Documentation
Index
- Variables
- func DefaultExpiration() string
- func DefaultExtensions() map[string]string
- func Forbidden(message string) error
- func InternalError(message string) error
- func NewHandler(config Config) http.HandlerFunc
- func Unauthorized(message string) error
- func ValidateDuration(d string) error
- type Config
- type DefaultPolicy
- type HostPolicy
- type OIDCConfig
- type PolicyError
- type PolicyEvaluator
- type PolicyRulesConfig
- type Request
- type Response
Constants
This section is empty.
Variables
var (
	ErrUnauthorized = &PolicyError{StatusCode: http.StatusUnauthorized, Message: "Unauthorized"}
	// ErrForbidden indicates token valid but access denied by policy (403)
	ErrForbidden = &PolicyError{StatusCode: http.StatusForbidden, Message: "Forbidden"}
)
Standard errors for policy evaluation.
Functions
func DefaultExpiration added in v0.1.8
func DefaultExpiration() string
DefaultExpiration returns the default certificate expiration duration.
func DefaultExtensions added in v0.1.8
func DefaultExtensions() map[string]string
DefaultExtensions returns the default SSH certificate extensions.
func InternalError
func InternalError(message string) error
InternalError returns a 500 error with the given message.
func NewHandler
func NewHandler(config Config) http.HandlerFunc
NewHandler creates an HTTP handler for the policy server. The handler:
1. Parses the request body (token, signature, connection)
2. Verifies the CA signature (if CAPublicKey is provided)
3. Calls the evaluator to make the authorization decision
4. Returns the appropriate HTTP response (200 with policy, or an error)
func Unauthorized
func Unauthorized(message string) error
Unauthorized returns a 401 error with the given message.
func ValidateDuration added in v0.1.8
func ValidateDuration(d string) error
ValidateDuration checks whether a duration string is valid.
Types
type Config
type Config struct {
// CAPublicKey is the CA's SSH public key for verifying request signatures.
// If empty, signature verification is skipped (not recommended for production).
CAPublicKey sshcert.RawPublicKey
// Evaluator makes authorization decisions
Evaluator PolicyEvaluator
// MaxRequestSize limits the request body size (default: 8192 bytes)
MaxRequestSize int64
}
Config configures the policy server HTTP handler
type DefaultPolicy added in v0.1.8
type DefaultPolicy struct {
Allow map[string][]string `yaml:"allow,omitempty" json:"allow,omitempty"` // principal → allowed tags
Expiration string `yaml:"expiration,omitempty" json:"expiration,omitempty"` // Default cert expiration (e.g., "5m")
Extensions map[string]string `yaml:"extensions,omitempty" json:"extensions,omitempty"` // Default cert extensions
}
DefaultPolicy defines default policy settings
type HostPolicy added in v0.1.8
type HostPolicy struct {
Allow map[string][]string `yaml:"allow,omitempty" json:"allow,omitempty"` // principal → allowed tags
Expiration string `yaml:"expiration,omitempty" json:"expiration,omitempty"` // Override expiration
Extensions map[string]string `yaml:"extensions,omitempty" json:"extensions,omitempty"` // Override extensions
}
HostPolicy defines per-host policy overrides
type OIDCConfig added in v0.1.8
type OIDCConfig struct {
Issuer string `yaml:"issuer" json:"issuer"`
Audience string `yaml:"audience" json:"audience"`
}
OIDCConfig represents OIDC configuration for token validation
type PolicyError
PolicyError represents a policy evaluation error with an HTTP status code.
func (*PolicyError) Error
func (e *PolicyError) Error() string
type PolicyEvaluator
type PolicyEvaluator interface {
// Evaluate makes an authorization decision for the given token and connection.
// Returns:
// - *Response: Certificate parameters and policy if authorized
// - error: If authorization denied or validation failed
//
// Error handling:
// - Return ErrUnauthorized (401) if token is invalid/expired
// - Return ErrForbidden (403) if token valid but access denied by policy
// - Return other errors (500) for internal errors
Evaluate(token string, conn policy.Connection) (*Response, error)
}
PolicyEvaluator makes authorization decisions based on token and connection details. Implementations must:
- Validate the authentication token (e.g., verify the OIDC JWT signature)
- Make the authorization decision (allow/deny)
- Return certificate parameters (principals, expiration, extensions) and policy (hostPattern)
- Return appropriate errors for different failure modes
type PolicyRulesConfig added in v0.1.8
type PolicyRulesConfig struct {
CAPublicKey string `yaml:"ca_public_key" json:"ca_public_key"`
OIDC OIDCConfig `yaml:"oidc" json:"oidc"`
Users map[string][]string `yaml:"users" json:"users"` // user identity → tags
Defaults *DefaultPolicy `yaml:"defaults,omitempty" json:"defaults,omitempty"`
Hosts map[string]*HostPolicy `yaml:"hosts,omitempty" json:"hosts,omitempty"` // hostname → host policy
}
PolicyRulesConfig represents the policy server rules configuration. It defines users, hosts, and access policies, not CLI flags.
func (*PolicyRulesConfig) Validate added in v0.1.8
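The following is an added illustration, not this package's code, of how a PolicyEvaluator implementation honours the 401/403/500 error contract above while deciding over the rules model (users → tags, hosts → principal → allowed tags), together with the status mapping the handler needs in its last step. The tag-matching semantics (a user may take principal P on host H when one of the user's tags is listed for P on H), the Connection and Response stand-ins, and the token → identity map that stands in for OIDC validation are all assumptions.

```go
package main
import (
	"errors"
	"net/http"
)

// PolicyError mirrors the page's type: an error carrying an HTTP status code.
type PolicyError struct {
	StatusCode int
	Message    string
}
func (e *PolicyError) Error() string { return e.Message }
var ErrUnauthorized = &PolicyError{StatusCode: http.StatusUnauthorized, Message: "Unauthorized"}
var ErrForbidden = &PolicyError{StatusCode: http.StatusForbidden, Message: "Forbidden"}

// Connection and Response are minimal stand-ins (assumed) for policy.Connection and Response.
type Connection struct{ Host, Principal string }
type Response struct{ Principals []string }

// tagEvaluator is a hypothetical evaluator over the page's rules model (users: identity → tags;
// hosts: hostname → principal → allowed tags). Assumed rule: one shared tag grants the principal.
type tagEvaluator struct {
	validTokens map[string]string // token → user identity (stands in for OIDC validation)
	users       map[string][]string
	hosts       map[string]map[string][]string
}

func (t tagEvaluator) Evaluate(token string, conn Connection) (*Response, error) {
	user, ok := t.validTokens[token]
	if !ok {
		return nil, ErrUnauthorized // invalid or expired token → 401
	}
	for _, tag := range t.users[user] {
		for _, allowed := range t.hosts[conn.Host][conn.Principal] {
			if tag == allowed {
				return &Response{Principals: []string{conn.Principal}}, nil
			}
		}
	}
	return nil, ErrForbidden // valid token, but no tag grants this principal on this host → 403
}

// StatusFor maps an evaluator error to the HTTP status the handler sends: a *PolicyError carries its own code, anything else is 500.
func StatusFor(err error) int {
	var pe *PolicyError
	if errors.As(err, &pe) {
		return pe.StatusCode
	}
	return http.StatusInternalServerError
}
```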
func (c *PolicyRulesConfig) Validate() error
Validate checks that the PolicyRulesConfig is valid