package provisioner
import (
"crypto/x509"
"github.com/pkg/errors"
)
// azureAttestedDocumentURL is the Azure Instance Metadata Service (IMDS)
// endpoint that returns the attested document for the running VM.
//
// The address is link-local and served over plain HTTP, which is simply how
// IMDS is exposed; any trust placed in the response therefore has to come
// from validating the returned document itself rather than from the
// transport. NOTE(review): the code that fetches and validates the document
// is not in this file — confirm it checks the document's signature before
// relying on its contents.
const azureAttestedDocumentURL = "http://169.254.169.254/metadata/attested/document?api-version=2018-10-01"
// azureConfig is the unexported, per-provisioner configuration of the Azure
// provisioner. It is created by newAzureConfig and attached to an Azure
// value by Init.
type azureConfig struct {
	// attestedDocumentURL is the IMDS attested-document endpoint to query;
	// newAzureConfig sets it to azureAttestedDocumentURL.
	attestedDocumentURL string
}
// newAzureConfig returns an azureConfig whose attested-document endpoint is
// the default IMDS address (azureAttestedDocumentURL).
func newAzureConfig() *azureConfig {
	cfg := new(azureConfig)
	cfg.attestedDocumentURL = azureAttestedDocumentURL
	return cfg
}
// Azure is the provisioner that supports identity tokens created from the
// Microsoft Azure Instance Metadata service.
//
// If DisableCustomSANs is true, only the internal DNS and IP will be added as a
// SAN. By default it will accept any SAN in the CSR.
//
// If DisableTrustOnFirstUse is true, multiple sign requests for this provisioner
// with the same instance will be accepted. By default only the first request
// will be accepted.
//
// The unexported fields are populated by Init; a zero Azure value must not be
// used for authorization until Init has run (AuthorizeRenewal dereferences
// claimer).
type Azure struct {
	// Type is the configured provisioner type. Init only rejects an empty
	// value; it does not compare it against TypeAzure.
	Type string `json:"type"`
	// Name identifies this provisioner; GetID derives the unique ID from it.
	Name string `json:"name"`
	// DisableCustomSANs, when true, limits the SANs to the instance's internal
	// DNS and IP. When false (the default) any SAN in the CSR is accepted.
	DisableCustomSANs bool `json:"disableCustomSANs"`
	// DisableTrustOnFirstUse, when true, allows repeated sign requests from the
	// same instance. When false (the default) only the first is accepted.
	DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
	// Claims are the provisioner-specific claims; Init merges them with the
	// global claims from Config.
	Claims *Claims `json:"claims,omitempty"`
	// claimer is the merged claim set returned by NewClaimer in Init.
	claimer *Claimer
	// config holds the IMDS endpoint; set by Init via newAzureConfig.
	config *azureConfig
}
// GetID returns the provisioner unique identifier: the provisioner name
// prefixed with "azure:".
func (p *Azure) GetID() string {
	const prefix = "azure:"
	return prefix + p.Name
}
// GetTokenID returns the identifier of the token.
//
// Not implemented yet: token is ignored and an error is always returned, so
// callers that depend on a token ID fail closed until this is filled in.
func (p *Azure) GetTokenID(token string) (string, error) {
	var id string
	return id, errors.New("TODO")
}
// GetName returns the name of the provisioner (the Name field).
func (p *Azure) GetName() string {
	name := p.Name
	return name
}
// GetType returns the type of provisioner. It is always TypeAzure, independent
// of the configured Type string.
func (p *Azure) GetType() Type {
	var t Type = TypeAzure
	return t
}
// GetEncryptedKey is not available in an Azure provisioner: kid and key are
// always empty and ok is always false.
func (p *Azure) GetEncryptedKey() (kid string, key string, ok bool) {
	// The named results are already at their zero values.
	return
}
// Init validates and initializes the Azure provisioner.
//
// It rejects an empty Type or Name (Type is not compared against TypeAzure),
// merges the provisioner claims with the global ones from config into
// p.claimer, and installs the default azureConfig. An error from NewClaimer is
// returned as-is.
func (p *Azure) Init(config Config) (err error) {
	if p.Type == "" {
		return errors.New("provisioner type cannot be empty")
	}
	if p.Name == "" {
		return errors.New("provisioner name cannot be empty")
	}

	// Merge provisioner-level claims with the global ones.
	p.claimer, err = NewClaimer(p.Claims, config.Claims)
	if err != nil {
		return err
	}

	// Endpoint configuration (IMDS attested-document URL).
	p.config = newAzureConfig()
	return nil
}
// AuthorizeSign validates the given token and returns the sign options that
// will be used on certificate creation.
//
// Not implemented yet: token is not inspected and every request is rejected
// with an error, so the provisioner fails closed and issues nothing until the
// validation is written.
func (p *Azure) AuthorizeSign(token string) ([]SignOption, error) {
	var opts []SignOption
	return opts, errors.New("TODO")
}
// AuthorizeRenewal returns an error if the renewal is disabled.
//
// Only the merged claims (p.claimer, populated by Init) are consulted; cert
// itself is not inspected by this method.
func (p *Azure) AuthorizeRenewal(cert *x509.Certificate) error {
	if !p.claimer.IsDisableRenewal() {
		return nil
	}
	return errors.Errorf("renew is disabled for provisioner %s", p.GetID())
}
// AuthorizeRevoke returns an error because revoke is not supported on Azure
// provisioners. The token is not inspected.
func (p *Azure) AuthorizeRevoke(token string) error {
	const msg = "revoke is not supported on a Azure provisioner"
	return errors.New(msg)
}