2019-05-27 00:41:10 +00:00
|
|
|
package provisioner
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"crypto/x509"
|
2022-01-03 11:25:24 +00:00
|
|
|
"net"
|
2020-05-20 01:44:55 +00:00
|
|
|
"time"
|
2019-05-27 00:41:10 +00:00
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
2019-12-20 21:30:05 +00:00
|
|
|
"github.com/smallstep/certificates/errs"
|
2019-05-27 00:41:10 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// ACME is the acme provisioner type, an entity that can authorize the ACME
|
|
|
|
// provisioning flow.
|
|
|
|
type ACME struct {
|
2019-10-28 18:50:43 +00:00
|
|
|
*base
|
2021-05-20 01:23:20 +00:00
|
|
|
ID string `json:"-"`
|
2020-07-23 01:24:45 +00:00
|
|
|
Type string `json:"type"`
|
|
|
|
Name string `json:"name"`
|
|
|
|
ForceCN bool `json:"forceCN,omitempty"`
|
|
|
|
Claims *Claims `json:"claims,omitempty"`
|
|
|
|
Options *Options `json:"options,omitempty"`
|
2019-05-27 00:41:10 +00:00
|
|
|
claimer *Claimer
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetID returns the provisioner unique identifier.
|
|
|
|
func (p ACME) GetID() string {
|
2021-05-20 01:23:20 +00:00
|
|
|
if p.ID != "" {
|
|
|
|
return p.ID
|
|
|
|
}
|
|
|
|
return p.GetIDForToken()
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetIDForToken returns an identifier that will be used to load the provisioner
|
|
|
|
// from a token.
|
|
|
|
func (p *ACME) GetIDForToken() string {
|
2019-05-27 00:41:10 +00:00
|
|
|
return "acme/" + p.Name
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetTokenID returns the identifier of the token.
|
|
|
|
func (p *ACME) GetTokenID(ott string) (string, error) {
|
|
|
|
return "", errors.New("acme provisioner does not implement GetTokenID")
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetName returns the name of the provisioner.
|
|
|
|
func (p *ACME) GetName() string {
|
|
|
|
return p.Name
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetType returns the type of provisioner.
|
|
|
|
func (p *ACME) GetType() Type {
|
|
|
|
return TypeACME
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetEncryptedKey returns the base provisioner encrypted key if it's defined.
|
|
|
|
func (p *ACME) GetEncryptedKey() (string, string, bool) {
|
|
|
|
return "", "", false
|
|
|
|
}
|
|
|
|
|
2020-07-16 00:30:29 +00:00
|
|
|
// GetOptions returns the configured provisioner options.
|
2020-07-23 01:24:45 +00:00
|
|
|
func (p *ACME) GetOptions() *Options {
|
2020-07-16 00:30:29 +00:00
|
|
|
return p.Options
|
|
|
|
}
|
|
|
|
|
2020-05-20 01:44:55 +00:00
|
|
|
// DefaultTLSCertDuration returns the default TLS cert duration enforced by
|
|
|
|
// the provisioner.
|
|
|
|
func (p *ACME) DefaultTLSCertDuration() time.Duration {
|
|
|
|
return p.claimer.DefaultTLSCertDuration()
|
|
|
|
}
|
|
|
|
|
2022-01-03 11:25:24 +00:00
|
|
|
// Init initializes and validates the fields of an ACME type.
|
2019-05-27 00:41:10 +00:00
|
|
|
func (p *ACME) Init(config Config) (err error) {
|
2022-01-03 11:25:24 +00:00
|
|
|
p.base = &base{} // prevent nil pointers
|
2019-05-27 00:41:10 +00:00
|
|
|
switch {
|
|
|
|
case p.Type == "":
|
|
|
|
return errors.New("provisioner type cannot be empty")
|
|
|
|
case p.Name == "":
|
|
|
|
return errors.New("provisioner name cannot be empty")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update claims with global ones
|
|
|
|
if p.claimer, err = NewClaimer(p.Claims, config.Claims); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-01-03 11:25:24 +00:00
|
|
|
// Initialize the x509 allow/deny policy engine
|
|
|
|
// TODO(hs): ensure no race conditions happen when reloading settings and requesting certs?
|
|
|
|
// TODO(hs): implement memoization strategy, so that reloading is not required when no changes were made to allow/deny?
|
|
|
|
if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// ACMEIdentifierType encodes ACME Identifier types
|
|
|
|
type ACMEIdentifierType string
|
|
|
|
|
|
|
|
const (
|
|
|
|
// IP is the ACME ip identifier type
|
|
|
|
IP ACMEIdentifierType = "ip"
|
|
|
|
// DNS is the ACME dns identifier type
|
|
|
|
DNS ACMEIdentifierType = "dns"
|
|
|
|
)
|
|
|
|
|
|
|
|
// ACMEIdentifier encodes ACME Order Identifiers
|
|
|
|
type ACMEIdentifier struct {
|
|
|
|
Type ACMEIdentifierType
|
|
|
|
Value string
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizeOrderIdentifiers verifies the provisioner is authorized to issue a
|
|
|
|
// certificate for the Identifiers provided in an Order.
|
|
|
|
func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier string) error {
|
|
|
|
|
|
|
|
if p.x509PolicyEngine == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-01-03 14:32:58 +00:00
|
|
|
// assuming only valid identifiers (IP or DNS) are provided
|
2022-01-03 11:25:24 +00:00
|
|
|
var err error
|
|
|
|
if ip := net.ParseIP(identifier); ip != nil {
|
|
|
|
_, err = p.x509PolicyEngine.IsIPAllowed(ip)
|
|
|
|
} else {
|
|
|
|
_, err = p.x509PolicyEngine.IsDNSAllowed(identifier)
|
|
|
|
}
|
|
|
|
|
2019-05-27 00:41:10 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-10-28 18:50:43 +00:00
|
|
|
// AuthorizeSign does not do any validation, because all validation is handled
|
|
|
|
// in the ACME protocol. This method returns a list of modifiers / constraints
|
|
|
|
// on the resulting certificate.
|
|
|
|
func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
2022-01-03 11:25:24 +00:00
|
|
|
opts := []SignOption{
|
2019-09-05 01:31:09 +00:00
|
|
|
// modifiers / withOptions
|
2019-05-27 00:41:10 +00:00
|
|
|
newProvisionerExtensionOption(TypeACME, p.Name, ""),
|
2020-05-17 17:23:13 +00:00
|
|
|
newForceCNOption(p.ForceCN),
|
2019-09-05 01:31:09 +00:00
|
|
|
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
|
|
|
|
// validators
|
2019-05-27 00:41:10 +00:00
|
|
|
defaultPublicKeyValidator{},
|
2019-09-05 01:31:09 +00:00
|
|
|
newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
|
2022-01-03 11:25:24 +00:00
|
|
|
newX509NamePolicyValidator(p.x509PolicyEngine),
|
|
|
|
}
|
|
|
|
|
|
|
|
return opts, nil
|
2019-05-27 00:41:10 +00:00
|
|
|
}
|
|
|
|
|
2021-07-09 22:28:31 +00:00
|
|
|
// AuthorizeRevoke is called just before the certificate is to be revoked by
|
|
|
|
// the CA. It can be used to authorize revocation of a certificate. It
|
|
|
|
// currently is a no-op.
|
2021-11-28 20:20:57 +00:00
|
|
|
// TODO(hs): add configuration option that toggles revocation? Or change function signature to make it more useful?
|
2021-07-09 22:28:31 +00:00
|
|
|
// Or move certain logic out of the Revoke API to here? Would likely involve some more stuff in the ctx.
|
|
|
|
func (p *ACME) AuthorizeRevoke(ctx context.Context, token string) error {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-10-28 18:50:43 +00:00
|
|
|
// AuthorizeRenew returns an error if the renewal is disabled.
|
|
|
|
// NOTE: This method does not actually validate the certificate or check it's
|
|
|
|
// revocation status. Just confirms that the provisioner that created the
|
|
|
|
// certificate was configured to allow renewals.
|
|
|
|
func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
|
2019-05-27 00:41:10 +00:00
|
|
|
if p.claimer.IsDisableRenewal() {
|
2021-05-03 19:48:20 +00:00
|
|
|
return errs.Unauthorized("acme.AuthorizeRenew; renew is disabled for acme provisioner '%s'", p.GetName())
|
2019-05-27 00:41:10 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|