Merge pull request #1018 from smallstep/ra-config

Ra config
2 years ago · 85fc837dc3
parent ae76d943c9 3c88a9ccc2
commit 85fc837dc3
7 changed files with 74 additions and 14 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -16,10 +16,19 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ---

 ## [Unreleased]
+### Added
+- Added automatic configuration of Linked RAs.
+- Send provisioner configuration on Linked RAs.
 ### Changed
- Certificates signed by an issuer using an RSA key will be signed using the same algorithm as the issuer certificate was signed with. The signature will no longer default to PKCS #1. For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256.
- Support two latest versions of Go (1.18, 1.19)
- Vadlidate revocation serial number (either base 10 or prefixed with an appropriate base)
+- Certificates signed by an issuer using an RSA key will be signed using the
+  same algorithm used to sign the issuer certificate. The signature will no
+  longer default to PKCS #1. For example, if the issuer certificate was signed
+  using RSA-PSS with SHA-256, a new certificate will also be signed using
+  RSA-PSS with SHA-256.
+- Support two latest versions of Go (1.18, 1.19).
+- Validate revocation serial number (either base 10 or prefixed with an
+  appropriate base).
+- Sanitize TLS options.

 ## [0.20.0] - 2022-05-26
 ### Added
--- a/authority/authority.go
+++ b/authority/authority.go
@ -339,6 +339,19 @@ func (a *Authority) init() error {
 					Type:        conf.RaConfig.Provisioner.Type.String(),
 					Provisioner: conf.RaConfig.Provisioner.Name,
 				}
+				// Configure the RA authority type if needed
+				if options.Type == "" {
+					options.Type = casapi.StepCAS
+				}
+			}
+			// Remote configuration is currently only supported on a linked RA
+			if sc := conf.ServerConfig; sc != nil {
+				if a.config.Address == "" {
+					a.config.Address = sc.Address
+				}
+				if len(a.config.DNSNames) == 0 {
+					a.config.DNSNames = sc.DnsNames
+				}
 			}
 		}

--- a/authority/config/config.go
+++ b/authority/config/config.go
@ -72,6 +72,7 @@ type Config struct {
 	Password         string               `json:"password,omitempty"`
 	Templates        *templates.Templates `json:"templates,omitempty"`
 	CommonName       string               `json:"commonName,omitempty"`
+	SkipValidation   bool                 `json:"-"`
 }

 // ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer
@ -201,6 +202,8 @@ func (c *Config) Save(filename string) error {
 // Validate validates the configuration.
 func (c *Config) Validate() error {
 	switch {
+	case c.SkipValidation:
+		return nil
 	case c.Address == "":
 		return errors.New("address cannot be empty")
 	case len(c.DNSNames) == 0:
--- a/authority/config/config_test.go
+++ b/authority/config/config_test.go
@ -35,9 +35,16 @@ func TestConfigValidate(t *testing.T) {
 	type ConfigValidateTest struct {
 		config *Config
 		err    error
-		tls    TLSOptions
+		tls    *TLSOptions
 	}
 	tests := map[string]func(*testing.T) ConfigValidateTest{
+		"skip-validation": func(t *testing.T) ConfigValidateTest {
+			return ConfigValidateTest{
+				config: &Config{
+					SkipValidation: true,
+				},
+			}
+		},
 		"empty-address": func(t *testing.T) ConfigValidateTest {
 			return ConfigValidateTest{
 				config: &Config{
@ -128,7 +135,7 @@ func TestConfigValidate(t *testing.T) {
 					Password:         "pass",
 					AuthorityConfig:  ac,
 				},
-				tls: DefaultTLSOptions,
+				tls: &DefaultTLSOptions,
 			}
 		},
 		"empty-TLS-values": func(t *testing.T) ConfigValidateTest {
@ -143,7 +150,7 @@ func TestConfigValidate(t *testing.T) {
 					AuthorityConfig:  ac,
 					TLS:              &TLSOptions{},
 				},
-				tls: DefaultTLSOptions,
+				tls: &DefaultTLSOptions,
 			}
 		},
 		"custom-tls-values": func(t *testing.T) ConfigValidateTest {
@ -165,7 +172,7 @@ func TestConfigValidate(t *testing.T) {
 						Renegotiation: true,
 					},
 				},
-				tls: TLSOptions{
+				tls: &TLSOptions{
 					CipherSuites: CipherSuites{
 						"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
 					},
@ -209,9 +216,9 @@ func TestConfigValidate(t *testing.T) {
 				}
 			} else {
 				if assert.Nil(t, tc.err) {
-					fmt.Printf("tc.tls = %+v\n", tc.tls)
-					fmt.Printf("*tc.config.TLS = %+v\n", *tc.config.TLS)
-					assert.Equals(t, *tc.config.TLS, tc.tls)
+					fmt.Printf("tc.tls = %v\n", tc.tls)
+					fmt.Printf("*tc.config.TLS = %v\n", tc.config.TLS)
+					assert.Equals(t, tc.config.TLS, tc.tls)
 				}
 			}
 		})
--- a/commands/app.go
+++ b/commands/app.go
@ -7,12 +7,15 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 	"unicode"

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/config"
+	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/ca"
+	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/pki"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@ -99,10 +102,35 @@ func appAction(ctx *cli.Context) error {
 	}

 	cfg, err := config.LoadConfiguration(configFile)
-	if err != nil {
+	if err != nil && token == "" {
 		fatal(err)
 	}

+	// Initialize a basic configuration to be used with an automatically
+	// configured linked RA. Default configuration includes:
+	//  * badgerv2 on $(step path)/db
+	//  * JSON logger
+	//  * Default TLS options
+	if cfg == nil {
+		cfg = &config.Config{
+			SkipValidation: true,
+			Logger:         []byte(`{"format":"json"}`),
+			DB: &db.Config{
+				Type:       "badgerv2",
+				DataSource: filepath.Join(step.Path(), "db"),
+			},
+			AuthorityConfig: &config.AuthConfig{
+				DeploymentType: pki.LinkedDeployment.String(),
+				Provisioners:   provisioner.List{},
+				Template:       &config.ASN1DN{},
+				Backdate: &provisioner.Duration{
+					Duration: config.DefaultBackdate,
+				},
+			},
+			TLS: &config.DefaultTLSOptions,
+		}
+	}
+
 	if cfg.AuthorityConfig != nil {
 		if token == "" && strings.EqualFold(cfg.AuthorityConfig.DeploymentType, pki.LinkedDeployment.String()) {
 			return errors.New(`'step-ca' requires the '--token' flag for linked deploy type.
--- a/go.mod
+++ b/go.mod
@ -27,7 +27,7 @@ require (
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.7.3
 	go.step.sm/crypto v0.17.1
-	go.step.sm/linkedca v0.17.1
+	go.step.sm/linkedca v0.18.0
 	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
 	golang.org/x/net v0.0.0-20220607020251-c690dde0001d
 	google.golang.org/api v0.84.0
--- a/go.sum
+++ b/go.sum
@ -769,8 +769,8 @@ go.step.sm/cli-utils v0.7.3/go.mod h1:RJRwbBLqzs5nrepQLAV9FuT3fVpWz66tKzLIB7Izpf
 go.step.sm/crypto v0.9.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0=
 go.step.sm/crypto v0.17.1 h1:uKpJNvzVy/GKR28hJbW8VCbfcKKBDnGNBYCKhAp2TSg=
 go.step.sm/crypto v0.17.1/go.mod h1:FXFiLBUsoE0OGz8JTjxhYU1rwKKNgVIb5izZTUMdc/8=
-go.step.sm/linkedca v0.17.1 h1:LSP3kGGeVkOAoDWoqg89tko6mpvJKTRcOHfrEOnPsNc=
-go.step.sm/linkedca v0.17.1/go.mod h1:qSuYlIIhvPmA2+DSSS03E2IXhbXWTLW61Xh9zDQJ3VM=
+go.step.sm/linkedca v0.18.0 h1:uxRBd2WDvJNZ2i0nJm/QmG4lkRxWoebYKJinchX7T7o=
+go.step.sm/linkedca v0.18.0/go.mod h1:qSuYlIIhvPmA2+DSSS03E2IXhbXWTLW61Xh9zDQJ3VM=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=