spiffetls

package
v2.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 17, 2024 License: Apache-2.0 Imports: 11 Imported by: 7

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Dial

func Dial(ctx context.Context, network, addr string, authorizer tlsconfig.Authorizer, options ...DialOption) (net.Conn, error)

Dial creates an mTLS connection using an X509-SVID obtained from the Workload API. The server is authenticated using X.509 bundles also obtained from the Workload API. The server is authorized using the given authorizer.

This is the same as DialWithMode using the MTLSClient mode.

func DialWithMode

func DialWithMode(ctx context.Context, network, addr string, mode DialMode, options ...DialOption) (_ net.Conn, err error)

DialWithMode creates a TLS connection using the specified mode.

func Listen

func Listen(ctx context.Context, network, laddr string, authorizer tlsconfig.Authorizer, options ...ListenOption) (net.Listener, error)

Listen creates an mTLS listener accepting connections on the given network address using net.Listen. The server X509-SVID is obtained via the Workload API along with X.509 bundles used to verify client X509-SVIDs. The client is authorized using the given authorizer.

This function is the same as ListenWithMode using the MTLSServer mode.

func ListenWithMode

func ListenWithMode(ctx context.Context, network, laddr string, mode ListenMode, options ...ListenOption) (net.Listener, error)

ListenWithMode creates a TLS listener accepting connections on the given network address using net.Listen. The given mode controls the authentication and authorization exercised during the TLS handshake.

func NewListener

func NewListener(ctx context.Context, inner net.Listener, authorizer tlsconfig.Authorizer, options ...ListenOption) (net.Listener, error)

NewListener creates an mTLS listener which accepts connections from an inner Listener and wraps each connection with tls.Server. The server X509-SVID is obtained via the Workload API along with X.509 bundles used to verify client X509-SVIDs. The client is authorized using the given authorizer.

This function is the same as NewListenerWithMode using the MTLSServer mode.

func NewListenerWithMode

func NewListenerWithMode(ctx context.Context, inner net.Listener, mode ListenMode, options ...ListenOption) (_ net.Listener, err error)

NewListenerWithMode creates a TLS listener which accepts connections from an inner Listener and wraps each connection with tls.Server. The given mode controls the authentication and authorization exercised during the TLS handshake.

func PeerIDFromConn

func PeerIDFromConn(conn net.Conn) (spiffeid.ID, error)

PeerIDFromConn returns the peer ID from a server or client peer connection. The handshake must have been completed. Note that in Go's TLS stack, the TLS 1.3 handshake may not complete until the first read from the connection.

func PeerIDFromConnectionState added in v2.1.5

func PeerIDFromConnectionState(state tls.ConnectionState) (spiffeid.ID, error)

Types

type DialMode

type DialMode interface {
	// contains filtered or unexported methods
}

DialMode is a SPIFFE TLS dialing mode.

func MTLSClient

func MTLSClient(authorizer tlsconfig.Authorizer) DialMode

MTLSClient configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via the Workload API. The authorizer is used to authorize the server X509-SVID.

func MTLSClientWithRawConfig

func MTLSClientWithRawConfig(authorizer tlsconfig.Authorizer, svid x509svid.Source, bundle x509bundle.Source) DialMode

MTLSClientWithRawConfig configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via the provided X509-SVID and X.509 bundle sources. The sources must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.

func MTLSClientWithSource

func MTLSClientWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) DialMode

MTLSClientWithSource configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.

func MTLSClientWithSourceOptions

func MTLSClientWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) DialMode

MTLSClientWithSourceOptions configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize the server X509-SVID.

func MTLSWebClient

func MTLSWebClient(roots *x509.CertPool) DialMode

MTLSWebClient configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via the Workload API. The roots (or the system roots if nil) are used to authenticate the server certificate.

func MTLSWebClientWithRawConfig

func MTLSWebClientWithRawConfig(roots *x509.CertPool, svid x509svid.Source) DialMode

MTLSWebClientWithRawConfig configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via the provided X509-SVID source. The source must remain valid for the lifetime of the connection. The roots (or the system roots if nil) are used to authenticate the server certificate.

func MTLSWebClientWithSource

func MTLSWebClientWithSource(roots *x509.CertPool, source *workloadapi.X509Source) DialMode

MTLSWebClientWithSource configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the connection. The roots (or the system roots if nil) are used to authenticate the server certificate.

func MTLSWebClientWithSourceOptions

func MTLSWebClientWithSourceOptions(roots *x509.CertPool, options ...workloadapi.X509SourceOption) DialMode

MTLSWebClientWithSourceOptions configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via a new Workload API X.509 source created with the provided source options. The roots (or the system roots if nil) are used to authenticate the server certificate.

func TLSClient

func TLSClient(authorizer tlsconfig.Authorizer) DialMode

TLSClient configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via the Workload API. The authorizer is used to authorize the server X509-SVID.

func TLSClientWithRawConfig

func TLSClientWithRawConfig(authorizer tlsconfig.Authorizer, bundle x509bundle.Source) DialMode

TLSClientWithRawConfig configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via the provided X.509 bundle source. The source must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.

func TLSClientWithSource

func TLSClientWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) DialMode

TLSClientWithSource configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.

func TLSClientWithSourceOptions

func TLSClientWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) DialMode

TLSClientWithSourceOptions configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize the server X509-SVID.

type DialOption

type DialOption interface {
	// contains filtered or unexported methods
}

DialOption is an option for dialing. Option's are also DialOption's.

func WithDialTLSConfigBase

func WithDialTLSConfigBase(base *tls.Config) DialOption

WithDialTLSConfigBase provides a base TLS configuration to use. Fields related to certificates and verification will be overwritten by this package as necessary to facilitate SPIFFE authentication.

func WithDialTLSOptions

func WithDialTLSOptions(opts ...tlsconfig.Option) DialOption

WithDialTLSOptions provides options to use for the TLS config.

func WithDialer

func WithDialer(dialer *net.Dialer) DialOption

WithDialer provides a net dialer to use. If unset, the standard net dialer will be used.

type ListenMode

type ListenMode interface {
	// contains filtered or unexported methods
}

ListenMode is a SPIFFE TLS listening mode.

func MTLSServer

func MTLSServer(authorizer tlsconfig.Authorizer) ListenMode

MTLSServer configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via the Workload API. The authorizer is used to authorize client X509-SVIDs.

func MTLSServerWithRawConfig

func MTLSServerWithRawConfig(authorizer tlsconfig.Authorizer, svid x509svid.Source, bundle x509bundle.Source) ListenMode

MTLSServerWithRawConfig configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via the provided X509-SVID and X.509 bundle sources. The sources must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.

func MTLSServerWithSource

func MTLSServerWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) ListenMode

MTLSServerWithSource configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.

func MTLSServerWithSourceOptions

func MTLSServerWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) ListenMode

MTLSServerWithSourceOptions configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize client X509-SVIDs.

func MTLSWebServer

func MTLSWebServer(authorizer tlsconfig.Authorizer, cert *tls.Certificate) ListenMode

MTLSWebServer configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles obtained via the Workload API. The authorizer is used to authorize client X509-SVIDs.

func MTLSWebServerWithRawConfig

func MTLSWebServerWithRawConfig(authorizer tlsconfig.Authorizer, cert *tls.Certificate, bundle x509bundle.Source) ListenMode

MTLSWebServerWithRawConfig configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles, both obtained via the provided X.509 bundle source. The source must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.

func MTLSWebServerWithSource

func MTLSWebServerWithSource(authorizer tlsconfig.Authorizer, cert *tls.Certificate, source *workloadapi.X509Source) ListenMode

MTLSWebServerWithSource configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.

func MTLSWebServerWithSourceOptions

func MTLSWebServerWithSourceOptions(authorizer tlsconfig.Authorizer, cert *tls.Certificate, options ...workloadapi.X509SourceOption) ListenMode

MTLSWebServerWithSourceOptions configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles, both obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize client X509-SVIDs.

func TLSServer

func TLSServer() ListenMode

TLSServer configures the listener for TLS. The listener presents an X509-SVID obtained via the Workload API.

func TLSServerWithRawConfig

func TLSServerWithRawConfig(svid x509svid.Source) ListenMode

TLSServerWithRawConfig configures the listener for TLS. The listener presents an X509-SVID obtained via the provided X509-SVID source. The source must remain valid for the lifetime of the listener.

func TLSServerWithSource

func TLSServerWithSource(source *workloadapi.X509Source) ListenMode

TLSServerWithSource configures the listener for TLS. The listener presents an X509-SVID obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the listener.

func TLSServerWithSourceOptions

func TLSServerWithSourceOptions(options ...workloadapi.X509SourceOption) ListenMode

TLSServerWithSourceOptions configures the listener for TLS. The listener presents an X509-SVID obtained via a new Workload API X.509 source created with the provided source options.

type ListenOption

type ListenOption interface {
	// contains filtered or unexported methods
}

ListenOption is an option for listening. Option's are also ListenOption's.

func WithListenTLSConfigBase

func WithListenTLSConfigBase(base *tls.Config) ListenOption

WithListenTLSConfigBase provides a base TLS configuration to use. Fields related to certificates and verification will be overwritten by this package as necessary to facilitate SPIFFE authentication.

func WithListenTLSOptions

func WithListenTLSOptions(opts ...tlsconfig.Option) ListenOption

WithListenTLSOptions provides options to use when doing Server mTLS.

type PeerIDGetter

type PeerIDGetter interface {
	PeerID() (spiffeid.ID, error)
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL