open-consul/agent/structs/connect_ca.go

package structs

import (
	"math/big"
	"time"
)

// IndexedCARoots is the list of currently trusted CA Roots.
type IndexedCARoots struct {
	// ActiveRootID is the ID of a root in Roots that is the active CA root.
	// Other roots are still valid if they're in the Roots list but are in
	// the process of being rotated out.
	ActiveRootID string

	// Roots is a list of root CA certs to trust.
	Roots []*CARoot

	// QueryMeta contains the meta sent via a header. We ignore for JSON
	// so this whole structure can be returned.
	QueryMeta `json:"-"`
}

// CARoot represents a root CA certificate that is trusted.
type CARoot struct {
	// ID is a globally unique ID (UUID) representing this CA root.
	ID string

	// Name is a human-friendly name for this CA root. This value is
	// opaque to Consul and is not used for anything internally.
	Name string

	// RootCert is the PEM-encoded public certificate.
	RootCert string

	// SigningCert is the PEM-encoded signing certificate and SigningKey
	// is the PEM-encoded private key for the signing certificate. These
	// may actually be empty if the CA plugin in use manages these for us.
	SigningCert string `json:",omitempty"`
	SigningKey  string `json:",omitempty"`

	// Active is true if this is the current active CA. This must only
	// be true for exactly one CA. For any method that modifies roots in the
	// state store, tests should be written to verify that multiple roots
	// cannot be active.
	Active bool

	RaftIndex
}

// CARoots is a list of CARoot structures.
type CARoots []*CARoot

// CASignRequest is the request for signing a service certificate.
type CASignRequest struct {
	// Datacenter is the target for this request.
	Datacenter string

	// CSR is the PEM-encoded CSR.
	CSR string

	// WriteRequest is a common struct containing ACL tokens and other
	// write-related common elements for requests.
	WriteRequest
}

// RequestDatacenter returns the datacenter for a given request.
func (q *CASignRequest) RequestDatacenter() string {
	return q.Datacenter
}

// IssuedCert is a certificate that has been issued by a Connect CA.
type IssuedCert struct {
	// SerialNumber is the unique serial number for this certificate.
	SerialNumber *big.Int

	// CertPEM and PrivateKeyPEM are the PEM-encoded certificate and private
	// key for that cert, respectively. This should not be stored in the
	// state store, but is present in the sign API response.
	CertPEM       string `json:",omitempty"`
	PrivateKeyPEM string `json:",omitempty"`

	// Service is the name of the service for which the cert was issued.
	// ServiceURI is the cert URI value.
	Service    string
	ServiceURI string

	// ValidAfter and ValidBefore are the validity periods for the
	// certificate.
	ValidAfter  time.Time
	ValidBefore time.Time

	RaftIndex
}

// CAOp is the operation for a request related to intentions.
type CAOp string

const (
	CAOpSet CAOp = "set"
)

// CARequest is used to modify connect CA data. This is used by the
// FSM (agent/consul/fsm) to apply changes.
type CARequest struct {
	// Op is the type of operation being requested. This determines what
	// other fields are required.
	Op CAOp

	// Index is used by CAOpSet for a CAS operation.
	Index uint64

	// Roots is a list of roots. This is used for CAOpSet. One root must
	// always be active.
	Roots []*CARoot
}

// CAConfiguration is the configuration for the current CA plugin.
type CAConfiguration struct {
	// Provider is the CA provider implementation to use.
	Provider string

	// Configuration is arbitrary configuration for the provider. This
	// should only contain primitive values and containers (such as lists
	// and maps).
	Config map[string]interface{}
}
agent/consul/state: CARoot structs and initial state store 2018-03-17 04:20:54 +00:00			`package structs`

agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`import (`
			`"math/big"`
agent: /v1/connect/ca/leaf/:service_id 2018-03-21 17:55:39 +00:00			`"time"`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`)`

agent/consul/state: CARoot structs and initial state store 2018-03-17 04:20:54 +00:00			`// IndexedCARoots is the list of currently trusted CA Roots.`
			`type IndexedCARoots struct {`
			`// ActiveRootID is the ID of a root in Roots that is the active CA root.`
			`// Other roots are still valid if they're in the Roots list but are in`
			`// the process of being rotated out.`
			`ActiveRootID string`

			`// Roots is a list of root CA certs to trust.`
			`Roots []*CARoot`

agent/structs: json omit QueryMeta 2018-03-19 05:07:52 +00:00			`// QueryMeta contains the meta sent via a header. We ignore for JSON`
			`// so this whole structure can be returned.`
			QueryMeta `json:"-"`
agent/consul/state: CARoot structs and initial state store 2018-03-17 04:20:54 +00:00			`}`

			`// CARoot represents a root CA certificate that is trusted.`
			`type CARoot struct {`
			`// ID is a globally unique ID (UUID) representing this CA root.`
			`ID string`

			`// Name is a human-friendly name for this CA root. This value is`
			`// opaque to Consul and is not used for anything internally.`
			`Name string`

			`// RootCert is the PEM-encoded public certificate.`
			`RootCert string`

			`// SigningCert is the PEM-encoded signing certificate and SigningKey`
agent/consul: basic sign endpoint not tested yet 2018-03-19 21:36:17 +00:00			`// is the PEM-encoded private key for the signing certificate. These`
			`// may actually be empty if the CA plugin in use manages these for us.`
agent/structs: hide some fields from JSON 2018-03-21 19:55:43 +00:00			SigningCert string `json:",omitempty"`
			SigningKey string `json:",omitempty"`
agent/consul/state: CARoot structs and initial state store 2018-03-17 04:20:54 +00:00
agent/consul: test for ConnectCA.Sign 2018-03-20 03:29:14 +00:00			`// Active is true if this is the current active CA. This must only`
			`// be true for exactly one CA. For any method that modifies roots in the`
			`// state store, tests should be written to verify that multiple roots`
			`// cannot be active.`
			`Active bool`

agent/consul/state: CARoot structs and initial state store 2018-03-17 04:20:54 +00:00			`RaftIndex`
			`}`

			`// CARoots is a list of CARoot structures.`
			`type CARoots []*CARoot`
agent/consul: basic sign endpoint not tested yet 2018-03-19 21:36:17 +00:00
			`// CASignRequest is the request for signing a service certificate.`
			`type CASignRequest struct {`
			`// Datacenter is the target for this request.`
			`Datacenter string`

			`// CSR is the PEM-encoded CSR.`
			`CSR string`

			`// WriteRequest is a common struct containing ACL tokens and other`
			`// write-related common elements for requests.`
			`WriteRequest`
			`}`

			`// RequestDatacenter returns the datacenter for a given request.`
			`func (q *CASignRequest) RequestDatacenter() string {`
			`return q.Datacenter`
			`}`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00
			`// IssuedCert is a certificate that has been issued by a Connect CA.`
			`type IssuedCert struct {`
			`// SerialNumber is the unique serial number for this certificate.`
			`SerialNumber *big.Int`

agent: /v1/connect/ca/leaf/:service_id 2018-03-21 17:55:39 +00:00			`// CertPEM and PrivateKeyPEM are the PEM-encoded certificate and private`
			`// key for that cert, respectively. This should not be stored in the`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`// state store, but is present in the sign API response.`
agent: /v1/connect/ca/leaf/:service_id 2018-03-21 17:55:39 +00:00			CertPEM string `json:",omitempty"`
agent/structs: hide some fields from JSON 2018-03-21 19:55:43 +00:00			PrivateKeyPEM string `json:",omitempty"`
agent: /v1/connect/ca/leaf/:service_id 2018-03-21 17:55:39 +00:00
			`// Service is the name of the service for which the cert was issued.`
			`// ServiceURI is the cert URI value.`
			`Service string`
			`ServiceURI string`

			`// ValidAfter and ValidBefore are the validity periods for the`
			`// certificate.`
			`ValidAfter time.Time`
			`ValidBefore time.Time`

			`RaftIndex`
agent/consul: key the public key of the CSR, verify in test 2018-03-20 04:00:01 +00:00			`}`
agent/consul: CAS operations for setting the CA root 2018-03-21 17:10:53 +00:00
			`// CAOp is the operation for a request related to intentions.`
			`type CAOp string`

			`const (`
			`CAOpSet CAOp = "set"`
			`)`

			`// CARequest is used to modify connect CA data. This is used by the`
			`// FSM (agent/consul/fsm) to apply changes.`
			`type CARequest struct {`
			`// Op is the type of operation being requested. This determines what`
			`// other fields are required.`
			`Op CAOp`

			`// Index is used by CAOpSet for a CAS operation.`
			`Index uint64`

			`// Roots is a list of roots. This is used for CAOpSet. One root must`
			`// always be active.`
			`Roots []*CARoot`
			`}`
agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00
			`// CAConfiguration is the configuration for the current CA plugin.`
			`type CAConfiguration struct {`
			`// Provider is the CA provider implementation to use.`
			`Provider string`

			`// Configuration is arbitrary configuration for the provider. This`
			`// should only contain primitive values and containers (such as lists`
			`// and maps).`
			`Config map[string]interface{}`
			`}`