Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove provisioner intermediate type.

Browse Source
pull/51/head
Mariano Cano 5 years ago
parent 1671ab2590
commit 507fd01062
5 changed files with 45 additions and 100 deletions
Show Stats Download Patch File Download Diff File

6
api/api.go
Unescape Escape View File

@ -31,7 +31,7 @@ type Authority interface {
Root(shasum string) (*x509.Certificate, error) Root(shasum string) (*x509.Certificate, error)
Sign(cr *x509.CertificateRequest, signOpts authority.SignOptions, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error) Sign(cr *x509.CertificateRequest, signOpts authority.SignOptions, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error)
Renew(peer *x509.Certificate) (*x509.Certificate, *x509.Certificate, error) Renew(peer *x509.Certificate) (*x509.Certificate, *x509.Certificate, error)
GetProvisioners(cursor string, limit int) ([]*provisioner.Provisioner, string, error) GetProvisioners(cursor string, limit int) (provisioner.List, string, error)
GetEncryptedKey(kid string) (string, error) GetEncryptedKey(kid string) (string, error)
GetRoots() (federation []*x509.Certificate, err error) GetRoots() (federation []*x509.Certificate, err error)
GetFederation() ([]*x509.Certificate, error) GetFederation() ([]*x509.Certificate, error)
@ -162,8 +162,8 @@ type SignRequest struct {
// ProvisionersResponse is the response object that returns the list of // ProvisionersResponse is the response object that returns the list of
// provisioners. // provisioners.
type ProvisionersResponse struct { type ProvisionersResponse struct {
Provisioners []*provisioner.Provisioner `json:"provisioners"` Provisioners provisioner.List `json:"provisioners"`
NextCursor string `json:"nextCursor"` NextCursor string `json:"nextCursor"`
} }
// ProvisionerKeyResponse is the response object that returns the encryptoed key // ProvisionerKeyResponse is the response object that returns the encryptoed key

8
authority/config.go
Unescape Escape View File

@ -52,10 +52,10 @@ type Config struct {
// AuthConfig represents the configuration options for the authority. // AuthConfig represents the configuration options for the authority.
type AuthConfig struct { type AuthConfig struct {
Provisioners []*provisioner.Provisioner `json:"provisioners"` Provisioners provisioner.List `json:"provisioners"`
Template *x509util.ASN1DN `json:"template,omitempty"` Template *x509util.ASN1DN `json:"template,omitempty"`
Claims *provisioner.Claims `json:"claims,omitempty"` Claims *provisioner.Claims `json:"claims,omitempty"`
DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"` DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
} }
// Validate validates the authority configuration. // Validate validates the authority configuration.

20
authority/provisioner/collection.go
Unescape Escape View File

@ -23,7 +23,7 @@ const DefaultProvisionersLimit = 20
const DefaultProvisionersMax = 100 const DefaultProvisionersMax = 100
type uidProvisioner struct { type uidProvisioner struct {
provisioner *Provisioner provisioner Interface
uid string uid string
} }
@ -52,12 +52,12 @@ func NewCollection(audiences []string) *Collection {
} }
// Load a provisioner by the ID. // Load a provisioner by the ID.
func (c *Collection) Load(id string) (*Provisioner, bool) { func (c *Collection) Load(id string) (Interface, bool) {
return loadProvisioner(c.byID, id) return loadProvisioner(c.byID, id)
} }
// LoadByToken parses the token claims and loads the provisioner associated. // LoadByToken parses the token claims and loads the provisioner associated.
func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (*Provisioner, bool) { func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) (Interface, bool) {
// match with server audiences // match with server audiences
if matchesAudience(claims.Audience, c.audiences) { if matchesAudience(claims.Audience, c.audiences) {
// If matches with stored audiences it will be a JWT token (default), and // If matches with stored audiences it will be a JWT token (default), and
@ -82,7 +82,7 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
// LoadByCertificate lookds for the provisioner extension and extracts the // LoadByCertificate lookds for the provisioner extension and extracts the
// proper id to load the provisioner. // proper id to load the provisioner.
func (c *Collection) LoadByCertificate(cert *x509.Certificate) (*Provisioner, bool) { func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool) {
for _, e := range cert.Extensions { for _, e := range cert.Extensions {
if e.Id.Equal(stepOIDProvisioner) { if e.Id.Equal(stepOIDProvisioner) {
var provisioner stepProvisionerASN1 var provisioner stepProvisionerASN1
@ -111,7 +111,7 @@ func (c *Collection) LoadEncryptedKey(keyID string) (string, bool) {
// Store adds a provisioner to the collection, it makes sure two provisioner // Store adds a provisioner to the collection, it makes sure two provisioner
// does not have the same ID. // does not have the same ID.
func (c *Collection) Store(p *Provisioner) error { func (c *Collection) Store(p Interface) error {
// Store provisioner always in byID. ID must be unique. // Store provisioner always in byID. ID must be unique.
if _, loaded := c.byID.LoadOrStore(p.GetID(), p); loaded == true { if _, loaded := c.byID.LoadOrStore(p.GetID(), p); loaded == true {
return errors.New("cannot add multiple provisioners with the same id") return errors.New("cannot add multiple provisioners with the same id")
@ -142,7 +142,7 @@ func (c *Collection) Store(p *Provisioner) error {
} }
// Find implements pagination on a list of sorted provisioners. // Find implements pagination on a list of sorted provisioners.
func (c *Collection) Find(cursor string, limit int) ([]*Provisioner, string) { func (c *Collection) Find(cursor string, limit int) (List, string) {
switch { switch {
case limit <= 0: case limit <= 0:
limit = DefaultProvisionersLimit limit = DefaultProvisionersLimit
@ -154,7 +154,7 @@ func (c *Collection) Find(cursor string, limit int) ([]*Provisioner, string) {
cursor = fmt.Sprintf("%040s", cursor) cursor = fmt.Sprintf("%040s", cursor)
i := sort.Search(n, func(i int) bool { return c.sorted[i].uid >= cursor }) i := sort.Search(n, func(i int) bool { return c.sorted[i].uid >= cursor })
slice := []*Provisioner{} slice := List{}
for ; i < n && len(slice) < limit; i++ { for ; i < n && len(slice) < limit; i++ {
slice = append(slice, c.sorted[i].provisioner) slice = append(slice, c.sorted[i].provisioner)
} }
@ -165,12 +165,12 @@ func (c *Collection) Find(cursor string, limit int) ([]*Provisioner, string) {
return slice, "" return slice, ""
} }
func loadProvisioner(m *sync.Map, key string) (*Provisioner, bool) { func loadProvisioner(m *sync.Map, key string) (Interface, bool) {
i, ok := m.Load(key) i, ok := m.Load(key)
if !ok { if !ok {
return nil, false return nil, false
} }
p, ok := i.(*Provisioner) p, ok := i.(Interface)
if !ok { if !ok {
return nil, false return nil, false
} }
@ -179,7 +179,7 @@ func loadProvisioner(m *sync.Map, key string) (*Provisioner, bool) {
// provisionerSum returns the SHA1 of the provisioners ID. From this we will // provisionerSum returns the SHA1 of the provisioners ID. From this we will
// create the unique and sorted id. // create the unique and sorted id.
func provisionerSum(p *Provisioner) ([]byte, error) { func provisionerSum(p Interface) ([]byte, error) {
sum := sha1.Sum([]byte(p.GetID())) sum := sha1.Sum([]byte(p.GetID()))
return sum[:], nil return sum[:], nil
} }

109
authority/provisioner/provisioner.go
Unescape Escape View File

@ -44,91 +44,36 @@ type provisioner struct {
Type string `json:"type"` Type string `json:"type"`
} }
// Provisioner implements the provisioner.Interface on a base provisioner. It // List represents a list of provisioners.
// also implements custom marshalers and unmarshalers so different provisioners type List []Interface
// can be represented in a configuration type.
type Provisioner struct { // UnmarshalJSON implements json.Unmarshaler and allows to unmarshal a list of a
base Interface // interfaces into the right type.
} func (l *List) UnmarshalJSON(data []byte) error {
ps := []json.RawMessage{}
// New creates a new provisioner from the base provisioner. if err := json.Unmarshal(data, &ps); err != nil {
func New(base Interface) *Provisioner { return errors.Wrap(err, "error unmarshaling provisioner list")
return &Provisioner{
base: base,
} }
}
// Base returns the base type of the provisioner.
func (p *Provisioner) Base() Interface {
return p.base
}
// GetID returns the base provisioner unique ID. This identifier is used as the
// key in a provisioner.Collection.
func (p *Provisioner) GetID() string {
return p.base.GetID()
}
// GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (p *Provisioner) GetEncryptedKey() (string, string, bool) {
return p.base.GetEncryptedKey()
}
// GetName returns the name of the provisioner
func (p *Provisioner) GetName() string {
return p.base.GetName()
}
// GetType return the provisioners type.
func (p *Provisioner) GetType() Type {
return p.base.GetType()
}
// Init initializes the base provisioner with the given claims. for _, data := range ps {
func (p *Provisioner) Init(c Config) error { var typ provisioner
return p.base.Init(c) if err := json.Unmarshal(data, &typ); err != nil {
} return errors.Errorf("error unmarshaling provisioner")
}
// Authorize validates the given token on the base provisioner returning a list var p Interface
// of options to validate the signing request. switch strings.ToLower(typ.Type) {
func (p *Provisioner) Authorize(token string) ([]SignOption, error) { case "jwk":
return p.base.Authorize(token) p = &JWK{}
} case "oidc":
p = &OIDC{}
// AuthorizeRenewal checks if the base provisioner authorizes the renewal. default:
func (p *Provisioner) AuthorizeRenewal(cert *x509.Certificate) error { return errors.Errorf("provisioner type %s not supported", typ.Type)
return p.base.AuthorizeRenewal(cert) }
} if err := json.Unmarshal(data, p); err != nil {
return errors.Errorf("error unmarshaling provisioner")
// AuthorizeRevoke checks on the base provisioner if the given token has revoke }
// access. *l = append(*l, p)
func (p *Provisioner) AuthorizeRevoke(token string) error {
return p.base.AuthorizeRevoke(token)
}
// MarshalJSON implements the json.Marshaler interface on the Provisioner type.
func (p *Provisioner) MarshalJSON() ([]byte, error) {
return json.Marshal(p.base)
}
// UnmarshalJSON implements the json.Unmarshaler interface on the Provisioner
// type.
func (p *Provisioner) UnmarshalJSON(data []byte) error {
var typ provisioner
if err := json.Unmarshal(data, &typ); err != nil {
return errors.Errorf("error unmarshaling provisioner")
} }
switch strings.ToLower(typ.Type) {
case "jwk":
p.base = &JWK{}
case "oidc":
p.base = &OIDC{}
default:
return errors.Errorf("provisioner type %s not supported", typ.Type)
}
if err := json.Unmarshal(data, &p.base); err != nil {
return errors.Errorf("error unmarshaling provisioner")
}
return nil return nil
} }

2
authority/provisioners.go
Unescape Escape View File

@ -19,7 +19,7 @@ func (a *Authority) GetEncryptedKey(kid string) (string, error) {
// GetProvisioners returns a map listing each provisioner and the JWK Key Set // GetProvisioners returns a map listing each provisioner and the JWK Key Set
// with their public keys. // with their public keys.
func (a *Authority) GetProvisioners(cursor string, limit int) ([]*provisioner.Provisioner, string, error) { func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error) {
provisioners, nextCursor := a.provisioners.Find(cursor, limit) provisioners, nextCursor := a.provisioners.Find(cursor, limit)
return provisioners, nextCursor, nil return provisioners, nextCursor, nil
} }

Write Preview
Loading…
Cancel
Save