Documentation
Overview
Package sshutil implements utilities to build SSH certificates based on JSON templates.
Index
- Constants
- func CreateCertificate(cert *ssh.Certificate, signer ssh.Signer) (*ssh.Certificate, error)
- func CryptoPublicKey(pub interface{}) (crypto.PublicKey, error)
- func DefaultExtensions(ct CertType) map[string]interface{}
- func EncodedFingerprint(pub ssh.PublicKey, encoding FingerprintEncoding) string
- func Fingerprint(pub ssh.PublicKey) string
- func FormatCertificateFingerprint(in []byte, encoding FingerprintEncoding) (string, error)
- func FormatFingerprint(in []byte, encoding FingerprintEncoding) (string, error)
- func GetFuncMap() template.FuncMap
- func ValidateTemplate(text []byte) error
- func ValidateTemplateData(data []byte) error
- type CertType
- type Certificate
- type CertificateRequest
- type FingerprintEncoding
- type Option
- type Options
- type TemplateData
- func (t TemplateData) AddCriticalOption(key, value string)
- func (t TemplateData) AddExtension(key, value string)
- func (t TemplateData) Set(key string, v interface{})
- func (t TemplateData) SetAuthorizationCertificate(crt interface{})
- func (t TemplateData) SetAuthorizationCertificateChain(chain interface{})
- func (t TemplateData) SetCertificateRequest(cr CertificateRequest)
- func (t TemplateData) SetCriticalOptions(o map[string]interface{})
- func (t TemplateData) SetExtensions(e map[string]interface{})
- func (t TemplateData) SetInsecure(key string, v interface{})
- func (t TemplateData) SetKeyID(id string)
- func (t TemplateData) SetPrincipals(p []string)
- func (t TemplateData) SetToken(v interface{})
- func (t TemplateData) SetType(typ CertType)
- func (t TemplateData) SetUserData(v interface{})
- func (t TemplateData) SetWebhook(webhookName string, data interface{})
- type TemplateError
Constants
const (
	// DefaultFingerprint represents base64RawStd encoding of the fingerprint.
	DefaultFingerprint = FingerprintEncoding(0)
	// HexFingerprint represents the hex encoding of the fingerprint.
	HexFingerprint = fingerprint.HexFingerprint
	// Base64Fingerprint represents the base64 encoding of the fingerprint.
	Base64Fingerprint = fingerprint.Base64Fingerprint
	// Base64URLFingerprint represents the base64URL encoding of the fingerprint.
	Base64URLFingerprint = fingerprint.Base64URLFingerprint
	// Base64RawFingerprint represents the base64RawStd encoding of the fingerprint.
	Base64RawFingerprint = fingerprint.Base64RawFingerprint
	// Base64RawURLFingerprint represents the base64RawURL encoding of the fingerprint.
	Base64RawURLFingerprint = fingerprint.Base64RawURLFingerprint
	// EmojiFingerprint represents the emoji encoding of the fingerprint.
	EmojiFingerprint = fingerprint.EmojiFingerprint
)
Supported fingerprint encodings.
const (
	TypeKey               = "Type"
	KeyIDKey              = "KeyID"
	PrincipalsKey         = "Principals"
	ExtensionsKey         = "Extensions"
	CriticalOptionsKey    = "CriticalOptions"
	TokenKey              = "Token"
	InsecureKey           = "Insecure"
	UserKey               = "User"
	CertificateRequestKey = "CR"
	AuthorizationCrtKey   = "AuthorizationCrt"
	AuthorizationChainKey = "AuthorizationChain"
	WebhooksKey           = "Webhooks"
)
Keys (map entries) used to hold template data.
const CertificateRequestTemplate = `` /* 374-byte string literal not displayed */
CertificateRequestTemplate is the template used for provisioners that accept any certificate request. The provisioner must validate that type, keyId and principals are passed in the request.
const DefaultAdminTemplate = `` /* 281-byte string literal not displayed */
DefaultAdminTemplate is the template used by an admin user in an OIDC provisioner.
const DefaultIIDTemplate = `` /* 254-byte string literal not displayed */
DefaultIIDTemplate is the default template for IID provisioners. By default the certificate type is always set to host and the key id to the instance id. Principals are only enforced by the provisioner if disableCustomSANs is set to true.
const DefaultTemplate = `` /* 195-byte string literal not displayed */
DefaultTemplate is the default template for an SSH certificate.
Variables
This section is empty.
Functions
func CreateCertificate
func CreateCertificate(cert *ssh.Certificate, signer ssh.Signer) (*ssh.Certificate, error)
CreateCertificate signs the given certificate with the given signer. If the certificate does not have a nonce or a serial, it will create random ones.
If the signer is an RSA key, it will use rsa-sha2-256 instead of the default ssh-rsa (SHA-1); ssh-rsa is deprecated, and rsa-sha2-256/512 have been supported since OpenSSH 7.2 (2016).
func CryptoPublicKey (added in v0.17.0)
CryptoPublicKey returns the crypto.PublicKey version of an ssh.PublicKey or *agent.Key.
func DefaultExtensions
DefaultExtensions returns the default extensions set in an SSH certificate.
func EncodedFingerprint (added in v0.20.0)
func EncodedFingerprint(pub ssh.PublicKey, encoding FingerprintEncoding) string
EncodedFingerprint returns the SHA-256 hash of an ssh public key or certificate using the specified encoding. If an invalid encoding is passed, the return value will be an empty string.
func Fingerprint (added in v0.20.0)
Fingerprint returns the SHA-256 fingerprint of an ssh public key or certificate.
func FormatCertificateFingerprint (added in v0.29.2)
func FormatCertificateFingerprint(in []byte, encoding FingerprintEncoding) (string, error)
FormatCertificateFingerprint parses an SSH certificate as used by OpenSSH and returns a public key fingerprint in the following format:
<size> SHA256:<base64-raw-fingerprint> <comment> (<type>)
If the input is not an SSH certificate, an error will be returned.
func FormatFingerprint (added in v0.20.0)
func FormatFingerprint(in []byte, encoding FingerprintEncoding) (string, error)
FormatFingerprint parses a public key from an authorized_keys file used in OpenSSH and returns a public key fingerprint in the following format:
<size> SHA256:<base64-raw-fingerprint> <comment> (<type>)
If the input is an SSH certificate, its public key will be extracted and taken as input for the fingerprint.
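The fingerprint format above, worked through in an added example that is not the sshutil package's own code: it encodes and parses the OpenSSH public-key wire blob (bounds-checked, since authorized_keys input is untrusted), hashes it with SHA-256 in the unpadded base64 that the page's default encoding uses, and renders one authorized_keys line as "<size> SHA256:<fp> <comment> (<type>)". It assumes ssh-ed25519 keys only and does not handle certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// wireString encodes an SSH "string": uint32 big-endian length, then the bytes.
func wireString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}
// readWireString pops one SSH string off b; the bounds check stops a bad length in an untrusted blob from panicking.
func readWireString(b []byte) (field, rest []byte, err error) {
	if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
		return nil, nil, errors.New("truncated SSH string field")
	}
	n := 4 + binary.BigEndian.Uint32(b)
	return b[4:n], b[n:], nil
}
// ed25519Blob builds the OpenSSH public-key blob: "ssh-ed25519" then the 32 key bytes.
func ed25519Blob(pub ed25519.PublicKey) []byte {
	return append(wireString([]byte("ssh-ed25519")), wireString(pub)...)
}
// fingerprint is SHA-256 of the blob in unpadded base64, the page's Base64Raw default.
func fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}
// formatFingerprint parses one authorized_keys line into "<size> SHA256:<fp> <comment> (<type>)".
func formatFingerprint(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) < 2 || f[0] != "ssh-ed25519" { // only ssh-ed25519 is handled in this example
		return "", errors.New("unsupported or malformed authorized_keys line")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil { return "", err }
	typ, rest, err := readWireString(blob)
	if err != nil { return "", err }
	key, _, err := readWireString(rest)
	if err != nil || string(typ) != f[0] || len(key) != ed25519.PublicKeySize {
		return "", errors.New("blob type or key length does not match the declared ssh-ed25519")
	}
	return fmt.Sprintf("%d %s %s (ED25519)", 8*len(key), fingerprint(blob), strings.Join(f[2:], " ")), nil
}
```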
func GetFuncMap (added in v0.34.0)
GetFuncMap returns the functions available to the templates. It returns all the functions supported by "sprig.TxtFuncMap()" except "env" and "expandenv", which are removed so that templates cannot leak the environment of the process.
func ValidateTemplate (added in v0.18.0)
ValidateTemplate validates a text template.
func ValidateTemplateData (added in v0.18.0)
ValidateTemplateData validates that template data is valid JSON.
Types
type CertType
type CertType uint32
CertType defines the certificate type; it can be a user or a host certificate.
func CertTypeFromString
CertTypeFromString returns the CertType for the strings "user" and "host".
func (CertType) MarshalJSON
MarshalJSON implements the json.Marshaler interface for CertType. UserCert will be marshaled as the string "user" and HostCert as "host".
func (CertType) String
String returns "user" for user certificates and "host" for host certificates. It will return the empty string for any other value.
func (*CertType) UnmarshalJSON
UnmarshalJSON implements the json.Unmarshaler interface for CertType.
type Certificate
type Certificate struct {
	Nonce           []byte            `json:"nonce"`
	Key             ssh.PublicKey     `json:"-"`
	Serial          uint64            `json:"serial"`
	Type            CertType          `json:"type"`
	KeyID           string            `json:"keyId"`
	Principals      []string          `json:"principals"`
	ValidAfter      time.Time         `json:"validAfter"`
	ValidBefore     time.Time         `json:"validBefore"`
	CriticalOptions map[string]string `json:"criticalOptions"`
	Extensions      map[string]string `json:"extensions"`
	Reserved        []byte            `json:"reserved"`
	SignatureKey    ssh.PublicKey     `json:"-"`
	Signature       *ssh.Signature    `json:"-"`
}
Certificate is the JSON representation of ssh.Certificate.
func NewCertificate
func NewCertificate(cr CertificateRequest, opts ...Option) (*Certificate, error)
NewCertificate creates a new certificate with the given key after parsing a template given in the options.
func (*Certificate) GetCertificate
func (c *Certificate) GetCertificate() *ssh.Certificate
GetCertificate returns the ssh.Certificate representation of the certificate.
type CertificateRequest
CertificateRequest simulates a certificate request for SSH. SSH does not have a concept of certificate requests, but the CA accepts the key and some other parameters in the request that become part of the certificate. This struct holds those parameters.
The CertificateRequest object is used in the templates to expose the parameters passed with the API request, as opposed to the validated ones.
type FingerprintEncoding (added in v0.20.0)
type FingerprintEncoding = fingerprint.Encoding
FingerprintEncoding defines the supported encodings for SSH key and certificate fingerprints.
type Option
type Option func(cr CertificateRequest, o *Options) error
Option is the type used as a variadic argument in NewCertificate.
func WithTemplate
func WithTemplate(text string, data TemplateData) Option
WithTemplate is an option that executes the given template text with the given data.
func WithTemplateBase64
func WithTemplateBase64(s string, data TemplateData) Option
WithTemplateBase64 is an option that executes the given base64-encoded template with the given data.
func WithTemplateFile
func WithTemplateFile(path string, data TemplateData) Option
WithTemplateFile is an option that reads the template file and executes it with the given data.
type TemplateData
type TemplateData map[string]interface{}
TemplateData is an alias for map[string]interface{}. It represents the data passed to the templates.
func CreateTemplateData
func CreateTemplateData(ct CertType, keyID string, principals []string) TemplateData
CreateTemplateData returns a TemplateData with the given certificate type, key id, principals, and the default extensions.
func NewTemplateData
func NewTemplateData() TemplateData
NewTemplateData creates a new map for template data.
func (TemplateData) AddCriticalOption
func (t TemplateData) AddCriticalOption(key, value string)
AddCriticalOption adds one critical option to the template data.
func (TemplateData) AddExtension
func (t TemplateData) AddExtension(key, value string)
AddExtension adds one extension to the template data.
func (TemplateData) Set
func (t TemplateData) Set(key string, v interface{})
Set sets a key-value pair in the template data.
func (TemplateData) SetAuthorizationCertificate (added in v0.14.0)
func (t TemplateData) SetAuthorizationCertificate(crt interface{})
SetAuthorizationCertificate sets the given certificate in the template. This certificate is generally present in a token header.
func (TemplateData) SetAuthorizationCertificateChain (added in v0.14.0)
func (t TemplateData) SetAuthorizationCertificateChain(chain interface{})
SetAuthorizationCertificateChain sets the given certificate chain in the template. These certificates are generally present in a token header.
func (TemplateData) SetCertificateRequest
func (t TemplateData) SetCertificateRequest(cr CertificateRequest)
SetCertificateRequest sets the simulated SSH certificate request in the insecure template data.
func (TemplateData) SetCriticalOptions
func (t TemplateData) SetCriticalOptions(o map[string]interface{})
SetCriticalOptions sets the certificate critical options in the template data.
func (TemplateData) SetExtensions
func (t TemplateData) SetExtensions(e map[string]interface{})
SetExtensions sets the certificate extensions in the template data.
func (TemplateData) SetInsecure
func (t TemplateData) SetInsecure(key string, v interface{})
SetInsecure sets a key-value pair in the insecure template data.
func (TemplateData) SetKeyID
func (t TemplateData) SetKeyID(id string)
SetKeyID sets the certificate key id in the template data.
func (TemplateData) SetPrincipals
func (t TemplateData) SetPrincipals(p []string)
SetPrincipals sets the certificate principals in the template data.
func (TemplateData) SetToken
func (t TemplateData) SetToken(v interface{})
SetToken sets the given token in the template data.
func (TemplateData) SetType
func (t TemplateData) SetType(typ CertType)
SetType sets the certificate type in the template data.
func (TemplateData) SetUserData
func (t TemplateData) SetUserData(v interface{})
SetUserData sets the given user provided object in the insecure template data.
func (TemplateData) SetWebhook (added in v0.20.0)
func (t TemplateData) SetWebhook(webhookName string, data interface{})
SetWebhook sets the given webhook response in the webhooks template data.
type TemplateError
type TemplateError struct {
	Message string
}
TemplateError represents an error in a template produced by the fail function.
func (*TemplateError) Error
func (e *TemplateError) Error() string
Error implements the error interface and returns the error string when a template executes the `fail "message"` function.
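The template pipeline this package describes (parse the template, execute it with the template data, check that the output is JSON, decode it into a certificate, and surface a `fail` call as a TemplateError), as an added stand-alone example that is not the sshutil package's own code. The templates, the sshCert struct and the toJson/fail implementations are constructed here; the real package gets toJson from sprig via GetFuncMap and its DefaultTemplate is not shown on this page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// TemplateError mirrors the page's type: it carries the message given to fail.
type TemplateError struct{ Message string }
func (e *TemplateError) Error() string { return e.Message }
// sshCert is a constructed subset of the page's Certificate JSON shape.
type sshCert struct {
	Type       string   `json:"type"`
	KeyID      string   `json:"keyId"`
	Principals []string `json:"principals"`
}
// userTemplate is constructed here, not the package's DefaultTemplate; toJson is what keeps the output valid JSON.
const userTemplate = `{
	"type": {{ toJson .Type }}, "keyId": {{ toJson .KeyID }},
	"principals": {{ toJson .Principals }}
}`
// guardedTemplate uses fail to refuse a certificate with no principals.
const guardedTemplate = `{{ if not .Principals }}{{ fail "at least one principal is required" }}{{ end }}` + userTemplate
// renderCert mirrors the page's pipeline: parse (ValidateTemplate), execute with the
// data, check the output is JSON (ValidateTemplateData), decode; fail -> *TemplateError.
func renderCert(text string, data map[string]interface{}) (*sshCert, error) {
	var failed *TemplateError
	funcs := template.FuncMap{
		"toJson": func(v interface{}) (string, error) { b, err := json.Marshal(v); return string(b), err },
		"fail":   func(msg string) (string, error) { failed = &TemplateError{Message: msg}; return "", failed },
	}
	tmpl, err := template.New("ssh").Funcs(funcs).Parse(text)
	if err != nil { return nil, err }
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		if failed != nil {
			return nil, failed // the template rejected the request on purpose
		}
		return nil, err
	}
	if !json.Valid(buf.Bytes()) {
		return nil, fmt.Errorf("template output is not valid JSON: %s", buf.String())
	}
	var c sshCert
	if err := json.Unmarshal(buf.Bytes(), &c); err != nil { return nil, err }
	return &c, nil
}
```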