Documentation
¶
Index ¶
- type AuthToken
- type BootstrapAuth
- type CA
- func (c *CA) FetchDiscovery(ctx context.Context) (*DiscoveryResponse, error)
- func (c *CA) PolicyURL() string
- func (c *CA) PublicKey() sshcert.RawPublicKey
- func (c *CA) RequestPolicy(ctx context.Context, token string, conn policy.Connection) (*PolicyResponse, error)
- func (c *CA) SignPublicKey(rawPubKey sshcert.RawPublicKey, params *CertParams) (sshcert.RawCertificate, error)
- type CertParams
- type DiscoveryResponse
- type Option
- type PolicyError
- type PolicyResponse
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthToken ¶
AuthToken is the token passed from the plugin through to the CA (and to the ca verifier plugin matching Provider). Token is opaque and can hold whatever the plugins need it to.
type BootstrapAuth ¶ added in v0.14.0
type BootstrapAuth struct {
Type string `json:"type"`
Issuer string `json:"issuer,omitempty"`
ClientID string `json:"client_id,omitempty"`
ClientSecret string `json:"client_secret,omitempty"`
Scopes []string `json:"scopes,omitempty"`
Command string `json:"command,omitempty"`
}
BootstrapAuth represents the auth configuration from the policy server.
type CA ¶
type CA struct {
// contains filtered or unexported fields
}
CA performs CA operations.
func (*CA) FetchDiscovery ¶ added in v0.14.0
func (c *CA) FetchDiscovery(ctx context.Context) (*DiscoveryResponse, error)
FetchDiscovery fetches discovery data from the policy server. Uses HTTP caching (Cache-Control headers) to avoid unnecessary requests. The request is signed with RFC 9421 HTTP Message Signatures.
The signature has a 30s expiry while the cache TTL is 300s. This is safe because httpcache serves directly from cache during max-age and creates a fresh (newly signed) request after the cache expires.
func (*CA) PublicKey ¶
func (c *CA) PublicKey() sshcert.RawPublicKey
PublicKey returns the ssh on-disk format public key for the CA.
func (*CA) RequestPolicy ¶
func (c *CA) RequestPolicy(ctx context.Context, token string, conn policy.Connection) (*PolicyResponse, error)
RequestPolicy requests policy from the policy server for a cert request. The request is signed with RFC 9421 HTTP Message Signatures.
func (*CA) SignPublicKey ¶
func (c *CA) SignPublicKey(rawPubKey sshcert.RawPublicKey, params *CertParams) (sshcert.RawCertificate, error)
SignPublicKey signs a key to generate a certificate.
type CertParams ¶
type CertParams struct {
Identity string `json:"identity"`
Names []string `json:"principals"`
Expiration time.Duration `json:"expiration"`
Extensions map[string]string `json:"extensions"`
}
CertParams are options which can be set on a certificate.
type DiscoveryResponse ¶ added in v0.14.0
type DiscoveryResponse struct {
Auth *BootstrapAuth `json:"auth"`
MatchPatterns []string `json:"matchPatterns,omitempty"`
// CacheControl is the Cache-Control header from the policy server response.
// Not serialized to JSON — used by the CA server to pass through to clients.
CacheControl string `json:"-"`
}
DiscoveryResponse is the discovery data fetched from the policy server.
type Option ¶
type Option interface {
// contains filtered or unexported methods
}
Option configures the CA.
func WithHTTPClient ¶
WithHTTPClient configures the CA to use the specified HTTP Client.
func WithLogger ¶ added in v0.3.3
WithLogger configures the CA to use the specified logger.
func WithTLSConfig ¶ added in v0.1.4
WithTLSConfig creates an HTTP client with the specified TLS configuration.
type PolicyError ¶ added in v0.1.1
PolicyError represents an error from the policy server. The CA server should return the same status code to the client.
func (*PolicyError) Error ¶ added in v0.1.1
func (e *PolicyError) Error() string
type PolicyResponse ¶ added in v0.1.1
type PolicyResponse struct {
CertParams CertParams `json:"certParams"`
Policy policy.Policy `json:"policy"`
}
PolicyResponse is the response from the policy server, containing both the certificate parameters and the policy.
Source Files