certificates/authority/mgmt/provisioner.go

117 lines
3.4 KiB
Go
Raw Normal View History

2021-05-06 06:02:42 +00:00
package mgmt
import (
2021-05-26 04:13:01 +00:00
"context"
2021-05-06 06:02:42 +00:00
2021-05-26 04:13:01 +00:00
"github.com/smallstep/certificates/authority/config"
2021-05-24 20:38:24 +00:00
"github.com/smallstep/certificates/linkedca"
2021-05-06 06:02:42 +00:00
"go.step.sm/crypto/jose"
)
2021-05-24 20:38:24 +00:00
/*
2021-05-20 23:02:20 +00:00
type unmarshalProvisioner struct {
ID string `json:"-"`
AuthorityID string `json:"-"`
Type string `json:"type"`
Name string `json:"name"`
Claims *Claims `json:"claims"`
Details json.RawMessage `json:"details"`
X509Template string `json:"x509Template"`
X509TemplateData []byte `json:"x509TemplateData"`
SSHTemplate string `json:"sshTemplate"`
SSHTemplateData []byte `json:"sshTemplateData"`
Status status.Type `json:"status"`
}
type typ struct {
2021-05-24 20:38:24 +00:00
Type linkedca.Provisioner_Type `json:"type"`
2021-05-20 23:02:20 +00:00
}
// UnmarshalJSON implements the Unmarshal interface.
func (p *Provisioner) UnmarshalJSON(b []byte) error {
var (
err error
up = new(unmarshalProvisioner)
)
if err = json.Unmarshal(b, up); err != nil {
return WrapErrorISE(err, "error unmarshaling provisioner to intermediate type")
}
p.Details, err = UnmarshalProvisionerDetails(up.Details)
if err = json.Unmarshal(b, up); err != nil {
return WrapErrorISE(err, "error unmarshaling provisioner details")
}
p.ID = up.ID
p.AuthorityID = up.AuthorityID
p.Type = up.Type
p.Name = up.Name
p.Claims = up.Claims
p.X509Template = up.X509Template
p.X509TemplateData = up.X509TemplateData
p.SSHTemplate = up.SSHTemplate
p.SSHTemplateData = up.SSHTemplateData
p.Status = up.Status
return nil
}
2021-05-24 20:38:24 +00:00
*/
2021-05-20 23:02:20 +00:00
2021-05-26 04:13:01 +00:00
func NewDefaultClaims() *linkedca.Claims {
return &linkedca.Claims{
X509: &linkedca.X509Claims{
Durations: &linkedca.Durations{
Min: config.GlobalProvisionerClaims.MinTLSDur.String(),
Max: config.GlobalProvisionerClaims.MaxTLSDur.String(),
Default: config.GlobalProvisionerClaims.DefaultTLSDur.String(),
},
2021-05-06 06:02:42 +00:00
},
2021-05-26 04:13:01 +00:00
Ssh: &linkedca.SSHClaims{
UserDurations: &linkedca.Durations{
Min: config.GlobalProvisionerClaims.MinUserSSHDur.String(),
Max: config.GlobalProvisionerClaims.MaxUserSSHDur.String(),
Default: config.GlobalProvisionerClaims.DefaultUserSSHDur.String(),
},
HostDurations: &linkedca.Durations{
Min: config.GlobalProvisionerClaims.MinHostSSHDur.String(),
Max: config.GlobalProvisionerClaims.MaxHostSSHDur.String(),
Default: config.GlobalProvisionerClaims.DefaultHostSSHDur.String(),
},
2021-05-06 06:02:42 +00:00
},
2021-05-26 04:13:01 +00:00
DisableRenewal: config.DefaultDisableRenewal,
2021-05-06 06:02:42 +00:00
}
}
2021-05-26 04:13:01 +00:00
func CreateFirstProvisioner(ctx context.Context, db DB, password string) (*linkedca.Provisioner, error) {
jwk, jwe, err := jose.GenerateDefaultKeyPair([]byte(password))
2021-05-06 06:02:42 +00:00
if err != nil {
2021-05-26 04:13:01 +00:00
return nil, WrapErrorISE(err, "error generating JWK key pair")
2021-05-06 06:02:42 +00:00
}
2021-05-26 04:13:01 +00:00
jwkPubBytes, err := jwk.MarshalJSON()
if err != nil {
return nil, WrapErrorISE(err, "error marshaling JWK")
2021-05-06 06:02:42 +00:00
}
2021-05-26 04:13:01 +00:00
jwePrivStr, err := jwe.CompactSerialize()
if err != nil {
return nil, WrapErrorISE(err, "error serializing JWE")
2021-05-06 06:02:42 +00:00
}
2021-05-26 21:55:31 +00:00
p := &linkedca.Provisioner{
2021-05-26 04:13:01 +00:00
Name: "Admin JWK",
Type: linkedca.Provisioner_JWK,
Claims: NewDefaultClaims(),
Details: &linkedca.ProvisionerDetails{
Data: &linkedca.ProvisionerDetails_JWK{
JWK: &linkedca.JWKProvisioner{
PublicKey: jwkPubBytes,
EncryptedPrivateKey: []byte(jwePrivStr),
},
},
},
2021-05-26 21:55:31 +00:00
}
if err := db.CreateProvisioner(ctx, p); err != nil {
return nil, WrapErrorISE(err, "error creating provisioner")
}
return p, nil
2021-05-06 06:02:42 +00:00
}