
	SSH             *SSHConfig   `json:"ssh,omitempty"`
	// Logger and Monitoring are kept as raw JSON and decoded later by
	// their consumers.
	Logger          json.RawMessage `json:"logger,omitempty"`
	DB              *db.Config      `json:"db,omitempty"`
	Monitoring      json.RawMessage `json:"monitoring,omitempty"`
	AuthorityConfig *AuthConfig     `json:"authority,omitempty"`
	TLS             *TLSOptions     `json:"tls,omitempty"`
	// NOTE(review): Password is a secret held inline in the config and is
	// written back to disk by Save/Commit whenever it is set. Prefer
	// keeping the key password out of the config file where the
	// deployment allows it.
	Password       string               `json:"password,omitempty"`
	Templates      *templates.Templates `json:"templates,omitempty"`
	CommonName     string               `json:"commonName,omitempty"`
	CRL            *CRLConfig           `json:"crl,omitempty"`
	MetricsAddress string               `json:"metricsAddress,omitempty"`
	// SkipValidation is runtime-only (`json:"-"`); presumably it bypasses
	// Validate — confirm, since a config that skips validation may start
	// with unchecked TLS or provisioner settings.
	SkipValidation bool `json:"-"`
	// contains filtered or unexported fields
}

Config represents the CA configuration; it is mapped to a JSON object.

func LoadConfiguration

func LoadConfiguration(filename string) (*Config, error)

LoadConfiguration parses the given filename in JSON format and returns the configuration struct.

func (*Config) Audience added in v0.19.0

func (c *Config) Audience(path string) []string

Audience returns the list of audiences for a given path.

func (*Config) Commit added in v0.23.0

func (c *Config) Commit() error

Commit saves the current configuration to the same file it was initially loaded from.

TODO(hs): rename Save() to WriteTo() and replace this with Save()? Or is Commit clear enough.

func (*Config) Filepath added in v0.23.0

func (c *Config) Filepath() string

Filepath returns the path to the file the Config was loaded from.

func (*Config) GetAudiences

func (c *Config) GetAudiences() provisioner.Audiences

GetAudiences returns the legacy and possible URLs, without the ports, that will be used as the default provisioner audiences. The CA might have proxies in front of it, so we cannot rely on the port.

func (*Config) Init

func (c *Config) Init()

Init initializes the minimal configuration required to create an authority. This is mainly used on embedded authorities.

func (*Config) Save

func (c *Config) Save(filename string) error

Save saves the configuration to the given filename.

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the configuration.

func (*Config) WasLoadedFromFile added in v0.23.0

func (c *Config) WasLoadedFromFile() bool

WasLoadedFromFile returns whether or not the Config was loaded from a file.

type Host

// Host defines the expected attributes for an SSH host.
type Host struct {
	// HostID is serialized as "hid".
	HostID   string    `json:"hid"`
	HostTags []HostTag `json:"host_tags"`
	Hostname string    `json:"hostname"`
}

Host defines expected attributes for an ssh host.

type HostTag

// HostTag is a key/value tag attached to a Host. These tags are how a user
// is ultimately associated with a host. The fields carry no json tags, so
// they serialize under their Go names.
type HostTag struct {
	ID    string
	Name  string
	Value string
}

HostTag is a k,v pair tag. These tags are how a user is ultimately associated with a host.

type SSHConfig

// SSHConfig contains the user and host keys for the SSH CA.
type SSHConfig struct {
	// HostKey and UserKey are the signing keys for host and user
	// certificates; presumably paths or KMS URIs — confirm.
	HostKey string `json:"hostKey"`
	UserKey string `json:"userKey"`
	// Keys holds additional (for example federated or retired) public keys
	// that should still be trusted; see SSHPublicKey.
	Keys             []*SSHPublicKey `json:"keys,omitempty"`
	AddUserPrincipal string          `json:"addUserPrincipal,omitempty"`
	AddUserCommand   string          `json:"addUserCommand,omitempty"`
	Bastion          *Bastion        `json:"bastion,omitempty"`
}

SSHConfig contains the user and host keys.

func (*SSHConfig) Validate

func (c *SSHConfig) Validate() error

Validate checks the fields in SSHConfig.

type SSHKeys

// SSHKeys represents the SSH user and host public keys.
type SSHKeys struct {
	UserKeys []ssh.PublicKey
	HostKeys []ssh.PublicKey
}

SSHKeys represents the SSH User and Host public keys.

type SSHPublicKey

// SSHPublicKey contains a public key used by federated CAs to keep old
// signing keys trusted for this CA.
type SSHPublicKey struct {
	// Type is presumably "user" or "host", selecting which certificate
	// kind the key is trusted for — confirm against Validate.
	Type string `json:"type"`
	// Federated marks a key that belongs to another CA in the federation.
	Federated bool `json:"federated"`
	// Key is the public key in JWK form; PublicKey converts it to an
	// ssh.PublicKey.
	Key jose.JSONWebKey `json:"key"`
	// contains filtered or unexported fields
}

SSHPublicKey contains a public key used by federated CAs to keep old signing keys for this ca.

func (*SSHPublicKey) PublicKey

func (k *SSHPublicKey) PublicKey() ssh.PublicKey

PublicKey returns the ssh public key.

func (*SSHPublicKey) Validate

func (k *SSHPublicKey) Validate() error

Validate checks the fields in SSHPublicKey.

type TLSOptions

// TLSOptions represents the TLS options that can be applied to *tls.Config
// values to configure HTTPS servers and clients. See DefaultTLSOptions for
// the defaults. None of the fields use omitempty, so all are always written.
type TLSOptions struct {
	// CipherSuites only affects TLS 1.2 and earlier handshakes; Go's
	// crypto/tls fixes the TLS 1.3 suites itself.
	CipherSuites  CipherSuites `json:"cipherSuites"`
	MinVersion    TLSVersion   `json:"minVersion"`
	MaxVersion    TLSVersion   `json:"maxVersion"`
	// Renegotiation enables TLS renegotiation; the default is false.
	Renegotiation bool `json:"renegotiation"`
}

TLSOptions represents the TLS options that can be specified on *tls.Config types to configure HTTPS servers and clients.

func (*TLSOptions) TLSConfig

func (t *TLSOptions) TLSConfig() *tls.Config

TLSConfig returns the tls.Config equivalent of the TLSOptions.

type TLSVersion

// TLSVersion represents a TLS version number written as a float (for
// example 1.2 or 1.3). Value maps it to the corresponding Go tls constant
// and Validate rejects unsupported values.
type TLSVersion float64

TLSVersion represents a TLS version number.

func (TLSVersion) String

func (v TLSVersion) String() string

String returns the name of the Go constant for the TLSVersion.

func (TLSVersion) Validate

func (v TLSVersion) Validate() error

Validate implements models.Validator and checks that the TLS version is valid.

func (TLSVersion) Value

func (v TLSVersion) Value() uint16

Value returns the Go constant for the TLSVersion.
