smallstep-certificates/authority/options.go

211 lines
6.0 KiB
Go
Raw Normal View History

2019-11-14 23:29:04 +00:00
package authority
import (
"context"
2020-01-10 02:42:26 +00:00
"crypto"
"crypto/x509"
"encoding/pem"
"github.com/pkg/errors"
2021-05-03 19:48:20 +00:00
"github.com/smallstep/certificates/authority/config"
"github.com/smallstep/certificates/authority/provisioner"
2020-09-16 20:31:26 +00:00
"github.com/smallstep/certificates/cas"
casapi "github.com/smallstep/certificates/cas/apiv1"
2019-11-14 23:29:04 +00:00
"github.com/smallstep/certificates/db"
2020-01-10 02:42:26 +00:00
"github.com/smallstep/certificates/kms"
"golang.org/x/crypto/ssh"
2019-11-14 23:29:04 +00:00
)
// Option sets options to the Authority.
type Option func(*Authority) error
2019-11-14 23:29:04 +00:00
// WithConfig replaces the current config with the given one. No validation is
// performed in the given value.
2021-05-03 19:48:20 +00:00
func WithConfig(config *config.Config) Option {
return func(a *Authority) error {
a.config = config
return nil
}
}
// WithConfigFile reads the given filename as a configuration file and replaces
// the current one. No validation is performed in the given configuration.
func WithConfigFile(filename string) Option {
return func(a *Authority) (err error) {
2021-05-03 19:48:20 +00:00
a.config, err = config.LoadConfiguration(filename)
return
}
}
2019-11-14 23:29:04 +00:00
// WithDatabase sets an already initialized authority database to a new
// authority. This option is intended to be use on graceful reloads.
func WithDatabase(db db.AuthDB) Option {
return func(a *Authority) error {
2019-11-14 23:29:04 +00:00
a.db = db
return nil
2019-11-14 23:29:04 +00:00
}
}
2019-11-15 02:24:58 +00:00
2019-11-20 19:32:27 +00:00
// WithGetIdentityFunc sets a custom function to retrieve the identity from
// an external resource.
func WithGetIdentityFunc(fn func(ctx context.Context, p provisioner.Interface, email string) (*provisioner.Identity, error)) Option {
return func(a *Authority) error {
2019-11-20 19:32:27 +00:00
a.getIdentityFunc = fn
return nil
2019-11-20 19:32:27 +00:00
}
}
// WithSSHBastionFunc sets a custom function to get the bastion for a
2019-11-15 02:24:58 +00:00
// given user-host pair.
2021-05-03 19:48:20 +00:00
func WithSSHBastionFunc(fn func(ctx context.Context, user, host string) (*config.Bastion, error)) Option {
return func(a *Authority) error {
2019-11-15 02:24:58 +00:00
a.sshBastionFunc = fn
return nil
2019-11-15 02:24:58 +00:00
}
}
2019-11-20 19:32:27 +00:00
// WithSSHGetHosts sets a custom function to get the bastion for a
// given user-host pair.
2021-05-03 19:48:20 +00:00
func WithSSHGetHosts(fn func(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)) Option {
return func(a *Authority) error {
2019-11-20 19:32:27 +00:00
a.sshGetHostsFunc = fn
return nil
}
}
// WithSSHCheckHost sets a custom function to check whether a given host is
// step ssh enabled. The token is used to validate the request, while the roots
// are used to validate the token.
func WithSSHCheckHost(fn func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)) Option {
return func(a *Authority) error {
a.sshCheckHostFunc = fn
return nil
}
}
2020-01-10 02:42:26 +00:00
// WithKeyManager defines the key manager used to get and create keys, and sign
// certificates.
func WithKeyManager(k kms.KeyManager) Option {
return func(a *Authority) error {
2020-01-10 02:42:26 +00:00
a.keyManager = k
return nil
2020-01-10 02:42:26 +00:00
}
}
// WithX509Signer defines the signer used to sign X509 certificates.
func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option {
return func(a *Authority) error {
2020-09-16 20:31:26 +00:00
srv, err := cas.New(context.Background(), casapi.Options{
Type: casapi.SoftCAS,
Signer: s,
CertificateChain: []*x509.Certificate{crt},
2020-09-16 20:31:26 +00:00
})
if err != nil {
return err
}
a.x509CAService = srv
return nil
2020-01-10 02:42:26 +00:00
}
}
// WithSSHUserSigner defines the signer used to sign SSH user certificates.
func WithSSHUserSigner(s crypto.Signer) Option {
return func(a *Authority) error {
signer, err := ssh.NewSignerFromSigner(s)
if err != nil {
return errors.Wrap(err, "error creating ssh user signer")
}
a.sshCAUserCertSignKey = signer
// Append public key to list of user certs
pub := signer.PublicKey()
a.sshCAUserCerts = append(a.sshCAUserCerts, pub)
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, pub)
return nil
2020-01-10 02:42:26 +00:00
}
}
// WithSSHHostSigner defines the signer used to sign SSH host certificates.
func WithSSHHostSigner(s crypto.Signer) Option {
return func(a *Authority) error {
signer, err := ssh.NewSignerFromSigner(s)
if err != nil {
return errors.Wrap(err, "error creating ssh host signer")
}
a.sshCAHostCertSignKey = signer
// Append public key to list of host certs
pub := signer.PublicKey()
a.sshCAHostCerts = append(a.sshCAHostCerts, pub)
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, pub)
return nil
2020-01-10 02:42:26 +00:00
}
}
// WithX509RootCerts is an option that allows to define the list of root
// certificates to use. This option will replace any root certificate defined
// before.
func WithX509RootCerts(rootCerts ...*x509.Certificate) Option {
return func(a *Authority) error {
a.rootX509Certs = rootCerts
return nil
}
}
// WithX509FederatedCerts is an option that allows to define the list of
// federated certificates. This option will replace any federated certificate
// defined before.
func WithX509FederatedCerts(certs ...*x509.Certificate) Option {
return func(a *Authority) error {
a.federatedX509Certs = certs
return nil
}
}
// WithX509RootBundle is an option that allows to define the list of root
// certificates. This option will replace any root certificate defined before.
func WithX509RootBundle(pemCerts []byte) Option {
return func(a *Authority) error {
certs, err := readCertificateBundle(pemCerts)
if err != nil {
return err
}
a.rootX509Certs = certs
return nil
}
}
// WithX509FederatedBundle is an option that allows to define the list of
// federated certificates. This option will replace any federated certificate
// defined before.
func WithX509FederatedBundle(pemCerts []byte) Option {
return func(a *Authority) error {
certs, err := readCertificateBundle(pemCerts)
if err != nil {
return err
}
a.federatedX509Certs = certs
return nil
}
}
func readCertificateBundle(pemCerts []byte) ([]*x509.Certificate, error) {
var block *pem.Block
var certs []*x509.Certificate
for len(pemCerts) > 0 {
block, pemCerts = pem.Decode(pemCerts)
if block == nil {
break
}
if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
continue
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, err
}
certs = append(certs, cert)
}
return certs, nil
}