Merge branch 'master' into herman/allow-deny

2 years ago · 034b7943fe
parent 7df52dbb76 1fd2481cb4
commit 034b7943fe
5 changed files with 118 additions and 6 deletions
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -79,7 +79,7 @@ func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey,
 }

 func http01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, vo *ValidateChallengeOptions) error {
-	u := &url.URL{Scheme: "http", Host: ch.Value, Path: fmt.Sprintf("/.well-known/acme-challenge/%s", ch.Token)}
+	u := &url.URL{Scheme: "http", Host: http01ChallengeHost(ch.Value), Path: fmt.Sprintf("/.well-known/acme-challenge/%s", ch.Token)}

 	resp, err := vo.HTTPGet(u.String())
 	if err != nil {
@ -119,6 +119,17 @@ func http01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWeb
 	return nil
 }

+// http01ChallengeHost checks if a Challenge value is an IPv6 address
+// and adds square brackets if that's the case, so that it can be used
+// as a hostname. Returns the original Challenge value as the host to
+// use in other cases.
+func http01ChallengeHost(value string) string {
+	if ip := net.ParseIP(value); ip != nil && ip.To4() == nil {
+		value = "[" + value + "]"
+	}
+	return value
+}
+
 func tlsAlert(err error) uint8 {
 	var opErr *net.OpError
 	if errors.As(err, &opErr) {
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@ -13,6 +13,7 @@ import (
 	"encoding/asn1"
 	"encoding/base64"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"io"
 	"math/big"
@ -23,9 +24,9 @@ import (
 	"testing"
 	"time"

-	"github.com/pkg/errors"
-	"github.com/smallstep/assert"
 	"go.step.sm/crypto/jose"
+
+	"github.com/smallstep/assert"
 )

 func Test_storeError(t *testing.T) {
@ -2350,3 +2351,34 @@ func Test_serverName(t *testing.T) {
 		})
 	}
 }
+
+func Test_http01ChallengeHost(t *testing.T) {
+	tests := []struct {
+		name  string
+		value string
+		want  string
+	}{
+		{
+			name:  "dns",
+			value: "www.example.com",
+			want:  "www.example.com",
+		},
+		{
+			name:  "ipv4",
+			value: "127.0.0.1",
+			want:  "127.0.0.1",
+		},
+		{
+			name:  "ipv6",
+			value: "::1",
+			want:  "[::1]",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := http01ChallengeHost(tt.value); got != tt.want {
+				t.Errorf("http01ChallengeHost() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/authority/authority.go
+++ b/authority/authority.go
@ -89,6 +89,14 @@ type Authority struct {
 	adminMutex sync.RWMutex
 }

+type Info struct {
+	StartTime          time.Time
+	RootX509Certs      []*x509.Certificate
+	SSHCAUserPublicKey []byte
+	SSHCAHostPublicKey []byte
+	DNSNames           []string
+}
+
 // New creates and initiates a new Authority type.
 func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 	err := cfg.Validate()
@ -360,8 +368,6 @@ func (a *Authority) init() error {
 				return err
 			}
 			a.rootX509Certs = append(a.rootX509Certs, resp.RootCertificate)
-			sum := sha256.Sum256(resp.RootCertificate.Raw)
-			log.Printf("Using root fingerprint '%s'", hex.EncodeToString(sum[:]))
 		}
 	}

@ -632,6 +638,21 @@ func (a *Authority) GetAdminDatabase() admin.DB {
 	return a.adminDB
 }

+func (a *Authority) GetInfo() Info {
+	ai := Info{
+		StartTime:     a.startTime,
+		RootX509Certs: a.rootX509Certs,
+		DNSNames:      a.config.DNSNames,
+	}
+	if a.sshCAUserCertSignKey != nil {
+		ai.SSHCAUserPublicKey = ssh.MarshalAuthorizedKey(a.sshCAUserCertSignKey.PublicKey())
+	}
+	if a.sshCAHostCertSignKey != nil {
+		ai.SSHCAHostPublicKey = ssh.MarshalAuthorizedKey(a.sshCAHostCertSignKey.PublicKey())
+	}
+	return ai
+}
+
 // IsAdminAPIEnabled returns a boolean indicating whether the Admin API has
 // been enabled.
 func (a *Authority) IsAdminAPIEnabled() bool {
--- a/ca/ca.go
+++ b/ca/ca.go
@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"strings"
 	"sync"

 	"github.com/go-chi/chi"
@ -26,11 +27,14 @@ import (
 	scepAPI "github.com/smallstep/certificates/scep/api"
 	"github.com/smallstep/certificates/server"
 	"github.com/smallstep/nosql"
+	"go.step.sm/cli-utils/step"
+	"go.step.sm/crypto/x509util"
 )

 type options struct {
 	configFile      string
 	linkedCAToken   string
+	quiet           bool
 	password        []byte
 	issuerPassword  []byte
 	sshHostPassword []byte
@ -101,6 +105,13 @@ func WithLinkedCAToken(token string) Option {
 	}
 }

+// WithQuiet sets the quiet flag.
+func WithQuiet(quiet bool) Option {
+	return func(o *options) {
+		o.quiet = quiet
+	}
+}
+
 // CA is the type used to build the complete certificate authority. It builds
 // the HTTP server, set ups the middlewares and the HTTP handlers.
 type CA struct {
@ -289,6 +300,35 @@ func (ca *CA) Run() error {
 	var wg sync.WaitGroup
 	errs := make(chan error, 1)

+	if !ca.opts.quiet {
+		authorityInfo := ca.auth.GetInfo()
+		log.Printf("Starting %s", step.Version())
+		log.Printf("Documentation: https://u.step.sm/docs/ca")
+		log.Printf("Community Discord: https://u.step.sm/discord")
+		if step.Contexts().GetCurrent() != nil {
+			log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
+		}
+		log.Printf("Config file: %s", ca.opts.configFile)
+		baseURL := fmt.Sprintf("https://%s%s",
+			authorityInfo.DNSNames[0],
+			ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
+		log.Printf("The primary server URL is %s", baseURL)
+		log.Printf("Root certificates are available at %s/roots.pem", baseURL)
+		if len(authorityInfo.DNSNames) > 1 {
+			log.Printf("Additional configured hostnames: %s",
+				strings.Join(authorityInfo.DNSNames[1:], ", "))
+		}
+		for _, crt := range authorityInfo.RootX509Certs {
+			log.Printf("X.509 Root Fingerprint: %s", x509util.Fingerprint(crt))
+		}
+		if authorityInfo.SSHCAHostPublicKey != nil {
+			log.Printf("SSH Host CA Key is %s\n", authorityInfo.SSHCAHostPublicKey)
+		}
+		if authorityInfo.SSHCAUserPublicKey != nil {
+			log.Printf("SSH User CA Key: %s\n", authorityInfo.SSHCAUserPublicKey)
+		}
+	}
+
 	if ca.insecureSrv != nil {
 		wg.Add(1)
 		go func() {
@ -356,6 +396,7 @@ func (ca *CA) Reload() error {
 		WithSSHUserPassword(ca.opts.sshUserPassword),
 		WithIssuerPassword(ca.opts.issuerPassword),
 		WithLinkedCAToken(ca.opts.linkedCAToken),
+		WithQuiet(ca.opts.quiet),
 		WithConfigFile(ca.opts.configFile),
 		WithDatabase(ca.auth.GetDatabase()),
 	)
--- a/commands/app.go
+++ b/commands/app.go
@ -58,6 +58,11 @@ certificate issuer private key used in the RA mode.`,
 			Usage:  "token used to enable the linked ca.",
 			EnvVar: "STEP_CA_TOKEN",
 		},
+		cli.BoolFlag{
+			Name:   "quiet",
+			Usage:  "disable startup information",
+			EnvVar: "STEP_CA_QUIET",
+		},
 		cli.StringFlag{
 			Name:   "context",
 			Usage:  "The name of the authority's context.",
@ -74,6 +79,7 @@ func appAction(ctx *cli.Context) error {
 	issuerPassFile := ctx.String("issuer-password-file")
 	resolver := ctx.String("resolver")
 	token := ctx.String("token")
+	quiet := ctx.Bool("quiet")

 	if ctx.NArg() > 1 {
 		return errs.TooManyArguments(ctx)
@ -155,7 +161,8 @@ To get a linked authority token:
 		ca.WithSSHHostPassword(sshHostPassword),
 		ca.WithSSHUserPassword(sshUserPassword),
 		ca.WithIssuerPassword(issuerPassword),
-		ca.WithLinkedCAToken(token))
+		ca.WithLinkedCAToken(token),
+		ca.WithQuiet(quiet))
 	if err != nil {
 		fatal(err)
 	}