README
¶
ContainerSSH configuration
This package contains the configuration structure of ContainerSSH. The root
configuration object is config.AppConfig. You can use this library to
generate a valid ContainerSSH configuration file.
Each configuration structure also contains a Validate() function which
can be used to check if the configuration is valid. (Note, this will do a
full validation. Validating a partial configuration is not supported.)
Documentation
¶
Index ¶
- Constants
- type AppConfig
- type AuditLogConfig
- type AuditLogFileConfig
- type AuditLogFormat
- type AuditLogInterceptConfig
- type AuditLogS3Config
- type AuditLogS3Metadata
- type AuditLogStorage
- type AuthConfig
- type AuthGenericConfig
- type AuthGitHubConfig
- type AuthKerberosClientConfig
- type AuthMethod
- type AuthOAuth2ClientConfig
- type AuthOIDCConfig
- type AuthWebhookClientConfig
- type AuthzConfig
- type AuthzMethod
- type Backend
- type CipherSuite
- type CipherSuiteList
- type ClientConfig
- type CommandConfig
- type DockerConfig
- type DockerConnectionConfig
- type DockerExecutionConfig
- type DockerExecutionMode
- type DockerImagePullPolicy
- type DockerLaunchConfig
- type DockerTimeoutConfig
- type ECDHCurve
- type ECDHCurveList
- type ForwardingConfig
- type GSSAPIAuthConfig
- type GSSAPIAuthMethod
- type GeoIPConfig
- type GeoIPProvider
- type HTTPClientCerts
- type HTTPClientConfiguration
- type HTTPServerCerts
- type HTTPServerConfiguration
- type HealthConfig
- type KeyboardInteractiveAuthConfig
- type KeyboardInteractiveAuthMethod
- type KubernetesConfig
- type KubernetesConnectionConfig
- type KubernetesExecutionMode
- type KubernetesPodConfig
- type KubernetesTimeoutConfig
- type LogConfig
- type LogDestination
- type LogFacility
- type LogFacilityString
- type LogFormat
- type LogLevel
- func (level LogLevel) MarshalJSON() ([]byte, error)
- func (level LogLevel) MarshalYAML() (interface{}, error)
- func (level LogLevel) MustName() LogLevelString
- func (level *LogLevel) Name() (LogLevelString, error)
- func (level LogLevel) String() string
- func (level *LogLevel) UnmarshalJSON(data []byte) error
- func (level *LogLevel) UnmarshalYAML(unmarshal func(interface{}) error) error
- func (level LogLevel) Validate() error
- type LogLevelString
- type MetricsConfig
- type OAuth2ProviderName
- type OAuth2RedirectConfig
- type PasswordAuthConfig
- type PasswordAuthMethod
- type PublicKeyAuthConfig
- type PublicKeyAuthMethod
- type Request
- type RequestEncoding
- type Response
- type ResponseBody
- type SSHCipher
- type SSHCipherList
- type SSHConfig
- type SSHKex
- type SSHKexList
- type SSHKeyAlgo
- type SSHKeyAlgoList
- type SSHMAC
- type SSHMACList
- type SSHProxyAllowedHostKeyFingerprints
- type SSHProxyClientVersion
- type SSHProxyConfig
- type SSHServerVersion
- type SecurityConfig
- type SecurityEnvConfig
- type SecurityExecutionPolicy
- type SecurityShellConfig
- type SecuritySignalConfig
- type SecurityTTYConfig
- type SubsystemConfig
- type SyslogConfig
- type TLSVersion
Constants ¶
View Source
const RequestEncodingDefault = ""
RequestEncodingDefault is the default encoding and encodes the body to JSON.
View Source
const RequestEncodingJSON = "JSON"
RequestEncodingJSON encodes the body to JSON.
View Source
const RequestEncodingWWWURLEncoded = "WWW-URLENCODED"
RequestEncodingWWWURLEncoded encodes the body via www-urlencoded.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AppConfig ¶
type AppConfig struct {
// SSH contains the configuration for the SSH server.
// swagger:ignore
SSH SSHConfig `json:"ssh" yaml:"ssh"`
// ConfigServer contains the settings for fetching the user-specific configuration.
// swagger:ignore
ConfigServer ClientConfig `json:"configserver" yaml:"configserver"`
// Auth contains the configuration for user authentication.
// swagger:ignore
Auth AuthConfig `json:"auth" yaml:"auth"`
// Log contains the configuration for the logging level.
// swagger:ignore
Log LogConfig `json:"log" yaml:"log"`
// Metrics contains the configuration for the metrics server.
// swagger:ignore
Metrics MetricsConfig `json:"metrics" yaml:"metrics"`
// GeoIP contains the configuration for the GeoIP lookups.
// swagger:ignore
GeoIP GeoIPConfig `json:"geoip" yaml:"geoip"`
// Audit contains the configuration for audit logging and log upload.
// swagger:ignore
Audit AuditLogConfig `json:"audit" yaml:"audit"`
// Health contains the configuration for the health check service.
Health HealthConfig `json:"health" yaml:"health"`
// Security contains the security restrictions on what can be executed. This option can be changed from the config
// server.
Security SecurityConfig `json:"security" yaml:"security"`
// Backend defines which backend to use. This option can be changed from the config server.
Backend Backend `json:"backend" yaml:"backend" default:"docker"`
// Docker contains the configuration for the docker backend. This option can be changed from the config server.
Docker DockerConfig `json:"docker,omitempty" yaml:"docker"`
// DockerRun is a placeholder for the removed DockerRun backend. Filling this with anything but nil will yield a
// validation error.
DockerRun interface{} `json:"dockerrun,omitempty"`
// Kubernetes contains the configuration for the kubernetes backend. This option can be changed from the config
// server.
Kubernetes KubernetesConfig `json:"kubernetes,omitempty" yaml:"kubernetes"`
// KubeRun is a placeholder for the removed DockerRun backend. Filling this with anything but nil will yield a
// validation error.
KubeRun interface{} `json:"kuberun,omitempty"`
// SSHProxy is the configuration for the SSH proxy backend, which forwards requests to a backing SSH server.
SSHProxy SSHProxyConfig `json:"sshproxy,omitempty" yaml:"sshproxy"`
}
AppConfig is the root configuration object of ContainerSSH.
type AuditLogConfig ¶
type AuditLogConfig struct {
// Enable turns on audit logging.
Enable bool `json:"enable" yaml:"enable" default:"false"`
// Format audit format
Format AuditLogFormat `json:"format" yaml:"format" default:"none"`
// Storage audit storage type
Storage AuditLogStorage `json:"storage" yaml:"storage" default:"none"`
// File audit logger configuration
File AuditLogFileConfig `json:"file" yaml:"file"`
// S3 configuration
S3 AuditLogS3Config `json:"s3" yaml:"s3"`
// Intercept configures what should be intercepted
Intercept AuditLogInterceptConfig `json:"intercept" yaml:"intercept"`
}
AuditLogConfig is the configuration structure for audit logging.
func (*AuditLogConfig) Validate ¶
func (config *AuditLogConfig) Validate() error
Validate checks the configuration to enable global configuration check.
type AuditLogFileConfig ¶
type AuditLogFileConfig struct {
Directory string `json:"directory" yaml:"directory" default:"/var/log/audit"`
}
AuditLogFileConfig is the configuration for the file storage.
func (*AuditLogFileConfig) Validate ¶
func (c *AuditLogFileConfig) Validate() error
type AuditLogFormat ¶
type AuditLogFormat string
AuditLogFormat describes the audit log format in use.
const ( // AuditLogFormatNone signals that no audit logging should take place. AuditLogFormatNone AuditLogFormat = "none" // AuditLogFormatBinary signals that audit logging should take place in CBOR+GZIP format // (see https://containerssh.github.io/advanced/audit/format/ ) AuditLogFormatBinary AuditLogFormat = "binary" // AuditLogFormatAsciinema signals that audit logging should take place in Asciicast v2 format // (see https://github.com/asciinema/asciinema/blob/develop/doc/asciicast-v2.md ) AuditLogFormatAsciinema AuditLogFormat = "asciinema" )
func (AuditLogFormat) Validate ¶
func (f AuditLogFormat) Validate() error
Validate checks the format.
type AuditLogInterceptConfig ¶
type AuditLogInterceptConfig struct {
// Stdin signals that the standard input from the user should be captured.
Stdin bool `json:"stdin" yaml:"stdin" default:"false"`
// Stdout signals that the standard output to the user should be captured.
Stdout bool `json:"stdout" yaml:"stdout" default:"false"`
// Stderr signals that the standard error to the user should be captured.
Stderr bool `json:"stderr" yaml:"stderr" default:"false"`
// Passwords signals that passwords during authentication should be captured.
Passwords bool `json:"passwords" yaml:"passwords" default:"false"`
// Forwarding signals that the contents of forward and reverse connection forwardings should be captured.
Forwarding bool `json:"forwarding" yaml:"forwarding" default:"false"`
}
AuditLogInterceptConfig configures what should be intercepted by the auditing facility.
type AuditLogS3Config ¶
type AuditLogS3Config struct {
Local string `json:"local" yaml:"local" default:"/var/lib/audit"`
AccessKey string `json:"accessKey" yaml:"accessKey"`
SecretKey string `json:"secretKey" yaml:"secretKey"`
Bucket string `json:"bucket" yaml:"bucket"`
Region string `json:"region" yaml:"region"`
Endpoint string `json:"endpoint" yaml:"endpoint"`
CACert string `json:"cacert" yaml:"cacert"`
ACL string `json:"acl" yaml:"acl"`
PathStyleAccess bool `json:"pathStyleAccess" yaml:"pathStyleAccess"`
UploadPartSize uint `json:"uploadPartSize" yaml:"uploadPartSize" default:"5242880"`
ParallelUploads uint `json:"parallelUploads" yaml:"parallelUploads" default:"20"`
Metadata AuditLogS3Metadata `json:"metadata" yaml:"metadata"`
}
AuditLogS3Config S3 storage configuration
func (AuditLogS3Config) Validate ¶
func (config AuditLogS3Config) Validate() error
Validate validates the
type AuditLogS3Metadata ¶
type AuditLogS3Metadata struct {
IP bool `json:"ip" yaml:"ip"`
Username bool `json:"username" yaml:"username"`
}
AuditLogS3Metadata AuditLogS3Metadata configuration for the S3 storage
type AuditLogStorage ¶
type AuditLogStorage string
AuditLogStorage describes the storage backend to use.
const ( // AuditLogStorageNone signals that no storage should be used. AuditLogStorageNone AuditLogStorage = "none" // AuditLogStorageFile signals that audit logs should be stored in a local directory. AuditLogStorageFile AuditLogStorage = "file" // AuditLogStorageS3 signals that audit logs should be stored in an S3-compatible object storage. AuditLogStorageS3 AuditLogStorage = "s3" )
func (AuditLogStorage) Validate ¶
func (s AuditLogStorage) Validate() error
Validate checks the storage.
type AuthConfig ¶
type AuthConfig struct {
// PasswordAuth configures how users are authenticated with passwords. If not set, password authentication is
// disabled.
PasswordAuth PasswordAuthConfig `json:"password" yaml:"password"`
// PublicKeyAuth configures how users are authenticated with their public keys. If not set, public key
// authentication is disabled.
PublicKeyAuth PublicKeyAuthConfig `json:"publicKey" yaml:"publicKey"`
// KeyboardInteractiveAuth configures how users are authenticated using the keyboard-interactive (question-answer)
// method. If this is empty, keyboard-interactive is disabled.
KeyboardInteractiveAuth KeyboardInteractiveAuthConfig `json:"keyboardInteractive" yaml:"keyboardInteractive"`
// GSSAPIAuth configures how users are authenticated using the GSSAPI (typically Kerberos) method. If this is empty,
// GSSAPI authentication is disabled.
GSSAPIAuth GSSAPIAuthConfig `json:"gssapi" yaml:"gssapi"`
// Authz is the authorization configuration. The authorization server will receive a webhook after successful user
// authentication to determine whether the specified user has access to the service. If not set authorization is
// disabled. It is strongly recommended you configure AuthZ in case of oAuth2 and GSSAPI methods as these methods
// do not verify the provided SSH username.
Authz AuthzConfig `json:"authz" yaml:"authz"`
// AuthTimeout is the timeout for the overall authentication call (e.g. verifying a password). If the server
// responds with a non-200 response the call will be retried until this timeout is reached. This timeout
// should be increased to ~180s for OAuth2 login.
// Deprecated: please use the individual authentication methods instead.
AuthTimeout time.Duration `json:"authTimeout" yaml:"authTimeout" default:"60s"`
// Deprecated: please use the individual authentication configurations instead.
HTTPClientConfiguration `json:",inline" yaml:",inline"`
// Password is a flag to enable password authentication.
// Deprecated: use PasswordAuth instead.
Password *bool `json:"-" yaml:"-" comment:"Perform password authentication" default:"true"`
// PubKey is a flag to enable public key authentication.
// Deprecated: use PublicKeyAuth instead.
PubKey *bool `json:"pubkey" yaml:"pubkey" comment:"Perform public key authentication" default:"true"`
}
AuthConfig is the configuration of the authentication client.
func (*AuthConfig) UnmarshalJSON ¶
func (c *AuthConfig) UnmarshalJSON(data []byte) error
func (*AuthConfig) UnmarshalYAML ¶
func (c *AuthConfig) UnmarshalYAML(unmarshal func(interface{}) error) error
func (*AuthConfig) Validate ¶
func (c *AuthConfig) Validate() error
Validate checks if the authentication configuration is valid.
type AuthGenericConfig ¶
type AuthGenericConfig struct {
// AuthorizeEndpointURL is the endpoint configuration for the OAuth2 authorization
AuthorizeEndpointURL string `json:"authorizeEndpointURL" yaml:"authorizeEndpointURL"`
// TokenEndpoint is the endpoint configuration for the OAuth2 authorization
TokenEndpoint HTTPClientConfiguration `json:"tokenEndpoint" yaml:"tokenEndpoint"`
// RedirectURI is the URI the client is returned to. This URL should be configured to the redirect server endpoint.
RedirectURI string `json:"redirectURI" yaml:"redirectURI"`
}
func (*AuthGenericConfig) Validate ¶
func (o *AuthGenericConfig) Validate() error
type AuthGitHubConfig ¶
type AuthGitHubConfig struct {
// CACert is the PEM-encoded CA certificate, or file containing a PEM-encoded CA certificate used to verify the
// GitHub server certificate.
CACert string `json:"cacert" yaml:"cacert" default:""`
// URL is the base GitHub URL. Change this for GitHub Enterprise.
URL string `json:"url" yaml:"url" default:"https://github.com"`
// APIURL is the GitHub API URL. Change this for GitHub Enterprise.
APIURL string `json:"apiurl" yaml:"apiurl" default:"https://api.github.com"`
// ClientCert is a PEM containing an x509 certificate to present to the server or a file name containing the PEM.
ClientCert string `json:"cert" yaml:"cert" comment:"Client certificate file in PEM format."`
// ClientKey is a PEM containing a private key to use to connect the server or a file name containing the PEM.
ClientKey string `json:"key" yaml:"key" comment:"Client key file in PEM format."`
// TLSVersion is the minimum TLS version to use.
TLSVersion TLSVersion `json:"tlsVersion" yaml:"tlsVersion" default:"1.3"`
// ECDHCurves is the list of curve algorithms to support.
ECDHCurves ECDHCurveList `json:"curves" yaml:"curves" default:"[\"x25519\",\"secp256r1\",\"secp384r1\",\"secp521r1\"]"`
// CipherSuites is a list of supported cipher suites.
CipherSuites CipherSuiteList `` /* 212-byte string literal not displayed */
// EnforceUsername requires that the GitHub username and the entered SSH username match. If this is set to false
// the configuration server has to handle the GITHUB_USER connnection parameter in order to obtain the correct
// username as the SSH username cannot be trusted.
EnforceUsername bool `json:"enforceUsername" yaml:"enforceUsername" default:"true"`
// RequireOrgMembership checks if the user is part of the specified organization on GitHub. This requires the
// read:org scope to be granted by the user. If the user does not grant this scope the authentication fails.
RequireOrgMembership string `json:"requireOrgMembership" yaml:"requireOrgMembership"`
// Require2FA requires the user to have two factor authentication enabled when logging in to this server. This
// requires the read:user scope to be granted by the user. If the user does not grant this scope the authentication
// fails.
Require2FA bool `json:"require2FA" yaml:"require2FA"`
// ExtraScopes asks the user to grant extra scopes to ContainerSSH. This is useful when the configuration server
// needs these scopes to operate.
ExtraScopes []string `json:"extraScopes" yaml:"extraScopes"`
// EnforceScopes rejects the user authentication if the user fails to grant the scopes requested in extraScopes.
EnforceScopes bool `json:"enforceScopes" yaml:"enforceScopes"`
// RequestTimeout is the timeout for individual HTTP requests.
RequestTimeout time.Duration `json:"timeout" yaml:"timeout" default:"10s"`
}
AuthGitHubConfig is the configuration structure for GitHub authentication.
func (*AuthGitHubConfig) Validate ¶
func (c *AuthGitHubConfig) Validate() (err error)
type AuthKerberosClientConfig ¶
type AuthKerberosClientConfig struct {
// Keytab is the path to the kerberos keytab. If unset it defaults to
// the default of /etc/krb5.keytab. If this file doesn't exist and
// kerberos authentication is requested ContainerSSH will fail to start.
Keytab string `json:"keytab" yaml:"keytab" default:"/etc/krb5.keytab"`
// Acceptor is the name of the keytab entry to authenticate against.
// The value of this field needs to be in the form of `service/name`.
//
// The special value of `host` will authenticate clients only against
// the service `host/hostname` where hostname is the system hostname
// The special value of 'any' will authenticate against all keytab
// entries regardless of name.
Acceptor string `json:"acceptor" yaml:"acceptor" default:"any"`
// EnforceUsername specifies whether to check that the username of the
// authenticated user matches the SSH username entered. If set to false
// the authorization server must be responsible for ensuring proper
// access control.
//
// WARNING: If authorization is unset and this is set to false all
// authenticated users can log in to any account!
EnforceUsername bool `json:"enforceUsername" yaml:"enforceUsername" default:"true"`
// CredentialCachePath is the path in which the kerberos credentials
// will be written inside the user containers.
CredentialCachePath string `json:"credentialCachePath" yaml:"credentialCachePath" default:"/tmp/krb5cc"`
// ConfigPath is the path of the kerberos configuration file. This is
// only used for password authentication.
ConfigPath string `json:"configPath" yaml:"configPath" default:"/etc/containerssh/krb5.conf"`
// ClockSkew is the maximum allowed clock skew for kerberos messages,
// any messages older than this will be rejected. This value is also
// used for the replay cache.
ClockSkew time.Duration `json:"clockSkew" yaml:"clockSkew" default:"5m"`
}
AuthKerberosClientConfig is the configuration for the Kerberos authentication method.
func (*AuthKerberosClientConfig) Validate ¶
func (k *AuthKerberosClientConfig) Validate() error
type AuthMethod ¶
type AuthMethod string
AuthMethod is a listing of all authentication methods. These methods are not guaranteed to support any particular authentication method.
const AuthMethodDisabled AuthMethod = ""
AuthMethodDisabled disables the authentication method
const AuthMethodKerberos AuthMethod = "kerberos"
AuthMethodKerberos authenticates using the Kerberos method.
const AuthMethodOAuth2 AuthMethod = "oauth2"
AuthMethodOAuth2 authenticates by sending the user to a web interface using the keyboard-interactive facility.
const AuthMethodWebhook AuthMethod = "webhook"
AuthMethodWebhook authenticates using HTTP.
func (AuthMethod) Validate ¶
func (m AuthMethod) Validate() error
Validate checks if the provided method is valid or not.
type AuthOAuth2ClientConfig ¶
type AuthOAuth2ClientConfig struct {
// Redirect is the configuration for the redirect URI server.
Redirect OAuth2RedirectConfig `json:"redirect" yaml:"redirect"`
// ClientID is the public identifier for the ContainerSSH installation.
ClientID string `json:"clientId" yaml:"clientId"`
// ClientSecret is the OAuth2 secret value needed to obtain the access token.
ClientSecret string `json:"clientSecret" yaml:"clientSecret"`
// Provider is the provider to use for authentication
Provider OAuth2ProviderName `json:"provider" yaml:"provider"`
// GitHub is the configuration for the GitHub provider.
GitHub AuthGitHubConfig `json:"github" yaml:"github"`
// OIDC is the configuration for the OpenID Connect provider.
OIDC AuthOIDCConfig `json:"oidc" yaml:"oidc"`
// Generic is a generic OAuth2 authentication without OIDC userinfo. This method cannot verify the username.
Generic AuthGenericConfig `json:"generic" yaml:"generic"`
// QRCodeClients contains a list of strings that are used to identify SSH clients that can display an ASCII QR Code
// for the device authorization flow. Each string is compiled as regular expressions and are used to match against
// the client version string.
//
// This is done primarily because OpenSSH cuts off the sent text and mangles the drawing characters, so it cannot
// be used to display a QR code.
QRCodeClients []string `json:"qrCodeClients" yaml:"qrCodeClients"`
// DeviceFlowClients is a list of clients that can use the device flow without sending keyboard-interactive
// questions.
DeviceFlowClients []string `json:"deviceFlowClients" yaml:"deviceFlowClients"`
// AuthTimeout is the timeout for the overall authentication call. If the server
// responds with a non-200 response the call will be retried until this timeout is reached.
AuthTimeout time.Duration `json:"authTimeout" yaml:"authTimeout" default:"120s"`
}
AuthOAuth2ClientConfig is the configuration for OAuth2-based authentication.
func (*AuthOAuth2ClientConfig) Validate ¶
func (o *AuthOAuth2ClientConfig) Validate() error
Validate validates if the OAuth2 client configuration is valid.
type AuthOIDCConfig ¶
type AuthOIDCConfig struct {
HTTPClientConfiguration `json:",inline" yaml:",inline"`
// DeviceFlow enables or disables using the OIDC device flow.
DeviceFlow bool `json:"deviceFlow" yaml:"deviceFlow"`
// AuthorizationCodeFlow enables or disables the OIDC authorization code flow.
AuthorizationCodeFlow bool `json:"authorizationCodeFlow" yaml:"authorizationCodeFlow"`
// UsernameField indicates the userinfo field that should be taken as the username.
UsernameField string `json:"usernameField" yaml:"usernameField" default:"sub"`
// RedirectURI is the URI the client is returned to. This URL should be configured to the redirect server endpoint.
RedirectURI string `json:"redirectURI" yaml:"redirectURI"`
}
func (*AuthOIDCConfig) Validate ¶
func (o *AuthOIDCConfig) Validate() error
type AuthWebhookClientConfig ¶
type AuthWebhookClientConfig struct {
HTTPClientConfiguration `json:",inline" yaml:",inline"`
// AuthTimeout is the timeout for the overall authentication call (e.g. verifying a password). If the server
// responds with a non-200 response the call will be retried until this timeout is reached.
AuthTimeout time.Duration `json:"authTimeout" yaml:"authTimeout" default:"60s"`
}
AuthWebhookClientConfig is the configuration for webhook authentication.
func (*AuthWebhookClientConfig) Validate ¶
func (c *AuthWebhookClientConfig) Validate() error
Validate validates the authentication client configuration.
type AuthzConfig ¶
type AuthzConfig struct {
Method AuthzMethod `json:"method" yaml:"method" default:""`
Webhook AuthWebhookClientConfig `json:"webhook" yaml:"webhook"`
}
AuthzConfig is the configuration for the authorization flow
func (*AuthzConfig) Validate ¶
func (k *AuthzConfig) Validate() error
Validate validates the authorization configuration.
type AuthzMethod ¶
type AuthzMethod string
AuthzMethod provides the methods usable authorization.
const AuthzMethodDisabled AuthzMethod = AuthzMethod(AuthMethodDisabled)
AuthzMethodDisabled disables authorization. All usernames will be accepted as they are authenticated.
const AuthzMethodWebhook AuthzMethod = AuthzMethod(AuthMethodWebhook)
AuthzMethodWebhook authorizes users using HTTP webhooks.
func (AuthzMethod) Validate ¶
func (m AuthzMethod) Validate() error
Validate checks if the provided method is valid or not.
type Backend ¶
type Backend string
Backend holds the possible values for backend selector.
func BackendValues ¶
func BackendValues() []Backend
BackendValues returns all possible values for the Backend field.
type CipherSuite ¶
type CipherSuite string
CipherSuite is the cipher suite used for TLS connections.
const ( IANA_TLS_AES_128_GCM_SHA256 CipherSuite = "TLS_AES_128_GCM_SHA256" IANA_TLS_AES_256_GCM_SHA384 CipherSuite = "TLS_AES_256_GCM_SHA384" IANA_TLS_CHACHA20_POLY1305_SHA256 CipherSuite = "TLS_CHACHA20_POLY1305_SHA256" IANA_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 CipherSuite = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" OpenSSL_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 CipherSuite = "ECDHE-ECDSA-AES128-GCM-SHA256" GnuTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 CipherSuite = "TLS_ECDHE_ECDSA_AES_128_GCM_SHA256" IANA_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 CipherSuite = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" OpenSSL_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 CipherSuite = "ECDHE-RSA-AES128-GCM-SHA256" GnuTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 CipherSuite = "TLS_ECDHE_RSA_AES_128_GCM_SHA256" IANA_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 CipherSuite = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" OpenSSL_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 CipherSuite = "ECDHE-ECDSA-AES256-GCM-SHA384" GnuTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 CipherSuite = "TLS_ECDHE_ECDSA_AES_256_GCM_SHA384" IANA_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 CipherSuite = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" OpenSSL_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 CipherSuite = "ECDHE-RSA-AES256-GCM-SHA384" GnuTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 CipherSuite = "TLS_ECDHE_RSA_AES_256_GCM_SHA384" IANA_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 CipherSuite = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" OpenSSL_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 CipherSuite = "ECDHE-ECDSA-CHACHA20-POLY1305" GnuTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 CipherSuite = "TLS_ECDHE_ECDSA_CHACHA20_POLY1305" IANA_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 CipherSuite = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" OpenSSL_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 CipherSuite = "ECDHE-RSA-CHACHA20-POLY1305" GnuTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 CipherSuite = "TLS_ECDHE_RSA_CHACHA20_POLY1305" )
func (CipherSuite) Validate ¶
func (c CipherSuite) Validate() error
Validate validates if the cipher suite is supported.
type CipherSuiteList ¶
type CipherSuiteList []CipherSuite
CipherSuiteList is a list of cipher suites. This type is provided for easier unmarshaling from a list or string.
func (CipherSuiteList) GetList ¶
func (c CipherSuiteList) GetList() []uint16
GetList returns a go-specific list of cipher IDs.
func (*CipherSuiteList) UnmarshalJSON ¶
func (c *CipherSuiteList) UnmarshalJSON(data []byte) error
UnmarshalJSON provides JSON unmarshalling from both a list and a cipher suite string.
func (*CipherSuiteList) UnmarshalYAML ¶
func (c *CipherSuiteList) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML provides YAML unmarshalling from both a list and a cipher suite string.
func (CipherSuiteList) Validate ¶
func (c CipherSuiteList) Validate() error
Validate provides validation for a list of cipher suites.
type ClientConfig ¶
type ClientConfig struct {
HTTPClientConfiguration `json:",inline" yaml:",inline"`
// TransmitSensitiveMetadata enables sending sensitive metadata fields to the configuration webhook server.
// If disabled, sensitive metadata fields are sanitized from the webhook request.
TransmitSensitiveMetadata bool `json:"transmitSensitiveMetadata" yaml:"transmitSensitiveMetadata"`
}
noinspection GoNameStartsWithPackageName
func (*ClientConfig) Validate ¶
func (c *ClientConfig) Validate() error
Validate validates the client configuration.
type CommandConfig ¶
type CommandConfig struct {
// Mode configures how to treat command execution (exec) requests by SSH clients.
Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
// Allow takes effect when Mode is ExecutionPolicyFilter and only allows the specified commands to be
// executed. Note that the match an exact match is performed to avoid shell injections, etc.
Allow []string `json:"allow" yaml:"allow"`
}
CommandConfig controls command executions via SSH (exec requests).
func (CommandConfig) Validate ¶
func (c CommandConfig) Validate() error
Validate validates a shell configuration
type DockerConfig ¶
type DockerConfig struct {
// Connection configures how to connect to dockerd
Connection DockerConnectionConfig `json:"connection" yaml:"connection"`
// Execution drives how the container and the workload are executed
Execution DockerExecutionConfig `json:"execution" yaml:"execution"`
// Timeouts configures the various timeouts when interacting with dockerd.
Timeouts DockerTimeoutConfig `json:"timeouts" yaml:"timeouts"`
}
DockerConfig is the base configuration structure of the Docker backend.
func (DockerConfig) Validate ¶
func (c DockerConfig) Validate() error
Validate validates the provided configuration and returns an error if invalid.
type DockerConnectionConfig ¶
type DockerConnectionConfig struct {
// Host is the docker connect URL.
Host string `json:"host" yaml:"host" default:"unix:///var/run/docker.sock"`
// CaCert is the CA certificate for Docker connection embedded in the configuration in PEM format.
CaCert string `json:"cacert" yaml:"cacert"`
// Cert is the client certificate in PEM format embedded in the configuration.
Cert string `json:"cert" yaml:"cert"`
// Key is the client key in PEM format embedded in the configuration.
Key string `json:"key" yaml:"key"`
}
DockerConnectionConfig configures how to connect to dockerd.
func (DockerConnectionConfig) Validate ¶
func (c DockerConnectionConfig) Validate() error
type DockerExecutionConfig ¶
type DockerExecutionConfig struct {
// DockerLaunchConfig contains the Docker-specific launch configuration.
DockerLaunchConfig `json:",inline" yaml:",inline"`
// Auth contains the image registry authentication config
Auth *types.AuthConfig `json:"auth" yaml:"auth"`
// Mode influences how commands are executed.
//
// - If DockerExecutionModeConnection is chosen (default) a new container is launched per connection. In this mode
// sessions are executed using the "docker exec" functionality and the main container console runs a script that
// waits for a termination signal.
// - If DockerExecutionModeSession is chosen a new container is launched per session, leading to potentially multiple
// containers per connection. In this mode the program is launched directly as the main process of the container.
// When configuring this mode you should explicitly configure the "cmd" option to an empty list if you want the
// default command in the container to launch.
Mode DockerExecutionMode `json:"mode" yaml:"mode" default:"connection"`
// IdleCommand is the command that runs as the first process in the container in DockerExecutionModeConnection. Ignored in DockerExecutionModeSession.
IdleCommand []string `` /* 199-byte string literal not displayed */
// ShellCommand is the command used for launching shells when the container is in DockerExecutionModeConnection. Ignored in DockerExecutionModeSession.
ShellCommand []string `json:"shellCommand" yaml:"shellCommand" comment:"Run this command as a default shell." default:"[\"/bin/bash\"]"`
// AgentPath contains the path to the ContainerSSH Guest Agent.
AgentPath string `json:"agentPath" yaml:"agentPath" default:"/usr/bin/containerssh-agent"`
// DisableAgent enables using the ContainerSSH Guest Agent.
DisableAgent bool `json:"disableAgent" yaml:"disableAgent"`
// Subsystems contains a map of subsystem names and their corresponding binaries in the container.
Subsystems map[string]string `` /* 133-byte string literal not displayed */
// ImagePullPolicy controls when to pull container images.
ImagePullPolicy DockerImagePullPolicy `json:"imagePullPolicy" yaml:"imagePullPolicy" comment:"Image pull policy" default:"IfNotPresent"`
// ExposeAuthMetadataAsEnv lets you expose the authentication metadata (e.g. GITHUB_TOKEN) as an environment variable
// in the container. In contrast to the environment variables set in the SSH connection these environment variables
// are available to all processes in the container, including the idle command.
ExposeAuthMetadataAsEnv bool `json:"exposeAuthMetadataAsEnv" yaml:"exposeAuthMetadataAsEnv"`
}
DockerExecutionConfig contains the configuration of what container to run in Docker.
func (*DockerExecutionConfig) UnmarshalJSON ¶
func (d *DockerExecutionConfig) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the special unmarshalling of the DockerExecutionConfig that allows embedding the DockerLaunchConfig.
func (*DockerExecutionConfig) UnmarshalYAML ¶
func (d *DockerExecutionConfig) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML implements the special unmarshalling of the DockerExecutionConfig that allows embedding the DockerLaunchConfig.
func (DockerExecutionConfig) Validate ¶
func (c DockerExecutionConfig) Validate() error
Validate validates the docker config structure.
type DockerExecutionMode ¶
type DockerExecutionMode string
DockerExecutionMode determines when a container is launched. DockerExecutionModeConnection launches one container per SSH connection (default), while DockerExecutionModeSession launches one container per SSH session.
const ( // DockerExecutionModeConnection launches one container per SSH connection. DockerExecutionModeConnection DockerExecutionMode = "connection" // DockerExecutionModeSession launches one container per SSH session (multiple containers per connection). DockerExecutionModeSession DockerExecutionMode = "session" )
func (DockerExecutionMode) Validate ¶
func (e DockerExecutionMode) Validate() error
Validate validates the execution config.
type DockerImagePullPolicy ¶
type DockerImagePullPolicy string
DockerImagePullPolicy drives how and when images are pulled. The values are closely aligned with the Kubernetes image pull policy.
- ImagePullPolicyAlways means that the container image will be pulled on every connection.
- ImagePullPolicyIfNotPresent means the image will be pulled if the image is not present locally, an empty tag, or the "latest" tag was specified.
- ImagePullPolicyNever means that the image will never be pulled, and if the image is not available locally the connection will fail.
const ( // ImagePullPolicyAlways means that the container image will be pulled on every connection. ImagePullPolicyAlways DockerImagePullPolicy = "Always" // ImagePullPolicyIfNotPresent means the image will be pulled if the image is not present locally, an empty tag, or // the "latest" tag was specified. ImagePullPolicyIfNotPresent DockerImagePullPolicy = "IfNotPresent" // ImagePullPolicyNever means that the image will never be pulled, and if the image is not available locally the // connection will fail. ImagePullPolicyNever DockerImagePullPolicy = "Never" )
func (DockerImagePullPolicy) Validate ¶
func (p DockerImagePullPolicy) Validate() error
Validate checks if the given image pull policy is valid.
type DockerLaunchConfig ¶
type DockerLaunchConfig struct {
// ContainerConfig contains container-specific configuration options.
ContainerConfig *container.Config `` /* 135-byte string literal not displayed */
// HostConfig contains the host-specific configuration options.
HostConfig *container.HostConfig `json:"host" yaml:"host" comment:"Host configuration"`
// NetworkConfig contains the network settings.
NetworkConfig *network.NetworkingConfig `json:"network" yaml:"network" comment:"Network configuration"`
// Platform contains the platform specification.
Platform *specs.Platform `json:"platform" yaml:"platform" comment:"Platform specification"`
// ContainerName is the name of the container to launch. It is recommended to leave this empty, otherwise
// ContainerSSH may not be able to start the container if a container with the same name already exists.
ContainerName string `json:"containername" yaml:"containername" comment:"Name for the container to be launched"`
}
DockerLaunchConfig contains the container configuration for the Docker client version 20.
func (*DockerLaunchConfig) UnmarshalJSON ¶
func (l *DockerLaunchConfig) UnmarshalJSON(b []byte) error
UnmarshalJSON implements the special unmarshalling of the DockerLaunchConfig that ignores unknown fields. This is needed because Docker treats removing fields as backwards-compatible. See https://github.com/moby/moby/pull/39158#issuecomment-489704731
func (*DockerLaunchConfig) UnmarshalYAML ¶
func (l *DockerLaunchConfig) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML implements the special unmarshalling of the DockerLaunchConfig that ignores unknown fields. This is needed because Docker treats removing fields as backwards-compatible. See https://github.com/moby/moby/pull/39158#issuecomment-489704731
func (*DockerLaunchConfig) Validate ¶
func (l *DockerLaunchConfig) Validate() error
Validate validates the launch configuration.
type DockerTimeoutConfig ¶
type DockerTimeoutConfig struct {
// ContainerStart is the maximum time starting a container may take.
ContainerStart time.Duration `json:"containerStart" yaml:"containerStart" default:"60s"`
// ContainerStop is the maximum time to wait for a container to stop. This should always be set higher than the Docker StopTimeout.
ContainerStop time.Duration `json:"containerStop" yaml:"containerStop" default:"60s"`
// CommandStart sets the maximum time starting a command may take.
CommandStart time.Duration `json:"commandStart" yaml:"commandStart" default:"60s"`
// Signal sets the maximum time sending a signal may take.
Signal time.Duration `json:"signal" yaml:"signal" default:"60s"`
// Signal sets the maximum time setting the window size may take.
Window time.Duration `json:"window" yaml:"window" default:"60s"`
// HTTP
HTTP time.Duration `json:"http" yaml:"http" default:"15s"`
}
DockerTimeoutConfig drives the various timeouts in the Docker backend.
func (*DockerTimeoutConfig) UnmarshalJSON ¶
func (t *DockerTimeoutConfig) UnmarshalJSON(b []byte) error
UnmarshalJSON takes a JSON byte array and unmarshalls it into a structure.
func (*DockerTimeoutConfig) UnmarshalYAML ¶
func (t *DockerTimeoutConfig) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML takes a YAML byte array and unmarshalls it into a structure.
type ECDHCurve ¶
type ECDHCurve string
ECDHCurve is an elliptic curve algorithm.
type ECDHCurveList ¶
type ECDHCurveList []ECDHCurve
ECDHCurveList is a list of supported ECDHCurve
func (ECDHCurveList) GetList ¶
func (c ECDHCurveList) GetList() []tls.CurveID
GetList returns a list of go-internal TLS CurveIDs.
func (*ECDHCurveList) UnmarshalJSON ¶
func (c *ECDHCurveList) UnmarshalJSON(data []byte) error
UnmarshalJSON provides JSON unmarshalling from both a list and a string with ECDH curves.
func (*ECDHCurveList) UnmarshalYAML ¶
func (c *ECDHCurveList) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML provides YAML unmarshalling from both a list and a string with ECDH curves.
func (ECDHCurveList) Validate ¶
func (c ECDHCurveList) Validate() error
Validate provides validation for a list of cipher suites.
type ForwardingConfig ¶
type ForwardingConfig struct {
// ReverseForwardingMode configures how to treat reverse port forwarding requests from the container to the client.
ReverseForwardingMode SecurityExecutionPolicy `json:"reverseForwardingMode" yaml:"reverseForwardingMode" default:"disable"`
// ForwardingMode configures how to treat port forwarding requests from the client to the container. Enabling this setting also allows using ContainerSSH as a SOCKs proxy.
ForwardingMode SecurityExecutionPolicy `json:"forwardingMode" yaml:"forwardingMode" default:"disable"`
// SocketForwardingMode configures how to treat connection requests from the client to a unix socket in the container.
SocketForwardingMode SecurityExecutionPolicy `json:"socketForwardingMode" yaml:"socketForwardingMode" default:"disable"`
// SocketListenMode configures how to treat requests to listen for connections to a unix socket in the container.
SocketListenMode SecurityExecutionPolicy `json:"socketListenMode" yaml:"socketListenMode" default:"disable"`
// X11forwardingMode configures how to treat X11 forwarding requests from the container to the client
X11ForwardingMode SecurityExecutionPolicy `json:"x11ForwardingMode" yaml:"x11ForwardingMode" default:"disable"`
}
func (ForwardingConfig) Validate ¶
func (f ForwardingConfig) Validate() error
type GSSAPIAuthConfig ¶
type GSSAPIAuthConfig struct {
// Method is the authenticator to use for GSSAPI authentication.
Method GSSAPIAuthMethod `json:"method" yaml:"method"`
// Kerberos configures GSSAPI for Kerberos authentication.
Kerberos AuthKerberosClientConfig `json:"kerberos" yaml:"kerberos"`
}
func (GSSAPIAuthConfig) Validate ¶
func (c GSSAPIAuthConfig) Validate() error
type GSSAPIAuthMethod ¶
type GSSAPIAuthMethod string
GSSAPIAuthMethod provides the methods usable for GSSAPI authentication.
const GSSAPIAuthMethodDisabled GSSAPIAuthMethod = GSSAPIAuthMethod(AuthMethodDisabled)
GSSAPIAuthMethodDisabled disables GSSAPI authentication.
const GSSAPIAuthMethodKerberos GSSAPIAuthMethod = GSSAPIAuthMethod(AuthMethodKerberos)
GSSAPIAuthMethodKerberos authenticates using Kerberos.
func (GSSAPIAuthMethod) Validate ¶
func (m GSSAPIAuthMethod) Validate() error
Validate checks if the provided method is valid or not.
type GeoIPConfig ¶
type GeoIPConfig struct {
Provider GeoIPProvider `yaml:"provider" json:"provider" default:"dummy"`
GeoIP2File string `yaml:"maxmind-geoip2-file" json:"maxmind-geoip2-file" default:"/var/lib/GeoIP/GeoIP2-Country.mmdb"`
}
GeoIPConfig is the structure configuring the GeoIP lookup process.
func (GeoIPConfig) Validate ¶
func (config GeoIPConfig) Validate() error
Validate checks the configuration.
type GeoIPProvider ¶
type GeoIPProvider string
GeoIPProvider is a configuration option to select the GeoIP lookup provider.
const ( // GeoIPDummyProvider always returns the XX country code. GeoIPDummyProvider GeoIPProvider = "dummy" // GeoIPMaxMindProvider looks up IP addresses via the MaxMind GeoIP database. GeoIPMaxMindProvider GeoIPProvider = "maxmind" )
func (GeoIPProvider) Validate ¶
func (p GeoIPProvider) Validate() error
type HTTPClientCerts ¶
type HTTPClientCerts struct {
// CACertPool contains the certificate pool used for verifying the server identity.
CACertPool *x509.CertPool
// Cert is the client certificate to authenticate to the server with, if any.
Cert *tls.Certificate
}
HTTPClientCerts is a structure that holds the client certificates after successfully calling ValidateWithCerts
type HTTPClientConfiguration ¶
type HTTPClientConfiguration struct {
// URL is the base URL for requests.
URL string `json:"url" yaml:"url" comment:"Base URL of the server to connect."`
// AllowRedirects sets if the client should honor HTTP redirects. Defaults to false.
AllowRedirects bool `json:"allowRedirects" yaml:"allowRedirects" comment:""`
// Timeout is the time the client should wait for a response.
Timeout time.Duration `json:"timeout" yaml:"timeout" comment:"HTTP call timeout." default:"2s"`
// CACert is either the CA certificate to expect on the server in PEM format
// or the name of a file containing the PEM.
CACert string `json:"cacert" yaml:"cacert" comment:"CA certificate in PEM format to use for host verification."`
// ClientCert is a PEM containing an x509 certificate to present to the server or a file name containing the PEM.
ClientCert string `json:"cert" yaml:"cert" comment:"Client certificate file in PEM format."`
// ClientKey is a PEM containing a private key to use to connect the server or a file name containing the PEM.
ClientKey string `json:"key" yaml:"key" comment:"Client key file in PEM format."`
// TLSVersion is the minimum TLS version to use.
TLSVersion TLSVersion `json:"tlsVersion" yaml:"tlsVersion" default:"1.3"`
// ECDHCurves is the list of curve algorithms to support.
ECDHCurves ECDHCurveList `json:"curves" yaml:"curves" default:"[\"x25519\",\"secp256r1\",\"secp384r1\",\"secp521r1\"]"`
// CipherSuites is a list of supported cipher suites.
CipherSuites CipherSuiteList `` /* 212-byte string literal not displayed */
// RequestEncoding is the means by which the request body is encoded. It defaults to JSON encoding.
RequestEncoding RequestEncoding `json:"-" yaml:"-"`
}
HTTPClientConfiguration is the configuration structure for HTTP clients
func (*HTTPClientConfiguration) Validate ¶
func (c *HTTPClientConfiguration) Validate() error
Validate validates the HTTP client configuration.
func (*HTTPClientConfiguration) ValidateWithCerts ¶
func (c *HTTPClientConfiguration) ValidateWithCerts() (*HTTPClientCerts, error)
ValidateWithCerts validates the client configuration and returns the loaded certificates if any.
type HTTPServerCerts ¶
type HTTPServerCerts struct {
// Cert is the server certificate.
Cert *tls.Certificate
// ClientCAPool contains the CA certificate pool to verify client certificates against, if any.
ClientCAPool *x509.CertPool
}
HTTPServerCerts is a structure returned from ValidateWithCerts, containing the loaded certificates after validation.
type HTTPServerConfiguration ¶
type HTTPServerConfiguration struct {
// Listen contains the IP and port to listen on.
Listen string `json:"listen" yaml:"listen" default:"0.0.0.0:8080"`
// Key contains either a file name to a private key, or the private key itself in PEM format to use as a server key.
Key string `json:"key" yaml:"key"`
// Cert contains either a file to a certificate, or the certificate itself in PEM format to use as a server
// certificate.
Cert string `json:"cert" yaml:"cert"`
// ClientCACert contains either a file or a certificate in PEM format to verify the connecting clients by.
ClientCACert string `json:"clientcacert" yaml:"clientcacert"`
// TLSVersion is the minimum TLS version to use.
TLSVersion TLSVersion `json:"tlsVersion" yaml:"tlsVersion" default:"1.3"`
// ECDHCurves is the list of curve algorithms to support.
ECDHCurves ECDHCurveList `json:"curves" yaml:"curves" default:"[\"x25519\",\"secp256r1\",\"secp384r1\",\"secp521r1\"]"`
// CipherSuites is a list of supported cipher suites.
CipherSuites CipherSuiteList `` /* 212-byte string literal not displayed */
}
HTTPServerConfiguration is a structure to configure the simple HTTP server by.
func (*HTTPServerConfiguration) Validate ¶
func (config *HTTPServerConfiguration) Validate() error
func (*HTTPServerConfiguration) ValidateWithCerts ¶
func (config *HTTPServerConfiguration) ValidateWithCerts() (*HTTPServerCerts, error)
ValidateWithCerts validates the server configuration and returns the loaded certificates
type HealthConfig ¶
type HealthConfig struct {
Enable bool `json:"enable" yaml:"enable"`
HTTPServerConfiguration `json:",inline" yaml:",inline" default:"{\"listen\":\"0.0.0.0:7000\"}"`
Client HTTPClientConfiguration `json:"client" yaml:"client" default:"{\"url\":\"http://127.0.0.1:7000/\"}"`
}
HealthConfig is the configuration for the health service.
func (HealthConfig) Validate ¶
func (c HealthConfig) Validate() error
type KeyboardInteractiveAuthConfig ¶
type KeyboardInteractiveAuthConfig struct {
// Method is the authenticator to use for public keys.
Method KeyboardInteractiveAuthMethod `json:"method" yaml:"method" default:""`
// Webhook configures the oAuth2 authenticator for keyboard-interactive authentication.
OAuth2 AuthOAuth2ClientConfig `json:"oauth2" yaml:"oauth2"`
}
KeyboardInteractiveAuthConfig configures the keyboard-interactive authentication method.
func (KeyboardInteractiveAuthConfig) Validate ¶
func (c KeyboardInteractiveAuthConfig) Validate() error
type KeyboardInteractiveAuthMethod ¶
type KeyboardInteractiveAuthMethod string
KeyboardInteractiveAuthMethod provides the methods usable for keyboard-interactive authentication.
const KeyboardInteractiveAuthMethodDisabled KeyboardInteractiveAuthMethod = KeyboardInteractiveAuthMethod(AuthMethodDisabled)
KeyboardInteractiveAuthMethodDisabled disables keyboard-interactive authentication.
const KeyboardInteractiveAuthMethodOAuth2 KeyboardInteractiveAuthMethod = KeyboardInteractiveAuthMethod(AuthMethodOAuth2)
KeyboardInteractiveAuthMethodOAuth2 authenticates using oAuth2/OIDC.
func (KeyboardInteractiveAuthMethod) Validate ¶
func (m KeyboardInteractiveAuthMethod) Validate() error
Validate checks if the provided method is valid or not.
type KubernetesConfig ¶
type KubernetesConfig struct {
// Connection configures the connection to the Kubernetes cluster.
Connection KubernetesConnectionConfig `json:"connection,omitempty" yaml:"connection" comment:"Kubernetes configuration options"`
// Pod contains the spec and specific settings for creating the pod.
Pod KubernetesPodConfig `json:"pod,omitempty" yaml:"pod" comment:"Container configuration"`
// Timeout specifies how long to wait for the Pod to come up.
Timeouts KubernetesTimeoutConfig `json:"timeouts,omitempty" yaml:"timeouts" comment:"Timeout for pod creation"`
}
KubernetesConfig is the base configuration structure for Kubernetes
func (KubernetesConfig) Validate ¶
func (c KubernetesConfig) Validate() error
Validate checks the configuration options and returns an error if the configuration is invalid.
type KubernetesConnectionConfig ¶
type KubernetesConnectionConfig struct {
// Host is a host string, a host:port pair, or a URL to the Kubernetes apiserver. Defaults to kubernetes.default.svc.
Host string `` /* 148-byte string literal not displayed */
// APIPath is a sub-path that points to the API root. Defaults to /api
APIPath string `json:"path,omitempty" yaml:"path" comment:"APIPath is a sub-path that points to an API root." default:"/api"`
// Username is the username for basic authentication.
Username string `json:"username,omitempty" yaml:"username" comment:"Username for basic authentication"`
// Password is the password for basic authentication.
Password string `json:"password,omitempty" yaml:"password" comment:"Password for basic authentication"`
// ServerName sets the server name to be set in the SNI and used by the client for TLS verification.
ServerName string `` /* 162-byte string literal not displayed */
// CertFile points to a file that contains the client certificate used for authentication.
CertFile string `` /* 129-byte string literal not displayed */
// KeyFile points to a file that contains the client key used for authentication.
KeyFile string `json:"keyFile,omitempty" yaml:"keyFile" comment:"File containing client key for TLS client certificate authentication"`
// CAFile points to a file that contains the CA certificate for authentication.
CAFile string `json:"cacertFile,omitempty" yaml:"cacertFile" comment:"File containing trusted root certificates for the server"`
// CertData contains a PEM-encoded certificate for TLS client certificate authentication.
CertData string `json:"cert,omitempty" yaml:"cert" comment:"PEM-encoded certificate for TLS client certificate authentication"`
// KeyData contains a PEM-encoded client key for TLS client certificate authentication.
KeyData string `json:"key,omitempty" yaml:"key" comment:"PEM-encoded client key for TLS client certificate authentication"`
// CAData contains a PEM-encoded trusted root certificates for the server.
CAData string `json:"cacert,omitempty" yaml:"cacert" comment:"PEM-encoded trusted root certificates for the server"`
// BearerToken contains a bearer (service) token for authentication.
BearerToken string `json:"bearerToken,omitempty" yaml:"bearerToken" comment:"Bearer (service token) authentication"`
// BearerTokenFile points to a file containing a bearer (service) token for authentication.
// Set to /var/run/secrets/kubernetes.io/serviceaccount/token to use service token in a Kubernetes kubeConfigCluster.
BearerTokenFile string `` /* 221-byte string literal not displayed */
// QPS indicates the maximum QPS to the master from this client. Defaults to 5.
QPS float32 `json:"qps,omitempty" yaml:"qps" comment:"QPS indicates the maximum QPS to the master from this client." default:"5"`
// Burst indicates the maximum burst for throttle.
Burst int `json:"burst,omitempty" yaml:"burst" comment:"Maximum burst for throttle." default:"10"`
}
KubernetesConnectionConfig configures the connection to the Kubernetes cluster.
func (KubernetesConnectionConfig) Validate ¶
func (c KubernetesConnectionConfig) Validate() error
type KubernetesExecutionMode ¶
type KubernetesExecutionMode string
KubernetesExecutionMode determines when a container is launched. KubernetesExecutionModeConnection launches one container per SSH connection (default), while KubernetesExecutionModeSession launches one container per SSH session.
const ( // KubernetesExecutionModeConnection launches one container per SSH connection. KubernetesExecutionModeConnection KubernetesExecutionMode = "connection" // KubernetesExecutionModeSession launches one container per SSH session (multiple containers per connection). KubernetesExecutionModeSession KubernetesExecutionMode = "session" )
func (KubernetesExecutionMode) Validate ¶
func (e KubernetesExecutionMode) Validate() error
Validate validates the execution config.
type KubernetesPodConfig ¶
type KubernetesPodConfig struct {
// Metadata configures the pod metadata.
Metadata metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" default:"{\"namespace\":\"default\",\"generateName\":\"containerssh-\"}"`
// Spec contains the pod specification to launch.
Spec v1.PodSpec `` /* 173-byte string literal not displayed */
// ConsoleContainerNumber specifies the container to attach the running process to. Defaults to 0.
ConsoleContainerNumber int `` /* 139-byte string literal not displayed */
// IdleCommand contains the command to run as the first process in the container. Other commands are executed using the "exec" method.
IdleCommand []string `` /* 209-byte string literal not displayed */
// ShellCommand is the command used for launching shells when the container. Required in KubernetesExecutionModeConnection and when the agent is used.
ShellCommand []string `json:"shellCommand,omitempty" yaml:"shellCommand" comment:"Run this command as a default shell." default:"[\"/bin/bash\"]"`
// AgentPath contains the path to the ContainerSSH Guest Agent.
AgentPath string `json:"agentPath,omitempty" yaml:"agentPath" default:"/usr/bin/containerssh-agent"`
// DisableAgent disables using the ContainerSSH Guest Agent.
DisableAgent bool `json:"disableAgent,omitempty" yaml:"disableAgent"`
// Subsystems contains a map of subsystem names and the executable to launch.
Subsystems map[string]string `` /* 143-byte string literal not displayed */
// Mode influences how commands are executed.
//
// - If KubernetesExecutionModeConnection is chosen (default) a new pod is launched per connection. In this mode
// sessions are executed using the "docker exec" functionality and the main container console runs a script that
// waits for a termination signal.
// - If KubernetesExecutionModeSession is chosen a new pod is launched per session, leading to potentially multiple
// pods per connection. In this mode the program is launched directly as the main process of the container.
// When configuring this mode you should explicitly configure the "cmd" option to an empty list if you want the
// default command in the container to launch.
Mode KubernetesExecutionMode `json:"mode,omitempty" yaml:"mode" default:"connection"`
// ExposeAuthMetadataAsEnv causes the specified metadata entries received from the authentication process to be
// exposed as environment variables. They are provided as a map, where the key is the authentication metadata entry
// name and the value is the environment variable. The default is to expose no authentication metadata.
ExposeAuthMetadataAsEnv map[string]string `json:"exposeAuthMetadataAsEnv" yaml:"exposeAuthMetadataAsEnv"`
// ExposeAuthMetadataAsLabels causes the specified metadata entries received from the authentication process to be
// exposed in the pod labels. They are provided as a map, where the key is the authentication metadata entry name
// and the value is the label name. The label name must conform to Kubernetes label name requirements or the pod
// will not start. The default is to expose no labels.
ExposeAuthMetadataAsLabels map[string]string `json:"exposeAuthMetadataAsLabels" yaml:"exposeAuthMetadataAsLabels"`
// ExposeAuthMetadataAsAnnotations causes the specified metadata entries received from the authentication process to
// be exposed in the pod annotations. They are provided as a map, where the key is the authentication metadata entry
// name and the value is the annotation name. The annotation name must conform to Kubernetes annotation name
// requirements or the pod will not start. The default is to expose no annotations.
ExposeAuthMetadataAsAnnotations map[string]string `json:"exposeAuthMetadataAsAnnotations" yaml:"exposeAuthMetadataAsAnnotations"`
}
KubernetesPodConfig describes the pod to launch.
func (KubernetesPodConfig) MarshalYAML ¶
func (c KubernetesPodConfig) MarshalYAML() (interface{}, error)
MarshalYAML uses the Kubernetes YAML library to encode the KubernetesPodConfig instead of the default configuration.
func (*KubernetesPodConfig) UnmarshalYAML ¶
func (c *KubernetesPodConfig) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML uses the Kubernetes YAML library to encode the KubernetesPodConfig instead of the default configuration.
func (KubernetesPodConfig) Validate ¶
func (c KubernetesPodConfig) Validate() error
Validate validates the pod configuration.
type KubernetesTimeoutConfig ¶
type KubernetesTimeoutConfig struct {
// PodStart is the timeout for creating and starting the pod.
PodStart time.Duration `json:"podStart,omitempty" yaml:"podStart" default:"60s"`
// PodStop is the timeout for stopping and removing the pod.
PodStop time.Duration `json:"podStop,omitempty" yaml:"podStop" default:"60s"`
// CommandStart sets the maximum time starting a command may take.
CommandStart time.Duration `json:"commandStart,omitempty" yaml:"commandStart" default:"60s"`
// Signal sets the maximum time sending a signal may take.
Signal time.Duration `json:"signal,omitempty" yaml:"signal" default:"60s"`
// Signal sets the maximum time setting the window size may take.
Window time.Duration `json:"window,omitempty" yaml:"window" default:"60s"`
// HTTP configures the timeout for HTTP calls
HTTP time.Duration `json:"http,omitempty" yaml:"http" default:"15s"`
}
KubernetesTimeoutConfig configures the various timeouts for the Kubernetes backend.
func (KubernetesTimeoutConfig) Validate ¶
func (c KubernetesTimeoutConfig) Validate() error
Validate validates the timeout configuration.
type LogConfig ¶
type LogConfig struct {
// Level describes the minimum level to log at
Level LogLevel `json:"level" yaml:"level" default:"5"`
// Format describes the log message format
Format LogFormat `json:"format" yaml:"format" default:"ljson"`
// Destination is the target to write the log messages to.
Destination LogDestination `json:"destination" yaml:"destination" default:"stdout"`
// File is the log file to write to if Destination is set to "file".
File string `json:"file" yaml:"file" default:"/var/log/containerssh/containerssh.log"`
// Syslog configures the syslog destination.
Syslog SyslogConfig `json:"syslog" yaml:"syslog"`
// T is the Go test for logging purposes.
T *testing.T `json:"-" yaml:"-"`
// Stdout is the standard output used by the LogDestinationStdout destination.
Stdout io.Writer `json:"-" yaml:"-"`
}
LogConfig describes the logging settings.
type LogDestination ¶
type LogDestination string
LogDestination is the output to write to.
const ( // LogDestinationStdout is writing log messages to the standard output. LogDestinationStdout LogDestination = "stdout" // LogDestinationFile is writing the log messages to a file. LogDestinationFile LogDestination = "file" // LogDestinationSyslog is writing log messages to syslog. LogDestinationSyslog LogDestination = "syslog" // LogDestinationTest writes the logs to the *testing.T facility. LogDestinationTest LogDestination = "test" )
func (LogDestination) Validate ¶
func (o LogDestination) Validate() error
Validate validates the output target.
type LogFacility ¶
type LogFacility int
LogFacility describes the syslog facility log messages are sent to.
const ( // LogFacilityKern are kernel messages. LogFacilityKern LogFacility = 0 // LogFacilityUser are user level messages. LogFacilityUser LogFacility = 1 // LogFacilityMail are user mail log messages. LogFacilityMail LogFacility = 2 // LogFacilityDaemon are daemon messages. LogFacilityDaemon LogFacility = 3 // LogFacilityAuth are authentication messages. LogFacilityAuth LogFacility = 4 // LogFacilitySyslog are syslog-specific messages. LogFacilitySyslog LogFacility = 5 // LogFacilityLPR are printer messages. LogFacilityLPR LogFacility = 6 // LogFacilityNews are news messages. LogFacilityNews LogFacility = 7 // LogFacilityUUCP are UUCP subsystem messages. LogFacilityUUCP LogFacility = 8 // LogFacilityCron are clock daemon messages. LogFacilityCron LogFacility = 9 // LogFacilityAuthPriv are security/authorization messages. LogFacilityAuthPriv LogFacility = 10 // LogFacilityFTP are FTP daemon messages. LogFacilityFTP LogFacility = 11 // LogFacilityNTP are network time daemon messages. LogFacilityNTP LogFacility = 12 // LogFacilityLogAudit are log audit messages. LogFacilityLogAudit LogFacility = 13 // LogFacilityLogAlert are log alert messages. LogFacilityLogAlert LogFacility = 14 // LogFacilityClock are clock daemon messages. LogFacilityClock LogFacility = 15 // LogFacilityLocal0 are locally administered messages. LogFacilityLocal0 LogFacility = 16 // LogFacilityLocal1 are locally administered messages. LogFacilityLocal1 LogFacility = 17 // LogFacilityLocal2 are locally administered messages. LogFacilityLocal2 LogFacility = 18 // LogFacilityLocal3 are locally administered messages. LogFacilityLocal3 LogFacility = 19 // LogFacilityLocal4 are locally administered messages. LogFacilityLocal4 LogFacility = 20 // LogFacilityLocal5 are locally administered messages. LogFacilityLocal5 LogFacility = 21 // LogFacilityLocal6 are locally administered messages. LogFacilityLocal6 LogFacility = 22 // LogFacilityLocal7 are locally administered messages. LogFacilityLocal7 LogFacility = 23 )
func (LogFacility) MustName ¶
func (f LogFacility) MustName() LogFacilityString
MustName is identical to Name but panics if the facility is invalid.
func (LogFacility) Name ¶
func (f LogFacility) Name() (LogFacilityString, error)
Name returns the facility name.
func (LogFacility) Validate ¶
func (f LogFacility) Validate() error
Validate checks if the facility is valid.
type LogFacilityString ¶
type LogFacilityString string
LogFacilityString are facility names.
const ( // LogFacilityStringKern are kernel messages. LogFacilityStringKern LogFacilityString = "kern" // LogFacilityStringUser are user level messages. LogFacilityStringUser LogFacilityString = "user" // LogFacilityStringMail are user mail log messages. LogFacilityStringMail LogFacilityString = "mail" // LogFacilityStringDaemon are daemon messages. LogFacilityStringDaemon LogFacilityString = "daemon" // LogFacilityStringAuth are authentication messages. LogFacilityStringAuth LogFacilityString = "auth" // LogFacilityStringSyslog are syslog-specific messages. LogFacilityStringSyslog LogFacilityString = "syslog" // LogFacilityStringLPR are printer messages. LogFacilityStringLPR LogFacilityString = "lpr" // LogFacilityStringNews are news messages. LogFacilityStringNews LogFacilityString = "news" // LogFacilityStringUUCP are UUCP subsystem messages. LogFacilityStringUUCP LogFacilityString = "uucp" // LogFacilityStringCron are clock daemon messages. LogFacilityStringCron LogFacilityString = "cron" // LogFacilityStringAuthPriv are security/authorization messages. LogFacilityStringAuthPriv LogFacilityString = "authpriv" // LogFacilityStringFTP are FTP daemon messages. LogFacilityStringFTP LogFacilityString = "ftp" // LogFacilityStringNTP are network time daemon messages. LogFacilityStringNTP LogFacilityString = "ntp" // LogFacilityStringLogAudit are log audit messages. LogFacilityStringLogAudit LogFacilityString = "logaudit" // LogFacilityStringLogAlert are log alert messages. LogFacilityStringLogAlert LogFacilityString = "logalert" // LogFacilityStringClock are clock daemon messages. LogFacilityStringClock LogFacilityString = "clock" // LogFacilityStringLocal0 are locally administered messages. LogFacilityStringLocal0 LogFacilityString = "local0" // LogFacilityStringLocal1 are locally administered messages. LogFacilityStringLocal1 LogFacilityString = "local1" // LogFacilityStringLocal2 are locally administered messages. LogFacilityStringLocal2 LogFacilityString = "local2" // LogFacilityStringLocal3 are locally administered messages. LogFacilityStringLocal3 LogFacilityString = "local3" // LogFacilityStringLocal4 are locally administered messages. LogFacilityStringLocal4 LogFacilityString = "local4" // LogFacilityStringLocal5 are locally administered messages. LogFacilityStringLocal5 LogFacilityString = "local5" // LogFacilityStringLocal6 are locally administered messages. LogFacilityStringLocal6 LogFacilityString = "local6" // LogFacilityStringLocal7 are locally administered messages. LogFacilityStringLocal7 LogFacilityString = "local7" )
func (LogFacilityString) MustNumber ¶
func (s LogFacilityString) MustNumber() LogFacility
MustNumber is identical to Number but panics instead of returning errors
func (LogFacilityString) Number ¶
func (s LogFacilityString) Number() (LogFacility, error)
Number returns the facility number.
func (LogFacilityString) Validate ¶
func (s LogFacilityString) Validate() error
Validate validates the facility string.
type LogLevel ¶
type LogLevel int8
LogLevel syslog-style log level identifiers
const ( LogLevelDebug LogLevel = 7 LogLevelInfo LogLevel = 6 LogLevelNotice LogLevel = 5 LogLevelWarning LogLevel = 4 LogLevelError LogLevel = 3 LogLevelCritical LogLevel = 2 LogLevelAlert LogLevel = 1 LogLevelEmergency LogLevel = 0 )
Supported values for LogLevel
func (LogLevel) MarshalJSON ¶
MarshalJSON marshals a level number to a JSON string
func (LogLevel) MarshalYAML ¶
MarshalYAML creates a YAML text representation from a numeric level
func (LogLevel) MustName ¶
func (level LogLevel) MustName() LogLevelString
MustName Convert the int level to the string representation and panics if the name is not valid.
func (*LogLevel) Name ¶
func (level *LogLevel) Name() (LogLevelString, error)
Name Convert the int level to the string representation
func (LogLevel) String ¶
String Convert the int level to the string representation. Panics if the level is not valid.
func (*LogLevel) UnmarshalJSON ¶
UnmarshalJSON decodes a JSON level string to a level type.
func (*LogLevel) UnmarshalYAML ¶
UnmarshalYAML decodes a YAML level string to a level type.
type LogLevelString ¶
type LogLevelString string
LogLevelString is a type for supported log level strings
const ( LevelDebugString LogLevelString = "debug" LevelInfoString LogLevelString = "info" LevelNoticeString LogLevelString = "notice" LevelWarningString LogLevelString = "warning" LevelErrorString LogLevelString = "error" LevelCriticalString LogLevelString = "crit" LevelAlertString LogLevelString = "alert" LevelEmergencyString LogLevelString = "emerg" )
List of valid string values for log levels
func (LogLevelString) ToLevel ¶
func (level LogLevelString) ToLevel() (LogLevel, error)
ToLevel convert the string level to the int representation
type MetricsConfig ¶
type MetricsConfig struct {
HTTPServerConfiguration `json:",inline" yaml:",inline" default:"{\"listen\":\"0.0.0.0:9100\"}"`
Enable bool `yaml:"enable" json:"enable" comment:"Enable metrics server." default:"false"`
Path string `yaml:"path" json:"path" comment:"Path to run the Metrics endpoint on." default:"/metrics"`
}
func (MetricsConfig) Validate ¶
func (c MetricsConfig) Validate() error
Validate validates the configuration.
type OAuth2ProviderName ¶
type OAuth2ProviderName string
OAuth2ProviderName provides the various methods of oAuth2 authentication.
const ( // AuthOAuth2GitHubProvider authenticates against the GitHub API or a private GitHub Enterprise instance. AuthOAuth2GitHubProvider OAuth2ProviderName = "github" // AuthOAuth2OIDCProvider authenticates against a configured OIDC server. AuthOAuth2OIDCProvider OAuth2ProviderName = "oidc" // AuthOAuth2GenericProvider authenticates against a generic OAuth2 server. AuthOAuth2GenericProvider OAuth2ProviderName = "generic" )
func (OAuth2ProviderName) Validate ¶
func (o OAuth2ProviderName) Validate() error
type OAuth2RedirectConfig ¶
type OAuth2RedirectConfig struct {
HTTPServerConfiguration `json:",inline" yaml:",inline"`
// Webroot is a directory which contains all files that should be served as part of the return page
// the user lands on when completing the oAuth2 authentication process. The webroot must contain an
// index.html file, which will be served on the root URL. The files are read for each request and are not cached. If
// the webroot is left empty the default ContainerSSH return page is presented.
Webroot string `json:"webroot" yaml:"webroot"`
}
OAuth2RedirectConfig is the configuration for the HTTP server that serves the page presented to the user after they are authenticated.
func (OAuth2RedirectConfig) Validate ¶
func (o OAuth2RedirectConfig) Validate() error
Validate checks if the redirect server configuration is valid. Particularly, it checks the HTTP server parameters as well as if the webroot is valid and contains an index.html.
type PasswordAuthConfig ¶
type PasswordAuthConfig struct {
// Method is the authenticator to use for passwords.
Method PasswordAuthMethod `json:"method" yaml:"method" default:""`
// Webhook configures the webhook authenticator for password authentication.
Webhook AuthWebhookClientConfig `json:"webhook" yaml:"webhook"`
// Kerberos configures the Kerberos authenticator for password authentication.
Kerberos AuthKerberosClientConfig `json:"kerberos" yaml:"kerberos"`
}
PasswordAuthConfig configures how password authentications are performed.
func (PasswordAuthConfig) Validate ¶
func (c PasswordAuthConfig) Validate() error
Validate checks the password configuration structure for misconfiguration.
type PasswordAuthMethod ¶
type PasswordAuthMethod string
PasswordAuthMethod provides the methods usable for password authentication.
const PasswordAuthMethodDisabled PasswordAuthMethod = PasswordAuthMethod(AuthMethodDisabled)
PasswordAuthMethodDisabled disables password authentication.
const PasswordAuthMethodKerberos PasswordAuthMethod = PasswordAuthMethod(AuthMethodKerberos)
PasswordAuthMethodKerberos authenticates passwords using Kerberos.
const PasswordAuthMethodWebhook PasswordAuthMethod = PasswordAuthMethod(AuthMethodWebhook)
PasswordAuthMethodWebhook authenticates using an HTTP webhook.
func (PasswordAuthMethod) Validate ¶
func (m PasswordAuthMethod) Validate() error
Validate checks if the provided method is valid or not.
type PublicKeyAuthConfig ¶
type PublicKeyAuthConfig struct {
// Method is the authenticator to use for public keys.
Method PublicKeyAuthMethod `json:"method" yaml:"method" default:""`
// Webhook configures the webhook authenticator for public key authentication.
Webhook AuthWebhookClientConfig `json:"webhook" yaml:"webhook"`
}
PublicKeyAuthConfig holds the configuration for public key authentication.
func (PublicKeyAuthConfig) Validate ¶
func (c PublicKeyAuthConfig) Validate() error
type PublicKeyAuthMethod ¶
type PublicKeyAuthMethod string
PublicKeyAuthMethod provides the methods usable for public key authentication.
const PubKeyAuthMethodDisabled PublicKeyAuthMethod = PublicKeyAuthMethod(AuthMethodDisabled)
PubKeyAuthMethodDisabled disables public key authentication.
const PubKeyAuthMethodWebhook PublicKeyAuthMethod = PublicKeyAuthMethod(AuthMethodWebhook)
PubKeyAuthMethodWebhook authenticates using an HTTP webhook.
func (PublicKeyAuthMethod) Validate ¶
func (m PublicKeyAuthMethod) Validate() error
Validate checks if the provided method is valid or not.
type Request ¶
type Request struct {
// Metadata is the metadata received from the authentication server.
metadata.ConnectionAuthenticatedMetadata `json:",inline"`
}
Request is the request object passed from the client to the config server.
swagger:model ConfigRequest
type RequestEncoding ¶
type RequestEncoding string
RequestEncoding is the method by which the response is encoded.
func (RequestEncoding) Validate ¶
func (r RequestEncoding) Validate() error
Validate validates the RequestEncoding
type Response ¶
type Response struct {
// Body is the configuration response body.
//
// in: body
// required: true
Body ResponseBody
}
Response is the entire response from the config server
swagger:response ConfigResponse
type ResponseBody ¶
type ResponseBody struct {
// Metadata is the metadata received from the authentication server.
metadata.ConnectionAuthenticatedMetadata `json:",inline"`
// Config is the configuration structure to be passed back from the config server.
//
// required: true
Config AppConfig `json:"config"`
}
ResponseBody is the structure representing the JSON HTTP response.
swagger:model ConfigResponseBody
type SSHCipher ¶
type SSHCipher string
SSHCipher is the SSH cipher
const ( SSHCipherChaCha20Poly1305 SSHCipher = "chacha20-poly1305@openssh.com" SSHCipherAES256GCM SSHCipher = "aes256-gcm@openssh.com" SSHCipherAES128GCM SSHCipher = "aes128-gcm@openssh.com" SSHCipherAES256CTE SSHCipher = "aes256-ctr" SSHCipherAES192CTR SSHCipher = "aes192-ctr" SSHCipherAES128CTR SSHCipher = "aes128-ctr" SSHCipherAES128CBC SSHCipher = "aes128-cbc" SSHCipherArcFour256 SSHCipher = "arcfour256" SSHCipherArcFour128 SSHCipher = "arcfour128" SSHCipherArcFour SSHCipher = "arcfour" SSHCipherTripleDESCBCID SSHCipher = "tripledescbcID" )
SSHCipher is the SSH cipher
type SSHCipherList ¶
type SSHCipherList []SSHCipher
SSHCipherList is a list of supported ciphers
func (SSHCipherList) StringList ¶
func (c SSHCipherList) StringList() []string
StringList returns a list of cipher names.
func (SSHCipherList) Validate ¶
func (c SSHCipherList) Validate() error
Validate validates the list of ciphers to contain only supported items.
type SSHConfig ¶
type SSHConfig struct {
// Listen is the listen address for the SSH server
Listen string `json:"listen" yaml:"listen" default:"0.0.0.0:2222"`
// ServerVersion is the version sent to the client.
// Must be in the format of "SSH-protoversion-softwareversion SPACE comments".
// See https://tools.ietf.org/html/rfc4253#page-4 section 4.2. Protocol Version Exchange
// The trailing CR and LF characters should NOT be added to this string.
ServerVersion SSHServerVersion `json:"serverVersion" yaml:"serverVersion" default:"SSH-2.0-ContainerSSH"`
// Ciphers are the ciphers offered to the client.
Ciphers SSHCipherList `` /* 208-byte string literal not displayed */
// KexAlgorithms are the key exchange algorithms offered to the client.
KexAlgorithms SSHKexList `` /* 176-byte string literal not displayed */
// MACs are the SSHMAC algorithms offered to the client.
MACs SSHMACList `json:"macs" yaml:"macs" default:"[\"hmac-sha2-256-etm@openssh.com\",\"hmac-sha2-256\"]" comment:"SSHMAC algorithms to use"`
// Banner is the banner sent to the client on connecting.
Banner string `json:"banner" yaml:"banner" comment:"Host banner to show after the username" default:""`
// HostKeys are the host keys either in PEM format, or filenames to load.
HostKeys []string `json:"hostkeys" yaml:"hostkeys" comment:"Host keys in PEM format or files to load PEM host keys from."`
// ClientAliveInterval is the duration between keep alive messages that
// ContainerSSH will send to each client. If the duration is 0 or unset
// it disables the feature.
ClientAliveInterval time.Duration `json:"clientAliveInterval" yaml:"clientAliveInterval" comment:"Inverval to send keepalive packets to the client"`
// ClientAliveCountMax is the number of keepalive messages that is
// allowed to be sent without a response being received. If this number
// is exceeded the connection is considered dead
ClientAliveCountMax int `json:"clientAliveCountMax" yaml:"clientAliveCountMax" default:"3" comment:"Maximum number of failed keepalives"`
}
SSHConfig is the base configuration structure of the SSH server.
func (*SSHConfig) GenerateHostKey ¶
GenerateHostKey generates a random host key and adds it to SSHConfig
type SSHKex ¶
type SSHKex string
SSHKex are the SSH key exchange algorithms
const ( SSHKexCurve25519SHA256 SSHKex = "curve25519-sha256@libssh.org" SSHKexECDHSHA2NISTp521 SSHKex = "ecdh-sha2-nistp521" SSHKexECDHSHA2Nistp384 SSHKex = "ecdh-sha2-nistp384" SSHKexECDHSHA2Nistp256 SSHKex = "ecdh-sha2-nistp256" SSHKexDHGroup14SHA1 SSHKex = "diffie-hellman-group14-sha1" SSHKexDHGroup1SHA1 SSHKex = "diffie-hellman-group1-sha1" )
SSHKex are the SSH key exchange algorithms
type SSHKexList ¶
type SSHKexList []SSHKex
SSHKexList is a list of key exchange algorithms.
func (SSHKexList) StringList ¶
func (k SSHKexList) StringList() []string
StringList returns a list of key exchange algorithms as a list.
func (SSHKexList) Validate ¶
func (k SSHKexList) Validate() error
Validate validates the key exchange list
type SSHKeyAlgo ¶
type SSHKeyAlgo string
SSHKeyAlgo are supported key algorithms.
const ( SSHKeyAlgoSSHRSACertv01 SSHKeyAlgo = "ssh-rsa-cert-v01@openssh.com" SSHKeyAlgoSSHDSSCertv01 SSHKeyAlgo = "ssh-dss-cert-v01@openssh.com" SSHKeyAlgoECDSASHA2NISTp256Certv01 SSHKeyAlgo = "ecdsa-sha2-nistp256-cert-v01@openssh.com" SSHKeyAlgoECDSASHA2NISTp384Certv01 SSHKeyAlgo = "ecdsa-sha2-nistp384-cert-v01@openssh.com" SSHKeyAlgoECDSASHA2NISTp521Certv01 SSHKeyAlgo = "ecdsa-sha2-nistp521-cert-v01@openssh.com" SSHKeyAlgoSSHED25519Certv01 SSHKeyAlgo = "ssh-ed25519-cert-v01@openssh.com" SSHKeyAlgoSSHRSA SSHKeyAlgo = "ssh-rsa" SSHKeyAlgoSSHDSS SSHKeyAlgo = "ssh-dss" SSHKeyAlgoSSHED25519 SSHKeyAlgo = "ssh-ed25519" )
SSHKeyAlgo are supported key algorithms.
func (SSHKeyAlgo) String ¶
func (h SSHKeyAlgo) String() string
String creates a string representation.
func (SSHKeyAlgo) Validate ¶
func (h SSHKeyAlgo) Validate() error
Validate checks if a given key algorithm is valid.
type SSHKeyAlgoList ¶
type SSHKeyAlgoList []SSHKeyAlgo
SSHKeyAlgoList is a list of key algorithms.
func MustSSHKeyAlgoListFromStringList ¶
func MustSSHKeyAlgoListFromStringList(hostKeyAlgorithms []string) SSHKeyAlgoList
MustSSHKeyAlgoListFromStringList is identical to SSHKeyAlgoListFromStringList but panics on error.
func SSHKeyAlgoListFromStringList ¶
func SSHKeyAlgoListFromStringList(hostKeyAlgorithms []string) (SSHKeyAlgoList, error)
SSHKeyAlgoListFromStringList converts a string list into a list of SSH key algorithms.
func (SSHKeyAlgoList) StringList ¶
func (h SSHKeyAlgoList) StringList() []string
StringList returns a list of cipher names.
func (SSHKeyAlgoList) Validate ¶
func (h SSHKeyAlgoList) Validate() error
Validate validates the list of ciphers to contain only supported items.
type SSHMAC ¶
type SSHMAC string
SSHMAC are the SSH mac algorithms.
type SSHMACList ¶
type SSHMACList []SSHMAC
SSHMACList is a list of SSHMAC algorithms
func (SSHMACList) StringList ¶
func (m SSHMACList) StringList() []string
StringList returns a list of SSHMAC names.
func (SSHMACList) Validate ¶
func (m SSHMACList) Validate() error
Validate checks if the SSHMACList is valid.
type SSHProxyAllowedHostKeyFingerprints ¶
type SSHProxyAllowedHostKeyFingerprints []string
SSHProxyAllowedHostKeyFingerprints is a list of fingerprints that ContainerSSH is allowed to connect to.
func (SSHProxyAllowedHostKeyFingerprints) Validate ¶
func (a SSHProxyAllowedHostKeyFingerprints) Validate() error
Validate validates the correct format of the host key fingerprints.
type SSHProxyClientVersion ¶
type SSHProxyClientVersion string
SSHProxyClientVersion is a string that is issued to the client when connecting.
func (SSHProxyClientVersion) String ¶
func (s SSHProxyClientVersion) String() string
String returns a string from the SSHProxyClientVersion.
func (SSHProxyClientVersion) Validate ¶
func (s SSHProxyClientVersion) Validate() error
Validate checks if the client version conforms to RFC 4253 section 4.2. See https://tools.ietf.org/html/rfc4253#page-4
type SSHProxyConfig ¶
type SSHProxyConfig struct {
// Server is the IP address or hostname of the backing server.
Server string `json:"server" yaml:"server"`
// Port is the TCP port to connect to.
Port uint16 `json:"port" yaml:"port" default:"22"`
// UsernamePassThrough means that the username should be taken from the connecting client.
UsernamePassThrough bool `json:"usernamePassThrough" yaml:"usernamePassThrough"`
// Username is the username to pass to the backing SSH server for authentication.
Username string `json:"username" yaml:"username"`
// Password is the password to offer to the backing SSH server for authentication.
Password string `json:"password" yaml:"password"`
// PrivateKey is the private key to use for authenticating with the backing server.
PrivateKey string `json:"privateKey" yaml:"privateKey"`
// AllowedHostKeyFingerprints lists which fingerprints we accept
AllowedHostKeyFingerprints SSHProxyAllowedHostKeyFingerprints `json:"allowedHostKeyFingerprints" yaml:"allowedHostKeyFingerprints"`
// Ciphers are the ciphers supported for the backend connection.
Ciphers SSHCipherList `` /* 205-byte string literal not displayed */
// KexAlgorithms are the key exchange algorithms for the backend connection.
KexAlgorithms SSHKexList `` /* 176-byte string literal not displayed */
// MACs are the MAC algorithms for the backend connection.
MACs SSHMACList `json:"macs" yaml:"macs" default:"[\"hmac-sha2-256-etm@openssh.com\",\"hmac-sha2-256\"]" comment:"MAC algorithms to use"`
// HostKeyAlgorithms is a list of algorithms for host keys. The server can offer multiple host keys and this list
// are the ones we want to accept. The fingerprints for the accepted algorithms should be added to
// AllowedHostKeyFingerprints.
HostKeyAlgorithms SSHKeyAlgoList `` /* 329-byte string literal not displayed */
// Timeout is the time ContainerSSH is willing to wait for the backing connection to be established.
Timeout time.Duration `json:"timeout" yaml:"timeout" default:"60s"`
// ClientVersion is the version sent to the server.
// Must be in the format of "SSH-protoversion-softwareversion SPACE comments".
// See https://tools.ietf.org/html/rfc4253#page-4 section 4.2. Protocol Version Exchange
// The trailing CR and LF characters should NOT be added to this string.
ClientVersion SSHProxyClientVersion `json:"clientVersion" yaml:"clientVersion" default:"SSH-2.0-ContainerSSH"`
}
SSHProxyConfig is the configuration for the SSH proxy module.
func (SSHProxyConfig) LoadPrivateKey ¶
func (c SSHProxyConfig) LoadPrivateKey() (ssh.Signer, error)
func (SSHProxyConfig) Validate ¶
func (c SSHProxyConfig) Validate() error
Validate checks the configuration for the backing SSH server.
type SSHServerVersion ¶
type SSHServerVersion string
SSHServerVersion is a string that is issued to the client when connecting.
func (SSHServerVersion) String ¶
func (s SSHServerVersion) String() string
String returns a string from the SSHServerVersion.
func (SSHServerVersion) Validate ¶
func (s SSHServerVersion) Validate() error
Validate checks if the server version conforms to RFC 4253 section 4.2. See https://tools.ietf.org/html/rfc4253#page-4
type SecurityConfig ¶
type SecurityConfig struct {
// DefaultMode sets the default execution policy for all other commands. It is recommended to set this to "disable"
// if for restricted setups to avoid accidentally allowing new features coming in with version upgrades.
DefaultMode SecurityExecutionPolicy `json:"defaultMode" yaml:"defaultMode"`
// ForceCommand behaves similar to the OpenSSH ForceCommand option. When set this command overrides any command
// requested by the client and executes this command instead. The original command supplied by the client will be
// set in the `SSH_ORIGINAL_COMMAND` environment variable.
//
// Setting ForceCommand changes subsystem requests into exec requests for the backends.
ForceCommand string `json:"forceCommand" yaml:"forceCommand"`
// Env controls whether to allow or block setting environment variables.
Env SecurityEnvConfig `json:"env" yaml:"env"`
// Command controls whether to allow or block command ("exec") requests via SSh.
Command CommandConfig `json:"command" yaml:"command"`
// Shell controls whether to allow or block shell requests via SSh.
Shell SecurityShellConfig `json:"shell" yaml:"shell"`
// Subsystem controls whether to allow or block subsystem requests via SSH.
Subsystem SubsystemConfig `json:"subsystem" yaml:"subsystem"`
// Forwarding controls whether to allow or block connection, port or socket forwarding
Forwarding ForwardingConfig `json:"forwarding" yaml:"forwarding"`
// TTY controls how to treat TTY/PTY requests by clients.
TTY SecurityTTYConfig `json:"tty" yaml:"tty"`
// Signal configures how to handle signal requests to running programs.
Signal SecuritySignalConfig `json:"signal" yaml:"signal"`
// MaxSessions drives how many session channels can be open at the same time for a single network connection.
// -1 means unlimited. It is strongly recommended to configure this to a sane value, e.g. 10.
MaxSessions int `json:"maxSessions" yaml:"maxSessions" default:"-1"`
}
SecurityConfig is the configuration structure for security settings.
func (SecurityConfig) Validate ¶
func (c SecurityConfig) Validate() error
Validate validates a shell configuration
type SecurityEnvConfig ¶
type SecurityEnvConfig struct {
// Mode configures how to treat environment variable requests by SSH clients.
Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
// Allow takes effect when Mode is ExecutionPolicyFilter and only allows the specified environment variables to be
// set.
Allow []string `json:"allow" yaml:"allow"`
// Allow takes effect when Mode is not ExecutionPolicyDisable and disallows the specified environment variables to
// be set.
Deny []string `json:"deny" yaml:"deny"`
}
SecurityEnvConfig configures setting environment variables.
func (SecurityEnvConfig) Validate ¶
func (e SecurityEnvConfig) Validate() error
Validate validates a shell configuration
type SecurityExecutionPolicy ¶
type SecurityExecutionPolicy string
SecurityExecutionPolicy drives how to treat a certain request.
const ( // ExecutionPolicyUnconfigured falls back to the default mode. If unconfigured on a global level the default is to // "allow". ExecutionPolicyUnconfigured SecurityExecutionPolicy = "" // ExecutionPolicyEnable allows the execution of the specified method unless the specified option matches the // "deny" list. ExecutionPolicyEnable SecurityExecutionPolicy = "enable" // ExecutionPolicyFilter filters the execution against a specified allow list. If the allow list is empty or not // supported this option behaves like "disable". ExecutionPolicyFilter SecurityExecutionPolicy = "filter" // ExecutionPolicyDisable disables the specified method and does not take the allow or deny lists into account. ExecutionPolicyDisable SecurityExecutionPolicy = "disable" )
func (SecurityExecutionPolicy) Validate ¶
func (e SecurityExecutionPolicy) Validate() error
Validate validates the execution policy.
type SecurityShellConfig ¶
type SecurityShellConfig struct {
// Mode configures how to treat shell requests by SSH clients.
Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
}
SecurityShellConfig controls shell executions via SSH.
func (SecurityShellConfig) Validate ¶
func (s SecurityShellConfig) Validate() error
Validate validates a shell configuration
type SecuritySignalConfig ¶
type SecuritySignalConfig struct {
// Mode configures how to treat signal requests to running programs
Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
// Allow takes effect when Mode is ExecutionPolicyFilter and only allows the specified signals to be forwarded.
Allow []string `json:"allow" yaml:"allow"`
// Allow takes effect when Mode is not ExecutionPolicyDisable and disallows the specified signals to be forwarded.
Deny []string `json:"deny" allow:"deny"`
}
SecuritySignalConfig configures how signal forwarding requests are treated.
func (SecuritySignalConfig) Validate ¶
func (s SecuritySignalConfig) Validate() error
Validate validates the signal configuration
type SecurityTTYConfig ¶
type SecurityTTYConfig struct {
// Mode configures how to treat TTY/PTY requests by SSH clients.
Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
}
SecurityTTYConfig controls how to treat TTY/PTY requests by clients.
func (SecurityTTYConfig) Validate ¶
func (t SecurityTTYConfig) Validate() error
Validate validates the TTY configuration
type SubsystemConfig ¶
type SubsystemConfig struct {
// Mode configures how to treat subsystem requests by SSH clients.
Mode SecurityExecutionPolicy `json:"mode" yaml:"mode" default:""`
// Allow takes effect when Mode is ExecutionPolicyFilter and only allows the specified subsystems to be
// executed.
Allow []string `json:"allow" yaml:"allow"`
// Allow takes effect when Mode is not ExecutionPolicyDisable and disallows the specified subsystems to be executed.
Deny []string `json:"deny" yaml:"deny"`
}
SubsystemConfig controls shell executions via SSH.
func (SubsystemConfig) Validate ¶
func (s SubsystemConfig) Validate() error
Validate validates a subsystem configuration
type SyslogConfig ¶
type SyslogConfig struct {
// Destination is the socket to send logs to. Can be a local path to unix sockets as well as UDP destinations.
Destination string `json:"destination" yaml:"destination" default:"/dev/log"`
// Facility logs to the specified syslog facility.
Facility LogFacilityString `json:"facility" yaml:"facility" default:"auth"`
// Tag is the syslog tag to log with.
Tag string `json:"tag" yaml:"tag" default:"ContainerSSH"`
// Pid is a setting to append the current process ID to the tag.
Pid bool `json:"pid" yaml:"pid" default:"false"`
// Connection is the connection to the Syslog server. This is only present after Validate has been called.
Connection net.Conn `json:"-" yaml:"-"`
}
SyslogConfig is the configuration for syslog logging.
func (*SyslogConfig) Validate ¶
func (c *SyslogConfig) Validate() error
Validate validates the syslog configuration
type TLSVersion ¶
type TLSVersion string
TLSVersion is the version of the TLS protocol to use.
const ( TLSVersion12 TLSVersion = "1.2" TLSVersion13 TLSVersion = "1.3" )
func (TLSVersion) GetTLSVersion ¶
func (t TLSVersion) GetTLSVersion() uint16
GetTLSVersion returns the go-representation of the TLS version.
func (TLSVersion) Validate ¶
func (t TLSVersion) Validate() error
Validate validates the TLS version
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.