Documentation
Index
- Constants
- type AllCAsUnavailableError
- type Bootstrap
- type BootstrapAuth
- type CAEndpoint
- type CAUnavailableError
- type CertResponse
- type Client
- func (c *Client) GetBootstrap(ctx context.Context) (*Bootstrap, error)
- func (c *Client) GetCert(ctx context.Context, token string, req *caserver.CreateCertRequest) (*CertResponse, error)
- func (c *Client) GetDiscovery(ctx context.Context, token string) (*Discovery, error)
- func (c *Client) GetPublicKey(ctx context.Context) (string, error)
- func (c *Client) Hello(ctx context.Context, token string) error
- func (c *Client) SetBootstrapURL(url string)
- func (c *Client) SetDiscoveryURL(url string)
- type ConnectionNotHandledError
- type Discovery
- type InvalidRequestError
- type InvalidTokenError
- type Option
- type PolicyDeniedError
Constants
const DefaultCooldown = 10 * time.Minute
DefaultCooldown is the default circuit breaker cooldown duration.
const DefaultPriority = 100
DefaultPriority is the priority assigned to CA endpoints without an explicit priority. Higher priority values are tried first.
const DefaultTimeout = 15 * time.Second
DefaultTimeout is the default per-request timeout for CA requests.
Variables
This section is empty.
Functions
This section is empty.
Types
type AllCAsUnavailableError (added in v0.3.0)
type AllCAsUnavailableError struct {
}
AllCAsUnavailableError indicates all configured CAs are unavailable. This happens when all CAs have their circuit breakers in the open state.
func (*AllCAsUnavailableError) Error (added in v0.3.0)
func (e *AllCAsUnavailableError) Error() string
type Bootstrap (added in v0.5.1)
type Bootstrap struct {
	Auth BootstrapAuth `json:"auth"`
}
Bootstrap contains information from the bootstrap endpoint.
type BootstrapAuth (added in v0.5.1)
type BootstrapAuth struct {
	// Type identifies the auth method: "oidc" or "command"
	Type string `json:"type"`
	// OIDC fields (when type="oidc")
	Issuer string `json:"issuer,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	ClientSecret string `json:"client_secret,omitempty"`
	Scopes []string `json:"scopes,omitempty"`
	// Command field (when type="command") - opaque string
	Command string `json:"command,omitempty"`
}
BootstrapAuth represents the auth configuration from the bootstrap endpoint. The Type field discriminates between auth methods.
type CAEndpoint (added in v0.3.0)
CAEndpoint represents a CA server URL with its priority for failover. Higher priority CAs are tried first; lower priority CAs are used as backups.
func ParseCAURL (added in v0.3.0)
func ParseCAURL(s string) (CAEndpoint, error)
ParseCAURL parses a CA URL string into a CAEndpoint. Format: "priority=N:https://ca.example.com/" or just "https://ca.example.com/". If no priority is specified, DefaultPriority (100) is used.
func ParseCAURLs (added in v0.3.0)
func ParseCAURLs(urls []string) ([]CAEndpoint, error)
ParseCAURLs parses multiple CA URL strings into CAEndpoints. Returns an error if any URL is invalid or if the list is empty.
type CAUnavailableError (added in v0.1.1)
type CAUnavailableError struct {
}
CAUnavailableError indicates the CA service is temporarily unavailable. This is typically a transient infrastructure issue.
func (*CAUnavailableError) Error (added in v0.1.1)
func (e *CAUnavailableError) Error() string
type CertResponse (added in v0.3.0)
type CertResponse struct {
	Certificate sshcert.RawCertificate
	Policy policy.Policy
	DiscoveryURL string
}
CertResponse contains a certificate and discovery information.
type Client
type Client struct {
	// contains filtered or unexported fields
}
Client is a CA Client with support for multiple CA endpoints and failover.
func New
func New(endpoints []CAEndpoint, options ...Option) (*Client, error)
New creates a new CA Client with the given endpoints. At least one endpoint is required.
func (*Client) GetBootstrap (added in v0.5.1)
func (c *Client) GetBootstrap(ctx context.Context) (*Bootstrap, error)
GetBootstrap fetches the bootstrap configuration from the cached bootstrap URL. Returns the bootstrap auth config. No authentication required. If no bootstrap URL is cached (GetPublicKey not called), returns an error.
func (*Client) GetCert
func (c *Client) GetCert(ctx context.Context, token string, req *caserver.CreateCertRequest) (*CertResponse, error)
GetCert requests a certificate from the CA, with automatic failover to backup CAs. It tries CAs in priority order, using circuit breakers to skip temporarily unavailable CAs. The token is sent in the Authorization header, not in the request body. Returns CertResponse containing the certificate, policy, and discovery URL.
func (*Client) GetDiscovery (added in v0.3.0)
func (c *Client) GetDiscovery(ctx context.Context, token string) (*Discovery, error)
GetDiscovery fetches discovery data using the cached discovery URL. If no URL is cached (from a previous cert request), returns nil. The discovery response itself is cached via httpcache.
func (*Client) GetPublicKey (added in v0.5.1)
func (c *Client) GetPublicKey(ctx context.Context) (string, error)
GetPublicKey fetches the CA's public key and extracts the bootstrap URL from the Link header. This is the first step in the bootstrap flow - no authentication required. Returns the public key as a string.
func (*Client) Hello (added in v0.3.1)
func (c *Client) Hello(ctx context.Context, token string) error
Hello validates a token with the CA and learns the discovery URL. This sends an empty body to the CA's hello endpoint, which validates the token with the policy server and returns the discovery URL in the Link header. Returns nil on success. The discovery URL is cached for subsequent GetDiscovery calls.
func (*Client) SetBootstrapURL (added in v0.5.1)
func (c *Client) SetBootstrapURL(url string)
SetBootstrapURL sets the cached bootstrap URL. This is primarily for testing.
func (*Client) SetDiscoveryURL (added in v0.3.0)
func (c *Client) SetDiscoveryURL(url string)
SetDiscoveryURL sets the cached discovery URL. This is primarily for testing. In normal operation, the URL is learned from CA cert response Link headers.
type ConnectionNotHandledError (added in v0.3.0)
type ConnectionNotHandledError struct {
	Message string
}
ConnectionNotHandledError indicates the CA/policy server does not handle this connection. The broker should fail the match and let SSH fall through to other auth methods.
func (*ConnectionNotHandledError) Error (added in v0.3.0)
func (e *ConnectionNotHandledError) Error() string
type Discovery (added in v0.3.0)
type Discovery struct {
	MatchPatterns []string `json:"matchPatterns"`
}
Discovery contains information from the discovery endpoint.
type InvalidRequestError (added in v0.1.1)
type InvalidRequestError struct {
	Message string
}
InvalidRequestError indicates the certificate request was malformed. This typically indicates a bug in the client code.
func (*InvalidRequestError) Error (added in v0.1.1)
func (e *InvalidRequestError) Error() string
type InvalidTokenError (added in v0.1.1)
type InvalidTokenError struct {
	Message string
}
InvalidTokenError indicates the authentication token is invalid or expired. The broker should clear the token and re-authenticate.
func (*InvalidTokenError) Error (added in v0.1.1)
func (e *InvalidTokenError) Error() string
type Option
type Option interface {
	// contains filtered or unexported methods
}
Option configures the agent.
func WithCooldown (added in v0.3.0)
WithCooldown sets the circuit breaker cooldown duration. Failed CAs will be unavailable for this duration before being retried.
func WithHTTPClient
WithHTTPClient specifies the HTTP client to use.
func WithLogger (added in v0.1.1)
WithLogger specifies the logger to use.
func WithTLSConfig (added in v0.1.4)
WithTLSConfig creates an HTTP client with the specified TLS configuration.
func WithTimeout (added in v0.3.0)
WithTimeout sets the per-request timeout for CA requests.
type PolicyDeniedError (added in v0.1.1)
type PolicyDeniedError struct {
	Message string
}
PolicyDeniedError indicates authentication succeeded but policy denied access. The token is valid, but the user is not authorized for this connection.
func (*PolicyDeniedError) Error (added in v0.1.1)
func (e *PolicyDeniedError) Error() string