- func Dial(ctx context.Context, network, addr string, authorizer tlsconfig.Authorizer, ...) (net.Conn, error)
- func DialWithMode(ctx context.Context, network, addr string, mode DialMode, ...) (_ net.Conn, err error)
- func Listen(ctx context.Context, network, laddr string, authorizer tlsconfig.Authorizer, ...) (net.Listener, error)
- func ListenWithMode(ctx context.Context, network, laddr string, mode ListenMode, ...) (net.Listener, error)
- func NewListener(ctx context.Context, inner net.Listener, authorizer tlsconfig.Authorizer, ...) (net.Listener, error)
- func NewListenerWithMode(ctx context.Context, inner net.Listener, mode ListenMode, ...) (_ net.Listener, err error)
- func PeerIDFromConn(conn net.Conn) (spiffeid.ID, error)
- func PeerIDFromConnectionState(state tls.ConnectionState) (spiffeid.ID, error)
- type DialMode
- func MTLSClient(authorizer tlsconfig.Authorizer) DialMode
- func MTLSClientWithRawConfig(authorizer tlsconfig.Authorizer, svid x509svid.Source, ...) DialMode
- func MTLSClientWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) DialMode
- func MTLSClientWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) DialMode
- func MTLSWebClient(roots *x509.CertPool) DialMode
- func MTLSWebClientWithRawConfig(roots *x509.CertPool, svid x509svid.Source) DialMode
- func MTLSWebClientWithSource(roots *x509.CertPool, source *workloadapi.X509Source) DialMode
- func MTLSWebClientWithSourceOptions(roots *x509.CertPool, options ...workloadapi.X509SourceOption) DialMode
- func TLSClient(authorizer tlsconfig.Authorizer) DialMode
- func TLSClientWithRawConfig(authorizer tlsconfig.Authorizer, bundle x509bundle.Source) DialMode
- func TLSClientWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) DialMode
- func TLSClientWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) DialMode
- type DialOption
- type ListenMode
- func MTLSServer(authorizer tlsconfig.Authorizer) ListenMode
- func MTLSServerWithRawConfig(authorizer tlsconfig.Authorizer, svid x509svid.Source, ...) ListenMode
- func MTLSServerWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) ListenMode
- func MTLSServerWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) ListenMode
- func MTLSWebServer(authorizer tlsconfig.Authorizer, cert *tls.Certificate) ListenMode
- func MTLSWebServerWithRawConfig(authorizer tlsconfig.Authorizer, cert *tls.Certificate, ...) ListenMode
- func MTLSWebServerWithSource(authorizer tlsconfig.Authorizer, cert *tls.Certificate, ...) ListenMode
- func MTLSWebServerWithSourceOptions(authorizer tlsconfig.Authorizer, cert *tls.Certificate, ...) ListenMode
- func TLSServer() ListenMode
- func TLSServerWithRawConfig(svid x509svid.Source) ListenMode
- func TLSServerWithSource(source *workloadapi.X509Source) ListenMode
- func TLSServerWithSourceOptions(options ...workloadapi.X509SourceOption) ListenMode
- type ListenOption
- type PeerIDGetter
Functions ¶
func Dial ¶
func Dial(ctx context.Context, network, addr string, authorizer tlsconfig.Authorizer, options ...DialOption) (net.Conn, error)
Dial creates an mTLS connection using an X509-SVID obtained from the Workload API. The server is authenticated using X.509 bundles also obtained from the Workload API. The server is authorized using the given authorizer.
This is the same as DialWithMode using the MTLSClient mode.
func DialWithMode ¶
func DialWithMode(ctx context.Context, network, addr string, mode DialMode, options ...DialOption) (_ net.Conn, err error)
DialWithMode creates a TLS connection using the specified mode.
func Listen ¶
func Listen(ctx context.Context, network, laddr string, authorizer tlsconfig.Authorizer, options ...ListenOption) (net.Listener, error)
Listen creates an mTLS listener accepting connections on the given network address using net.Listen. The server X509-SVID is obtained via the Workload API along with X.509 bundles used to verify client X509-SVIDs. The client is authorized using the given authorizer.
This function is the same as ListenWithMode using the MTLSServer mode.
func ListenWithMode ¶
func ListenWithMode(ctx context.Context, network, laddr string, mode ListenMode, options ...ListenOption) (net.Listener, error)
ListenWithMode creates a TLS listener accepting connections on the given network address using net.Listen. The given mode controls the authentication and authorization exercised during the TLS handshake.
func NewListener ¶
func NewListener(ctx context.Context, inner net.Listener, authorizer tlsconfig.Authorizer, options ...ListenOption) (net.Listener, error)
NewListener creates an mTLS listener which accepts connections from an inner Listener and wraps each connection with tls.Server. The server X509-SVID is obtained via the Workload API along with X.509 bundles used to verify client X509-SVIDs. The client is authorized using the given authorizer.
This function is the same as NewListenerWithMode using the MTLSServer mode.
func NewListenerWithMode ¶
func NewListenerWithMode(ctx context.Context, inner net.Listener, mode ListenMode, options ...ListenOption) (_ net.Listener, err error)
NewListenerWithMode creates a TLS listener which accepts connections from an inner Listener and wraps each connection with tls.Server. The given mode controls the authentication and authorization exercised during the TLS handshake.
func PeerIDFromConn ¶
PeerIDFromConn returns the SPIFFE ID of the peer on either a server-side or a client-side connection. The TLS handshake must already have completed before this is called. Note that in Go's TLS stack, the TLS 1.3 handshake may not complete until the first read from the connection, so the peer ID may not be available until after that read.
func PeerIDFromConnectionState ¶ added in v2.1.5
func PeerIDFromConnectionState(state tls.ConnectionState) (spiffeid.ID, error)
PeerIDFromConnectionState returns the SPIFFE ID of the peer from an already-established TLS connection state, without requiring access to the underlying connection.
Types ¶
type DialMode ¶
type DialMode interface {
// contains filtered or unexported methods
}
DialMode is a SPIFFE TLS dialing mode.
func MTLSClient ¶
func MTLSClient(authorizer tlsconfig.Authorizer) DialMode
MTLSClient configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via the Workload API. The authorizer is used to authorize the server X509-SVID.
func MTLSClientWithRawConfig ¶
func MTLSClientWithRawConfig(authorizer tlsconfig.Authorizer, svid x509svid.Source, bundle x509bundle.Source) DialMode
MTLSClientWithRawConfig configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via the provided X509-SVID and X.509 bundle sources. The sources must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.
func MTLSClientWithSource ¶
func MTLSClientWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) DialMode
MTLSClientWithSource configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.
func MTLSClientWithSourceOptions ¶
func MTLSClientWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) DialMode
MTLSClientWithSourceOptions configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize the server X509-SVID.
func MTLSWebClient ¶
MTLSWebClient configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via the Workload API. The roots (or the system roots if nil) are used to authenticate the server certificate.
func MTLSWebClientWithRawConfig ¶
MTLSWebClientWithRawConfig configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via the provided X509-SVID source. The source must remain valid for the lifetime of the connection. The roots (or the system roots if nil) are used to authenticate the server certificate.
func MTLSWebClientWithSource ¶
func MTLSWebClientWithSource(roots *x509.CertPool, source *workloadapi.X509Source) DialMode
MTLSWebClientWithSource configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the connection. The roots (or the system roots if nil) are used to authenticate the server certificate.
func MTLSWebClientWithSourceOptions ¶
func MTLSWebClientWithSourceOptions(roots *x509.CertPool, options ...workloadapi.X509SourceOption) DialMode
MTLSWebClientWithSourceOptions configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via a new Workload API X.509 source created with the provided source options. The roots (or the system roots if nil) are used to authenticate the server certificate.
func TLSClient ¶
func TLSClient(authorizer tlsconfig.Authorizer) DialMode
TLSClient configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via the Workload API. The authorizer is used to authorize the server X509-SVID.
func TLSClientWithRawConfig ¶
func TLSClientWithRawConfig(authorizer tlsconfig.Authorizer, bundle x509bundle.Source) DialMode
TLSClientWithRawConfig configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via the provided X.509 bundle source. The source must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.
func TLSClientWithSource ¶
func TLSClientWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) DialMode
TLSClientWithSource configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.
func TLSClientWithSourceOptions ¶
func TLSClientWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) DialMode
TLSClientWithSourceOptions configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize the server X509-SVID.
type DialOption ¶
type DialOption interface {
// contains filtered or unexported methods
}
DialOption is an option for dialing. Values of type Option are also DialOptions.
func WithDialTLSConfigBase ¶
func WithDialTLSConfigBase(base *tls.Config) DialOption
WithDialTLSConfigBase provides a base TLS configuration to use. Fields of the base related to certificates and verification are overwritten by this package as necessary to facilitate SPIFFE authentication, so callers should not rely on those fields of the base being honored.
func WithDialTLSOptions ¶
func WithDialTLSOptions(opts ...tlsconfig.Option) DialOption
WithDialTLSOptions provides options to use for the TLS config.
func WithDialer ¶
func WithDialer(dialer *net.Dialer) DialOption
WithDialer provides a net dialer to use. If unset, the standard net dialer will be used.
type ListenMode ¶
type ListenMode interface {
// contains filtered or unexported methods
}
ListenMode is a SPIFFE TLS listening mode.
func MTLSServer ¶
func MTLSServer(authorizer tlsconfig.Authorizer) ListenMode
MTLSServer configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via the Workload API. The authorizer is used to authorize client X509-SVIDs.
func MTLSServerWithRawConfig ¶
func MTLSServerWithRawConfig(authorizer tlsconfig.Authorizer, svid x509svid.Source, bundle x509bundle.Source) ListenMode
MTLSServerWithRawConfig configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via the provided X509-SVID and X.509 bundle sources. The sources must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.
func MTLSServerWithSource ¶
func MTLSServerWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) ListenMode
MTLSServerWithSource configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.
func MTLSServerWithSourceOptions ¶
func MTLSServerWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) ListenMode
MTLSServerWithSourceOptions configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize client X509-SVIDs.
func MTLSWebServer ¶
func MTLSWebServer(authorizer tlsconfig.Authorizer, cert *tls.Certificate) ListenMode
MTLSWebServer configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles obtained via the Workload API. The authorizer is used to authorize client X509-SVIDs.
func MTLSWebServerWithRawConfig ¶
func MTLSWebServerWithRawConfig(authorizer tlsconfig.Authorizer, cert *tls.Certificate, bundle x509bundle.Source) ListenMode
MTLSWebServerWithRawConfig configures the listener for mutually authenticated TLS (mTLS). The listener presents the given X.509 certificate and authenticates client X509-SVIDs using X.509 bundles obtained via the provided X.509 bundle source. The source must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.
func MTLSWebServerWithSource ¶
func MTLSWebServerWithSource(authorizer tlsconfig.Authorizer, cert *tls.Certificate, source *workloadapi.X509Source) ListenMode
MTLSWebServerWithSource configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.
func MTLSWebServerWithSourceOptions ¶
func MTLSWebServerWithSourceOptions(authorizer tlsconfig.Authorizer, cert *tls.Certificate, options ...workloadapi.X509SourceOption) ListenMode
MTLSWebServerWithSourceOptions configures the listener for mutually authenticated TLS (mTLS). The listener presents the given X.509 certificate and authenticates client X509-SVIDs using X.509 bundles obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize client X509-SVIDs.
func TLSServer ¶
func TLSServer() ListenMode
TLSServer configures the listener for TLS. The listener presents an X509-SVID obtained via the Workload API.
func TLSServerWithRawConfig ¶
func TLSServerWithRawConfig(svid x509svid.Source) ListenMode
TLSServerWithRawConfig configures the listener for TLS. The listener presents an X509-SVID obtained via the provided X509-SVID source. The source must remain valid for the lifetime of the listener.
func TLSServerWithSource ¶
func TLSServerWithSource(source *workloadapi.X509Source) ListenMode
TLSServerWithSource configures the listener for TLS. The listener presents an X509-SVID obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the listener.
func TLSServerWithSourceOptions ¶
func TLSServerWithSourceOptions(options ...workloadapi.X509SourceOption) ListenMode
TLSServerWithSourceOptions configures the listener for TLS. The listener presents an X509-SVID obtained via a new Workload API X.509 source created with the provided source options.
type ListenOption ¶
type ListenOption interface {
// contains filtered or unexported methods
}
ListenOption is an option for listening. Values of type Option are also ListenOptions.
func WithListenTLSConfigBase ¶
func WithListenTLSConfigBase(base *tls.Config) ListenOption
WithListenTLSConfigBase provides a base TLS configuration to use. Fields of the base related to certificates and verification are overwritten by this package as necessary to facilitate SPIFFE authentication, so callers should not rely on those fields of the base being honored.
func WithListenTLSOptions ¶
func WithListenTLSOptions(opts ...tlsconfig.Option) ListenOption
WithListenTLSOptions provides options to use for the listener's TLS config when doing server-side mTLS.