mtls

package
v1.148.0
Published: Aug 11, 2023 License: Apache-2.0 Imports: 8 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CertificatesFromHeader

func CertificatesFromHeader(headerData string) (certs []*x509.Certificate, err error)

CertificatesFromHeader retrieves the certificates from the http header `X-TLS-Client-Certificate`.

func CertificatesFromHeaderThenTLSState

func CertificatesFromHeaderThenTLSState(state *tls.ConnectionState, headerData string) (certs []*x509.Certificate, err error)

CertificatesFromHeaderThenTLSState retrieves the certificates from the header `X-TLS-Client-Certificate` first and, if none are found there, from the tls connection state.

Note: Using this function on a service directly reachable from the internet is extremely dangerous, as it assumes the given certificate has already been validated by a third party and is only used as informative data. To use this function securely, a service using an mtls authenticator that prefers the header must be behind a proxy that performs mtls authentication first.

func CertificatesFromTLSState

func CertificatesFromTLSState(state *tls.ConnectionState) (certs []*x509.Certificate, err error)

CertificatesFromTLSState retrieves the certificates from the tls connection state.

func CertificatesFromTLSStateThenHeader

func CertificatesFromTLSStateThenHeader(state *tls.ConnectionState, headerData string) (certs []*x509.Certificate, err error)

CertificatesFromTLSStateThenHeader retrieves the certificates from the tls connection state first and, if none are found there, from the header `X-TLS-Client-Certificate`.

Note: Using this function on a service directly reachable from the internet is extremely dangerous, as it assumes the given certificate has already been validated by a third party and is only used as informative data. To use this function securely, a service using an mtls authenticator that prefers the header must be behind a proxy that performs mtls authentication first.

func NewMTLSAuthorizer

func NewMTLSAuthorizer(
	verifyOptions x509.VerifyOptions,
	deciderFunc DeciderFunc,
	ignoredIdentities []elemental.Identity,
	certVerifier VerifierFunc,
	certificateCheckMode CertificateCheckMode,
) bahamut.Authorizer

NewMTLSAuthorizer returns a new Authorizer that ensures the client certificate can be verified using the given x509.VerifyOptions. The Authorizer will not enforce this for identities given by ignoredIdentities.

deciderFunc is the DeciderFunc used to return the actual action you want the Authorizer to return.

func NewMTLSRequestAuthenticator

func NewMTLSRequestAuthenticator(
	verifyOptions x509.VerifyOptions,
	deciderFunc DeciderFunc,
	certVerifier VerifierFunc,
	certificateCheckMode CertificateCheckMode,
) bahamut.RequestAuthenticator

NewMTLSRequestAuthenticator returns a new Authenticator that ensures the client certificate can be verified using the given x509.VerifyOptions. The Authenticator will not enforce this for identities given by ignoredIdentities.

deciderFunc is the DeciderFunc used to return the actual action you want the RequestAuthenticator to return.

func NewMTLSSessionAuthenticator

func NewMTLSSessionAuthenticator(
	verifyOptions x509.VerifyOptions,
	deciderFunc DeciderFunc,
	certVerifier VerifierFunc,
	certificateCheckMode CertificateCheckMode,
) bahamut.SessionAuthenticator

NewMTLSSessionAuthenticator returns a new Authenticator that ensures the client certificate can be verified using the given x509.VerifyOptions. The Authenticator will not enforce this for identities given by ignoredIdentities.

deciderFunc is the DeciderFunc used to return the actual action you want the SessionAuthenticator to return.

Types

type CertificateCheckMode

type CertificateCheckMode int

CertificateCheckMode represents the mode to use to check the certificate.

const (
	CertificateCheckModeTLSStateOnly CertificateCheckMode = iota
	CertificateCheckModeTLSStateThenHeader
	CertificateCheckModeHeaderThenTLSState
	CertificateCheckModeHeaderOnly
)

Various values for CertificateCheckMode.

type DeciderFunc

DeciderFunc is the type of function to pass to decide what bahamut.Action to return after the MTLS check is done. It is given the mtls result action and either the bahamut.Context or the bahamut.Session, according to the kind of authorization: if a bahamut.Context is given, bahamut.Session is nil, and vice versa.

type VerifierFunc

type VerifierFunc func(*x509.Certificate) bool

VerifierFunc is the type of function you can pass to do custom verification on the certificates, like checking against a certificate revocation list. Note that CRL checking is not done by Go when using x509.VerifyOptions; if you need advanced CRL checks you must implement them in a VerifierFunc.
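The following is an added example, not code from the bahamut package, illustrating the note on CertificatesFromTLSStateThenHeader and the CRL remark on VerifierFunc. It assumes a header wire format the page does not specify (one URL-encoded PEM certificate), and the names certsFromHeader, clientCertificates, verifyClient, mustCert and Scenario are ours. The point it makes: a certificate read from `X-TLS-Client-Certificate` is only an assertion by whoever set the header, so the service must still chain it to its trusted roots with x509.VerifyOptions and require the client-auth EKU, and because Go's Verify does no revocation checking, the revocation lookup has to live in the custom verifier callback (the role the page's VerifierFunc plays). The CA, the clients and the revocation list are all constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// certsFromHeader parses the certificate a fronting proxy put in X-TLS-Client-Certificate.
// Assumed wire format (ours, not bahamut's documented one): one URL-encoded PEM block.
func certsFromHeader(headerData string) ([]*x509.Certificate, error) {
	raw, err := url.QueryUnescape(headerData)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no PEM certificate in X-TLS-Client-Certificate header")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{c}, nil
}

// clientCertificates is the TLS-state-then-header order: the chain the TLS layer authenticated wins.
func clientCertificates(state *tls.ConnectionState, header string) ([]*x509.Certificate, error) {
	if state != nil && len(state.PeerCertificates) > 0 {
		return state.PeerCertificates, nil
	}
	return certsFromHeader(header)
}

// verifyClient is what the authorizer must still do whatever the chain's source: chain the leaf
// to opts.Roots, require the client-auth EKU, then run the verifier (Go does no CRL checking).
// verifier plays the role of the page's VerifierFunc.
func verifyClient(certs []*x509.Certificate, opts x509.VerifyOptions, verifier func(*x509.Certificate) bool) error {
	opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if _, err := certs[0].Verify(opts); err != nil {
		return err
	}
	if verifier != nil && !verifier(certs[0]) {
		return errors.New("certificate rejected by verifier")
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert issues a constructed in-memory certificate for the scenario (self-signed when parent is nil).
func mustCert(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenario runs a valid, a revoked and a self-signed client through lookup plus verification with
// no TLS state (the proxy terminated TLS); a nil value means the client was accepted.
func Scenario() map[string]error {
	ca, caKey := mustCert("demo-ca", 1, true, nil, nil)
	alice, _ := mustCert("alice", 7, false, ca, caKey)
	bob, _ := mustCert("bob", 42, false, ca, caKey)
	mallory, _ := mustCert("alice", 7, false, nil, nil) // same subject and serial, self-signed
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	notRevoked := func(c *x509.Certificate) bool { return c.SerialNumber.Int64() != 42 } // constructed CRL: serial 42
	header := func(c *x509.Certificate) string { // what our assumed proxy would send
		return url.QueryEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
	}
	check := func(hdr string) error {
		certs, err := clientCertificates(nil, hdr)
		if err != nil {
			return err
		}
		return verifyClient(certs, x509.VerifyOptions{Roots: roots}, notRevoked)
	}
	return map[string]error{
		"valid":   check(header(alice)),
		"forged":  check(header(mallory)),
		"revoked": check(header(bob)),
		"missing": check(""), // neither TLS state nor header: fail closed
	}
}
```

Only "valid" comes back nil: the self-signed impostor fails chain building even though its subject matches a legitimate client, the revoked client passes x509 verification and is stopped only by the verifier callback, and an empty header with no TLS state is rejected rather than treated as anonymous. Behind a proxy that has already done mTLS, the header path is sound precisely because this same verification is repeated on the service side; exposed directly, anyone who can set the header controls the identity the service sees.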
