puppetsec

package
v0.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 12, 2020 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Overview

Package puppetsec provides a Puppet compatable Security Provider

The provider supports enrolling into a Puppet CA by creating a key and csr, sending it to the PuppetCA and waiting for it to be signed and later it will download the certificate once signed

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config 

type Config struct {
	// Identity when not empty will force the identity to be used for validations etc
	Identity string

	// SSLDir is the directory where Puppet stores it's SSL
	SSLDir string

	// PrivilegedUsers is a list of regular expressions that identity privilged users
	PrivilegedUsers []string

	// AllowList is a list of regular expressions that identity valid users to allow in
	AllowList []string

	// DisableTLSVerify disables TLS verify in HTTP clients etc
	DisableTLSVerify bool

	// PuppetCAHost is the hostname of the PuppetCA
	PuppetCAHost string

	// PuppetCAPort is the port of the PuppetCA
	PuppetCAPort int

	// DisableSRV prevents SRV lookups
	DisableSRV bool

	// Is a URL where a remote signer is running
	RemoteSignerURL string

	// RemoteSignerTokenFile is a file with a token for access to the remote signer
	RemoteSignerTokenFile string

	// RemoteSignerTokenEnvironment is an environment variable that will hold the signer token
	RemoteSignerTokenEnvironment string

	// AlwaysOverwriteCache supports always overwriting the local filesystem cache
	AlwaysOverwriteCache bool
	// contains filtered or unexported fields
}

Config is the configuration for PuppetSecurity

type Option 

type Option func(*PuppetSecurity) error

Option is a function that can configure the Puppet Security Provider

func WithChoriaConfig 

func WithChoriaConfig(c *config.Config) Option

WithChoriaConfig optionally configures the Puppet Security Provider from settings found in a typical Choria configuration

func WithConfig 

func WithConfig(c *Config) Option

WithConfig optionally configures the Puppet Security Provider using its native configuration format

func WithLog 

func WithLog(l *logrus.Entry) Option

WithLog configures a logger for the Puppet Security Provider

func WithResolver 

func WithResolver(r Resolver) Option

WithResolver configures a SRV resolver for the Puppet Security Provider

type PuppetSecurity 

type PuppetSecurity struct {
	// contains filtered or unexported fields
}

PuppetSecurity implements SecurityProvider reusing AIO Puppet settings it supports enrollment the same way `puppet agent --waitforcert 10` does

func New 

func New(opts ...Option) (*PuppetSecurity, error)

New creates a new instance of the Puppet Security Provider

func (*PuppetSecurity) CachePublicData 

func (s *PuppetSecurity) CachePublicData(data []byte, identity string) error

CachePublicData caches the public key for a identity

func (*PuppetSecurity) CachedPublicData 

func (s *PuppetSecurity) CachedPublicData(identity string) ([]byte, error)

CachedPublicData retrieves the previously cached public data for a given identity

func (*PuppetSecurity) CallerIdentity 

func (s *PuppetSecurity) CallerIdentity(caller string) (string, error)

CallerIdentity extracts the identity from a choria like caller name in the form of choria=identity

func (*PuppetSecurity) CallerName 

func (s *PuppetSecurity) CallerName() string

CallerName creates a choria like caller name in the form of choria=identity

func (*PuppetSecurity) ChecksumBytes 

func (s *PuppetSecurity) ChecksumBytes(data []byte) []byte

ChecksumBytes calculates a sha256 checksum for data

func (*PuppetSecurity) ChecksumString 

func (s *PuppetSecurity) ChecksumString(data string) []byte

ChecksumString calculates a sha256 checksum for data

func (*PuppetSecurity) Enroll 

func (s *PuppetSecurity) Enroll(ctx context.Context, wait time.Duration, cb func(int)) error

Enroll sends a CSR to the PuppetCA and wait for it to be signed

func (*PuppetSecurity) HTTPClient 

func (s *PuppetSecurity) HTTPClient(secure bool) (*http.Client, error)

HTTPClient creates a standard HTTP client with optional security, it will be set to use the CA and client certs for auth. servername should match the remote hosts name for SNI

func (*PuppetSecurity) Identity 

func (s *PuppetSecurity) Identity() string

Identity determines the choria certname

func (*PuppetSecurity) PrivilegedVerifyByteSignature 

func (s *PuppetSecurity) PrivilegedVerifyByteSignature(dat []byte, sig []byte, identity string) bool

PrivilegedVerifyByteSignature verifies if the signature received is from any of the privileged certs or the given identity

func (*PuppetSecurity) PrivilegedVerifyStringSignature 

func (s *PuppetSecurity) PrivilegedVerifyStringSignature(dat string, sig []byte, identity string) bool

PrivilegedVerifyStringSignature verifies if the signature received is from any of the privilged certs or the given identity

func (*PuppetSecurity) Provider 

func (s *PuppetSecurity) Provider() string

Provider reports the name of the security provider

func (*PuppetSecurity) PublicCertPem 

func (s *PuppetSecurity) PublicCertPem() (*pem.Block, error)

PublicCertPem retrieves the public certificate for this instance

func (*PuppetSecurity) PublicCertTXT 

func (s *PuppetSecurity) PublicCertTXT() ([]byte, error)

PublicCertTXT retrieves pem data in textual form for the public certificate of the current identity

func (*PuppetSecurity) RemoteSignRequest added in v0.6.0 

func (s *PuppetSecurity) RemoteSignRequest(str []byte) (signed []byte, err error)

RemoteSignRequest signs a choria request using a remote signer and returns a secure request

func (*PuppetSecurity) SSLContext 

func (s *PuppetSecurity) SSLContext() (*http.Transport, error)

SSLContext creates a SSL context loaded with our certs and ca

func (*PuppetSecurity) SignBytes 

func (s *PuppetSecurity) SignBytes(str []byte) ([]byte, error)

SignBytes signs a message using a SHA256 PKCS1v15 protocol

func (*PuppetSecurity) SignString 

func (s *PuppetSecurity) SignString(str string) ([]byte, error)

SignString signs a message using a SHA256 PKCS1v15 protocol

func (*PuppetSecurity) TLSConfig 

func (s *PuppetSecurity) TLSConfig() (*tls.Config, error)

TLSConfig creates a TLS configuration for use by NATS, HTTPS etc

func (*PuppetSecurity) Validate 

func (s *PuppetSecurity) Validate() ([]string, bool)

Validate determines if the node represents a valid SSL configuration

func (*PuppetSecurity) VerifyByteSignature 

func (s *PuppetSecurity) VerifyByteSignature(dat []byte, sig []byte, identity string) bool

VerifyByteSignature verify that dat matches signature sig made by the key of identity if identity is "" the active public key will be used

func (*PuppetSecurity) VerifyCertificate 

func (s *PuppetSecurity) VerifyCertificate(certpem []byte, name string) error

VerifyCertificate verifies a certificate is signed with the configured CA and if name is not "" that it matches the name given

func (*PuppetSecurity) VerifyStringSignature 

func (s *PuppetSecurity) VerifyStringSignature(str string, sig []byte, identity string) bool

VerifyStringSignature verify that str matches signature sig made by the key of identity

type Resolver 

type Resolver interface {
	QuerySrvRecords(records []string) (srvcache.Servers, error)
}

Resolver provides DNS lookup facilities

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.