package ticket

import "v.io/v23/security/access"

// Control enumerates the control fields a TicketConfig can require from a
// requester (see TicketConfig.Controls). What each value demands of the
// caller is enforced by the ticket server and is not defined in this file.
type Control enum {
	PagerDutyId
	Rationale
	TicketId
}

// AwsCredentials describes a set of (potentially temporary) AWS credentials.
// SecretAccessKey and SessionToken are secret material, so a value of this
// type must be treated as sensitive as a whole (not logged or stored in the
// clear).
type AwsCredentials struct {
	Region          string
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string

	// Expiration indicates the date on which the credentials expire.
	Expiration string
}

// Builder.

// AwsAssumeRoleBuilder describes the information required to obtain a temporary
// set of AWS credentials (which can be described using AwsCredentials) using
// the AssumeRole call from Security Token Service (STS).
type AwsAssumeRoleBuilder struct {
	Region string
	// Role is the ARN of the role to assume; the issued credentials carry
	// that role's permissions, so it should be as narrowly scoped as possible.
	Role string
	// TTL in seconds for the generated AWS credentials.
	TtlSec int32
}

// AwsSessionBuilder describes the information required to obtain a temporary
// set of AWS credentials (described using AwsCredentials) using
// the GetSessionToken call from Security Token Service (STS).
type AwsSessionBuilder struct {
	// Long-lived credentials used to call GetSessionToken; these are the
	// secret input, not the output, of the builder.
	AwsCredentials AwsCredentials
	// TTL in seconds for the generated AWS credential from 900-129600.
	TtlSec int32
}

// TlsCertAuthorityBuilder describes a Certification Authority capable of
// generating a particular cert.
type TlsCertAuthorityBuilder struct {
	// PEM-encoded certificate and private key of the Certificate Authority.
	// This is the CA signing key: whoever holds it can issue certificates
	// that every peer trusting this CA will accept.
	Authority string

	// TTL in seconds for the generated cert.
	TtlSec int32

	// Common Name of the generated cert.
	CommonName string

	// Subject Alternative Name list.
	// Note: x509 spec says if SAN is set, CN is usually ignored.
	// Include CN in SAN list if you want the CN to be verified.
	San []string
}

// SshCertAuthorityBuilder describes an SSH Certificate Authority and the
// parameters of the certificate it should sign for a given public key.
type SshCertAuthorityBuilder struct {
	// ssh-encoded private key of the Certificate Authority. This is the CA
	// signing key and must be handled as a secret.
	CaPrivateKey string

	// ssh-encoded Certificate
	CaCertificate string

	// ssh-encoded Public key that will be signed to create the certificate.
	PublicKey string

	// Additional SSH Cert options like
	//   permit-X11-forwarding
	//   permit-agent-forwarding
	//   permit-port-forwarding
	//   permit-pty
	//   permit-user-rc
	// Each entry grants the certificate holder an extra capability, so only
	// the ones the use case needs should be listed.
	ExtensionsOptions []string

	// Additional SSH options that the accepting server must recognise for the
	// certificate to be valid (critical options).
	CriticalOptions []string

	// The Usernames that this key can connect as - defaults as
	//   ubuntu
	//   core
	//   ec2-user
	Principals []string

	// TTL in minutes for the generated cert - user cert < 60 ; host cert < 2628000 (5 years)
	TtlMin int32
}

// B2AccountAuthorizationBuilder describes the information required to
// obtain a B2 account authorization. ApplicationKey is a secret.
type B2AccountAuthorizationBuilder struct {
	AccountId      string
	ApplicationKey string
}

// VanadiumBuilder describes the information required to build Vanadium
// blessings.
type VanadiumBuilder struct {
	BlessingName string
}

// Tickets.

// AwsTicket is a ticket that contains a set of (potentially temporary)
// AWS credentials. The optional (?) builder fields describe how the
// credentials are minted; AwsCredentials holds the result.
type AwsTicket struct {
	AwsAssumeRoleBuilder ?AwsAssumeRoleBuilder
	AwsSessionBuilder    ?AwsSessionBuilder

	AwsCredentials AwsCredentials
}

// S3Ticket describes an AWS S3 object or prefix, together with the
// credentials used to reach it.
type S3Ticket struct {
	AwsAssumeRoleBuilder ?AwsAssumeRoleBuilder
	AwsSessionBuilder    ?AwsSessionBuilder

	AwsCredentials AwsCredentials
	Endpoint       string
	Bucket         string
	Prefix         string
}

// EcrTicket describes an AWS EC2 Container Registry.
type EcrTicket struct {
	AwsAssumeRoleBuilder ?AwsAssumeRoleBuilder

	// The base64-encoded authorization token which can be presented directly to
	// the Docker registry. It is a bearer credential and should be treated as
	// a secret until Expiration.
	// Reference: https://docs.docker.com/registry/spec/auth/token/
	AuthorizationToken string

	// Expiration indicates the date on which the authorization token expires.
	Expiration string

	// The registry URL ("https://${ACCOUNTID}.dkr.ecr.region.amazonaws.com").
	Endpoint string
}

// SshCert describes an SSH public certificate.
type SshCert struct {
	// ssh-encoded certificate (host or user).
	Cert string
}

// TlsCredentials describes a generic set of TLS credentials that include:
// the CA accepted by the client (only peers that present a certificate
// signed by this CA are accepted), the client certificate and the client
// private key.
type TlsCredentials struct {
	// PEM-encoded public certificate of the Certificate Authority.
	AuthorityCert string

	// PEM-encoded client certificate.
	Cert string

	// PEM-encoded client private key. Secret material.
	Key string
}

// TlsServerTicket describes a TLS server.
type TlsServerTicket struct {
	TlsCertAuthorityBuilder ?TlsCertAuthorityBuilder

	Credentials TlsCredentials
}

// TlsClientTicket describes a TLS client.
type TlsClientTicket struct {
	TlsCertAuthorityBuilder ?TlsCertAuthorityBuilder

	Credentials TlsCredentials

	// Endpoints indicate the servers the client can connect to.
	Endpoints []string
}

// DockerTicket instance represents a Docker repository and the TLS
// certificate material required to verify and authenticate to it.
// TODO(razvanm): Remove DockerTicket and replace with DockerServerTicket
// and DockerClientTicket
type DockerTicket struct {
	TlsCertAuthorityBuilder ?TlsCertAuthorityBuilder

	Credentials TlsCredentials
	Url         string
}

// DockerServerTicket instance represents a Docker Server and the TLS
// certificate material required for clients to verify and authenticate it.
type DockerServerTicket struct {
	TlsCertAuthorityBuilder ?TlsCertAuthorityBuilder

	Credentials TlsCredentials
}

// DockerClientTicket instance represents the TLS certificate material required
// for clients to authenticate against a specific DockerServer.
type DockerClientTicket struct {
	TlsCertAuthorityBuilder ?TlsCertAuthorityBuilder

	Credentials TlsCredentials

	// Url indicates the Docker host the client can connect to.
	Url string
}

// SshCertificateTicket describes an SSH Signed Certificate.
// SSH Certificates are essentially a version of TLS certs but they have additional
// optional parameters and can take a public key as part of their signing request.
type SshCertificateTicket struct {
	SshCertAuthorityBuilder    ?SshCertAuthorityBuilder
	AwsComputeInstancesBuilder ?AwsComputeInstancesBuilder

	// Instances the certificate holder is expected to reach; presumably the
	// result of the AwsComputeInstancesBuilder lookup.
	ComputeInstances []ComputeInstance
	Credentials      SshCert
	// Recommended username to use
	Username string
}

// AwsComputeInstancesBuilder describes how to look up EC2 instances so they
// can be reported alongside an SSH certificate.
type AwsComputeInstancesBuilder struct {
	// Instance Filters that will produce a list of instance IDs and related information
	// https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
	InstanceFilters []Parameter

	// AWS ARN for a role that should be used to perform the instance lookups
	AwsAccountLookupRole string

	// AWS region to use for the lookup
	Region string
}

// Simplification of describeInstance data to provide to ticket-server users
type ComputeInstance struct {
	PublicIp   string
	PrivateIp  string
	InstanceId string
	Tags       []Parameter
}

// B2Ticket instance contains a B2 account level authorization
// token plus URLs and configuration values for the account.
// AuthorizationToken is a bearer credential and must be kept secret.
type B2Ticket struct {
	B2AccountAuthorizationBuilder ?B2AccountAuthorizationBuilder

	AccountId               string
	AuthorizationToken      string
	ApiUrl                  string
	DownloadUrl             string
	RecommendedPartSize     int64
	AbsoluteMinimumPartSize int64
}

// VanadiumTicket describes a set of Vanadium blessings. This allows
// obtaining completely new blessings (role blessings) by the owners
// of certain blessings.
type VanadiumTicket struct {
	VanadiumBuilder ?VanadiumBuilder

	// v.io/v23/security.WireBlessings in VOM + Base64 format.
	Blessing string
}

// GenericTicket describes a generic unstructured piece of data. This
// can be used to store arbitrary secrets for example, so Data is
// sensitive by default.
type GenericTicket struct {
	Data []byte
}

// Ticket is a union of all our tickets.
type Ticket union {
	AwsTicket            AwsTicket
	S3Ticket             S3Ticket
	SshCertificateTicket SshCertificateTicket
	EcrTicket            EcrTicket
	TlsServerTicket      TlsServerTicket
	TlsClientTicket      TlsClientTicket
	DockerTicket         DockerTicket
	DockerServerTicket   DockerServerTicket
	DockerClientTicket   DockerClientTicket
	B2Ticket             B2Ticket
	VanadiumTicket       VanadiumTicket
	GenericTicket        GenericTicket
}

// TicketConfig describes a ticket and its associated permissions.
type TicketConfig struct {
	Ticket Ticket
	// Permissions gate who may obtain this ticket.
	Permissions access.Permissions
	// Controls marks which Control values a requester must supply;
	// a true entry presumably makes that control mandatory — verify
	// against the ticket server.
	Controls map[Control]bool
}

// Config holds the named TicketConfigs served by a ticket server together
// with a top-level access.Permissions.
type Config struct {
	Tickets     map[string]TicketConfig
	Permissions access.Permissions
}

// Key/Value pair that can be passed into the GET request.
type Parameter struct {
	Key   string
	Value string
}

// TicketService provides a way to obtain a ticket. The access can be
// restricted by setting the permissions appropriately.
//
// The tag after each method is the access.Tag a caller must hold: reading
// permissions and obtaining tickets require access.Read, while changing the
// permissions requires access.Admin.
type TicketService interface {
	GetPermissions() (perms access.Permissions, version string | error) {access.Read}
	SetPermissions(perms access.Permissions, version string) error {access.Admin}
	Get() (Ticket | error) {access.Read}
	// GetWithParameters and GetWithArgs take caller-supplied input; an
	// implementation should validate it before using it (for instance as
	// an instance lookup filter) rather than passing it through untouched.
	GetWithParameters(parameters []Parameter) (Ticket | error) {access.Read}
	GetWithArgs(args map[string]string) (Ticket | error) {access.Read}
}

// ListService enumerates the available ticket names; it is readable by
// anyone holding access.Read.
type ListService interface {
	List() ([]string | error) {access.Read}
}