Add an option to avoid password prompts on step cas

When we are using `step ca init` to create a stepcas RA we don't
have access to the password needed to verify the provisioner.
This commit is contained in:
Mariano Cano 2021-08-04 16:16:35 -07:00
parent de292fbed6
commit de719eb6f0
3 changed files with 29 additions and 6 deletions


@ -38,10 +38,17 @@ type Options struct {
CertificateChain []*x509.Certificate `json:"-"` CertificateChain []*x509.Certificate `json:"-"`
Signer crypto.Signer `json:"-"` Signer crypto.Signer `json:"-"`
// IsCreator is set to true when we're creating a certificate authority. Is // IsCreator is set to true when we're creating a certificate authority. It
// used to skip some validations when initializing a CertificateAuthority. // is used to skip some validations when initializing a
// CertificateAuthority. This option is used on SoftCAS and CloudCAS.
IsCreator bool `json:"-"` IsCreator bool `json:"-"`
// IsCAGetter is set to true when we're just using the
// CertificateAuthorityGetter interface to retrieve the root certificate. It
// is used to skip some validations when initializing a
// CertificateAuthority. This option is used on StepCAS.
IsCAGetter bool `json:"-"`
// KeyManager is the KMS used to generate keys in SoftCAS. // KeyManager is the KMS used to generate keys in SoftCAS.
KeyManager kms.KeyManager `json:"-"` KeyManager kms.KeyManager `json:"-"`
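Review bot: The doc comment on the new IsCAGetter field only says it skips some validations, but in the StepCAS constructor changed by this commit the flag also skips the newStepIssuer call, so an instance built with it has a nil issuer; that consequence is what callers need to know and the comment should state it. Suggest extending it with `// A StepCAS created with IsCAGetter has no certificate issuer and must only be used to retrieve the root certificate.` It would also help to say here, as the SoftCAS/CloudCAS sentence does for IsCreator, that the two flags are mutually independent, if that is the intent. The Options struct continues outside the hunk.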


@ -47,11 +47,14 @@ func New(ctx context.Context, opts apiv1.Options) (*StepCAS, error) {
return nil, err return nil, err
} }
// Create configured issuer var iss stepIssuer
iss, err := newStepIssuer(caURL, client, opts.CertificateIssuer) // Create configured issuer unless we only want to use GetCertificateAuthority.
if err != nil { // This avoid the request for the password if not provided.
if !opts.IsCAGetter {
if iss, err = newStepIssuer(caURL, client, opts.CertificateIssuer); err != nil {
return nil, err return nil, err
} }
}
return &StepCAS{ return &StepCAS{
iss: iss, iss: iss,
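Review bot: When `opts.IsCAGetter` is set, `iss` keeps its zero value from `var iss stepIssuer` and is stored unchanged at `iss: iss,`; if the signing methods on StepCAS call `s.iss` without a nil check (they are outside this hunk), a caller that uses a getter-only instance for anything other than retrieving the root would hit a nil dereference panic instead of an error. Either those methods should fail closed, e.g. `if s.iss == nil { return nil, errors.New("stepcas: certificate issuer is not configured (IsCAGetter)") }`, or New's doc comment should state that an IsCAGetter instance supports only GetCertificateAuthority. The explanatory comment also has a grammar slip; `// This avoids asking for the password when one is not provided.` reads better. New begins and ends outside the hunk.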


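--- a/<test file path not shown on page>
+++ b/<test file path not shown on page>
@@ -411,6 +411,19 @@ func TestNew(t *testing.T) {
 client: client,
 fingerprint: testRootFingerprint,
 }, false},
+{"ok ca getter", args{context.TODO(), apiv1.Options{
+IsCAGetter: true,
+CertificateAuthority: caURL.String(),
+CertificateAuthorityFingerprint: testRootFingerprint,
+CertificateIssuer: &apiv1.CertificateIssuer{
+Type: "jwk",
+Provisioner: "ra@doe.org",
+},
+}}, &StepCAS{
+iss: nil,
+client: client,
+fingerprint: testRootFingerprint,
+}, false},
 {"fail authority", args{context.TODO(), apiv1.Options{
 CertificateAuthority: "",
 CertificateAuthorityFingerprint: testRootFingerprint,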
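Review bot: The new "ok ca getter" case still supplies a `CertificateIssuer` with a provisioner, so it does not cover the situation the commit description targets, where the issuer configuration and its password are unavailable; a second case with `IsCAGetter: true` and `CertificateIssuer` left nil would pin that New succeeds without it. It would also be worth a separate test asserting that a signing method called on the returned getter-only `*StepCAS` returns an error rather than panicking on the nil `iss`, which presumes those methods are guarded. TestNew's table begins and the function ends outside the hunk.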