Merge pull request #862 from smallstep/startup-info

Print some basic configuration info on startup

authority/authority.go

@@ -80,6 +80,14 @@ type Authority struct {
 	adminMutex sync.RWMutex
 }
 
+type Info struct {
+	StartTime          time.Time
+	RootX509Certs      []*x509.Certificate
+	SSHCAUserPublicKey []byte
+	SSHCAHostPublicKey []byte
+	DNSNames           []string
+}
+
 // New creates and initiates a new Authority type.
 func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 	err := cfg.Validate()
@@ -294,8 +302,6 @@ func (a *Authority) init() error {
 				return err
 			}
 			a.rootX509Certs = append(a.rootX509Certs, resp.RootCertificate)
-			sum := sha256.Sum256(resp.RootCertificate.Raw)
-			log.Printf("Using root fingerprint '%s'", hex.EncodeToString(sum[:]))
 		}
 	}
 
@@ -561,6 +567,21 @@ func (a *Authority) GetAdminDatabase() admin.DB {
 	return a.adminDB
 }
 
+func (a *Authority) GetInfo() Info {
+	ai := Info{
+		StartTime:     a.startTime,
+		RootX509Certs: a.rootX509Certs,
+		DNSNames:      a.config.DNSNames,
+	}
+	if a.sshCAUserCertSignKey != nil {
+		ai.SSHCAUserPublicKey = ssh.MarshalAuthorizedKey(a.sshCAUserCertSignKey.PublicKey())
+	}
+	if a.sshCAHostCertSignKey != nil {
+		ai.SSHCAHostPublicKey = ssh.MarshalAuthorizedKey(a.sshCAHostCertSignKey.PublicKey())
+	}
+	return ai
+}
+
 // IsAdminAPIEnabled returns a boolean indicating whether the Admin API has
 // been enabled.
 func (a *Authority) IsAdminAPIEnabled() bool {

ca/ca.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"strings"
 	"sync"
 
 	"github.com/go-chi/chi"
@@ -26,11 +27,14 @@ import (
 	scepAPI "github.com/smallstep/certificates/scep/api"
 	"github.com/smallstep/certificates/server"
 	"github.com/smallstep/nosql"
+	"go.step.sm/cli-utils/step"
+	"go.step.sm/crypto/x509util"
 )
 
 type options struct {
 	configFile      string
 	linkedCAToken   string
+	quiet           bool
 	password        []byte
 	issuerPassword  []byte
 	sshHostPassword []byte
@@ -101,6 +105,13 @@ func WithLinkedCAToken(token string) Option {
 	}
 }
 
+// WithQuiet sets the quiet flag.
+func WithQuiet(quiet bool) Option {
+	return func(o *options) {
+		o.quiet = quiet
+	}
+}
+
 // CA is the type used to build the complete certificate authority. It builds
 // the HTTP server, set ups the middlewares and the HTTP handlers.
 type CA struct {
@@ -288,6 +299,35 @@ func (ca *CA) Run() error {
 	var wg sync.WaitGroup
 	errs := make(chan error, 1)
 
+	if !ca.opts.quiet {
+		authorityInfo := ca.auth.GetInfo()
+		log.Printf("Starting %s", step.Version())
+		log.Printf("Documentation: https://u.step.sm/docs/ca")
+		log.Printf("Community Discord: https://u.step.sm/discord")
+		if step.Contexts().GetCurrent() != nil {
+			log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
+		}
+		log.Printf("Config file: %s", ca.opts.configFile)
+		baseURL := fmt.Sprintf("https://%s%s",
+			authorityInfo.DNSNames[0],
+			ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
+		log.Printf("The primary server URL is %s", baseURL)
+		log.Printf("Root certificates are available at %s/roots.pem", baseURL)
+		if len(authorityInfo.DNSNames) > 1 {
+			log.Printf("Additional configured hostnames: %s",
+				strings.Join(authorityInfo.DNSNames[1:], ", "))
+		}
+		for _, crt := range authorityInfo.RootX509Certs {
+			log.Printf("X.509 Root Fingerprint: %s", x509util.Fingerprint(crt))
+		}
+		if authorityInfo.SSHCAHostPublicKey != nil {
+			log.Printf("SSH Host CA Key is %s\n", authorityInfo.SSHCAHostPublicKey)
+		}
+		if authorityInfo.SSHCAUserPublicKey != nil {
+			log.Printf("SSH User CA Key: %s\n", authorityInfo.SSHCAUserPublicKey)
+		}
+	}
+
 	if ca.insecureSrv != nil {
 		wg.Add(1)
 		go func() {
@@ -355,6 +395,7 @@ func (ca *CA) Reload() error {
 		WithSSHUserPassword(ca.opts.sshUserPassword),
 		WithIssuerPassword(ca.opts.issuerPassword),
 		WithLinkedCAToken(ca.opts.linkedCAToken),
+		WithQuiet(ca.opts.quiet),
 		WithConfigFile(ca.opts.configFile),
 		WithDatabase(ca.auth.GetDatabase()),
 	)

commands/app.go

@@ -58,6 +58,11 @@ certificate issuer private key used in the RA mode.`,
 			Usage:  "token used to enable the linked ca.",
 			EnvVar: "STEP_CA_TOKEN",
 		},
+		cli.BoolFlag{
+			Name:   "quiet",
+			Usage:  "disable startup information",
+			EnvVar: "STEP_CA_QUIET",
+		},
 		cli.StringFlag{
 			Name:   "context",
 			Usage:  "The name of the authority's context.",
@@ -74,6 +79,7 @@ func appAction(ctx *cli.Context) error {
 	issuerPassFile := ctx.String("issuer-password-file")
 	resolver := ctx.String("resolver")
 	token := ctx.String("token")
+	quiet := ctx.Bool("quiet")
 
 	if ctx.NArg() > 1 {
 		return errs.TooManyArguments(ctx)
@@ -155,7 +161,8 @@ To get a linked authority token:
 		ca.WithSSHHostPassword(sshHostPassword),
 		ca.WithSSHUserPassword(sshUserPassword),
 		ca.WithIssuerPassword(issuerPassword),
-		ca.WithLinkedCAToken(token))
+		ca.WithLinkedCAToken(token),
+		ca.WithQuiet(quiet))
 	if err != nil {
 		fatal(err)
 	}