Generate PKI and start server using onboarding.
This commit is contained in:
parent
bca5dcc326
commit
0efae31a29
1 changed files with 70 additions and 15 deletions
|
@ -18,20 +18,22 @@ import (
|
||||||
"time"
|
"time"
|
||||||
"unicode"
|
"unicode"
|
||||||
|
|
||||||
"github.com/smallstep/cli/crypto/randutil"
|
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/smallstep/certificates/authority"
|
"github.com/smallstep/certificates/authority"
|
||||||
"github.com/smallstep/certificates/ca"
|
"github.com/smallstep/certificates/ca"
|
||||||
|
"github.com/smallstep/cli/crypto/pki"
|
||||||
|
"github.com/smallstep/cli/crypto/randutil"
|
||||||
"github.com/smallstep/cli/errs"
|
"github.com/smallstep/cli/errs"
|
||||||
"github.com/smallstep/cli/usage"
|
"github.com/smallstep/cli/usage"
|
||||||
|
"github.com/smallstep/cli/utils"
|
||||||
"github.com/urfave/cli"
|
"github.com/urfave/cli"
|
||||||
)
|
)
|
||||||
|
|
||||||
type onboardingConfiguration struct {
|
type onboardingConfiguration struct {
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
DNS string `json:"dns"`
|
DNS string `json:"dns"`
|
||||||
Address string `json:"address"`
|
Address string `json:"address"`
|
||||||
|
password []byte
|
||||||
}
|
}
|
||||||
type onboardingPayload struct {
|
type onboardingPayload struct {
|
||||||
Fingerprint string `json:"fingerprint"`
|
Fingerprint string `json:"fingerprint"`
|
||||||
|
@ -307,8 +309,7 @@ func onboardAction(ctx *cli.Context) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
var config onboardingConfiguration
|
var config onboardingConfiguration
|
||||||
err = json.Unmarshal(body, &config)
|
if err = json.Unmarshal(body, &config); err != nil {
|
||||||
if err != nil {
|
|
||||||
return errors.Wrap(err, "error unmarshaling response")
|
return errors.Wrap(err, "error unmarshaling response")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -316,17 +317,20 @@ func onboardAction(ctx *cli.Context) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
config.password = []byte(password)
|
||||||
|
|
||||||
|
caConfig, fp, err := onboardPKI(config)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
fmt.Printf("Connected! Initializing step-ca with the following configuration...\n\n")
|
fmt.Printf("Connected! Initializing step-ca with the following configuration...\n\n")
|
||||||
fmt.Printf("Name: %s\n", config.Name)
|
fmt.Printf("Name: %s\n", config.Name)
|
||||||
fmt.Printf("DNS: %s\n", config.DNS)
|
fmt.Printf("DNS: %s\n", config.DNS)
|
||||||
fmt.Printf("Address: %s\n", config.Address)
|
fmt.Printf("Address: %s\n", config.Address)
|
||||||
fmt.Printf("Provisioner Password: %s\n\n", password)
|
fmt.Printf("Password: %s\n\n", password)
|
||||||
|
|
||||||
// TODO actually initialize the CA config (automatically add an "admin" JWT provisioner)
|
payload, err := json.Marshal(onboardingPayload{Fingerprint: fp})
|
||||||
// and start listening
|
|
||||||
// TODO get the root cert fingerprint to post back to the onboarding guide
|
|
||||||
payload, err := json.Marshal(onboardingPayload{Fingerprint: "foobarbatbaz"})
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "error marshalling payload")
|
return errors.Wrap(err, "error marshalling payload")
|
||||||
}
|
}
|
||||||
|
@ -338,10 +342,61 @@ func onboardAction(ctx *cli.Context) error {
|
||||||
resp.Body.Close()
|
resp.Body.Close()
|
||||||
|
|
||||||
fmt.Printf("Initialized!\n")
|
fmt.Printf("Initialized!\n")
|
||||||
fmt.Printf("Step CA has been started. Please return to the onboarding guide in your browser to continue.\n")
|
fmt.Printf("Step CA is starting. Please return to the onboarding guide in your browser to continue.\n")
|
||||||
for {
|
|
||||||
time.Sleep(1 * time.Second)
|
srv, err := ca.New(caConfig, ca.WithPassword(config.password))
|
||||||
|
if err != nil {
|
||||||
|
fatal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
go ca.StopReloaderHandler(srv)
|
||||||
|
if err = srv.Run(); err != nil && err != http.ErrServerClosed {
|
||||||
|
fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func onboardPKI(config onboardingConfiguration) (*authority.Config, string, error) {
|
||||||
|
p, err := pki.New(pki.GetPublicPath(), pki.GetSecretsPath(), pki.GetConfigPath())
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
p.SetAddress(config.Address)
|
||||||
|
p.SetDNSNames([]string{config.DNS})
|
||||||
|
|
||||||
|
rootCrt, rootKey, err := p.GenerateRootCertificate(config.Name+" Root CA", config.password)
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
err = p.GenerateIntermediateCertificate(config.Name+" Intermediate CA", rootCrt, rootKey, config.password)
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate provisioner
|
||||||
|
p.SetProvisioner("admin")
|
||||||
|
if err = p.GenerateKeyPairs(config.password); err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate and write configuration
|
||||||
|
caConfig, err := p.GenerateConfig()
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
b, err := json.MarshalIndent(caConfig, "", " ")
|
||||||
|
if err != nil {
|
||||||
|
return nil, "", errors.Wrapf(err, "error marshaling %s", p.GetCAConfigPath())
|
||||||
|
}
|
||||||
|
if err = utils.WriteFile(p.GetCAConfigPath(), b, 0666); err != nil {
|
||||||
|
return nil, "", errs.FileError(err, p.GetCAConfigPath())
|
||||||
|
}
|
||||||
|
|
||||||
|
return caConfig, p.GetRootFingerprint(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// fatal writes the passed error on the standard error and exits with the exit
|
// fatal writes the passed error on the standard error and exits with the exit
|
||||||
|
|
Loading…
Reference in a new issue