Merge branch 'master' into fix/adminra

2 years ago · d3b6bc3c75
parent ad5aedfa60 6331041b2b
commit d3b6bc3c75
11 changed files with 72 additions and 83 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,9 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

 ## [Unreleased - 0.18.3] - DATE
 ### Added
- Added support for renew after expiry using the claim `allowRenewAfterExpiry`.
- Added initial support for `extraNames` in X.509 templates.
- Added initial support for automatic configuration of linked RAs.
+- Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`.
+- Added support for `extraNames` in X.509 templates.
+- Added support for automatic configuration of linked RAs.
 ### Changed
 - Made SCEP CA URL paths dynamic
 - Support two latest versions of Go (1.17, 1.18)
--- a/README.md
+++ b/README.md
@ -54,7 +54,7 @@ Setting up a *public key infrastructure* (PKI) is out of reach for many small te
 - [Short-lived certificates](https://smallstep.com/blog/passive-revocation.html) with automated enrollment, renewal, and passive revocation
 - Capable of high availability (HA) deployment using [root federation](https://smallstep.com/blog/step-v0.8.3-federation-root-rotation.html) and/or multiple intermediaries
 - Can operate as [an online intermediate CA for an existing root CA](https://smallstep.com/docs/tutorials/intermediate-ca-new-ca)
- [Badger, BoltDB, and MySQL database backends](https://smallstep.com/docs/step-ca/configuration#databases)
+- [Badger, BoltDB, Postgres, and MySQL database backends](https://smallstep.com/docs/step-ca/configuration#databases)

 ### ⚙️ Many ways to automate

--- a/authority/config/config.go
+++ b/authority/config/config.go
@ -26,27 +26,27 @@ var (
 	DefaultBackdate = time.Minute
 	// DefaultDisableRenewal disables renewals per provisioner.
 	DefaultDisableRenewal = false
-	// DefaultAllowRenewAfterExpiry allows renewals even if the certificate is
+	// DefaultAllowRenewalAfterExpiry allows renewals even if the certificate is
 	// expired.
-	DefaultAllowRenewAfterExpiry = false
+	DefaultAllowRenewalAfterExpiry = false
 	// DefaultEnableSSHCA enable SSH CA features per provisioner or globally
 	// for all provisioners.
 	DefaultEnableSSHCA = false
 	// GlobalProvisionerClaims default claims for the Authority. Can be overridden
 	// by provisioner specific claims.
 	GlobalProvisionerClaims = provisioner.Claims{
-		MinTLSDur:             &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
-		MaxTLSDur:             &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultTLSDur:         &provisioner.Duration{Duration: 24 * time.Hour},
-		MinUserSSHDur:         &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
-		MaxUserSSHDur:         &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultUserSSHDur:     &provisioner.Duration{Duration: 16 * time.Hour},
-		MinHostSSHDur:         &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
-		MaxHostSSHDur:         &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		DefaultHostSSHDur:     &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		EnableSSHCA:           &DefaultEnableSSHCA,
-		DisableRenewal:        &DefaultDisableRenewal,
-		AllowRenewAfterExpiry: &DefaultAllowRenewAfterExpiry,
+		MinTLSDur:               &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
+		MaxTLSDur:               &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultTLSDur:           &provisioner.Duration{Duration: 24 * time.Hour},
+		MinUserSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
+		MaxUserSSHDur:           &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultUserSSHDur:       &provisioner.Duration{Duration: 16 * time.Hour},
+		MinHostSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
+		MaxHostSSHDur:           &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		DefaultHostSSHDur:       &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		EnableSSHCA:             &DefaultEnableSSHCA,
+		DisableRenewal:          &DefaultDisableRenewal,
+		AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry,
 	}
 )

--- a/authority/provisioner/claims.go
+++ b/authority/provisioner/claims.go
@ -24,8 +24,8 @@ type Claims struct {
 	EnableSSHCA       *bool     `json:"enableSSHCA,omitempty"`

 	// Renewal properties
-	DisableRenewal        *bool `json:"disableRenewal,omitempty"`
-	AllowRenewAfterExpiry *bool `json:"allowRenewAfterExpiry,omitempty"`
+	DisableRenewal          *bool `json:"disableRenewal,omitempty"`
+	AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"`
 }

 // Claimer is the type that controls claims. It provides an interface around the
@ -44,22 +44,22 @@ func NewClaimer(claims *Claims, global Claims) (*Claimer, error) {
 // Claims returns the merge of the inner and global claims.
 func (c *Claimer) Claims() Claims {
 	disableRenewal := c.IsDisableRenewal()
-	allowRenewAfterExpiry := c.AllowRenewAfterExpiry()
+	allowRenewalAfterExpiry := c.AllowRenewalAfterExpiry()
 	enableSSHCA := c.IsSSHCAEnabled()

 	return Claims{
-		MinTLSDur:             &Duration{c.MinTLSCertDuration()},
-		MaxTLSDur:             &Duration{c.MaxTLSCertDuration()},
-		DefaultTLSDur:         &Duration{c.DefaultTLSCertDuration()},
-		MinUserSSHDur:         &Duration{c.MinUserSSHCertDuration()},
-		MaxUserSSHDur:         &Duration{c.MaxUserSSHCertDuration()},
-		DefaultUserSSHDur:     &Duration{c.DefaultUserSSHCertDuration()},
-		MinHostSSHDur:         &Duration{c.MinHostSSHCertDuration()},
-		MaxHostSSHDur:         &Duration{c.MaxHostSSHCertDuration()},
-		DefaultHostSSHDur:     &Duration{c.DefaultHostSSHCertDuration()},
-		EnableSSHCA:           &enableSSHCA,
-		DisableRenewal:        &disableRenewal,
-		AllowRenewAfterExpiry: &allowRenewAfterExpiry,
+		MinTLSDur:               &Duration{c.MinTLSCertDuration()},
+		MaxTLSDur:               &Duration{c.MaxTLSCertDuration()},
+		DefaultTLSDur:           &Duration{c.DefaultTLSCertDuration()},
+		MinUserSSHDur:           &Duration{c.MinUserSSHCertDuration()},
+		MaxUserSSHDur:           &Duration{c.MaxUserSSHCertDuration()},
+		DefaultUserSSHDur:       &Duration{c.DefaultUserSSHCertDuration()},
+		MinHostSSHDur:           &Duration{c.MinHostSSHCertDuration()},
+		MaxHostSSHDur:           &Duration{c.MaxHostSSHCertDuration()},
+		DefaultHostSSHDur:       &Duration{c.DefaultHostSSHCertDuration()},
+		EnableSSHCA:             &enableSSHCA,
+		DisableRenewal:          &disableRenewal,
+		AllowRenewalAfterExpiry: &allowRenewalAfterExpiry,
 	}
 }

@ -109,14 +109,14 @@ func (c *Claimer) IsDisableRenewal() bool {
 	return *c.claims.DisableRenewal
 }

-// AllowRenewAfterExpiry returns if the renewal flow is authorized if the
+// AllowRenewalAfterExpiry returns if the renewal flow is authorized if the
 // certificate is expired. If the property is not set within the provisioner
 // then the global value from the authority configuration will be used.
-func (c *Claimer) AllowRenewAfterExpiry() bool {
-	if c.claims == nil || c.claims.AllowRenewAfterExpiry == nil {
-		return *c.global.AllowRenewAfterExpiry
+func (c *Claimer) AllowRenewalAfterExpiry() bool {
+	if c.claims == nil || c.claims.AllowRenewalAfterExpiry == nil {
+		return *c.global.AllowRenewalAfterExpiry
 	}
-	return *c.claims.AllowRenewAfterExpiry
+	return *c.claims.AllowRenewalAfterExpiry
 }

 // DefaultSSHCertDuration returns the default SSH certificate duration for the
--- a/authority/provisioner/controller.go
+++ b/authority/provisioner/controller.go
@ -124,7 +124,7 @@ func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certif
 	if now.Before(cert.NotBefore) {
 		return errs.Unauthorized("certificate is not yet valid" + " " + now.UTC().Format(time.RFC3339Nano) + " vs " + cert.NotBefore.Format(time.RFC3339Nano))
 	}
-	if now.After(cert.NotAfter) && !p.Claimer.AllowRenewAfterExpiry() {
+	if now.After(cert.NotAfter) && !p.Claimer.AllowRenewalAfterExpiry() {
 		return errs.Unauthorized("certificate has expired")
 	}

@ -144,7 +144,7 @@ func DefaultAuthorizeSSHRenew(ctx context.Context, p *Controller, cert *ssh.Cert
 	if after := int64(cert.ValidAfter); after < 0 || unixNow < int64(cert.ValidAfter) {
 		return errs.Unauthorized("certificate is not yet valid")
 	}
-	if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(ssh.CertTimeInfinity) && (unixNow >= before || before < 0) && !p.Claimer.AllowRenewAfterExpiry() {
+	if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(ssh.CertTimeInfinity) && (unixNow >= before || before < 0) && !p.Claimer.AllowRenewalAfterExpiry() {
 		return errs.Unauthorized("certificate has expired")
 	}

--- a/authority/provisioner/controller_test.go
+++ b/authority/provisioner/controller_test.go
@ -160,13 +160,13 @@ func TestController_AuthorizeRenew(t *testing.T) {
 			NotBefore: now,
 			NotAfter:  now.Add(time.Hour),
 		}}, false},
-		{"ok custom disabled", fields{&JWK{}, mustClaimer(t, &Claims{AllowRenewAfterExpiry: &trueValue}, globalProvisionerClaims), func(ctx context.Context, p *Controller, cert *x509.Certificate) error {
+		{"ok custom disabled", fields{&JWK{}, mustClaimer(t, &Claims{AllowRenewalAfterExpiry: &trueValue}, globalProvisionerClaims), func(ctx context.Context, p *Controller, cert *x509.Certificate) error {
 			return nil
 		}}, args{ctx, &x509.Certificate{
 			NotBefore: now,
 			NotAfter:  now.Add(time.Hour),
 		}}, false},
-		{"ok renew after expiry", fields{&JWK{}, mustClaimer(t, &Claims{AllowRenewAfterExpiry: &trueValue}, globalProvisionerClaims), nil}, args{ctx, &x509.Certificate{
+		{"ok renew after expiry", fields{&JWK{}, mustClaimer(t, &Claims{AllowRenewalAfterExpiry: &trueValue}, globalProvisionerClaims), nil}, args{ctx, &x509.Certificate{
 			NotBefore: now.Add(-time.Hour),
 			NotAfter:  now.Add(-time.Minute),
 		}}, false},
@ -231,13 +231,13 @@ func TestController_AuthorizeSSHRenew(t *testing.T) {
 			ValidAfter:  uint64(now.Unix()),
 			ValidBefore: uint64(now.Add(time.Hour).Unix()),
 		}}, false},
-		{"ok custom disabled", fields{&JWK{}, mustClaimer(t, &Claims{AllowRenewAfterExpiry: &trueValue}, globalProvisionerClaims), func(ctx context.Context, p *Controller, cert *ssh.Certificate) error {
+		{"ok custom disabled", fields{&JWK{}, mustClaimer(t, &Claims{AllowRenewalAfterExpiry: &trueValue}, globalProvisionerClaims), func(ctx context.Context, p *Controller, cert *ssh.Certificate) error {
 			return nil
 		}}, args{ctx, &ssh.Certificate{
 			ValidAfter:  uint64(now.Unix()),
 			ValidBefore: uint64(now.Add(time.Hour).Unix()),
 		}}, false},
-		{"ok renew after expiry", fields{&JWK{}, mustClaimer(t, &Claims{AllowRenewAfterExpiry: &trueValue}, globalProvisionerClaims), nil}, args{ctx, &ssh.Certificate{
+		{"ok renew after expiry", fields{&JWK{}, mustClaimer(t, &Claims{AllowRenewalAfterExpiry: &trueValue}, globalProvisionerClaims), nil}, args{ctx, &ssh.Certificate{
 			ValidAfter:  uint64(now.Add(-time.Hour).Unix()),
 			ValidBefore: uint64(now.Add(-time.Minute).Unix()),
 		}}, false},
@ -296,7 +296,7 @@ func TestDefaultAuthorizeRenew(t *testing.T) {
 		}}, false},
 		{"ok renew after expiry", args{ctx, &Controller{
 			Interface: &JWK{},
-			Claimer:   mustClaimer(t, &Claims{AllowRenewAfterExpiry: &trueValue}, globalProvisionerClaims),
+			Claimer:   mustClaimer(t, &Claims{AllowRenewalAfterExpiry: &trueValue}, globalProvisionerClaims),
 		}, &x509.Certificate{
 			NotBefore: now.Add(-time.Hour),
 			NotAfter:  now.Add(-time.Minute),
@ -354,7 +354,7 @@ func TestDefaultAuthorizeSSHRenew(t *testing.T) {
 		}}, false},
 		{"ok renew after expiry", args{ctx, &Controller{
 			Interface: &JWK{},
-			Claimer:   mustClaimer(t, &Claims{AllowRenewAfterExpiry: &trueValue}, globalProvisionerClaims),
+			Claimer:   mustClaimer(t, &Claims{AllowRenewalAfterExpiry: &trueValue}, globalProvisionerClaims),
 		}, &ssh.Certificate{
 			ValidAfter:  uint64(now.Add(-time.Hour).Unix()),
 			ValidBefore: uint64(now.Add(-time.Minute).Unix()),
--- a/authority/provisioner/utils_test.go
+++ b/authority/provisioner/utils_test.go
@ -24,22 +24,22 @@ import (
 )

 var (
-	defaultDisableRenewal        = false
-	defaultAllowRenewAfterExpiry = false
-	defaultEnableSSHCA           = true
-	globalProvisionerClaims      = Claims{
-		MinTLSDur:             &Duration{5 * time.Minute},
-		MaxTLSDur:             &Duration{24 * time.Hour},
-		DefaultTLSDur:         &Duration{24 * time.Hour},
-		MinUserSSHDur:         &Duration{Duration: 5 * time.Minute}, // User SSH certs
-		MaxUserSSHDur:         &Duration{Duration: 24 * time.Hour},
-		DefaultUserSSHDur:     &Duration{Duration: 16 * time.Hour},
-		MinHostSSHDur:         &Duration{Duration: 5 * time.Minute}, // Host SSH certs
-		MaxHostSSHDur:         &Duration{Duration: 30 * 24 * time.Hour},
-		DefaultHostSSHDur:     &Duration{Duration: 30 * 24 * time.Hour},
-		EnableSSHCA:           &defaultEnableSSHCA,
-		DisableRenewal:        &defaultDisableRenewal,
-		AllowRenewAfterExpiry: &defaultAllowRenewAfterExpiry,
+	defaultDisableRenewal          = false
+	defaultAllowRenewalAfterExpiry = false
+	defaultEnableSSHCA             = true
+	globalProvisionerClaims        = Claims{
+		MinTLSDur:               &Duration{5 * time.Minute},
+		MaxTLSDur:               &Duration{24 * time.Hour},
+		DefaultTLSDur:           &Duration{24 * time.Hour},
+		MinUserSSHDur:           &Duration{Duration: 5 * time.Minute}, // User SSH certs
+		MaxUserSSHDur:           &Duration{Duration: 24 * time.Hour},
+		DefaultUserSSHDur:       &Duration{Duration: 16 * time.Hour},
+		MinHostSSHDur:           &Duration{Duration: 5 * time.Minute}, // Host SSH certs
+		MaxHostSSHDur:           &Duration{Duration: 30 * 24 * time.Hour},
+		DefaultHostSSHDur:       &Duration{Duration: 30 * 24 * time.Hour},
+		EnableSSHCA:             &defaultEnableSSHCA,
+		DisableRenewal:          &defaultDisableRenewal,
+		AllowRenewalAfterExpiry: &defaultAllowRenewalAfterExpiry,
 	}
 	testAudiences = Audiences{
 		Sign:      []string{"https://ca.smallstep.com/1.0/sign", "https://ca.smallstep.com/sign"},
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@ -467,8 +467,8 @@ func claimsToCertificates(c *linkedca.Claims) (*provisioner.Claims, error) {
 	}

 	pc := &provisioner.Claims{
-		DisableRenewal:        &c.DisableRenewal,
-		AllowRenewAfterExpiry: &c.AllowRenewAfterExpiry,
+		DisableRenewal:          &c.DisableRenewal,
+		AllowRenewalAfterExpiry: &c.AllowRenewalAfterExpiry,
 	}

 	var err error
@ -506,18 +506,18 @@ func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims {
 	}

 	disableRenewal := config.DefaultDisableRenewal
-	allowRenewAfterExpiry := config.DefaultAllowRenewAfterExpiry
+	allowRenewalAfterExpiry := config.DefaultAllowRenewalAfterExpiry

 	if c.DisableRenewal != nil {
 		disableRenewal = *c.DisableRenewal
 	}
-	if c.AllowRenewAfterExpiry != nil {
-		allowRenewAfterExpiry = *c.AllowRenewAfterExpiry
+	if c.AllowRenewalAfterExpiry != nil {
+		allowRenewalAfterExpiry = *c.AllowRenewalAfterExpiry
 	}

 	lc := &linkedca.Claims{
-		DisableRenewal:        disableRenewal,
-		AllowRenewAfterExpiry: allowRenewAfterExpiry,
+		DisableRenewal:          disableRenewal,
+		AllowRenewalAfterExpiry: allowRenewalAfterExpiry,
 	}

 	if c.DefaultTLSDur != nil || c.MinTLSDur != nil || c.MaxTLSDur != nil {
--- a/authority/status/status.go
+++ b/authority/status/status.go
@ -1,11 +0,0 @@
-package status
-
-// Type is the type for status.
-type Type string
-
-var (
-	// Active active
-	Active = Type("active")
-	// Deleted deleted
-	Deleted = Type("deleted")
-)
--- a/go.mod
+++ b/go.mod
@ -38,7 +38,7 @@ require (
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.7.0
 	go.step.sm/crypto v0.16.1
-	go.step.sm/linkedca v0.13.0
+	go.step.sm/linkedca v0.15.0
 	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
 	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
 	google.golang.org/api v0.70.0
--- a/go.sum
+++ b/go.sum
@ -711,8 +711,8 @@ go.step.sm/cli-utils v0.7.0/go.mod h1:Ur6bqA/yl636kCUJbp30J7Unv5JJ226eW2KqXPDwF/
 go.step.sm/crypto v0.9.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0=
 go.step.sm/crypto v0.16.1 h1:4mnZk21cSxyMGxsEpJwZKKvJvDu1PN09UVrWWFNUBdk=
 go.step.sm/crypto v0.16.1/go.mod h1:3G0yQr5lQqfEG0CMYz8apC/qMtjLRQlzflL2AxkcN+g=
-go.step.sm/linkedca v0.13.0 h1:bRJEsyy3ZpHsSbDjKtaEBb3/vORzDuhS5+rQ2RsGopg=
-go.step.sm/linkedca v0.13.0/go.mod h1:W59ucS4vFpuR0g4PtkGbbtXAwxbDEnNCg+ovkej1ANM=
+go.step.sm/linkedca v0.15.0 h1:lEkGRDY+u7FudGKt8yEo7nBy5OzceO9s3rl+/sZVL5M=
+go.step.sm/linkedca v0.15.0/go.mod h1:W59ucS4vFpuR0g4PtkGbbtXAwxbDEnNCg+ovkej1ANM=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=