policyserver

package
v0.6.0 Latest

Warning: This package is not in the latest version of its module.

Published: Jan 5, 2026 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	// ErrUnauthorized indicates token is invalid or expired (401)
	ErrUnauthorized = &PolicyError{StatusCode: http.StatusUnauthorized, Message: "Unauthorized"}

	// ErrForbidden indicates token valid but access denied by policy (403)
	ErrForbidden = &PolicyError{StatusCode: http.StatusForbidden, Message: "Forbidden"}

	// ErrNotHandled indicates this policy server does not handle the connection (422)
	ErrNotHandled = &PolicyError{StatusCode: http.StatusUnprocessableEntity, Message: "connection not handled"}
)

Standard errors for policy evaluation

Functions

func DefaultExpiration added in v0.1.8

func DefaultExpiration() string

DefaultExpiration returns the default certificate expiration duration

func DefaultExtensions added in v0.1.8

func DefaultExtensions() map[string]string

DefaultExtensions returns the default SSH certificate extensions

func DefaultScopes added in v0.5.1

func DefaultScopes() []string

DefaultScopes returns the default OIDC scopes

func Forbidden

func Forbidden(message string) error

Forbidden returns a 403 error with the given message

func InternalError

func InternalError(message string) error

InternalError returns a 500 error with the given message

func NewBootstrapRedirectHandler added in v0.5.1

func NewBootstrapRedirectHandler(hash string, baseURL string) http.HandlerFunc

NewBootstrapRedirectHandler returns a handler that redirects to the content-addressed bootstrap URL. The redirect response is cached for 5 minutes to allow config changes to propagate. Clients should request /d/bootstrap and follow the redirect to /d/{hash}. It uses 302 Found (temporary) rather than 301 (permanent) because the redirect target may change. If baseURL is set, it redirects to an absolute URL on that base; otherwise it uses relative URLs.

func NewDiscoveryHandler added in v0.3.0

func NewDiscoveryHandler(config DiscoveryConfig) http.HandlerFunc

NewDiscoveryHandler creates an HTTP handler for the /d/<hash> content-addressed endpoints. The handler:

- For the bootstrap hash: returns the auth config (no authentication required)
- For the discovery hash: validates the Bearer token and returns the match patterns
- For unknown hashes: returns 404 (forces clients to follow the redirect)

Sets Cache-Control: immutable for aggressive caching.

func NewDiscoveryRedirectHandler added in v0.3.5

func NewDiscoveryRedirectHandler(hash string, baseURL string) http.HandlerFunc

NewDiscoveryRedirectHandler returns a handler that redirects to the content-addressed discovery URL. The redirect response is cached for 5 minutes to allow policy changes to propagate. Clients should request /d/current and follow the redirect to /d/{hash}. It uses 302 Found (temporary) rather than 301 (permanent) because the redirect target may change. If baseURL is set, it redirects to an absolute URL on that base; otherwise it uses relative URLs.

func NewHandler

func NewHandler(config Config) http.HandlerFunc

NewHandler creates an HTTP handler for the policy server. The handler:

1. Parses the request body (token, connection)
2. Verifies the CA signature from the Authorization header (if CAPublicKey is provided)
3. Validates the token with the configured Validator and extracts the identity
4. Calls the Evaluator to make the authorization decision
5. Returns the appropriate HTTP response (200 with policy, or an error)
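The request flow above, as an added example rather than the package's own code: a handler with the same steps, built on local stand-ins for Config, policy.Connection and Response (their real field sets are not shown on this page), with the CA-signature step represented by a hypothetical verifySignature hook because the signature's wire format is not documented here. The point it demonstrates is the part that is easy to get wrong: bounding the body before it reaches the decoder, and mapping each outcome to exactly one status (401, 403, 422, 500) without echoing internal error text back to the CA. The validator, evaluator and tokens are constructed sample data.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// PolicyError mirrors the page's type: an HTTP status plus a message.
type PolicyError struct {
	StatusCode int
	Message    string
}

func (e *PolicyError) Error() string { return e.Message }

var (
	ErrUnauthorized = &PolicyError{http.StatusUnauthorized, "Unauthorized"}
	ErrForbidden    = &PolicyError{http.StatusForbidden, "Forbidden"}
	ErrNotHandled   = &PolicyError{http.StatusUnprocessableEntity, "connection not handled"}
)

// Connection and Response are assumed stand-ins; the page does not show their fields.
type Connection struct {
	Host string `json:"host"`
	User string `json:"user"`
}
type Response struct {
	Principals []string `json:"principals"`
	Expiration string   `json:"expiration"`
}
type TokenValidator interface{ ValidateAndExtractIdentity(token string) (string, error) }
type PolicyEvaluator interface{ Evaluate(identity string, conn Connection) (*Response, error) }

// NewHandler follows the page's steps. verifySignature is a hypothetical hook for the CA
// signature check; nil skips it, the equivalent of an empty CAPublicKey.
func NewHandler(v TokenValidator, e PolicyEvaluator, maxBody int64,
	verifySignature func(authz string, body []byte) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// 1. Bounded read, then parse: oversize bodies never reach the decoder.
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
		if err != nil {
			writeError(w, &PolicyError{http.StatusRequestEntityTooLarge, "request body too large"})
			return
		}
		var req struct {
			Token      string     `json:"token"`
			Connection Connection `json:"connection"`
		}
		if err := json.Unmarshal(body, &req); err != nil {
			writeError(w, &PolicyError{http.StatusBadRequest, "malformed request"})
			return
		}
		// 2. Verify the CA's signature over the exact bytes received before trusting the token.
		if verifySignature != nil {
			if err := verifySignature(r.Header.Get("Authorization"), body); err != nil {
				writeError(w, ErrUnauthorized)
				return
			}
		}
		// 3. Authenticate (token -> identity), then 4. authorize (identity + connection -> policy).
		identity, err := v.ValidateAndExtractIdentity(req.Token)
		if err != nil {
			writeError(w, ErrUnauthorized) // every token failure is a 401, whatever the cause
			return
		}
		resp, err := e.Evaluate(identity, req.Connection)
		if err != nil {
			writeError(w, err)
			return
		}
		// 5. 200 with certificate parameters and policy.
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(resp)
	}
}

// writeError maps *PolicyError to its status; anything else becomes a 500 whose
// internal message is deliberately not echoed back to the CA.
func writeError(w http.ResponseWriter, err error) {
	var pe *PolicyError
	if !errors.As(err, &pe) {
		pe = &PolicyError{http.StatusInternalServerError, "internal error"}
	}
	http.Error(w, pe.Message, pe.StatusCode)
}

// Constructed demo validator and evaluator (not the project's).
type staticValidator map[string]string // token -> identity

func (v staticValidator) ValidateAndExtractIdentity(tok string) (string, error) {
	if id, ok := v[tok]; ok {
		return id, nil
	}
	return "", ErrUnauthorized
}

type demoEvaluator struct{}

func (demoEvaluator) Evaluate(identity string, c Connection) (*Response, error) {
	switch {
	case !strings.HasSuffix(c.Host, ".example.com"):
		return nil, ErrNotHandled // not this server's fleet: 422
	case identity != "alice@example.com":
		return nil, ErrForbidden // authenticated, but denied by policy: 403
	case c.User == "crash":
		return nil, errors.New("backend unavailable") // generic 500
	}
	return &Response{Principals: []string{c.User}, Expiration: "5m"}, nil
}

// DemoHandler wires the demo pieces in with the page's 8192-byte default limit.
func DemoHandler() http.Handler {
	v := staticValidator{"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}
	return NewHandler(v, demoEvaluator{}, 8192, nil)
}

// Decide posts body to h and returns the status code the handler produced.
func Decide(h http.Handler, body string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body)))
	return rec.Code
}

func main() {
	println(Decide(DemoHandler(), `{"token":"tok-alice","connection":{"host":"db1.example.com","user":"deploy"}}`))
}
```

The original error behind a 500 belongs in the server log, not the response body. Passing nil for verifySignature is the analogue of an empty CAPublicKey and should be limited to local testing, since without it any client that can reach the policy server can ask it to evaluate arbitrary tokens.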

func NotHandled added in v0.3.0

func NotHandled(message string) error

NotHandled returns a 422 error indicating this policy server does not handle the requested connection. The CA will return 422 to the client.

func Unauthorized

func Unauthorized(message string) error

Unauthorized returns a 401 error with the given message

func ValidateDuration added in v0.1.8

func ValidateDuration(d string) error

ValidateDuration checks if a duration string is valid

Types

type Bootstrap added in v0.5.1

type Bootstrap struct {
	Auth BootstrapAuth `json:"auth"`
}

Bootstrap represents the bootstrap endpoint response

type BootstrapAuth added in v0.5.1

type BootstrapAuth struct {
	// Type identifies the auth method: "oidc" or "command"
	Type string `json:"type"`

	// OIDC fields (when type="oidc")
	Issuer       string   `json:"issuer,omitempty"`
	ClientID     string   `json:"client_id,omitempty"`
	ClientSecret string   `json:"client_secret,omitempty"`
	Scopes       []string `json:"scopes,omitempty"`

	// Command field (when type="command") - opaque string
	Command string `json:"command,omitempty"`
}

BootstrapAuth represents the auth configuration returned by the bootstrap endpoint. The Type field discriminates between auth methods. Because the bootstrap endpoint requires no authentication (see NewDiscoveryHandler), a ClientSecret carried here is served to anonymous clients and cannot be treated as confidential; only a public OIDC client configuration should be exposed this way.

type Config

type Config struct {
	// CAPublicKey is the CA's SSH public key for verifying request signatures.
	// If empty, signature verification is skipped (not recommended for production).
	CAPublicKey sshcert.RawPublicKey

	// Validator validates tokens and extracts identity (authentication)
	Validator TokenValidator

	// Evaluator makes authorization decisions based on identity
	Evaluator PolicyEvaluator

	// MaxRequestSize limits the request body size (default: 8192 bytes)
	MaxRequestSize int64

	// DiscoveryHash is the content-addressable hash for the Link header.
	// If empty, no Link header is set.
	// The path is hardcoded to "/d/" + hash.
	DiscoveryHash string

	// BootstrapHash is the content-addressable hash for the bootstrap Link header.
	// If empty, no bootstrap Link header is set.
	BootstrapHash string

	// DiscoveryBaseURL is the base URL for discovery endpoints.
	// If set, discovery URLs will be absolute URLs on this base (e.g., "https://cdn.example.com").
	// If empty, discovery URLs will be relative (e.g., "/d/current").
	DiscoveryBaseURL string
}

Config configures the policy server HTTP handler

type DefaultPolicy added in v0.1.8

type DefaultPolicy struct {
	Allow      map[string][]string `yaml:"allow,omitempty" json:"allow,omitempty"`           // principal → allowed tags
	Expiration string              `yaml:"expiration,omitempty" json:"expiration,omitempty"` // Default cert expiration (e.g., "5m")
	Extensions map[string]string   `yaml:"extensions,omitempty" json:"extensions,omitempty"` // Default cert extensions
}

DefaultPolicy defines default policy settings

type Discovery added in v0.3.0

type Discovery struct {
	MatchPatterns []string `json:"matchPatterns"`
}

Discovery is the response format for the discovery endpoint

type DiscoveryConfig added in v0.3.0

type DiscoveryConfig struct {
	// Validator validates Bearer tokens and extracts identity
	Validator TokenValidator

	// MatchPatterns are the host patterns to return
	MatchPatterns []string

	// DiscoveryHash is the content-addressable hash for discovery (authenticated)
	DiscoveryHash string

	// BootstrapHash is the content-addressable hash for bootstrap (unauthenticated)
	BootstrapHash string

	// AuthConfig is the bootstrap auth configuration to return
	AuthConfig BootstrapAuth
}

DiscoveryConfig configures the discovery handler

type HostPolicy added in v0.1.8

type HostPolicy struct {
	Allow      map[string][]string `yaml:"allow,omitempty" json:"allow,omitempty"`           // principal → allowed tags
	Expiration string              `yaml:"expiration,omitempty" json:"expiration,omitempty"` // Override expiration
	Extensions map[string]string   `yaml:"extensions,omitempty" json:"extensions,omitempty"` // Override extensions
}

HostPolicy defines per-host policy overrides

type OIDCConfig added in v0.1.8

type OIDCConfig struct {
	Issuer       string   `yaml:"issuer" json:"issuer"`
	ClientID     string   `yaml:"client_id" json:"client_id"`
	ClientSecret string   `yaml:"client_secret,omitempty" json:"client_secret,omitempty"` // Optional, for confidential clients
	Scopes       []string `yaml:"scopes,omitempty" json:"scopes,omitempty"`               // Optional, defaults to ["openid", "profile", "email"]
}

OIDCConfig represents OIDC configuration for token validation

type PolicyError

type PolicyError struct {
	StatusCode int
	Message    string
}

PolicyError represents a policy evaluation error with HTTP status code

func (*PolicyError) Error

func (e *PolicyError) Error() string

type PolicyEvaluator

type PolicyEvaluator interface {
	// Evaluate makes an authorization decision for the given identity and connection.
	// The identity has already been extracted from a validated token.
	// Returns:
	// - *Response: Certificate parameters and policy if authorized
	// - error: If authorization denied
	//
	// Error handling:
	// - Return ErrForbidden (403) if access denied by policy
	// - Return other errors (500) for internal errors
	Evaluate(identity string, conn policy.Connection) (*Response, error)
}

PolicyEvaluator makes authorization decisions based on identity and connection details. The token has already been validated and the identity extracted by the handler. Implementations must:

- Make the authorization decision (allow/deny) based on identity
- Return certificate parameters (principals, expiration, extensions) and policy (hostPattern)
- Return appropriate errors for different failure modes

type PolicyRulesConfig added in v0.1.8

type PolicyRulesConfig struct {
	CAPublicKey string                 `yaml:"ca_pubkey" json:"ca_pubkey"`
	OIDC        OIDCConfig             `yaml:"oidc" json:"oidc"`
	Users       map[string][]string    `yaml:"users" json:"users"` // user identity → tags
	Defaults    *DefaultPolicy         `yaml:"defaults,omitempty" json:"defaults,omitempty"`
	Hosts       map[string]*HostPolicy `yaml:"hosts,omitempty" json:"hosts,omitempty"` // hostname → host policy
}

PolicyRulesConfig represents the policy server rules configuration. This defines users, hosts, and access policies - not CLI flags.
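How Users, Defaults and Hosts combine is not spelled out on the page beyond the field comments, so the following is an added example with an assumed reading, not the package's evaluator: a user holds tags; a principal is granted on a host when the user holds any tag listed for that principal in Defaults.Allow or Hosts[host].Allow; a host's Expiration and Extensions replace the defaults when set; an identity with no tags is denied outright. Type names mirror the page but carry only the fields used here, Grant stands in for the CertParams a real Response would carry, and the configuration is constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Stand-ins for the page's config types, reduced to the fields used here.
type DefaultPolicy struct {
	Allow      map[string][]string // principal → allowed tags
	Expiration string              // e.g. "5m"
	Extensions map[string]string
}

// HostPolicy has the same shape as DefaultPolicy on the page; an alias keeps the example short.
type HostPolicy = DefaultPolicy

type PolicyRulesConfig struct {
	Users    map[string][]string    // user identity → tags
	Defaults *DefaultPolicy
	Hosts    map[string]*HostPolicy // hostname → overrides
}

// Grant is what an evaluator would put into Response.CertParams (assumed shape).
type Grant struct {
	Principals []string
	Expiration time.Duration
	Extensions map[string]string
}

var ErrForbidden = errors.New("forbidden")

const defaultExpiration = 5 * time.Minute // the page's "5m" example

// Evaluate applies the assumed tag model described in the lead-in. A bad duration in the
// rules is a configuration error, not a policy denial, so it is returned as a distinct error.
func (c *PolicyRulesConfig) Evaluate(identity, host string) (*Grant, error) {
	userTags := map[string]bool{}
	for _, t := range c.Users[identity] {
		userTags[t] = true
	}
	if len(userTags) == 0 {
		return nil, ErrForbidden // unknown identity: never fall through to the defaults
	}
	g := &Grant{Expiration: defaultExpiration, Extensions: map[string]string{}}
	allowed := map[string]bool{}
	apply := func(p *DefaultPolicy) error {
		if p == nil {
			return nil
		}
		for principal, tags := range p.Allow {
			for _, t := range tags {
				if userTags[t] {
					allowed[principal] = true
				}
			}
		}
		if p.Expiration != "" { // the check ValidateDuration would make, plus a positivity check
			d, err := time.ParseDuration(p.Expiration)
			if err != nil {
				return fmt.Errorf("invalid expiration %q: %w", p.Expiration, err)
			}
			if d <= 0 {
				return fmt.Errorf("invalid expiration %q: must be positive", p.Expiration)
			}
			g.Expiration = d
		}
		if len(p.Extensions) > 0 { // host extensions replace, not merge with, the defaults
			g.Extensions = map[string]string{}
			for k, v := range p.Extensions {
				g.Extensions[k] = v
			}
		}
		return nil
	}
	if err := apply(c.Defaults); err != nil {
		return nil, err
	}
	if err := apply(c.Hosts[host]); err != nil { // host-specific overrides are applied last
		return nil, err
	}
	if len(allowed) == 0 {
		return nil, ErrForbidden
	}
	for p := range allowed {
		g.Principals = append(g.Principals, p)
	}
	sort.Strings(g.Principals) // deterministic certificate contents
	return g, nil
}

// DemoConfig is constructed sample data, not a real deployment.
func DemoConfig() *PolicyRulesConfig {
	return &PolicyRulesConfig{
		Users: map[string][]string{
			"alice@example.com": {"admin", "dev"},
			"bob@example.com":   {"dev"},
			"eve@example.com":   {"guest"},
		},
		Defaults: &DefaultPolicy{
			Allow:      map[string][]string{"deploy": {"dev"}},
			Expiration: "5m",
			Extensions: map[string]string{"permit-pty": ""},
		},
		Hosts: map[string]*HostPolicy{
			"db1.example.com": {Allow: map[string][]string{"root": {"admin"}}, Expiration: "2m"},
		},
	}
}

func main() {
	g, err := DemoConfig().Evaluate("alice@example.com", "db1.example.com")
	fmt.Println(g, err)
}
```

With this data alice gets principals deploy and root on db1.example.com with a 2m certificate, bob gets only deploy, and eve (tag guest, listed nowhere) is refused even though she is a known user. The config error path matters operationally: a typo in an Expiration string should surface as a 500 in the policy server's logs, not silently become a denial.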

func (*PolicyRulesConfig) BootstrapAuth added in v0.5.1

func (c *PolicyRulesConfig) BootstrapAuth() BootstrapAuth

BootstrapAuth returns the auth configuration for the bootstrap endpoint. Currently only supports OIDC auth type.

func (*PolicyRulesConfig) BootstrapHash added in v0.5.1

func (c *PolicyRulesConfig) BootstrapHash() string

BootstrapHash computes a content-addressable hash of the auth configuration. This hash changes when the auth config changes (issuer, client_id, scopes). Returns a 12-character hex string.

func (*PolicyRulesConfig) DiscoveryHash added in v0.3.0

func (c *PolicyRulesConfig) DiscoveryHash() string

DiscoveryHash computes a content-addressable hash of the policy rules. This hash changes when the matching policy changes (hosts, users, etc.). Returns a 12-character hex string.
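The content-addressed scheme behind DiscoveryHash, BootstrapHash and the redirect and discovery handlers, as an added example and not the package's code. The hash construction is an assumption, since the page states only that the result is 12 hex characters; here it is the first 12 hex digits of SHA-256 over the JSON encoding of the fields the page says feed the bootstrap hash (issuer, client_id, scopes), so the secret is never part of it. A token table stands in for a TokenValidator. The Cache-Control values follow the page (5 minutes on the redirect, immutable on hashed content); marking the authenticated discovery document private is an addition made here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// BootstrapAuth is reduced to the fields the page says feed the bootstrap hash.
type BootstrapAuth struct {
	Type     string   `json:"type"`
	Issuer   string   `json:"issuer,omitempty"`
	ClientID string   `json:"client_id,omitempty"`
	Scopes   []string `json:"scopes,omitempty"`
}

// ContentHash is an assumed construction: SHA-256 over the JSON encoding, first 12 hex
// digits. The encoding is canonical for a struct (fixed field order) and for maps
// (encoding/json sorts keys), so equal content always yields the same hash.
func ContentHash(v any) string {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // only reachable with unencodable input, i.e. a programming error
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])[:12]
}

type DiscoveryConfig struct {
	ValidToken    func(token string) bool // stand-in for TokenValidator
	MatchPatterns []string
	DiscoveryHash string
	BootstrapHash string
	AuthConfig    BootstrapAuth
}

// NewRedirectHandler serves the stable /d/current or /d/bootstrap path: a 302 to the
// content-addressed URL, cacheable for 5 minutes so a new hash propagates quickly.
func NewRedirectHandler(hash, baseURL string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "max-age=300")
		http.Redirect(w, r, baseURL+"/d/"+hash, http.StatusFound)
	}
}

// NewDiscoveryHandler serves /d/{hash}. Content behind a hash never changes, so it is
// immutable; the authenticated document is additionally "private" so a shared cache
// cannot hand one client's response to another.
func NewDiscoveryHandler(c DiscoveryConfig) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		hash := strings.TrimPrefix(r.URL.Path, "/d/")
		switch {
		case hash != "" && hash == c.BootstrapHash:
			writeJSON(w, "public", map[string]any{"auth": c.AuthConfig})
		case hash != "" && hash == c.DiscoveryHash:
			authz := r.Header.Get("Authorization")
			if !strings.HasPrefix(authz, "Bearer ") || !c.ValidToken(strings.TrimPrefix(authz, "Bearer ")) {
				http.Error(w, "Unauthorized", http.StatusUnauthorized)
				return
			}
			writeJSON(w, "private", map[string]any{"matchPatterns": c.MatchPatterns})
		default:
			http.NotFound(w, r) // stale or guessed hash: the client must re-follow the redirect
		}
	}
}

func writeJSON(w http.ResponseWriter, scope string, v any) {
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", scope+", max-age=31536000, immutable")
	_ = json.NewEncoder(w).Encode(v)
}

// DemoConfig is constructed sample data; the token check is a fixed string, not real validation.
func DemoConfig() DiscoveryConfig {
	auth := BootstrapAuth{Type: "oidc", Issuer: "https://issuer.example.com", ClientID: "ssh-cli",
		Scopes: []string{"openid", "profile", "email"}}
	patterns := []string{"*.example.com"}
	return DiscoveryConfig{
		ValidToken:    func(t string) bool { return t == "tok-alice" },
		MatchPatterns: patterns,
		DiscoveryHash: ContentHash(map[string]any{"matchPatterns": patterns}),
		BootstrapHash: ContentHash(auth),
		AuthConfig:    auth,
	}
}

// Get issues a GET against h and returns the recorded response for inspection.
func Get(h http.Handler, path, bearer string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec
}

func main() {
	c := DemoConfig()
	rec := Get(NewRedirectHandler(c.BootstrapHash, ""), "/d/bootstrap", "")
	fmt.Println(rec.Code, rec.Header().Get("Location"))
}
```

The split between the two cache lifetimes is the whole design: the redirect is the only thing that ever changes, so it carries the short lifetime, while the hashed document can sit in a CDN indefinitely because a changed policy produces a different URL rather than a different body at the same URL.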

func (*PolicyRulesConfig) Validate added in v0.1.8

func (c *PolicyRulesConfig) Validate() error

Validate checks that the PolicyRulesConfig is valid

type Request

type Request struct {
	Token      string            `json:"token"`
	Connection policy.Connection `json:"connection"`
}

Request from CA to policy server

type Response

type Response struct {
	CertParams ca.CertParams `json:"certParams"`
	Policy     policy.Policy `json:"policy"`
}

Response from policy server to CA

type TokenValidator added in v0.3.0

type TokenValidator interface {
	// ValidateAndExtractIdentity validates the token and returns the identity.
	// Returns an error if the token is invalid or expired.
	ValidateAndExtractIdentity(token string) (identity string, err error)
}

TokenValidator validates authentication tokens and extracts identity. Used by handlers to authenticate requests before policy evaluation.
