Documentation

Functions

func CertificatesFromHeader

func CertificatesFromHeader(headerData string) (certs []*x509.Certificate, err error)

    CertificatesFromHeader retrieves the certificates from the HTTP header `X-TLS-Client-Certificate`.

    The header itself is not authenticated: anything that can reach the service can set it. It is only meaningful when a proxy that performs mTLS authentication sits in front of the service and sets the header on every request it forwards. See the note on the header-preferring functions below.

func CertificatesFromHeaderThenTLSState

func CertificatesFromHeaderThenTLSState(state *tls.ConnectionState, headerData string) (certs []*x509.Certificate, err error)

    CertificatesFromHeaderThenTLSState retrieves the certificates first from the header `X-TLS-Client-Certificate` and then from the TLS connection state, in that order.

    Note: Using this function on a service directly reachable from the internet is extremely dangerous. It assumes the certificate carried in the header has already been validated by a third party and treats it purely as informative data. To use this function securely, a service whose mTLS authenticator prefers the header must be placed behind a proxy that performs mTLS authentication first and sets the header itself.

func CertificatesFromTLSState

func CertificatesFromTLSState(state *tls.ConnectionState) (certs []*x509.Certificate, err error)

    CertificatesFromTLSState retrieves the certificates from the TLS connection state. This is the only retrieval function that does not read the header, and therefore the only one that is safe for a service without a trusted mTLS-terminating proxy in front of it.

func CertificatesFromTLSStateThenHeader

func CertificatesFromTLSStateThenHeader(state *tls.ConnectionState, headerData string) (certs []*x509.Certificate, err error)

    CertificatesFromTLSStateThenHeader retrieves the certificates first from the TLS connection state and then from the header `X-TLS-Client-Certificate`, in that order.

    Note: Using this function on a service directly reachable from the internet is extremely dangerous. It assumes the certificate carried in the header has already been validated by a third party and treats it purely as informative data. To use this function securely, a service whose mTLS authenticator falls back to the header must be placed behind a proxy that performs mTLS authentication first and sets the header itself.
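The notes above describe the trust boundary but not how to enforce it. The following is an added example, not code from the bahamut package: an http.Handler wrapper that deletes `X-TLS-Client-Certificate` from any request that did not arrive from a configured proxy network, so that a header-preferring check mode can only ever see a header the proxy put there. The proxy CIDRs, the `probe` helper and the request addresses are constructed for the example; the header name is the one named on this page.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// clientCertHeader is the header the page's header-based functions read.
const clientCertHeader = "X-TLS-Client-Certificate"

// parseTrustedProxies turns CIDR strings into networks. Only connections
// originating from these networks may present the client certificate header.
func parseTrustedProxies(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// peerIsTrustedProxy reports whether remoteAddr (http.Request.RemoteAddr,
// normally "ip:port") belongs to one of the trusted proxy networks.
func peerIsTrustedProxy(remoteAddr string, proxies []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present, treat the whole string as the IP
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range proxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// dropUntrustedClientCertHeader removes X-TLS-Client-Certificate from every
// request that did not come from a trusted proxy, so the header a client
// chooses to send never reaches a header-preferring certificate check.
func dropUntrustedClientCertHeader(next http.Handler, proxies []*net.IPNet) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !peerIsTrustedProxy(r.RemoteAddr, proxies) {
			r.Header.Del(clientCertHeader)
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the middleware and returns the
// header value the protected handler actually observed ("" when stripped).
func probe(proxies []*net.IPNet, remoteAddr, headerValue string) string {
	var seen string
	h := dropUntrustedClientCertHeader(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get(clientCertHeader)
	}), proxies)
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set(clientCertHeader, headerValue)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	// Constructed configuration: the mTLS-terminating proxy lives in 10.0.0.0/8.
	proxies, err := parseTrustedProxies([]string{"10.0.0.0/8", "127.0.0.1/32"})
	if err != nil {
		panic(err)
	}
	// A direct client trying to spoof the header, then the real proxy.
	fmt.Printf("direct client, handler sees: %q\n", probe(proxies, "203.0.113.7:4444", "forged-cert"))
	fmt.Printf("via proxy, handler sees:     %q\n", probe(proxies, "10.1.2.3:5555", "proxy-supplied-cert"))
}
```

Stripping on the service side is only half of the control: the proxy must also set the header unconditionally on every forwarded request, overwriting whatever the client sent, otherwise a client behind the proxy can still inject its own value. Where no such proxy exists at all, only the TLS-state-only mode of retrieval is safe.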

func NewMTLSAuthorizer

func NewMTLSAuthorizer(
	verifyOptions x509.VerifyOptions,
	deciderFunc DeciderFunc,
	ignoredIdentities []elemental.Identity,
	certVerifier VerifierFunc,
	certificateCheckMode CertificateCheckMode,
) bahamut.Authorizer

    NewMTLSAuthorizer returns a new Authorizer that ensures the client certificate can be verified using the given x509.VerifyOptions. The Authorizer does not enforce this for the identities listed in ignoredIdentities.

    deciderFunc is the DeciderFunc used to return the actual action you want the Authorizer to return. certVerifier is a VerifierFunc for additional custom checks on the certificate, and certificateCheckMode selects where the certificate is read from (see CertificateCheckMode).

func NewMTLSRequestAuthenticator

func NewMTLSRequestAuthenticator(
	verifyOptions x509.VerifyOptions,
	deciderFunc DeciderFunc,
	certVerifier VerifierFunc,
	certificateCheckMode CertificateCheckMode,
) bahamut.RequestAuthenticator

    NewMTLSRequestAuthenticator returns a new RequestAuthenticator that ensures the client certificate can be verified using the given x509.VerifyOptions. Unlike NewMTLSAuthorizer it takes no ignoredIdentities, so there is no per-identity exemption.

    deciderFunc is the DeciderFunc used to return the actual action you want the RequestAuthenticator to return. certVerifier and certificateCheckMode have the same meaning as for NewMTLSAuthorizer.

func NewMTLSSessionAuthenticator

func NewMTLSSessionAuthenticator(
	verifyOptions x509.VerifyOptions,
	deciderFunc DeciderFunc,
	certVerifier VerifierFunc,
	certificateCheckMode CertificateCheckMode,
) bahamut.SessionAuthenticator

    NewMTLSSessionAuthenticator returns a new SessionAuthenticator that ensures the client certificate can be verified using the given x509.VerifyOptions. Unlike NewMTLSAuthorizer it takes no ignoredIdentities, so there is no per-identity exemption.

    deciderFunc is the DeciderFunc used to return the actual action you want the SessionAuthenticator to return. certVerifier and certificateCheckMode have the same meaning as for NewMTLSAuthorizer.

Types

type CertificateCheckMode

type CertificateCheckMode int

    CertificateCheckMode represents where the authenticator or authorizer looks for the client certificate.

const (
	CertificateCheckModeTLSStateOnly CertificateCheckMode = iota
	CertificateCheckModeTLSStateThenHeader
	CertificateCheckModeHeaderThenTLSState
	CertificateCheckModeHeaderOnly
)

    Values for CertificateCheckMode. CertificateCheckModeTLSStateOnly reads the certificate only from the TLS connection state and is the only mode that never trusts the `X-TLS-Client-Certificate` header. The other three read the header (first, as a fallback, or exclusively) and carry the caveat described on CertificatesFromHeaderThenTLSState: they are only safe behind a proxy that performs mTLS authentication and sets the header itself.

type DeciderFunc

    DeciderFunc is the type of function to pass to decide what bahamut.Action to return after the mTLS check is done. It is given the mTLS result action and either the bahamut.Context or the bahamut.Session, according to the kind of authorization: when a bahamut.Context is given, the bahamut.Session is nil, and vice versa.

type VerifierFunc

type VerifierFunc func(*x509.Certificate) bool

    VerifierFunc is the type of function you can pass to do custom verification on the certificate, such as checking its Subject DN. Return true to accept the certificate and false to reject it.
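The following is an added example, not the package's own code. It shows the two checks the constructors above combine: chain verification of a client certificate against x509.VerifyOptions, then a VerifierFunc that inspects the Subject DN. It builds throwaway CA and leaf certificates in memory, so the CA names, the OU policy and the helper names (template, issue, clientAuthOptions, ouVerifier, checkClientCert) are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifierFunc mirrors the page's type so this example runs stand-alone.
type VerifierFunc func(*x509.Certificate) bool

// template describes a constructed test certificate: a signing CA when isCA
// is set, otherwise a leaf limited to TLS client authentication with one OU.
func template(cn, ou string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.Subject.OrganizationalUnit = []string{ou}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and
// returns the parsed certificate together with its freshly generated key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientAuthOptions builds the x509.VerifyOptions an authorizer would be
// given: the trusted roots plus a client-authentication extended key usage.
func clientAuthOptions(roots ...*x509.Certificate) x509.VerifyOptions {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
}

// ouVerifier is a VerifierFunc accepting only certificates whose Subject
// carries one of the allowed OrganizationalUnit values (a DN check).
func ouVerifier(allowed ...string) VerifierFunc {
	return func(c *x509.Certificate) bool {
		for _, have := range c.Subject.OrganizationalUnit {
			for _, want := range allowed {
				if have == want {
					return true
				}
			}
		}
		return false
	}
}

// checkClientCert runs chain verification against opts first, then the
// custom VerifierFunc; a nil verifier means chain verification alone.
func checkClientCert(cert *x509.Certificate, opts x509.VerifyOptions, verifier VerifierFunc) error {
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if verifier != nil && !verifier(cert) {
		return fmt.Errorf("certificate %q rejected by custom verifier", cert.Subject.CommonName)
	}
	return nil
}

func main() {
	ca, caKey, _ := issue(template("Trusted Client CA", "", true), nil, nil)
	rogue, rogueKey, _ := issue(template("Rogue CA", "", true), nil, nil)
	alice, _, _ := issue(template("alice", "ops", false), ca, caKey)       // valid
	mallory, _, _ := issue(template("mallory", "ops", false), rogue, rogueKey) // untrusted CA
	bob, _, _ := issue(template("bob", "finance", false), ca, caKey)       // wrong OU
	opts, verifier := clientAuthOptions(ca), ouVerifier("ops")
	for _, c := range []*x509.Certificate{alice, mallory, bob} {
		fmt.Printf("%s: %v\n", c.Subject.CommonName, checkClientCert(c, opts, verifier))
	}
}
```

The ordering matters: the VerifierFunc only sees certificates whose chain already terminates in a configured root, so a DN check can never turn an untrusted certificate into a trusted one, and a passing chain can still be narrowed by policy.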