2022-03-08 12:26:07 +00:00
|
|
|
package policy
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// Options is a container for authority level x509 and SSH
|
|
|
|
// policy configuration.
|
2022-03-08 12:26:07 +00:00
|
|
|
type Options struct {
|
|
|
|
X509 *X509PolicyOptions `json:"x509,omitempty"`
|
|
|
|
SSH *SSHPolicyOptions `json:"ssh,omitempty"`
|
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// GetX509Options returns the x509 authority level policy
|
|
|
|
// configuration
|
2022-03-08 12:26:07 +00:00
|
|
|
func (o *Options) GetX509Options() *X509PolicyOptions {
|
|
|
|
if o == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return o.X509
|
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// GetSSHOptions returns the SSH authority level policy
|
|
|
|
// configuration
|
2022-03-08 12:26:07 +00:00
|
|
|
func (o *Options) GetSSHOptions() *SSHPolicyOptions {
|
|
|
|
if o == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return o.SSH
|
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// X509PolicyOptionsInterface is an interface for providers
|
|
|
|
// of x509 allowed and denied names.
|
2022-03-08 12:26:07 +00:00
|
|
|
type X509PolicyOptionsInterface interface {
|
|
|
|
GetAllowedNameOptions() *X509NameOptions
|
|
|
|
GetDeniedNameOptions() *X509NameOptions
|
2022-04-19 08:24:52 +00:00
|
|
|
IsWildcardLiteralAllowed() bool
|
2022-04-26 08:15:17 +00:00
|
|
|
ShouldVerifyCommonName() bool
|
2022-03-08 12:26:07 +00:00
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// X509PolicyOptions is a container for x509 allowed and denied
|
|
|
|
// names.
|
2022-03-08 12:26:07 +00:00
|
|
|
type X509PolicyOptions struct {
|
2022-03-15 14:51:45 +00:00
|
|
|
// AllowedNames contains the x509 allowed names
|
2022-03-08 12:26:07 +00:00
|
|
|
AllowedNames *X509NameOptions `json:"allow,omitempty"`
|
2022-04-26 08:15:17 +00:00
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// DeniedNames contains the x509 denied names
|
2022-03-08 12:26:07 +00:00
|
|
|
DeniedNames *X509NameOptions `json:"deny,omitempty"`
|
2022-04-26 08:15:17 +00:00
|
|
|
|
2022-04-19 08:24:52 +00:00
|
|
|
// AllowWildcardLiteral indicates if literal wildcard names
|
|
|
|
// such as *.example.com and @example.com are allowed. Defaults
|
|
|
|
// to false.
|
2022-04-26 08:15:17 +00:00
|
|
|
AllowWildcardLiteral bool `json:"allowWildcardLiteral,omitempty"`
|
|
|
|
|
|
|
|
// DisableCommonNameVerification indicates if the Subject Common Name
|
|
|
|
// is verified in addition to the SANs. Defaults to false, resulting in
|
|
|
|
// Common Names being verified.
|
|
|
|
DisableCommonNameVerification bool `json:"disableCommonNameVerification,omitempty"`
|
2022-03-08 12:26:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// X509NameOptions models the X509 name policy configuration.
|
|
|
|
type X509NameOptions struct {
|
|
|
|
DNSDomains []string `json:"dns,omitempty"`
|
|
|
|
IPRanges []string `json:"ip,omitempty"`
|
|
|
|
EmailAddresses []string `json:"email,omitempty"`
|
|
|
|
URIDomains []string `json:"uri,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// HasNames checks if the AllowedNameOptions has one or more
|
|
|
|
// names configured.
|
|
|
|
func (o *X509NameOptions) HasNames() bool {
|
|
|
|
return len(o.DNSDomains) > 0 ||
|
|
|
|
len(o.IPRanges) > 0 ||
|
|
|
|
len(o.EmailAddresses) > 0 ||
|
|
|
|
len(o.URIDomains) > 0
|
|
|
|
}
|
|
|
|
|
2022-04-21 10:14:03 +00:00
|
|
|
// GetAllowedNameOptions returns x509 allowed name policy configuration
|
|
|
|
func (o *X509PolicyOptions) GetAllowedNameOptions() *X509NameOptions {
|
2022-04-19 08:24:52 +00:00
|
|
|
if o == nil {
|
|
|
|
return nil
|
|
|
|
}
|
2022-04-21 10:14:03 +00:00
|
|
|
return o.AllowedNames
|
2022-04-19 08:24:52 +00:00
|
|
|
}
|
|
|
|
|
2022-04-21 10:14:03 +00:00
|
|
|
// GetDeniedNameOptions returns the x509 denied name policy configuration
|
|
|
|
func (o *X509PolicyOptions) GetDeniedNameOptions() *X509NameOptions {
|
2022-04-19 08:24:52 +00:00
|
|
|
if o == nil {
|
|
|
|
return nil
|
|
|
|
}
|
2022-04-21 10:14:03 +00:00
|
|
|
return o.DeniedNames
|
2022-04-19 08:24:52 +00:00
|
|
|
}
|
|
|
|
|
2022-04-21 21:45:05 +00:00
|
|
|
// IsWildcardLiteralAllowed returns whether the authority allows
|
|
|
|
// literal wildcard domains and other names to be signed.
|
2022-04-19 08:24:52 +00:00
|
|
|
func (o *X509PolicyOptions) IsWildcardLiteralAllowed() bool {
|
|
|
|
if o == nil {
|
|
|
|
return true
|
|
|
|
}
|
2022-04-21 21:45:05 +00:00
|
|
|
return o.AllowWildcardLiteral
|
2022-04-19 08:24:52 +00:00
|
|
|
}
|
|
|
|
|
2022-04-26 08:15:17 +00:00
|
|
|
// ShouldVerifyCommonName returns whether the authority
|
2022-04-21 21:45:05 +00:00
|
|
|
// should verify the Subject Common Name in addition to the SANs.
|
2022-04-26 08:15:17 +00:00
|
|
|
func (o *X509PolicyOptions) ShouldVerifyCommonName() bool {
|
2022-04-19 08:24:52 +00:00
|
|
|
if o == nil {
|
|
|
|
return false
|
|
|
|
}
|
2022-04-26 08:15:17 +00:00
|
|
|
return !o.DisableCommonNameVerification
|
2022-04-19 08:24:52 +00:00
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// SSHPolicyOptionsInterface is an interface for providers of
|
|
|
|
// SSH user and host name policy configuration.
|
2022-03-08 12:26:07 +00:00
|
|
|
type SSHPolicyOptionsInterface interface {
|
|
|
|
GetAllowedUserNameOptions() *SSHNameOptions
|
|
|
|
GetDeniedUserNameOptions() *SSHNameOptions
|
|
|
|
GetAllowedHostNameOptions() *SSHNameOptions
|
|
|
|
GetDeniedHostNameOptions() *SSHNameOptions
|
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// SSHPolicyOptions is a container for SSH user and host policy
|
|
|
|
// configuration
|
2022-03-08 12:26:07 +00:00
|
|
|
type SSHPolicyOptions struct {
|
|
|
|
// User contains SSH user certificate options.
|
|
|
|
User *SSHUserCertificateOptions `json:"user,omitempty"`
|
|
|
|
// Host contains SSH host certificate options.
|
|
|
|
Host *SSHHostCertificateOptions `json:"host,omitempty"`
|
|
|
|
}
|
|
|
|
|
2022-04-21 10:14:03 +00:00
|
|
|
// GetAllowedUserNameOptions returns the SSH allowed user name policy
|
|
|
|
// configuration.
|
|
|
|
func (o *SSHPolicyOptions) GetAllowedUserNameOptions() *SSHNameOptions {
|
|
|
|
if o == nil || o.User == nil {
|
2022-03-08 12:26:07 +00:00
|
|
|
return nil
|
|
|
|
}
|
2022-04-21 10:14:03 +00:00
|
|
|
return o.User.AllowedNames
|
2022-03-08 12:26:07 +00:00
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// GetDeniedUserNameOptions returns the SSH denied user name policy
|
|
|
|
// configuration.
|
2022-03-08 12:26:07 +00:00
|
|
|
func (o *SSHPolicyOptions) GetDeniedUserNameOptions() *SSHNameOptions {
|
2022-04-21 10:14:03 +00:00
|
|
|
if o == nil || o.User == nil {
|
2022-03-08 12:26:07 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return o.User.DeniedNames
|
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// GetAllowedHostNameOptions returns the SSH allowed host name policy
|
|
|
|
// configuration.
|
2022-03-08 12:26:07 +00:00
|
|
|
func (o *SSHPolicyOptions) GetAllowedHostNameOptions() *SSHNameOptions {
|
2022-04-21 10:14:03 +00:00
|
|
|
if o == nil || o.Host == nil {
|
2022-03-08 12:26:07 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return o.Host.AllowedNames
|
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// GetDeniedHostNameOptions returns the SSH denied host name policy
|
|
|
|
// configuration.
|
2022-03-08 12:26:07 +00:00
|
|
|
func (o *SSHPolicyOptions) GetDeniedHostNameOptions() *SSHNameOptions {
|
2022-04-21 10:14:03 +00:00
|
|
|
if o == nil || o.Host == nil {
|
2022-03-08 12:26:07 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return o.Host.DeniedNames
|
|
|
|
}
|
|
|
|
|
|
|
|
// SSHUserCertificateOptions is a collection of SSH user certificate options.
|
|
|
|
type SSHUserCertificateOptions struct {
|
|
|
|
// AllowedNames contains the names the provisioner is authorized to sign
|
|
|
|
AllowedNames *SSHNameOptions `json:"allow,omitempty"`
|
|
|
|
// DeniedNames contains the names the provisioner is not authorized to sign
|
|
|
|
DeniedNames *SSHNameOptions `json:"deny,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// SSHHostCertificateOptions is a collection of SSH host certificate options.
|
|
|
|
// It's an alias of SSHUserCertificateOptions, as the options are the same
|
|
|
|
// for both types of certificates.
|
|
|
|
type SSHHostCertificateOptions SSHUserCertificateOptions
|
|
|
|
|
|
|
|
// SSHNameOptions models the SSH name policy configuration.
|
|
|
|
type SSHNameOptions struct {
|
|
|
|
DNSDomains []string `json:"dns,omitempty"`
|
|
|
|
IPRanges []string `json:"ip,omitempty"`
|
|
|
|
EmailAddresses []string `json:"email,omitempty"`
|
|
|
|
Principals []string `json:"principal,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetAllowedNameOptions returns the AllowedSSHNameOptions, which models the
|
|
|
|
// names that a provisioner is authorized to sign SSH certificates for.
|
|
|
|
func (o *SSHUserCertificateOptions) GetAllowedNameOptions() *SSHNameOptions {
|
|
|
|
if o == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return o.AllowedNames
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetDeniedNameOptions returns the DeniedSSHNameOptions, which models the
|
|
|
|
// names that a provisioner is NOT authorized to sign SSH certificates for.
|
|
|
|
func (o *SSHUserCertificateOptions) GetDeniedNameOptions() *SSHNameOptions {
|
|
|
|
if o == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return o.DeniedNames
|
|
|
|
}
|
|
|
|
|
|
|
|
// HasNames checks if the SSHNameOptions has one or more
|
|
|
|
// names configured.
|
|
|
|
func (o *SSHNameOptions) HasNames() bool {
|
|
|
|
return len(o.DNSDomains) > 0 ||
|
2022-03-31 14:12:29 +00:00
|
|
|
len(o.IPRanges) > 0 ||
|
2022-03-08 12:26:07 +00:00
|
|
|
len(o.EmailAddresses) > 0 ||
|
|
|
|
len(o.Principals) > 0
|
|
|
|
}
|