Add some notes for SCEP provisioners

pull/1523/head
Herman Slatman 11 months ago
parent b2bf2c330b
commit 557672bb4b
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F

@ -262,7 +262,7 @@ func (a *Authority) ReloadAdminResources(ctx context.Context) error {
a.config.AuthorityConfig.Admins = adminList a.config.AuthorityConfig.Admins = adminList
a.admins = adminClxn a.admins = adminClxn
// update the SCEP service with the currently active SCEP // update the SCEP Authority with the currently active SCEP
// provisioner names and revalidate the configuration. // provisioner names and revalidate the configuration.
if a.scepAuthority != nil { if a.scepAuthority != nil {
a.scepAuthority.UpdateProvisioners(a.getSCEPProvisionerNames()) a.scepAuthority.UpdateProvisioners(a.getSCEPProvisionerNames())
@ -651,10 +651,10 @@ func (a *Authority) init() error {
} }
// The SCEP functionality is provided through an instance of // The SCEP functionality is provided through an instance of
// scep.Service. It is initialized once when the CA is started. // scep.Authority. It is initialized once when the CA is started.
// TODO(hs): should the SCEP service support reloading? For example, // TODO(hs): should the SCEP Authority support reloading? For example,
// when the admin resources are reloaded, specifically the provisioners, // when the admin resources are reloaded, specifically the provisioners,
// it can happen that the SCEP service is no longer required and can // it can happen that the SCEP Authority is no longer required and can
// be destroyed, or that it needs to be instantiated. It may also need // be destroyed, or that it needs to be instantiated. It may also need
// to be revalidated, because not all SCEP provisioner may have a // to be revalidated, because not all SCEP provisioner may have a
// valid decrypter available. // valid decrypter available.
@ -674,7 +674,7 @@ func (a *Authority) init() error {
} }
// TODO(hs): instead of creating the decrypter here, pass the // TODO(hs): instead of creating the decrypter here, pass the
// intermediate key + chain down to the SCEP service / authority, // intermediate key + chain down to the SCEP authority,
// and only instantiate it when required there. Is that possible? // and only instantiate it when required there. Is that possible?
// Also with entering passwords? // Also with entering passwords?
// TODO(hs): if moving the logic, try improving the logic for the // TODO(hs): if moving the logic, try improving the logic for the

@ -18,6 +18,7 @@ import (
"github.com/smallstep/certificates/api" "github.com/smallstep/certificates/api"
"github.com/smallstep/certificates/api/log" "github.com/smallstep/certificates/api/log"
"github.com/smallstep/certificates/authority"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/scep" "github.com/smallstep/certificates/scep"
) )
@ -208,7 +209,7 @@ func lookupProvisioner(next http.HandlerFunc) http.HandlerFunc {
} }
ctx := r.Context() ctx := r.Context()
auth := scep.MustFromContext(ctx) auth := authority.MustFromContext(ctx)
p, err := auth.LoadProvisionerByName(provisionerName) p, err := auth.LoadProvisionerByName(provisionerName)
if err != nil { if err != nil {
fail(w, err) fail(w, err)
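Review bot: `auth.LoadProvisionerByName` on the value returned by `authority.MustFromContext(ctx)` resolves a provisioner of any type, whereas the SCEP authority it replaces only knew about SCEP provisioners, so the code following the error check must confirm the loaded provisioner is a SCEP one before it is placed in the request context. If that is done with a type assertion, the two-value form keeps a JWK, ACME or other provisioner name from turning into a panic, e.g. `prov, ok := p.(scep.Provisioner)` followed by `if !ok { fail(w, <not-found or bad-request error>); return }`. The remainder of lookupProvisioner is outside this hunk, so this may already be covered there; it is worth re-checking because the lookup source changed.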

@ -4,17 +4,15 @@ import (
"context" "context"
"crypto" "crypto"
"crypto/x509" "crypto/x509"
"time"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
) )
// Provisioner is an interface that implements a subset of the provisioner.Interface -- // Provisioner is an interface that embeds the
// only those methods required by the SCEP api/authority. // provisioner.Interface and adds some SCEP specific
// functions.
type Provisioner interface { type Provisioner interface {
AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) provisioner.Interface
GetName() string
DefaultTLSCertDuration() time.Duration
GetOptions() *provisioner.Options GetOptions() *provisioner.Options
GetCapabilities() []string GetCapabilities() []string
ShouldIncludeRootInChain() bool ShouldIncludeRootInChain() bool
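Review bot: The rewritten doc comment on `Provisioner` should say what embedding `provisioner.Interface` implies for callers: the interface is now the full provisioner contract plus the SCEP-specific methods listed below it, so a checked assertion to `scep.Provisioner` is the only type-level distinction between a SCEP provisioner and any other provisioner a caller may be handed as a `provisioner.Interface`. Suggested wording: `// Provisioner is the provisioner contract the SCEP authority relies on: the full provisioner.Interface plus the SCEP-specific options, capabilities and chain settings. Satisfying it is what distinguishes a SCEP provisioner from other provisioner types at runtime.` The closing brace of the type declaration and the rest of the hunk are outside SOURCE.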
