Documentation
¶
Overview ¶
Package protocol provides objects and methods to interact between the various components of the Schism infra.
This ranges from Lambda Payload(s) and Response(s) to Certificate types and Various marshaling of object into S3 objects.
Index ¶
Constants ¶
const LookupKeySeparator = ":"
LookupKeySeparator is used to separate the cert type and the cert key
const S3CaPubkeyPrefix = "CA-Pubkeys/"
S3CaPubkeyPrefix The subprefix for storing the Public CA keys
Full Object path will follow this template
{profile.S3Prefix}{S3CaPubkeyPrefix}/{CertType}-{bundle_key_extras}.json
const S3CertStoragePrefix = "Signed-Certs/"
S3CertStoragePrefix The subprefix for storing the Signed Certificate
Full Object path will follow this template
{profile.S3Prefix}{S3CertStoragePrefix}{LookupKey}.json
const (
TestValidBucket = "schism-test"
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type CAPublicKeyS3Object ¶
type CAPublicKeyS3Object struct {
// Type of public key to be saved
CertificateType CertType `json:"certificate_type"`
// The raw representation of PublicKey after Marshaling to an AuthorizedKey format
AuthorizedKey []byte `json:"authorized_key"`
// The Fingerprint of the PublicKey as returned by ssh.FingerprintSHA256
KeyFingerprint string `json:"fingerprint"`
// If this is from a Host CA, the AuthDomain is the domain (or subdomain)
// that the Host CA is authorized to sign certificates for
//
// In theory this can be a comma separated list but I haven't tested that yet
HostCertAuthDomain string `json:"host_cert_auth_domain,omitempty"`
}
CAPublicKeyS3Object represents all the information that will be saved to S3 for a given CA PublicKey
func (*CAPublicKeyS3Object) LoadObject ¶
func (c *CAPublicKeyS3Object) LoadObject(s3Svc s3iface.S3API, s3Bucket string, s3ObjectKey string) error
LoadObject loads an object from the given s3://{s3Bucket}/{s3ObjectKey} and un-marshals it into a CAPublicKeyS3Object
func (*CAPublicKeyS3Object) ObjectKey ¶
func (c *CAPublicKeyS3Object) ObjectKey(prefix string) string
ObjectKey, given a prefix, return a key for S3 based on CA type.
If the HostCertAuthDomain is set, this will be added to the ObjectKey
Format:
{prefix}{S3CaPubkeyPrefix}/{host|user}.json
{prefix}{S3CaPubkeyPrefix}/{host|user}-{fingerprint}.json
{prefix}{S3CaPubkeyPrefix}/{host|user}-{HostCertAuthDomain}.json
{prefix}{S3CaPubkeyPrefix}/{host|user}-{HostCertAuthDomain}-{fingerprint}.json
type CertType ¶
type CertType string
CertType: Schism supports two types of certificates: "user" and "host"
Used to manage different aspects of the certification process
const ( // Authenticates server hosts to users HostCertificate CertType = "host" // Authenticates users to servers UserCertificate CertType = "user" // Used in `schism list -ca` primarily but maybe I'll find more places this is useful // cakp ~> CertAuthority KeyPair CaKeyPair CertType = "cakp" )
Valid options for CertType
func (CertType) Expand ¶
Expand returns the full CertType given a single character type
h => host | u => user
This is a no-op for already expanded `CertType`s
func (CertType) OppositeCA ¶
OppositeCA returns "host" for "user" and "user" for "host"
type LookupKey ¶
LookupKey is used for storing certificates in S3, 64-character sha256sum
Partial keys are allowed, use lk.Expand() to attempt to fetch the full key
func GenerateLookupKey ¶
GenerateLookupKey creates a 64-character long sha256sum key based on the given Identity and Principals
The Identity is joined with the sorted list of Principals then separated with commas and run through sha256.Sum256()
Example:
ident := "someUser@dev1.example.com"
princs := []string{"someUser", "admin"}
sampleKey := protocol.GenerateLookupKey(ident, princs, protocol.UserCertificate)
// sampleKey => {
// Id: "a5ba427b532c152b3e9cded5ab36f040072f7582a455271fd26d1fc696c7ac64",
// Type: "user",
// }
func ParseLookupKey ¶
ParseLookupKey takes a string in the same format that `String()` provides and returns a pointer to a new LookupKey object
returns an error if the key is improperly formatted
Expansion does NOT happen here. See `lk.Expand()` if you wish to resolve a partial key
func (*LookupKey) Expand ¶
Expand expands a LookupKey into a full 64-character key, given a partial key that matches a singular certificate bundle of the given type stored in the given S3 bucket (and prefix)
Returns an error if there is not a singular match or S3 calls fail. Returns an error if the expanded key is in an invalid format
Example:
sampleKey := protocol.LookupKey{Id: "55e8182e", Type: protocol.HostCertificate}
err := sampleKey.Expand(s3Con, bucket, prfx)
if err != nil { panic(err) }
# sampleKey.Id => "55e8182ec4413d51676d1ba7480708a48c5b50f4a86b3afb9be6c43c648b373d"
func (*LookupKey) MarshalJSON ¶
MarshalJSON returns the same thing as String but as a `[]byte`
This will not return errors, including for the interface only.
func (*LookupKey) String ¶
String returns the LookupKey as a string in the format:
"#{lk.Type}:#{lk.Id}"
func (*LookupKey) UnmarshalJSON ¶
UnmarshalJSON parses the output of `LookupKey.MarshalJSON()` See `LookupKey.String()` for formatting
Returns an error if the raw data cannot be parsed
type MockS3Client ¶
func (*MockS3Client) GetObject ¶
func (m *MockS3Client) GetObject(input *s3.GetObjectInput) (*s3.GetObjectOutput, error)
func (*MockS3Client) ListObjectsV2 ¶
func (m *MockS3Client) ListObjectsV2(input *s3.ListObjectsV2Input) (*s3.ListObjectsV2Output, error)
type RequestSSHCertLambdaPayload ¶
type RequestSSHCertLambdaPayload struct {
// Type of SSH-cert being requested.
//
// The following are accepted:
// * "host"
// * "user
CertificateType CertType `json:"certificate_type"`
// Specify the key identity when signing a public key.
Identity string `json:"certificate_identity"`
// Specify one or more principals (user or host names) to be included in a certificate when signing a key.
Principals []string `json:"certificate_principals"`
// Length of time the Signed Certificate will be valid for.
ValidityInterval time.Duration `json:"validity_interval"`
// Specify a certificate option when signing a key.
UserKeyOptions []string `json:"user_key_options,omitempty"`
// Public Key to submit to the CA for signing.
// Supported types: (Others may work, ymmv)
//
// * "ed25519"
// * "rsa"
PublicKey string `json:"public_key"`
}
RequestSSHCertLambdaPayload is used to pass the required information to the lambda function
type RequestSSHCertLambdaResponse ¶
type RequestSSHCertLambdaResponse struct {
// Type of SSH-cert that was generated.
CertificateType CertType `json:"certificate_type"`
// 64-character key used with the CertType to fetch the Certificate bundle from S3
LookupKey string `json:"lookup_key"`
}
RequestSSHCertLambdaResponse is used to return pertinent information from the lambda function
type S3Object ¶
type S3Object interface {
// ObjectKey should take a prefix and
// return a full object key for where the object should be saved
ObjectKey(prefix string) string
// LoadObject takes an S3 connection, S3 Bucket, and S3 ObjectKey
// and populates the wantFields of the struct with the saved S3 object's data
LoadObject(s3Svc s3iface.S3API, s3Bucket string, s3ObjectKey string) error
}
S3Object provides an interface for saving mostly any struct to S3 as a Marshaled JSON object
type SignedCertificateS3Object ¶
type SignedCertificateS3Object struct {
// Type of SSH-cert to be saved
CertificateType CertType `json:"certificate_type"`
// Timestamp of when we minted the cert
IssuedOn time.Time `json:"issued_on"`
// Originally requested Identity for this Certificate
Identity string `json:"identity"`
// Originally requested Principals for this Certificate
Principals []string `json:"certificate_principals"`
// How long will this Certificate be valid for?
ValidityInterval time.Duration `json:"validity_interval"`
// The raw representation of this Certificate after Marshaling
// TODO: Work on KMS encryption for this section
RawSignedCertificate []byte `json:"signed_certificate"`
// The S3 ObjectKey for the AuthorizedKey half of the CA
// In theory this is here because when you have both halves working for Schism,
// Hosts need the Public half of the User CA to authenticate UserCertificates,
// and the reverse for the Users' side
OppositePublicCA string `json:"opposite_public_ca"`
// TODO: To be implemented later.
SignedCertificateEncryption map[string]string `json:"signed_certificate_encryption,omitempty"`
}
SignedCertificateS3Object represents all the information that will be saved to S3 for a Signed SSH Certificate
func (*SignedCertificateS3Object) LoadObject ¶
func (c *SignedCertificateS3Object) LoadObject(s3Svc s3iface.S3API, s3Bucket string, s3ObjectKey string) error
LoadObject loads an object from the given s3://{s3Bucket}/{s3ObjectKey} and un-marshals it into a SignedCertificateS3Object
func (*SignedCertificateS3Object) ObjectKey ¶
func (c *SignedCertificateS3Object) ObjectKey(prefix string) string
ObjectKey given a prefix, return a key for S3 by invoking GenerateLookupKey() and calling .String() on the result
Format:
{prefix}{LookupKey.String()}.json
Source Files