authority

package
v0.0.0-...-03b241a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 25, 2020 License: Apache-2.0 Imports: 35 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// SSHAddUserPrincipal is the principal that will run the add user command.
	// Defaults to "provisioner" but it can be changed in the configuration.
	SSHAddUserPrincipal = "provisioner"

	// SSHAddUserCommand is the default command to run to add a new user.
	// Defaults to "sudo useradd -m <principal>; nc -q0 localhost 22" but it can be changed in the
	// configuration. The string "<principal>" will be replace by the new
	// principal to add.
	SSHAddUserCommand = "sudo useradd -m <principal>; nc -q0 localhost 22"
)

Variables

View Source 
var (
	// DefaultTLSOptions represents the default TLS version as well as the cipher
	// suites used in the TLS certificates.
	DefaultTLSOptions = tlsutil.TLSOptions{
		CipherSuites: x509util.CipherSuites{
			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		},
		MinVersion:    1.2,
		MaxVersion:    1.2,
		Renegotiation: false,
	}
)
View Source 
var GlobalVersion = Version{
	Version: "0.0.0",
}

GlobalVersion stores the version information of the server.

Functions

func IsValidForAddUser 

func IsValidForAddUser(cert *ssh.Certificate) error

IsValidForAddUser checks if a user provisioner certificate can be issued to the given certificate.

func NewContextWithSkipTokenReuse 

func NewContextWithSkipTokenReuse(ctx context.Context) context.Context

NewContextWithSkipTokenReuse creates a new context from ctx and attaches a value to skip the token reuse.

func SkipTokenReuseFromContext 

func SkipTokenReuseFromContext(ctx context.Context) bool

SkipTokenReuseFromContext returns if the token reuse needs to be ignored.

Types

type AuthConfig 

type AuthConfig struct {
	Provisioners         provisioner.List      `json:"provisioners"`
	Template             *x509util.ASN1DN      `json:"template,omitempty"`
	Claims               *provisioner.Claims   `json:"claims,omitempty"`
	DisableIssuedAtCheck bool                  `json:"disableIssuedAtCheck,omitempty"`
	Backdate             *provisioner.Duration `json:"backdate,omitempty"`
}

AuthConfig represents the configuration options for the authority.

func (*AuthConfig) Validate 

func (c *AuthConfig) Validate(audiences provisioner.Audiences) error

Validate validates the authority configuration.

type Authority 

type Authority struct {
	// contains filtered or unexported fields
}

Authority implements the Certificate Authority internal interface.

func New 

func New(config *Config, opts ...Option) (*Authority, error)

New creates and initiates a new Authority type.

func NewEmbedded 

func NewEmbedded(opts ...Option) (*Authority, error)

NewEmbedded initializes an authority that can be embedded in a different project without the limitations of the config.

func (*Authority) Authorize 

func (a *Authority) Authorize(ctx context.Context, token string) ([]provisioner.SignOption, error)

Authorize grabs the method from the context and authorizes the request by validating the one-time-token.

func (*Authority) AuthorizeSign 

func (a *Authority) AuthorizeSign(token string) ([]provisioner.SignOption, error)

AuthorizeSign authorizes a signature request by validating and authenticating a token that must be sent w/ the request.

NOTE: This method is deprecated and should not be used. We make it available in the short term os as not to break existing clients.

func (*Authority) CheckSSHHost 

func (a *Authority) CheckSSHHost(ctx context.Context, principal string, token string) (bool, error)

CheckSSHHost checks the given principal has been registered before.

func (*Authority) GetDatabase 

func (a *Authority) GetDatabase() db.AuthDB

GetDatabase returns the authority database. If the configuration does not define a database, GetDatabase will return a db.SimpleDB instance.

func (*Authority) GetEncryptedKey 

func (a *Authority) GetEncryptedKey(kid string) (string, error)

GetEncryptedKey returns the JWE key corresponding to the given kid argument.

func (*Authority) GetFederation 

func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)

GetFederation returns all the root certificates in the federation. This method implements the Authority interface.

func (*Authority) GetProvisioners 

func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error)

GetProvisioners returns a map listing each provisioner and the JWK Key Set with their public keys.

func (*Authority) GetRootCertificate 

func (a *Authority) GetRootCertificate() *x509.Certificate

GetRootCertificate returns the server root certificate.

func (*Authority) GetRootCertificates 

func (a *Authority) GetRootCertificates() []*x509.Certificate

GetRootCertificates returns the server root certificates.

In the Authority interface we also have a similar method, GetRoots, at the moment the functionality of these two methods are almost identical, but this method is intended to be used internally by CA HTTP server to load the roots that will be set in the tls.Config while GetRoots will be used by the Authority interface and might have extra checks in the future.

func (*Authority) GetRoots 

func (a *Authority) GetRoots() ([]*x509.Certificate, error)

GetRoots returns all the root certificates for this CA. This method implements the Authority interface.

func (*Authority) GetSSHBastion 

func (a *Authority) GetSSHBastion(ctx context.Context, user string, hostname string) (*Bastion, error)

GetSSHBastion returns the bastion configuration, for the given pair user, hostname.

func (*Authority) GetSSHConfig 

func (a *Authority) GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error)

GetSSHConfig returns rendered templates for clients (user) or servers (host).

func (*Authority) GetSSHFederation 

func (a *Authority) GetSSHFederation(context.Context) (*SSHKeys, error)

GetSSHFederation returns the public keys for federated SSH signers.

func (*Authority) GetSSHHosts 

func (a *Authority) GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]sshutil.Host, error)

GetSSHHosts returns a list of valid host principals.

func (*Authority) GetSSHRoots 

func (a *Authority) GetSSHRoots(context.Context) (*SSHKeys, error)

GetSSHRoots returns the SSH User and Host public keys.

func (*Authority) GetTLSCertificate 

func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)

GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.

func (*Authority) GetTLSOptions 

func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions

GetTLSOptions returns the tls options configured.

func (*Authority) LoadProvisionerByCertificate 

func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)

LoadProvisionerByCertificate returns an interface to the provisioner that provisioned the certificate.

func (*Authority) LoadProvisionerByID 

func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)

LoadProvisionerByID returns an interface to the provisioner with the given ID.

func (*Authority) Rekey 

func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)

Rekey is used for rekeying and renewing based on the public key. If the public key is 'nil' then it's assumed that the cert should be renewed using the existing public key. If the public key is not 'nil' then it's assumed that the cert should be rekeyed. For both Rekey and Renew all other attributes of the new certificate should match the old certificate. The exceptions are 'AuthorityKeyId' (which may have changed), 'SubjectKeyId' (different in case of rekey), and 'NotBefore/NotAfter' (the validity duration of the new certificate should be equal to the old one, but starting 'now').

func (*Authority) RekeySSH 

func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)

RekeySSH creates a signed SSH certificate using the old SSH certificate as a template.

func (*Authority) Renew 

func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error)

Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.

func (*Authority) RenewSSH 

func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ssh.Certificate, error)

RenewSSH creates a signed SSH certificate using the old SSH certificate as a template.

func (*Authority) Revoke 

func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error

Revoke revokes a certificate.

NOTE: Only supports passive revocation - prevent existing certificates from being renewed.

TODO: Add OCSP and CRL support.

func (*Authority) Root 

func (a *Authority) Root(sum string) (*x509.Certificate, error)

Root returns the certificate corresponding to the given SHA sum argument.

func (*Authority) Shutdown 

func (a *Authority) Shutdown() error

Shutdown safely shuts down any clients, databases, etc. held by the Authority.

func (*Authority) Sign 

func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)

Sign creates a signed certificate from a certificate signing request.

func (*Authority) SignSSH 

func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)

SignSSH creates a signed SSH certificate with the given public key and options.

func (*Authority) SignSSHAddUser 

func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)

SignSSHAddUser signs a certificate that provisions a new user in a server.

func (*Authority) Version 

func (a *Authority) Version() Version

Version returns the version information of the server.

type Bastion 

type Bastion struct {
	Hostname string `json:"hostname"`
	User     string `json:"user,omitempty"`
	Port     string `json:"port,omitempty"`
	Command  string `json:"cmd,omitempty"`
	Flags    string `json:"flags,omitempty"`
}

Bastion contains the custom properties used on bastion.

type Claims 

type Claims struct {
	jose.Claims
	SANs  []string `json:"sans,omitempty"`
	Email string   `json:"email,omitempty"`
	Nonce string   `json:"nonce,omitempty"`
}

Claims extends jose.Claims with step attributes.

type Config 

type Config struct {
	Root             multiString          `json:"root"`
	FederatedRoots   []string             `json:"federatedRoots"`
	IntermediateCert string               `json:"crt"`
	IntermediateKey  string               `json:"key"`
	Address          string               `json:"address"`
	DNSNames         []string             `json:"dnsNames"`
	KMS              *kms.Options         `json:"kms,omitempty"`
	SSH              *SSHConfig           `json:"ssh,omitempty"`
	Logger           json.RawMessage      `json:"logger,omitempty"`
	DB               *db.Config           `json:"db,omitempty"`
	Monitoring       json.RawMessage      `json:"monitoring,omitempty"`
	AuthorityConfig  *AuthConfig          `json:"authority,omitempty"`
	TLS              *tlsutil.TLSOptions  `json:"tls,omitempty"`
	Password         string               `json:"password,omitempty"`
	Templates        *templates.Templates `json:"templates,omitempty"`
}

Config represents the CA configuration and it's mapped to a JSON object.

func LoadConfiguration 

func LoadConfiguration(filename string) (*Config, error)

LoadConfiguration parses the given filename in JSON format and returns the configuration struct.

func (*Config) Save 

func (c *Config) Save(filename string) error

Save saves the configuration to the given filename.

func (*Config) Validate 

func (c *Config) Validate() error

Validate validates the configuration.

type Option 

type Option func(*Authority) error

Option sets options to the Authority.

func WithConfig 

func WithConfig(config *Config) Option

WithConfig replaces the current config with the given one. No validation is performed in the given value.

func WithConfigFile 

func WithConfigFile(filename string) Option

WithConfigFile reads the given filename as a configuration file and replaces the current one. No validation is performed in the given configuration.

func WithDatabase 

func WithDatabase(db db.AuthDB) Option

WithDatabase sets an already initialized authority database to a new authority. This option is intended to be use on graceful reloads.

func WithGetIdentityFunc 

func WithGetIdentityFunc(fn func(ctx context.Context, p provisioner.Interface, email string) (*provisioner.Identity, error)) Option

WithGetIdentityFunc sets a custom function to retrieve the identity from an external resource.

func WithKeyManager 

func WithKeyManager(k kms.KeyManager) Option

WithKeyManager defines the key manager used to get and create keys, and sign certificates.

func WithSSHBastionFunc 

func WithSSHBastionFunc(fn func(ctx context.Context, user, host string) (*Bastion, error)) Option

WithSSHBastionFunc sets a custom function to get the bastion for a given user-host pair.

func WithSSHCheckHost 

func WithSSHCheckHost(fn func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)) Option

WithSSHCheckHost sets a custom function to check whether a given host is step ssh enabled. The token is used to validate the request, while the roots are used to validate the token.

func WithSSHGetHosts 

func WithSSHGetHosts(fn func(ctx context.Context, cert *x509.Certificate) ([]sshutil.Host, error)) Option

WithSSHGetHosts sets a custom function to get the bastion for a given user-host pair.

func WithSSHHostSigner 

func WithSSHHostSigner(s crypto.Signer) Option

WithSSHHostSigner defines the signer used to sign SSH host certificates.

func WithSSHUserSigner 

func WithSSHUserSigner(s crypto.Signer) Option

WithSSHUserSigner defines the signer used to sign SSH user certificates.

func WithX509FederatedBundle 

func WithX509FederatedBundle(pemCerts []byte) Option

WithX509FederatedBundle is an option that allows to define the list of federated certificates. This option will replace any federated certificate defined before.

func WithX509FederatedCerts 

func WithX509FederatedCerts(certs ...*x509.Certificate) Option

WithX509FederatedCerts is an option that allows to define the list of federated certificates. This option will replace any federated certificate defined before.

func WithX509RootBundle 

func WithX509RootBundle(pemCerts []byte) Option

WithX509RootBundle is an option that allows to define the list of root certificates. This option will replace any root certificate defined before.

func WithX509RootCerts 

func WithX509RootCerts(rootCerts ...*x509.Certificate) Option

WithX509RootCerts is an option that allows to define the list of root certificates to use. This option will replace any root certificate defined before.

func WithX509Signer 

func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option

WithX509Signer defines the signer used to sign X509 certificates.

type RevokeOptions 

type RevokeOptions struct {
	Serial      string
	Reason      string
	ReasonCode  int
	PassiveOnly bool
	MTLS        bool
	Crt         *x509.Certificate
	OTT         string
}

RevokeOptions are the options for the Revoke API.

type SSHConfig 

type SSHConfig struct {
	HostKey          string          `json:"hostKey"`
	UserKey          string          `json:"userKey"`
	Keys             []*SSHPublicKey `json:"keys,omitempty"`
	AddUserPrincipal string          `json:"addUserPrincipal,omitempty"`
	AddUserCommand   string          `json:"addUserCommand,omitempty"`
	Bastion          *Bastion        `json:"bastion,omitempty"`
}

SSHConfig contains the user and host keys.

func (*SSHConfig) Validate 

func (c *SSHConfig) Validate() error

Validate checks the fields in SSHConfig.

type SSHKeys 

type SSHKeys struct {
	UserKeys []ssh.PublicKey
	HostKeys []ssh.PublicKey
}

SSHKeys represents the SSH User and Host public keys.

type SSHPublicKey 

type SSHPublicKey struct {
	Type      string          `json:"type"`
	Federated bool            `json:"federated"`
	Key       jose.JSONWebKey `json:"key"`
	// contains filtered or unexported fields
}

SSHPublicKey contains a public key used by federated CAs to keep old signing keys for this ca.

func (*SSHPublicKey) PublicKey 

func (k *SSHPublicKey) PublicKey() ssh.PublicKey

PublicKey returns the ssh public key.

func (*SSHPublicKey) Validate 

func (k *SSHPublicKey) Validate() error

Validate checks the fields in SSHPublicKey.

type Version 

type Version struct {
	Version                     string
	RequireClientAuthentication bool
}

Version defines the

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.