Documentation

Index
- Variables
- func DefaultExpiration() string
- func DefaultExtensions() map[string]string
- func Forbidden(message string) error
- func InternalError(message string) error
- func NewDiscoveryHandler(config DiscoveryConfig) http.HandlerFunc
- func NewDiscoveryRedirectHandler(hash string, baseURL string) http.HandlerFunc
- func NewHandler(config Config) http.HandlerFunc
- func NotHandled(message string) error
- func Unauthorized(message string) error
- func ValidateDuration(d string) error
- type Config
- type DefaultPolicy
- type Discovery
- type DiscoveryConfig
- type HostPolicy
- type OIDCConfig
- type PolicyError
- type PolicyEvaluator
- type PolicyRulesConfig
- type Request
- type Response
- type TokenValidator
Constants
This section is empty.
Variables
var (
	ErrUnauthorized = &PolicyError{StatusCode: http.StatusUnauthorized, Message: "Unauthorized"}
	// ErrForbidden indicates token valid but access denied by policy (403)
	ErrForbidden = &PolicyError{StatusCode: http.StatusForbidden, Message: "Forbidden"}
	// ErrNotHandled indicates this policy server does not handle the connection (422)
	ErrNotHandled = &PolicyError{StatusCode: http.StatusUnprocessableEntity, Message: "connection not handled"}
)
Standard errors for policy evaluation
Functions
func DefaultExpiration (added in v0.1.8)
func DefaultExpiration() string
DefaultExpiration returns the default certificate expiration duration
func DefaultExtensions (added in v0.1.8)
func DefaultExtensions() map[string]string
DefaultExtensions returns the default SSH certificate extensions
func InternalError
func InternalError(message string) error
InternalError returns a 500 error with the given message
func NewDiscoveryHandler (added in v0.3.0)
func NewDiscoveryHandler(config DiscoveryConfig) http.HandlerFunc
NewDiscoveryHandler creates an HTTP handler for the discovery endpoint. The handler:
1. Validates the Bearer token via the evaluator
2. Returns the match patterns as JSON
3. Sets Cache-Control: immutable for aggressive caching
func NewDiscoveryRedirectHandler (added in v0.3.5)
func NewDiscoveryRedirectHandler(hash string, baseURL string) http.HandlerFunc
NewDiscoveryRedirectHandler returns a handler that redirects to the content-addressed discovery URL. The redirect response is cached for 5 minutes to allow policy changes to propagate. Clients should request /d/current and follow the redirect to /d/{hash}. Uses 302 Found (temporary) rather than 301 (permanent) since the redirect target may change. If baseURL is set, redirects to an absolute URL on that base; otherwise uses relative URLs.
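The two discovery handlers described above, written out as an added example (this is not the package's own code): a redirect handler that answers /d/current with a 302 to /d/{hash}, cached for five minutes and absolute only when a base URL is given, and a discovery handler that checks the Bearer token through a TokenValidator before returning the match patterns as JSON with an immutable Cache-Control. The staticValidator, the sample hash, the sample patterns and the exact max-age values are constructed assumptions; the page only states "immutable" and "5 minutes".

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenValidator and Discovery mirror the types documented on this page.
type TokenValidator interface {
	ValidateAndExtractIdentity(token string) (identity string, err error)
}

type Discovery struct {
	MatchPatterns []string `json:"matchPatterns"`
}

// staticValidator is a constructed stand-in for a real validator (e.g. OIDC):
// it accepts exactly one opaque token. It is not part of the documented package.
type staticValidator struct{ token, identity string }

func (v staticValidator) ValidateAndExtractIdentity(tok string) (string, error) {
	if tok == "" || tok != v.token {
		return "", fmt.Errorf("invalid token")
	}
	return v.identity, nil
}

// bearerToken returns the token from an "Authorization: Bearer <token>" header, or "".
func bearerToken(r *http.Request) string {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return ""
	}
	return strings.TrimSpace(strings.TrimPrefix(h, prefix))
}

// discoveryHandler follows the documented steps: validate the Bearer token,
// return the match patterns as JSON, and mark the response immutable.
// The max-age value is an assumption; the page only states "immutable".
func discoveryHandler(v TokenValidator, patterns []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, err := v.ValidateAndExtractIdentity(bearerToken(r)); err != nil {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
		_ = json.NewEncoder(w).Encode(Discovery{MatchPatterns: patterns})
	}
}

// redirectHandler answers /d/current with a 302 to /d/{hash}, cached for 5 minutes
// (300 s); the target is absolute when baseURL is set and relative otherwise.
func redirectHandler(hash, baseURL string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		target := "/d/" + hash
		if baseURL != "" {
			target = strings.TrimRight(baseURL, "/") + target
		}
		w.Header().Set("Cache-Control", "public, max-age=300")
		http.Redirect(w, r, target, http.StatusFound)
	}
}

// call drives a handler in-process with httptest so the behaviour can be checked offline.
func call(h http.HandlerFunc, method, path, auth string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(method, path, nil)
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec
}

func main() {
	v := staticValidator{token: "constructed-token", identity: "alice"} // constructed
	patterns := []string{"*.corp.example"}                               // constructed sample patterns
	rec := call(redirectHandler("0123456789ab", ""), "GET", "/d/current", "")
	fmt.Println(rec.Code, rec.Header().Get("Location"), rec.Header().Get("Cache-Control"))
	rec = call(discoveryHandler(v, patterns), "GET", "/d/0123456789ab", "")
	fmt.Println(rec.Code) // no Bearer token: 401
	rec = call(discoveryHandler(v, patterns), "GET", "/d/0123456789ab", "Bearer constructed-token")
	fmt.Println(rec.Code, rec.Header().Get("Cache-Control"), strings.TrimSpace(rec.Body.String()))
}
```

The redirect deliberately carries a short max-age while the hashed resource is immutable: a client that follows /d/current picks up a new hash within five minutes, and the content behind a given hash never needs revalidation.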
func NewHandler
func NewHandler(config Config) http.HandlerFunc
NewHandler creates an HTTP handler for the policy server. The handler:
1. Parses the request body (token, connection)
2. Verifies the CA signature from Authorization header (if CAPublicKey provided)
3. Calls the evaluator to make authorization decision
4. Returns appropriate HTTP response (200 with policy, or error)
func NotHandled (added in v0.3.0)
func NotHandled(message string) error
NotHandled returns a 422 error indicating this policy server does not handle the requested connection. The CA will return 422 to the client.
func Unauthorized
func Unauthorized(message string) error
Unauthorized returns a 401 error with the given message
func ValidateDuration (added in v0.1.8)
func ValidateDuration(d string) error
ValidateDuration checks if a duration string is valid
Types
type Config
type Config struct {
	// CAPublicKey is the CA's SSH public key for verifying request signatures.
	// If empty, signature verification is skipped (not recommended for production).
	CAPublicKey sshcert.RawPublicKey
	// Validator validates tokens and extracts identity (authentication)
	Validator TokenValidator
	// Evaluator makes authorization decisions based on identity
	Evaluator PolicyEvaluator
	// MaxRequestSize limits the request body size (default: 8192 bytes)
	MaxRequestSize int64
	// DiscoveryHash is the content-addressable hash for the Link header.
	// If empty, no Link header is set.
	// The path is hardcoded to "/d/" + hash.
	DiscoveryHash string
	// DiscoveryBaseURL is the base URL for discovery endpoints.
	// If set, discovery URLs will be absolute URLs on this base (e.g., "https://cdn.example.com").
	// If empty, discovery URLs will be relative (e.g., "/d/current").
	DiscoveryBaseURL string
}
Config configures the policy server HTTP handler
type DefaultPolicy (added in v0.1.8)
type DefaultPolicy struct {
	Allow      map[string][]string `yaml:"allow,omitempty" json:"allow,omitempty"`           // principal → allowed tags
	Expiration string              `yaml:"expiration,omitempty" json:"expiration,omitempty"` // Default cert expiration (e.g., "5m")
	Extensions map[string]string   `yaml:"extensions,omitempty" json:"extensions,omitempty"` // Default cert extensions
}
DefaultPolicy defines default policy settings
type Discovery (added in v0.3.0)
type Discovery struct {
	MatchPatterns []string `json:"matchPatterns"`
}
Discovery is the response format for the discovery endpoint
type DiscoveryConfig (added in v0.3.0)
type DiscoveryConfig struct {
	// Validator validates Bearer tokens and extracts identity
	Validator TokenValidator
	// MatchPatterns are the host patterns to return
	MatchPatterns []string
	// Hash is the content-addressable hash (for verification, not currently used)
	Hash string
}
DiscoveryConfig configures the discovery handler
type HostPolicy (added in v0.1.8)
type HostPolicy struct {
	Allow      map[string][]string `yaml:"allow,omitempty" json:"allow,omitempty"`           // principal → allowed tags
	Expiration string              `yaml:"expiration,omitempty" json:"expiration,omitempty"` // Override expiration
	Extensions map[string]string   `yaml:"extensions,omitempty" json:"extensions,omitempty"` // Override extensions
}
HostPolicy defines per-host policy overrides
type OIDCConfig (added in v0.1.8)
type OIDCConfig struct {
	Issuer   string `yaml:"issuer" json:"issuer"`
	Audience string `yaml:"audience" json:"audience"`
}
OIDCConfig represents OIDC configuration for token validation
type PolicyError
PolicyError represents a policy evaluation error with HTTP status code
func (*PolicyError) Error
func (e *PolicyError) Error() string
type PolicyEvaluator
type PolicyEvaluator interface {
	// Evaluate makes an authorization decision for the given identity and connection.
	// The identity has already been extracted from a validated token.
	// Returns:
	// - *Response: Certificate parameters and policy if authorized
	// - error: If authorization denied
	//
	// Error handling:
	// - Return ErrForbidden (403) if access denied by policy
	// - Return other errors (500) for internal errors
	Evaluate(identity string, conn policy.Connection) (*Response, error)
}
PolicyEvaluator makes authorization decisions based on identity and connection details. The token has already been validated and identity extracted by the handler. Implementations must:
- Make authorization decision (allow/deny) based on identity
- Return certificate parameters (principals, expiration, extensions) and policy (hostPattern)
- Return appropriate errors for different failure modes
type PolicyRulesConfig (added in v0.1.8)
type PolicyRulesConfig struct {
	CAPublicKey string                 `yaml:"ca_pubkey" json:"ca_pubkey"`
	OIDC        OIDCConfig             `yaml:"oidc" json:"oidc"`
	Users       map[string][]string    `yaml:"users" json:"users"` // user identity → tags
	Defaults    *DefaultPolicy         `yaml:"defaults,omitempty" json:"defaults,omitempty"`
	Hosts       map[string]*HostPolicy `yaml:"hosts,omitempty" json:"hosts,omitempty"` // hostname → host policy
}
PolicyRulesConfig represents the policy server rules configuration. This defines users, hosts, and access policies - not CLI flags.
func (*PolicyRulesConfig) DiscoveryHash (added in v0.3.0)
func (c *PolicyRulesConfig) DiscoveryHash() string
DiscoveryHash computes a content-addressable hash of the policy rules. This hash changes when the matching policy changes (hosts, users, etc.). Returns a 12-character hex string.
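An added example, not the package's own code, that ties together the PolicyEvaluator error contract (ErrForbidden for a policy denial, ErrNotHandled for a connection this server does not cover, anything else as a 500), the PolicyRulesConfig data model (users → tags, hosts → HostPolicy with DefaultPolicy as fallback) and a content-addressed DiscoveryHash. The decision rule (a principal is granted when the identity holds at least one of the tags listed for it), the treatment of a host with neither a host policy nor defaults as "not handled", and the hash construction (SHA-256 over canonical JSON of users and hosts, truncated to 12 hex characters) are assumptions made for the demonstration; the page specifies only the field meanings, the status codes and the 12-character result. policy.Connection is not needed here, so the functions take the identity and host name directly, and the sample rules are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"net/http"
	"sort"
)

// PolicyError and the two sentinel errors follow the declarations on this page.
type PolicyError struct {
	StatusCode int
	Message    string
}

func (e *PolicyError) Error() string { return e.Message }

var (
	ErrForbidden  = &PolicyError{StatusCode: http.StatusForbidden, Message: "Forbidden"}
	ErrNotHandled = &PolicyError{StatusCode: http.StatusUnprocessableEntity, Message: "connection not handled"}
)

// Rule types trimmed from the page (YAML tags dropped); HostPolicy carries the same fields as DefaultPolicy.
type DefaultPolicy struct {
	Allow      map[string][]string `json:"allow,omitempty"` // principal -> allowed tags
	Expiration string              `json:"expiration,omitempty"`
}
type HostPolicy = DefaultPolicy
type PolicyRulesConfig struct {
	Users    map[string][]string    `json:"users"` // identity -> tags
	Defaults *DefaultPolicy         `json:"defaults,omitempty"`
	Hosts    map[string]*HostPolicy `json:"hosts,omitempty"` // hostname -> host policy
}

// AllowedPrincipals applies an assumed reading of the rules: a principal is granted when the
// identity holds at least one tag listed for it, taking the host's Allow/Expiration when set and
// the defaults otherwise. Unknown identity or no matching principal -> ErrForbidden (403);
// a host with neither a host policy nor defaults -> ErrNotHandled (422).
func AllowedPrincipals(c *PolicyRulesConfig, identity, host string) (principals []string, expiration string, err error) {
	tags, ok := c.Users[identity]
	if !ok {
		return nil, "", ErrForbidden
	}
	var allow map[string][]string
	if c.Defaults != nil {
		allow, expiration = c.Defaults.Allow, c.Defaults.Expiration
	}
	if hp, ok := c.Hosts[host]; ok {
		if hp.Allow != nil {
			allow = hp.Allow
		}
		if hp.Expiration != "" {
			expiration = hp.Expiration
		}
	} else if c.Defaults == nil {
		return nil, "", ErrNotHandled
	}
	have := map[string]bool{}
	for _, t := range tags {
		have[t] = true
	}
	for principal, allowedTags := range allow {
		for _, t := range allowedTags {
			if have[t] {
				principals = append(principals, principal)
				break
			}
		}
	}
	if len(principals) == 0 {
		return nil, "", ErrForbidden
	}
	sort.Strings(principals)
	return principals, expiration, nil
}

// StatusFor maps an evaluator error to the HTTP status the handler sends:
// a *PolicyError carries its own code; anything else is an internal error (500).
func StatusFor(err error) int {
	var pe *PolicyError
	if errors.As(err, &pe) {
		return pe.StatusCode
	}
	return http.StatusInternalServerError
}

// DiscoveryHash is an assumed construction of the documented 12-character hash: SHA-256 over
// canonical JSON of the match-relevant rules (users, hosts), truncated to 12 hex characters.
// encoding/json emits map keys sorted, so identical rules always hash identically.
func DiscoveryHash(c *PolicyRulesConfig) string {
	canon, _ := json.Marshal(struct {
		Users map[string][]string    `json:"users"`
		Hosts map[string]*HostPolicy `json:"hosts"`
	}{c.Users, c.Hosts})
	sum := sha256.Sum256(canon)
	return hex.EncodeToString(sum[:])[:12]
}

// sampleRules is constructed sample data for the demonstration, not a real deployment.
func sampleRules() *PolicyRulesConfig {
	return &PolicyRulesConfig{
		Users:    map[string][]string{"alice": {"admin", "dev"}, "bob": {"dev"}},
		Defaults: &DefaultPolicy{Allow: map[string][]string{"deploy": {"dev"}}, Expiration: "5m"},
		Hosts: map[string]*HostPolicy{
			"db1": {Allow: map[string][]string{"root": {"admin"}, "deploy": {"dev"}}, Expiration: "1h"},
		},
	}
}
```

Two points to note when wiring this into an Evaluate implementation: return the sentinel values themselves (or wrap them) so errors.As in the handler can recover the status, and keep the hash input limited to the fields that affect matching, since every change to it invalidates what clients have cached under /d/{hash}.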
func (*PolicyRulesConfig) Validate (added in v0.1.8)
func (c *PolicyRulesConfig) Validate() error
Validate checks that the PolicyRulesConfig is valid
type Request
type Request struct {
	Token      string            `json:"token"`
	Connection policy.Connection `json:"connection"`
}
Request from CA to policy server
type Response
type Response struct {
	CertParams ca.CertParams `json:"certParams"`
	Policy     policy.Policy `json:"policy"`
}
Response from policy server to CA
type TokenValidator (added in v0.3.0)
type TokenValidator interface {
	// ValidateAndExtractIdentity validates the token and returns the identity.
	// Returns an error if the token is invalid or expired.
	ValidateAndExtractIdentity(token string) (identity string, err error)
}
TokenValidator validates authentication tokens and extracts identity. Used by handlers to authenticate requests before policy evaluation.