smallstep-certificates/authority/provisioner/provisioner.go

539 lines
16 KiB
Go
Raw Normal View History

package provisioner
import (
"context"
"crypto/x509"
"encoding/json"
stderrors "errors"
"net/url"
"regexp"
"strings"
"github.com/pkg/errors"
"github.com/smallstep/certificates/db"
"github.com/smallstep/certificates/errs"
"golang.org/x/crypto/ssh"
)
// Interface is the interface that all provisioner types must implement.
type Interface interface {
GetID() string
2021-05-20 01:23:20 +00:00
GetIDForToken() string
GetTokenID(token string) (string, error)
GetName() string
GetType() Type
2019-03-05 22:52:26 +00:00
GetEncryptedKey() (kid string, key string, ok bool)
Init(config Config) error
AuthorizeSign(ctx context.Context, token string) ([]SignOption, error)
AuthorizeRevoke(ctx context.Context, token string) error
AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error)
AuthorizeSSHRevoke(ctx context.Context, token string) error
AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error)
AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)
}
// ErrAllowTokenReuse is an error that is returned by provisioners that allows
// the reuse of tokens.
//
2021-08-11 21:59:26 +00:00
// This is, for example, returned by the Azure provisioner when
// DisableTrustOnFirstUse is set to true. Azure caches tokens for up to 24hr and
// has no mechanism for getting a different token - this can be an issue when
// rebooting a VM. In contrast, AWS and GCP have facilities for requesting a new
// token. Therefore, for the Azure provisioner we are enabling token reuse, with
// the understanding that we are not following security best practices
var ErrAllowTokenReuse = stderrors.New("allow token reuse")
// Audiences stores all supported audiences by request type.
type Audiences struct {
Sign []string
Revoke []string
SSHSign []string
SSHRevoke []string
SSHRenew []string
SSHRekey []string
}
// All returns all supported audiences across all request types in one list.
func (a Audiences) All() (auds []string) {
auds = a.Sign
auds = append(auds, a.Revoke...)
auds = append(auds, a.SSHSign...)
auds = append(auds, a.SSHRevoke...)
auds = append(auds, a.SSHRenew...)
auds = append(auds, a.SSHRekey...)
return
}
// WithFragment returns a copy of audiences where the url audiences contains the
// given fragment.
func (a Audiences) WithFragment(fragment string) Audiences {
ret := Audiences{
Sign: make([]string, len(a.Sign)),
Revoke: make([]string, len(a.Revoke)),
SSHSign: make([]string, len(a.SSHSign)),
SSHRevoke: make([]string, len(a.SSHRevoke)),
SSHRenew: make([]string, len(a.SSHRenew)),
SSHRekey: make([]string, len(a.SSHRekey)),
}
for i, s := range a.Sign {
if u, err := url.Parse(s); err == nil {
ret.Sign[i] = u.ResolveReference(&url.URL{Fragment: fragment}).String()
} else {
ret.Sign[i] = s
}
}
for i, s := range a.Revoke {
if u, err := url.Parse(s); err == nil {
ret.Revoke[i] = u.ResolveReference(&url.URL{Fragment: fragment}).String()
} else {
ret.Revoke[i] = s
}
}
for i, s := range a.SSHSign {
if u, err := url.Parse(s); err == nil {
ret.SSHSign[i] = u.ResolveReference(&url.URL{Fragment: fragment}).String()
} else {
ret.SSHSign[i] = s
}
}
for i, s := range a.SSHRevoke {
if u, err := url.Parse(s); err == nil {
ret.SSHRevoke[i] = u.ResolveReference(&url.URL{Fragment: fragment}).String()
} else {
ret.SSHRevoke[i] = s
}
}
for i, s := range a.SSHRenew {
if u, err := url.Parse(s); err == nil {
ret.SSHRenew[i] = u.ResolveReference(&url.URL{Fragment: fragment}).String()
} else {
ret.SSHRenew[i] = s
}
}
for i, s := range a.SSHRekey {
if u, err := url.Parse(s); err == nil {
ret.SSHRekey[i] = u.ResolveReference(&url.URL{Fragment: fragment}).String()
} else {
ret.SSHRekey[i] = s
}
}
return ret
}
// generateSignAudience generates a sign audience with the format
2019-06-07 18:24:56 +00:00
// https://<host>/1.0/sign#provisionerID
func generateSignAudience(caURL, provisionerID string) (string, error) {
u, err := url.Parse(caURL)
if err != nil {
return "", errors.Wrapf(err, "error parsing %s", caURL)
}
return u.ResolveReference(&url.URL{Path: "/1.0/sign", Fragment: provisionerID}).String(), nil
}
// Type indicates the provisioner Type.
type Type int
const (
noopType Type = 0
// TypeJWK is used to indicate the JWK provisioners.
TypeJWK Type = 1
// TypeOIDC is used to indicate the OIDC provisioners.
TypeOIDC Type = 2
2019-04-18 00:28:21 +00:00
// TypeGCP is used to indicate the GCP provisioners.
TypeGCP Type = 3
2019-04-24 19:12:36 +00:00
// TypeAWS is used to indicate the AWS provisioners.
TypeAWS Type = 4
2019-04-24 21:26:37 +00:00
// TypeAzure is used to indicate the Azure provisioners.
TypeAzure Type = 5
2019-05-27 00:41:10 +00:00
// TypeACME is used to indicate the ACME provisioners.
TypeACME Type = 6
2019-09-05 01:31:09 +00:00
// TypeX5C is used to indicate the X5C provisioners.
TypeX5C Type = 7
// TypeK8sSA is used to indicate the X5C provisioners.
TypeK8sSA Type = 8
2019-10-27 00:40:43 +00:00
// TypeSSHPOP is used to indicate the SSHPOP provisioners.
TypeSSHPOP Type = 9
// TypeSCEP is used to indicate the SCEP provisioners
TypeSCEP Type = 10
)
// String returns the string representation of the type.
func (t Type) String() string {
switch t {
case TypeJWK:
return "JWK"
case TypeOIDC:
return "OIDC"
case TypeGCP:
return "GCP"
case TypeAWS:
return "AWS"
case TypeAzure:
return "Azure"
2019-05-27 00:41:10 +00:00
case TypeACME:
return "ACME"
2019-09-05 01:31:09 +00:00
case TypeX5C:
return "X5C"
case TypeK8sSA:
return "K8sSA"
2019-10-27 00:40:43 +00:00
case TypeSSHPOP:
return "SSHPOP"
case TypeSCEP:
return "SCEP"
default:
return ""
}
}
// SSHKeys represents the SSH User and Host public keys.
type SSHKeys struct {
UserKeys []ssh.PublicKey
HostKeys []ssh.PublicKey
}
// Config defines the default parameters used in the initialization of
// provisioners.
type Config struct {
// Claims are the default claims.
Claims Claims
// Audiences are the audiences used in the default provisioner, (JWK).
Audiences Audiences
// DB is the interface to the authority DB client.
DB db.AuthDB
// SSHKeys are the root SSH public keys
SSHKeys *SSHKeys
// GetIdentityFunc is a function that returns an identity that will be
// used by the provisioner to populate certificate attributes.
GetIdentityFunc GetIdentityFunc
}
type provisioner struct {
Type string `json:"type"`
}
2019-03-07 21:07:39 +00:00
// List represents a list of provisioners.
type List []Interface
// UnmarshalJSON implements json.Unmarshaler and allows to unmarshal a list of a
// interfaces into the right type.
func (l *List) UnmarshalJSON(data []byte) error {
ps := []json.RawMessage{}
if err := json.Unmarshal(data, &ps); err != nil {
return errors.Wrap(err, "error unmarshaling provisioner list")
}
2019-03-05 22:28:32 +00:00
*l = List{}
2019-03-07 21:07:39 +00:00
for _, data := range ps {
var typ provisioner
if err := json.Unmarshal(data, &typ); err != nil {
return errors.Errorf("error unmarshaling provisioner")
}
var p Interface
switch strings.ToLower(typ.Type) {
case "jwk":
p = &JWK{}
case "oidc":
p = &OIDC{}
2019-04-18 00:28:21 +00:00
case "gcp":
p = &GCP{}
2019-04-24 19:12:36 +00:00
case "aws":
p = &AWS{}
case "azure":
p = &Azure{}
2019-05-27 00:41:10 +00:00
case "acme":
p = &ACME{}
2019-09-05 01:31:09 +00:00
case "x5c":
p = &X5C{}
case "k8ssa":
p = &K8sSA{}
2019-10-27 00:40:43 +00:00
case "sshpop":
p = &SSHPOP{}
case "scep":
p = &SCEP{}
2019-03-07 21:07:39 +00:00
default:
2019-08-29 00:28:03 +00:00
// Skip unsupported provisioners. A client using this method may be
// compiled with a version of smallstep/certificates that does not
// support a specific provisioner type. If we don't skip unknown
// provisioners, a client encountering an unknown provisioner will
// break. Rather than break the client, we skip the provisioner.
// TODO: accept a pluggable logger (depending on client) that can
2019-08-29 00:28:03 +00:00
// warn the user that an unknown provisioner was found and suggest
// that the user update their client's dependency on
// step/certificates and recompile.
2019-08-28 11:15:38 +00:00
continue
2019-03-07 21:07:39 +00:00
}
if err := json.Unmarshal(data, p); err != nil {
2020-07-09 02:02:35 +00:00
return errors.Wrap(err, "error unmarshaling provisioner")
2019-03-07 21:07:39 +00:00
}
*l = append(*l, p)
}
return nil
}
var sshUserRegex = regexp.MustCompile("^[a-z][-a-z0-9_]*$")
// SanitizeSSHUserPrincipal grabs an email or a string with the format
// local@domain and returns a sanitized version of the local, valid to be used
// as a user name. If the email starts with a letter between a and z, the
// resulting string will match the regular expression `^[a-z][-a-z0-9_]*$`.
func SanitizeSSHUserPrincipal(email string) string {
if i := strings.LastIndex(email, "@"); i >= 0 {
email = email[:i]
}
return strings.Map(func(r rune) rune {
switch {
case r >= 'a' && r <= 'z':
return r
case r >= '0' && r <= '9':
return r
case r == '-':
return '-'
case r == '.': // drop dots
return -1
default:
return '_'
}
}, strings.ToLower(email))
}
2019-05-27 00:41:10 +00:00
2020-07-09 02:02:35 +00:00
type base struct{}
2020-02-27 18:48:16 +00:00
// AuthorizeSign returns an unimplemented error. Provisioners should overwrite
// this method if they will support authorizing tokens for signing x509 Certificates.
func (b *base) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
2020-01-24 06:04:34 +00:00
return nil, errs.Unauthorized("provisioner.AuthorizeSign not implemented")
}
2020-02-27 18:48:16 +00:00
// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
// this method if they will support authorizing tokens for revoking x509 Certificates.
func (b *base) AuthorizeRevoke(ctx context.Context, token string) error {
2020-01-24 06:04:34 +00:00
return errs.Unauthorized("provisioner.AuthorizeRevoke not implemented")
}
2020-02-27 18:48:16 +00:00
// AuthorizeRenew returns an unimplemented error. Provisioners should overwrite
// this method if they will support authorizing tokens for renewing x509 Certificates.
func (b *base) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
2020-01-24 06:04:34 +00:00
return errs.Unauthorized("provisioner.AuthorizeRenew not implemented")
}
2020-02-27 18:48:16 +00:00
// AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite
// this method if they will support authorizing tokens for signing SSH Certificates.
func (b *base) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
2020-01-24 06:04:34 +00:00
return nil, errs.Unauthorized("provisioner.AuthorizeSSHSign not implemented")
}
2020-02-27 18:48:16 +00:00
// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
// this method if they will support authorizing tokens for revoking SSH Certificates.
func (b *base) AuthorizeSSHRevoke(ctx context.Context, token string) error {
2020-01-24 06:04:34 +00:00
return errs.Unauthorized("provisioner.AuthorizeSSHRevoke not implemented")
}
2020-02-27 18:48:16 +00:00
// AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite
// this method if they will support authorizing tokens for renewing SSH Certificates.
func (b *base) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
2020-01-24 06:04:34 +00:00
return nil, errs.Unauthorized("provisioner.AuthorizeSSHRenew not implemented")
}
2020-02-27 18:48:16 +00:00
// AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite
// this method if they will support authorizing tokens for rekeying SSH Certificates.
func (b *base) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
2020-01-24 06:04:34 +00:00
return nil, nil, errs.Unauthorized("provisioner.AuthorizeSSHRekey not implemented")
}
// Identity is the type representing an externally supplied identity that is used
// by provisioners to populate certificate fields.
type Identity struct {
Usernames []string `json:"usernames"`
Permissions `json:"permissions"`
}
// Permissions defines extra extensions and critical options to grant to an SSH certificate.
type Permissions struct {
Extensions map[string]string `json:"extensions"`
CriticalOptions map[string]string `json:"criticalOptions"`
}
// GetIdentityFunc is a function that returns an identity.
type GetIdentityFunc func(ctx context.Context, p Interface, email string) (*Identity, error)
// DefaultIdentityFunc return a default identity depending on the provisioner
// type. For OIDC email is always present and the usernames might
// contain empty strings.
func DefaultIdentityFunc(ctx context.Context, p Interface, email string) (*Identity, error) {
switch k := p.(type) {
case *OIDC:
// OIDC principals would be:
// ~~1. Preferred usernames.~~ Note: Under discussion, currently disabled
// 2. Sanitized local.
// 3. Raw local (if different).
// 4. Email address.
name := SanitizeSSHUserPrincipal(email)
if !sshUserRegex.MatchString(name) {
return nil, errors.Errorf("invalid principal '%s' from email '%s'", name, email)
}
usernames := []string{name}
if i := strings.LastIndex(email, "@"); i >= 0 {
usernames = append(usernames, email[:i])
}
usernames = append(usernames, email)
return &Identity{
Usernames: SanitizeStringSlices(usernames),
}, nil
default:
return nil, errors.Errorf("provisioner type '%T' not supported by identity function", k)
}
}
// SanitizeStringSlices removes duplicated an empty strings.
2021-04-30 00:41:06 +00:00
func SanitizeStringSlices(original []string) []string {
output := []string{}
seen := make(map[string]struct{})
2021-04-30 00:41:06 +00:00
for _, entry := range original {
if entry == "" {
continue
}
if _, value := seen[entry]; !value {
seen[entry] = struct{}{}
2021-04-30 00:41:06 +00:00
output = append(output, entry)
}
}
return output
}
2019-05-27 00:41:10 +00:00
// MockProvisioner for testing
type MockProvisioner struct {
Mret1, Mret2, Mret3 interface{}
Merr error
MgetID func() string
2021-05-20 01:23:20 +00:00
MgetIDForToken func() string
2019-05-27 00:41:10 +00:00
MgetTokenID func(string) (string, error)
MgetName func() string
MgetType func() Type
MgetEncryptedKey func() (string, string, bool)
Minit func(Config) error
MauthorizeSign func(ctx context.Context, ott string) ([]SignOption, error)
MauthorizeRenew func(ctx context.Context, cert *x509.Certificate) error
MauthorizeRevoke func(ctx context.Context, ott string) error
MauthorizeSSHSign func(ctx context.Context, ott string) ([]SignOption, error)
MauthorizeSSHRenew func(ctx context.Context, ott string) (*ssh.Certificate, error)
MauthorizeSSHRekey func(ctx context.Context, ott string) (*ssh.Certificate, []SignOption, error)
MauthorizeSSHRevoke func(ctx context.Context, ott string) error
2019-05-27 00:41:10 +00:00
}
// GetID mock
func (m *MockProvisioner) GetID() string {
if m.MgetID != nil {
return m.MgetID()
}
return m.Mret1.(string)
}
2021-05-20 01:23:20 +00:00
// GetIDForToken mock
func (m *MockProvisioner) GetIDForToken() string {
if m.MgetIDForToken != nil {
return m.MgetIDForToken()
}
return m.Mret1.(string)
}
2019-05-27 00:41:10 +00:00
// GetTokenID mock
func (m *MockProvisioner) GetTokenID(token string) (string, error) {
if m.MgetTokenID != nil {
return m.MgetTokenID(token)
}
if m.Mret1 == nil {
return "", m.Merr
}
return m.Mret1.(string), m.Merr
}
// GetName mock
func (m *MockProvisioner) GetName() string {
if m.MgetName != nil {
return m.MgetName()
}
return m.Mret1.(string)
}
// GetType mock
func (m *MockProvisioner) GetType() Type {
if m.MgetType != nil {
return m.MgetType()
}
return m.Mret1.(Type)
}
// GetEncryptedKey mock
func (m *MockProvisioner) GetEncryptedKey() (string, string, bool) {
if m.MgetEncryptedKey != nil {
return m.MgetEncryptedKey()
}
return m.Mret1.(string), m.Mret2.(string), m.Mret3.(bool)
}
// Init mock
func (m *MockProvisioner) Init(c Config) error {
if m.Minit != nil {
return m.Minit(c)
}
return m.Merr
}
// AuthorizeSign mock
func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]SignOption, error) {
if m.MauthorizeSign != nil {
return m.MauthorizeSign(ctx, ott)
}
return m.Mret1.([]SignOption), m.Merr
}
2019-05-27 00:41:10 +00:00
// AuthorizeRevoke mock
func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, ott string) error {
2019-05-27 00:41:10 +00:00
if m.MauthorizeRevoke != nil {
return m.MauthorizeRevoke(ctx, ott)
2019-05-27 00:41:10 +00:00
}
return m.Merr
}
// AuthorizeRenew mock
func (m *MockProvisioner) AuthorizeRenew(ctx context.Context, c *x509.Certificate) error {
if m.MauthorizeRenew != nil {
return m.MauthorizeRenew(ctx, c)
}
return m.Merr
}
// AuthorizeSSHSign mock
func (m *MockProvisioner) AuthorizeSSHSign(ctx context.Context, ott string) ([]SignOption, error) {
2019-05-27 00:41:10 +00:00
if m.MauthorizeSign != nil {
return m.MauthorizeSign(ctx, ott)
}
return m.Mret1.([]SignOption), m.Merr
}
// AuthorizeSSHRenew mock
func (m *MockProvisioner) AuthorizeSSHRenew(ctx context.Context, ott string) (*ssh.Certificate, error) {
if m.MauthorizeRenew != nil {
return m.MauthorizeSSHRenew(ctx, ott)
}
return m.Mret1.(*ssh.Certificate), m.Merr
}
// AuthorizeSSHRekey mock
func (m *MockProvisioner) AuthorizeSSHRekey(ctx context.Context, ott string) (*ssh.Certificate, []SignOption, error) {
if m.MauthorizeSSHRekey != nil {
return m.MauthorizeSSHRekey(ctx, ott)
}
return m.Mret1.(*ssh.Certificate), m.Mret2.([]SignOption), m.Merr
}
// AuthorizeSSHRevoke mock
func (m *MockProvisioner) AuthorizeSSHRevoke(ctx context.Context, ott string) error {
if m.MauthorizeSSHRevoke != nil {
return m.MauthorizeSSHRevoke(ctx, ott)
2019-05-27 00:41:10 +00:00
}
return m.Merr
}