spiffetls

package

v2.2.0 Latest Latest Go to latest Published: Feb 28, 2023 License: Apache-2.0 Imports: 11 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/accuknox/go-spiffe

Links

Open Source Insights

Documentation ¶

Rendered for

Index ¶

func Dial(ctx context.Context, network, addr string, authorizer tlsconfig.Authorizer, ...) (net.Conn, error)
func DialWithMode(ctx context.Context, network, addr string, mode DialMode, ...) (_ net.Conn, err error)
func Listen(ctx context.Context, network, laddr string, authorizer tlsconfig.Authorizer, ...) (net.Listener, error)
func ListenWithMode(ctx context.Context, network, laddr string, mode ListenMode, ...) (net.Listener, error)
func NewListener(ctx context.Context, inner net.Listener, authorizer tlsconfig.Authorizer, ...) (net.Listener, error)
func NewListenerWithMode(ctx context.Context, inner net.Listener, mode ListenMode, ...) (_ net.Listener, err error)
func PeerIDFromConn(conn net.Conn) (spiffeid.ID, error)
type DialMode
type DialOption
type ListenMode
type ListenOption
- func WithListenTLSConfigBase(base *tls.Config) ListenOption
- func WithListenTLSOptions(opts ...tlsconfig.Option) ListenOption
type PeerIDGetter

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func Dial ¶

func Dial(ctx context.Context, network, addr string, authorizer tlsconfig.Authorizer, options ...DialOption) (net.Conn, error)

Dial creates an mTLS connection using an X509-SVID obtained from the Workload API. The server is authenticated using X.509 bundles also obtained from the Workload API. The server is authorized using the given authorizer.

This is the same as DialWithMode using the MTLSClient mode.

func DialWithMode ¶

func DialWithMode(ctx context.Context, network, addr string, mode DialMode, options ...DialOption) (_ net.Conn, err error)

DialWithMode creates a TLS connection using the specified mode.

func Listen ¶

func Listen(ctx context.Context, network, laddr string, authorizer tlsconfig.Authorizer, options ...ListenOption) (net.Listener, error)

Listen creates an mTLS listener accepting connections on the given network address using net.Listen. The server X509-SVID is obtained via the Workload API along with X.509 bundles used to verify client X509-SVIDs. The client is authorized using the given authorizer.

This function is the same as ListenWithMode using the MTLSServer mode.

func ListenWithMode ¶

func ListenWithMode(ctx context.Context, network, laddr string, mode ListenMode, options ...ListenOption) (net.Listener, error)

ListenWithMode creates a TLS listener accepting connections on the given network address using net.Listen. The given mode controls the authentication and authorization exercised during the TLS handshake.

func NewListener ¶

func NewListener(ctx context.Context, inner net.Listener, authorizer tlsconfig.Authorizer, options ...ListenOption) (net.Listener, error)

NewListener creates an mTLS listener which accepts connections from an inner Listener and wraps each connection with tls.Server. The server X509-SVID is obtained via the Workload API along with X.509 bundles used to verify client X509-SVIDs. The client is authorized using the given authorizer.

This function is the same as NewListenerWithMode using the MTLSServer mode.

func NewListenerWithMode ¶

func NewListenerWithMode(ctx context.Context, inner net.Listener, mode ListenMode, options ...ListenOption) (_ net.Listener, err error)

NewListenerWithMode creates a TLS listener which accepts connections from an inner Listener and wraps each connection with tls.Server. The given mode controls the authentication and authorization exercised during the TLS handshake.

func PeerIDFromConn ¶

func PeerIDFromConn(conn net.Conn) (spiffeid.ID, error)

PeerIDFromConn returns the peer ID from a server or client peer connection. The handshake must have been completed. Note that in Go's TLS stack, the TLS 1.3 handshake may not complete until the first read from the connection.

Types ¶

type DialMode ¶

type DialMode interface {
	// contains filtered or unexported methods
}

DialMode is a SPIFFE TLS dialing mode.

func MTLSClient ¶

func MTLSClient(authorizer tlsconfig.Authorizer) DialMode

MTLSClient configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via the Workload API. The authorizer is used to authorize the server X509-SVID.

func MTLSClientWithRawConfig ¶

func MTLSClientWithRawConfig(authorizer tlsconfig.Authorizer, svid x509svid.Source, bundle x509bundle.Source) DialMode

MTLSClientWithRawConfig configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via the provided X509-SVID and X.509 bundle sources. The sources must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.

func MTLSClientWithSource ¶

func MTLSClientWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) DialMode

MTLSClientWithSource configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.

func MTLSClientWithSourceOptions ¶

func MTLSClientWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) DialMode

MTLSClientWithSourceOptions configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID and the X.509 bundles used to authenticate the server X509-SVID are obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize the server X509-SVID.

func MTLSWebClient ¶

func MTLSWebClient(roots *x509.CertPool) DialMode

MTLSWebClient configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via the Workload API. The roots (or the system roots if nil) are used to authenticate the server certificate.

func MTLSWebClientWithRawConfig ¶

func MTLSWebClientWithRawConfig(roots *x509.CertPool, svid x509svid.Source) DialMode

MTLSWebClientWithRawConfig configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via the provided X509-SVID source. The source must remain valid for the lifetime of the connection. The roots (or the system roots if nil) are used to authenticate the server certificate.

func MTLSWebClientWithSource ¶

func MTLSWebClientWithSource(roots *x509.CertPool, source *workloadapi.X509Source) DialMode

MTLSWebClientWithSource configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the connection. The roots (or the system roots if nil) are used to authenticate the server certificate.

func MTLSWebClientWithSourceOptions ¶

func MTLSWebClientWithSourceOptions(roots *x509.CertPool, options ...workloadapi.X509SourceOption) DialMode

MTLSWebClientWithSourceOptions configures the dialing for mutually authenticated TLS (mTLS). The client X509-SVID is obtained via a new Workload API X.509 source created with the provided source options. The roots (or the system roots if nil) are used to authenticate the server certificate.

func TLSClient ¶

func TLSClient(authorizer tlsconfig.Authorizer) DialMode

TLSClient configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via the Workload API. The authorizer is used to authorize the server X509-SVID.

func TLSClientWithRawConfig ¶

func TLSClientWithRawConfig(authorizer tlsconfig.Authorizer, bundle x509bundle.Source) DialMode

TLSClientWithRawConfig configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via the provided X.509 bundle source. The source must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.

func TLSClientWithSource ¶

func TLSClientWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) DialMode

TLSClientWithSource configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the connection. The authorizer is used to authorize the server X509-SVID.

func TLSClientWithSourceOptions ¶

func TLSClientWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) DialMode

TLSClientWithSourceOptions configures the dialing for TLS. The server X509-SVID is authenticated using X.509 bundles obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize the server X509-SVID.

type DialOption ¶

type DialOption interface {
	// contains filtered or unexported methods
}

DialOption is an option for dialing. Option's are also DialOption's.

func WithDialTLSConfigBase ¶

func WithDialTLSConfigBase(base *tls.Config) DialOption

WithDialTLSConfigBase provides a base TLS configuration to use. Fields related to certificates and verification will be overwritten by this package as necessary to facilitate SPIFFE authentication.

func WithDialTLSOptions ¶

func WithDialTLSOptions(opts ...tlsconfig.Option) DialOption

WithDialTLSOptions provides options to use for the TLS config.

func WithDialer ¶

func WithDialer(dialer *net.Dialer) DialOption

WithDialer provides a net dialer to use. If unset, the standard net dialer will be used.

type ListenMode ¶

type ListenMode interface {
	// contains filtered or unexported methods
}

ListenMode is a SPIFFE TLS listening mode.

func MTLSServer ¶

func MTLSServer(authorizer tlsconfig.Authorizer) ListenMode

MTLSServer configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via the Workload API. The authorizer is used to authorize client X509-SVIDs.

func MTLSServerWithRawConfig ¶

func MTLSServerWithRawConfig(authorizer tlsconfig.Authorizer, svid x509svid.Source, bundle x509bundle.Source) ListenMode

MTLSServerWithRawConfig configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via the provided X509-SVID and X.509 bundle sources. The sources must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.

func MTLSServerWithSource ¶

func MTLSServerWithSource(authorizer tlsconfig.Authorizer, source *workloadapi.X509Source) ListenMode

MTLSServerWithSource configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.

func MTLSServerWithSourceOptions ¶

func MTLSServerWithSourceOptions(authorizer tlsconfig.Authorizer, options ...workloadapi.X509SourceOption) ListenMode

MTLSServerWithSourceOptions configures the listener for mutually authenticated TLS (mTLS). The listener presents an X509-SVID and authenticates client X509-SVIDs using X.509 bundles, both obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize client X509-SVIDs.

func MTLSWebServer ¶

func MTLSWebServer(authorizer tlsconfig.Authorizer, cert *tls.Certificate) ListenMode

MTLSWebServer configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles obtained via the Workload API. The authorizer is used to authorize client X509-SVIDs.

func MTLSWebServerWithRawConfig ¶

func MTLSWebServerWithRawConfig(authorizer tlsconfig.Authorizer, cert *tls.Certificate, bundle x509bundle.Source) ListenMode

MTLSWebServerWithRawConfig configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles, both obtained via the provided X.509 bundle source. The source must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.

func MTLSWebServerWithSource ¶

func MTLSWebServerWithSource(authorizer tlsconfig.Authorizer, cert *tls.Certificate, source *workloadapi.X509Source) ListenMode

MTLSWebServerWithSource configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the listener. The authorizer is used to authorize client X509-SVIDs.

func MTLSWebServerWithSourceOptions ¶

func MTLSWebServerWithSourceOptions(authorizer tlsconfig.Authorizer, cert *tls.Certificate, options ...workloadapi.X509SourceOption) ListenMode

MTLSWebServerWithSourceOptions configures the listener for mutually authenticated TLS (mTLS). The listener presents an X.509 certificate and authenticates client X509-SVIDs using X.509 bundles, both obtained via a new Workload API X.509 source created with the provided source options. The authorizer is used to authorize client X509-SVIDs.

func TLSServer ¶

func TLSServer() ListenMode

TLSServer configures the listener for TLS. The listener presents an X509-SVID obtained via the Workload API.

func TLSServerWithRawConfig ¶

func TLSServerWithRawConfig(svid x509svid.Source) ListenMode

TLSServerWithRawConfig configures the listener for TLS. The listener presents an X509-SVID obtained via the provided X509-SVID source. The source must remain valid for the lifetime of the listener.

func TLSServerWithSource ¶

func TLSServerWithSource(source *workloadapi.X509Source) ListenMode

TLSServerWithSource configures the listener for TLS. The listener presents an X509-SVID obtained via the provided Workload API X.509 source. The source must remain valid for the lifetime of the listener.

func TLSServerWithSourceOptions ¶

func TLSServerWithSourceOptions(options ...workloadapi.X509SourceOption) ListenMode

TLSServerWithSourceOptions configures the listener for TLS. The listener presents an X509-SVID obtained via a new Workload API X.509 source created with the provided source options.

type ListenOption ¶

type ListenOption interface {
	// contains filtered or unexported methods
}

ListenOption is an option for listening. Option's are also ListenOption's.

func WithListenTLSConfigBase ¶

func WithListenTLSConfigBase(base *tls.Config) ListenOption

WithListenTLSConfigBase provides a base TLS configuration to use. Fields related to certificates and verification will be overwritten by this package as necessary to facilitate SPIFFE authentication.

func WithListenTLSOptions ¶

func WithListenTLSOptions(opts ...tlsconfig.Option) ListenOption

WithListenTLSOptions provides options to use when doing Server mTLS.

type PeerIDGetter ¶

type PeerIDGetter interface {
	PeerID() (spiffeid.ID, error)
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
tlsconfig

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL