Published: Jun 16, 2026 License: MPL-2.0 Imports: 13 Imported by: 2


Bastion-go


A Go library for interacting with The Bastion over SSH. The examples and helpers below manage accounts, groups and accesses; several of them change authentication policy, so the credentials used here should belong to a suitably restricted bastion account.

Installation

go get github.com/adfinis/bastion-go

Example

package main

import (
	"log"
	"os"

	"github.com/adfinis/bastion-go"
)

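// main connects to The Bastion with a passphrase-protected private key file
// and lists the server accesses of group "mygroup1".
func main() {
	cfg := bastion.Config{
		Host:     "bastion.mycompany.org",
		Port:     22,
		Username: "clarkkent",
		// StrictHostKeyChecking is a plain bool, so leaving it out selects
		// false. Set it explicitly so the bastion's host key is verified;
		// confirm against the library how it is checked (known_hosts?) and
		// what false really does — it reads like verification is skipped.
		StrictHostKeyChecking: true,
	}

	// The passphrase comes from the environment rather than the source; an
	// unset BASTION_PRIVATE_KEY_PASSPHRASE is passed through as "".
	client, err := bastion.New(&cfg, bastion.WithPrivateKeyFileAuthWithPassphrase(
		"/path/to/private/key",
		os.Getenv("BASTION_PRIVATE_KEY_PASSPHRASE"),
	))
	if err != nil {
		log.Fatalln(err)
	}

	groupServers, err := client.GroupListServers("mygroup1")
	if err != nil {
		log.Fatalln(err)
	}
	_ = groupServers
}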

Documentation


Constants

This section is empty.

Variables

// Sentinel errors for incomplete input. Judging by their names they are
// returned by New when the Config or the auth method list is incomplete,
// and by the access-management calls when a ProxyOptions is partially
// filled; compare with errors.Is rather than by string.
var (
	// ErrNoAuthMethodsProvided: New was called with no SSHAuthMethod.
	ErrNoAuthMethodsProvided = errors.New("no authentication method provided")
	// ErrMissingConfig: a nil Config was passed.
	ErrMissingConfig         = errors.New("missing configuration")
	// ErrHostRequired: Config.Host is empty.
	ErrHostRequired          = errors.New("host is required")
	// ErrInvalidPort: Config.Port is out of range (exact bounds not shown here).
	ErrInvalidPort           = errors.New("invalid port")
	// ErrUsernameRequired: Config.Username is empty.
	ErrUsernameRequired      = errors.New("username is required")
	// ErrProxyMissing*: a ProxyOptions was given with one of its three
	// fields empty; all of ProxyHost, ProxyPort and ProxyUser are needed.
	ErrProxyMissingHost      = errors.New("proxy host is required")
	ErrProxyMissingPort      = errors.New("proxy port is required")
	ErrProxyMissingUser      = errors.New("proxy user is required")
)

Functions

This section is empty.

Types

type ACL

// ACL is one access entry as returned by The Bastion's JSON API. It is the
// underlying type of both GroupServer and GroupGuestAccess. Pointer fields
// decode JSON null as nil, i.e. they are optional in the response.
type ACL struct {
	IP            string  `json:"ip"`
	Port          *Port   `json:"port"`
	User          *string `json:"user"`
	// Proxy* describe an intermediate host the access hops through;
	// presumably only set for accesses created with ProxyOptions.
	ProxyIP       *string `json:"proxyIp"`
	ProxyPort     *Port   `json:"proxyPort"`
	ProxyUser     *string `json:"proxyUser"`
	Comment       *string `json:"comment"`
	UserComment   *string `json:"userComment"`
	// ForcePassword / ForceKey mirror GroupAddServerOptions.ForcePassword
	// and ForceKey. The page does not say whether they carry a secret or a
	// reference to one, so keep this struct out of logs.
	ForcePassword *string `json:"forcePassword"`
	ForceKey      *string `json:"forceKey"`
	Protocol      *string `json:"protocol"`
	ReverseDNS    *string `json:"reverseDns"`
	AddedBy       string  `json:"addedBy"`
	AddedDate     string  `json:"addedDate"`
	// Expiry: unit (seconds from now? epoch?) is not documented here — confirm.
	Expiry        *int    `json:"expiry"`
	// RemotePort / LocalPort: port-forwarding endpoints; see the remotePort
	// parameter of GroupDelServer / GroupDelGuestAccess.
	RemotePort    *Port   `json:"remotePort"`
	LocalPort     *Port   `json:"localPort"`
}

type APIResponse

// APIResponse is the envelope every Bastion command answers with: the
// command name, an error code and message, and the command-specific payload.
// Value is left as any and must be decoded into the concrete type by the
// caller. The type implements error (see Error), so a failing response can
// be returned to the caller as-is.
type APIResponse struct {
	Command      string `json:"command"`
	ErrorCode    string `json:"error_code"`
	ErrorMessage string `json:"error_message"`
	Value        any    `json:"value"`
}

APIResponse represents the standard API response from The Bastion.

func (*APIResponse) Error

func (e *APIResponse) Error() string

Error implements the error interface for APIResponse.

type Account

// Account is the JSON view of a Bastion account as returned by AccountInfo.
// Flags arrive as 0/1 integers and are decoded through BoolFromInt.
// Several fields (MFA*Bypass, PamAuthBypass, IsAdmin, IsSuperOwner) describe
// relaxed authentication or elevated privilege; they are worth auditing.
type Account struct {
	Account                   string              `json:"account"`
	// MFA*Bypass set means the corresponding MFA factor is skipped for this
	// account even where policy would require it.
	MFATOTPBypass             BoolFromInt         `json:"mfa_totp_bypass"`
	MFATOTPRequired           BoolFromInt         `json:"mfa_totp_required"`
	MFATOTPConfigured         BoolFromInt         `json:"mfa_totp_configured"`
	MFAPasswordBypass         BoolFromInt         `json:"mfa_password_bypass"`
	MFAPasswordRequired       BoolFromInt         `json:"mfa_password_required"`
	MFAPasswordConfigured     BoolFromInt         `json:"mfa_password_configured"`
	GlobalIngressPolicy       BoolFromInt         `json:"global_ingress_policy"`
	IsExpired                 BoolFromInt         `json:"is_expired"`
	PersonalEgressMFARequired MFARequiredPolicy   `json:"personal_egress_mfa_required"`
	CreationInformation       CreationInformation `json:"creation_information"`
	// AllowedCommands: restricted commands granted via AccountGrantCommand.
	AllowedCommands           []string            `json:"allowed_commands"`
	IngressPIVPolicy          PIVPolicy           `json:"ingress_piv_policy"`
	IngressPIVEnforced        BoolFromInt         `json:"ingress_piv_enforced"`
	IngressPIVGrace           IngressPIVGrace     `json:"ingress_piv_grace"`
	CanConnect                BoolFromInt         `json:"can_connect"`
	AlreadySeenBefore         BoolFromInt         `json:"already_seen_before"`
	IsActive                  BoolFromInt         `json:"is_active"`
	AlwaysActive              BoolFromInt         `json:"always_active"`
	// MaxInactiveDays is a string here but uint in CreateAccountOptions and
	// *int in ModifyAccountOptions; convert explicitly when comparing.
	MaxInactiveDays           string              `json:"max_inactive_days"`
	IsFrozen                  BoolFromInt         `json:"is_frozen"`
	OshOnly                   BoolFromInt         `json:"osh_only"`
	IsAdmin                   BoolFromInt         `json:"is_admin"`
	IsSuperOwner              BoolFromInt         `json:"is_super_owner"`
	IsAuditor                 BoolFromInt         `json:"is_auditor"`
	IsTTLSet                  BoolFromInt         `json:"is_ttl_set"`
	IsTTLExpired              BoolFromInt         `json:"is_ttl_expired"`
	// NOTE(review): the Go name has an extra "T" (TTTL vs TTL). It is
	// exported, so renaming it would break callers; the JSON tag is correct.
	TTTLTimestamp             int                 `json:"ttl_timestamp"`
	IdleIgnore                BoolFromInt         `json:"idle_ignore"`
	// PamAuthBypass set means PAM authentication is skipped for this account.
	PamAuthBypass             BoolFromInt         `json:"pam_auth_bypass"`
}

Account represents a Bastion account.

type AccountAccess

// AccountAccess is one entry of AccountListAccesses / SelfListAccesses: the
// origin of the access (personal, via a group, or as a group guest), the
// group it comes from when applicable, and the ACL entries it grants.
type AccountAccess struct {
	AccessType string  `json:"type"` // "personal", "group" or "group-guest"
	// Group is nil for "personal" accesses (presumably; not shown here).
	Group      *string `json:"group"`
	ACL        []ACL   `json:"acl"`
}

type BoolFromInt

// BoolFromInt is a bool whose JSON form is the integer 1 or 0, the way The
// Bastion's API reports flags. Bool returns the plain value.
type BoolFromInt bool

BoolFromInt is a bool that (un)marshals to and from the JSON integers 1 (true) and 0 (false) used by The Bastion's API.

func (BoolFromInt) Bool

func (b BoolFromInt) Bool() bool

func (BoolFromInt) MarshalJSON

func (b BoolFromInt) MarshalJSON() ([]byte, error)

func (*BoolFromInt) UnmarshalJSON

func (b *BoolFromInt) UnmarshalJSON(data []byte) error

type Client

// Client is a session to a Bastion host; obtain one from New. Host and Port
// presumably mirror the Config it was built from; the SSH connection and
// authentication state live in the unexported fields.
type Client struct {
	Host string
	Port int
	// contains filtered or unexported fields
}

func New

func New(cfg *Config, authMethods ...SSHAuthMethod) (*Client, error)

func (*Client) AccountGrantCommand

func (c *Client) AccountGrantCommand(account, command string) error

AccountGrantCommand grants a restricted command to a Bastion account. This widens what the account may do on the bastion, so it should itself be run from an account with the matching privilege and be auditable.

func (*Client) AccountInfo

func (c *Client) AccountInfo(name string) (*Account, error)

func (*Client) AccountListAccesses

func (c *Client) AccountListAccesses(account string) ([]*AccountAccess, error)

AccountListAccesses lists all accesses for an account.

func (*Client) AccountRevokeCommand

func (c *Client) AccountRevokeCommand(account, command string) error

AccountRevokeCommand revokes a command from a Bastion account.

func (*Client) AccountSetPIVGrace

func (c *Client) AccountSetPIVGrace(account string, ttl int) error

AccountSetPIVGrace sets the PIV grace policy for an account with a TTL. The ttl parameter is in seconds.

func (*Client) AccountSetPIVPolicy

func (c *Client) AccountSetPIVPolicy(account string, policy PIVPolicy) error

AccountSetPIVPolicy sets the PIV policy for an account.

func (*Client) CreateAccount

func (c *Client) CreateAccount(name string, uidOpt UIDOpt, createOpts *CreateAccountOptions) error

CreateAccount creates a new Bastion account.

func (*Client) CreateGroup

func (c *Client) CreateGroup(name, owner string, keyAlgo KeyAlgo) (*Group, error)

CreateGroup creates a new Bastion group.

func (*Client) DeleteAccount

func (c *Client) DeleteAccount(name string) error

DeleteAccount deletes a Bastion account.

func (*Client) DeleteGroup

func (c *Client) DeleteGroup(name string) error

DeleteGroup deletes a Bastion group. This is a restricted command that allows deletion of any group.

func (*Client) DestroyGroup

func (c *Client) DestroyGroup(name string) error

DestroyGroup deletes a Bastion group. This command can be used by group owners to delete their own groups.

func (*Client) GroupAddACLKeeper

func (c *Client) GroupAddACLKeeper(group, account string) error

GroupAddACLKeeper adds an ACL keeper to a Bastion group.

func (*Client) GroupAddGatekeeper

func (c *Client) GroupAddGatekeeper(group, account string) error

GroupAddGatekeeper adds a gatekeeper to a Bastion group.

func (*Client) GroupAddGuestAccess

func (c *Client) GroupAddGuestAccess(group, account, host, port, user string, options *GroupAddGuestAccessOptions) error

GroupAddGuestAccess adds a guest access to a group.

func (*Client) GroupAddMember

func (c *Client) GroupAddMember(group, account string) error

GroupAddMember adds a member to a Bastion group.

func (*Client) GroupAddOwner

func (c *Client) GroupAddOwner(group, account string) error

GroupAddOwner adds an owner to a Bastion group.

func (*Client) GroupAddServer

func (c *Client) GroupAddServer(group, host, port, user string, options *GroupAddServerOptions) (*GroupServer, error)

GroupAddServer adds a server access to a group.

func (*Client) GroupDelGuestAccess

func (c *Client) GroupDelGuestAccess(group, account, host, port, user, protocol string, proxyOpts *ProxyOptions, remotePort *int64) error

GroupDelGuestAccess removes a guest access from a group.

func (*Client) GroupDelServer

func (c *Client) GroupDelServer(group, host, port, user, protocol string, proxyOpts *ProxyOptions, remotePort *int64) error

GroupDelServer removes a server access from a group.

func (*Client) GroupInfo

func (c *Client) GroupInfo(name string) (*Group, error)

GroupInfo returns information about a Bastion group.

func (*Client) GroupListGuestAccesses

func (c *Client) GroupListGuestAccesses(group, account string) ([]*GroupGuestAccess, error)

GroupListGuestAccesses lists all guest accesses from a group.

func (*Client) GroupListServers

func (c *Client) GroupListServers(name string) ([]*GroupServer, error)

GroupListServers lists all accesses from a group.

func (*Client) GroupRemoveACLKeeper

func (c *Client) GroupRemoveACLKeeper(group, account string) error

GroupRemoveACLKeeper removes an ACL keeper from a Bastion group.

func (*Client) GroupRemoveGatekeeper

func (c *Client) GroupRemoveGatekeeper(group, account string) error

GroupRemoveGatekeeper removes a gatekeeper from a Bastion group.

func (*Client) GroupRemoveMember

func (c *Client) GroupRemoveMember(group, account string) error

GroupRemoveMember removes a member from a Bastion group.

func (*Client) GroupRemoveOwner

func (c *Client) GroupRemoveOwner(group, account string) error

GroupRemoveOwner removes an owner from a Bastion group.

func (*Client) GroupTransmitOwnership

func (c *Client) GroupTransmitOwnership(group, account string) error

GroupTransmitOwnership transfers ownership of a Bastion group to another account. This method must be called by an explicit owner of the group.

func (*Client) ModifyAccount

func (c *Client) ModifyAccount(name string, modifyOpts *ModifyAccountOptions) error

ModifyAccount modifies an existing Bastion account.

func (*Client) ModifyGroup

func (c *Client) ModifyGroup(name string, modifyOpts *GroupModifyOptions) error

ModifyGroup modifies a Bastion group.

func (*Client) SelfListAccesses added in v0.2.0

func (c *Client) SelfListAccesses() ([]*AccountAccess, error)

SelfListAccesses lists all the accesses for the authenticated account.

type Config

// Config holds the connection parameters for a Bastion Client. New validates
// it; judging by the sentinel names an empty Host, an invalid Port and an
// empty Username yield ErrHostRequired, ErrInvalidPort and
// ErrUsernameRequired (confirm against New).
type Config struct {
	// Host is the bastion hostname or address (required).
	Host                  string
	// Port is the SSH port (22 in the README example).
	Port                  int
	// Username is the bastion account to log in as (required).
	Username              string
	// Timeout: unit is not documented here — presumably seconds, confirm.
	Timeout               int
	// StrictHostKeyChecking is false when omitted (Go zero value). Leaving
	// it unset most likely means the bastion's host key is not verified,
	// which exposes the SSH session to man-in-the-middle attacks; set it to
	// true in production and confirm against the library how the key is
	// then checked (known_hosts?).
	StrictHostKeyChecking bool
}

type CreateAccountOptions

// CreateAccountOptions holds the optional flags for Client.CreateAccount;
// the zero value presumably requests the bastion's defaults.
type CreateAccountOptions struct {
	AlwaysActive    bool
	OshOnly         bool
	// MaxInactiveDays is uint here, *int in ModifyAccountOptions and a
	// string in Account.
	MaxInactiveDays uint
	// ImmutableKey, PublicKey and NoKey control the account's ingress key.
	// PublicKey is presumably an authorized_keys-style public key line; no
	// private material belongs here.
	ImmutableKey    bool
	Comment         string
	PublicKey       string
	NoKey           bool
	// TTL in seconds (assumption; AccountSetPIVGrace documents its ttl as
	// seconds, this one does not).
	TTL             int
}

CreateAccountOptions holds options for creating a Bastion account.

type CreationInformation

// CreationInformation records who created an account, when, with which
// comment and on which Bastion version (Account.CreationInformation).
type CreationInformation struct {
	// Timestamp is presumably a Unix epoch in seconds — confirm.
	Timestamp      int    `json:"timestamp"`
	Comment        string `json:"comment"`
	By             string `json:"by"`
	BastionVersion string `json:"bastion_version"`
}

type EgressStrictHostKeyCheckingPolicy

// EgressStrictHostKeyCheckingPolicy is the per-account setting
// (ModifyAccountOptions.EgressStrictHostKeyChecking) for host-key
// verification on the bastion's outgoing connections; see the constants.
type EgressStrictHostKeyCheckingPolicy string

EgressStrictHostKeyCheckingPolicy represents the egress strict host key checking policies.

// Values accepted by ModifyAccountOptions.EgressStrictHostKeyChecking.
// "no" and "bypass" relax or skip host-key verification on the
// bastion-to-target hop and so weaken MITM protection; prefer "yes" or
// "accept-new". The exact meaning of "default" and "bypass" is defined by
// The Bastion, not by this library — confirm there.
const (
	EgressStrictHostKeyCheckingYes      EgressStrictHostKeyCheckingPolicy = "yes"
	// NOTE(review): the name is missing the "t" of "Strict"; it is
	// exported, so renaming it would break callers.
	EgressStricHostKeyCheckingAcceptNew EgressStrictHostKeyCheckingPolicy = "accept-new"
	EgressStrictHostKeyCheckingNo       EgressStrictHostKeyCheckingPolicy = "no"
	EgressStrictHostKeyCheckingAsk      EgressStrictHostKeyCheckingPolicy = "ask"
	EgressStrictHostKeyCheckingDefault  EgressStrictHostKeyCheckingPolicy = "default"
	EgressStrictHostKeyCheckingBypass   EgressStrictHostKeyCheckingPolicy = "bypass"
)

type Group

// Group is the JSON view of a Bastion group as returned by GroupInfo and
// CreateGroup: its role lists (owners, gatekeepers, ACL keepers, members,
// guests), its keys and its policy settings. Pointer fields are optional.
type Group struct {
	Group           string             `json:"group"`
	Inactive        []string           `json:"inactive"`
	Guests          []string           `json:"guests"`
	Owners          []string           `json:"owners"`
	Members         []string           `json:"members"`
	Gatekeepers     []string           `json:"gatekeepers"`
	ACLKeepers      []string           `json:"aclkeepers"`
	GuestAccesses   []string           `json:"guest_accesses"`
	// Keys: the map key is not documented here (fingerprint? filename?) —
	// confirm before relying on it.
	Keys            map[string]Key     `json:"keys"`
	MFARequired     *MFARequiredPolicy `json:"mfa_required"`
	// Timeouts and the guest TTL limit are strings, as the API returns them.
	IdleLockTimeout *string            `json:"idle_lock_timeout"`
	IdleKillTimeout *string            `json:"idle_kill_timeout"`
	GuestTtlLimit   *string            `json:"guest_ttl_limit"`
	TryPersonalKeys *BoolFromInt       `json:"try_personal_keys"`
}

Group represents a Bastion group.

type GroupAddGuestAccessOptions

// GroupAddGuestAccessOptions holds the optional settings for
// Client.GroupAddGuestAccess. Guest accesses should carry a TTL where the
// group's GuestTtlLimit allows it, so they expire on their own.
type GroupAddGuestAccessOptions struct {
	// TTL is a string here (as in GroupAddServerOptions), not an int.
	TTL          string
	Comment      string
	Protocol     string
	ProxyOptions *ProxyOptions
	// RemotePort is *int here but *int64 in GroupDelGuestAccess.
	RemotePort   *int
}

GroupAddGuestAccessOptions represents options for adding a guest access to a group.

type GroupAddServerOptions

// GroupAddServerOptions holds the optional settings for Client.GroupAddServer.
type GroupAddServerOptions struct {
	// Force: what it overrides is not documented here — confirm.
	Force         bool
	// ForceKey / ForcePassword select the credential used on the target.
	// The page does not say whether ForcePassword is a plaintext secret or
	// a reference to a stored one; treat it as sensitive and keep it out of
	// logs either way.
	ForceKey      string
	ForcePassword string
	// TTL is a string here, not an int.
	TTL           string
	Comment       string
	Protocol      string
	ProxyOptions  *ProxyOptions
	// RemotePort is *int here but *int64 in GroupDelServer.
	RemotePort    *int
}

GroupAddServerOptions represents options for adding a server access to a group.

type GroupGuestAccess

// GroupGuestAccess is a guest access entry as returned by
// GroupListGuestAccesses; it shares the ACL layout.
type GroupGuestAccess ACL

type GroupModifyOptions

// GroupModifyOptions holds the changes for Client.ModifyGroup. Every field
// is a pointer: nil presumably leaves the setting untouched.
type GroupModifyOptions struct {
	// MFARequired "none" removes the MFA requirement for the group.
	MFARequired     *MFARequiredPolicy
	IdleLockTimeout *string
	IdleKillTimeout *string
	GuestTtlLimit   *string
	// TryPersonalKeys is *bool here but *BoolFromInt in Group.
	TryPersonalKeys *bool
}

GroupModifyOptions holds options for modifying a Bastion group.

type GroupServer

// GroupServer is a group server access entry as returned by
// GroupListServers and GroupAddServer; it shares the ACL layout.
type GroupServer ACL

GroupServer represents a Bastion group server access.

type IngressPIVGrace

// IngressPIVGrace reports a temporary exemption from the PIV ingress policy
// (Account.IngressPIVGrace); set with AccountSetPIVGrace.
type IngressPIVGrace struct {
	Enabled             BoolFromInt `json:"enabled"`
	// ExpirationTimestamp is presumably a Unix epoch in seconds — confirm.
	ExpirationTimestamp int         `json:"expiration_timestamp"`
	SecondsRemaining    int         `json:"seconds_remaining"`
}

type Key

// Key is a Bastion SSH key entry (Group.Keys). The fields look like a parsed
// public key line; Base64 is presumably the key blob and Line the full
// authorized_keys-style line — no private material is shown here.
type Key struct {
	Prefix      string   `json:"prefix"`
	ID          string   `json:"id"`
	// FromList: source restrictions on the key (from="..."), presumably.
	FromList    []string `json:"fromList"`
	Fingerprint string   `json:"fingerprint"`
	Typecode    string   `json:"typecode"`
	Family      string   `json:"family"`
	Filename    string   `json:"filename"`
	Size        int      `json:"size"`
	Mtime       int      `json:"mtime"`
	Fullpath    string   `json:"fullpath"`
	Comment     string   `json:"comment"`
	Base64      string   `json:"base64"`
	Line        string   `json:"line"`
}

Key represents a Bastion SSH key.

type KeyAlgo

// KeyAlgo names the key type and size passed to CreateGroup (presumably for
// the group's key); AlgoAndSize splits it into the two parts.
type KeyAlgo string

KeyAlgo represents a Bastion SSH key algorithm.

// Supported key algorithms. ED25519 is the usual default; among RSA sizes,
// RSA2048 is at the low end of current recommendations, so prefer ED25519
// or RSA4096 for new groups unless a target only supports something else.
const (
	ED25519  KeyAlgo = "ed25519"
	RSA2048  KeyAlgo = "rsa2048"
	RSA4096  KeyAlgo = "rsa4096"
	RSA8192  KeyAlgo = "rsa8192"
	ECDSA256 KeyAlgo = "ecdsa256"
	ECDSA384 KeyAlgo = "ecdsa384"
	ECDSA521 KeyAlgo = "ecdsa521"
)

func (KeyAlgo) AlgoAndSize

func (k KeyAlgo) AlgoAndSize() (string, int)

type KeyboardInteractiveChallenge added in v0.3.0

// KeyboardInteractiveChallenge answers an SSH keyboard-interactive prompt.
// Answers are often passwords or one-time codes: when echos[i] is false the
// answer to questions[i] should not be displayed or logged by the callback.
type KeyboardInteractiveChallenge func(name, instruction string, questions []string, echos []bool) ([]string, error)

KeyboardInteractiveChallenge is a callback for answering SSH keyboard-interactive challenges. It receives the challenge name, instruction, questions, and echo flags, and returns answers.

type LastActivity

// LastActivity pairs an activity timestamp with a human-readable "ago"
// string. No type on this page references it; see the rest of the package.
type LastActivity struct {
	// Timestamp is presumably a Unix epoch in seconds — confirm.
	Timestamp int    `json:"timestamp"`
	Ago       string `json:"ago"`
}

type MFARequiredPolicy

// MFARequiredPolicy is an MFA requirement as used on groups (Group.MFARequired)
// and accounts (Account.PersonalEgressMFARequired); see the constants.
type MFARequiredPolicy string

MFARequiredPolicy represents an MFA requirement policy: which factor (password, TOTP, either, or none) must be satisfied.

// MFA requirement values. "any" accepts either configured factor;
// "none" removes the requirement and should be a deliberate choice.
const (
	MFARequiredPassword MFARequiredPolicy = "password"
	MFARequiredTOTP     MFARequiredPolicy = "totp"
	MFARequiredAny      MFARequiredPolicy = "any"
	MFARequiredNone     MFARequiredPolicy = "none"
)

type ModifyAccountOptions

// ModifyAccountOptions holds the changes for Client.ModifyAccount. Every
// field is a pointer: nil presumably leaves the setting untouched.
// Several fields weaken authentication for the account — PamAuthBypass,
// the "bypass" value of MFAPasswordRequired / MFATOTPRequired,
// PubkeyAuthOptional and EgressStrictHostKeyChecking "no"/"bypass" —
// so changes to them deserve review and an audit trail.
type ModifyAccountOptions struct {
	PamAuthBypass               *bool
	MFAPasswordRequired         *YesNoBypass
	MFATOTPRequired             *YesNoBypass
	EgressStrictHostKeyChecking *EgressStrictHostKeyCheckingPolicy
	EgressSessionMultiplexing   *YesNoDefault
	PersonalEgressMFARequired   *MFARequiredPolicy
	AlwaysActive                *bool
	IdleIgnore                  *bool
	// MaxInactiveDays is *int here, uint in CreateAccountOptions.
	MaxInactiveDays             *int
	OshOnly                     *bool
	// PubkeyAuthOptional presumably allows login without a public key.
	PubkeyAuthOptional          *bool
}

ModifyAccountOptions holds options for modifying a Bastion account.

type PIVPolicy

// PIVPolicy controls whether an account's ingress keys must be PIV-backed
// (hardware-resident); set with AccountSetPIVPolicy, read via
// Account.IngressPIVPolicy. See the constants.
type PIVPolicy string

PIVPolicy represents the PIV policy for account ingress keys.

// PIV policy values. "enforce" requires PIV keys; "never" exempts the
// account; "grace" is a temporary exemption with a TTL (AccountSetPIVGrace);
// "default" defers to the bastion-wide setting (presumably — confirm).
const (
	PIVPolicyDefault PIVPolicy = "default"
	PIVPolicyEnforce PIVPolicy = "enforce"
	PIVPolicyNever   PIVPolicy = "never"
	PIVPolicyGrace   PIVPolicy = "grace"
)

type Port

// Port wraps a port number that the Bastion API encodes either as a JSON
// string or as a JSON number (see UnmarshalJSON / MarshalJSON). The
// unexported state presumably remembers the original representation so
// the value round-trips; use ValueInt / ValueString to read it.
type Port struct {
	Number int
	// contains filtered or unexported fields
}

Port is a helper representing a port number that the API may encode either as a string or as an integer.

func NewPort

func NewPort(port string) *Port

func (*Port) MarshalJSON

func (p *Port) MarshalJSON() ([]byte, error)

func (*Port) UnmarshalJSON

func (p *Port) UnmarshalJSON(data []byte) error

func (*Port) ValueInt

func (p *Port) ValueInt() int

func (*Port) ValueString

func (p *Port) ValueString() string

type ProxyOptions

// ProxyOptions names the intermediate host an access must hop through.
// All three fields go together; the ErrProxyMissing* sentinels are
// presumably returned when one of them is empty.
type ProxyOptions struct {
	ProxyHost string
	// ProxyPort is a string, unlike Config.Port.
	ProxyPort string
	ProxyUser string
}

ProxyOptions represents the proxy (intermediate host) options used when adding or removing an access.

type SSHAuthMethod

// SSHAuthMethod lazily builds an ssh.AuthMethod. The With* helpers return
// one and New presumably invokes them, so errors such as an unreadable key
// file or a wrong passphrase surface from New, not when the option is made.
type SSHAuthMethod func() (ssh.AuthMethod, error)

SSHAuthMethod defines a function that returns an SSH authentication method.

func WithKeyboardInteractiveAuth added in v0.3.0

func WithKeyboardInteractiveAuth(challenge KeyboardInteractiveChallenge) SSHAuthMethod

WithKeyboardInteractiveAuth returns a keyboard-interactive authentication method using the provided challenge callback.

func WithPrivateKeyAuth

func WithPrivateKeyAuth(privateKey string) SSHAuthMethod

WithPrivateKeyAuth returns a private key authentication method.

func WithPrivateKeyAuthWithPassphrase

func WithPrivateKeyAuthWithPassphrase(privateKey string, passphrase string) SSHAuthMethod

WithPrivateKeyAuthWithPassphrase returns a private key authentication method with passphrase support.

func WithPrivateKeyAuthWithPassphraseWithSignedCert added in v0.4.0

func WithPrivateKeyAuthWithPassphraseWithSignedCert(privateKey string, passphrase string, cert string) SSHAuthMethod

WithPrivateKeyAuthWithPassphraseWithSignedCert returns a private key authentication method with passphrase support and a signed certificate.

func WithPrivateKeyAuthWithPassphraseWithSignedCertFile added in v0.5.0

func WithPrivateKeyAuthWithPassphraseWithSignedCertFile(privateKey string, passphrase string, certPath string) SSHAuthMethod

WithPrivateKeyAuthWithPassphraseWithSignedCertFile returns a private key authentication method with passphrase support and a signed certificate read from a file.

func WithPrivateKeyAuthWithSignedCert added in v0.4.0

func WithPrivateKeyAuthWithSignedCert(privateKey string, cert string) SSHAuthMethod

WithPrivateKeyAuthWithSignedCert returns a private key authentication method with a signed certificate.

func WithPrivateKeyAuthWithSignedCertFile added in v0.5.0

func WithPrivateKeyAuthWithSignedCertFile(privateKey string, certPath string) SSHAuthMethod

WithPrivateKeyAuthWithSignedCertFile returns a private key authentication method with a signed certificate read from a file.

func WithPrivateKeyFileAuth

func WithPrivateKeyFileAuth(keyPath string) SSHAuthMethod

WithPrivateKeyFileAuth returns a private key file authentication method.

func WithPrivateKeyFileAuthWithPassphrase

func WithPrivateKeyFileAuthWithPassphrase(keyPath string, passphrase string) SSHAuthMethod

WithPrivateKeyFileAuthWithPassphrase returns a private key file authentication method with passphrase support.

func WithPrivateKeyFileAuthWithPassphraseWithSignedCert added in v0.4.0

func WithPrivateKeyFileAuthWithPassphraseWithSignedCert(keyPath string, passphrase string, cert string) SSHAuthMethod

WithPrivateKeyFileAuthWithPassphraseWithSignedCert returns a private key file authentication method with passphrase support and a signed certificate.

func WithPrivateKeyFileAuthWithPassphraseWithSignedCertFile added in v0.5.0

func WithPrivateKeyFileAuthWithPassphraseWithSignedCertFile(keyPath string, passphrase string, certPath string) SSHAuthMethod

WithPrivateKeyFileAuthWithPassphraseWithSignedCertFile returns a private key file authentication method with passphrase support and a signed certificate read from a file.

func WithSSHAgentAuth

func WithSSHAgentAuth() SSHAuthMethod

WithSSHAgentAuth returns an SSH agent authentication method.

type UIDOpt

// UIDOpt is a functional option for CreateAccount's UID choice; use
// WithAutoUID or WithSpecificUID.
type UIDOpt func(*UIDOptions)

UIDOpt defines a function type for setting UID options.

func WithAutoUID

func WithAutoUID() UIDOpt

WithAutoUID sets the option to automatically assign a UID.

func WithSpecificUID

func WithSpecificUID(uid uint) UIDOpt

WithSpecificUID sets a specific UID for the account.

type UIDOptions

// UIDOptions is the accumulator that UIDOpt functions write into; callers
// never construct it directly (all fields are unexported).
type UIDOptions struct {
	// contains filtered or unexported fields
}

UIDOptions holds the uid options for creating an account.

type YesNoBypass

// YesNoBypass is the tri-state used for ModifyAccountOptions.MFAPasswordRequired
// and MFATOTPRequired; "bypass" exempts the account from that MFA factor.
type YesNoBypass string

YesNoBypass represents a three-state option: yes, no, or bypass.

// YesNoBypass values. Setting "bypass" on an MFA requirement removes a
// second factor for the account; it should be deliberate and audited.
const (
	YesNoBypassYes    YesNoBypass = "yes"
	YesNoBypassNo     YesNoBypass = "no"
	YesNoBypassBypass YesNoBypass = "bypass"
)

type YesNoDefault

// YesNoDefault is the tri-state used for
// ModifyAccountOptions.EgressSessionMultiplexing; "default" defers to the
// bastion-wide setting (presumably).
type YesNoDefault string

YesNoDefault represents a three-state option: yes, no, or default.

// YesNoDefault values.
const (
	YesNoDefaultYes     YesNoDefault = "yes"
	YesNoDefaultNo      YesNoDefault = "no"
	YesNoDefaultDefault YesNoDefault = "default"
)
