wip

3 years ago · 1726076ea2
parent 423942da44
commit 1726076ea2
9 changed files with 153 additions and 297 deletions
--- a/authority/admin/collection.go
+++ b/authority/admin/collection.go
@ -178,12 +178,3 @@ func loadAdmin(m *sync.Map, key string) (*linkedca.Admin, bool) {
 	}
 	return adm, true
 }
-
-/*
-// provisionerSum returns the SHA1 of the provisioners ID. From this we will
-// create the unique and sorted id.
-func provisionerSum(p Interface) []byte {
-	sum := sha1.Sum([]byte(p.GetID()))
-	return sum[:]
-}
-*/
--- a/authority/config/config.go
+++ b/authority/config/config.go
@ -8,11 +8,11 @@ import (
 	"time"

 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/provisioner"
 	cas "github.com/smallstep/certificates/cas/apiv1"
 	"github.com/smallstep/certificates/db"
 	kms "github.com/smallstep/certificates/kms/apiv1"
+	"github.com/smallstep/certificates/linkedca"
 	"github.com/smallstep/certificates/templates"
 )

@ -96,7 +96,7 @@ type AuthConfig struct {
 	*cas.Options
 	AuthorityID          string                `json:"authorityID,omitempty"`
 	Provisioners         provisioner.List      `json:"provisioners"`
-	Admins               []*admin.Admin        `json:"-"`
+	Admins               []*linkedca.Admin     `json:"-"`
 	Template             *ASN1DN               `json:"template,omitempty"`
 	Claims               *provisioner.Claims   `json:"claims,omitempty"`
 	DisableIssuedAtCheck bool                  `json:"disableIssuedAtCheck,omitempty"`
--- a/authority/mgmt/config.go
+++ b/authority/mgmt/config.go
@ -2,6 +2,7 @@ package mgmt

 import (
 	"github.com/smallstep/certificates/authority/config"
+	"github.com/smallstep/certificates/linkedca"
 )

 const (
@ -11,49 +12,22 @@ const (
 	DefaultAuthorityID = "00000000-0000-0000-0000-000000000000"
 )

-// Claims encapsulates all x509 and ssh claims applied to the authority
-// configuration. E.g. maxTLSCertDuration, defaultSSHCertDuration, etc.
-type Claims struct {
-	X509           *X509Claims `json:"x509Claims"`
-	SSH            *SSHClaims  `json:"sshClaims"`
-	DisableRenewal bool        `json:"disableRenewal"`
-}
-
-// X509Claims are the x509 claims applied to the authority.
-type X509Claims struct {
-	Durations *Durations `json:"durations"`
-}
-
-// SSHClaims are the ssh claims applied to the authority.
-type SSHClaims struct {
-	Enabled       bool       `json:"enabled"`
-	UserDurations *Durations `json:"userDurations"`
-	HostDurations *Durations `json:"hostDurations"`
-}
-
-// Durations represents min, max, default, duration.
-type Durations struct {
-	Min     string `json:"min"`
-	Max     string `json:"max"`
-	Default string `json:"default"`
-}
-
-func NewDefaultClaims() *Claims {
-	return &Claims{
-		X509: &X509Claims{
-			Durations: &Durations{
+func NewDefaultClaims() *linkedca.Claims {
+	return &linkedca.Claims{
+		X509: &linkedca.X509Claims{
+			Durations: &linkedca.Durations{
 				Min:     config.GlobalProvisionerClaims.MinTLSDur.String(),
 				Max:     config.GlobalProvisionerClaims.MaxTLSDur.String(),
 				Default: config.GlobalProvisionerClaims.DefaultTLSDur.String(),
 			},
 		},
-		SSH: &SSHClaims{
-			UserDurations: &Durations{
+		Ssh: &linkedca.SSHClaims{
+			UserDurations: &linkedca.Durations{
 				Min:     config.GlobalProvisionerClaims.MinUserSSHDur.String(),
 				Max:     config.GlobalProvisionerClaims.MaxUserSSHDur.String(),
 				Default: config.GlobalProvisionerClaims.DefaultUserSSHDur.String(),
 			},
-			HostDurations: &Durations{
+			HostDurations: &linkedca.Durations{
 				Min:     config.GlobalProvisionerClaims.MinHostSSHDur.String(),
 				Max:     config.GlobalProvisionerClaims.MaxHostSSHDur.String(),
 				Default: config.GlobalProvisionerClaims.DefaultHostSSHDur.String(),
--- a/authority/mgmt/db.go
+++ b/authority/mgmt/db.go
@ -17,11 +17,13 @@ type DB interface {
 	GetProvisioner(ctx context.Context, id string) (*linkedca.Provisioner, error)
 	GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, error)
 	UpdateProvisioner(ctx context.Context, prov *linkedca.Provisioner) error
+	DeleteProvisioner(ctx context.Context, id string) error

 	CreateAdmin(ctx context.Context, admin *linkedca.Admin) error
 	GetAdmin(ctx context.Context, id string) (*linkedca.Admin, error)
 	GetAdmins(ctx context.Context) ([]*linkedca.Admin, error)
 	UpdateAdmin(ctx context.Context, admin *linkedca.Admin) error
+	DeleteAdmin(ctx context.Context, id string) error
 }

 // MockDB is an implementation of the DB interface that should only be used as
@ -31,11 +33,13 @@ type MockDB struct {
 	MockGetProvisioner    func(ctx context.Context, id string) (*linkedca.Provisioner, error)
 	MockGetProvisioners   func(ctx context.Context) ([]*linkedca.Provisioner, error)
 	MockUpdateProvisioner func(ctx context.Context, prov *linkedca.Provisioner) error
+	MockDeleteProvisioner func(ctx context.Context, id string) error

 	MockCreateAdmin func(ctx context.Context, adm *linkedca.Admin) error
 	MockGetAdmin    func(ctx context.Context, id string) (*linkedca.Admin, error)
 	MockGetAdmins   func(ctx context.Context) ([]*linkedca.Admin, error)
 	MockUpdateAdmin func(ctx context.Context, adm *linkedca.Admin) error
+	MockDeleteAdmin func(ctx context.Context, id string) error

 	MockError error
 	MockRet1  interface{}
@ -79,6 +83,14 @@ func (m *MockDB) UpdateProvisioner(ctx context.Context, prov *linkedca.Provision
 	return m.MockError
 }

+// DeleteProvisioner mock
+func (m *MockDB) DeleteProvisioner(ctx context.Context, id string) error {
+	if m.MockDeleteProvisioner != nil {
+		return m.MockDeleteProvisioner(ctx, id)
+	}
+	return m.MockError
+}
+
 // CreateAdmin mock
 func (m *MockDB) CreateAdmin(ctx context.Context, admin *linkedca.Admin) error {
 	if m.MockCreateAdmin != nil {
@ -114,3 +126,11 @@ func (m *MockDB) UpdateAdmin(ctx context.Context, adm *linkedca.Admin) error {
 	}
 	return m.MockError
 }
+
+// DeleteAdmin mock
+func (m *MockDB) DeleteAdmin(ctx context.Context, id string) error {
+	if m.MockDeleteAdmin != nil {
+		return m.MockDeleteAdmin(ctx, id)
+	}
+	return m.MockError
+}
--- a/authority/mgmt/db/nosql/admin.go
+++ b/authority/mgmt/db/nosql/admin.go
@ -6,21 +6,20 @@ import (
 	"time"

 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/mgmt"
-	"github.com/smallstep/certificates/authority/status"
+	"github.com/smallstep/certificates/linkedca"
 	"github.com/smallstep/nosql"
 )

 // dbAdmin is the database representation of the Admin type.
 type dbAdmin struct {
-	ID            string     `json:"id"`
-	AuthorityID   string     `json:"authorityID"`
-	ProvisionerID string     `json:"provisionerID"`
-	Subject       string     `json:"subject"`
-	Type          admin.Type `json:"type"`
-	CreatedAt     time.Time  `json:"createdAt"`
-	DeletedAt     time.Time  `json:"deletedAt"`
+	ID            string              `json:"id"`
+	AuthorityID   string              `json:"authorityID"`
+	ProvisionerID string              `json:"provisionerID"`
+	Subject       string              `json:"subject"`
+	Type          linkedca.Admin_Type `json:"type"`
+	CreatedAt     time.Time           `json:"createdAt"`
+	DeletedAt     time.Time           `json:"deletedAt"`
 }

 func (dbp *dbAdmin) clone() *dbAdmin {
@ -59,30 +58,28 @@ func unmarshalDBAdmin(data []byte, id string) (*dbAdmin, error) {
 	if err := json.Unmarshal(data, dba); err != nil {
 		return nil, errors.Wrapf(err, "error unmarshaling admin %s into dbAdmin", id)
 	}
+	if !dba.DeletedAt.IsZero() {
+		return nil, mgmt.NewError(mgmt.ErrorDeletedType, "admin %s is deleted", id)
+	}
 	return dba, nil
 }

-func unmarshalAdmin(data []byte, id string) (*mgmt.Admin, error) {
-	var dba = new(dbAdmin)
-	if err := json.Unmarshal(data, dba); err != nil {
-		return nil, errors.Wrapf(err, "error unmarshaling admin %s into dbAdmin", id)
+func unmarshalAdmin(data []byte, id string) (*linkedca.Admin, error) {
+	dba, err := unmarshalDBAdmin(data, id)
+	if err != nil {
+		return nil, err
 	}
-	adm := &mgmt.Admin{
-		ID:            dba.ID,
-		AuthorityID:   dba.AuthorityID,
-		ProvisionerID: dba.ProvisionerID,
+	return &linkedca.Admin{
+		Id:            dba.ID,
+		AuthorityId:   dba.AuthorityID,
+		ProvisionerId: dba.ProvisionerID,
 		Subject:       dba.Subject,
 		Type:          dba.Type,
-		Status:        status.Active,
-	}
-	if !dba.DeletedAt.IsZero() {
-		adm.Status = status.Deleted
-	}
-	return adm, nil
+	}, nil
 }

 // GetAdmin retrieves and unmarshals a admin from the database.
-func (db *DB) GetAdmin(ctx context.Context, id string) (*mgmt.Admin, error) {
+func (db *DB) GetAdmin(ctx context.Context, id string) (*linkedca.Admin, error) {
 	data, err := db.getDBAdminBytes(ctx, id)
 	if err != nil {
 		return nil, err
@ -91,12 +88,9 @@ func (db *DB) GetAdmin(ctx context.Context, id string) (*mgmt.Admin, error) {
 	if err != nil {
 		return nil, err
 	}
-	if adm.Status == status.Deleted {
-		return nil, mgmt.NewError(mgmt.ErrorDeletedType, "admin %s is deleted", adm.ID)
-	}
-	if adm.AuthorityID != db.authorityID {
+	if adm.AuthorityId != db.authorityID {
 		return nil, mgmt.NewError(mgmt.ErrorAuthorityMismatchType,
-			"admin %s is not owned by authority %s", adm.ID, db.authorityID)
+			"admin %s is not owned by authority %s", adm.Id, db.authorityID)
 	}

 	return adm, nil
@ -105,21 +99,18 @@ func (db *DB) GetAdmin(ctx context.Context, id string) (*mgmt.Admin, error) {
 // GetAdmins retrieves and unmarshals all active (not deleted) admins
 // from the database.
 // TODO should we be paginating?
-func (db *DB) GetAdmins(ctx context.Context) ([]*mgmt.Admin, error) {
+func (db *DB) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) {
 	dbEntries, err := db.db.List(authorityAdminsTable)
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading admins")
 	}
-	var admins = []*mgmt.Admin{}
+	var admins = []*linkedca.Admin{}
 	for _, entry := range dbEntries {
 		adm, err := unmarshalAdmin(entry.Value, string(entry.Key))
 		if err != nil {
 			return nil, err
 		}
-		if adm.Status == status.Deleted {
-			continue
-		}
-		if adm.AuthorityID != db.authorityID {
+		if adm.AuthorityId != db.authorityID {
 			continue
 		}
 		admins = append(admins, adm)
@ -128,18 +119,18 @@ func (db *DB) GetAdmins(ctx context.Context) ([]*mgmt.Admin, error) {
 }

 // CreateAdmin stores a new admin to the database.
-func (db *DB) CreateAdmin(ctx context.Context, adm *mgmt.Admin) error {
+func (db *DB) CreateAdmin(ctx context.Context, adm *linkedca.Admin) error {
 	var err error
-	adm.ID, err = randID()
+	adm.Id, err = randID()
 	if err != nil {
 		return mgmt.WrapErrorISE(err, "error generating random id for admin")
 	}
-	adm.AuthorityID = db.authorityID
+	adm.AuthorityId = db.authorityID

 	dba := &dbAdmin{
-		ID:            adm.ID,
+		ID:            adm.Id,
 		AuthorityID:   db.authorityID,
-		ProvisionerID: adm.ProvisionerID,
+		ProvisionerID: adm.ProvisionerId,
 		Subject:       adm.Subject,
 		Type:          adm.Type,
 		CreatedAt:     clock.Now(),
@ -149,19 +140,27 @@ func (db *DB) CreateAdmin(ctx context.Context, adm *mgmt.Admin) error {
 }

 // UpdateAdmin saves an updated admin to the database.
-func (db *DB) UpdateAdmin(ctx context.Context, adm *mgmt.Admin) error {
-	old, err := db.getDBAdmin(ctx, adm.ID)
+func (db *DB) UpdateAdmin(ctx context.Context, adm *linkedca.Admin) error {
+	old, err := db.getDBAdmin(ctx, adm.Id)
 	if err != nil {
 		return err
 	}

 	nu := old.clone()
+	nu.Type = adm.Type
+
+	return db.save(ctx, old.ID, nu, old, "admin", authorityAdminsTable)
+}

-	// If the admin was active but is now deleted ...
-	if old.DeletedAt.IsZero() && adm.Status == status.Deleted {
-		nu.DeletedAt = clock.Now()
+// DeleteAdmin saves an updated admin to the database.
+func (db *DB) DeleteAdmin(ctx context.Context, id string) error {
+	old, err := db.getDBAdmin(ctx, id)
+	if err != nil {
+		return err
 	}
-	nu.Type = adm.Type
+
+	nu := old.clone()
+	nu.DeletedAt = clock.Now()

 	return db.save(ctx, old.ID, nu, old, "admin", authorityAdminsTable)
 }
--- a/authority/mgmt/db/nosql/authConfig.go
+++ b/authority/mgmt/db/nosql/authConfig.go
@ -1,117 +0,0 @@
-package nosql
-
-import (
-	"context"
-	"encoding/json"
-	"time"
-
-	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/authority/config"
-	"github.com/smallstep/certificates/authority/mgmt"
-	"github.com/smallstep/certificates/authority/status"
-	"github.com/smallstep/nosql"
-)
-
-type dbAuthConfig struct {
-	ID        string         `json:"id"`
-	ASN1DN    *config.ASN1DN `json:"asn1dn"`
-	Claims    *mgmt.Claims   `json:"claims"`
-	Backdate  string         `json:"backdate,omitempty"`
-	CreatedAt time.Time      `json:"createdAt"`
-	DeletedAt time.Time      `json:"deletedAt"`
-}
-
-func (dbp *dbAuthConfig) clone() *dbAuthConfig {
-	u := *dbp
-	return &u
-}
-
-func (db *DB) getDBAuthConfigBytes(ctx context.Context, id string) ([]byte, error) {
-	data, err := db.db.Get(authorityConfigsTable, []byte(id))
-	if nosql.IsErrNotFound(err) {
-		return nil, mgmt.NewError(mgmt.ErrorNotFoundType, "authConfig %s not found", id)
-	} else if err != nil {
-		return nil, errors.Wrapf(err, "error loading authConfig %s", id)
-	}
-	return data, nil
-}
-
-func (db *DB) getDBAuthConfig(ctx context.Context, id string) (*dbAuthConfig, error) {
-	data, err := db.getDBAuthConfigBytes(ctx, id)
-	if err != nil {
-		return nil, err
-	}
-
-	var dba = new(dbAuthConfig)
-	if err = json.Unmarshal(data, dba); err != nil {
-		return nil, errors.Wrapf(err, "error unmarshaling authority %s into dbAuthConfig", id)
-	}
-
-	return dba, nil
-}
-
-// GetAuthConfig retrieves an AuthConfig configuration from the DB.
-func (db *DB) GetAuthConfig(ctx context.Context, id string) (*mgmt.AuthConfig, error) {
-	dba, err := db.getDBAuthConfig(ctx, id)
-	if err != nil {
-		return nil, err
-	}
-
-	provs, err := db.GetProvisioners(ctx)
-	if err != nil {
-		return nil, err
-	}
-	admins, err := db.GetAdmins(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return &mgmt.AuthConfig{
-		ID:           dba.ID,
-		Admins:       admins,
-		Provisioners: provs,
-		ASN1DN:       dba.ASN1DN,
-		Backdate:     dba.Backdate,
-		Claims:       dba.Claims,
-	}, nil
-}
-
-// CreateAuthConfig stores a new provisioner to the database.
-func (db *DB) CreateAuthConfig(ctx context.Context, ac *mgmt.AuthConfig) error {
-	var err error
-	if ac.ID == "" {
-		ac.ID, err = randID()
-		if err != nil {
-			return errors.Wrap(err, "error generating random id for provisioner")
-		}
-	}
-
-	dba := &dbAuthConfig{
-		ID:        ac.ID,
-		ASN1DN:    ac.ASN1DN,
-		Claims:    ac.Claims,
-		Backdate:  ac.Backdate,
-		CreatedAt: clock.Now(),
-	}
-
-	return db.save(ctx, dba.ID, dba, nil, "authConfig", authorityConfigsTable)
-}
-
-// UpdateAuthConfig saves an updated provisioner to the database.
-func (db *DB) UpdateAuthConfig(ctx context.Context, ac *mgmt.AuthConfig) error {
-	old, err := db.getDBAuthConfig(ctx, ac.ID)
-	if err != nil {
-		return err
-	}
-
-	nu := old.clone()
-
-	// If the authority was active but is now deleted ...
-	if old.DeletedAt.IsZero() && ac.Status == status.Deleted {
-		nu.DeletedAt = clock.Now()
-	}
-	nu.Claims = ac.Claims
-	nu.Backdate = ac.Backdate
-
-	return db.save(ctx, old.ID, nu, old, "authConfig", authorityProvisionersTable)
-}
--- a/authority/mgmt/db/nosql/provisioner.go
+++ b/authority/mgmt/db/nosql/provisioner.go
@ -7,25 +7,25 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/mgmt"
-	"github.com/smallstep/certificates/authority/status"
+	"github.com/smallstep/certificates/linkedca"
 	"github.com/smallstep/nosql"
 )

 // dbProvisioner is the database representation of a Provisioner type.
 type dbProvisioner struct {
-	ID          string `json:"id"`
-	AuthorityID string `json:"authorityID"`
-	Type        string `json:"type"`
+	ID          string                    `json:"id"`
+	AuthorityID string                    `json:"authorityID"`
+	Type        linkedca.Provisioner_Type `json:"type"`
 	// Name is the key
-	Name             string       `json:"name"`
-	Claims           *mgmt.Claims `json:"claims"`
-	Details          []byte       `json:"details"`
-	X509Template     string       `json:"x509Template"`
-	X509TemplateData []byte       `json:"x509TemplateData"`
-	SSHTemplate      string       `json:"sshTemplate"`
-	SSHTemplateData  []byte       `json:"sshTemplateData"`
-	CreatedAt        time.Time    `json:"createdAt"`
-	DeletedAt        time.Time    `json:"deletedAt"`
+	Name             string           `json:"name"`
+	Claims           *linkedca.Claims `json:"claims"`
+	Details          []byte           `json:"details"`
+	X509Template     []byte           `json:"x509Template"`
+	X509TemplateData []byte           `json:"x509TemplateData"`
+	SSHTemplate      []byte           `json:"sshTemplate"`
+	SSHTemplateData  []byte           `json:"sshTemplateData"`
+	CreatedAt        time.Time        `json:"createdAt"`
+	DeletedAt        time.Time        `json:"deletedAt"`
 }

 type provisionerNameID struct {
@ -68,7 +68,7 @@ func (db *DB) getDBProvisioner(ctx context.Context, id string) (*dbProvisioner,
 }

 // GetProvisioner retrieves and unmarshals a provisioner from the database.
-func (db *DB) GetProvisioner(ctx context.Context, id string) (*mgmt.Provisioner, error) {
+func (db *DB) GetProvisioner(ctx context.Context, id string) (*linkedca.Provisioner, error) {
 	data, err := db.getDBProvisionerBytes(ctx, id)
 	if err != nil {
 		return nil, err
@ -78,12 +78,9 @@ func (db *DB) GetProvisioner(ctx context.Context, id string) (*mgmt.Provisioner,
 	if err != nil {
 		return nil, err
 	}
-	if prov.Status == status.Deleted {
-		return nil, mgmt.NewError(mgmt.ErrorDeletedType, "provisioner %s is deleted", prov.ID)
-	}
-	if prov.AuthorityID != db.authorityID {
+	if prov.AuthorityId != db.authorityID {
 		return nil, mgmt.NewError(mgmt.ErrorAuthorityMismatchType,
-			"provisioner %s is not owned by authority %s", prov.ID, db.authorityID)
+			"provisioner %s is not owned by authority %s", prov.Id, db.authorityID)
 	}
 	return prov, nil
 }
@ -93,56 +90,52 @@ func unmarshalDBProvisioner(data []byte, name string) (*dbProvisioner, error) {
 	if err := json.Unmarshal(data, dbp); err != nil {
 		return nil, errors.Wrapf(err, "error unmarshaling provisioner %s into dbProvisioner", name)
 	}
+	if !dbp.DeletedAt.IsZero() {
+		return nil, mgmt.NewError(mgmt.ErrorDeletedType, "provisioner %s is deleted", name)
+	}
 	return dbp, nil
 }

-func unmarshalProvisioner(data []byte, name string) (*mgmt.Provisioner, error) {
+func unmarshalProvisioner(data []byte, name string) (*linkedca.Provisioner, error) {
 	dbp, err := unmarshalDBProvisioner(data, name)
 	if err != nil {
 		return nil, err
 	}

-	details, err := mgmt.UnmarshalProvisionerDetails(dbp.Details)
+	details, err := linkedca.UnmarshalProvisionerDetails(dbp.Type, dbp.Details)
 	if err != nil {
 		return nil, err
 	}

-	prov := &mgmt.Provisioner{
-		ID:               dbp.ID,
-		AuthorityID:      dbp.AuthorityID,
+	prov := &linkedca.Provisioner{
+		Id:               dbp.ID,
+		AuthorityId:      dbp.AuthorityID,
 		Type:             dbp.Type,
 		Name:             dbp.Name,
 		Claims:           dbp.Claims,
 		Details:          details,
-		Status:           status.Active,
 		X509Template:     dbp.X509Template,
 		X509TemplateData: dbp.X509TemplateData,
-		SSHTemplate:      dbp.SSHTemplate,
-		SSHTemplateData:  dbp.SSHTemplateData,
-	}
-	if !dbp.DeletedAt.IsZero() {
-		prov.Status = status.Deleted
+		SshTemplate:      dbp.SSHTemplate,
+		SshTemplateData:  dbp.SSHTemplateData,
 	}
 	return prov, nil
 }

 // GetProvisioners retrieves and unmarshals all active (not deleted) provisioners
 // from the database.
-func (db *DB) GetProvisioners(ctx context.Context) ([]*mgmt.Provisioner, error) {
+func (db *DB) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, error) {
 	dbEntries, err := db.db.List(authorityProvisionersTable)
 	if err != nil {
 		return nil, mgmt.WrapErrorISE(err, "error loading provisioners")
 	}
-	var provs []*mgmt.Provisioner
+	var provs []*linkedca.Provisioner
 	for _, entry := range dbEntries {
 		prov, err := unmarshalProvisioner(entry.Value, string(entry.Key))
 		if err != nil {
 			return nil, err
 		}
-		if prov.Status == status.Deleted {
-			continue
-		}
-		if prov.AuthorityID != db.authorityID {
+		if prov.AuthorityId != db.authorityID {
 			continue
 		}
 		provs = append(provs, prov)
@ -151,9 +144,9 @@ func (db *DB) GetProvisioners(ctx context.Context) ([]*mgmt.Provisioner, error)
 }

 // CreateProvisioner stores a new provisioner to the database.
-func (db *DB) CreateProvisioner(ctx context.Context, prov *mgmt.Provisioner) error {
+func (db *DB) CreateProvisioner(ctx context.Context, prov *linkedca.Provisioner) error {
 	var err error
-	prov.ID, err = randID()
+	prov.Id, err = randID()
 	if err != nil {
 		return errors.Wrap(err, "error generating random id for provisioner")
 	}
@ -164,7 +157,7 @@ func (db *DB) CreateProvisioner(ctx context.Context, prov *mgmt.Provisioner) err
 	}

 	dbp := &dbProvisioner{
-		ID:               prov.ID,
+		ID:               prov.Id,
 		AuthorityID:      db.authorityID,
 		Type:             prov.Type,
 		Name:             prov.Name,
@ -172,12 +165,12 @@ func (db *DB) CreateProvisioner(ctx context.Context, prov *mgmt.Provisioner) err
 		Details:          details,
 		X509Template:     prov.X509Template,
 		X509TemplateData: prov.X509TemplateData,
-		SSHTemplate:      prov.SSHTemplate,
-		SSHTemplateData:  prov.SSHTemplateData,
+		SSHTemplate:      prov.SshTemplate,
+		SSHTemplateData:  prov.SshTemplateData,
 		CreatedAt:        clock.Now(),
 	}

-	if err := db.save(ctx, prov.ID, dbp, nil, "provisioner", authorityProvisionersTable); err != nil {
+	if err := db.save(ctx, prov.Id, dbp, nil, "provisioner", authorityProvisionersTable); err != nil {
 		return mgmt.WrapErrorISE(err, "error creating provisioner %s", prov.Name)
 	}

@ -185,8 +178,8 @@ func (db *DB) CreateProvisioner(ctx context.Context, prov *mgmt.Provisioner) err
 }

 // UpdateProvisioner saves an updated provisioner to the database.
-func (db *DB) UpdateProvisioner(ctx context.Context, prov *mgmt.Provisioner) error {
-	old, err := db.getDBProvisioner(ctx, prov.ID)
+func (db *DB) UpdateProvisioner(ctx context.Context, prov *linkedca.Provisioner) error {
+	old, err := db.getDBProvisioner(ctx, prov.Id)
 	if err != nil {
 		return err
 	}
@ -202,9 +195,10 @@ func (db *DB) UpdateProvisioner(ctx context.Context, prov *mgmt.Provisioner) err
 	}
 	nu.X509Template = prov.X509Template
 	nu.X509TemplateData = prov.X509TemplateData
-	nu.SSHTemplateData = prov.SSHTemplateData
+	nu.SSHTemplate = prov.SshTemplate
+	nu.SSHTemplateData = prov.SshTemplateData

-	if err := db.save(ctx, prov.ID, nu, old, "provisioner", authorityProvisionersTable); err != nil {
+	if err := db.save(ctx, prov.Id, nu, old, "provisioner", authorityProvisionersTable); err != nil {
 		return mgmt.WrapErrorISE(err, "error updating provisioner %s", prov.Name)
 	}

--- a/authority/mgmt/provisioner.go
+++ b/authority/mgmt/provisioner.go
@ -246,46 +246,3 @@ func claimsToCertificates(c *linkedca.Claims) (*provisioner.Claims, error) {
 		EnableSSHCA:       &c.Ssh.Enabled,
 	}, nil
 }
-
-/*
-type detailsType struct {
-	Type ProvisionerType
-}
-
-// UnmarshalProvisionerDetails unmarshals bytes into the proper details type.
-func UnmarshalProvisionerDetails(data json.RawMessage) (ProvisionerDetails, error) {
-	dt := new(detailsType)
-	if err := json.Unmarshal(data, dt); err != nil {
-		return nil, WrapErrorISE(err, "error unmarshaling provisioner details")
-	}
-
-	var v ProvisionerDetails
-	switch dt.Type {
-	case ProvisionerTypeJWK:
-		v = new(ProvisionerDetailsJWK)
-	case ProvisionerTypeOIDC:
-		v = new(ProvisionerDetailsOIDC)
-	case ProvisionerTypeGCP:
-		v = new(ProvisionerDetailsGCP)
-	case ProvisionerTypeAWS:
-		v = new(ProvisionerDetailsAWS)
-	case ProvisionerTypeAZURE:
-		v = new(ProvisionerDetailsAzure)
-	case ProvisionerTypeACME:
-		v = new(ProvisionerDetailsACME)
-	case ProvisionerTypeX5C:
-		v = new(ProvisionerDetailsX5C)
-	case ProvisionerTypeK8SSA:
-		v = new(ProvisionerDetailsK8SSA)
-	case ProvisionerTypeSSHPOP:
-		v = new(ProvisionerDetailsSSHPOP)
-	default:
-		return nil, fmt.Errorf("unsupported provisioner type %s", dt.Type)
-	}
-
-	if err := json.Unmarshal(data, v); err != nil {
-		return nil, err
-	}
-	return v, nil
-}
-*/
--- a/linkedca/provisioners.go
+++ b/linkedca/provisioners.go
@ -0,0 +1,38 @@
+package linkedca
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+// UnmarshalProvisionerDetails unmarshals details type to the specific provisioner details.
+func UnmarshalProvisionerDetails(typ Provisioner_Type, data []byte) (*ProvisionerDetails, error) {
+	var v isProvisionerDetails_Data
+	switch typ {
+	case Provisioner_JWK:
+		v = new(ProvisionerDetails_JWK)
+	case Provisioner_OIDC:
+		v = new(ProvisionerDetails_OIDC)
+	case Provisioner_GCP:
+		v = new(ProvisionerDetails_GCP)
+	case Provisioner_AWS:
+		v = new(ProvisionerDetails_AWS)
+	case Provisioner_AZURE:
+		v = new(ProvisionerDetails_Azure)
+	case Provisioner_ACME:
+		v = new(ProvisionerDetails_ACME)
+	case Provisioner_X5C:
+		v = new(ProvisionerDetails_X5C)
+	case Provisioner_K8SSA:
+		v = new(ProvisionerDetails_K8SSA)
+	case Provisioner_SSHPOP:
+		v = new(ProvisionerDetails_SSHPOP)
+	default:
+		return nil, fmt.Errorf("unsupported provisioner type %s", typ)
+	}
+
+	if err := json.Unmarshal(data, v); err != nil {
+		return nil, err
+	}
+	return &ProvisionerDetails{Data: v}, nil
+}