policyserver

package v0.1.3

Warning: this package is not in the latest version of its module.

Published: Nov 22, 2025 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	// ErrUnauthorized indicates token is invalid or expired (401)
	ErrUnauthorized = &PolicyError{StatusCode: http.StatusUnauthorized, Message: "Unauthorized"}

	// ErrForbidden indicates token valid but access denied by policy (403)
	ErrForbidden = &PolicyError{StatusCode: http.StatusForbidden, Message: "Forbidden"}
)

Standard errors for policy evaluation

Functions

func Forbidden

func Forbidden(message string) error

Forbidden returns a 403 error with the given message

func InternalError

func InternalError(message string) error

InternalError returns a 500 error with the given message

func NewHandler

func NewHandler(config Config) http.HandlerFunc

NewHandler creates an HTTP handler for the policy server. The handler:

1. Parses the request body (token, signature, connection)
2. Verifies the CA signature (if CAPublicKey is provided)
3. Calls the evaluator to make the authorization decision
4. Returns the appropriate HTTP response (200 with policy, or an error)

func Unauthorized

func Unauthorized(message string) error

Unauthorized returns a 401 error with the given message

Types

type Config

type Config struct {
	// CAPublicKey is the CA's SSH public key for verifying request signatures.
	// If empty, signature verification is skipped (not recommended for production).
	CAPublicKey sshcert.RawPublicKey

	// Evaluator makes authorization decisions
	Evaluator PolicyEvaluator

	// MaxRequestSize limits the request body size (default: 8192 bytes)
	MaxRequestSize int64
}

Config configures the policy server HTTP handler

type PolicyError

type PolicyError struct {
	StatusCode int
	Message    string
}

PolicyError represents a policy evaluation error with HTTP status code

func (*PolicyError) Error

func (e *PolicyError) Error() string

type PolicyEvaluator

type PolicyEvaluator interface {
	// Evaluate makes an authorization decision for the given token and connection.
	// Returns:
	// - *Response: Certificate parameters and policy if authorized
	// - error: If authorization denied or validation failed
	//
	// Error handling:
	// - Return ErrUnauthorized (401) if token is invalid/expired
	// - Return ErrForbidden (403) if token valid but access denied by policy
	// - Return other errors (500) for internal errors
	Evaluate(token string, conn policy.Connection) (*Response, error)
}

PolicyEvaluator makes authorization decisions based on token and connection details. Implementations must:

- Validate the authentication token (e.g., verify the OIDC JWT signature)
- Make the authorization decision (allow/deny)
- Return certificate parameters (principals, expiration, extensions) and policy (hostPattern)
- Return appropriate errors for the different failure modes
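The following is an added example, not code from the policyserver package or its documentation: a minimal evaluator that follows the error contract above (401 for an invalid or expired token, 403 for a policy denial, 500 for an internal failure), plus the error-to-status mapping NewHandler is documented as applying. Connection and Response are simplified stand-ins for policy.Connection and policyserver.Response, whose fields this page does not show, and the "user@expiry" token format is constructed for the demo in place of a real OIDC JWT.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path"
	"strconv"
	"strings"
	"time"
)

// PolicyError and the two sentinel errors are copied from the page so this file runs stand-alone; real code imports them from policyserver.
type PolicyError struct{ StatusCode int; Message string }

func (e *PolicyError) Error() string { return e.Message }

var (
	ErrUnauthorized = &PolicyError{StatusCode: http.StatusUnauthorized, Message: "Unauthorized"}
	ErrForbidden    = &PolicyError{StatusCode: http.StatusForbidden, Message: "Forbidden"}
)

// Stand-ins (assumptions) for policy.Connection and policyserver.Response, whose fields the page omits.
type Connection struct{ Host string }
type Response struct{ Principals []string; HostPattern string }

// DemoEvaluator accepts constructed tokens "user@<unix expiry>" (a real evaluator
// verifies an OIDC JWT) and grants each user one host glob; Now is an injected clock.
type DemoEvaluator struct{ Allowed map[string]string; Now func() time.Time }

func (d DemoEvaluator) Evaluate(token string, conn Connection) (*Response, error) {
	user, expStr, ok := strings.Cut(token, "@")
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if !ok || err != nil || !d.Now().Before(time.Unix(exp, 0)) {
		return nil, ErrUnauthorized // malformed or expired token: 401
	}
	// An unknown user has the empty pattern, which matches no host.
	matched, err := path.Match(d.Allowed[user], conn.Host)
	if err != nil {
		return nil, fmt.Errorf("bad host pattern for %s: %w", user, err) // internal: 500
	}
	if !matched {
		return nil, ErrForbidden // token valid but host not granted to this user: 403
	}
	return &Response{Principals: []string{user}, HostPattern: d.Allowed[user]}, nil
}

// StatusFor is the mapping the handler applies: a PolicyError carries its own status code, any other error becomes 500.
func StatusFor(err error) int {
	var pe *PolicyError
	if errors.As(err, &pe) {
		return pe.StatusCode
	}
	return http.StatusInternalServerError
}
```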

type Request

type Request struct {
	Token      string            `json:"token"`
	Signature  string            `json:"signature"`
	Connection policy.Connection `json:"connection"`
}

Request from CA to policy server

type Response

type Response struct {
	CertParams ca.CertParams `json:"certParams"`
	Policy     policy.Policy `json:"policy"`
}

Response from policy server to CA
