zerotrust

package

v1.0.0 Latest Latest Go to latest Published: Mar 31, 2026 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/syntrex-lab/gomcp

Links

Open Source Insights

Documentation ¶

Overview ¶

Package zerotrust implements SEC-008 Zero-Trust Internal Networking.

Provides mTLS with SPIFFE identity for all internal SOC communication:

Certificate generation and rotation (24h default)
SPIFFE workload identity (spiffe://sentinel.syntrex.io/soc/*)
TLS 1.3 only with strong cipher suites
Client certificate validation (mutual TLS)
Connection authorization based on SPIFFE ID allowlists

Usage:

zt := zerotrust.New("soc-ingest", spiffeID)
tlsConfig := zt.ServerTLSConfig()
// or
tlsConfig := zt.ClientTLSConfig(targetSPIFFEID)

Index ¶

Constants
Variables
type Identity
- func NewIdentity(serviceName string, spiffeID SPIFFEID) (*Identity, error)
type IdentityStats
type SPIFFEID

Constants ¶

View Source

const (
	// DefaultCertLifetime is the certificate rotation period.
	DefaultCertLifetime = 24 * time.Hour

	// TrustDomain is the SPIFFE trust domain.
	TrustDomain = "sentinel.syntrex.pro"
)

Variables ¶

View Source

var AuthzPolicy = map[SPIFFEID][]SPIFFEID{
	SPIFFEIngest:    {SPIFFEImmune, SPIFFEShield, SPIFFESidecar, SPIFFEDashboard},
	SPIFFECorrelate: {SPIFFEIngest},
	SPIFFERespond:   {SPIFFECorrelate},
}

AuthzPolicy defines which SPIFFE IDs can connect to a service.

Functions ¶

This section is empty.

Types ¶

type Identity ¶

type Identity struct {
	// contains filtered or unexported fields
}

Identity holds a service's mTLS identity.

func NewIdentity ¶

func NewIdentity(serviceName string, spiffeID SPIFFEID) (*Identity, error)

NewIdentity creates a new zero-trust mTLS identity.

func (*Identity) CertPEM ¶

func (id *Identity) CertPEM() []byte

CertPEM returns the current certificate in PEM format.

func (*Identity) ClientTLSConfig ¶

func (id *Identity) ClientTLSConfig() *tls.Config

ClientTLSConfig returns a TLS config for connecting to a peer.

func (*Identity) RotateCert ¶

func (id *Identity) RotateCert() error

RotateCert generates a new workload certificate.

func (*Identity) SPIFFEID ¶

func (id *Identity) SPIFFEID() SPIFFEID

SPIFFEID returns the identity's SPIFFE ID.

func (*Identity) ServerTLSConfig ¶

func (id *Identity) ServerTLSConfig() *tls.Config

ServerTLSConfig returns a TLS config for accepting mTLS connections.

func (*Identity) Stats ¶

func (id *Identity) Stats() IdentityStats

Stats returns identity metrics.

type IdentityStats ¶

type IdentityStats struct {
	CertRotations       int64     `json:"cert_rotations"`
	ConnectionsAccepted int64     `json:"connections_accepted"`
	ConnectionsDenied   int64     `json:"connections_denied"`
	LastRotation        time.Time `json:"last_rotation"`
	CertExpiry          time.Time `json:"cert_expiry"`
	StartedAt           time.Time `json:"started_at"`
	// contains filtered or unexported fields
}

IdentityStats tracks mTLS metrics.

type SPIFFEID ¶

type SPIFFEID string

SPIFFEID is a SPIFFE workload identity.

const (
	SPIFFEIngest    SPIFFEID = "spiffe://sentinel.syntrex.pro/soc/ingest"
	SPIFFECorrelate SPIFFEID = "spiffe://sentinel.syntrex.pro/soc/correlate"
	SPIFFERespond   SPIFFEID = "spiffe://sentinel.syntrex.pro/soc/respond"
	SPIFFEImmune    SPIFFEID = "spiffe://sentinel.syntrex.pro/sensor/immune"
	SPIFFESidecar   SPIFFEID = "spiffe://sentinel.syntrex.pro/sensor/sidecar"
	SPIFFEShield    SPIFFEID = "spiffe://sentinel.syntrex.pro/sensor/shield"
	SPIFFEDashboard SPIFFEID = "spiffe://sentinel.syntrex.pro/dashboard"
)

Well-known SPIFFE IDs for SOC components.

Source Files ¶

View all Source files

zerotrust.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL