Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix PR comments

Browse Source
pull/1075/head
Herman Slatman 2 years ago
parent 49718f1bbb
commit fd38dd34f9
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F
2 changed files with 28 additions and 40 deletions
Show Stats Download Patch File Download Diff File

28
authority/authority.go
Unescape Escape View File

@ -633,23 +633,11 @@ func (a *Authority) init() error {
c := a.config c := a.config
if c.WasLoadedFromFile() { if c.WasLoadedFromFile() {
// TODO(hs): check if prerequisites for writing files look OK (user/group, permission bits, etc) as // The provisioners in the configuration file can be deleted from
// extra safety check before trying to write at all? // the file by editing it. Automatic rewriting of the file was considered
// to be too surprising for users and not the right solution for all
// Remove the existing provisioners from the authority configuration // use cases, so we leave it up to users to this themselves.
// and commit it to the existing configuration file. NOTE: committing a.initLogf("Provisioners that were migrated can now be removed from `ca.json` by editing it.")
// the configuration at this point also writes other properties that
// have been initialized with default values, such as the `backdate` and
// `template` settings in the `authority`.
oldProvisioners := c.AuthorityConfig.Provisioners
c.AuthorityConfig.Provisioners = []provisioner.Interface{}
if err := c.Commit(); err != nil {
// Restore the provisioners in in-memory representation for consistency
// when writing the updated configuration fails. This is considered a soft
// error, so execution can continue.
c.AuthorityConfig.Provisioners = oldProvisioners
a.initLogf("Failed removing provisioners from configuration: %v", err)
}
} }
a.initLogf("Finished migrating provisioners") a.initLogf("Finished migrating provisioners")
@ -673,16 +661,16 @@ func (a *Authority) init() error {
// case if `step` isn't allowed to be signed by Name Constraints or the X.509 policy. // case if `step` isn't allowed to be signed by Name Constraints or the X.509 policy.
// We have protection for that when creating and updating a policy, but if a policy or // We have protection for that when creating and updating a policy, but if a policy or
// Name Constraints are in use at the time of migration, that could lock the user out. // Name Constraints are in use at the time of migration, that could lock the user out.
firstSuperAdminSubject := "step" superAdminSubject := "step"
if err := a.adminDB.CreateAdmin(ctx, &linkedca.Admin{ if err := a.adminDB.CreateAdmin(ctx, &linkedca.Admin{
ProvisionerId: firstJWKProvisioner.Id, ProvisionerId: firstJWKProvisioner.Id,
Subject: firstSuperAdminSubject, Subject: superAdminSubject,
Type: linkedca.Admin_SUPER_ADMIN, Type: linkedca.Admin_SUPER_ADMIN,
}); err != nil { }); err != nil {
return admin.WrapErrorISE(err, "error creating first admin") return admin.WrapErrorISE(err, "error creating first admin")
} }
a.initLogf("Created super admin %q for JWK provisioner %q", firstSuperAdminSubject, firstJWKProvisioner.GetName()) a.initLogf("Created super admin %q for JWK provisioner %q", superAdminSubject, firstJWKProvisioner.GetName())
} }
} }

40
pki/pki.go
Unescape Escape View File

@ -175,19 +175,19 @@ func GetProvisionerKey(caURL, rootFile, kid string) (string, error) {
} }
type options struct { type options struct {
provisioner string provisioner string
firstSuperAdminSubject string superAdminSubject string
pkiOnly bool pkiOnly bool
enableACME bool enableACME bool
enableSSH bool enableSSH bool
enableAdmin bool enableAdmin bool
noDB bool noDB bool
isHelm bool isHelm bool
deploymentType DeploymentType deploymentType DeploymentType
rootKeyURI string rootKeyURI string
intermediateKeyURI string intermediateKeyURI string
hostKeyURI string hostKeyURI string
userKeyURI string userKeyURI string
} }
// Option is the type of a configuration option on the pki constructor. // Option is the type of a configuration option on the pki constructor.
@ -221,12 +221,12 @@ func WithProvisioner(s string) Option {
} }
} }
// WithFirstSuperAdminSubject defines the subject of the first // WithSuperAdminSubject defines the subject of the first
// super admin for use with the Admin API. The admin will belong // super admin for use with the Admin API. The admin will belong
// to the first JWK provisioner. // to the first JWK provisioner.
func WithFirstSuperAdminSubject(s string) Option { func WithSuperAdminSubject(s string) Option {
return func(p *PKI) { return func(p *PKI) {
p.options.firstSuperAdminSubject = s p.options.superAdminSubject = s
} }
} }
@ -924,13 +924,13 @@ func (p *PKI) GenerateConfig(opt ...ConfigOption) (*authconfig.Config, error) {
} }
} }
// Add the first provisioner as an admin. // Add the first provisioner as an admin.
firstSuperAdminSubject := "step" superAdminSubject := "step"
if p.options.firstSuperAdminSubject != "" { if p.options.superAdminSubject != "" {
firstSuperAdminSubject = p.options.firstSuperAdminSubject superAdminSubject = p.options.superAdminSubject
} }
if err := adminDB.CreateAdmin(context.Background(), &linkedca.Admin{ if err := adminDB.CreateAdmin(context.Background(), &linkedca.Admin{
AuthorityId: admin.DefaultAuthorityID, AuthorityId: admin.DefaultAuthorityID,
Subject: firstSuperAdminSubject, Subject: superAdminSubject,
Type: linkedca.Admin_SUPER_ADMIN, Type: linkedca.Admin_SUPER_ADMIN,
ProvisionerId: adminID, ProvisionerId: adminID,
}); err != nil { }); err != nil {

Write Preview
Loading…
Cancel
Save