caclient

package
v0.3.2
Published: Dec 26, 2025 License: Apache-2.0, Apache-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

View Source
const DefaultCooldown = 10 * time.Minute

DefaultCooldown is the default circuit breaker cooldown duration.

View Source
const DefaultPriority = 100

DefaultPriority is the priority assigned to CA endpoints without an explicit priority. Higher priority values are tried first.

View Source
const DefaultTimeout = 15 * time.Second

DefaultTimeout is the default per-request timeout for CA requests.

Variables

This section is empty.

Functions

This section is empty.

Types

type AllCAsUnavailableError added in v0.3.0

type AllCAsUnavailableError struct {
	Message string
}

AllCAsUnavailableError indicates all configured CAs are unavailable. This happens when all CAs have their circuit breakers in the open state.

func (*AllCAsUnavailableError) Error added in v0.3.0

func (e *AllCAsUnavailableError) Error() string

type CAEndpoint added in v0.3.0

type CAEndpoint struct {
	URL      string
	Priority int
}

CAEndpoint represents a CA server URL with its priority for failover. Higher priority CAs are tried first; lower priority CAs are used as backups.

func ParseCAURL added in v0.3.0

func ParseCAURL(s string) (CAEndpoint, error)

ParseCAURL parses a CA URL string into a CAEndpoint. Format: "priority=N:https://ca.example.com/" or just "https://ca.example.com/". If no priority is specified, DefaultPriority (100) is used.

func ParseCAURLs added in v0.3.0

func ParseCAURLs(urls []string) ([]CAEndpoint, error)

ParseCAURLs parses multiple CA URL strings into CAEndpoints. Returns an error if any URL is invalid or if the list is empty.
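The "priority=N:" prefix format and the default described above, reimplemented as an added example. This is not the package's own ParseCAURL; the module is not imported here, so DefaultPriority and CAEndpoint are mirrored locally. The https-only rule, the error messages, and the OrderByPriority helper (which shows the order GetCert tries endpoints in) are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strconv"
	"strings"
)

// DefaultPriority mirrors the package constant: endpoints without an explicit
// priority get 100, and higher values are tried first.
const DefaultPriority = 100

// CAEndpoint mirrors the package type documented above.
type CAEndpoint struct {
	URL      string
	Priority int
}

// ParseCAURL accepts "priority=N:https://ca.example.com/" or a bare URL.
// Requiring an https scheme and a host is a hardening choice made here (the
// bearer token travels in an Authorization header, so plaintext would leak
// it); the page itself only documents the priority prefix and the default.
func ParseCAURL(s string) (CAEndpoint, error) {
	ep := CAEndpoint{Priority: DefaultPriority}
	raw := strings.TrimSpace(s)
	if strings.HasPrefix(raw, "priority=") {
		// Split on the first ':' only; the URL after it contains more colons.
		parts := strings.SplitN(strings.TrimPrefix(raw, "priority="), ":", 2)
		if len(parts) != 2 {
			return CAEndpoint{}, fmt.Errorf("ca url %q: missing ':' after priority", s)
		}
		p, err := strconv.Atoi(parts[0])
		if err != nil {
			return CAEndpoint{}, fmt.Errorf("ca url %q: bad priority %q: %w", s, parts[0], err)
		}
		ep.Priority = p
		raw = parts[1]
	}
	u, err := url.Parse(raw)
	if err != nil {
		return CAEndpoint{}, fmt.Errorf("ca url %q: %w", s, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return CAEndpoint{}, fmt.Errorf("ca url %q: expected https://host/...", s)
	}
	ep.URL = u.String()
	return ep, nil
}

// ParseCAURLs parses every entry and, as documented, rejects an empty list
// and any invalid entry. Input order is preserved.
func ParseCAURLs(urls []string) ([]CAEndpoint, error) {
	if len(urls) == 0 {
		return nil, errors.New("no CA URLs configured")
	}
	eps := make([]CAEndpoint, 0, len(urls))
	for _, s := range urls {
		ep, err := ParseCAURL(s)
		if err != nil {
			return nil, err
		}
		eps = append(eps, ep)
	}
	return eps, nil
}

// OrderByPriority returns a copy sorted highest priority first, the order in
// which GetCert tries endpoints. The stable sort keeps configured order among
// equal priorities; that tie-break is an assumption, not documented.
func OrderByPriority(eps []CAEndpoint) []CAEndpoint {
	out := append([]CAEndpoint(nil), eps...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Priority > out[j].Priority })
	return out
}

func main() {
	// Constructed input: one bare URL (priority 100) and two with explicit priorities.
	eps, err := ParseCAURLs([]string{
		"https://ca-backup.example.com/",
		"priority=200:https://ca-primary.example.com/",
		"priority=50:https://ca-dr.example.com/",
	})
	if err != nil {
		panic(err)
	}
	for _, ep := range OrderByPriority(eps) {
		fmt.Printf("%4d %s\n", ep.Priority, ep.URL)
	}
}
```

Note that the real package does not document whether ParseCAURLs sorts its output; the ordering shown is done separately so that configured order is visibly preserved until the client decides.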

type CAUnavailableError added in v0.1.1

type CAUnavailableError struct {
	Message string
}

CAUnavailableError indicates the CA service is temporarily unavailable. This is typically a transient infrastructure issue.

func (*CAUnavailableError) Error added in v0.1.1

func (e *CAUnavailableError) Error() string

type CertResponse added in v0.3.0

type CertResponse struct {
	Certificate  sshcert.RawCertificate
	Policy       policy.Policy
	DiscoveryURL string
}

CertResponse contains a certificate and discovery information.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is a CA Client with support for multiple CA endpoints and failover.

func New

func New(endpoints []CAEndpoint, options ...Option) (*Client, error)

New creates a new CA Client with the given endpoints. At least one endpoint is required.

func (*Client) GetCert

func (c *Client) GetCert(ctx context.Context, token string, req *caserver.CreateCertRequest) (*CertResponse, error)

GetCert requests a certificate from the CA, with automatic failover to backup CAs. It tries CAs in priority order, using circuit breakers to skip temporarily unavailable CAs. The token is sent in the Authorization header, not in the request body. Returns CertResponse containing the certificate, policy, and discovery URL.
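The failover loop that GetCert describes, as an added example that is not the package's code. It models the priority order, one circuit breaker per CA with a cooldown, and the AllCAsUnavailableError result when nothing can be tried. The injected RequestFunc (in place of the HTTP call), the injectable clock, and the rule that only a transient failure (CAUnavailableError or a timeout) moves on to the next CA while any other error is returned at once are assumptions made here. Mirrors of DefaultCooldown, CAEndpoint and the two error types stand in for the package's own.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
	"sync"
	"time"
)

// DefaultCooldown mirrors the package constant documented above.
const DefaultCooldown = 10 * time.Minute

// CAEndpoint and the two error types mirror those documented on this page.
type CAEndpoint struct {
	URL      string
	Priority int
}

type CAUnavailableError struct{ Message string }
type AllCAsUnavailableError struct{ Message string }

func (e *CAUnavailableError) Error() string     { return "ca unavailable: " + e.Message }
func (e *AllCAsUnavailableError) Error() string { return "all CAs unavailable: " + e.Message }

// RequestFunc stands in for the HTTP call to one CA (injected so this runs offline).
type RequestFunc func(ctx context.Context, url string) (string, error)

// Failover keeps endpoints sorted highest priority first and one circuit
// breaker per endpoint, stored as the time until which that CA is skipped.
type Failover struct {
	eps       []CAEndpoint
	cooldown  time.Duration
	now       func() time.Time // injectable clock
	request   RequestFunc
	mu        sync.Mutex // guards openUntil; never held across a request
	openUntil map[string]time.Time
}

func NewFailover(eps []CAEndpoint, cooldown time.Duration, now func() time.Time, request RequestFunc) *Failover {
	sorted := append([]CAEndpoint(nil), eps...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Priority > sorted[j].Priority })
	return &Failover{eps: sorted, cooldown: cooldown, now: now, request: request, openUntil: map[string]time.Time{}}
}

func (f *Failover) isOpen(url string, now time.Time) bool {
	f.mu.Lock()
	defer f.mu.Unlock()
	return now.Before(f.openUntil[url])
}

func (f *Failover) trip(url string, now time.Time) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.openUntil[url] = now.Add(f.cooldown)
}

// GetCert tries CAs in priority order, skipping any whose breaker is open.
// Only a transient failure (CAUnavailableError or a context deadline) trips
// the breaker and moves on; any other error is returned as is, since a backup
// CA would give the same answer to a bad token or a policy denial. That
// transient/non-transient split is an assumption made here, not documented.
func (f *Failover) GetCert(ctx context.Context) (string, error) {
	now := f.now()
	var last error
	for _, ep := range f.eps {
		if f.isOpen(ep.URL, now) {
			continue
		}
		cert, err := f.request(ctx, ep.URL)
		if err == nil {
			return cert, nil
		}
		var unavail *CAUnavailableError
		if errors.As(err, &unavail) || errors.Is(err, context.DeadlineExceeded) {
			f.trip(ep.URL, now)
			last = err
			continue
		}
		return "", err
	}
	// Nothing succeeded: either every breaker was already open (last == nil)
	// or every reachable CA just failed transiently and is open now.
	if last == nil {
		last = errors.New("every circuit breaker is open")
	}
	return "", &AllCAsUnavailableError{Message: last.Error()}
}

func main() {
	// Constructed scenario: the primary CA (priority 200) answers 503, the backup is healthy.
	primary := "https://ca-primary.example.com/"
	f := NewFailover([]CAEndpoint{{URL: "https://ca-backup.example.com/", Priority: 100}, {URL: primary, Priority: 200}},
		DefaultCooldown, time.Now, func(_ context.Context, url string) (string, error) {
			if url == primary {
				return "", &CAUnavailableError{Message: "503 from primary"}
			}
			return "cert-from-backup", nil
		})
	fmt.Println(f.GetCert(context.Background()))
}
```

With the constructed scenario the first call returns the backup's certificate and opens the primary's breaker; for the next ten minutes the primary is skipped without a request, after which it is tried again. The lock is taken only around breaker state, not around the network call, so concurrent requests do not serialize behind a slow CA.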

func (*Client) GetDiscovery added in v0.3.0

func (c *Client) GetDiscovery(ctx context.Context, token string) (*Discovery, error)

GetDiscovery fetches discovery data using the cached discovery URL. If no URL is cached (from a previous cert request), returns nil. The discovery response itself is cached via httpcache.

func (*Client) Hello added in v0.3.1

func (c *Client) Hello(ctx context.Context, token string) error

Hello validates a token with the CA and learns the discovery URL. This sends an empty body to the CA's hello endpoint, which validates the token with the policy server and returns the discovery URL in the Link header. Returns nil on success. The discovery URL is cached for subsequent GetDiscovery calls.

func (*Client) SetDiscoveryURL added in v0.3.0

func (c *Client) SetDiscoveryURL(url string)

SetDiscoveryURL sets the cached discovery URL. This is primarily for testing. In normal operation, the URL is learned from CA cert response Link headers.

type ConnectionNotHandledError added in v0.3.0

type ConnectionNotHandledError struct {
	Message string
}

ConnectionNotHandledError indicates the CA/policy server does not handle this connection. The broker should fail the match and let SSH fall through to other auth methods.

func (*ConnectionNotHandledError) Error added in v0.3.0

func (e *ConnectionNotHandledError) Error() string

type Discovery added in v0.3.0

type Discovery struct {
	MatchPatterns []string `json:"matchPatterns"`
}

Discovery contains information from the discovery endpoint.

type InvalidRequestError added in v0.1.1

type InvalidRequestError struct {
	Message string
}

InvalidRequestError indicates the certificate request was malformed. This typically indicates a bug in the client code.

func (*InvalidRequestError) Error added in v0.1.1

func (e *InvalidRequestError) Error() string

type InvalidTokenError added in v0.1.1

type InvalidTokenError struct {
	Message string
}

InvalidTokenError indicates the authentication token is invalid or expired. The broker should clear the token and re-authenticate.

func (*InvalidTokenError) Error added in v0.1.1

func (e *InvalidTokenError) Error() string

type Option

type Option interface {
	// contains filtered or unexported methods
}

Option configures the Client.

func WithCooldown added in v0.3.0

func WithCooldown(d time.Duration) Option

WithCooldown sets the circuit breaker cooldown duration. Failed CAs will be unavailable for this duration before being retried.

func WithHTTPClient

func WithHTTPClient(httpClient *http.Client) Option

WithHTTPClient specifies the HTTP client to use.

func WithLogger added in v0.1.1

func WithLogger(logger *slog.Logger) Option

WithLogger specifies the logger to use.

func WithTLSConfig added in v0.1.4

func WithTLSConfig(cfg tlsconfig.Config) Option

WithTLSConfig creates an HTTP client with the specified TLS configuration.

func WithTimeout added in v0.3.0

func WithTimeout(d time.Duration) Option

WithTimeout sets the per-request timeout for CA requests.

type PolicyDeniedError added in v0.1.1

type PolicyDeniedError struct {
	Message string
}

PolicyDeniedError indicates authentication succeeded but policy denied access. The token is valid, but the user is not authorized for this connection.

func (*PolicyDeniedError) Error added in v0.1.1

func (e *PolicyDeniedError) Error() string
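The handling that the error type doc comments above prescribe for a broker (InvalidTokenError: clear the token and re-authenticate; ConnectionNotHandledError: fail the match so SSH falls through; PolicyDeniedError: stop, the token is fine; CAUnavailableError and AllCAsUnavailableError: transient, keep the token), as an added example that is not the package's code. The Outcome type, the Broker with its injected getCert and login calls, and the single re-authentication retry are assumptions made here; mirrors of the error types stand in for the package's own. The practical point is using errors.As rather than a type switch, so that an error wrapped with fmt.Errorf("...: %w", err) on its way up still classifies correctly.

```go
package main

import (
	"errors"
	"fmt"
)

// The error types mirror those documented on this page.
type InvalidTokenError struct{ Message string }
type PolicyDeniedError struct{ Message string }
type ConnectionNotHandledError struct{ Message string }
type CAUnavailableError struct{ Message string }
type AllCAsUnavailableError struct{ Message string }

func (e *InvalidTokenError) Error() string         { return "invalid token: " + e.Message }
func (e *PolicyDeniedError) Error() string         { return "policy denied: " + e.Message }
func (e *ConnectionNotHandledError) Error() string { return "connection not handled: " + e.Message }
func (e *CAUnavailableError) Error() string        { return "ca unavailable: " + e.Message }
func (e *AllCAsUnavailableError) Error() string    { return "all CAs unavailable: " + e.Message }

// Outcome is what the broker reports to the SSH layer after a cert request.
type Outcome int

const (
	OutcomeCert          Outcome = iota // certificate issued: present it
	OutcomeTokenRejected                // token invalid or expired
	OutcomeFallThrough                  // fail the match; let SSH try other auth methods
	OutcomeDenied                       // token valid, policy says no: stop here
	OutcomeRetryLater                   // CA(s) temporarily unavailable; keep the token
	OutcomeBug                          // InvalidRequestError or unknown: log, do not retry
)

// Classify maps a cert-request error to the action its doc comment prescribes.
// errors.As, not a type switch, so errors wrapped with fmt.Errorf("%w") still match.
func Classify(err error) Outcome {
	var (
		tok     *InvalidTokenError
		denied  *PolicyDeniedError
		skip    *ConnectionNotHandledError
		unavail *CAUnavailableError
		all     *AllCAsUnavailableError
	)
	switch {
	case err == nil:
		return OutcomeCert
	case errors.As(err, &tok):
		return OutcomeTokenRejected
	case errors.As(err, &skip):
		return OutcomeFallThrough
	case errors.As(err, &denied):
		return OutcomeDenied
	case errors.As(err, &unavail), errors.As(err, &all):
		return OutcomeRetryLater
	default:
		return OutcomeBug
	}
}

// Broker holds the bearer token plus injected cert-fetch and login calls so the
// flow runs offline (the real GetCert also takes a context and a request body).
type Broker struct {
	token   string
	getCert func(token string) (string, error)
	login   func() (string, error)
	reauths int
}

// Request performs one cert request. On a rejected token it clears the token,
// re-authenticates once and retries; a second rejection is returned rather than
// looping. The single retry is a limit chosen for this example.
func (b *Broker) Request() (Outcome, string, error) {
	cert, err := b.getCert(b.token)
	if Classify(err) == OutcomeTokenRejected {
		b.token = "" // drop the rejected token before asking for a new one
		fresh, lerr := b.login()
		if lerr != nil {
			return OutcomeTokenRejected, "", fmt.Errorf("re-authentication failed: %w", lerr)
		}
		b.token = fresh
		b.reauths++
		cert, err = b.getCert(b.token)
	}
	if out := Classify(err); out != OutcomeCert {
		return out, "", err
	}
	return OutcomeCert, cert, nil
}

func main() {
	// Constructed scenario: the stored token has expired; login yields a fresh one.
	b := &Broker{token: "stale", login: func() (string, error) { return "fresh", nil }}
	b.getCert = func(tok string) (string, error) {
		if tok != "fresh" {
			return "", fmt.Errorf("ca request: %w", &InvalidTokenError{Message: "expired"})
		}
		return "cert-for-fresh-token", nil
	}
	fmt.Println(b.Request())
}
```

Note the ordering in Classify: ConnectionNotHandledError is checked before PolicyDeniedError because the two lead to different SSH behaviour (fall through to other auth methods versus a hard stop), and a transient CA outage never discards the token.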
