|
|
@ -8,20 +8,22 @@ import (
|
|
|
|
"time"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
|
|
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
|
|
|
"github.com/smallstep/nosql"
|
|
|
|
"github.com/smallstep/nosql"
|
|
|
|
"github.com/smallstep/nosql/database"
|
|
|
|
"github.com/smallstep/nosql/database"
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
var (
|
|
|
|
certsTable = []byte("x509_certs")
|
|
|
|
certsTable = []byte("x509_certs")
|
|
|
|
revokedCertsTable = []byte("revoked_x509_certs")
|
|
|
|
certsToProvisionerTable = []byte("x509_certs_provisioner")
|
|
|
|
revokedSSHCertsTable = []byte("revoked_ssh_certs")
|
|
|
|
revokedCertsTable = []byte("revoked_x509_certs")
|
|
|
|
usedOTTTable = []byte("used_ott")
|
|
|
|
revokedSSHCertsTable = []byte("revoked_ssh_certs")
|
|
|
|
sshCertsTable = []byte("ssh_certs")
|
|
|
|
usedOTTTable = []byte("used_ott")
|
|
|
|
sshHostsTable = []byte("ssh_hosts")
|
|
|
|
sshCertsTable = []byte("ssh_certs")
|
|
|
|
sshUsersTable = []byte("ssh_users")
|
|
|
|
sshHostsTable = []byte("ssh_hosts")
|
|
|
|
sshHostPrincipalsTable = []byte("ssh_host_principals")
|
|
|
|
sshUsersTable = []byte("ssh_users")
|
|
|
|
|
|
|
|
sshHostPrincipalsTable = []byte("ssh_host_principals")
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
// ErrAlreadyExists can be returned if the DB attempts to set a key that has
|
|
|
|
// ErrAlreadyExists can be returned if the DB attempts to set a key that has
|
|
|
@ -82,7 +84,7 @@ func New(c *Config) (AuthDB, error) {
|
|
|
|
tables := [][]byte{
|
|
|
|
tables := [][]byte{
|
|
|
|
revokedCertsTable, certsTable, usedOTTTable,
|
|
|
|
revokedCertsTable, certsTable, usedOTTTable,
|
|
|
|
sshCertsTable, sshHostsTable, sshHostPrincipalsTable, sshUsersTable,
|
|
|
|
sshCertsTable, sshHostsTable, sshHostPrincipalsTable, sshUsersTable,
|
|
|
|
revokedSSHCertsTable,
|
|
|
|
revokedSSHCertsTable, certsToProvisionerTable,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, b := range tables {
|
|
|
|
for _, b := range tables {
|
|
|
|
if err := db.CreateTable(b); err != nil {
|
|
|
|
if err := db.CreateTable(b); err != nil {
|
|
|
@ -210,6 +212,36 @@ func (db *DB) StoreCertificate(crt *x509.Certificate) error {
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
type certsToProvionersData struct {
|
|
|
|
|
|
|
|
ID string `json:"id"`
|
|
|
|
|
|
|
|
Name string `json:"name"`
|
|
|
|
|
|
|
|
Type string `json:"type"`
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// StoreCertificateChain stores the leaf certificate and the provisioner that
|
|
|
|
|
|
|
|
// authorized the certificate.
|
|
|
|
|
|
|
|
func (d *DB) StoreCertificateChain(p provisioner.Interface, chain ...*x509.Certificate) error {
|
|
|
|
|
|
|
|
leaf := chain[0]
|
|
|
|
|
|
|
|
if err := d.StoreCertificate(leaf); err != nil {
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if p != nil {
|
|
|
|
|
|
|
|
b, err := json.Marshal(certsToProvionersData{
|
|
|
|
|
|
|
|
ID: p.GetID(),
|
|
|
|
|
|
|
|
Name: p.GetName(),
|
|
|
|
|
|
|
|
Type: p.GetType().String(),
|
|
|
|
|
|
|
|
})
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return errors.Wrap(err, "error marshaling json")
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if err := d.Set(certsToProvisionerTable, []byte(leaf.SerialNumber.String()), b); err != nil {
|
|
|
|
|
|
|
|
return errors.Wrap(err, "database Set error")
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// UseToken returns true if we were able to successfully store the token for
|
|
|
|
// UseToken returns true if we were able to successfully store the token for
|
|
|
|
// for the first time, false otherwise.
|
|
|
|
// for the first time, false otherwise.
|
|
|
|
func (db *DB) UseToken(id, tok string) (bool, error) {
|
|
|
|
func (db *DB) UseToken(id, tok string) (bool, error) {
|
|
|
|