certificates/authority/mgmt/config.go

package mgmt
import (
"context"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/config"
)
const (
	// DefaultAuthorityID is the default AuthorityID. This will be the ID
	// of the first Authority created, as well as the default AuthorityID
	// if one is not specified in the configuration.
	//
	// It is the all-zero (nil) UUID in canonical string form; WithDefaultAuthorityID
	// assigns it to an AuthConfig.
	DefaultAuthorityID = "00000000-0000-0000-0000-000000000000"
)
// Claims encapsulates all x509 and ssh claims applied to the authority
// configuration. E.g. maxTLSCertDuration, defaultSSHCertDuration, etc.
//
// NewDefaultClaims builds the default instance from config.GlobalProvisionerClaims
// and config.DefaultDisableRenewal.
type Claims struct {
	// X509 holds the duration claims for x509 certificates.
	X509 *X509Claims `json:"x509Claims"`
	// SSH holds the duration claims for SSH user and host certificates.
	SSH *SSHClaims `json:"sshClaims"`
	// DisableRenewal is seeded from config.DefaultDisableRenewal by
	// NewDefaultClaims; how it is enforced is not visible in this file.
	DisableRenewal bool `json:"disableRenewal"`
}
// X509Claims are the x509 claims applied to the authority.
type X509Claims struct {
	// Durations are the min/max/default lifetimes for x509 certificates;
	// NewDefaultClaims fills them from the *TLSDur fields of
	// config.GlobalProvisionerClaims.
	Durations *Durations `json:"durations"`
}
// SSHClaims are the ssh claims applied to the authority.
type SSHClaims struct {
	// Enabled presumably gates SSH certificate issuance (confirm with the
	// consumer); NewDefaultClaims leaves it at its zero value, false.
	Enabled bool `json:"enabled"`
	// UserDurations are the lifetimes for SSH user certificates, filled by
	// NewDefaultClaims from the *UserSSHDur fields of config.GlobalProvisionerClaims.
	UserDurations *Durations `json:"userDurations"`
	// HostDurations are the lifetimes for SSH host certificates, filled by
	// NewDefaultClaims from the *HostSSHDur fields of config.GlobalProvisionerClaims.
	HostDurations *Durations `json:"hostDurations"`
}
// Durations represents min, max, default, duration.
//
// The values are kept as strings: NewDefaultClaims stores the String() form of
// the config durations (presumably time.Duration, e.g. "24h0m0s" — confirm).
// Where they are parsed back is not visible in this file.
type Durations struct {
	Min     string `json:"min"`
	Max     string `json:"max"`
	Default string `json:"default"`
}
// NewDefaultClaims builds a Claims whose x509, SSH user and SSH host durations
// are the String() renderings of the corresponding fields of
// config.GlobalProvisionerClaims, and whose DisableRenewal is
// config.DefaultDisableRenewal.
//
// SSH.Enabled is not set here and therefore stays false.
func NewDefaultClaims() *Claims {
	global := config.GlobalProvisionerClaims
	return &Claims{
		X509: &X509Claims{
			Durations: durationsAsStrings(global.MinTLSDur, global.MaxTLSDur, global.DefaultTLSDur),
		},
		SSH: &SSHClaims{
			UserDurations: durationsAsStrings(global.MinUserSSHDur, global.MaxUserSSHDur, global.DefaultUserSSHDur),
			HostDurations: durationsAsStrings(global.MinHostSSHDur, global.MaxHostSSHDur, global.DefaultHostSSHDur),
		},
		DisableRenewal: config.DefaultDisableRenewal,
	}
}

// durationsAsStrings renders a min/max/default triple into a Durations by
// calling String() on each value.
func durationsAsStrings(lo, hi, def interface{ String() string }) *Durations {
	return &Durations{
		Min:     lo.String(),
		Max:     hi.String(),
		Default: def.String(),
	}
}
// AuthorityOption mutates the AuthConfig being built by CreateAuthority.
// Options run in the order given, before the config is stored; a non-nil
// error aborts the creation and is returned unchanged.
type AuthorityOption func(*AuthConfig) error
// WithDefaultAuthorityID is an AuthorityOption that sets the config's ID to
// DefaultAuthorityID. It never returns an error.
func WithDefaultAuthorityID(ac *AuthConfig) error {
	const id = DefaultAuthorityID
	ac.ID = id
	return nil
}
// CreateDefaultAuthority creates and stores an authority whose ID is
// DefaultAuthorityID. It is CreateAuthority with WithDefaultAuthorityID as the
// only option, so it also seeds the bootstrap provisioner and admin.
func CreateDefaultAuthority(ctx context.Context, db DB) (*AuthConfig, error) {
	return CreateAuthority(ctx, db, WithDefaultAuthorityID)
}
// CreateAuthority builds an AuthConfig from NewDefaultAuthConfig, applies the
// options in order, stores it in db, and then seeds it with one provisioner
// and one super admin, both of which are also stored in db.
//
// The returned config carries the seeded records in Provisioners and Admins
// (each slice is replaced, not appended to).
//
// NOTE(review): the seed provisioner is created with the fixed password
// "pass" and the fixed name "changeme" (presumably type/name — confirm
// against CreateProvisioner), and the seed admin has the fixed subject
// "Change Me". These are bootstrap placeholders, not secrets; they must be
// rotated before the authority is exposed.
//
// NOTE(review): an error after db.CreateAuthConfig leaves the stored config
// without its provisioner and/or admin (see the TODOs); no cleanup is done.
func CreateAuthority(ctx context.Context, db DB, options ...AuthorityOption) (*AuthConfig, error) {
	ac := NewDefaultAuthConfig()
	for _, apply := range options {
		if err := apply(ac); err != nil {
			return nil, err
		}
	}

	if err := db.CreateAuthConfig(ctx, ac); err != nil {
		return nil, errors.Wrap(err, "error creating authConfig")
	}

	// Generate default JWK provisioner, protected by the fixed bootstrap
	// password "pass".
	prov, err := CreateProvisioner(ctx, db, "JWK", "changeme", WithPassword("pass"))
	if err != nil {
		// TODO should we try to clean up? (the authConfig is already stored)
		return nil, WrapErrorISE(err, "error creating first provisioner")
	}

	// Seed a super admin bound to the provisioner just created.
	adm := &Admin{
		ProvisionerID: prov.ID,
		Subject:       "Change Me",
		Type:          AdminTypeSuper,
	}
	if err = db.CreateAdmin(ctx, adm); err != nil {
		// TODO should we try to clean up? (authConfig and provisioner are stored)
		return nil, WrapErrorISE(err, "error creating first admin")
	}

	ac.Provisioners = []*Provisioner{prov}
	ac.Admins = []*Admin{adm}
	return ac, nil
}