lastkeypair

Published: Aug 13, 2018 License: Apache-2.0 Imports: 35 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var ApplicationBuildDate string
var ApplicationVersion string
// DefaultSshPermissions is the package's baseline ssh.Permissions: no critical
// options (so, as far as the certificate itself is concerned, no forced command
// and no source-address restriction) and every extension listed below enabled.
// In OpenSSH certificates an extension is enabled by its presence and its value
// is conventionally empty, which is why each entry maps to "".
//
// NOTE(review): this is the most permissive shape a certificate can take
// (agent, port and X11 forwarding, pty and user rc all allowed). Presumably
// GenerateSshPermissions narrows it from a CertificateOptions — confirm in the
// implementation, and prefer explicit options over this value when minting
// certificates.
var DefaultSshPermissions = ssh.Permissions{
	// Empty: the certificate carries no force-command or source-address restriction.
	CriticalOptions: map[string]string{},
	// Presence of a key enables the extension; the empty value is the OpenSSH convention.
	Extensions: map[string]string{
		"permit-X11-forwarding":   "",
		"permit-agent-forwarding": "",
		"permit-port-forwarding":  "",
		"permit-pty":              "",
		"permit-user-rc":          "",
	},
}

Functions

func AppDir

func AppDir() string

func ClientAwsSession

func ClientAwsSession(profile, region string) *session.Session

func GenerateSshPermissions

// GenerateSshPermissions converts the caller-supplied CertificateOptions into
// the ssh.Permissions placed on an issued certificate. The expected mapping is
// not visible on this page — confirm in the implementation: ForceCommand and
// SourceAddress would become critical options, and the Permit* booleans would
// select which of the extensions in DefaultSshPermissions are kept. Behaviour
// for a nil options pointer is also not shown; callers should not assume it
// silently falls back to the fully permissive DefaultSshPermissions.
func GenerateSshPermissions(options *CertificateOptions) ssh.Permissions

func LambdaAwsSession

func LambdaAwsSession() *session.Session

func LambdaHandle

func LambdaHandle(evt json.RawMessage) (interface{}, error)

func RequestSignedPayload

func RequestSignedPayload(sess *session.Session, lambdaArn string, req interface{}, resp interface{}) error

func SignSsh

// SignSsh issues an SSH certificate over pubkeyBytes using the CA private key
// in caKeyBytes (unlocked with sshKeyPassphrase). certType selects a user or
// host certificate (the ssh.UserCert / ssh.HostCert values); expiry is a uint64
// like ssh.Certificate.ValidBefore (presumably an absolute unix time — confirm);
// permissions, keyId and principals are copied into the certificate. The
// returned *string is the serialized certificate — its exact encoding, and the
// error cases, are not visible on this page.
//
// NOTE(review): caKeyBytes and sshKeyPassphrase are the CA's secrets; they must
// never appear in logs or in wrapped error messages.
func SignSsh(caKeyBytes, sshKeyPassphrase, pubkeyBytes []byte, certType uint32, expiry uint64, permissions ssh.Permissions, keyId string, principals []string) (*string, error)

func TmpDir

func TmpDir() string

func ValidateToken

// ValidateToken reports whether token's Signature verifies for its Params
// against the key identified by expectedKeyId, using sess for the AWS call.
// Only a bool is returned, so a malformed token, a key-id mismatch and a failed
// AWS call are indistinguishable to the caller: any false must be treated as a
// rejection, and the caller must not fall back to trusting token.Params on its
// own. The body is not shown here — confirm which checks it performs
// (including the PlaintextPayload.NotBefore/NotAfter window, if that payload
// is what the signature covers).
func ValidateToken(sess *session.Session, token Token, expectedKeyId string) bool

Types

type AuthorizationLambda

// AuthorizationLambda is the client for the external authorization hook named
// by LambdaConfig.AuthorizationLambda. NewAuthorizationLambda builds one from a
// LambdaConfig; DoHostReq and DoUserReq are presumably consulted by
// DoHostCertReq/DoUserCertReq before a certificate is issued — confirm there.
// Its fields are unexported and not shown on this page.
type AuthorizationLambda struct {
	// contains filtered or unexported fields
}

func NewAuthorizationLambda

func NewAuthorizationLambda(config LambdaConfig) *AuthorizationLambda

func (*AuthorizationLambda) DoHostReq

func (*AuthorizationLambda) DoUserReq

type CertificateOptions

// CertificateOptions describes the restrictions a caller asks to place on an
// issued SSH certificate. ForceCommand and SourceAddress are pointers so that
// "not set" (nil, omitted from JSON) is distinct from an empty string; the
// three Permit* booleans select which forwarding extensions are enabled.
// How these are applied to an ssh.Permissions is implemented in
// GenerateSshPermissions and is not visible here.
type CertificateOptions struct {
	// Presumably the OpenSSH force-command critical option: nil = no restriction — confirm.
	ForceCommand          *string `json:",omitempty"`
	// Presumably the OpenSSH source-address critical option (CIDR list): nil = any source — confirm.
	SourceAddress         *string `json:",omitempty"`
	// Each true value requests the corresponding permit-* extension; false omits it.
	PermitX11Forwarding   bool
	PermitAgentForwarding bool
	PermitPortForwarding  bool
}

type HostCertReqJson

// HostCertReqJson is the request body for a host certificate (see
// DoHostCertReq). Token authenticates the requesting instance (the
// TokenParams.HostInstanceArn field exists for this path); PublicKey is the
// host key to be signed, serialized as a string. EventType presumably lets
// LambdaHandle tell host requests from user requests — confirm.
type HostCertReqJson struct {
	EventType string
	Token     Token
	PublicKey string
}

type HostCertRespJson

// HostCertRespJson is DoHostCertReq's response: the signed host certificate
// serialized as a string (presumably the same form SignSsh returns — the exact
// encoding is not visible here).
type HostCertRespJson struct {
	SignedHostPublicKey string
}

func DoHostCertReq

func DoHostCertReq(req HostCertReqJson, config LambdaConfig) (*HostCertRespJson, error)

type Jumpbox

// Jumpbox describes an intermediate host the client must hop through to reach
// its target, as carried in LkpUserCertAuthorizationResponse.Jumpboxes and
// UserCertRespJson.Jumpboxes. JumpCertificatePath and JumpboxFilepath give the
// local files the client writes for this hop.
type Jumpbox struct {
	// Address to connect to and SSH user to use for this hop.
	Address            string
	User               string
	// Name used when matching the hop's host key — presumably an ssh_config HostKeyAlias; confirm in WriteSshConfig.
	HostKeyAlias       string
	// Principals requested in the hop's certificate.
	Principals         []string
	// Certificate issued for this hop, serialized as a string.
	SignedPublicKey    string
	// Restrictions requested for the hop's certificate; nil when none were given.
	CertificateOptions *CertificateOptions
}

func (*Jumpbox) JumpCertificatePath

func (j *Jumpbox) JumpCertificatePath() string

func (*Jumpbox) JumpboxFilepath

func (j *Jumpbox) JumpboxFilepath() string

type Keypair

// Keypair holds an SSH key pair as raw bytes, produced by GenerateKeyPair or
// loaded by MyKeyPair. PrivateKey is secret material held in process memory:
// keep it out of logs and error messages. The serialization (PEM or OpenSSH
// wire format) is not visible on this page.
type Keypair struct {
	PrivateKey []byte
	PublicKey  []byte
}

func GenerateKeyPair

func GenerateKeyPair() (*Keypair, error)

func MyKeyPair

func MyKeyPair() (*Keypair, error)

type LambdaConfig

// LambdaConfig is the server-side configuration of the signing Lambda.
// CaKeyBytes and CaKeyPassphraseBytes are the CA private key and its
// passphrase — the most sensitive values in the package — and are what SignSsh
// consumes. KeyId and KmsTokenIdentity presumably identify the KMS key and
// identity used for tokens (compare ValidateToken's expectedKeyId) — confirm.
// AuthorizationLambda names the external authorization hook wrapped by
// NewAuthorizationLambda.
type LambdaConfig struct {
	KeyId                string
	KmsTokenIdentity     string
	CaKeyBytes           []byte
	CaKeyPassphraseBytes []byte
	// Certificate lifetime; its unit is not visible here (seconds?) — TODO confirm against UserCertRespJson.Expiry.
	ValidityDuration     int64
	AuthorizationLambda  string
}

type LkpHostCertAuthorizationRequest

// LkpHostCertAuthorizationRequest is, by its naming, the payload
// AuthorizationLambda.DoHostReq sends to the authorization Lambda before a host
// certificate is issued — confirm. Kind tags the request type; From is the
// caller's identity (an unexported type not shown here); HostInstanceArn and
// Principals mirror the same-named TokenParams fields.
type LkpHostCertAuthorizationRequest struct {
	Kind            string
	From            authorizationLambdaIdentity
	HostInstanceArn string
	Principals      []string
}

type LkpHostCertAuthorizationResponse

// LkpHostCertAuthorizationResponse is the authorization Lambda's decision for a
// host certificate. Authorized is the verdict; KeyId and Principals are the
// values the signer is expected to use.
// NOTE(review): Principals here is a separate list from the request's, so it
// may differ from what was asked for — the signer should pass this list, not
// the request's, to SignSsh. Confirm in DoHostCertReq.
type LkpHostCertAuthorizationResponse struct {
	Authorized bool
	KeyId      string
	Principals []string
}

type LkpUserCertAuthorizationRequest

// LkpUserCertAuthorizationRequest is, by its naming, the payload
// AuthorizationLambda.DoUserReq sends to the authorization Lambda before a user
// certificate is issued — confirm. Kind tags the request type; From is the
// caller's identity (unexported type, not shown); RemoteInstanceArn and
// SshUsername mirror the same-named TokenParams fields; Vouchers carries any
// third-party vouchers (unexported element type) and is omitted when empty.
type LkpUserCertAuthorizationRequest struct {
	Kind              string
	From              authorizationLambdaIdentity
	RemoteInstanceArn string
	SshUsername       string
	Vouchers          []authorizationLambdaVoucher `json:",omitempty"`
}

type LkpUserCertAuthorizationResponse

// LkpUserCertAuthorizationResponse is the authorization Lambda's decision for a
// user certificate. Authorized is the verdict and Message a human-readable
// explanation; Principals, Jumpboxes, TargetAddress and CertificateOptions are
// what the signer should apply (the authorizer, not the requester, decides the
// principals and restrictions). Jumpboxes and TargetAddress are omitted from
// JSON when empty; CertificateOptions is nil when the authorizer sets none.
type LkpUserCertAuthorizationResponse struct {
	Authorized         bool
	Message            string
	Principals         []string
	Jumpboxes          []Jumpbox `json:",omitempty"`
	TargetAddress      string    `json:",omitempty"`
	CertificateOptions *CertificateOptions
}

type PlaintextPayload

// PlaintextPayload is a validity window. Its name suggests it is the plaintext
// a Token's Signature is computed over — confirm against CreateToken and
// ValidateToken. The bounds are int64 because that is what json.Unmarshal
// decodes the numeric fields into; their unit (unix seconds?) is not visible
// on this page.
type PlaintextPayload struct {
	NotBefore int64 // int64 rather than time.Time: the type json.Unmarshal decodes the numeric field into
	NotAfter  int64
}

type ReifiedLogin

// ReifiedLogin is the client-side state of one login attempt: the instance
// being targeted, the request sent to the signing Lambda and its response. It
// is built from the cobra command by NewReifiedLoginWithCmd and filled either
// by invoking the Lambda (PopulateByInvoke) or from a local cache
// (PopulateByRestoreCache); PrivateKeyPath, CertificatePath and Filepath locate
// the files it writes, and WriteSshConfig emits the ssh config for the hop
// chain. Request and Response are presumably nil until populated — the
// constructor's body is not shown here.
type ReifiedLogin struct {
	InstanceArn string

	Request  *UserCertReqJson
	Response *UserCertRespJson
	// contains filtered or unexported fields
}

func NewReifiedLoginWithCmd

func NewReifiedLoginWithCmd(cmd *cobra.Command, args []string) *ReifiedLogin

func (*ReifiedLogin) CertificatePath

func (r *ReifiedLogin) CertificatePath() string

func (*ReifiedLogin) Filepath

func (r *ReifiedLogin) Filepath(name string) string

func (*ReifiedLogin) PopulateByInvoke

func (r *ReifiedLogin) PopulateByInvoke()

func (*ReifiedLogin) PopulateByRestoreCache

func (r *ReifiedLogin) PopulateByRestoreCache()

func (*ReifiedLogin) PrivateKeyPath

func (r *ReifiedLogin) PrivateKeyPath() string

func (*ReifiedLogin) WriteSshConfig

func (r *ReifiedLogin) WriteSshConfig() string

type StsIdentity

// StsIdentity is the caller identity returned by CallerIdentityUser
// (presumably from AWS STS GetCallerIdentity — confirm). AccountId and UserId
// are the raw identity values; Username and Type are presumably derived from
// the caller's ARN (e.g. IAM user vs. assumed role) — confirm in
// CallerIdentityUser.
type StsIdentity struct {
	AccountId string
	UserId    string
	Username  string
	Type      string
}

func CallerIdentityUser

func CallerIdentityUser(sess *session.Session) (*StsIdentity, error)

type Token

// Token is the authenticated request envelope: Params are the claims and
// Signature the bytes that bind them to a key. CreateToken produces one and
// ValidateToken checks it against an expected key id. Only the TokenParams
// fields enter the KMS encryption context (and therefore CloudTrail); whether
// Signature is a KMS ciphertext or a detached signature is not visible here.
type Token struct {
	Params    TokenParams
	Signature []byte
}

func CreateToken

// CreateToken produces a Token over params bound to the KMS key keyId, using
// sess for the AWS call (presumably with ToKmsContext as the encryption
// context — confirm). The signature returns no error, so a failed KMS call
// must be handled inside: confirm whether that is a panic or an empty
// Signature, and make sure ValidateToken rejects a Token whose Signature is
// empty.
func CreateToken(sess *session.Session, params TokenParams, keyId string) Token

type TokenParams

// TokenParams are the claims a Token carries. Every field here is part of the
// KMS encryption context produced by ToKmsContext, so it is both enforceable
// by the KMS key policy and logged in CloudTrail — add fields deliberately and
// keep anything that must not be logged out of this struct.
type TokenParams struct {
	// Required fields: the caller's identity (presumably StsIdentity.UserId /
	// AccountId — confirm in CreateToken), the recipient and the token type.
	FromId      string
	FromAccount string
	To          string
	Type        string

	// optional fields below this comment
	FromName string         `json:",omitempty"`
	Vouchee  string         `json:",omitempty"`
	Context  string         `json:",omitempty"`
	Vouchers []VoucherToken `json:",omitempty"`

	// Two separate fields are kept (rather than one overloaded "InstanceArn")
	// so that the KMS key policy can require HostInstanceArn to equal the
	// caller's ec2:SourceInstanceARN whenever HostInstanceArn is present. With
	// a single shared field that condition could not be expressed, and anyone
	// not running on an instance could request a host certificate.
	HostInstanceArn   string `json:",omitempty"` // set when an instance requests a host cert for itself
	RemoteInstanceArn string `json:",omitempty"` // set when a user requests a user cert for a specific host

	SshUsername string   `json:",omitempty"` // username on the remote instance the user wants to access
	Principals  []string `json:",omitempty"` // additional principals to include in the cert
}

func (*TokenParams) ToKmsContext

func (params *TokenParams) ToKmsContext() map[string]*string

type UserCertReqJson

// UserCertReqJson is the request body for a user certificate (see
// DoUserCertReq). Token authenticates the requesting user and carries the
// claims (target host, SSH username, vouchers); PublicKey is the user's key to
// be signed, serialized as a string. EventType presumably lets LambdaHandle
// tell user requests from host requests — confirm.
type UserCertReqJson struct {
	// NOTE: be very careful of adding new fields to this struct. only fields
	// inside Token.TokenParams are part of the encryption context (and hence
	// logged in cloudtrail)
	EventType string
	Token     Token
	PublicKey string
}

type UserCertRespJson

// UserCertRespJson is DoUserCertReq's response: the signed user certificate,
// any jumpboxes the client must hop through, the final TargetAddress and the
// certificate's Expiry. Jumpboxes and TargetAddress are omitted from JSON when
// empty. Expiry is an int64 whose unit is not visible here — presumably the
// same basis as SignSsh's expiry argument; TODO confirm.
type UserCertRespJson struct {
	SignedPublicKey string
	Jumpboxes       []Jumpbox `json:",omitempty"`
	TargetAddress   string    `json:",omitempty"`
	Expiry          int64
}

func DoUserCertReq

func DoUserCertReq(req UserCertReqJson, config LambdaConfig) (*UserCertRespJson, error)

type VoucherToken

// VoucherToken is a Token by which one principal vouches for another (see
// Vouch, and TokenParams.Vouchee/Vouchers). It is a distinct defined type so
// that Encode and DecodeVoucherToken attach to it without adding methods to
// Token; being a defined type, it does not inherit any Token methods.
type VoucherToken Token

func DecodeVoucherToken

func DecodeVoucherToken(encoded string) (*VoucherToken, error)

func Vouch

// Vouch creates a VoucherToken in which the caller (identified through sess)
// vouches for vouchee towards to, bound to kmsKeyId; context is free-form text,
// presumably carried as TokenParams.Context — confirm. Like CreateToken it
// returns no error, so failures must be surfaced some other way inside the
// body; check for a non-empty Signature before relying on the result.
func Vouch(sess *session.Session, kmsKeyId, to, vouchee, context string) VoucherToken

func (*VoucherToken) Encode

func (vt *VoucherToken) Encode() string
