smallstep-certificates/ca/bootstrap.go

package ca

import (
	"context"
	"crypto"
	"crypto/tls"
	"net"
	"net/http"
	"strings"

	"github.com/pkg/errors"
	"github.com/smallstep/certificates/api"
	"go.step.sm/crypto/jose"
)

type tokenClaims struct {
	SHA string `json:"sha"`
	jose.Claims
}

// Bootstrap is a helper function that initializes a client with the
// configuration in the bootstrap token.
func Bootstrap(token string) (*Client, error) {
	tok, err := jose.ParseSigned(token)
	if err != nil {
		return nil, errors.Wrap(err, "error parsing token")
	}
	var claims tokenClaims
	if err := tok.UnsafeClaimsWithoutVerification(&claims); err != nil {
		return nil, errors.Wrap(err, "error parsing token")
	}

	// Validate bootstrap token
	switch {
	case claims.SHA == "":
		return nil, errors.New("invalid bootstrap token: sha claim is not present")
	case !strings.HasPrefix(strings.ToLower(claims.Audience[0]), "http"):
		return nil, errors.New("invalid bootstrap token: aud claim is not a url")
	}

	return NewClient(claims.Audience[0], WithRootSHA256(claims.SHA))
}

// BootstrapClient is a helper function that using the given bootstrap token
// return an http.Client configured with a Transport prepared to do TLS
// connections using the client certificate returned by the certificate
// authority. By default the server will kick off a routine that will renew the
// certificate after 2/3rd of the certificate's lifetime has expired.
//
// Usage:
//   // Default example with certificate rotation.
//   client, err := ca.BootstrapClient(ctx.Background(), token)
//
//   // Example canceling automatic certificate rotation.
//   ctx, cancel := context.WithCancel(context.Background())
//   defer cancel()
//   client, err := ca.BootstrapClient(ctx, token)
//   if err != nil {
//     return err
//   }
//   resp, err := client.Get("https://internal.smallstep.com")
func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*http.Client, error) {
	b, err := createBootstrap(token)
	if err != nil {
		return nil, err
	}

	// Make sure the tlsConfig has all supported roots on RootCAs.
	//
	// The roots request is only supported if identity certificates are not
	// required. In all cases the current root is also added after applying all
	// options too.
	if !b.RequireClientAuth {
		options = append(options, AddRootsToRootCAs())
	}

	transport, err := b.Client.Transport(ctx, b.SignResponse, b.PrivateKey, options...)
	if err != nil {
		return nil, err
	}

	return &http.Client{
		Transport: transport,
	}, nil
}

// BootstrapServer is a helper function that using the given token returns the
// given http.Server configured with a TLS certificate signed by the Certificate
// Authority. By default the server will kick off a routine that will renew the
// certificate after 2/3rd of the certificate's lifetime has expired.
//
// Without any extra option the server will be configured for mTLS, it will
// require and verify clients certificates, but options can be used to drop this
// requirement, the most common will be only verify the certs if given with
// ca.VerifyClientCertIfGiven(), or add extra CAs with
// ca.AddClientCA(*x509.Certificate).
//
// Usage:
//   // Default example with certificate rotation.
//   srv, err := ca.BootstrapServer(context.Background(), token, &http.Server{
//       Addr: ":443",
//       Handler: handler,
//   })
//
//   // Example canceling automatic certificate rotation.
//   ctx, cancel := context.WithCancel(context.Background())
//   defer cancel()
//   srv, err := ca.BootstrapServer(ctx, token, &http.Server{
//       Addr: ":443",
//       Handler: handler,
//   })
//   if err != nil {
//       return err
//   }
//   srv.ListenAndServeTLS("", "")
func BootstrapServer(ctx context.Context, token string, base *http.Server, options ...TLSOption) (*http.Server, error) {
	if base.TLSConfig != nil {
		return nil, errors.New("server TLSConfig is already set")
	}

	b, err := createBootstrap(token)
	if err != nil {
		return nil, err
	}

	// Make sure the tlsConfig has all supported roots on RootCAs.
	//
	// The roots request is only supported if identity certificates are not
	// required. In all cases the current root is also added after applying all
	// options too.
	if !b.RequireClientAuth {
		options = append(options, AddRootsToCAs())
	}

	tlsConfig, err := b.Client.GetServerTLSConfig(ctx, b.SignResponse, b.PrivateKey, options...)
	if err != nil {
		return nil, err
	}

	base.TLSConfig = tlsConfig
	return base, nil
}

// BootstrapListener is a helper function that using the given token returns a
// TLS listener which accepts connections from an inner listener and wraps each
// connection with Server.
//
// Without any extra option the server will be configured for mTLS, it will
// require and verify clients certificates, but options can be used to drop this
// requirement, the most common will be only verify the certs if given with
// ca.VerifyClientCertIfGiven(), or add extra CAs with
// ca.AddClientCA(*x509.Certificate).
//
// Usage:
//   inner, err := net.Listen("tcp", ":443")
//   if err != nil {
//     return nil
//   }
//   ctx, cancel := context.WithCancel(context.Background())
//   defer cancel()
//   lis, err := ca.BootstrapListener(ctx, token, inner)
//   if err != nil {
//       return err
//   }
//   srv := grpc.NewServer()
//   ... // register services
//   srv.Serve(lis)
func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error) {
	b, err := createBootstrap(token)
	if err != nil {
		return nil, err
	}

	// Make sure the tlsConfig has all supported roots on RootCAs.
	//
	// The roots request is only supported if identity certificates are not
	// required. In all cases the current root is also added after applying all
	// options too.
	if !b.RequireClientAuth {
		options = append(options, AddRootsToCAs())
	}

	tlsConfig, err := b.Client.GetServerTLSConfig(ctx, b.SignResponse, b.PrivateKey, options...)
	if err != nil {
		return nil, err
	}

	return tls.NewListener(inner, tlsConfig), nil
}

type bootstrap struct {
	Client            *Client
	RequireClientAuth bool
	SignResponse      *api.SignResponse
	PrivateKey        crypto.PrivateKey
}

func createBootstrap(token string) (*bootstrap, error) {
	client, err := Bootstrap(token)
	if err != nil {
		return nil, err
	}

	version, err := client.Version()
	if err != nil {
		return nil, err
	}

	req, pk, err := CreateSignRequest(token)
	if err != nil {
		return nil, err
	}

	sign, err := client.Sign(req)
	if err != nil {
		return nil, err
	}

	return &bootstrap{
		Client:            client,
		RequireClientAuth: version.RequireClientAuthentication,
		SignResponse:      sign,
		PrivateKey:        pk,
	}, nil
}
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`package ca`

			`import (`
			`"context"`
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`"crypto"`
Add new bootstrap method that creates a listener. 2019-01-17 22:48:33 +00:00			`"crypto/tls"`
			`"net"`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`"net/http"`
			`"strings"`

			`"github.com/pkg/errors"`
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`"github.com/smallstep/certificates/api"`
Use go.step.sm/crypto/jose Replace use of github.com/smallstep/cli/crypto with the new package go.step.sm/crypto/jose. 2020-08-24 21:44:11 +00:00			`"go.step.sm/crypto/jose"`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`)`

			`type tokenClaims struct {`
			SHA string `json:"sha"`
			`jose.Claims`
			`}`

			`// Bootstrap is a helper function that initializes a client with the`
			`// configuration in the bootstrap token.`
			`func Bootstrap(token string) (*Client, error) {`
Use go.step.sm/crypto/jose Replace use of github.com/smallstep/cli/crypto with the new package go.step.sm/crypto/jose. 2020-08-24 21:44:11 +00:00			`tok, err := jose.ParseSigned(token)`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`if err != nil {`
			`return nil, errors.Wrap(err, "error parsing token")`
			`}`
			`var claims tokenClaims`
			`if err := tok.UnsafeClaimsWithoutVerification(&claims); err != nil {`
Add tests for bootstrap functions. 2018-11-05 20:22:10 +00:00			`return nil, errors.Wrap(err, "error parsing token")`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`}`

			`// Validate bootstrap token`
			`switch {`
Introduce gocritic linter and address warnings 2021-10-08 18:59:57 +00:00			`case claims.SHA == "":`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`return nil, errors.New("invalid bootstrap token: sha claim is not present")`
			`case !strings.HasPrefix(strings.ToLower(claims.Audience[0]), "http"):`
			`return nil, errors.New("invalid bootstrap token: aud claim is not a url")`
			`}`

			`return NewClient(claims.Audience[0], WithRootSHA256(claims.SHA))`
			`}`

first commit 2021-05-03 19:48:20 +00:00			`// BootstrapClient is a helper function that using the given bootstrap token`
			`// return an http.Client configured with a Transport prepared to do TLS`
			`// connections using the client certificate returned by the certificate`
			`// authority. By default the server will kick off a routine that will renew the`
change documentation for bootstrap Server\|Client * provide documentation for default and non-default invocation. 2018-11-07 01:39:00 +00:00			`// certificate after 2/3rd of the certificate's lifetime has expired.`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`//`
			`// Usage:`
change documentation for bootstrap Server\|Client * provide documentation for default and non-default invocation. 2018-11-07 01:39:00 +00:00			`// // Default example with certificate rotation.`
first commit 2021-05-03 19:48:20 +00:00			`// client, err := ca.BootstrapClient(ctx.Background(), token)`
change documentation for bootstrap Server\|Client * provide documentation for default and non-default invocation. 2018-11-07 01:39:00 +00:00			`//`
			`// // Example canceling automatic certificate rotation.`
Add context to bootstrap methods. 2018-11-07 01:16:33 +00:00			`// ctx, cancel := context.WithCancel(context.Background())`
			`// defer cancel()`
first commit 2021-05-03 19:48:20 +00:00			`// client, err := ca.BootstrapClient(ctx, token)`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`// if err != nil {`
first commit 2021-05-03 19:48:20 +00:00			`// return err`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`// }`
first commit 2021-05-03 19:48:20 +00:00			`// resp, err := client.Get("https://internal.smallstep.com")`
			`func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*http.Client, error) {`
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`b, err := createBootstrap(token)`
Add helpers to add direct support for mTLS. 2018-11-08 00:07:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`

fix grammar 2021-12-15 20:16:21 +00:00			`// Make sure the tlsConfig has all supported roots on RootCAs.`
Avoid doing unauthenticated requests on the SDK When step-ca runs with mTLS required on some endpoints, the SDK used in autocert will fail to start because the identity certificate is missing. This certificate is only required to retrieve all roots, in most cases there's only one, and the SDK has access to it. 2021-12-14 22:42:38 +00:00			`//`
			`// The roots request is only supported if identity certificates are not`
			`// required. In all cases the current root is also added after applying all`
			`// options too.`
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`if !b.RequireClientAuth {`
Avoid doing unauthenticated requests on the SDK When step-ca runs with mTLS required on some endpoints, the SDK used in autocert will fail to start because the identity certificate is missing. This certificate is only required to retrieve all roots, in most cases there's only one, and the SDK has access to it. 2021-12-14 22:42:38 +00:00			`options = append(options, AddRootsToRootCAs())`
			`}`
Add all root certificates by default on bootstrap methods. 2019-01-08 02:55:40 +00:00
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`transport, err := b.Client.Transport(ctx, b.SignResponse, b.PrivateKey, options...)`
Add helpers to add direct support for mTLS. 2018-11-08 00:07:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`

first commit 2021-05-03 19:48:20 +00:00			`return &http.Client{`
			`Transport: transport,`
			`}, nil`
Add helpers to add direct support for mTLS. 2018-11-08 00:07:35 +00:00			`}`

first commit 2021-05-03 19:48:20 +00:00			`// BootstrapServer is a helper function that using the given token returns the`
			`// given http.Server configured with a TLS certificate signed by the Certificate`
			`// Authority. By default the server will kick off a routine that will renew the`
change documentation for bootstrap Server\|Client * provide documentation for default and non-default invocation. 2018-11-07 01:39:00 +00:00			`// certificate after 2/3rd of the certificate's lifetime has expired.`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`//`
first commit 2021-05-03 19:48:20 +00:00			`// Without any extra option the server will be configured for mTLS, it will`
			`// require and verify clients certificates, but options can be used to drop this`
			`// requirement, the most common will be only verify the certs if given with`
			`// ca.VerifyClientCertIfGiven(), or add extra CAs with`
			`// ca.AddClientCA(*x509.Certificate).`
			`//`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`// Usage:`
change documentation for bootstrap Server\|Client * provide documentation for default and non-default invocation. 2018-11-07 01:39:00 +00:00			`// // Default example with certificate rotation.`
first commit 2021-05-03 19:48:20 +00:00			`// srv, err := ca.BootstrapServer(context.Background(), token, &http.Server{`
			`// Addr: ":443",`
			`// Handler: handler,`
			`// })`
change documentation for bootstrap Server\|Client * provide documentation for default and non-default invocation. 2018-11-07 01:39:00 +00:00			`//`
			`// // Example canceling automatic certificate rotation.`
Add context to bootstrap methods. 2018-11-07 01:16:33 +00:00			`// ctx, cancel := context.WithCancel(context.Background())`
			`// defer cancel()`
first commit 2021-05-03 19:48:20 +00:00			`// srv, err := ca.BootstrapServer(ctx, token, &http.Server{`
			`// Addr: ":443",`
			`// Handler: handler,`
			`// })`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`// if err != nil {`
first commit 2021-05-03 19:48:20 +00:00			`// return err`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`// }`
first commit 2021-05-03 19:48:20 +00:00			`// srv.ListenAndServeTLS("", "")`
			`func BootstrapServer(ctx context.Context, token string, base http.Server, options ...TLSOption) (http.Server, error) {`
			`if base.TLSConfig != nil {`
			`return nil, errors.New("server TLSConfig is already set")`
			`}`

Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`b, err := createBootstrap(token)`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`if err != nil {`
			`return nil, err`
			`}`

fix grammar 2021-12-15 20:16:21 +00:00			`// Make sure the tlsConfig has all supported roots on RootCAs.`
Avoid doing unauthenticated requests on the SDK When step-ca runs with mTLS required on some endpoints, the SDK used in autocert will fail to start because the identity certificate is missing. This certificate is only required to retrieve all roots, in most cases there's only one, and the SDK has access to it. 2021-12-14 22:42:38 +00:00			`//`
			`// The roots request is only supported if identity certificates are not`
			`// required. In all cases the current root is also added after applying all`
			`// options too.`
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`if !b.RequireClientAuth {`
Avoid doing unauthenticated requests on the SDK When step-ca runs with mTLS required on some endpoints, the SDK used in autocert will fail to start because the identity certificate is missing. This certificate is only required to retrieve all roots, in most cases there's only one, and the SDK has access to it. 2021-12-14 22:42:38 +00:00			`options = append(options, AddRootsToCAs())`
			`}`
Add all root certificates by default on bootstrap methods. 2019-01-08 02:55:40 +00:00
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`tlsConfig, err := b.Client.GetServerTLSConfig(ctx, b.SignResponse, b.PrivateKey, options...)`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`if err != nil {`
			`return nil, err`
			`}`

first commit 2021-05-03 19:48:20 +00:00			`base.TLSConfig = tlsConfig`
			`return base, nil`
Add bootstrap helpers that uses just a token. 2018-11-03 01:54:49 +00:00			`}`
Add new bootstrap method that creates a listener. 2019-01-17 22:48:33 +00:00
			`// BootstrapListener is a helper function that using the given token returns a`
			`// TLS listener which accepts connections from an inner listener and wraps each`
			`// connection with Server.`
			`//`
			`// Without any extra option the server will be configured for mTLS, it will`
			`// require and verify clients certificates, but options can be used to drop this`
			`// requirement, the most common will be only verify the certs if given with`
			`// ca.VerifyClientCertIfGiven(), or add extra CAs with`
			`// ca.AddClientCA(*x509.Certificate).`
			`//`
			`// Usage:`
			`// inner, err := net.Listen("tcp", ":443")`
			`// if err != nil {`
			`// return nil`
			`// }`
			`// ctx, cancel := context.WithCancel(context.Background())`
			`// defer cancel()`
			`// lis, err := ca.BootstrapListener(ctx, token, inner)`
			`// if err != nil {`
			`// return err`
			`// }`
			`// srv := grpc.NewServer()`
			`// ... // register services`
			`// srv.Serve(lis)`
			`func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error) {`
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`b, err := createBootstrap(token)`
Add new bootstrap method that creates a listener. 2019-01-17 22:48:33 +00:00			`if err != nil {`
			`return nil, err`
			`}`

fix grammar 2021-12-15 20:16:21 +00:00			`// Make sure the tlsConfig has all supported roots on RootCAs.`
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`//`
			`// The roots request is only supported if identity certificates are not`
			`// required. In all cases the current root is also added after applying all`
			`// options too.`
			`if !b.RequireClientAuth {`
			`options = append(options, AddRootsToCAs())`
			`}`

			`tlsConfig, err := b.Client.GetServerTLSConfig(ctx, b.SignResponse, b.PrivateKey, options...)`
Avoid doing unauthenticated requests on the SDK When step-ca runs with mTLS required on some endpoints, the SDK used in autocert will fail to start because the identity certificate is missing. This certificate is only required to retrieve all roots, in most cases there's only one, and the SDK has access to it. 2021-12-14 22:42:38 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`return tls.NewListener(inner, tlsConfig), nil`
			`}`

			`type bootstrap struct {`
			`Client *Client`
			`RequireClientAuth bool`
			`SignResponse *api.SignResponse`
			`PrivateKey crypto.PrivateKey`
			`}`

			`func createBootstrap(token string) (*bootstrap, error) {`
			`client, err := Bootstrap(token)`
Add new bootstrap method that creates a listener. 2019-01-17 22:48:33 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`version, err := client.Version()`
Add new bootstrap method that creates a listener. 2019-01-17 22:48:33 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`req, pk, err := CreateSignRequest(token)`
			`if err != nil {`
			`return nil, err`
Avoid doing unauthenticated requests on the SDK When step-ca runs with mTLS required on some endpoints, the SDK used in autocert will fail to start because the identity certificate is missing. This certificate is only required to retrieve all roots, in most cases there's only one, and the SDK has access to it. 2021-12-14 22:42:38 +00:00			`}`
Add new bootstrap method that creates a listener. 2019-01-17 22:48:33 +00:00
Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`sign, err := client.Sign(req)`
Add new bootstrap method that creates a listener. 2019-01-17 22:48:33 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Remove duplicated code in bootstrap methods 2021-12-15 19:24:46 +00:00			`return &bootstrap{`
			`Client: client,`
			`RequireClientAuth: version.RequireClientAuthentication,`
			`SignResponse: sign,`
			`PrivateKey: pk,`
			`}, nil`
Add new bootstrap method that creates a listener. 2019-01-17 22:48:33 +00:00			`}`