auth

package
v0.10.1
Published: Jun 16, 2020 License: AGPL-3.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Identify

func Identify(req *http.Request, f IdentityFunc) kes.Identity

Identify computes the identity of the X.509 certificate presented by the peer who sent the request.

It returns IdentityUnknown if no TLS connection state is present, if more than one peer certificate is present, or if f returns IdentityUnknown.

Types

type IdentityFunc

type IdentityFunc func(*x509.Certificate) kes.Identity

IdentityFunc maps an X.509 certificate to an Identity. This mapping should be deterministic and unique in the sense that:

  1. The same certificate always gets mapped to the same identity.
  2. There is only one (valid / non-expired) certificate that gets mapped to a particular (known) identity.

If no certificate is provided, or an identity cannot be computed (e.g. because the certificate does not contain enough information), the IdentityFunc should return IdentityUnknown.

func HashPublicKey

func HashPublicKey(hash crypto.Hash) IdentityFunc

HashPublicKey returns an IdentityFunc that computes an identity as the cryptographic hash of the certificate's public key.

If the given hash function is not available (not linked into the binary), it falls back to crypto.SHA256.
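The following is an added, self-contained example (not the package's own code) showing what the IdentityFunc contract and Identify's rules mean in practice. It assumes kes.Identity is a string type whose empty value is IdentityUnknown, and that HashPublicKey hashes the DER-encoded SubjectPublicKeyInfo; the certForKey helper, requestFrom, and the kes.example URL are constructed for the example only.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	_ "crypto/sha256" // registers SHA-256 so crypto.SHA256.Available() holds
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"net/http"
)

// Identity stands in for kes.Identity (assumption: a string, "" being IdentityUnknown).
type Identity string

const IdentityUnknown Identity = ""

type IdentityFunc func(*x509.Certificate) Identity

// HashPublicKey returns hex(hash(DER SubjectPublicKeyInfo)); that these are the bytes
// hashed is an assumption. Hashing the key rather than the whole certificate keeps the
// identity stable when a certificate is re-issued for the same key; the old certificate
// must then be retired to keep rule 2 of the contract (one valid certificate per identity).
func HashPublicKey(hash crypto.Hash) IdentityFunc {
	if !hash.Available() {
		hash = crypto.SHA256 // documented fallback
	}
	return func(cert *x509.Certificate) Identity {
		if cert == nil {
			return IdentityUnknown
		}
		h := hash.New()
		h.Write(cert.RawSubjectPublicKeyInfo)
		return Identity(hex.EncodeToString(h.Sum(nil)))
	}
}

// Identify follows the documented contract: no TLS state or more than one peer
// certificate is IdentityUnknown; otherwise f decides (f(nil) when the peer sent none).
func Identify(req *http.Request, f IdentityFunc) Identity {
	if req.TLS == nil || len(req.TLS.PeerCertificates) > 1 {
		return IdentityUnknown
	}
	if len(req.TLS.PeerCertificates) == 0 {
		return f(nil)
	}
	return f(req.TLS.PeerCertificates[0])
}

// certForKey builds just enough of a certificate for HashPublicKey: the DER-encoded
// SubjectPublicKeyInfo of pub (constructed test input, not a signed certificate).
func certForKey(pub ed25519.PublicKey) *x509.Certificate {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return &x509.Certificate{RawSubjectPublicKeyInfo: spki}
}

// requestFrom models a TLS request whose peer presented the given certificates.
func requestFrom(certs ...*x509.Certificate) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "https://kes.example/v1/key/list", nil)
	req.TLS = &tls.ConnectionState{PeerCertificates: certs}
	return req
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	other, _, _ := ed25519.GenerateKey(rand.Reader)
	f := HashPublicKey(crypto.SHA256)
	fmt.Println("same key twice, same identity:", f(certForKey(pub)) == f(certForKey(pub)))
	fmt.Println("different key, same identity:", f(certForKey(pub)) == f(certForKey(other)))
	fmt.Println("no TLS state -> unknown:", Identify(&http.Request{}, f) == IdentityUnknown)
	fmt.Println("chain of two -> unknown:", Identify(requestFrom(certForKey(pub), certForKey(other)), f) == IdentityUnknown)
	fmt.Println("unavailable hash falls back to SHA-256:", HashPublicKey(crypto.Hash(0))(certForKey(pub)) == f(certForKey(pub)))
}
```

The "chain of two" case is the security-relevant one: a peer that presents more than one certificate is refused an identity outright rather than having one of the two picked, so an attacker cannot smuggle a second certificate into the handshake hoping the mapping picks it.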

type Roles

type Roles struct {
	Root     kes.Identity
	Identify IdentityFunc
	// contains filtered or unexported fields
}

func (*Roles) Assign

func (r *Roles) Assign(name string, id kes.Identity) error

func (*Roles) Delete

func (r *Roles) Delete(name string)

func (*Roles) Forget

func (r *Roles) Forget(id kes.Identity)

func (*Roles) Get

func (r *Roles) Get(name string) (*kes.Policy, bool)

func (*Roles) Identities

func (r *Roles) Identities() map[kes.Identity]string

func (*Roles) IsAssigned

func (r *Roles) IsAssigned(id kes.Identity) bool

func (*Roles) Policies

func (r *Roles) Policies() (names []string)

func (*Roles) Set

func (r *Roles) Set(name string, policy *kes.Policy)

func (*Roles) Verify

func (r *Roles) Verify(req *http.Request) error

type TLSProxy

type TLSProxy struct {
	// Identify computes the identity from an X.509 certificate
	// sent by the client or proxy.
	//
	// If it is nil a default IdentityFunc computing the
	// SHA-256 of the certificate's public key will be used.
	Identify IdentityFunc

	// CertHeader is the HTTP header key used to extract the
	// client certificate forwarded by a TLS proxy. The TLS
	// proxy has to include the certificate of the actual
	// client into the request headers as CertHeader.
	//
	// If the request has been sent by a proxy but the request
	// headers do not contain an escaped and ASN.1 encoded
	// certificate then the request will be rejected.
	CertHeader string

	// The X.509 certificate verification options used when
	// verifying the certificate that has been sent by the
	// actual kes client and forwarded by the TLS proxy as
	// part of the request headers.
	//
	// If it is nil the client certificate won't be verified.
	VerifyOptions *x509.VerifyOptions
	// contains filtered or unexported fields
}

func (*TLSProxy) Add

func (p *TLSProxy) Add(identity kes.Identity)

Add adds the given identity to the list of TLS proxies if identity != kes.IdentityUnknown.

func (*TLSProxy) Is

func (p *TLSProxy) Is(identity kes.Identity) bool

Is returns true if and only if the given identity is a TLS proxy.

func (*TLSProxy) Verify

func (p *TLSProxy) Verify(req *http.Request) error

Verify verifies the given HTTP request. If the request has been made by a TLS proxy, i.e. the peer certificate maps to an identity previously registered with Add, then Verify extracts the certificate of the actual kes client from the CertHeader request header and replaces the peer certificate of the TLS proxy with the extracted client certificate. A proxy request that carries no such header is rejected.

It verifies the extracted client certificate only if TLSProxy.VerifyOptions is not nil. With nil VerifyOptions, any certificate a registered proxy forwards is accepted as-is, so set VerifyOptions (at least Roots) to the CA that issues kes client certificates.

If the request has not been made by a TLS proxy, Verify only checks whether a client certificate is present. CertHeader is not consulted in that case, so a client connecting directly cannot change its identity by setting the header itself.
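The example below is added here to show the whole forwarded-certificate flow end to end; it is a stand-alone re-implementation of the documented behaviour, not the package's own code. Its assumptions: the header carries the client certificate as URL-escaped PEM (the page only says "escaped and ASN.1 encoded"); the default identity is the hex SHA-256 of the DER SubjectPublicKeyInfo; the unexported proxy set behind Add and Is is replaced by an exported Proxies map, and the Identify field is left out (the default is always used). The CA, proxy and client certificates, the header name X-Tls-Client-Cert and the kes.example URL are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// Identity stands in for kes.Identity (assumption: a string, "" being IdentityUnknown).
type Identity string

// defaultIdentity is the documented default: SHA-256 of the public key (assumption: hex over DER SPKI).
func defaultIdentity(cert *x509.Certificate) Identity {
	return Identity(fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo)))
}

// TLSProxy mirrors the page's CertHeader and VerifyOptions; Proxies plays the set Add fills and Is consults.
type TLSProxy struct {
	CertHeader    string
	VerifyOptions *x509.VerifyOptions
	Proxies       map[Identity]bool
}

// Verify swaps a registered proxy's peer certificate for the forwarded client certificate (URL-escaped PEM assumed).
func (p *TLSProxy) Verify(req *http.Request) error {
	if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
		return fmt.Errorf("no client certificate is present")
	}
	// Only the TLS peer decides: a direct client that sets CertHeader itself is not a proxy, so the header is ignored.
	if len(req.TLS.PeerCertificates) > 1 || !p.Proxies[defaultIdentity(req.TLS.PeerCertificates[0])] {
		return nil
	}
	raw, err := url.QueryUnescape(req.Header.Get(p.CertHeader))
	if err != nil || raw == "" {
		return fmt.Errorf("proxy request carries no forwarded client certificate")
	}
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("forwarded client certificate is not a PEM CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if p.VerifyOptions != nil { // nil: the forwarded certificate is trusted unverified
		if _, err = cert.Verify(*p.VerifyOptions); err != nil {
			return err
		}
	}
	req.TLS.PeerCertificates = []*x509.Certificate{cert}
	return nil
}

// newCert issues a one-hour ed25519 certificate named cn (constructed test material); nil parent = self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// forwardedRequest: peer on the TLS connection; if client != nil, its certificate URL-escaped in header hdr.
func forwardedRequest(peer *x509.Certificate, hdr string, client *x509.Certificate) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "https://kes.example/v1/key/list", nil)
	req.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{peer}}
	if client != nil {
		pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: client.Raw})
		req.Header.Set(hdr, url.QueryEscape(string(pemBytes)))
	}
	return req
}

func main() {
	ca, caKey := newCert("kes-ca", nil, nil)
	proxy, _ := newCert("tls-proxy", ca, caKey)
	client, _ := newCert("app", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	p := &TLSProxy{CertHeader: "X-Tls-Client-Cert", VerifyOptions: &x509.VerifyOptions{Roots: roots}, Proxies: map[Identity]bool{defaultIdentity(proxy): true}}
	req := forwardedRequest(proxy, p.CertHeader, client)
	fmt.Println("verify:", p.Verify(req), "| peer is now the app:", req.TLS.PeerCertificates[0].Equal(client))
}
```

Run against the four request shapes a practitioner cares about: a registered proxy forwarding a CA-issued certificate (accepted, peer replaced), a proxy forwarding a self-signed certificate (rejected by VerifyOptions), a proxy request without the header (rejected), and a direct client that forges the header (the header is ignored and the client keeps its own identity). Dropping VerifyOptions makes the second case succeed, which is exactly the caveat in the field comment: with nil VerifyOptions the proxy alone decides who the client is.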
