Diffstat (limited to 'doc/share/authz/todo')
| Mode | File | Lines |
| --- | --- | --- |
| -rw-r--r-- | doc/share/authz/todo/001_ldap.md | 19 |
| -rw-r--r-- | doc/share/authz/todo/002_hierarchical_membership.md | 19 |
| -rw-r--r-- | doc/share/authz/todo/003_workload_identity_federation.md | 21 |
| -rw-r--r-- | doc/share/authz/todo/004_acme_protocol.md | 69 |
| -rw-r--r-- | doc/share/authz/todo/005_open_pubkey.md | 20 |
| -rw-r--r-- | doc/share/authz/todo/006_zero_knowledge_proof.md | 17 |
6 files changed, 0 insertions, 165 deletions
diff --git a/doc/share/authz/todo/001_ldap.md b/doc/share/authz/todo/001_ldap.md deleted file mode 100644 index 408cc771..00000000 --- a/doc/share/authz/todo/001_ldap.md +++ /dev/null @@ -1,19 +0,0 @@ -As an `Owner`, I want to `control group membership via LDAP`, so that `I can manage users in my company using my existing LDAP server`. - -# SYNOPSIS - -An external LDAP server should be able to synchronize data to the IdP. - -# DESCRIPTION - -# SEE ALSO - -* [ ] TBD - -# Tasks - -* [ ] TBD - -# Acceptance Criteria - -* [ ] TBD diff --git a/doc/share/authz/todo/002_hierarchical_membership.md b/doc/share/authz/todo/002_hierarchical_membership.md deleted file mode 100644 index 224eed7a..00000000 --- a/doc/share/authz/todo/002_hierarchical_membership.md +++ /dev/null @@ -1,19 +0,0 @@ -As an `Owner`, I want to `manage group membership`, so that `I can manage users in my company`. - -# SYNOPSIS - -Owners of an Organization can create group hierarchies and manage memberships to those groups. - -# DESCRIPTION - -# SEE ALSO - -* [ ] TBD - -# Tasks - -* [ ] TBD - -# Acceptance Criteria - -* [ ] TBD diff --git a/doc/share/authz/todo/003_workload_identity_federation.md b/doc/share/authz/todo/003_workload_identity_federation.md deleted file mode 100644 index a93353a7..00000000 --- a/doc/share/authz/todo/003_workload_identity_federation.md +++ /dev/null @@ -1,21 +0,0 @@ -As an `Operator`, I want to `integrate multicloud workloads`, so that `I can operate multiple clouds include on-premises`. - -# SYNOPSIS - -I have no idea what workload identity federation is but it sounds like a neat -way to federate authn to an external/central identity provider to interop -between multiple clouds. - -# DESCRIPTION - -# SEE ALSO - -* https://cloud.google.com/iam/docs/workload-identity-federation - -# Tasks - -* [ ] TBD - -# Acceptance Criteria - -* [ ] TBD 
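Review bot: the three stories deleted in this run (001 LDAP sync, 002 group hierarchies, 003 workload identity federation) are dropped without any forwarding pointer, and the 003 hunk's `SEE ALSO` link to the Google workload-identity-federation docs is the only concrete reference the backlog held for that topic. If the todo directory is being retired rather than abandoned, the commit should say where these items now live (issue tracker, design doc) so the LDAP and group-membership requirements for the authz model are not lost with the stubs.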
diff --git a/doc/share/authz/todo/004_acme_protocol.md b/doc/share/authz/todo/004_acme_protocol.md deleted file mode 100644 index 93628f77..00000000 --- a/doc/share/authz/todo/004_acme_protocol.md +++ /dev/null 
@@ -1,69 +0,0 @@ -As an `Operator`, I want to `use the ACME protocol`, so that `I have a standards based way to manage PKI`. - -# SYNOPSIS - -Use the ACME protocol to generate TLS PKI. - -# DESCRIPTION - -Below is an example startup configuration for using the ACME protocol in golang -and distributing the key material using file storage. The file storage should be -replaced with a distributed blob storage that is locked down. This also uses -the `STEPPATH` environment variable to access an internal root certificate -authority. - -```golang -func WithAcmeTLS(ctx context.Context, directoryURL string, cacheDir string) cfg.Option { - storageFor := func(config *cfg.Config) certmagic.Storage { - return &certmagic.FileStorage{Path: cacheDir} - } - return func(config *cfg.Config) { - host := os.Getenv("HOST") - tls := srv.NewTLS(ctx, host, storageFor(config), []certmagic.ACMEIssuer{ - { - Agreed: true, - CA: directoryURL, - DisableHTTPChallenge: true, - Email: "everyone@example.com", - TestCA: directoryURL, - TrustedRoots: newCertPool(), - AltTLSALPNPort: bindingPort(), - }, - }) - config.TLS = x.Must(tls.Config()) - } -} - -func newCertPool() *x509.CertPool { - certPool := x.Must(x509.SystemCertPool()) - certPool.AddCert(func() *x509.Certificate { - block, _ := pem.Decode(x.Must(ioutil.ReadFile( - filepath.Join(os.ExpandEnv("$STEPPATH"), "/certs/root_ca.crt"), - ))) - return x.Must(x509.ParseCertificate(block.Bytes)) - }()) - return certPool -} - -func bindingPort() int { - parts := strings.SplitN(os.Getenv("BIND_ADDR"), ":", 2) - bindPort, err := strconv.Atoi(parts[1]) - if err != nil { - bindPort = 0 - } - return bindPort -} -``` - -# SEE ALSO - -* [RFC-8555](https://datatracker.ietf.org/doc/html/rfc8555) -* [$STEPPATH](https://smallstep.com/docs/step-cli/reference/path/#examples) - -# Tasks - -* [ ] TBD - -# Acceptance Criteria - -* [ ] TBD 
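Review bot: the Go snippet removed in this hunk is the only worked ACME configuration in the tree, and two defects in it should be fixed if it is being re-homed rather than dropped. `bindingPort()` reads `parts[1]` without checking that `strings.SplitN(os.Getenv("BIND_ADDR"), ":", 2)` actually produced two elements, so an unset or port-less `BIND_ADDR` panics with an index out of range instead of falling back to `0` as the `Atoi` error path intends; a `len(parts) < 2` guard belongs before the `Atoi`. `TestCA: directoryURL` also points certmagic's pre-flight test CA at the same directory as `CA`, which appears to defeat the purpose of a separate test endpoint and doubles the requests made against the real directory. The `DESCRIPTION` paragraph's own caveats (replace `certmagic.FileStorage` with locked-down blob storage, the `STEPPATH` root CA dependency) and the placeholder `Email: "everyone@example.com"` should travel with the snippet wherever it goes.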
diff --git a/doc/share/authz/todo/005_open_pubkey.md b/doc/share/authz/todo/005_open_pubkey.md deleted file mode 100644 index 92b0b7a8..00000000 --- a/doc/share/authz/todo/005_open_pubkey.md +++ /dev/null @@ -1,20 +0,0 @@ -As an `Owner`, I want to `enable ssh access via open pubkey`, so that `have a standard based approach to connect over SSH`. - -# SYNOPSIS - -Research OpenPubKey to see how it operates on top of OIDC to provide ephemeral -SSH keys for temporary access. - -# DESCRIPTION - -# SEE ALSO - -* https://docs.bastionzero.com/openpubkey-ssh - -# Tasks - -* [ ] TBD - -# Acceptance Criteria - -* [ ] TBD diff --git a/doc/share/authz/todo/006_zero_knowledge_proof.md b/doc/share/authz/todo/006_zero_knowledge_proof.md deleted file mode 100644 index eb3984e9..00000000 --- a/doc/share/authz/todo/006_zero_knowledge_proof.md +++ /dev/null @@ -1,17 +0,0 @@ -As an `Developer`, I want to `understand what a zero knowledge proof is`, so that `I can understand how to be considerate of privacy`. - -# SYNOPSIS - -# DESCRIPTION - -# SEE ALSO - -* https://dl.acm.org/doi/pdf/10.1145/3708622.3708634 - -# Tasks - -* [ ] TBD - -# Acceptance Criteria - -* [ ] TBD |
