forked from TrueCloudLab/certificates
2b7f6931f3
Subject Common Names can now also be configured to be allowed or denied, similar to SANs. When a Subject Common Name is not explicitly allowed or denied, its type will be determined and its value will be validated according to the constraints for that type of name (i.e. URI).
195 lines
5.8 KiB
Go
195 lines
5.8 KiB
Go
package policy
|
|
|
|
// Options is a container for authority level x509 and SSH
|
|
// policy configuration.
|
|
type Options struct {
|
|
X509 *X509PolicyOptions `json:"x509,omitempty"`
|
|
SSH *SSHPolicyOptions `json:"ssh,omitempty"`
|
|
}
|
|
|
|
// GetX509Options returns the x509 authority level policy
|
|
// configuration
|
|
func (o *Options) GetX509Options() *X509PolicyOptions {
|
|
if o == nil {
|
|
return nil
|
|
}
|
|
return o.X509
|
|
}
|
|
|
|
// GetSSHOptions returns the SSH authority level policy
|
|
// configuration
|
|
func (o *Options) GetSSHOptions() *SSHPolicyOptions {
|
|
if o == nil {
|
|
return nil
|
|
}
|
|
return o.SSH
|
|
}
|
|
|
|
// X509PolicyOptionsInterface is an interface for providers
|
|
// of x509 allowed and denied names.
|
|
type X509PolicyOptionsInterface interface {
|
|
GetAllowedNameOptions() *X509NameOptions
|
|
GetDeniedNameOptions() *X509NameOptions
|
|
IsWildcardLiteralAllowed() bool
|
|
}
|
|
|
|
// X509PolicyOptions is a container for x509 allowed and denied
|
|
// names.
|
|
type X509PolicyOptions struct {
|
|
// AllowedNames contains the x509 allowed names
|
|
AllowedNames *X509NameOptions `json:"allow,omitempty"`
|
|
|
|
// DeniedNames contains the x509 denied names
|
|
DeniedNames *X509NameOptions `json:"deny,omitempty"`
|
|
|
|
// AllowWildcardLiteral indicates if literal wildcard names
|
|
// such as *.example.com and @example.com are allowed. Defaults
|
|
// to false.
|
|
AllowWildcardLiteral bool `json:"allowWildcardLiteral,omitempty"`
|
|
}
|
|
|
|
// X509NameOptions models the X509 name policy configuration.
|
|
type X509NameOptions struct {
|
|
CommonNames []string `json:"cn,omitempty"`
|
|
DNSDomains []string `json:"dns,omitempty"`
|
|
IPRanges []string `json:"ip,omitempty"`
|
|
EmailAddresses []string `json:"email,omitempty"`
|
|
URIDomains []string `json:"uri,omitempty"`
|
|
}
|
|
|
|
// HasNames checks if the AllowedNameOptions has one or more
|
|
// names configured.
|
|
func (o *X509NameOptions) HasNames() bool {
|
|
return len(o.CommonNames) > 0 ||
|
|
len(o.DNSDomains) > 0 ||
|
|
len(o.IPRanges) > 0 ||
|
|
len(o.EmailAddresses) > 0 ||
|
|
len(o.URIDomains) > 0
|
|
}
|
|
|
|
// GetAllowedNameOptions returns x509 allowed name policy configuration
|
|
func (o *X509PolicyOptions) GetAllowedNameOptions() *X509NameOptions {
|
|
if o == nil {
|
|
return nil
|
|
}
|
|
return o.AllowedNames
|
|
}
|
|
|
|
// GetDeniedNameOptions returns the x509 denied name policy configuration
|
|
func (o *X509PolicyOptions) GetDeniedNameOptions() *X509NameOptions {
|
|
if o == nil {
|
|
return nil
|
|
}
|
|
return o.DeniedNames
|
|
}
|
|
|
|
// IsWildcardLiteralAllowed returns whether the authority allows
|
|
// literal wildcard domains and other names to be signed.
|
|
func (o *X509PolicyOptions) IsWildcardLiteralAllowed() bool {
|
|
if o == nil {
|
|
return true
|
|
}
|
|
return o.AllowWildcardLiteral
|
|
}
|
|
|
|
// SSHPolicyOptionsInterface is an interface for providers of
|
|
// SSH user and host name policy configuration.
|
|
type SSHPolicyOptionsInterface interface {
|
|
GetAllowedUserNameOptions() *SSHNameOptions
|
|
GetDeniedUserNameOptions() *SSHNameOptions
|
|
GetAllowedHostNameOptions() *SSHNameOptions
|
|
GetDeniedHostNameOptions() *SSHNameOptions
|
|
}
|
|
|
|
// SSHPolicyOptions is a container for SSH user and host policy
|
|
// configuration
|
|
type SSHPolicyOptions struct {
|
|
// User contains SSH user certificate options.
|
|
User *SSHUserCertificateOptions `json:"user,omitempty"`
|
|
// Host contains SSH host certificate options.
|
|
Host *SSHHostCertificateOptions `json:"host,omitempty"`
|
|
}
|
|
|
|
// GetAllowedUserNameOptions returns the SSH allowed user name policy
|
|
// configuration.
|
|
func (o *SSHPolicyOptions) GetAllowedUserNameOptions() *SSHNameOptions {
|
|
if o == nil || o.User == nil {
|
|
return nil
|
|
}
|
|
return o.User.AllowedNames
|
|
}
|
|
|
|
// GetDeniedUserNameOptions returns the SSH denied user name policy
|
|
// configuration.
|
|
func (o *SSHPolicyOptions) GetDeniedUserNameOptions() *SSHNameOptions {
|
|
if o == nil || o.User == nil {
|
|
return nil
|
|
}
|
|
return o.User.DeniedNames
|
|
}
|
|
|
|
// GetAllowedHostNameOptions returns the SSH allowed host name policy
|
|
// configuration.
|
|
func (o *SSHPolicyOptions) GetAllowedHostNameOptions() *SSHNameOptions {
|
|
if o == nil || o.Host == nil {
|
|
return nil
|
|
}
|
|
return o.Host.AllowedNames
|
|
}
|
|
|
|
// GetDeniedHostNameOptions returns the SSH denied host name policy
|
|
// configuration.
|
|
func (o *SSHPolicyOptions) GetDeniedHostNameOptions() *SSHNameOptions {
|
|
if o == nil || o.Host == nil {
|
|
return nil
|
|
}
|
|
return o.Host.DeniedNames
|
|
}
|
|
|
|
// SSHUserCertificateOptions is a collection of SSH user certificate options.
|
|
type SSHUserCertificateOptions struct {
|
|
// AllowedNames contains the names the provisioner is authorized to sign
|
|
AllowedNames *SSHNameOptions `json:"allow,omitempty"`
|
|
// DeniedNames contains the names the provisioner is not authorized to sign
|
|
DeniedNames *SSHNameOptions `json:"deny,omitempty"`
|
|
}
|
|
|
|
// SSHHostCertificateOptions is a collection of SSH host certificate options.
|
|
// It's an alias of SSHUserCertificateOptions, as the options are the same
|
|
// for both types of certificates.
|
|
type SSHHostCertificateOptions SSHUserCertificateOptions
|
|
|
|
// SSHNameOptions models the SSH name policy configuration.
|
|
type SSHNameOptions struct {
|
|
DNSDomains []string `json:"dns,omitempty"`
|
|
IPRanges []string `json:"ip,omitempty"`
|
|
EmailAddresses []string `json:"email,omitempty"`
|
|
Principals []string `json:"principal,omitempty"`
|
|
}
|
|
|
|
// GetAllowedNameOptions returns the AllowedSSHNameOptions, which models the
|
|
// names that a provisioner is authorized to sign SSH certificates for.
|
|
func (o *SSHUserCertificateOptions) GetAllowedNameOptions() *SSHNameOptions {
|
|
if o == nil {
|
|
return nil
|
|
}
|
|
return o.AllowedNames
|
|
}
|
|
|
|
// GetDeniedNameOptions returns the DeniedSSHNameOptions, which models the
|
|
// names that a provisioner is NOT authorized to sign SSH certificates for.
|
|
func (o *SSHUserCertificateOptions) GetDeniedNameOptions() *SSHNameOptions {
|
|
if o == nil {
|
|
return nil
|
|
}
|
|
return o.DeniedNames
|
|
}
|
|
|
|
// HasNames checks if the SSHNameOptions has one or more
|
|
// names configured.
|
|
func (o *SSHNameOptions) HasNames() bool {
|
|
return len(o.DNSDomains) > 0 ||
|
|
len(o.IPRanges) > 0 ||
|
|
len(o.EmailAddresses) > 0 ||
|
|
len(o.Principals) > 0
|
|
}
|