Documentation
Index
- Constants
- func GenerateKeyID(priv interface{}) (string, error)
- type AWSAmazonPayload
- type AWSInstanceIdentityDocument
- type AzurePayload
- type Claims
- type GCPComputeEnginePayload
- type GCPGooglePayload
- type JSONWebToken
- type Options
- func WithAudience(s string) Options
- func WithClaim(name string, value interface{}) Options
- func WithIssuer(s string) Options
- func WithJWTID(s string) Options
- func WithKid(s string) Options
- func WithNebulaCert(certFile string, key []byte) Options
- func WithRootCA(path string) Options
- func WithSANS(sans []string) Options
- func WithSHA(sum string) Options
- func WithSSH(v interface{}) Options
- func WithSSHPOPFile(certFile string, key interface{}) Options
- func WithStep(v interface{}) Options
- func WithSubject(s string) Options
- func WithValidity(notBefore, expiration time.Time) Options
- func WithX5CCerts(certs []*x509.Certificate, key interface{}) Options
- func WithX5CFile(certFile string, key interface{}) Options
- func WithX5CInsecureCerts(certs []*x509.Certificate, key interface{}) Options
- func WithX5CInsecureFile(certFile string, key interface{}) Options
- type Payload
- type Token
- type Type
Constants
const (
	// DefaultIssuer is the issuer used when generating tokens.
	DefaultIssuer = "step-cli"
	// DefaultAudience is the audience used when generating tokens.
	DefaultAudience = "https://ca/sign"
	// MinValidity is the minimum token validity duration.
	MinValidity = 10 * time.Second
	// MaxValidity is the maximum token validity duration.
	MaxValidity = 1 * time.Hour
	// DefaultValidity is the default token validity duration.
	DefaultValidity = 5 * time.Minute
	// MaxValidityDelay is the maximum allowable delay between now and the
	// beginning of the token validity period.
	MaxValidityDelay = 30 * time.Minute
)
const RootSHAClaim = "sha"
RootSHAClaim is the property name for a JWT claim that stores the SHA256 of a root certificate.
const SANSClaim = "sans"
SANSClaim is the property name for a JWT claim that stores the list of required subject alternative names.
const StepClaim = "step"
StepClaim is the property name for a JWT claim that stores custom information for the certificate.
Variables
This section is empty.
Functions
func GenerateKeyID
func GenerateKeyID(priv interface{}) (string, error)
GenerateKeyID returns the SHA256 of a public key.
Types
type AWSAmazonPayload added in v0.11.0
type AWSAmazonPayload struct {
	Document                 []byte                       `json:"document"`
	Signature                []byte                       `json:"signature"`
	InstanceIdentityDocument *AWSInstanceIdentityDocument `json:"-"`
}
AWSAmazonPayload represents the Amazon payload of an AWS token.
type AWSInstanceIdentityDocument added in v0.11.0
type AWSInstanceIdentityDocument struct {
	AccountID          string    `json:"accountId"`
	Architecture       string    `json:"architecture"`
	AvailabilityZone   string    `json:"availabilityZone"`
	BillingProducts    []string  `json:"billingProducts"`
	DevpayProductCodes []string  `json:"devpayProductCodes"`
	ImageID            string    `json:"imageId"`
	InstanceID         string    `json:"instanceId"`
	InstanceType       string    `json:"instanceType"`
	KernelID           string    `json:"kernelId"`
	PendingTime        time.Time `json:"pendingTime"`
	PrivateIP          string    `json:"privateIp"`
	RamdiskID          string    `json:"ramdiskId"`
	Region             string    `json:"region"`
	Version            string    `json:"version"`
}
AWSInstanceIdentityDocument is the JSON representation of the instance identity document.
type AzurePayload added in v0.11.0
type AzurePayload struct {
	SubscriptionID string
	ResourceGroup  string
	ResourceType   string
	ResourceName   string
}
AzurePayload contains the information in the xms_mirid claim.
type Claims
type Claims struct {
	jose.Claims
	ExtraClaims  map[string]interface{}
	ExtraHeaders map[string]interface{}
}
Claims represents the claims that a token might have.
func DefaultClaims
func DefaultClaims() *Claims
DefaultClaims returns the default claims of any token.
type GCPComputeEnginePayload added in v0.11.0
type GCPComputeEnginePayload struct {
	InstanceID                string            `json:"instance_id"`
	InstanceName              string            `json:"instance_name"`
	InstanceCreationTimestamp *jose.NumericDate `json:"instance_creation_timestamp"`
	ProjectID                 string            `json:"project_id"`
	ProjectNumber             int64             `json:"project_number"`
	Zone                      string            `json:"zone"`
	LicenseID                 []string          `json:"license_id"`
}
GCPComputeEnginePayload represents the Google Compute Engine payload of a GCP token.
type GCPGooglePayload added in v0.11.0
type GCPGooglePayload struct {
ComputeEngine GCPComputeEnginePayload `json:"compute_engine"`
}
GCPGooglePayload represents the Google payload in GCP.
type JSONWebToken added in v0.11.0
type JSONWebToken struct {
	*jose.JSONWebToken
	Payload Payload
}
JSONWebToken represents a JSON Web Token (as specified in RFC 7519). When created with Parse or ParseInsecure it contains the payloads supported by step-ca.
func Parse added in v0.11.0
func Parse(token string, key interface{}) (*JSONWebToken, error)
Parse parses the given token, verifying its signature with the given key.
func ParseInsecure added in v0.11.0
func ParseInsecure(token string) (*JSONWebToken, error)
ParseInsecure parses the given token without verifying its signature.
type Options
Options is a function that sets claims.
func WithAudience
func WithAudience(s string) Options
WithAudience returns an Options function that sets the audience to use in the token claims. If WithAudience is not used, the default audience (DefaultAudience) is used.
func WithIssuer
func WithIssuer(s string) Options
WithIssuer returns an Options function that sets the issuer to use in the token claims. If WithIssuer is not used, the default issuer (DefaultIssuer) is used.
func WithJWTID
func WithJWTID(s string) Options
WithJWTID returns an Options function that sets the JWT ID (jti) to use in the token claims. If WithJWTID is not used, a random identifier is generated.
func WithKid
func WithKid(s string) Options
WithKid returns an Options function that sets the kid header. If WithKid is not used, a SHA256 thumbprint of the key is used.
func WithNebulaCert added in v0.18.1
func WithNebulaCert(certFile string, key []byte) Options
WithNebulaCert returns an Options function that sets the nebula header.
func WithRootCA
func WithRootCA(path string) Options
WithRootCA returns an Options function that calculates the SHA256 of the given root certificate and sets it in the token claims. If this option is not used, the default root certificate in the $STEPPATH secrets directory is used.
func WithSANS added in v0.8.4
func WithSANS(sans []string) Options
WithSANS returns an Options function that sets the list of required SANs in the token claims.
func WithSHA added in v0.11.0
func WithSHA(sum string) Options
WithSHA returns an Options function that sets the sha claim to the given value.
func WithSSH added in v0.12.0
func WithSSH(v interface{}) Options
WithSSH returns an Options function that sets the step claim with an ssh property holding the given value.
func WithSSHPOPFile added in v0.14.0
func WithSSHPOPFile(certFile string, key interface{}) Options
WithSSHPOPFile returns an Options function that sets the sshpop header.
func WithStep added in v0.12.0
func WithStep(v interface{}) Options
WithStep returns an Options function that sets the step claim in the payload.
func WithSubject
func WithSubject(s string) Options
WithSubject returns an Options function that sets the subject to use in the token claims.
func WithValidity
func WithValidity(notBefore, expiration time.Time) Options
WithValidity validates the boundary inputs and sets the nbf (NotBefore) and exp (expiration) claims.
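As an added example, not the package's own code, the following Go snippet shows the shape of the boundary checks that the validity constants and WithValidity describe. The Options signature, the stand-in Claims type, the hypothetical WithValidityAt (which takes the reference time explicitly) and the exact set of rejection rules are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Validity bounds, mirroring the package constants documented above.
const (
	MinValidity      = 10 * time.Second
	MaxValidity      = 1 * time.Hour
	MaxValidityDelay = 30 * time.Minute
)

// Claims is a reduced stand-in constructed for this example (the package's
// Claims embeds jose.Claims); Options mirrors the assumed functional-option
// signature that WithValidity and its siblings return.
type Claims struct{ NotBefore, Expiry time.Time }
type Options func(c *Claims) error

// WithValidityAt is a hypothetical variant of WithValidity that takes the
// reference time explicitly so the checks are deterministic. The rules are
// assumptions derived from the constants: the window must start within
// MaxValidityDelay of now (either direction) and last between MinValidity
// and MaxValidity; otherwise no nbf/exp is set and an error is returned.
func WithValidityAt(now, notBefore, expiration time.Time) Options {
	return func(c *Claims) error {
		if d := notBefore.Sub(now); d > MaxValidityDelay || d < -MaxValidityDelay {
			return fmt.Errorf("validity start must be within %v of now, got %v", MaxValidityDelay, d)
		}
		switch v := expiration.Sub(notBefore); {
		case v < MinValidity:
			return fmt.Errorf("validity %v is below the minimum %v", v, MinValidity)
		case v > MaxValidity:
			return fmt.Errorf("validity %v exceeds the maximum %v", v, MaxValidity)
		}
		c.NotBefore, c.Expiry = notBefore.UTC(), expiration.UTC()
		return nil
	}
}

func main() {
	now := time.Now()
	c := &Claims{}
	err := WithValidityAt(now, now, now.Add(2*time.Hour))(c)
	fmt.Println("2h window rejected:", err) // exceeds MaxValidity
}
```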
func WithX5CCerts added in v0.23.0
func WithX5CCerts(certs []*x509.Certificate, key interface{}) Options
WithX5CCerts returns an Options function that sets the x5c header from certificates held in memory.
func WithX5CFile added in v0.14.0
func WithX5CFile(certFile string, key interface{}) Options
WithX5CFile returns an Options function that sets the x5c header from a certificate file.
func WithX5CInsecureCerts added in v0.23.0
func WithX5CInsecureCerts(certs []*x509.Certificate, key interface{}) Options
WithX5CInsecureCerts returns an Options function that sets the x5cAllowInvalid header from certificates held in memory.
func WithX5CInsecureFile added in v0.14.0
func WithX5CInsecureFile(certFile string, key interface{}) Options
WithX5CInsecureFile returns an Options function that sets the x5cAllowInvalid header. The `x5c` header can only be accessed by running a method on the jose token that validates the certificate chain before returning it. This option serves the case where the user would prefer not to validate the certificate chain before it is returned; presumably the user then performs their own validation. NOTE: here be dragons. Use WithX5CFile unless you know what you are doing.
type Payload added in v0.11.0
type Payload struct {
	jose.Claims
	SHA                     string            `json:"sha"`     // JWK token claims
	SANs                    []string          `json:"sans"`    // ...
	AtHash                  string            `json:"at_hash"` // OIDC token claims
	AuthorizedParty         string            `json:"azp"`     // ...
	Email                   string            `json:"email"`
	EmailVerified           bool              `json:"email_verified"`
	Hd                      string            `json:"hd"`
	Nonce                   string            `json:"nonce"`
	AppID                   string            `json:"appid"`    // Azure token claims
	AppIDAcr                string            `json:"appidacr"` // ...
	IdentityProvider        string            `json:"idp"`
	ObjectID                string            `json:"oid"`
	TenantID                string            `json:"tid"`
	Version                 interface{}       `json:"ver"`
	XMSMirID                string            `json:"xms_mirid"`
	K8sSANamespace          string            `json:"kubernetes.io/serviceaccount/namespace,omitempty"`
	K8sSASecretName         string            `json:"kubernetes.io/serviceaccount/secret.name,omitempty"`
	K8sSAServiceAccountName string            `json:"kubernetes.io/serviceaccount/service-account.name,omitempty"`
	K8sSAServiceAccountUID  string            `json:"kubernetes.io/serviceaccount/service-account.uid,omitempty"`
	Google                  *GCPGooglePayload `json:"google"` // GCP token claims
	Amazon                  *AWSAmazonPayload `json:"amazon"` // AWS token claims
	Azure                   *AzurePayload     `json:"azure"`  // Azure token claims
}
Payload represents public claim values (as specified in RFC 7519). In addition to the standard claims it contains the ones supported by step-ca.