cassh

package module
Published: Jan 31, 2023 License: MIT Imports: 13 Imported by: 0

README


CASSH client

The cassh package exposes - through the Client struct - methods to talk to the CASSH server.

Usage example; see godoc for full package documentation.

package main

import (
	"context"
	"fmt"
	"os"
	"path/filepath"
	"time"

	"github.com/krostar/cassh"
	"github.com/krostar/sshx"
	"golang.org/x/crypto/ssh"
)

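// signUserKeyOnlyIfNeeded asks the CASSH server to sign the local user public
// key, but only when the current key is not active or expires in less than
// ten minutes. The signed certificate is written next to the public key as
// id_rsa-cert.pub in the user's ~/.ssh directory.
//
// It returns an error (wrapping the underlying cause, so errors.Is/As work)
// when the server cannot be reached, the user status cannot be fetched, the
// home directory or public key cannot be read, signing fails, or the
// certificate cannot be written.
func signUserKeyOnlyIfNeeded(ctx context.Context) error {
	// The LDAP credentials are hard-coded here only to keep the example short;
	// real code should obtain them from a secret store, an agent or a prompt.
	const (
		serverAddress = "https://cassh-server.address"
		username      = "john.doe"
		ldapName      = "john.doe@company.corp"
		ldapPassword  = "awesome42password"
		// renewBefore is the minimum remaining validity of the current key
		// below which it is re-signed.
		renewBefore = 10 * time.Minute
	)

	// create the cassh client object
	client, err := cassh.NewClient(serverAddress)
	if err != nil {
		return fmt.Errorf("unable to create cassh client: %w", err)
	}

	// fail fast when the server is not reachable
	if err := client.Ping(ctx); err != nil {
		return fmt.Errorf("unable to ping cassh server: %w", err)
	}

	// setup the user session
	userSession := client.SessionUser(username, cassh.SessionUserOptionAuthenticationMechanismLDAP(ldapName, ldapPassword))

	// get current user status
	status, err := userSession.Status(ctx)
	if err != nil {
		return fmt.Errorf("unable to get user status: %w", err)
	}

	// nothing to do while the key is active and valid for at least renewBefore
	if status.KeyState == cassh.KeyStateActive && time.Now().Add(renewBefore).Before(status.KeyExpiration) {
		return nil
	}

	// otherwise, considering the user already has a key validated by an admin, sign the key

	// Go does not expand "~" in paths: resolve the home directory explicitly so
	// the files are read from and written to the real ~/.ssh directory rather
	// than a literal "~" directory relative to the working directory.
	home, err := os.UserHomeDir()
	if err != nil {
		return fmt.Errorf("unable to resolve user home directory: %w", err)
	}
	publicKeyPath := filepath.Join(home, ".ssh", "id_rsa.pub")
	certificatePath := filepath.Join(home, ".ssh", "id_rsa-cert.pub")

	// first get the user public key from file
	userPublicKey, err := sshx.NewPublicKeyFromOpenSSHAuthorizedKeyFile(publicKeyPath)
	if err != nil {
		return fmt.Errorf("unable to open user ssh public key: %w", err)
	}

	// sign it
	userSignedCertificate, err := userSession.Key(userPublicKey).Sign(ctx)
	if err != nil {
		return fmt.Errorf("unable to sign user key: %w", err)
	}

	// write the signed certificate; a certificate is public data, so a
	// world-readable mode is appropriate (the private key is never touched)
	if err := os.WriteFile(certificatePath, ssh.MarshalAuthorizedKey(userSignedCertificate), 0644); err != nil {
		return fmt.Errorf("unable to write signed certificate: %w", err)
	}

	return nil
}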

Documentation

Index

Constants

const ErrInsufficientPrivileges = sentinelError("insufficient privileges")

ErrInsufficientPrivileges is returned when the privileges provided to the CASSH server are not sufficient to execute the request successfully.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client stores useful attributes to talk to the CASSH server.

func NewClient

func NewClient(serverAddress string, opts ...ClientOption) (*Client, error)

NewClient creates a new CASSH client to be used to contact the server. Warning: the server sends times without a timezone, so some tweaking may be needed to interpret the right time if the server and client timezones are not configured the same. By default, times are interpreted in the UTC timezone; to change this, provide the appropriate timezone using ClientOptionServerTimezone.

func (*Client) AuthorityPublicKey

func (c *Client) AuthorityPublicKey(ctx context.Context) (sshx.PublicKey, error)

AuthorityPublicKey returns the public key of the CASSH server key used to sign certificates.

func (*Client) Health

func (c *Client) Health(ctx context.Context) (string, string, error)

Health returns the name and version reported by the /health endpoint.

func (*Client) KeyRevocationList

func (c *Client) KeyRevocationList(ctx context.Context) (*krl.KRL, error)

KeyRevocationList returns the list of keys revoked by the CASSH server.

func (*Client) Ping

func (c *Client) Ping(ctx context.Context) error

Ping checks whether the server responds with a 200 to /ping.

func (*Client) SessionAdmin

func (c *Client) SessionAdmin(opts ...SessionAdminOption) *SessionAdmin

SessionAdmin exposes all admin related methods.

func (*Client) SessionUser

func (c *Client) SessionUser(username Username, opts ...SessionUserOption) *SessionUser

SessionUser exposes all user related methods.

type ClientOption

type ClientOption func(o *clientOptions)

ClientOption defines the signature of all options usable on NewClient.

func ClientOptionHTTPClient

func ClientOptionHTTPClient(httpDoer httpclient.Doer) ClientOption

ClientOptionHTTPClient sets the http client used on each request made to the CASSH server.

func ClientOptionHTTPHeader

func ClientOptionHTTPHeader(httpDefaultHeaders http.Header) ClientOption

ClientOptionHTTPHeader sets some headers used by default on all http requests.

func ClientOptionServerTimezone

func ClientOptionServerTimezone(serverTimezone *time.Location) ClientOption

ClientOptionServerTimezone sets the timezone of the CASSH server for time response to be received correctly.

func ClientOptionTolerateInsecureProtocols

func ClientOptionTolerateInsecureProtocols() ClientOption

ClientOptionTolerateInsecureProtocols allows the CASSH server to be reached using http instead of https.

type KeyState

type KeyState string

KeyState defines the different states a user key can be in.

const (
	// KeyStateActive means the key is usable on the CASSH server.
	KeyStateActive KeyState = "ACTIVE"
	// KeyStateRevoked means the key has been revoked by the CASSH server and cannot be used anymore.
	KeyStateRevoked KeyState = "REVOKED"
	// KeyStatePending means the key has not been signed yet by a CASSH server admin and cannot be used yet.
	KeyStatePending KeyState = "PENDING"
)

func (KeyState) String

func (ks KeyState) String() string

String implements stringer for KeyState.

type Principal

type Principal string

Principal stores a single principal.

func (Principal) String

func (principal Principal) String() string

String implements stringer for Principal.

type Principals

type Principals []Principal

Principals aliases []Principal to add useful methods.

func (Principals) Has

func (principals Principals) Has(requiredPrincipal Principal, requiredPrincipals ...Principal) error

Has returns whether all the provided principals exist in the list of principals.

type SessionAdmin

type SessionAdmin struct {
	// contains filtered or unexported fields
}

SessionAdmin stores attributes useful to make admin related requests to the CASSH server.

func (*SessionAdmin) CheckAuthentication

func (s *SessionAdmin) CheckAuthentication(ctx context.Context) error

CheckAuthentication checks whether the provided admin authentication mechanism is valid and authorized.

func (*SessionAdmin) User

func (s *SessionAdmin) User(username Username) *SessionAdminUser

User sets the user on which further commands will be applied.

type SessionAdminOption

type SessionAdminOption func(o *sessionAdminOptions)

SessionAdminOption defines the signature of all options usable on SessionAdmin.

func SessionAdminOptionAuthenticationMechanismLDAP

func SessionAdminOptionAuthenticationMechanismLDAP(ldapName, ldapPassword string) SessionAdminOption

SessionAdminOptionAuthenticationMechanismLDAP sets the authentication mechanism to LDAP for the entire session.

type SessionAdminUser

type SessionAdminUser struct {
	// contains filtered or unexported fields
}

SessionAdminUser stores attributes useful to make admin requests related to a specific user, to the CASSH server.

func (*SessionAdminUser) Key

Key allows the manipulation of the user key as admin.

func (*SessionAdminUser) Principals

Principals handles user principals as admin.

func (*SessionAdminUser) Status

func (s *SessionAdminUser) Status(ctx context.Context) (*UserStatus, error)

Status returns the current user status.

type SessionAdminUserKey

type SessionAdminUserKey struct {
	// contains filtered or unexported fields
}

SessionAdminUserKey stores attributes useful to make admin requests related to keys for a specific user, to the CASSH server.

func (*SessionAdminUserKey) Activate

func (s *SessionAdminUserKey) Activate(ctx context.Context) error

Activate activates the user's key.

func (*SessionAdminUserKey) Delete

func (s *SessionAdminUserKey) Delete(ctx context.Context) error

Delete deletes the user's key (but it does not revoke it).

func (*SessionAdminUserKey) Revoke

func (s *SessionAdminUserKey) Revoke(ctx context.Context) error

Revoke revokes the user's key.

func (*SessionAdminUserKey) SetExpiry

func (s *SessionAdminUserKey) SetExpiry(ctx context.Context, expiry time.Duration) error

SetExpiry sets the provided expiry for the user's key.

type SessionAdminUserPrincipals

type SessionAdminUserPrincipals struct {
	// contains filtered or unexported fields
}

SessionAdminUserPrincipals stores attributes useful to make admin requests related to user principals, to the CASSH server.

func (*SessionAdminUserPrincipals) Add

func (s *SessionAdminUserPrincipals) Add(ctx context.Context, principal Principal, principals ...Principal) error

Add adds the provided principals to the user principals.

func (*SessionAdminUserPrincipals) Remove

func (s *SessionAdminUserPrincipals) Remove(ctx context.Context, principal Principal, principals ...Principal) error

Remove removes the provided principals from the user principals.

func (*SessionAdminUserPrincipals) Reset

Reset removes all the user principals.

func (*SessionAdminUserPrincipals) Set

func (s *SessionAdminUserPrincipals) Set(ctx context.Context, principal Principal, principals ...Principal) error

Set replaces the user principals with the provided principals.

type SessionAuth

// SessionAuth defines a way to authenticate a request.
type SessionAuth interface {
	// ExtendRequestParameters adds the authentication material of the session
	// to the provided request parameters. NOTE(review): presumably these are
	// the query or form values of the HTTP request sent to the server; confirm
	// against the callers.
	ExtendRequestParameters(url.Values)
}

SessionAuth defines a way to authenticate a request.

type SessionUser

type SessionUser struct {
	// contains filtered or unexported fields
}

SessionUser stores attributes useful to make user related requests to the CASSH server.

func (*SessionUser) Key

func (s *SessionUser) Key(key ssh.PublicKey) *SessionUserKey

Key allows the manipulation of the user key.

func (*SessionUser) Status

func (s *SessionUser) Status(ctx context.Context) (*UserStatus, error)

Status returns the current user status.

type SessionUserKey

type SessionUserKey struct {
	// contains filtered or unexported fields
}

SessionUserKey stores attributes useful to make requests related to user's keys, to the CASSH server.

func (*SessionUserKey) Set

func (s *SessionUserKey) Set(ctx context.Context) error

Set sets the user key.

func (*SessionUserKey) Sign

Sign returns a certificate signed by the CASSH server.

type SessionUserKeySignOption

type SessionUserKeySignOption func(o *sessionUserKeySignOptions)

SessionUserKeySignOption defines the signature of all options usable on SessionUserKeySign.

func SessionUserKeySignOptionForce

func SessionUserKeySignOptionForce() SessionUserKeySignOption

SessionUserKeySignOptionForce sets the force attribute to the sign request.

type SessionUserOption

type SessionUserOption func(o *sessionUserOptions)

SessionUserOption defines the signature of all options usable on SessionUser.

func SessionUserOptionAuthenticationMechanismLDAP

func SessionUserOptionAuthenticationMechanismLDAP(ldapName, ldapPassword string) SessionUserOption

SessionUserOptionAuthenticationMechanismLDAP sets the authentication mechanism to LDAP for the entire session.

type UserStatus

// UserStatus stores the status attributes of a CASSH user, as reported by
// the server for a user or admin Status request.
type UserStatus struct {
	// Name is the username of the CASSH user.
	Name Username
	// RealName is the display name of the user as known by the server.
	RealName string
	// KeyState is the current state of the user key (active, revoked or pending).
	KeyState KeyState
	// KeyExpiration is the instant at which the user key stops being valid.
	// The server sends this time without a timezone; it is interpreted in
	// the timezone set via ClientOptionServerTimezone (UTC by default).
	KeyExpiration time.Time
	// KeyPrincipals lists the principals attached to the user key.
	KeyPrincipals Principals
}

UserStatus stores the status attributes of a CASSH user.

func (UserStatus) String

func (us UserStatus) String() string

String implements stringer for UserStatus.

type Username

type Username string

Username of the CASSH user.

func (Username) String

func (u Username) String() string

String implements stringer for Username.
