Add some notes for SCEP provisioners

11 months ago · 557672bb4b
parent b2bf2c330b
commit 557672bb4b
3 changed files with 11 additions and 12 deletions
--- a/authority/authority.go
+++ b/authority/authority.go
@ -262,7 +262,7 @@ func (a *Authority) ReloadAdminResources(ctx context.Context) error {
 	a.config.AuthorityConfig.Admins = adminList
 	a.admins = adminClxn
-	// update the SCEP service with the currently active SCEP
+	// update the SCEP Authority with the currently active SCEP
 	// provisioner names and revalidate the configuration.
 	if a.scepAuthority != nil {
 		a.scepAuthority.UpdateProvisioners(a.getSCEPProvisionerNames())
@ -651,10 +651,10 @@ func (a *Authority) init() error {
 	}
 	// The SCEP functionality is provided through an instance of
-	// scep.Service. It is initialized once when the CA is started.
+	// scep.Authority. It is initialized once when the CA is started.
-	// TODO(hs): should the SCEP service support reloading? For example,
+	// TODO(hs): should the SCEP Authority support reloading? For example,
 	// when the admin resources are reloaded, specifically the provisioners,
-	// it can happen that the SCEP service is no longer required and can
+	// it can happen that the SCEP Authority is no longer required and can
 	// be destroyed, or that it needs to be instantiated. It may also need
 	// to be revalidated, because not all SCEP provisioner may have a
 	// valid decrypter available.
@ -674,7 +674,7 @@ func (a *Authority) init() error {
 		}
 		// TODO(hs): instead of creating the decrypter here, pass the
-		// intermediate key + chain down to the SCEP service / authority,
+		// intermediate key + chain down to the SCEP authority,
 		// and only instantiate it when required there. Is that possible?
 		// Also with entering passwords?
 		// TODO(hs): if moving the logic, try improving the logic for the
--- a/scep/api/api.go
+++ b/scep/api/api.go
@ -18,6 +18,7 @@ import (
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/api/log"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/scep"
 )
@ -208,7 +209,7 @@ func lookupProvisioner(next http.HandlerFunc) http.HandlerFunc {
 		}
 		ctx := r.Context()
-		auth := scep.MustFromContext(ctx)
+		auth := authority.MustFromContext(ctx)
 		p, err := auth.LoadProvisionerByName(provisionerName)
 		if err != nil {
 			fail(w, err)
--- a/scep/provisioner.go
+++ b/scep/provisioner.go
@ -4,17 +4,15 @@ import (
 	"context"
 	"crypto"
 	"crypto/x509"
 	"time"
 	"github.com/smallstep/certificates/authority/provisioner"
 )
-// Provisioner is an interface that implements a subset of the provisioner.Interface --
+// Provisioner is an interface that embeds the
-// only those methods required by the SCEP api/authority.
+// provisioner.Interface and adds some SCEP specific
 // functions.
 type Provisioner interface {
-	AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
+	provisioner.Interface
 	GetName() string
 	DefaultTLSCertDuration() time.Duration
 	GetOptions() *provisioner.Options
 	GetCapabilities() []string
 	ShouldIncludeRootInChain() bool