identity

package v11.3.3

Warning: this package is not in the latest version of its module.

Published: Dec 13, 2022 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Constants

const (
	// TLSCertKey is the name under which TLS certificates exist in a destination.
	TLSCertKey = "tlscert"

	// SSHCertKey is the name under which SSH certificates exist in a destination.
	SSHCertKey = "key-cert.pub"

	// SSHCACertsKey is the name under which SSH CA certificates exist in a destination.
	SSHCACertsKey = "sshcacerts"

	// TLSCACertsKey is the name under which TLS CA certificates exist in a destination.
	TLSCACertsKey = "tlscacerts"

	// PrivateKeyKey is the name under which the private key exists in a destination.
	// The same private key is used for SSH and TLS certificates.
	PrivateKeyKey = "key"

	// PublicKeyKey is the ssh public key, required for successful SSH connections.
	PublicKeyKey = "key.pub"

	// TokenHashKey is the key where a hash of the onboarding token will be stored.
	TokenHashKey = "tokenhash"

	// WriteTestKey is the key for a file used to check that the destination is
	// writable.
	WriteTestKey = ".write-test"
)

Variables

This section is empty.

Functions

func CertAuthorityInfo

func CertAuthorityInfo(ca types.CertAuthority) string

CertAuthorityInfo returns debugging information about the given certificate authority.

func CertInfo

func CertInfo(cert *x509.Certificate) string

CertInfo returns diagnostic information about the given X.509 certificate.

func ContainsKind

func ContainsKind(kind ArtifactKind, kinds []ArtifactKind) bool

ContainsKind determines if a particular artifact kind is included in the list of kinds.

func ListKeys

func ListKeys(kinds ...ArtifactKind) []string

ListKeys returns a list of artifact keys that will be written given a list of artifacts.

func ReadSSHIdentityFromKeyPair

func ReadSSHIdentityFromKeyPair(identity *Identity, keyBytes, publicKeyBytes, certBytes []byte) error

ReadSSHIdentityFromKeyPair populates identity from an initialized key pair: the private key, the SSH public key and the SSH certificate.

func ReadTLSIdentityFromKeyPair

func ReadTLSIdentityFromKeyPair(identity *Identity, keyBytes, certBytes []byte, caCertsBytes [][]byte) error

ReadTLSIdentityFromKeyPair populates the TLS part of identity from the private key, the TLS certificate and the list of CA certificates.

func SaveIdentity

func SaveIdentity(id *Identity, d bot.Destination, kinds ...ArtifactKind) error

SaveIdentity saves a bot identity to a destination.

func TLSCertInfo

func TLSCertInfo(cert *tls.Certificate) string

TLSCertInfo returns diagnostic information about the given tls.Certificate.

func VerifyWrite

func VerifyWrite(dest bot.Destination) error

VerifyWrite attempts to write to the .write-test artifact inside the given destination. It should be called before attempting a renewal to help ensure we won't then fail to save the identity.

Types

type Artifact

type Artifact struct {
	// Key is the name that this artifact should be stored under within a
	// destination. For a file based destination, this will be the file name.
	Key       string
	Kind      ArtifactKind
	ToBytes   func(*Identity) []byte
	FromBytes func(*proto.Certs, *LoadIdentityParams, []byte)

	// Optional indicates whether or not an identity should fail to load if this
	// key is missing.
	Optional bool

	// OldKey allows an artifact to be migrated from an older key to a new key.
	// If this value is set, and we are unable to load from Key, we will try
	// and load from OldKey
	OldKey string
}

Artifact is a component of a serialized identity.

func GetArtifacts

func GetArtifacts() []Artifact

func (*Artifact) Matches

func (a *Artifact) Matches(kinds ...ArtifactKind) bool

Matches returns true if this artifact's Kind matches any one of the given kinds, or if its Kind is KindAlways.

type ArtifactKind

type ArtifactKind string

ArtifactKind is a type of identity artifact that can be stored and loaded.

const (
	// KindAlways identifies identity resources that should always be
	// generated.
	KindAlways ArtifactKind = "always"

	// KindBotInternal identifies resources that should only be stored in the
	// bot's internal data directory.
	KindBotInternal ArtifactKind = "bot-internal"
)

func BotKinds

func BotKinds() []ArtifactKind

BotKinds returns a list of all artifact kinds used internally by the bot. End-user destinations may contain a different set of artifacts.

func DestinationKinds

func DestinationKinds() []ArtifactKind

DestinationKinds returns a list of all artifact kinds that should be written to end-user destinations.
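The artifact model above (Key, Kind, Optional, OldKey and Matches) together with the VerifyWrite probe documented under Functions, as a self-contained Go sketch. This is an added example written for this page, not code from the Teleport tbot package: the key constants are the documented ones, but the artifact table, its kind and Optional assignments, the hypothetical OldKey "sshcert", the in-memory MemDestination standing in for bot.Destination, and the LoadArtifacts function standing in for LoadIdentity are all assumptions made for the example.

```go
package main

import "fmt"

// Key names copied from the constants documented on this page.
const (
	TLSCertKey    = "tlscert"
	SSHCertKey    = "key-cert.pub"
	TLSCACertsKey = "tlscacerts"
	PrivateKeyKey = "key"
	TokenHashKey  = "tokenhash"
	WriteTestKey  = ".write-test"
)

type ArtifactKind string

const (
	KindAlways      ArtifactKind = "always"
	KindBotInternal ArtifactKind = "bot-internal"
)

// Artifact mirrors the documented struct without the serializer callbacks.
type Artifact struct {
	Key      string
	Kind     ArtifactKind
	Optional bool
	OldKey   string
}

// Matches implements the documented rule: KindAlways matches any kind list.
func (a *Artifact) Matches(kinds ...ArtifactKind) bool {
	for _, k := range kinds {
		if a.Kind == k {
			return true
		}
	}
	return a.Kind == KindAlways
}

// artifacts is an assumed table: the kinds, the Optional flag and the
// hypothetical OldKey "sshcert" are this example's choices, not the project's.
var artifacts = []Artifact{
	{Key: PrivateKeyKey, Kind: KindAlways},
	{Key: TLSCertKey, Kind: KindAlways},
	{Key: TLSCACertsKey, Kind: KindAlways},
	{Key: SSHCertKey, Kind: KindAlways, OldKey: "sshcert"},
	{Key: TokenHashKey, Kind: KindBotInternal, Optional: true},
}

// MemDestination is an in-memory stand-in for bot.Destination; a nil map
// models an unwritable destination, the failure VerifyWrite exists to catch.
type MemDestination map[string][]byte

func (m MemDestination) Write(key string, data []byte) error {
	if m == nil {
		return fmt.Errorf("write %q: destination is not writable", key)
	}
	m[key] = append([]byte(nil), data...)
	return nil
}

func (m MemDestination) Read(key string) ([]byte, bool) {
	b, ok := m[key]
	return b, ok
}

// VerifyWrite probes the destination with the .write-test artifact before a
// renewal, so an unwritable path fails here instead of after new certs exist.
func VerifyWrite(d MemDestination) error {
	return d.Write(WriteTestKey, []byte{})
}

// LoadArtifacts reads every artifact matching kinds, falling back to OldKey
// and skipping a missing Optional one; any other missing artifact is fatal.
func LoadArtifacts(d MemDestination, kinds ...ArtifactKind) (map[string][]byte, error) {
	out := map[string][]byte{}
	for i := range artifacts {
		a := &artifacts[i]
		if !a.Matches(kinds...) {
			continue
		}
		b, ok := d.Read(a.Key)
		if !ok && a.OldKey != "" {
			b, ok = d.Read(a.OldKey)
		}
		if !ok && a.Optional {
			continue
		}
		if !ok {
			return nil, fmt.Errorf("required artifact %q is missing", a.Key)
		}
		out[a.Key] = b
	}
	return out, nil
}

func main() {
	fmt.Println(VerifyWrite(MemDestination{}), VerifyWrite(nil))
}
```

The two behaviours worth noticing are the ones that matter for a credential store: a bot-internal artifact is only loaded when its kind is requested, so an end-user destination never depends on the token hash, and a required artifact that is missing (after the OldKey fallback) aborts the whole load rather than yielding a half-populated identity.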

type Identity

type Identity struct {
	// PrivateKeyBytes is a PEM encoded private key
	PrivateKeyBytes []byte
	// PublicKeyBytes contains bytes of the original SSH public key
	PublicKeyBytes []byte
	// CertBytes is the encoded SSH certificate (a user certificate for the bot,
	// not a host certificate)
	CertBytes []byte
	// TLSCertBytes is a PEM encoded TLS x509 client certificate
	TLSCertBytes []byte
	// TLSCACertsBytes is a list of PEM encoded TLS x509 certificates of the
	// certificate authorities associated with auth server services
	TLSCACertsBytes [][]byte
	// SSHCACertBytes is a list of SSH CAs encoded in the authorized_keys format.
	SSHCACertBytes [][]byte
	// KeySigner is an SSH certificate signer
	KeySigner ssh.Signer
	// SSHCert is a parsed SSH certificate
	SSHCert *ssh.Certificate
	// X509Cert is an X509 client certificate
	X509Cert *x509.Certificate
	// ClusterName is the name of the host's cluster
	ClusterName string
	// TokenHashBytes is the hash of the original join token
	TokenHashBytes []byte
}

Identity is a collection of certificates and signers that represent the bot's identity. It is derived from Teleport's usual auth.Identity with small modifications to work with user rather than host certificates.

func LoadIdentity

func LoadIdentity(d bot.Destination, kinds ...ArtifactKind) (*Identity, error)

LoadIdentity loads a bot identity from a destination.

func ReadIdentityFromStore

func ReadIdentityFromStore(params *LoadIdentityParams, certs *proto.Certs, kinds ...ArtifactKind) (*Identity, error)

ReadIdentityFromStore reads stored identity credentials

func (*Identity) HasDNSNames

func (i *Identity) HasDNSNames(dnsNames []string) bool

HasDNSNames returns true if the TLS certificate has all of the required DNS names.

func (*Identity) HasPrincipals

func (i *Identity) HasPrincipals(additionalPrincipals []string) bool

HasPrincipals returns true if the SSH certificate's principals include every name in additionalPrincipals.

func (*Identity) HasTLSConfig

func (i *Identity) HasTLSConfig() bool

HasTLSConfig returns true if this identity has a TLS certificate and private key.

func (*Identity) Params

func (i *Identity) Params() *LoadIdentityParams

Params returns the LoadIdentityParams for this Identity, which are the local-only parameters to be carried over to a renewed identity.

func (*Identity) SSHClientConfig

func (i *Identity) SSHClientConfig() (*ssh.ClientConfig, error)

SSHClientConfig returns a ssh.ClientConfig used by the bot to connect to the reverse tunnel server.

func (*Identity) String

func (i *Identity) String() string

String returns user-friendly representation of the identity.

func (*Identity) TLSConfig

func (i *Identity) TLSConfig(cipherSuites []uint16) (*tls.Config, error)

TLSConfig returns a TLS config for mutual TLS authentication. It can return a NotFound error if no TLS credentials are set up for the identity.
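A worked TLS-side example covering ReadTLSIdentityFromKeyPair, HasDNSNames, HasTLSConfig and TLSConfig. This is added example code, not the project's implementation: it models an Identity with only the TLS fields, mints a throwaway CA and client leaf in memory as constructed input (mintTestIdentity is this example's own helper), and additionally refuses a key that does not match the certificate or a certificate that does not chain to the supplied tlscacerts, which the page does not state the project's function does. The ClientAuth extended-key-usage check and the TLS 1.2 minimum version are likewise this example's choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Identity keeps the TLS fields documented on this page plus parsed forms.
type Identity struct {
	PrivateKeyBytes []byte
	TLSCertBytes    []byte
	TLSCACertsBytes [][]byte
	X509Cert        *x509.Certificate
	pair            tls.Certificate
	roots           *x509.CertPool
}

// ReadTLSIdentityFromKeyPair parses the PEM key, leaf cert and CA bundle. Rejecting a
// key/cert mismatch or a leaf that does not chain to tlscacerts is this example's addition.
func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byte) (*Identity, error) {
	pair, err := tls.X509KeyPair(certBytes, keyBytes)
	if err != nil {
		return nil, fmt.Errorf("tlscert does not match key: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	for _, ca := range caCertsBytes {
		if !roots.AppendCertsFromPEM(ca) {
			return nil, fmt.Errorf("tlscacerts: no CA certificate found in PEM")
		}
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("tlscert does not chain to tlscacerts: %w", err)
	}
	return &Identity{PrivateKeyBytes: keyBytes, TLSCertBytes: certBytes, TLSCACertsBytes: caCertsBytes, X509Cert: cert, pair: pair, roots: roots}, nil
}

// HasDNSNames reports whether every required name is a SAN of the leaf certificate.
func (i *Identity) HasDNSNames(dnsNames []string) bool {
	if i.X509Cert == nil {
		return false
	}
	have := map[string]bool{}
	for _, n := range i.X509Cert.DNSNames {
		have[n] = true
	}
	for _, n := range dnsNames {
		if !have[n] {
			return false
		}
	}
	return true
}

// TLSConfig builds the mutual-TLS client config: present the identity, trust only the stored CAs.
func (i *Identity) TLSConfig() (*tls.Config, error) {
	if i.X509Cert == nil || i.roots == nil {
		return nil, fmt.Errorf("identity has no TLS credentials")
	}
	return &tls.Config{Certificates: []tls.Certificate{i.pair}, RootCAs: i.roots, MinVersion: tls.VersionTLS12}, nil
}

// mintTestIdentity is constructed test input: a throwaway CA plus a client leaf with the given SANs.
func mintTestIdentity(dnsNames []string) (keyPEM, certPEM, caPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "tbot"}, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	caDER, err1 := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leafDER, err2 := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	keyDER, err3 := x509.MarshalECPrivateKey(leafKey)
	if err1 != nil || err2 != nil || err3 != nil {
		panic("minting test certificates failed")
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}

func main() {
	key, cert, ca := mintTestIdentity([]string{"bot.example.com"})
	fmt.Println(ReadTLSIdentityFromKeyPair(key, cert, [][]byte{ca}))
}
```

The guard in TLSConfig matters: a tls.Config whose RootCAs is nil silently falls back to the system trust store, so a bot that lost its tlscacerts would accept any publicly trusted server instead of only the cluster's CAs. Failing closed there is the behaviour the documented NotFound error gives.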

type LoadIdentityParams

type LoadIdentityParams struct {
	PrivateKeyBytes []byte
	PublicKeyBytes  []byte
	TokenHashBytes  []byte
}

LoadIdentityParams contains parameters beyond proto.Certs needed to load a stored identity.
