smallstep-certificates/cas/apiv1/options.go
2022-04-15 12:19:32 -07:00

111 lines
3.9 KiB
Go

package apiv1
import (
"crypto"
"crypto/x509"
"encoding/json"
"github.com/pkg/errors"
"github.com/smallstep/certificates/kms"
)
// Options represents the configuration options used to select and configure the
// CertificateAuthorityService (CAS) to use.
type Options struct {
// The type of the CAS to use.
Type string `json:"type"`
// CertificateAuthority reference:
// In StepCAS the value is the CA url, e.g., "https://ca.smallstep.com:9000".
// In CloudCAS the format is "projects/*/locations/*/certificateAuthorities/*".
// In VaultCAS the value is the url, e.g., "https://vault.smallstep.com".
CertificateAuthority string `json:"certificateAuthority,omitempty"`
// CertificateAuthorityFingerprint is the root fingerprint used to
// authenticate the connection to the CA when using StepCAS.
CertificateAuthorityFingerprint string `json:"certificateAuthorityFingerprint,omitempty"`
// CertificateIssuer contains the configuration used in StepCAS.
CertificateIssuer *CertificateIssuer `json:"certificateIssuer,omitempty"`
// Path to the credentials file used in CloudCAS. If not defined the default
// authentication mechanism provided by Google SDK will be used. See
// https://cloud.google.com/docs/authentication.
CredentialsFile string `json:"credentialsFile,omitempty"`
// CertificateChain contains the issuer certificate, along with any other
// bundled certificates to be returned in the chain to consumers. It is used
// used in SoftCAS and it is configured in the crt property of the ca.json.
CertificateChain []*x509.Certificate `json:"-"`
// Signer is the private key or a KMS signer for the issuer certificate. It
// is used in SoftCAS and it is configured in the key property of the
// ca.json.
Signer crypto.Signer `json:"-"`
// CertificateSigner combines CertificateChain and Signer in a callback that
// returns the chain of certificate and signer used to sign X.509
// certificates in SoftCAS.
CertificateSigner func() ([]*x509.Certificate, crypto.Signer, error) `json:"-"`
// IsCreator is set to true when we're creating a certificate authority. It
// is used to skip some validations when initializing a
// CertificateAuthority. This option is used on SoftCAS and CloudCAS.
IsCreator bool `json:"-"`
// IsCAGetter is set to true when we're just using the
// CertificateAuthorityGetter interface to retrieve the root certificate. It
// is used to skip some validations when initializing a
// CertificateAuthority. This option is used on StepCAS.
IsCAGetter bool `json:"-"`
// KeyManager is the KMS used to generate keys in SoftCAS.
KeyManager kms.KeyManager `json:"-"`
// Project, Location, CaPool and GCSBucket are parameters used in CloudCAS
// to create a new certificate authority. If a CaPool does not exist it will
// be created. GCSBucket is optional, if not provided GCloud will create a
// managed bucket.
Project string `json:"-"`
Location string `json:"-"`
CaPool string `json:"-"`
CaPoolTier string `json:"-"`
GCSBucket string `json:"-"`
// Generic structure to configure any CAS
Config json.RawMessage `json:"config,omitempty"`
}
// CertificateIssuer contains the properties used to use the StepCAS certificate
// authority service.
type CertificateIssuer struct {
Type string `json:"type"`
Provisioner string `json:"provisioner,omitempty"`
Certificate string `json:"crt,omitempty"`
Key string `json:"key,omitempty"`
Password string `json:"password,omitempty"`
}
// Validate checks the fields in Options.
func (o *Options) Validate() error {
var typ Type
if o == nil {
typ = Type(SoftCAS)
} else {
typ = Type(o.Type)
}
// Check that the type can be loaded.
if _, ok := LoadCertificateAuthorityServiceNewFunc(typ); !ok {
return errors.Errorf("unsupported cas type %s", typ)
}
return nil
}
// Is returns if the options have the given type.
func (o *Options) Is(t Type) bool {
if o == nil {
return t.String() == SoftCAS
}
return Type(o.Type).String() == t.String()
}