Archives/smallstep-certificates
2
0
Fork 0
mirror of https://github.com/smallstep/certificates.git synced 2024-10-31 03:20:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
a258ea3e2d
smallstep-certificates/authority/provisioners.go

1284 lines
39 KiB
Go
Raw Normal View History

first commit
2018-10-05 21:48:36 +00:00
package authority
import (
Do not add extra new lines when creating nebula provisioners
2022-01-07 19:24:59 +00:00
"bytes"
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
"context"
Add /revoke API with interface db backend
2019-03-05 08:07:13 +00:00
"crypto/x509"
wip
2021-05-26 04:13:01 +00:00
"encoding/json"
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
"encoding/pem"
wip
2021-05-26 04:13:01 +00:00
"fmt"
Pin golangci-lint to v1.43.0 and fix issues
2021-11-12 23:46:34 +00:00
"os"
first commit
2018-10-05 21:48:36 +00:00
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
"github.com/pkg/errors"
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
"gopkg.in/square/go-jose.v2/jwt"
"go.step.sm/cli-utils/step"
"go.step.sm/cli-utils/ui"
"go.step.sm/crypto/jose"
"go.step.sm/linkedca"
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
"github.com/smallstep/certificates/authority/admin"
"github.com/smallstep/certificates/authority/config"
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
"github.com/smallstep/certificates/authority/policy"
Use provisioner.Collection to store and request the provisioners.
2019-03-06 23:00:23 +00:00
"github.com/smallstep/certificates/authority/provisioner"
Load provisioner from the database instead of the extension.
2022-04-06 02:25:47 +00:00
"github.com/smallstep/certificates/db"
Simplify statuscoder error generators.
2020-01-24 06:04:34 +00:00
"github.com/smallstep/certificates/errs"
first commit
2018-10-05 21:48:36 +00:00
)
// GetEncryptedKey returns the JWE key corresponding to the given kid argument.
func (a *Authority) GetEncryptedKey(kid string) (string, error) {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
a.adminMutex.RLock()
defer a.adminMutex.RUnlock()
Use provisioner.Collection to store and request the provisioners.
2019-03-06 23:00:23 +00:00
key, ok := a.provisioners.LoadEncryptedKey(kid)
first commit
2018-10-05 21:48:36 +00:00
if !ok {
Simplify statuscoder error generators.
2020-01-24 06:04:34 +00:00
return "", errs.NotFound("encrypted key with kid %s was not found", kid)
first commit
2018-10-05 21:48:36 +00:00
}
return key, nil
}
// GetProvisioners returns a map listing each provisioner and the JWK Key Set
// with their public keys.
Remove provisioner intermediate type.
2019-03-07 21:07:39 +00:00
func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error) {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
a.adminMutex.RLock()
defer a.adminMutex.RUnlock()
Use provisioner.Collection to store and request the provisioners.
2019-03-06 23:00:23 +00:00
provisioners, nextCursor := a.provisioners.Find(cursor, limit)
Add support for cursors in the api.
2018-10-26 01:53:13 +00:00
return provisioners, nextCursor, nil
first commit
2018-10-05 21:48:36 +00:00
}
Add /revoke API with interface db backend
2019-03-05 08:07:13 +00:00
// LoadProvisionerByCertificate returns an interface to the provisioner that
// provisioned the certificate.
func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error) {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
a.adminMutex.RLock()
defer a.adminMutex.RUnlock()
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
if p, err := a.unsafeLoadProvisionerFromDatabase(crt); err == nil {
Load provisioner from the database instead of the extension.
2022-04-06 02:25:47 +00:00
return p, nil
}
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
return a.unsafeLoadProvisionerFromExtension(crt)
}
Load provisioner from the database instead of the extension.
2022-04-06 02:25:47 +00:00
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
func (a *Authority) unsafeLoadProvisionerFromExtension(crt *x509.Certificate) (provisioner.Interface, error) {
Add /revoke API with interface db backend
2019-03-05 08:07:13 +00:00
p, ok := a.provisioners.LoadByCertificate(crt)
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
if !ok || p.GetType() == 0 {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return nil, admin.NewError(admin.ErrorNotFoundType, "unable to load provisioner from certificate")
}
return p, nil
}
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
func (a *Authority) unsafeLoadProvisionerFromDatabase(crt *x509.Certificate) (provisioner.Interface, error) {
Apply suggestions from code review Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2022-04-12 21:44:55 +00:00
// certificateDataGetter is an interface that can be used to retrieve the
Refactor admin token to use with RAs.
2022-04-08 01:14:43 +00:00
// provisioner from a db or a linked ca.
type certificateDataGetter interface {
Load provisioner from the database instead of the extension.
2022-04-06 02:25:47 +00:00
GetCertificateData(string) (*db.CertificateData, error)
Refactor admin token to use with RAs.
2022-04-08 01:14:43 +00:00
}
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
var err error
var data *db.CertificateData
if cdg, ok := a.adminDB.(certificateDataGetter); ok {
data, err = cdg.GetCertificateData(crt.SerialNumber.String())
} else if cdg, ok := a.db.(certificateDataGetter); ok {
data, err = cdg.GetCertificateData(crt.SerialNumber.String())
Refactor admin token to use with RAs.
2022-04-08 01:14:43 +00:00
}
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
if err == nil && data != nil && data.Provisioner != nil {
if p, ok := a.provisioners.Load(data.Provisioner.ID); ok {
return p, nil
Load provisioner from the database instead of the extension.
2022-04-06 02:25:47 +00:00
}
}
Add tests for LoadProvisionerByCertificate.
2022-04-08 20:06:29 +00:00
return nil, admin.NewError(admin.ErrorNotFoundType, "unable to load provisioner from certificate")
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
}
// LoadProvisionerByToken returns an interface to the provisioner that
// provisioned the token.
func (a *Authority) LoadProvisionerByToken(token *jwt.JSONWebToken, claims *jwt.Claims) (provisioner.Interface, error) {
a.adminMutex.RLock()
defer a.adminMutex.RUnlock()
p, ok := a.provisioners.LoadByToken(token, claims)
if !ok {
return nil, admin.NewError(admin.ErrorNotFoundType, "unable to load provisioner from token")
Add /revoke API with interface db backend
2019-03-05 08:07:13 +00:00
}
return p, nil
}
Add ACME CA capabilities
2019-05-27 00:41:10 +00:00
// LoadProvisionerByID returns an interface to the provisioner with the given ID.
func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error) {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
a.adminMutex.RLock()
defer a.adminMutex.RUnlock()
Add ACME CA capabilities
2019-05-27 00:41:10 +00:00
p, ok := a.provisioners.Load(id)
if !ok {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return nil, admin.NewError(admin.ErrorNotFoundType, "provisioner %s not found", id)
Add ACME CA capabilities
2019-05-27 00:41:10 +00:00
}
return p, nil
}
wip
2021-05-26 04:13:01 +00:00
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
// LoadProvisionerByName returns an interface to the provisioner with the given Name.
func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error) {
a.adminMutex.RLock()
defer a.adminMutex.RUnlock()
p, ok := a.provisioners.LoadByName(name)
if !ok {
return nil, admin.NewError(admin.ErrorNotFoundType, "provisioner %s not found", name)
}
return p, nil
}
change return value of generateProvisionerConfig to value - always used as value (rather than pointer)
2022-02-28 19:04:40 +00:00
func (a *Authority) generateProvisionerConfig(ctx context.Context) (provisioner.Config, error) {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
// Merge global and configuration claims
claimer, err := provisioner.NewClaimer(a.config.AuthorityConfig.Claims, config.GlobalProvisionerClaims)
if err != nil {
change return value of generateProvisionerConfig to value - always used as value (rather than pointer)
2022-02-28 19:04:40 +00:00
return provisioner.Config{}, err
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
}
// TODO: should we also be combining the ssh federated roots here?
// If we rotate ssh roots keys, sshpop provisioner will lose ability to
// validate old SSH certificates, unless they are added as federated certs.
sshKeys, err := a.GetSSHRoots(ctx)
if err != nil {
change return value of generateProvisionerConfig to value - always used as value (rather than pointer)
2022-02-28 19:04:40 +00:00
return provisioner.Config{}, err
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
}
change return value of generateProvisionerConfig to value - always used as value (rather than pointer)
2022-02-28 19:04:40 +00:00
return provisioner.Config{
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
Claims: claimer.Claims(),
Audiences: a.config.GetAudiences(),
SSHKeys: &provisioner.SSHKeys{
UserKeys: sshKeys.UserKeys,
HostKeys: sshKeys.HostKeys,
wip
2021-05-26 04:13:01 +00:00
},
Add options to use custom renewal methods.
2022-03-10 21:01:08 +00:00
GetIdentityFunc: a.getIdentityFunc,
AuthorizeRenewFunc: a.authorizeRenewFunc,
AuthorizeSSHRenewFunc: a.authorizeSSHRenewFunc,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
WebhookClient: a.webhookClient,
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
}, nil
}
exposing authority configuration for provisioner cli commands
2022-04-25 17:23:07 +00:00
// StoreProvisioner stores a provisioner to the authority.
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
func (a *Authority) StoreProvisioner(ctx context.Context, prov *linkedca.Provisioner) error {
a.adminMutex.Lock()
defer a.adminMutex.Unlock()
certProv, err := ProvisionerToCertificates(prov)
if err != nil {
return admin.WrapErrorISE(err,
"error converting to certificates provisioner from linkedca provisioner")
}
if _, ok := a.provisioners.LoadByName(prov.GetName()); ok {
return admin.NewError(admin.ErrorBadRequestType,
"provisioner with name %s already exists", prov.GetName())
}
if _, ok := a.provisioners.LoadByTokenID(certProv.GetIDForToken()); ok {
return admin.NewError(admin.ErrorBadRequestType,
"provisioner with token ID %s already exists", certProv.GetIDForToken())
}
Validate provisioner configuration before storing in DB
2022-02-28 18:48:01 +00:00
provisionerConfig, err := a.generateProvisionerConfig(ctx)
if err != nil {
return admin.WrapErrorISE(err, "error generating provisioner config")
}
Fix check for admin not belonging to policy
2022-05-12 14:33:32 +00:00
if err := a.checkProvisionerPolicy(ctx, prov.Name, prov.Policy); err != nil {
Improve how policy errors are returned and used
2022-04-04 11:58:16 +00:00
return err
}
change return value of generateProvisionerConfig to value - always used as value (rather than pointer)
2022-02-28 19:04:40 +00:00
if err := certProv.Init(provisionerConfig); err != nil {
Validate provisioner configuration before storing in DB
2022-02-28 18:48:01 +00:00
return admin.WrapError(admin.ErrorBadRequestType, err, "error validating configuration for provisioner %s", prov.Name)
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
// Store to database -- this will set the ID.
if err := a.adminDB.CreateProvisioner(ctx, prov); err != nil {
Validate provisioner configuration before storing in DB
2022-02-28 18:48:01 +00:00
return admin.WrapErrorISE(err, "error creating provisioner")
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
}
// We need a new conversion that has the newly set ID.
certProv, err = ProvisionerToCertificates(prov)
if err != nil {
return admin.WrapErrorISE(err,
"error converting to certificates provisioner from linkedca provisioner")
}
change return value of generateProvisionerConfig to value - always used as value (rather than pointer)
2022-02-28 19:04:40 +00:00
if err := certProv.Init(provisionerConfig); err != nil {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return admin.WrapErrorISE(err, "error initializing provisioner %s", prov.Name)
}
if err := a.provisioners.Store(certProv); err != nil {
exposing authority configuration for provisioner cli commands
2022-04-25 17:23:07 +00:00
if err := a.ReloadAdminResources(ctx); err != nil {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return admin.WrapErrorISE(err, "error reloading admin resources on failed provisioner store")
}
return admin.WrapErrorISE(err, "error storing provisioner in authority cache")
}
return nil
}
// UpdateProvisioner stores an provisioner.Interface to the authority.
func (a *Authority) UpdateProvisioner(ctx context.Context, nu *linkedca.Provisioner) error {
a.adminMutex.Lock()
defer a.adminMutex.Unlock()
certProv, err := ProvisionerToCertificates(nu)
if err != nil {
return admin.WrapErrorISE(err,
"error converting to certificates provisioner from linkedca provisioner")
}
provisionerConfig, err := a.generateProvisionerConfig(ctx)
if err != nil {
return admin.WrapErrorISE(err, "error generating provisioner config")
}
Fix check for admin not belonging to policy
2022-05-12 14:33:32 +00:00
if err := a.checkProvisionerPolicy(ctx, nu.Name, nu.Policy); err != nil {
Improve how policy errors are returned and used
2022-04-04 11:58:16 +00:00
return err
}
change return value of generateProvisionerConfig to value - always used as value (rather than pointer)
2022-02-28 19:04:40 +00:00
if err := certProv.Init(provisionerConfig); err != nil {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return admin.WrapErrorISE(err, "error initializing provisioner %s", nu.Name)
}
if err := a.provisioners.Update(certProv); err != nil {
return admin.WrapErrorISE(err, "error updating provisioner '%s' in authority cache", nu.Name)
}
if err := a.adminDB.UpdateProvisioner(ctx, nu); err != nil {
exposing authority configuration for provisioner cli commands
2022-04-25 17:23:07 +00:00
if err := a.ReloadAdminResources(ctx); err != nil {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return admin.WrapErrorISE(err, "error reloading admin resources on failed provisioner update")
}
return admin.WrapErrorISE(err, "error updating provisioner '%s'", nu.Name)
}
return nil
}
// RemoveProvisioner removes an provisioner.Interface from the authority.
func (a *Authority) RemoveProvisioner(ctx context.Context, id string) error {
a.adminMutex.Lock()
defer a.adminMutex.Unlock()
p, ok := a.provisioners.Load(id)
if !ok {
return admin.NewError(admin.ErrorBadRequestType,
"provisioner %s not found", id)
}
provName, provID := p.GetName(), p.GetID()
Couple changes in response to PR - add skipInit option to skip authority initialization - check admin API status when removing provisioners - no need to check admins when not using Admin API
2022-05-12 00:04:43 +00:00
if a.IsAdminAPIEnabled() {
// Validate
// - Check that there will be SUPER_ADMINs that remain after we
// remove this provisioner.
if a.IsAdminAPIEnabled() && a.admins.SuperCount() == a.admins.SuperCountByProvisioner(provName) {
return admin.NewError(admin.ErrorBadRequestType,
"cannot remove provisioner %s because no super admins will remain", provName)
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
Couple changes in response to PR - add skipInit option to skip authority initialization - check admin API status when removing provisioners - no need to check admins when not using Admin API
2022-05-12 00:04:43 +00:00
// Delete all admins associated with the provisioner.
admins, ok := a.admins.LoadByProvisioner(provName)
if ok {
for _, adm := range admins {
if err := a.removeAdmin(ctx, adm.Id); err != nil {
return admin.WrapErrorISE(err, "error deleting admin %s, as part of provisioner %s deletion", adm.Subject, provName)
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
}
}
}
// Remove provisioner from authority caches.
if err := a.provisioners.Remove(provID); err != nil {
Couple changes in response to PR - add skipInit option to skip authority initialization - check admin API status when removing provisioners - no need to check admins when not using Admin API
2022-05-12 00:04:43 +00:00
return admin.WrapErrorISE(err, "error removing provisioner from authority cache")
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
}
// Remove provisioner from database.
if err := a.adminDB.DeleteProvisioner(ctx, provID); err != nil {
exposing authority configuration for provisioner cli commands
2022-04-25 17:23:07 +00:00
if err := a.ReloadAdminResources(ctx); err != nil {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return admin.WrapErrorISE(err, "error reloading admin resources on failed provisioner remove")
}
return admin.WrapErrorISE(err, "error deleting provisioner %s", provName)
}
return nil
}
Merge branch 'master' into max/context
2021-11-17 19:40:01 +00:00
// CreateFirstProvisioner creates and stores the first provisioner when using
// admin database provisioner storage.
Fix linter error importShadow
2022-04-08 01:33:13 +00:00
func CreateFirstProvisioner(ctx context.Context, adminDB admin.DB, password string) (*linkedca.Provisioner, error) {
Ask for the first provisioner password if none is provided.
2021-08-11 00:30:33 +00:00
if password == "" {
pass, err := ui.PromptPasswordGenerate("Please enter the password to encrypt your first provisioner, leave empty and we'll generate one")
if err != nil {
return nil, err
}
password = string(pass)
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
jwk, jwe, err := jose.GenerateDefaultKeyPair([]byte(password))
if err != nil {
return nil, admin.WrapErrorISE(err, "error generating JWK key pair")
}
jwkPubBytes, err := jwk.MarshalJSON()
if err != nil {
return nil, admin.WrapErrorISE(err, "error marshaling JWK")
}
jwePrivStr, err := jwe.CompactSerialize()
if err != nil {
return nil, admin.WrapErrorISE(err, "error serializing JWE")
}
p := &linkedca.Provisioner{
Name: "Admin JWK",
Type: linkedca.Provisioner_JWK,
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_JWK{
JWK: &linkedca.JWKProvisioner{
PublicKey: jwkPubBytes,
EncryptedPrivateKey: []byte(jwePrivStr),
},
},
},
Claims: &linkedca.Claims{
X509: &linkedca.X509Claims{
Enabled: true,
Durations: &linkedca.Durations{
Default: "5m",
},
},
wip
2021-05-26 04:13:01 +00:00
},
}
Fix linter error importShadow
2022-04-08 01:33:13 +00:00
if err := adminDB.CreateProvisioner(ctx, p); err != nil {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return nil, admin.WrapErrorISE(err, "error creating provisioner")
}
return p, nil
}
Merge branch 'master' into max/context
2021-11-17 19:40:01 +00:00
// ValidateClaims validates the Claims type.
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
func ValidateClaims(c *linkedca.Claims) error {
if c == nil {
return nil
}
if c.X509 != nil {
if c.X509.Durations != nil {
if err := ValidateDurations(c.X509.Durations); err != nil {
return err
}
}
}
if c.Ssh != nil {
if c.Ssh.UserDurations != nil {
if err := ValidateDurations(c.Ssh.UserDurations); err != nil {
return err
}
}
if c.Ssh.HostDurations != nil {
if err := ValidateDurations(c.Ssh.HostDurations); err != nil {
return err
}
}
}
return nil
}
Merge branch 'master' into max/context
2021-11-17 19:40:01 +00:00
// ValidateDurations validates the Durations type.
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
func ValidateDurations(d *linkedca.Durations) error {
var (
err error
min, max, def *provisioner.Duration
)
if d.Min != "" {
min, err = provisioner.NewDuration(d.Min)
if err != nil {
return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' is invalid", d.Min)
}
if min.Value() < 0 {
return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' cannot be less than 0", d.Min)
}
}
if d.Max != "" {
max, err = provisioner.NewDuration(d.Max)
if err != nil {
return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' is invalid", d.Max)
}
if max.Value() < 0 {
return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' cannot be less than 0", d.Max)
}
}
if d.Default != "" {
def, err = provisioner.NewDuration(d.Default)
if err != nil {
return admin.WrapError(admin.ErrorBadRequestType, err, "default duration '%s' is invalid", d.Default)
}
if def.Value() < 0 {
return admin.WrapError(admin.ErrorBadRequestType, err, "default duration '%s' cannot be less than 0", d.Default)
}
}
if d.Min != "" && d.Max != "" && min.Value() > max.Value() {
return admin.NewError(admin.ErrorBadRequestType,
"min duration '%s' cannot be greater than max duration '%s'", d.Min, d.Max)
}
if d.Min != "" && d.Default != "" && min.Value() > def.Value() {
return admin.NewError(admin.ErrorBadRequestType,
"min duration '%s' cannot be greater than default duration '%s'", d.Min, d.Default)
}
if d.Default != "" && d.Max != "" && min.Value() > def.Value() {
return admin.NewError(admin.ErrorBadRequestType,
"default duration '%s' cannot be greater than max duration '%s'", d.Default, d.Max)
}
return nil
wip
2021-05-26 04:13:01 +00:00
}
func provisionerListToCertificates(l []*linkedca.Provisioner) (provisioner.List, error) {
var nu provisioner.List
for _, p := range l {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
certProv, err := ProvisionerToCertificates(p)
wip
2021-05-26 04:13:01 +00:00
if err != nil {
return nil, err
}
nu = append(nu, certProv)
}
return nu, nil
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
func optionsToCertificates(p *linkedca.Provisioner) *provisioner.Options {
ops := &provisioner.Options{
X509: &provisioner.X509Options{},
SSH: &provisioner.SSHOptions{},
}
if p.X509Template != nil {
ops.X509.Template = string(p.X509Template.Template)
ops.X509.TemplateData = p.X509Template.Data
}
if p.SshTemplate != nil {
ops.SSH.Template = string(p.SshTemplate.Template)
ops.SSH.TemplateData = p.SshTemplate.Data
}
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
if pol := p.GetPolicy(); pol != nil {
if x := pol.GetX509(); x != nil {
if allow := x.GetAllow(); allow != nil {
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
ops.X509.AllowedNames = &policy.X509NameOptions{
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
DNSDomains: allow.Dns,
IPRanges: allow.Ips,
EmailAddresses: allow.Emails,
URIDomains: allow.Uris,
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
}
}
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
if deny := x.GetDeny(); deny != nil {
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
ops.X509.DeniedNames = &policy.X509NameOptions{
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
DNSDomains: deny.Dns,
IPRanges: deny.Ips,
EmailAddresses: deny.Emails,
URIDomains: deny.Uris,
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
}
}
}
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
if ssh := pol.GetSsh(); ssh != nil {
if host := ssh.GetHost(); host != nil {
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
ops.SSH.Host = &policy.SSHHostCertificateOptions{}
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
if allow := host.GetAllow(); allow != nil {
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
ops.SSH.Host.AllowedNames = &policy.SSHNameOptions{
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
DNSDomains: allow.Dns,
IPRanges: allow.Ips,
Principals: allow.Principals,
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
}
}
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
if deny := host.GetDeny(); deny != nil {
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
ops.SSH.Host.DeniedNames = &policy.SSHNameOptions{
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
DNSDomains: deny.Dns,
IPRanges: deny.Ips,
Principals: deny.Principals,
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
}
}
}
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
if user := ssh.GetUser(); user != nil {
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
ops.SSH.User = &policy.SSHUserCertificateOptions{}
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
if allow := user.GetAllow(); allow != nil {
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
ops.SSH.User.AllowedNames = &policy.SSHNameOptions{
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
EmailAddresses: allow.Emails,
Principals: allow.Principals,
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
}
}
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
if deny := user.GetDeny(); deny != nil {
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
ops.SSH.User.DeniedNames = &policy.SSHNameOptions{
Fix (part of) PR comments
2022-04-21 10:14:03 +00:00
EmailAddresses: deny.Emails,
Principals: deny.Principals,
Add API implementation for authority and provisioner policy
2022-03-15 14:51:45 +00:00
}
}
}
}
}
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
for _, wh := range p.Webhooks {
whCert := webhookToCertificates(wh)
ops.Webhooks = append(ops.Webhooks, whCert)
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return ops
}
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
func webhookToCertificates(wh *linkedca.Webhook) *provisioner.Webhook {
pwh := &provisioner.Webhook{
ID: wh.Id,
Name: wh.Name,
URL: wh.Url,
Kind: wh.Kind.String(),
Secret: wh.Secret,
DisableTLSClientAuth: wh.DisableTlsClientAuth,
CertType: wh.CertType.String(),
}
switch a := wh.GetAuth().(type) {
case *linkedca.Webhook_BearerToken:
pwh.BearerToken = a.BearerToken.BearerToken
case *linkedca.Webhook_BasicAuth:
pwh.BasicAuth.Username = a.BasicAuth.Username
pwh.BasicAuth.Password = a.BasicAuth.Password
}
return pwh
}
func provisionerWebhookToLinkedca(pwh *provisioner.Webhook) *linkedca.Webhook {
lwh := &linkedca.Webhook{
Id: pwh.ID,
Name: pwh.Name,
Url: pwh.URL,
Kind: linkedca.Webhook_Kind(linkedca.Webhook_Kind_value[pwh.Kind]),
Secret: pwh.Secret,
DisableTlsClientAuth: pwh.DisableTLSClientAuth,
CertType: linkedca.Webhook_CertType(linkedca.Webhook_CertType_value[pwh.CertType]),
}
if pwh.BearerToken != "" {
lwh.Auth = &linkedca.Webhook_BearerToken{
BearerToken: &linkedca.BearerToken{
BearerToken: pwh.BearerToken,
},
}
} else if pwh.BasicAuth.Username != "" || pwh.BasicAuth.Password != "" {
lwh.Auth = &linkedca.Webhook_BasicAuth{
BasicAuth: &linkedca.BasicAuth{
Username: pwh.BasicAuth.Username,
Password: pwh.BasicAuth.Password,
},
}
}
return lwh
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
func durationsToCertificates(d *linkedca.Durations) (min, max, def *provisioner.Duration, err error) {
if len(d.Min) > 0 {
min, err = provisioner.NewDuration(d.Min)
if err != nil {
return nil, nil, nil, admin.WrapErrorISE(err, "error parsing minimum duration '%s'", d.Min)
}
}
if len(d.Max) > 0 {
max, err = provisioner.NewDuration(d.Max)
if err != nil {
return nil, nil, nil, admin.WrapErrorISE(err, "error parsing maximum duration '%s'", d.Max)
}
}
if len(d.Default) > 0 {
def, err = provisioner.NewDuration(d.Default)
if err != nil {
return nil, nil, nil, admin.WrapErrorISE(err, "error parsing default duration '%s'", d.Default)
}
}
return
}
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
func durationsToLinkedca(d *provisioner.Duration) string {
if d == nil {
return ""
}
return d.Duration.String()
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
// claimsToCertificates converts the linkedca provisioner claims type to the
// certifictes claims type.
func claimsToCertificates(c *linkedca.Claims) (*provisioner.Claims, error) {
if c == nil {
A few more linter errors
2022-09-21 04:01:55 +00:00
//nolint:nilnil // nil claims do not pose an issue.
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return nil, nil
}
pc := &provisioner.Claims{
Rename unreleased claim to allowRenewalAfterExpiry for consistency.
2022-04-13 22:11:54 +00:00
DisableRenewal: &c.DisableRenewal,
AllowRenewalAfterExpiry: &c.AllowRenewalAfterExpiry,
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
}
var err error
if xc := c.X509; xc != nil {
if d := xc.Durations; d != nil {
pc.MinTLSDur, pc.MaxTLSDur, pc.DefaultTLSDur, err = durationsToCertificates(d)
if err != nil {
return nil, err
}
}
}
if sc := c.Ssh; sc != nil {
pc.EnableSSHCA = &sc.Enabled
if d := sc.UserDurations; d != nil {
pc.MinUserSSHDur, pc.MaxUserSSHDur, pc.DefaultUserSSHDur, err = durationsToCertificates(d)
if err != nil {
return nil, err
}
}
if d := sc.HostDurations; d != nil {
pc.MinHostSSHDur, pc.MaxHostSSHDur, pc.DefaultHostSSHDur, err = durationsToCertificates(d)
if err != nil {
return nil, err
}
}
}
return pc, nil
}
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims {
if c == nil {
return nil
}
disableRenewal := config.DefaultDisableRenewal
Rename unreleased claim to allowRenewalAfterExpiry for consistency.
2022-04-13 22:11:54 +00:00
allowRenewalAfterExpiry := config.DefaultAllowRenewalAfterExpiry
Rename claim to allowRenewAfterExpiry.
2022-03-14 22:40:01 +00:00
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if c.DisableRenewal != nil {
disableRenewal = *c.DisableRenewal
}
Rename unreleased claim to allowRenewalAfterExpiry for consistency.
2022-04-13 22:11:54 +00:00
if c.AllowRenewalAfterExpiry != nil {
allowRenewalAfterExpiry = *c.AllowRenewalAfterExpiry
Rename claim to allowRenewAfterExpiry.
2022-03-14 22:40:01 +00:00
}
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
lc := &linkedca.Claims{
Rename unreleased claim to allowRenewalAfterExpiry for consistency.
2022-04-13 22:11:54 +00:00
DisableRenewal: disableRenewal,
AllowRenewalAfterExpiry: allowRenewalAfterExpiry,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}
if c.DefaultTLSDur != nil || c.MinTLSDur != nil || c.MaxTLSDur != nil {
lc.X509 = &linkedca.X509Claims{
Enabled: true,
Durations: &linkedca.Durations{
Default: durationsToLinkedca(c.DefaultTLSDur),
Min: durationsToLinkedca(c.MinTLSDur),
Max: durationsToLinkedca(c.MaxTLSDur),
},
}
}
if c.EnableSSHCA != nil && *c.EnableSSHCA {
lc.Ssh = &linkedca.SSHClaims{
Enabled: true,
}
if c.DefaultUserSSHDur != nil || c.MinUserSSHDur != nil || c.MaxUserSSHDur != nil {
lc.Ssh.UserDurations = &linkedca.Durations{
Default: durationsToLinkedca(c.DefaultUserSSHDur),
Min: durationsToLinkedca(c.MinUserSSHDur),
Max: durationsToLinkedca(c.MaxUserSSHDur),
}
}
if c.DefaultHostSSHDur != nil || c.MinHostSSHDur != nil || c.MaxHostSSHDur != nil {
lc.Ssh.HostDurations = &linkedca.Durations{
Default: durationsToLinkedca(c.DefaultHostSSHDur),
Min: durationsToLinkedca(c.MinHostSSHDur),
Max: durationsToLinkedca(c.MaxHostSSHDur),
}
}
}
return lc
}
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
func provisionerOptionsToLinkedca(p *provisioner.Options) (*linkedca.Template, *linkedca.Template, []*linkedca.Webhook, error) {
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
var err error
var x509Template, sshTemplate *linkedca.Template
if p == nil {
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
return nil, nil, nil, nil
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}
if p.X509 != nil && p.X509.HasTemplate() {
x509Template = &linkedca.Template{
Template: nil,
Data: nil,
}
if p.X509.Template != "" {
x509Template.Template = []byte(p.SSH.Template)
} else if p.X509.TemplateFile != "" {
updates after rebase to keep up with master
2021-10-18 20:56:24 +00:00
filename := step.Abs(p.X509.TemplateFile)
Pin golangci-lint to v1.43.0 and fix issues
2021-11-12 23:46:34 +00:00
if x509Template.Template, err = os.ReadFile(filename); err != nil {
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
return nil, nil, nil, errors.Wrap(err, "error reading x509 template")
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}
}
}
if p.SSH != nil && p.SSH.HasTemplate() {
sshTemplate = &linkedca.Template{
Template: nil,
Data: nil,
}
if p.SSH.Template != "" {
sshTemplate.Template = []byte(p.SSH.Template)
} else if p.SSH.TemplateFile != "" {
updates after rebase to keep up with master
2021-10-18 20:56:24 +00:00
filename := step.Abs(p.SSH.TemplateFile)
Pin golangci-lint to v1.43.0 and fix issues
2021-11-12 23:46:34 +00:00
if sshTemplate.Template, err = os.ReadFile(filename); err != nil {
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
return nil, nil, nil, errors.Wrap(err, "error reading ssh template")
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}
}
}
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
var webhooks []*linkedca.Webhook
for _, pwh := range p.Webhooks {
webhooks = append(webhooks, provisionerWebhookToLinkedca(pwh))
}
return x509Template, sshTemplate, webhooks, nil
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}
func provisionerPEMToLinkedca(b []byte) [][]byte {
var roots [][]byte
var block *pem.Block
for {
if block, b = pem.Decode(b); block == nil {
break
}
roots = append(roots, pem.EncodeToMemory(block))
}
return roots
}
Include attestation roots on provisioner converters
2022-09-29 23:12:55 +00:00
func provisionerPEMToCertificates(bs [][]byte) []byte {
var roots []byte
for i, root := range bs {
if i > 0 && !bytes.HasSuffix(root, []byte{'\n'}) {
roots = append(roots, '\n')
}
roots = append(roots, root...)
}
return roots
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
// ProvisionerToCertificates converts the linkedca provisioner type to the certificates provisioner
// interface.
func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface, error) {
wip
2021-05-26 04:13:01 +00:00
claims, err := claimsToCertificates(p.Claims)
if err != nil {
return nil, err
}
details := p.Details.GetData()
if details == nil {
Wrap json errors.
2021-08-06 21:55:17 +00:00
return nil, errors.New("provisioner does not have any details")
wip
2021-05-26 04:13:01 +00:00
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
options := optionsToCertificates(p)
wip
2021-05-26 04:13:01 +00:00
switch d := details.(type) {
case *linkedca.ProvisionerDetails_JWK:
jwk := new(jose.JSONWebKey)
if err := json.Unmarshal(d.JWK.PublicKey, &jwk); err != nil {
Wrap json errors.
2021-08-06 21:55:17 +00:00
return nil, errors.Wrap(err, "error unmarshaling public key")
wip
2021-05-26 04:13:01 +00:00
}
return &provisioner.JWK{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
Key: jwk,
EncryptedKey: string(d.JWK.EncryptedPrivateKey),
Claims: claims,
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
Options: options,
}, nil
case *linkedca.ProvisionerDetails_X5C:
var roots []byte
for i, root := range d.X5C.GetRoots() {
if i > 0 {
roots = append(roots, '\n')
}
roots = append(roots, root...)
}
return &provisioner.X5C{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
Roots: roots,
Claims: claims,
Options: options,
}, nil
case *linkedca.ProvisionerDetails_K8SSA:
var publicKeys []byte
for i, k := range d.K8SSA.GetPublicKeys() {
if i > 0 {
publicKeys = append(publicKeys, '\n')
}
publicKeys = append(publicKeys, k...)
}
return &provisioner.K8sSA{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
PubKeys: publicKeys,
Claims: claims,
Options: options,
}, nil
case *linkedca.ProvisionerDetails_SSHPOP:
return &provisioner.SSHPOP{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
Claims: claims,
}, nil
case *linkedca.ProvisionerDetails_ACME:
cfg := d.ACME
return &provisioner.ACME{
Add methods to convert attestation formats
2022-09-09 00:49:24 +00:00
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
ForceCN: cfg.ForceCn,
RequireEAB: cfg.RequireEab,
Challenges: challengesToCertificates(cfg.Challenges),
AttestationFormats: attestationFormatsToCertificates(cfg.AttestationFormats),
Include attestation roots on provisioner converters
2022-09-29 23:12:55 +00:00
AttestationRoots: provisionerPEMToCertificates(cfg.AttestationRoots),
Add methods to convert attestation formats
2022-09-09 00:49:24 +00:00
Claims: claims,
Options: options,
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
}, nil
case *linkedca.ProvisionerDetails_OIDC:
cfg := d.OIDC
return &provisioner.OIDC{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
TenantID: cfg.TenantId,
ClientID: cfg.ClientId,
ClientSecret: cfg.ClientSecret,
ConfigurationEndpoint: cfg.ConfigurationEndpoint,
Admins: cfg.Admins,
Domains: cfg.Domains,
Groups: cfg.Groups,
ListenAddress: cfg.ListenAddress,
Claims: claims,
Options: options,
}, nil
case *linkedca.ProvisionerDetails_AWS:
cfg := d.AWS
instanceAge, err := parseInstanceAge(cfg.InstanceAge)
if err != nil {
return nil, err
}
return &provisioner.AWS{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
Accounts: cfg.Accounts,
DisableCustomSANs: cfg.DisableCustomSans,
DisableTrustOnFirstUse: cfg.DisableTrustOnFirstUse,
InstanceAge: instanceAge,
Claims: claims,
Options: options,
}, nil
case *linkedca.ProvisionerDetails_GCP:
cfg := d.GCP
instanceAge, err := parseInstanceAge(cfg.InstanceAge)
if err != nil {
return nil, err
}
return &provisioner.GCP{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
ServiceAccounts: cfg.ServiceAccounts,
ProjectIDs: cfg.ProjectIds,
DisableCustomSANs: cfg.DisableCustomSans,
DisableTrustOnFirstUse: cfg.DisableTrustOnFirstUse,
InstanceAge: instanceAge,
Claims: claims,
Options: options,
}, nil
case *linkedca.ProvisionerDetails_Azure:
cfg := d.Azure
return &provisioner.Azure{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
TenantID: cfg.TenantId,
ResourceGroups: cfg.ResourceGroups,
Add SubscriptionIDs and ObjectIDs to provisioner-linkedca conversion functions
2022-02-25 11:06:48 +00:00
SubscriptionIDs: cfg.SubscriptionIds,
ObjectIDs: cfg.ObjectIds,
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
Audience: cfg.Audience,
DisableCustomSANs: cfg.DisableCustomSans,
DisableTrustOnFirstUse: cfg.DisableTrustOnFirstUse,
Claims: claims,
Options: options,
wip
2021-05-26 04:13:01 +00:00
}, nil
Add LinkedCA integration for improved SCEP provisioner
2022-01-21 15:07:31 +00:00
case *linkedca.ProvisionerDetails_SCEP:
cfg := d.SCEP
return &provisioner.SCEP{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
ForceCN: cfg.ForceCn,
ChallengePassword: cfg.Challenge,
Capabilities: cfg.Capabilities,
IncludeRoot: cfg.IncludeRoot,
MinimumPublicKeyLength: int(cfg.MinimumPublicKeyLength),
EncryptionAlgorithmIdentifier: int(cfg.EncryptionAlgorithmIdentifier),
Claims: claims,
Options: options,
}, nil
Add linkedca conversions.
2022-01-05 02:42:57 +00:00
case *linkedca.ProvisionerDetails_Nebula:
var roots []byte
for i, root := range d.Nebula.GetRoots() {
Do not add extra new lines when creating nebula provisioners
2022-01-07 19:24:59 +00:00
if i > 0 && !bytes.HasSuffix(root, []byte{'\n'}) {
Add linkedca conversions.
2022-01-05 02:42:57 +00:00
roots = append(roots, '\n')
}
roots = append(roots, root...)
}
return &provisioner.Nebula{
ID: p.Id,
Type: p.Type.String(),
Name: p.Name,
Roots: roots,
Claims: claims,
Options: options,
}, nil
wip
2021-05-26 04:13:01 +00:00
default:
return nil, fmt.Errorf("provisioner %s not implemented", p.Type)
}
}
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
// ProvisionerToLinkedca converts a provisioner.Interface to a
// linkedca.Provisioner type.
func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, error) {
switch p := p.(type) {
case *provisioner.JWK:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if err != nil {
return nil, err
}
publicKey, err := json.Marshal(p.Key)
if err != nil {
return nil, errors.Wrap(err, "error marshaling key")
}
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_JWK,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_JWK{
JWK: &linkedca.JWKProvisioner{
PublicKey: publicKey,
EncryptedPrivateKey: []byte(p.EncryptedKey),
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}, nil
case *provisioner.OIDC:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if err != nil {
return nil, err
}
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_OIDC,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_OIDC{
OIDC: &linkedca.OIDCProvisioner{
ClientId: p.ClientID,
ClientSecret: p.ClientSecret,
ConfigurationEndpoint: p.ConfigurationEndpoint,
Admins: p.Admins,
Domains: p.Domains,
Groups: p.Groups,
ListenAddress: p.ListenAddress,
TenantId: p.TenantID,
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}, nil
case *provisioner.GCP:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if err != nil {
return nil, err
}
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_GCP,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_GCP{
GCP: &linkedca.GCPProvisioner{
ServiceAccounts: p.ServiceAccounts,
ProjectIds: p.ProjectIDs,
DisableCustomSans: p.DisableCustomSANs,
DisableTrustOnFirstUse: p.DisableTrustOnFirstUse,
InstanceAge: p.InstanceAge.String(),
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}, nil
case *provisioner.AWS:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if err != nil {
return nil, err
}
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_AWS,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_AWS{
AWS: &linkedca.AWSProvisioner{
Accounts: p.Accounts,
DisableCustomSans: p.DisableCustomSANs,
DisableTrustOnFirstUse: p.DisableTrustOnFirstUse,
InstanceAge: p.InstanceAge.String(),
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}, nil
case *provisioner.Azure:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if err != nil {
return nil, err
}
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_AZURE,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_Azure{
Azure: &linkedca.AzureProvisioner{
TenantId: p.TenantID,
ResourceGroups: p.ResourceGroups,
Add SubscriptionIDs and ObjectIDs to provisioner-linkedca conversion functions
2022-02-25 11:06:48 +00:00
SubscriptionIds: p.SubscriptionIDs,
ObjectIds: p.ObjectIDs,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Audience: p.Audience,
DisableCustomSans: p.DisableCustomSANs,
DisableTrustOnFirstUse: p.DisableTrustOnFirstUse,
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}, nil
case *provisioner.ACME:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if err != nil {
return nil, err
}
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_ACME,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_ACME{
ACME: &linkedca.ACMEProvisioner{
Add methods to convert attestation formats
2022-09-09 00:49:24 +00:00
ForceCn: p.ForceCN,
Challenges: challengesToLinkedca(p.Challenges),
AttestationFormats: attestationFormatsToLinkedca(p.AttestationFormats),
Include attestation roots on provisioner converters
2022-09-29 23:12:55 +00:00
AttestationRoots: provisionerPEMToLinkedca(p.AttestationRoots),
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}, nil
case *provisioner.X5C:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if err != nil {
return nil, err
}
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_X5C,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_X5C{
X5C: &linkedca.X5CProvisioner{
Roots: provisionerPEMToLinkedca(p.Roots),
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}, nil
case *provisioner.K8sSA:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if err != nil {
return nil, err
}
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_K8SSA,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_K8SSA{
K8SSA: &linkedca.K8SSAProvisioner{
PublicKeys: provisionerPEMToLinkedca(p.PubKeys),
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}, nil
case *provisioner.SSHPOP:
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_SSHPOP,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_SSHPOP{
SSHPOP: &linkedca.SSHPOPProvisioner{},
},
},
Claims: claimsToLinkedca(p.Claims),
}, nil
case *provisioner.SCEP:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
if err != nil {
return nil, err
}
return &linkedca.Provisioner{
Add is converting provisioners to linkedca. The ids are required to be able to link admins with provisioners.
2021-07-29 01:05:57 +00:00
Id: p.ID,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
Type: linkedca.Provisioner_SCEP,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_SCEP{
SCEP: &linkedca.SCEPProvisioner{
Add LinkedCA integration for improved SCEP provisioner
2022-01-21 15:07:31 +00:00
ForceCn: p.ForceCN,
Challenge: p.GetChallengePassword(),
Capabilities: p.Capabilities,
MinimumPublicKeyLength: int32(p.MinimumPublicKeyLength),
IncludeRoot: p.IncludeRoot,
EncryptionAlgorithmIdentifier: int32(p.EncryptionAlgorithmIdentifier),
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
}, nil
Add linkedca conversions.
2022-01-05 02:42:57 +00:00
case *provisioner.Nebula:
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
x509Template, sshTemplate, webhooks, err := provisionerOptionsToLinkedca(p.Options)
Add linkedca conversions.
2022-01-05 02:42:57 +00:00
if err != nil {
return nil, err
}
return &linkedca.Provisioner{
Id: p.ID,
Type: linkedca.Provisioner_NEBULA,
Name: p.GetName(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_Nebula{
Nebula: &linkedca.NebulaProvisioner{
Roots: provisionerPEMToLinkedca(p.Roots),
},
},
},
Claims: claimsToLinkedca(p.Claims),
X509Template: x509Template,
SshTemplate: sshTemplate,
Provisioner webhooks (#1001)
2022-09-30 00:16:26 +00:00
Webhooks: webhooks,
Add linkedca conversions.
2022-01-05 02:42:57 +00:00
}, nil
Create a way to export ca configurations.
2021-07-27 02:01:56 +00:00
default:
return nil, fmt.Errorf("provisioner %s not implemented", p.GetType())
}
}
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
func parseInstanceAge(age string) (provisioner.Duration, error) {
var instanceAge provisioner.Duration
if age != "" {
iap, err := provisioner.NewDuration(age)
wip
2021-05-26 04:13:01 +00:00
if err != nil {
Admin level API for provisioner mgmt v1
2021-05-03 19:48:20 +00:00
return instanceAge, err
}
instanceAge = *iap
}
return instanceAge, nil
wip
2021-05-26 04:13:01 +00:00
}
Add acme property to enable challenges Fixes #1027
2022-08-24 00:11:40 +00:00
Use a type for acme challenges
2022-09-08 19:34:06 +00:00
// challengesToCertificates converts linkedca challenges to provisioner ones
// skipping the unknown ones.
func challengesToCertificates(challenges []linkedca.ACMEProvisioner_ChallengeType) []provisioner.ACMEChallenge {
ret := make([]provisioner.ACMEChallenge, 0, len(challenges))
for _, ch := range challenges {
Add acme property to enable challenges Fixes #1027
2022-08-24 00:11:40 +00:00
switch ch {
case linkedca.ACMEProvisioner_HTTP_01:
Use a type for acme challenges
2022-09-08 19:34:06 +00:00
ret = append(ret, provisioner.HTTP_01)
Add acme property to enable challenges Fixes #1027
2022-08-24 00:11:40 +00:00
case linkedca.ACMEProvisioner_DNS_01:
Use a type for acme challenges
2022-09-08 19:34:06 +00:00
ret = append(ret, provisioner.DNS_01)
Fix typo in linkedca variable
2022-09-09 21:34:32 +00:00
case linkedca.ACMEProvisioner_TLS_ALPN_01:
Use a type for acme challenges
2022-09-08 19:34:06 +00:00
ret = append(ret, provisioner.TLS_ALPN_01)
Add acme property to enable challenges Fixes #1027
2022-08-24 00:11:40 +00:00
case linkedca.ACMEProvisioner_DEVICE_ATTEST_01:
Use a type for acme challenges
2022-09-08 19:34:06 +00:00
ret = append(ret, provisioner.DEVICE_ATTEST_01)
Add acme property to enable challenges Fixes #1027
2022-08-24 00:11:40 +00:00
}
}
return ret
}
Use a type for acme challenges
2022-09-08 19:34:06 +00:00
// challengesToLinkedca converts provisioner challenges to linkedca ones
// skipping the unknown ones.
func challengesToLinkedca(challenges []provisioner.ACMEChallenge) []linkedca.ACMEProvisioner_ChallengeType {
ret := make([]linkedca.ACMEProvisioner_ChallengeType, 0, len(challenges))
for _, ch := range challenges {
switch provisioner.ACMEChallenge(ch.String()) {
case provisioner.HTTP_01:
ret = append(ret, linkedca.ACMEProvisioner_HTTP_01)
case provisioner.DNS_01:
ret = append(ret, linkedca.ACMEProvisioner_DNS_01)
case provisioner.TLS_ALPN_01:
Fix typo in linkedca variable
2022-09-09 21:34:32 +00:00
ret = append(ret, linkedca.ACMEProvisioner_TLS_ALPN_01)
Use a type for acme challenges
2022-09-08 19:34:06 +00:00
case provisioner.DEVICE_ATTEST_01:
ret = append(ret, linkedca.ACMEProvisioner_DEVICE_ATTEST_01)
Add acme property to enable challenges Fixes #1027
2022-08-24 00:11:40 +00:00
}
}
return ret
}
Add methods to convert attestation formats
2022-09-09 00:49:24 +00:00
// attestationFormatsToCertificates converts linkedca attestation formats to
// provisioner ones skipping the unknown ones.
func attestationFormatsToCertificates(formats []linkedca.ACMEProvisioner_AttestationFormatType) []provisioner.ACMEAttestationFormat {
ret := make([]provisioner.ACMEAttestationFormat, 0, len(formats))
for _, f := range formats {
switch f {
case linkedca.ACMEProvisioner_APPLE:
ret = append(ret, provisioner.APPLE)
case linkedca.ACMEProvisioner_STEP:
ret = append(ret, provisioner.STEP)
case linkedca.ACMEProvisioner_TPM:
ret = append(ret, provisioner.TPM)
}
}
return ret
}
// attestationFormatsToLinkedca converts provisioner attestation formats to
// linkedca ones skipping the unknown ones.
func attestationFormatsToLinkedca(formats []provisioner.ACMEAttestationFormat) []linkedca.ACMEProvisioner_AttestationFormatType {
ret := make([]linkedca.ACMEProvisioner_AttestationFormatType, 0, len(formats))
for _, f := range formats {
switch provisioner.ACMEAttestationFormat(f.String()) {
case provisioner.APPLE:
ret = append(ret, linkedca.ACMEProvisioner_APPLE)
case provisioner.STEP:
ret = append(ret, linkedca.ACMEProvisioner_STEP)
case provisioner.TPM:
ret = append(ret, linkedca.ACMEProvisioner_TPM)
}
}
return ret
}
Reference in New Issue Copy Permalink