Documentation ¶
Index ¶
- func CertificatesFromHeader(headerData string) (certs []*x509.Certificate, err error)
- func CertificatesFromHeaderThenTLSState(state *tls.ConnectionState, headerData string) (certs []*x509.Certificate, err error)
- func CertificatesFromTLSState(state *tls.ConnectionState) (certs []*x509.Certificate, err error)
- func CertificatesFromTLSStateThenHeader(state *tls.ConnectionState, headerData string) (certs []*x509.Certificate, err error)
- func NewMTLSAuthorizer(verifyOptions x509.VerifyOptions, deciderFunc DeciderFunc, ...) bahamut.Authorizer
- func NewMTLSRequestAuthenticator(verifyOptions x509.VerifyOptions, deciderFunc DeciderFunc, ...) bahamut.RequestAuthenticator
- func NewMTLSSessionAuthenticator(verifyOptions x509.VerifyOptions, deciderFunc DeciderFunc, ...) bahamut.SessionAuthenticator
- type CertificateCheckMode
- type DeciderFunc
- type VerifierFunc
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CertificatesFromHeader ¶
func CertificatesFromHeader(headerData string) (certs []*x509.Certificate, err error)
CertificatesFromHeader retrieves the certificates from the http header `X-TLS-Client-Certificate`.
func CertificatesFromHeaderThenTLSState ¶
func CertificatesFromHeaderThenTLSState(state *tls.ConnectionState, headerData string) (certs []*x509.Certificate, err error)
CertificatesFromHeaderThenTLSState retrieves the certificates either from the header `X-TLS-Client-Certificate` or from the TLS connection state, in that order.
Note: Using this function on a service directly reachable from the internet is extremely dangerous, as it assumes the certificate carried in the header has already been validated by a third party and treats it purely as informative data. To use this function securely, a service whose mTLS authenticator prefers the header must sit behind a proxy that performs mTLS authentication first.
func CertificatesFromTLSState ¶
func CertificatesFromTLSState(state *tls.ConnectionState) (certs []*x509.Certificate, err error)
CertificatesFromTLSState retrieves the certificates from the TLS connection state.
func CertificatesFromTLSStateThenHeader ¶
func CertificatesFromTLSStateThenHeader(state *tls.ConnectionState, headerData string) (certs []*x509.Certificate, err error)
CertificatesFromTLSStateThenHeader retrieves the certificates either from the TLS connection state or from the header `X-TLS-Client-Certificate`, in that order.
Note: Using this function on a service directly reachable from the internet is extremely dangerous, as it assumes the certificate carried in the header has already been validated by a third party and treats it purely as informative data. To use this function securely, a service whose mTLS authenticator prefers the header must sit behind a proxy that performs mTLS authentication first.
func NewMTLSAuthorizer ¶
func NewMTLSAuthorizer(
	verifyOptions x509.VerifyOptions,
	deciderFunc DeciderFunc,
	ignoredIdentities []elemental.Identity,
	certVerifier VerifierFunc,
	certificateCheckMode CertificateCheckMode,
) bahamut.Authorizer
NewMTLSAuthorizer returns a new Authorizer that ensures the client certificate can be verified using the given x509.VerifyOptions. The Authorizer will not enforce this for identities given by ignoredIdentities.
deciderFunc is the DeciderFunc used to return the actual action you want the Authorizer to return.
func NewMTLSRequestAuthenticator ¶
func NewMTLSRequestAuthenticator(
	verifyOptions x509.VerifyOptions,
	deciderFunc DeciderFunc,
	certVerifier VerifierFunc,
	certificateCheckMode CertificateCheckMode,
) bahamut.RequestAuthenticator
NewMTLSRequestAuthenticator returns a new Authenticator that ensures the client certificate can be verified using the given x509.VerifyOptions. The Authenticator will not enforce this for identities given by ignoredIdentities.
deciderFunc is the DeciderFunc used to return the actual action you want the RequestAuthenticator to return.
func NewMTLSSessionAuthenticator ¶
func NewMTLSSessionAuthenticator(
	verifyOptions x509.VerifyOptions,
	deciderFunc DeciderFunc,
	certVerifier VerifierFunc,
	certificateCheckMode CertificateCheckMode,
) bahamut.SessionAuthenticator
NewMTLSSessionAuthenticator returns a new Authenticator that ensures the client certificate can be verified using the given x509.VerifyOptions. The Authenticator will not enforce this for identities given by ignoredIdentities.
deciderFunc is the DeciderFunc used to return the actual action you want the SessionAuthenticator to return.
Types ¶
type CertificateCheckMode ¶
type CertificateCheckMode int
CertificateCheckMode represents the mode to use to check the certificate.
const (
	CertificateCheckModeTLSStateOnly CertificateCheckMode = iota
	CertificateCheckModeTLSStateThenHeader
	CertificateCheckModeHeaderThenTLSState
	CertificateCheckModeHeaderOnly
)
Various values for CertificateCheckMode.
type DeciderFunc ¶
type DeciderFunc func(bahamut.AuthAction, bahamut.Context, bahamut.Session) bahamut.AuthAction
DeciderFunc is the type of function to pass to decide what bahamut.Action to return after the MTLS check is done. It will be given the mtls result action, and the bahamut.Context or bahamut.Session according to the kind of authorization. If bahamut.Context is given, bahamut.Session will be nil and vice versa.
type VerifierFunc ¶
type VerifierFunc func(*x509.Certificate) bool
VerifierFunc is the type of function you can pass to do custom verification on the certificates, such as checking them against a certificate revocation list. Note that CRL checking is not done by Go when using x509.VerifyOptions. If you need advanced CRL checks, you need to implement them in a VerifierFunc.
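The CRL check the paragraph above leaves to a VerifierFunc, written as an added example that is not part of this package: NewCRLVerifier and newFixture are hypothetical helpers, the CA and CRL are generated in memory as constructed test data, and the returned closure has the package's VerifierFunc signature so it can be passed as certVerifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCRLVerifier (hypothetical, not part of the package) builds a VerifierFunc that fails closed on an unsigned, stale or revoking CRL.
func NewCRLVerifier(ca *x509.Certificate, crlDER []byte, now func() time.Time) (func(*x509.Certificate) bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, err // an unsigned or foreign CRL must never be trusted
	}
	revoked := map[string]bool{}
	for _, e := range crl.RevokedCertificates { // filled on parse; Go 1.21+ also fills RevokedCertificateEntries
		revoked[e.SerialNumber.String()] = true
	}
	return func(c *x509.Certificate) bool {
		if t := now(); t.Before(crl.ThisUpdate) || t.After(crl.NextUpdate) {
			return false // a stale CRL proves nothing about revocation, so reject
		}
		return !revoked[c.SerialNumber.String()]
	}, nil
}

// newFixture builds a throwaway CA and a CRL that revokes serial 42 (constructed in-memory test data).
func newFixture(now time.Time) (*x509.Certificate, []byte, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // keygen from crypto/rand does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der) // re-parse so SubjectKeyId and PublicKey are populated
	if err != nil {
		return nil, nil, err
	}
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, ca, key)
	return ca, crlDER, err
}
```

Reload the CRL (and therefore rebuild the verifier) before NextUpdate passes, otherwise the closure rejects every client once the list goes stale.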