From b2ca3176f5c17f240881e0cf2ee02b5dc5f5930b Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Tue, 14 Jul 2020 17:12:07 -0700 Subject: [PATCH] Prepend insecure to user and CR variables names. --- authority/provisioner/options.go | 19 ++++++++++++---- x509util/options.go | 29 ++++++++++++++----------- x509util/templates.go | 37 ++++++++++++++++++++------------ 3 files changed, 54 insertions(+), 31 deletions(-) diff --git a/authority/provisioner/options.go b/authority/provisioner/options.go index c5ffff2f..802ec37b 100644 --- a/authority/provisioner/options.go +++ b/authority/provisioner/options.go @@ -19,9 +19,18 @@ func (fn certificateOptionsFunc) Options(so Options) []x509util.Option { return fn(so) } +// ProvisionerOptions are a collection of custom options that can be added to +// each provisioner. type ProvisionerOptions struct { - Template string `json:"template"` - TemplateFile string `json:"templateFile"` + // Template contains a X.509 certificate template. It can be a JSON template + // escaped in a string or it can be also encoded in base64. + Template string `json:"template"` + + // TemplateFile points to a file containing a X.509 certificate template. + TemplateFile string `json:"templateFile"` + + // TemplateData is a JSON object with variables that can be used in custom + // templates. TemplateData json.RawMessage `json:"templateData"` } @@ -63,11 +72,13 @@ func CustomTemplateOptions(o *ProvisionerOptions, data x509util.TemplateData, de if len(so.TemplateData) > 0 { userObject := make(map[string]interface{}) if err := json.Unmarshal(so.TemplateData, &userObject); err != nil { - data[x509util.UserKey] = map[string]interface{}{} + data.SetUserData(map[string]interface{}{}) } else { - data[x509util.UserKey] = userObject + data.SetUserData(userObject) } } + + // Load a template from a file if Template is not defined. if o.Template == "" && o.TemplateFile != "" { return []x509util.Option{ x509util.WithTemplateFile(o.TemplateFile, data), diff --git a/x509util/options.go b/x509util/options.go index 9a061bed..6b2b8697 100644 --- a/x509util/options.go +++ b/x509util/options.go @@ -3,6 +3,7 @@ package x509util import ( "bytes" "crypto/x509" + "encoding/base64" "io/ioutil" "text/template" @@ -47,6 +48,19 @@ func WithTemplate(text string, data TemplateData) Option { } } +// WithTemplateBase64 is an options that executes the given template base64 +// string with the given data. +func WithTemplateBase64(s string, data TemplateData) Option { + return func(cr *x509.CertificateRequest, o *Options) error { + b, err := base64.StdEncoding.DecodeString(s) + if err != nil { + return errors.Wrap(err, "error decoding template") + } + fn := WithTemplate(string(b), data) + return fn(cr, o) + } +} + // WithTemplateFile is an options that reads the template file and executes it // with the given data. func WithTemplateFile(path string, data TemplateData) Option { @@ -56,18 +70,7 @@ func WithTemplateFile(path string, data TemplateData) Option { if err != nil { return errors.Wrapf(err, "error reading %s", path) } - - tmpl, err := template.New(path).Funcs(sprig.TxtFuncMap()).Parse(string(b)) - if err != nil { - return errors.Wrapf(err, "error parsing %s", path) - } - - buf := new(bytes.Buffer) - data.SetCertificateRequest(cr) - if err := tmpl.Execute(buf, data); err != nil { - return errors.Wrapf(err, "error executing %s", path) - } - o.CertBuffer = buf - return nil + fn := WithTemplate(string(b), data) + return fn(cr, o) } } diff --git a/x509util/templates.go b/x509util/templates.go index 8ef8d5d3..855370a1 100644 --- a/x509util/templates.go +++ b/x509util/templates.go @@ -3,10 +3,11 @@ package x509util import "crypto/x509" const ( - UserKey = "User" SubjectKey = "Subject" SANsKey = "SANs" TokenKey = "Token" + InsecureKey = "Insecure" + UserKey = "User" CertificateRequestKey = "CR" ) @@ -33,12 +34,16 @@ func (t TemplateData) Set(key string, v interface{}) { t[key] = v } -func (t TemplateData) SetUserData(v Subject) { - t[UserKey] = v +func (t TemplateData) SetInsecure(key string, v interface{}) { + if m, ok := t[InsecureKey].(TemplateData); ok { + m[key] = v + } else { + t[InsecureKey] = TemplateData{key: v} + } } func (t TemplateData) SetSubject(v Subject) { - t[SubjectKey] = v + t.Set(SubjectKey, v) } func (t TemplateData) SetCommonName(cn string) { @@ -48,15 +53,19 @@ func (t TemplateData) SetCommonName(cn string) { } func (t TemplateData) SetSANs(sans []string) { - t[SANsKey] = CreateSANs(sans) + t.Set(SANsKey, CreateSANs(sans)) } func (t TemplateData) SetToken(v interface{}) { - t[TokenKey] = v + t.Set(TokenKey, v) +} + +func (t TemplateData) SetUserData(v interface{}) { + t.SetInsecure(UserKey, v) } func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) { - t[CertificateRequestKey] = newCertificateRequest(cr) + t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr)) } // DefaultLeafTemplate is the default templated used to generate a leaf @@ -79,14 +88,14 @@ const DefaultLeafTemplate = `{ // keys. const DefaultIIDLeafTemplate = `{ {{- if .SANs }} - "subject": {"commonName": "{{ .CR.Subject.CommonName }}"}, + "subject": {"commonName": "{{ .Insecure.CR.Subject.CommonName }}"}, "sans": {{ toJson .SANs }}, {{- else }} - "subject": {{ toJson .CR.Subject }}, - "dnsNames": {{ toJson .CR.DNSNames }}, - "emailAddresses": {{ toJson .CR.EmailAddresses }}, - "ipAddresses": {{ toJson .CR.IPAddresses }}, - "uris": {{ toJson .CR.URIs }}, + "subject": {{ toJson .Insecure.CR.Subject }}, + "dnsNames": {{ toJson .Insecure.CR.DNSNames }}, + "emailAddresses": {{ toJson .Insecure.CR.EmailAddresses }}, + "ipAddresses": {{ toJson .Insecure.CR.IPAddresses }}, + "uris": {{ toJson .Insecure.CR.URIs }}, {{- end }} "keyUsage": ["keyEncipherment", "digitalSignature"], "extKeyUsage": ["serverAuth", "clientAuth"] @@ -117,4 +126,4 @@ const DefaultRootTemplate = `{ // CertificateRequestTemplate is a template that will sign the given certificate // request. -const CertificateRequestTemplate = `{{ toJson .CR }}` +const CertificateRequestTemplate = `{{ toJson .Insecure.CR }}`