Merge pull request #1381 from smallstep/max/go-1.19
Bump go.mod golang version to 1.19
commit
df13351586
67 changed files with 231 additions and 265 deletions
|
@ -34,27 +34,20 @@ var (
|
||||||
|
|
||||||
type fakeProvisioner struct{}
|
type fakeProvisioner struct{}
|
||||||
|
|
||||||
func (*fakeProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error {
|
func (*fakeProvisioner) AuthorizeOrderIdentifier(context.Context, provisioner.ACMEIdentifier) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
func (*fakeProvisioner) AuthorizeSign(context.Context, string) ([]provisioner.SignOption, error) {
|
||||||
func (*fakeProvisioner) AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) {
|
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
func (*fakeProvisioner) IsChallengeEnabled(context.Context, provisioner.ACMEChallenge) bool {
|
||||||
func (*fakeProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool {
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
func (*fakeProvisioner) IsAttestationFormatEnabled(context.Context, provisioner.ACMEAttestationFormat) bool {
|
||||||
func (*fakeProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool {
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool) { return nil, false }
|
||||||
func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool) {
|
func (*fakeProvisioner) AuthorizeRevoke(context.Context, string) error { return nil }
|
||||||
return nil, false
|
|
||||||
}
|
|
||||||
|
|
||||||
func (*fakeProvisioner) AuthorizeRevoke(ctx context.Context, token string) error { return nil }
|
|
||||||
func (*fakeProvisioner) GetID() string { return "" }
|
func (*fakeProvisioner) GetID() string { return "" }
|
||||||
func (*fakeProvisioner) GetName() string { return "" }
|
func (*fakeProvisioner) GetName() string { return "" }
|
||||||
func (*fakeProvisioner) DefaultTLSCertDuration() time.Duration { return 0 }
|
func (*fakeProvisioner) DefaultTLSCertDuration() time.Duration { return 0 }
|
||||||
|
|
|
@ -273,7 +273,7 @@ func shouldAddMetaObject(p *provisioner.ACME) bool {
|
||||||
|
|
||||||
// NotImplemented returns a 501 and is generally a placeholder for functionality which
|
// NotImplemented returns a 501 and is generally a placeholder for functionality which
|
||||||
// MAY be added at some point in the future but is not in any way a guarantee of such.
|
// MAY be added at some point in the future but is not in any way a guarantee of such.
|
||||||
func NotImplemented(w http.ResponseWriter, r *http.Request) {
|
func NotImplemented(w http.ResponseWriter, _ *http.Request) {
|
||||||
render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
|
render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,7 @@ import (
|
||||||
|
|
||||||
var testBody = []byte("foo")
|
var testBody = []byte("foo")
|
||||||
|
|
||||||
func testNext(w http.ResponseWriter, r *http.Request) {
|
func testNext(w http.ResponseWriter, _ *http.Request) {
|
||||||
w.Write(testBody)
|
w.Write(testBody)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -328,7 +328,7 @@ func TestHandler_isPostAsGet(t *testing.T) {
|
||||||
|
|
||||||
type errReader int
|
type errReader int
|
||||||
|
|
||||||
func (errReader) Read(p []byte) (n int, err error) {
|
func (errReader) Read([]byte) (int, error) {
|
||||||
return 0, errors.New("force")
|
return 0, errors.New("force")
|
||||||
}
|
}
|
||||||
func (errReader) Close() error {
|
func (errReader) Close() error {
|
||||||
|
|
|
@ -151,7 +151,7 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
|
||||||
// the identifiers in the certificate are extracted and compared against the (valid) Authorizations
|
// the identifiers in the certificate are extracted and compared against the (valid) Authorizations
|
||||||
// that are stored for the ACME Account. If these sets match, the Account is considered authorized
|
// that are stored for the ACME Account. If these sets match, the Account is considered authorized
|
||||||
// to revoke the certificate. If this check fails, the client will receive an unauthorized error.
|
// to revoke the certificate. If this check fails, the client will receive an unauthorized error.
|
||||||
func isAccountAuthorized(ctx context.Context, dbCert *acme.Certificate, certToBeRevoked *x509.Certificate, account *acme.Account) *acme.Error {
|
func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRevoked *x509.Certificate, account *acme.Account) *acme.Error {
|
||||||
if !account.IsValid() {
|
if !account.IsValid() {
|
||||||
return wrapUnauthorizedError(certToBeRevoked, nil, fmt.Sprintf("account '%s' has status '%s'", account.ID, account.Status), nil)
|
return wrapUnauthorizedError(certToBeRevoked, nil, fmt.Sprintf("account '%s' has status '%s'", account.ID, account.Status), nil)
|
||||||
}
|
}
|
||||||
|
|
|
@ -258,7 +258,7 @@ func jwkEncode(pub crypto.PublicKey) (string, error) {
|
||||||
// jwsFinal constructs the final JWS object.
|
// jwsFinal constructs the final JWS object.
|
||||||
// Implementation taken from github.com/mholt/acmez, which seems to be based on
|
// Implementation taken from github.com/mholt/acmez, which seems to be based on
|
||||||
// https://github.com/golang/crypto/blob/master/acme/jws.go.
|
// https://github.com/golang/crypto/blob/master/acme/jws.go.
|
||||||
func jwsFinal(sha crypto.Hash, sig []byte, phead, payload string) ([]byte, error) {
|
func jwsFinal(_ crypto.Hash, sig []byte, phead, payload string) ([]byte, error) {
|
||||||
enc := struct {
|
enc := struct {
|
||||||
Protected string `json:"protected"`
|
Protected string `json:"protected"`
|
||||||
Payload string `json:"payload"`
|
Payload string `json:"payload"`
|
||||||
|
@ -281,7 +281,7 @@ type mockCA struct {
|
||||||
MockAreSANsallowed func(ctx context.Context, sans []string) error
|
MockAreSANsallowed func(ctx context.Context, sans []string) error
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *mockCA) Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
func (m *mockCA) Sign(*x509.CertificateRequest, provisioner.SignOptions, ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -520,7 +520,7 @@ const (
|
||||||
coseAlgRS256 coseAlgorithmIdentifier = -257
|
coseAlgRS256 coseAlgorithmIdentifier = -257
|
||||||
)
|
)
|
||||||
|
|
||||||
func doTPMAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*tpmAttestationData, error) {
|
func doTPMAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*tpmAttestationData, error) {
|
||||||
ver, ok := att.AttStatement["ver"].(string)
|
ver, ok := att.AttStatement["ver"].(string)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, NewError(ErrorBadAttestationStatementType, "ver not present")
|
return nil, NewError(ErrorBadAttestationStatementType, "ver not present")
|
||||||
|
@ -742,11 +742,7 @@ func validateAKCertificate(c *x509.Certificate) error {
|
||||||
if err := validateAKCertificateExtendedKeyUsage(c); err != nil {
|
if err := validateAKCertificateExtendedKeyUsage(c); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := validateAKCertificateSubjectAlternativeNames(c); err != nil {
|
return validateAKCertificateSubjectAlternativeNames(c)
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// validateAKCertificateSubjectAlternativeNames checks if the AK certificate
|
// validateAKCertificateSubjectAlternativeNames checks if the AK certificate
|
||||||
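Review bot: `return validateAKCertificateSubjectAlternativeNames(c)` is only equivalent to the old `if err := …; err != nil { return err }` followed by `return nil` when that helper's return type is the `error` interface; if it returned a concrete pointer type, a nil pointer would now be boxed into a non-nil `error` and every AK certificate would be rejected. Only the helper's doc comment is visible in this hunk, not its signature, so please confirm it returns `error` (the sibling `validateAKCertificateExtendedKeyUsage` call just above is used the same way). validateAKCertificate starts outside the hunk.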
|
@ -828,7 +824,7 @@ type appleAttestationData struct {
|
||||||
Fingerprint string
|
Fingerprint string
|
||||||
}
|
}
|
||||||
|
|
||||||
func doAppleAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, att *attestationObject) (*appleAttestationData, error) {
|
func doAppleAttestationFormat(_ context.Context, prov Provisioner, _ *Challenge, att *attestationObject) (*appleAttestationData, error) {
|
||||||
// Use configured or default attestation roots if none is configured.
|
// Use configured or default attestation roots if none is configured.
|
||||||
roots, ok := prov.GetAttestationRoots()
|
roots, ok := prov.GetAttestationRoots()
|
||||||
if !ok {
|
if !ok {
|
||||||
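Review bot: Replacing `ch *Challenge` with `_ *Challenge` in doAppleAttestationFormat records that the challenge is unused but not why, while the TPM and step variants in the same file still take `ch`; a reader auditing how the Apple attestation is tied to the challenge gets no pointer from the signature. Suggest a comment above the function such as `// The challenge is not consulted here; binding of the attested key to the challenge is the caller's responsibility.` — and verify that claim against the caller before committing, since nothing in this hunk shows where that binding happens. The function body continues outside the hunk.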
|
@ -933,7 +929,7 @@ type stepAttestationData struct {
|
||||||
Fingerprint string
|
Fingerprint string
|
||||||
}
|
}
|
||||||
|
|
||||||
func doStepAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*stepAttestationData, error) {
|
func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*stepAttestationData, error) {
|
||||||
// Use configured or default attestation roots if none is configured.
|
// Use configured or default attestation roots if none is configured.
|
||||||
roots, ok := prov.GetAttestationRoots()
|
roots, ok := prov.GetAttestationRoots()
|
||||||
if !ok {
|
if !ok {
|
||||||
|
|
|
@ -148,7 +148,7 @@ func mustAttestApple(t *testing.T, nonce string) ([]byte, *x509.Certificate, *x5
|
||||||
return payload, leaf, ca.Root
|
return payload, leaf, ca.Root
|
||||||
}
|
}
|
||||||
|
|
||||||
func mustAttestYubikey(t *testing.T, nonce, keyAuthorization string, serial int) ([]byte, *x509.Certificate, *x509.Certificate) {
|
func mustAttestYubikey(t *testing.T, _, keyAuthorization string, serial int) ([]byte, *x509.Certificate, *x509.Certificate) {
|
||||||
ca, err := minica.New()
|
ca, err := minica.New()
|
||||||
fatalError(t, err)
|
fatalError(t, err)
|
||||||
|
|
||||||
|
@ -888,7 +888,7 @@ func TestChallenge_Validate(t *testing.T) {
|
||||||
|
|
||||||
type errReader int
|
type errReader int
|
||||||
|
|
||||||
func (errReader) Read(p []byte) (n int, err error) {
|
func (errReader) Read([]byte) (int, error) {
|
||||||
return 0, errors.New("force")
|
return 0, errors.New("force")
|
||||||
}
|
}
|
||||||
func (errReader) Close() error {
|
func (errReader) Close() error {
|
||||||
|
@ -1636,9 +1636,9 @@ func (c *noopConn) Write(_ []byte) (n int, err error) { return 0, io.EOF }
|
||||||
func (c *noopConn) Close() error { return nil }
|
func (c *noopConn) Close() error { return nil }
|
||||||
func (c *noopConn) LocalAddr() net.Addr { return &net.IPAddr{IP: net.IPv4zero, Zone: ""} }
|
func (c *noopConn) LocalAddr() net.Addr { return &net.IPAddr{IP: net.IPv4zero, Zone: ""} }
|
||||||
func (c *noopConn) RemoteAddr() net.Addr { return &net.IPAddr{IP: net.IPv4zero, Zone: ""} }
|
func (c *noopConn) RemoteAddr() net.Addr { return &net.IPAddr{IP: net.IPv4zero, Zone: ""} }
|
||||||
func (c *noopConn) SetDeadline(t time.Time) error { return nil }
|
func (c *noopConn) SetDeadline(time.Time) error { return nil }
|
||||||
func (c *noopConn) SetReadDeadline(t time.Time) error { return nil }
|
func (c *noopConn) SetReadDeadline(time.Time) error { return nil }
|
||||||
func (c *noopConn) SetWriteDeadline(t time.Time) error { return nil }
|
func (c *noopConn) SetWriteDeadline(time.Time) error { return nil }
|
||||||
|
|
||||||
func newTLSALPNValidationCert(keyAuthHash []byte, obsoleteOID, critical bool, names ...string) (*tls.Certificate, error) {
|
func newTLSALPNValidationCert(keyAuthHash []byte, obsoleteOID, critical bool, names ...string) (*tls.Certificate, error) {
|
||||||
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||||
|
|
|
@ -46,7 +46,7 @@ type PrerequisitesChecker func(ctx context.Context) (bool, error)
|
||||||
|
|
||||||
// DefaultPrerequisitesChecker is the default PrerequisiteChecker and returns
|
// DefaultPrerequisitesChecker is the default PrerequisiteChecker and returns
|
||||||
// always true.
|
// always true.
|
||||||
func DefaultPrerequisitesChecker(ctx context.Context) (bool, error) {
|
func DefaultPrerequisitesChecker(context.Context) (bool, error) {
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ func (dba *dbAccount) clone() *dbAccount {
|
||||||
return &nu
|
return &nu
|
||||||
}
|
}
|
||||||
|
|
||||||
func (db *DB) getAccountIDByKeyID(ctx context.Context, kid string) (string, error) {
|
func (db *DB) getAccountIDByKeyID(_ context.Context, kid string) (string, error) {
|
||||||
id, err := db.db.Get(accountByKeyIDTable, []byte(kid))
|
id, err := db.db.Get(accountByKeyIDTable, []byte(kid))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if nosqlDB.IsErrNotFound(err) {
|
if nosqlDB.IsErrNotFound(err) {
|
||||||
|
@ -38,7 +38,7 @@ func (db *DB) getAccountIDByKeyID(ctx context.Context, kid string) (string, erro
|
||||||
}
|
}
|
||||||
|
|
||||||
// getDBAccount retrieves and unmarshals dbAccount.
|
// getDBAccount retrieves and unmarshals dbAccount.
|
||||||
func (db *DB) getDBAccount(ctx context.Context, id string) (*dbAccount, error) {
|
func (db *DB) getDBAccount(_ context.Context, id string) (*dbAccount, error) {
|
||||||
data, err := db.db.Get(accountTable, []byte(id))
|
data, err := db.db.Get(accountTable, []byte(id))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if nosqlDB.IsErrNotFound(err) {
|
if nosqlDB.IsErrNotFound(err) {
|
||||||
|
|
|
@ -32,7 +32,7 @@ func (ba *dbAuthz) clone() *dbAuthz {
|
||||||
|
|
||||||
// getDBAuthz retrieves and unmarshals a database representation of the
|
// getDBAuthz retrieves and unmarshals a database representation of the
|
||||||
// ACME Authorization type.
|
// ACME Authorization type.
|
||||||
func (db *DB) getDBAuthz(ctx context.Context, id string) (*dbAuthz, error) {
|
func (db *DB) getDBAuthz(_ context.Context, id string) (*dbAuthz, error) {
|
||||||
data, err := db.db.Get(authzTable, []byte(id))
|
data, err := db.db.Get(authzTable, []byte(id))
|
||||||
if nosql.IsErrNotFound(err) {
|
if nosql.IsErrNotFound(err) {
|
||||||
return nil, acme.NewError(acme.ErrorMalformedType, "authz %s not found", id)
|
return nil, acme.NewError(acme.ErrorMalformedType, "authz %s not found", id)
|
||||||
|
@ -121,7 +121,7 @@ func (db *DB) UpdateAuthorization(ctx context.Context, az *acme.Authorization) e
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetAuthorizationsByAccountID retrieves and unmarshals ACME authz types from the database.
|
// GetAuthorizationsByAccountID retrieves and unmarshals ACME authz types from the database.
|
||||||
func (db *DB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*acme.Authorization, error) {
|
func (db *DB) GetAuthorizationsByAccountID(_ context.Context, accountID string) ([]*acme.Authorization, error) {
|
||||||
entries, err := db.db.List(authzTable)
|
entries, err := db.db.List(authzTable)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrapf(err, "error listing authz")
|
return nil, errors.Wrapf(err, "error listing authz")
|
||||||
|
|
|
@ -69,7 +69,7 @@ func (db *DB) CreateCertificate(ctx context.Context, cert *acme.Certificate) err
|
||||||
|
|
||||||
// GetCertificate retrieves and unmarshals an ACME certificate type from the
|
// GetCertificate retrieves and unmarshals an ACME certificate type from the
|
||||||
// datastore.
|
// datastore.
|
||||||
func (db *DB) GetCertificate(ctx context.Context, id string) (*acme.Certificate, error) {
|
func (db *DB) GetCertificate(_ context.Context, id string) (*acme.Certificate, error) {
|
||||||
b, err := db.db.Get(certTable, []byte(id))
|
b, err := db.db.Get(certTable, []byte(id))
|
||||||
if nosql.IsErrNotFound(err) {
|
if nosql.IsErrNotFound(err) {
|
||||||
return nil, acme.NewError(acme.ErrorMalformedType, "certificate %s not found", id)
|
return nil, acme.NewError(acme.ErrorMalformedType, "certificate %s not found", id)
|
||||||
|
|
|
@ -29,7 +29,7 @@ func (dbc *dbChallenge) clone() *dbChallenge {
|
||||||
return &u
|
return &u
|
||||||
}
|
}
|
||||||
|
|
||||||
func (db *DB) getDBChallenge(ctx context.Context, id string) (*dbChallenge, error) {
|
func (db *DB) getDBChallenge(_ context.Context, id string) (*dbChallenge, error) {
|
||||||
data, err := db.db.Get(challengeTable, []byte(id))
|
data, err := db.db.Get(challengeTable, []byte(id))
|
||||||
if nosql.IsErrNotFound(err) {
|
if nosql.IsErrNotFound(err) {
|
||||||
return nil, acme.NewError(acme.ErrorMalformedType, "challenge %s not found", id)
|
return nil, acme.NewError(acme.ErrorMalformedType, "challenge %s not found", id)
|
||||||
|
@ -69,6 +69,7 @@ func (db *DB) CreateChallenge(ctx context.Context, ch *acme.Challenge) error {
|
||||||
// GetChallenge retrieves and unmarshals an ACME challenge type from the database.
|
// GetChallenge retrieves and unmarshals an ACME challenge type from the database.
|
||||||
// Implements the acme.DB GetChallenge interface.
|
// Implements the acme.DB GetChallenge interface.
|
||||||
func (db *DB) GetChallenge(ctx context.Context, id, authzID string) (*acme.Challenge, error) {
|
func (db *DB) GetChallenge(ctx context.Context, id, authzID string) (*acme.Challenge, error) {
|
||||||
|
_ = authzID // unused input
|
||||||
dbch, err := db.getDBChallenge(ctx, id)
|
dbch, err := db.getDBChallenge(ctx, id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
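Review bot: `_ = authzID // unused input` silences the linter but leaves the relevant fact undocumented: `getDBChallenge(ctx, id)` looks the challenge up by id alone, so the returned challenge is not scoped to the authorization it was requested under. Whether that scoping is expected of this layer cannot be told from the hunk; either way the comment should say what the caller has to do, e.g. `_ = authzID // challenges are keyed by id only; callers must check the challenge belongs to authzID`. The same bare `// unused input` pattern appears in GetExternalAccountKeys for `cursor` and `limit`. GetChallenge continues outside the hunk.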
|
|
|
@ -35,7 +35,7 @@ type dbExternalAccountKeyReference struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// getDBExternalAccountKey retrieves and unmarshals dbExternalAccountKey.
|
// getDBExternalAccountKey retrieves and unmarshals dbExternalAccountKey.
|
||||||
func (db *DB) getDBExternalAccountKey(ctx context.Context, id string) (*dbExternalAccountKey, error) {
|
func (db *DB) getDBExternalAccountKey(_ context.Context, id string) (*dbExternalAccountKey, error) {
|
||||||
data, err := db.db.Get(externalAccountKeyTable, []byte(id))
|
data, err := db.db.Get(externalAccountKeyTable, []byte(id))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if nosqlDB.IsErrNotFound(err) {
|
if nosqlDB.IsErrNotFound(err) {
|
||||||
|
@ -160,6 +160,8 @@ func (db *DB) DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID
|
||||||
|
|
||||||
// GetExternalAccountKeys retrieves all External Account Binding keys for a provisioner
|
// GetExternalAccountKeys retrieves all External Account Binding keys for a provisioner
|
||||||
func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*acme.ExternalAccountKey, string, error) {
|
func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*acme.ExternalAccountKey, string, error) {
|
||||||
|
_, _ = cursor, limit // unused input
|
||||||
|
|
||||||
externalAccountKeyMutex.RLock()
|
externalAccountKeyMutex.RLock()
|
||||||
defer externalAccountKeyMutex.RUnlock()
|
defer externalAccountKeyMutex.RUnlock()
|
||||||
|
|
||||||
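Review bot: `_, _ = cursor, limit // unused input` means GetExternalAccountKeys ignores its pagination parameters, so a caller passing a `limit` still receives every key for the provisioner in one response, and the doc comment a few lines above does not mention it. Suggest extending that comment: `// GetExternalAccountKeys retrieves all External Account Binding keys for a provisioner.` / `// Pagination is not implemented for this backend: cursor and limit are ignored and all keys are returned.` The rest of the function, including what is returned as the next cursor, is outside the hunk.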
|
@ -227,7 +229,7 @@ func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerI
|
||||||
return db.GetExternalAccountKey(ctx, provisionerID, dbExternalAccountKeyReference.ExternalAccountKeyID)
|
return db.GetExternalAccountKey(ctx, provisionerID, dbExternalAccountKeyReference.ExternalAccountKeyID)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (db *DB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
|
func (db *DB) GetExternalAccountKeyByAccountID(context.Context, string, string) (*acme.ExternalAccountKey, error) {
|
||||||
//nolint:nilnil // legacy
|
//nolint:nilnil // legacy
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -39,7 +39,7 @@ func (db *DB) CreateNonce(ctx context.Context) (acme.Nonce, error) {
|
||||||
|
|
||||||
// DeleteNonce verifies that the nonce is valid (by checking if it exists),
|
// DeleteNonce verifies that the nonce is valid (by checking if it exists),
|
||||||
// and if so, consumes the nonce resource by deleting it from the database.
|
// and if so, consumes the nonce resource by deleting it from the database.
|
||||||
func (db *DB) DeleteNonce(ctx context.Context, nonce acme.Nonce) error {
|
func (db *DB) DeleteNonce(_ context.Context, nonce acme.Nonce) error {
|
||||||
err := db.db.Update(&database.Tx{
|
err := db.db.Update(&database.Tx{
|
||||||
Operations: []*database.TxEntry{
|
Operations: []*database.TxEntry{
|
||||||
{
|
{
|
||||||
|
|
|
@ -48,7 +48,7 @@ func New(db nosqlDB.DB) (*DB, error) {
|
||||||
|
|
||||||
// save writes the new data to the database, overwriting the old data if it
|
// save writes the new data to the database, overwriting the old data if it
|
||||||
// existed.
|
// existed.
|
||||||
func (db *DB) save(ctx context.Context, id string, nu, old interface{}, typ string, table []byte) error {
|
func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string, table []byte) error {
|
||||||
var (
|
var (
|
||||||
err error
|
err error
|
||||||
newB []byte
|
newB []byte
|
||||||
|
|
|
@ -35,7 +35,7 @@ func (a *dbOrder) clone() *dbOrder {
|
||||||
}
|
}
|
||||||
|
|
||||||
// getDBOrder retrieves and unmarshals an ACME Order type from the database.
|
// getDBOrder retrieves and unmarshals an ACME Order type from the database.
|
||||||
func (db *DB) getDBOrder(ctx context.Context, id string) (*dbOrder, error) {
|
func (db *DB) getDBOrder(_ context.Context, id string) (*dbOrder, error) {
|
||||||
b, err := db.db.Get(orderTable, []byte(id))
|
b, err := db.db.Get(orderTable, []byte(id))
|
||||||
if nosql.IsErrNotFound(err) {
|
if nosql.IsErrNotFound(err) {
|
||||||
return nil, acme.NewError(acme.ErrorMalformedType, "order %s not found", id)
|
return nil, acme.NewError(acme.ErrorMalformedType, "order %s not found", id)
|
||||||
|
|
|
@ -301,7 +301,7 @@ func (m *mockSignAuth) LoadProvisionerByName(name string) (provisioner.Interface
|
||||||
return m.ret1.(provisioner.Interface), m.err
|
return m.ret1.(provisioner.Interface), m.err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *mockSignAuth) IsRevoked(sn string) (bool, error) {
|
func (m *mockSignAuth) IsRevoked(string) (bool, error) {
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -291,7 +291,7 @@ func (h *caHandler) Route(r Router) {
|
||||||
// New creates a new RouterHandler with the CA endpoints.
|
// New creates a new RouterHandler with the CA endpoints.
|
||||||
//
|
//
|
||||||
// Deprecated: Use api.Route(r Router)
|
// Deprecated: Use api.Route(r Router)
|
||||||
func New(auth Authority) RouterHandler {
|
func New(Authority) RouterHandler {
|
||||||
return &caHandler{}
|
return &caHandler{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -338,7 +338,7 @@ func Version(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Health is an HTTP handler that returns the status of the server.
|
// Health is an HTTP handler that returns the status of the server.
|
||||||
func Health(w http.ResponseWriter, r *http.Request) {
|
func Health(w http.ResponseWriter, _ *http.Request) {
|
||||||
render.JSON(w, HealthResponse{Status: "ok"})
|
render.JSON(w, HealthResponse{Status: "ok"})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -69,17 +69,17 @@ func NewACMEAdminResponder() ACMEAdminResponder {
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetExternalAccountKeys writes the response for the EAB keys GET endpoint
|
// GetExternalAccountKeys writes the response for the EAB keys GET endpoint
|
||||||
func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) {
|
func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, _ *http.Request) {
|
||||||
render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
|
render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
|
||||||
}
|
}
|
||||||
|
|
||||||
// CreateExternalAccountKey writes the response for the EAB key POST endpoint
|
// CreateExternalAccountKey writes the response for the EAB key POST endpoint
|
||||||
func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r *http.Request) {
|
func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, _ *http.Request) {
|
||||||
render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
|
render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint
|
// DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint
|
||||||
func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) {
|
func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, _ *http.Request) {
|
||||||
render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
|
render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@ func (dba *dbAdmin) clone() *dbAdmin {
|
||||||
return &u
|
return &u
|
||||||
}
|
}
|
||||||
|
|
||||||
func (db *DB) getDBAdminBytes(ctx context.Context, id string) ([]byte, error) {
|
func (db *DB) getDBAdminBytes(_ context.Context, id string) ([]byte, error) {
|
||||||
data, err := db.db.Get(adminsTable, []byte(id))
|
data, err := db.db.Get(adminsTable, []byte(id))
|
||||||
if nosql.IsErrNotFound(err) {
|
if nosql.IsErrNotFound(err) {
|
||||||
return nil, admin.NewError(admin.ErrorNotFoundType, "admin %s not found", id)
|
return nil, admin.NewError(admin.ErrorNotFoundType, "admin %s not found", id)
|
||||||
|
@ -102,7 +102,7 @@ func (db *DB) GetAdmin(ctx context.Context, id string) (*linkedca.Admin, error)
|
||||||
// GetAdmins retrieves and unmarshals all active (not deleted) admins
|
// GetAdmins retrieves and unmarshals all active (not deleted) admins
|
||||||
// from the database.
|
// from the database.
|
||||||
// TODO should we be paginating?
|
// TODO should we be paginating?
|
||||||
func (db *DB) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) {
|
func (db *DB) GetAdmins(context.Context) ([]*linkedca.Admin, error) {
|
||||||
dbEntries, err := db.db.List(adminsTable)
|
dbEntries, err := db.db.List(adminsTable)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "error loading admins")
|
return nil, errors.Wrap(err, "error loading admins")
|
||||||
|
@ -115,13 +115,11 @@ func (db *DB) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) {
|
||||||
if errors.As(err, &ae) {
|
if errors.As(err, &ae) {
|
||||||
if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
|
if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
|
||||||
continue
|
continue
|
||||||
} else {
|
}
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
|
||||||
if adm.AuthorityId != db.authorityID {
|
if adm.AuthorityId != db.authorityID {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
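Review bot: After dropping the `else`, both the `errors.As` branch and the fall-through end in an identical `return nil, err`, so the nested `if` can be flattened into one guard: `if errors.As(err, &ae) && (ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType)) {` / `continue` / `}` followed by a single `return nil, err`. The same shape is in the GetProvisioners hunk (`@ -145,13 +145,11 @@`). GetAdmins starts outside the hunk.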
|
|
|
@ -36,7 +36,7 @@ func New(db nosqlDB.DB, authorityID string) (*DB, error) {
|
||||||
|
|
||||||
// save writes the new data to the database, overwriting the old data if it
|
// save writes the new data to the database, overwriting the old data if it
|
||||||
// existed.
|
// existed.
|
||||||
func (db *DB) save(ctx context.Context, id string, nu, old interface{}, typ string, table []byte) error {
|
func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string, table []byte) error {
|
||||||
var (
|
var (
|
||||||
err error
|
err error
|
||||||
newB []byte
|
newB []byte
|
||||||
|
|
|
@ -71,7 +71,7 @@ func (dbap *dbAuthorityPolicy) convert() *linkedca.Policy {
|
||||||
return dbToLinked(dbap.Policy)
|
return dbToLinked(dbap.Policy)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string) ([]byte, error) {
|
func (db *DB) getDBAuthorityPolicyBytes(_ context.Context, authorityID string) ([]byte, error) {
|
||||||
data, err := db.db.Get(authorityPoliciesTable, []byte(authorityID))
|
data, err := db.db.Get(authorityPoliciesTable, []byte(authorityID))
|
||||||
if nosql.IsErrNotFound(err) {
|
if nosql.IsErrNotFound(err) {
|
||||||
return nil, admin.NewError(admin.ErrorNotFoundType, "authority policy not found")
|
return nil, admin.NewError(admin.ErrorNotFoundType, "authority policy not found")
|
||||||
|
|
|
@ -70,7 +70,7 @@ func (dbp *dbProvisioner) convert2linkedca() (*linkedca.Provisioner, error) {
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (db *DB) getDBProvisionerBytes(ctx context.Context, id string) ([]byte, error) {
|
func (db *DB) getDBProvisionerBytes(_ context.Context, id string) ([]byte, error) {
|
||||||
data, err := db.db.Get(provisionersTable, []byte(id))
|
data, err := db.db.Get(provisionersTable, []byte(id))
|
||||||
if nosql.IsErrNotFound(err) {
|
if nosql.IsErrNotFound(err) {
|
||||||
return nil, admin.NewError(admin.ErrorNotFoundType, "provisioner %s not found", id)
|
return nil, admin.NewError(admin.ErrorNotFoundType, "provisioner %s not found", id)
|
||||||
|
@ -132,7 +132,7 @@ func (db *DB) GetProvisioner(ctx context.Context, id string) (*linkedca.Provisio
|
||||||
|
|
||||||
// GetProvisioners retrieves and unmarshals all active (not deleted) provisioners
|
// GetProvisioners retrieves and unmarshals all active (not deleted) provisioners
|
||||||
// from the database.
|
// from the database.
|
||||||
func (db *DB) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, error) {
|
func (db *DB) GetProvisioners(_ context.Context) ([]*linkedca.Provisioner, error) {
|
||||||
dbEntries, err := db.db.List(provisionersTable)
|
dbEntries, err := db.db.List(provisionersTable)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "error loading provisioners")
|
return nil, errors.Wrap(err, "error loading provisioners")
|
||||||
|
@ -145,13 +145,11 @@ func (db *DB) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, err
|
||||||
if errors.As(err, &ae) {
|
if errors.As(err, &ae) {
|
||||||
if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
|
if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
|
||||||
continue
|
continue
|
||||||
} else {
|
}
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
|
||||||
if prov.AuthorityId != db.authorityID {
|
if prov.AuthorityId != db.authorityID {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
|
@ -315,7 +315,7 @@ func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate)
|
||||||
}
|
}
|
||||||
|
|
||||||
// authorizeSSHCertificate returns an error if the given certificate is revoked.
|
// authorizeSSHCertificate returns an error if the given certificate is revoked.
|
||||||
func (a *Authority) authorizeSSHCertificate(ctx context.Context, cert *ssh.Certificate) error {
|
func (a *Authority) authorizeSSHCertificate(_ context.Context, cert *ssh.Certificate) error {
|
||||||
var err error
|
var err error
|
||||||
var isRevoked bool
|
var isRevoked bool
|
||||||
|
|
||||||
|
@ -394,7 +394,7 @@ func (a *Authority) authorizeSSHRevoke(ctx context.Context, token string) error
|
||||||
|
|
||||||
// AuthorizeRenewToken validates the renew token and returns the leaf
|
// AuthorizeRenewToken validates the renew token and returns the leaf
|
||||||
// certificate in the x5cInsecure header.
|
// certificate in the x5cInsecure header.
|
||||||
func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error) {
|
func (a *Authority) AuthorizeRenewToken(_ context.Context, ott string) (*x509.Certificate, error) {
|
||||||
var claims jose.Claims
|
var claims jose.Claims
|
||||||
jwt, chain, err := jose.ParseX5cInsecure(ott, a.rootX509Certs)
|
jwt, chain, err := jose.ParseX5cInsecure(ott, a.rootX509Certs)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -182,7 +182,7 @@ func (c *AuthConfig) init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate validates the authority configuration.
|
// Validate validates the authority configuration.
|
||||||
func (c *AuthConfig) Validate(audiences provisioner.Audiences) error {
|
func (c *AuthConfig) Validate(provisioner.Audiences) error {
|
||||||
if c == nil {
|
if c == nil {
|
||||||
return errors.New("authority cannot be undefined")
|
return errors.New("authority cannot be undefined")
|
||||||
}
|
}
|
||||||
|
|
|
@ -381,19 +381,19 @@ func (c *linkedCaClient) IsSSHRevoked(serial string) (bool, error) {
|
||||||
return resp.Status != linkedca.RevocationStatus_ACTIVE, nil
|
return resp.Status != linkedca.RevocationStatus_ACTIVE, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *linkedCaClient) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
|
func (c *linkedCaClient) CreateAuthorityPolicy(_ context.Context, _ *linkedca.Policy) error {
|
||||||
return errors.New("not implemented yet")
|
return errors.New("not implemented yet")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *linkedCaClient) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) {
|
func (c *linkedCaClient) GetAuthorityPolicy(context.Context) (*linkedca.Policy, error) {
|
||||||
return nil, errors.New("not implemented yet")
|
return nil, errors.New("not implemented yet")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *linkedCaClient) UpdateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
|
func (c *linkedCaClient) UpdateAuthorityPolicy(_ context.Context, _ *linkedca.Policy) error {
|
||||||
return errors.New("not implemented yet")
|
return errors.New("not implemented yet")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *linkedCaClient) DeleteAuthorityPolicy(ctx context.Context) error {
|
func (c *linkedCaClient) DeleteAuthorityPolicy(context.Context) error {
|
||||||
return errors.New("not implemented yet")
|
return errors.New("not implemented yet")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -154,7 +154,7 @@ func (a *Authority) checkProvisionerPolicy(ctx context.Context, provName string,
|
||||||
|
|
||||||
// checkPolicy checks if a new or updated policy configuration results in the user
|
// checkPolicy checks if a new or updated policy configuration results in the user
|
||||||
// locking themselves or other admins out of the CA.
|
// locking themselves or other admins out of the CA.
|
||||||
func (a *Authority) checkPolicy(ctx context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error {
|
func (a *Authority) checkPolicy(_ context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error {
|
||||||
// convert the policy; return early if nil
|
// convert the policy; return early if nil
|
||||||
policyOptions := authPolicy.LinkedToCertificates(p)
|
policyOptions := authPolicy.LinkedToCertificates(p)
|
||||||
if policyOptions == nil {
|
if policyOptions == nil {
|
||||||
|
|
|
@ -133,7 +133,7 @@ func (p *ACME) GetIDForToken() string {
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetTokenID returns the identifier of the token.
|
// GetTokenID returns the identifier of the token.
|
||||||
func (p *ACME) GetTokenID(ott string) (string, error) {
|
func (p *ACME) GetTokenID(string) (string, error) {
|
||||||
return "", errors.New("acme provisioner does not implement GetTokenID")
|
return "", errors.New("acme provisioner does not implement GetTokenID")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -228,7 +228,7 @@ type ACMEIdentifier struct {
|
||||||
|
|
||||||
// AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a
|
// AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a
|
||||||
// certificate for an ACME Order Identifier.
|
// certificate for an ACME Order Identifier.
|
||||||
func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIdentifier) error {
|
func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdentifier) error {
|
||||||
x509Policy := p.ctl.getPolicy().getX509()
|
x509Policy := p.ctl.getPolicy().getX509()
|
||||||
|
|
||||||
// identifier is allowed if no policy is configured
|
// identifier is allowed if no policy is configured
|
||||||
|
@ -253,7 +253,7 @@ func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIden
|
||||||
// AuthorizeSign does not do any validation, because all validation is handled
|
// AuthorizeSign does not do any validation, because all validation is handled
|
||||||
// in the ACME protocol. This method returns a list of modifiers / constraints
|
// in the ACME protocol. This method returns a list of modifiers / constraints
|
||||||
// on the resulting certificate.
|
// on the resulting certificate.
|
||||||
func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) {
|
||||||
opts := []SignOption{
|
opts := []SignOption{
|
||||||
p,
|
p,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
|
@ -274,7 +274,7 @@ func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
|
||||||
// the CA. It can be used to authorize revocation of a certificate. With the
|
// the CA. It can be used to authorize revocation of a certificate. With the
|
||||||
// ACME protocol, revocation authorization is specified and performed as part
|
// ACME protocol, revocation authorization is specified and performed as part
|
||||||
// of the client/server interaction, so this is a no-op.
|
// of the client/server interaction, so this is a no-op.
|
||||||
func (p *ACME) AuthorizeRevoke(ctx context.Context, token string) error {
|
func (p *ACME) AuthorizeRevoke(context.Context, string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -289,7 +289,7 @@ func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
|
||||||
// IsChallengeEnabled checks if the given challenge is enabled. By default
|
// IsChallengeEnabled checks if the given challenge is enabled. By default
|
||||||
// http-01, dns-01 and tls-alpn-01 are enabled, to disable any of them the
|
// http-01, dns-01 and tls-alpn-01 are enabled, to disable any of them the
|
||||||
// Challenge provisioner property should have at least one element.
|
// Challenge provisioner property should have at least one element.
|
||||||
func (p *ACME) IsChallengeEnabled(ctx context.Context, challenge ACMEChallenge) bool {
|
func (p *ACME) IsChallengeEnabled(_ context.Context, challenge ACMEChallenge) bool {
|
||||||
enabledChallenges := []ACMEChallenge{
|
enabledChallenges := []ACMEChallenge{
|
||||||
HTTP_01, DNS_01, TLS_ALPN_01,
|
HTTP_01, DNS_01, TLS_ALPN_01,
|
||||||
}
|
}
|
||||||
|
@ -307,7 +307,7 @@ func (p *ACME) IsChallengeEnabled(ctx context.Context, challenge ACMEChallenge)
|
||||||
// IsAttestationFormatEnabled checks if the given attestation format is enabled.
|
// IsAttestationFormatEnabled checks if the given attestation format is enabled.
|
||||||
// By default apple, step and tpm are enabled, to disable any of them the
|
// By default apple, step and tpm are enabled, to disable any of them the
|
||||||
// AttestationFormat provisioner property should have at least one element.
|
// AttestationFormat provisioner property should have at least one element.
|
||||||
func (p *ACME) IsAttestationFormatEnabled(ctx context.Context, format ACMEAttestationFormat) bool {
|
func (p *ACME) IsAttestationFormatEnabled(_ context.Context, format ACMEAttestationFormat) bool {
|
||||||
enabledFormats := []ACMEAttestationFormat{
|
enabledFormats := []ACMEAttestationFormat{
|
||||||
APPLE, STEP, TPM,
|
APPLE, STEP, TPM,
|
||||||
}
|
}
|
||||||
|
|
|
@ -435,7 +435,7 @@ func (p *AWS) Init(config Config) (err error) {
|
||||||
|
|
||||||
// AuthorizeSign validates the given token and returns the sign options that
|
// AuthorizeSign validates the given token and returns the sign options that
|
||||||
// will be used on certificate creation.
|
// will be used on certificate creation.
|
||||||
func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
payload, err := p.authorizeToken(token)
|
payload, err := p.authorizeToken(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSign")
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSign")
|
||||||
|
@ -708,7 +708,7 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
||||||
func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
||||||
return nil, errs.Unauthorized("aws.AuthorizeSSHSign; ssh ca is disabled for aws provisioner '%s'", p.GetName())
|
return nil, errs.Unauthorized("aws.AuthorizeSSHSign; ssh ca is disabled for aws provisioner '%s'", p.GetName())
|
||||||
}
|
}
|
||||||
|
|
|
@ -182,6 +182,8 @@ func (p *Azure) GetEncryptedKey() (kid, key string, ok bool) {
|
||||||
// GetIdentityToken retrieves from the metadata service the identity token and
|
// GetIdentityToken retrieves from the metadata service the identity token and
|
||||||
// returns it.
|
// returns it.
|
||||||
func (p *Azure) GetIdentityToken(subject, caURL string) (string, error) {
|
func (p *Azure) GetIdentityToken(subject, caURL string) (string, error) {
|
||||||
|
_, _ = subject, caURL // unused input
|
||||||
|
|
||||||
// Initialize the config if this method is used from the cli.
|
// Initialize the config if this method is used from the cli.
|
||||||
p.assertConfig()
|
p.assertConfig()
|
||||||
|
|
||||||
|
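Review bot: `_, _ = subject, caURL // unused input` silences the unused-parameter warning in the body, whereas every other hunk in this commit expresses the same thing in the signature; for consistency the parameters could be blanked instead, `func (p *Azure) GetIdentityToken(_, _ string) (string, error) {`, with the doc comment noting that the token comes from the metadata service and neither input takes part. The same applies to the `_ = subject // unused input` added in GCP's GetIdentityToken further down, where only subject is unused. Keeping the names so godoc shows them is also defensible, but then the comment should say why the inputs are ignored rather than only that they are. GetIdentityToken's body continues outside the hunk.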
@ -313,7 +315,7 @@ func (p *Azure) authorizeToken(token string) (*azurePayload, string, string, str
|
||||||
|
|
||||||
// AuthorizeSign validates the given token and returns the sign options that
|
// AuthorizeSign validates the given token and returns the sign options that
|
||||||
// will be used on certificate creation.
|
// will be used on certificate creation.
|
||||||
func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
_, name, group, subscription, identityObjectID, err := p.authorizeToken(token)
|
_, name, group, subscription, identityObjectID, err := p.authorizeToken(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSign")
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSign")
|
||||||
|
@ -414,7 +416,7 @@ func (p *Azure) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) erro
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
||||||
func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
||||||
return nil, errs.Unauthorized("azure.AuthorizeSSHSign; sshCA is disabled for provisioner '%s'", p.GetName())
|
return nil, errs.Unauthorized("azure.AuthorizeSSHSign; sshCA is disabled for provisioner '%s'", p.GetName())
|
||||||
}
|
}
|
||||||
|
|
|
@ -111,7 +111,7 @@ type AuthorizeSSHRenewFunc func(ctx context.Context, p *Controller, cert *ssh.Ce
|
||||||
// DefaultIdentityFunc return a default identity depending on the provisioner
|
// DefaultIdentityFunc return a default identity depending on the provisioner
|
||||||
// type. For OIDC email is always present and the usernames might
|
// type. For OIDC email is always present and the usernames might
|
||||||
// contain empty strings.
|
// contain empty strings.
|
||||||
func DefaultIdentityFunc(ctx context.Context, p Interface, email string) (*Identity, error) {
|
func DefaultIdentityFunc(_ context.Context, p Interface, email string) (*Identity, error) {
|
||||||
switch k := p.(type) {
|
switch k := p.(type) {
|
||||||
case *OIDC:
|
case *OIDC:
|
||||||
// OIDC principals would be:
|
// OIDC principals would be:
|
||||||
|
@ -140,7 +140,7 @@ func DefaultIdentityFunc(ctx context.Context, p Interface, email string) (*Ident
|
||||||
// will return an error if the provisioner has the renewal disabled, if the
|
// will return an error if the provisioner has the renewal disabled, if the
|
||||||
// certificate is not yet valid or if the certificate is expired and renew after
|
// certificate is not yet valid or if the certificate is expired and renew after
|
||||||
// expiry is disabled.
|
// expiry is disabled.
|
||||||
func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certificate) error {
|
func DefaultAuthorizeRenew(_ context.Context, p *Controller, cert *x509.Certificate) error {
|
||||||
if p.Claimer.IsDisableRenewal() {
|
if p.Claimer.IsDisableRenewal() {
|
||||||
return errs.Unauthorized("renew is disabled for provisioner '%s'", p.GetName())
|
return errs.Unauthorized("renew is disabled for provisioner '%s'", p.GetName())
|
||||||
}
|
}
|
||||||
|
@ -162,7 +162,7 @@ func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certif
|
||||||
// will return an error if the provisioner has the renewal disabled, if the
|
// will return an error if the provisioner has the renewal disabled, if the
|
||||||
// certificate is not yet valid or if the certificate is expired and renew after
|
// certificate is not yet valid or if the certificate is expired and renew after
|
||||||
// expiry is disabled.
|
// expiry is disabled.
|
||||||
func DefaultAuthorizeSSHRenew(ctx context.Context, p *Controller, cert *ssh.Certificate) error {
|
func DefaultAuthorizeSSHRenew(_ context.Context, p *Controller, cert *ssh.Certificate) error {
|
||||||
if p.Claimer.IsDisableRenewal() {
|
if p.Claimer.IsDisableRenewal() {
|
||||||
return errs.Unauthorized("renew is disabled for provisioner '%s'", p.GetName())
|
return errs.Unauthorized("renew is disabled for provisioner '%s'", p.GetName())
|
||||||
}
|
}
|
||||||
|
|
|
@ -169,6 +169,8 @@ func (p *GCP) GetIdentityURL(audience string) string {
|
||||||
|
|
||||||
// GetIdentityToken does an HTTP request to the identity url.
|
// GetIdentityToken does an HTTP request to the identity url.
|
||||||
func (p *GCP) GetIdentityToken(subject, caURL string) (string, error) {
|
func (p *GCP) GetIdentityToken(subject, caURL string) (string, error) {
|
||||||
|
_ = subject // unused input
|
||||||
|
|
||||||
audience, err := generateSignAudience(caURL, p.GetIDForToken())
|
audience, err := generateSignAudience(caURL, p.GetIDForToken())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
|
@ -220,7 +222,7 @@ func (p *GCP) Init(config Config) (err error) {
|
||||||
|
|
||||||
// AuthorizeSign validates the given token and returns the sign options that
|
// AuthorizeSign validates the given token and returns the sign options that
|
||||||
// will be used on certificate creation.
|
// will be used on certificate creation.
|
||||||
func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
claims, err := p.authorizeToken(token)
|
claims, err := p.authorizeToken(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSign")
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSign")
|
||||||
|
@ -380,7 +382,7 @@ func (p *GCP) authorizeToken(token string) (*gcpPayload, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
||||||
func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *GCP) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
||||||
return nil, errs.Unauthorized("gcp.AuthorizeSSHSign; sshCA is disabled for gcp provisioner '%s'", p.GetName())
|
return nil, errs.Unauthorized("gcp.AuthorizeSSHSign; sshCA is disabled for gcp provisioner '%s'", p.GetName())
|
||||||
}
|
}
|
||||||
|
|
|
@ -143,14 +143,14 @@ func (p *JWK) authorizeToken(token string, audiences []string) (*jwtPayload, err
|
||||||
|
|
||||||
// AuthorizeRevoke returns an error if the provisioner does not have rights to
|
// AuthorizeRevoke returns an error if the provisioner does not have rights to
|
||||||
// revoke the certificate with serial number in the `sub` property.
|
// revoke the certificate with serial number in the `sub` property.
|
||||||
func (p *JWK) AuthorizeRevoke(ctx context.Context, token string) error {
|
func (p *JWK) AuthorizeRevoke(_ context.Context, token string) error {
|
||||||
_, err := p.authorizeToken(token, p.ctl.Audiences.Revoke)
|
_, err := p.authorizeToken(token, p.ctl.Audiences.Revoke)
|
||||||
// TODO(hs): authorize the SANs using x509 name policy allow/deny rules (also for other provisioners with AuthorizeRevoke)
|
// TODO(hs): authorize the SANs using x509 name policy allow/deny rules (also for other provisioners with AuthorizeRevoke)
|
||||||
return errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeRevoke")
|
return errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeRevoke")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSign validates the given token.
|
// AuthorizeSign validates the given token.
|
||||||
func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *JWK) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
|
claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
|
||||||
|
@ -209,7 +209,7 @@ func (p *JWK) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
||||||
func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
||||||
return nil, errs.Unauthorized("jwk.AuthorizeSSHSign; sshCA is disabled for jwk provisioner '%s'", p.GetName())
|
return nil, errs.Unauthorized("jwk.AuthorizeSSHSign; sshCA is disabled for jwk provisioner '%s'", p.GetName())
|
||||||
}
|
}
|
||||||
|
@ -286,7 +286,7 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.
|
// AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.
|
||||||
func (p *JWK) AuthorizeSSHRevoke(ctx context.Context, token string) error {
|
func (p *JWK) AuthorizeSSHRevoke(_ context.Context, token string) error {
|
||||||
_, err := p.authorizeToken(token, p.ctl.Audiences.SSHRevoke)
|
_, err := p.authorizeToken(token, p.ctl.Audiences.SSHRevoke)
|
||||||
// TODO(hs): authorize the principals using SSH name policy allow/deny rules (also for other provisioners with AuthorizeSSHRevoke)
|
// TODO(hs): authorize the principals using SSH name policy allow/deny rules (also for other provisioners with AuthorizeSSHRevoke)
|
||||||
return errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSSHRevoke")
|
return errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSSHRevoke")
|
||||||
|
|
|
@ -72,7 +72,7 @@ func (p *K8sSA) GetIDForToken() string {
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetTokenID returns an unimplemented error and does not use the input ott.
|
// GetTokenID returns an unimplemented error and does not use the input ott.
|
||||||
func (p *K8sSA) GetTokenID(ott string) (string, error) {
|
func (p *K8sSA) GetTokenID(string) (string, error) {
|
||||||
return "", errors.New("not implemented")
|
return "", errors.New("not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -148,6 +148,7 @@ func (p *K8sSA) Init(config Config) (err error) {
|
||||||
// claims for case specific downstream parsing.
|
// claims for case specific downstream parsing.
|
||||||
// e.g. a Sign request will auth/validate different fields than a Revoke request.
|
// e.g. a Sign request will auth/validate different fields than a Revoke request.
|
||||||
func (p *K8sSA) authorizeToken(token string, audiences []string) (*k8sSAPayload, error) {
|
func (p *K8sSA) authorizeToken(token string, audiences []string) (*k8sSAPayload, error) {
|
||||||
|
_ = audiences // unused input
|
||||||
jwt, err := jose.ParseSigned(token)
|
jwt, err := jose.ParseSigned(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusUnauthorized, err,
|
return nil, errs.Wrap(http.StatusUnauthorized, err,
|
||||||
|
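Review bot: `_ = audiences // unused input` makes explicit that this function does not compare the token against the `audiences` the caller passes (`p.ctl.Audiences.Revoke` from AuthorizeRevoke and `p.ctl.Audiences.Sign` from AuthorizeSign, visible in the hunks below), so as far as this check goes a token accepted for one operation is accepted for the other. If that is intended because Kubernetes service-account tokens carry no step-specific audience, the doc comment above the function should say so, since as written it suggests the audience set selects what is validated. If the audience is checked further down in the body, which continues outside the hunk, a one-line pointer to that check next to the blank assignment would settle the question for the next reader.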
@ -207,13 +208,13 @@ func (p *K8sSA) authorizeToken(token string, audiences []string) (*k8sSAPayload,
|
||||||
|
|
||||||
// AuthorizeRevoke returns an error if the provisioner does not have rights to
|
// AuthorizeRevoke returns an error if the provisioner does not have rights to
|
||||||
// revoke the certificate with serial number in the `sub` property.
|
// revoke the certificate with serial number in the `sub` property.
|
||||||
func (p *K8sSA) AuthorizeRevoke(ctx context.Context, token string) error {
|
func (p *K8sSA) AuthorizeRevoke(_ context.Context, token string) error {
|
||||||
_, err := p.authorizeToken(token, p.ctl.Audiences.Revoke)
|
_, err := p.authorizeToken(token, p.ctl.Audiences.Revoke)
|
||||||
return errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeRevoke")
|
return errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeRevoke")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSign validates the given token.
|
// AuthorizeSign validates the given token.
|
||||||
func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *K8sSA) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
|
claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign")
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign")
|
||||||
|
@ -253,7 +254,7 @@ func (p *K8sSA) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) erro
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHSign validates an request for an SSH certificate.
|
// AuthorizeSSHSign validates an request for an SSH certificate.
|
||||||
func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *K8sSA) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
||||||
return nil, errs.Unauthorized("k8ssa.AuthorizeSSHSign; sshCA is disabled for k8sSA provisioner '%s'", p.GetName())
|
return nil, errs.Unauthorized("k8ssa.AuthorizeSSHSign; sshCA is disabled for k8sSA provisioner '%s'", p.GetName())
|
||||||
}
|
}
|
||||||
|
|
|
@ -116,7 +116,7 @@ func (p *Nebula) GetEncryptedKey() (kid, key string, ok bool) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSign returns the list of SignOption for a Sign request.
|
// AuthorizeSign returns the list of SignOption for a Sign request.
|
||||||
func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
crt, claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
|
crt, claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -171,7 +171,7 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
||||||
|
|
||||||
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
||||||
// Currently the Nebula provisioner only grants host SSH certificates.
|
// Currently the Nebula provisioner only grants host SSH certificates.
|
||||||
func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *Nebula) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
||||||
return nil, errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
|
return nil, errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
|
||||||
}
|
}
|
||||||
|
@ -275,12 +275,12 @@ func (p *Nebula) AuthorizeRenew(ctx context.Context, crt *x509.Certificate) erro
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeRevoke returns an error if the token is not valid.
|
// AuthorizeRevoke returns an error if the token is not valid.
|
||||||
func (p *Nebula) AuthorizeRevoke(ctx context.Context, token string) error {
|
func (p *Nebula) AuthorizeRevoke(_ context.Context, token string) error {
|
||||||
return p.validateToken(token, p.ctl.Audiences.Revoke)
|
return p.validateToken(token, p.ctl.Audiences.Revoke)
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHRevoke returns an error if SSH is disabled or the token is invalid.
|
// AuthorizeSSHRevoke returns an error if SSH is disabled or the token is invalid.
|
||||||
func (p *Nebula) AuthorizeSSHRevoke(ctx context.Context, token string) error {
|
func (p *Nebula) AuthorizeSSHRevoke(_ context.Context, token string) error {
|
||||||
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
||||||
return errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
|
return errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
|
||||||
}
|
}
|
||||||
|
@ -291,12 +291,12 @@ func (p *Nebula) AuthorizeSSHRevoke(ctx context.Context, token string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHRenew returns an unauthorized error.
|
// AuthorizeSSHRenew returns an unauthorized error.
|
||||||
func (p *Nebula) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
|
func (p *Nebula) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) {
|
||||||
return nil, errs.Unauthorized("nebula provisioner does not support SSH renew")
|
return nil, errs.Unauthorized("nebula provisioner does not support SSH renew")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHRekey returns an unauthorized error.
|
// AuthorizeSSHRekey returns an unauthorized error.
|
||||||
func (p *Nebula) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
|
func (p *Nebula) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error) {
|
||||||
return nil, nil, errs.Unauthorized("nebula provisioner does not support SSH rekey")
|
return nil, nil, errs.Unauthorized("nebula provisioner does not support SSH rekey")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@ func (p *noop) GetIDForToken() string {
|
||||||
return "noop"
|
return "noop"
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *noop) GetTokenID(token string) (string, error) {
|
func (p *noop) GetTokenID(string) (string, error) {
|
||||||
return "", nil
|
return "", nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,35 +33,35 @@ func (p *noop) GetEncryptedKey() (kid, key string, ok bool) {
|
||||||
return "", "", false
|
return "", "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *noop) Init(config Config) error {
|
func (p *noop) Init(Config) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *noop) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *noop) AuthorizeSign(context.Context, string) ([]SignOption, error) {
|
||||||
return []SignOption{p}, nil
|
return []SignOption{p}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *noop) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
|
func (p *noop) AuthorizeRenew(context.Context, *x509.Certificate) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *noop) AuthorizeRevoke(ctx context.Context, token string) error {
|
func (p *noop) AuthorizeRevoke(context.Context, string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *noop) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *noop) AuthorizeSSHSign(context.Context, string) ([]SignOption, error) {
|
||||||
return []SignOption{p}, nil
|
return []SignOption{p}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *noop) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
|
func (p *noop) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) {
|
||||||
//nolint:nilnil // fine for noop
|
//nolint:nilnil // fine for noop
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *noop) AuthorizeSSHRevoke(ctx context.Context, token string) error {
|
func (p *noop) AuthorizeSSHRevoke(context.Context, string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *noop) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
|
func (p *noop) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error) {
|
||||||
return nil, []SignOption{}, nil
|
return nil, []SignOption{}, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -292,7 +292,7 @@ func (o *OIDC) authorizeToken(token string) (*openIDPayload, error) {
|
||||||
// AuthorizeRevoke returns an error if the provisioner does not have rights to
|
// AuthorizeRevoke returns an error if the provisioner does not have rights to
|
||||||
// revoke the certificate with serial number in the `sub` property.
|
// revoke the certificate with serial number in the `sub` property.
|
||||||
// Only tokens generated by an admin have the right to revoke a certificate.
|
// Only tokens generated by an admin have the right to revoke a certificate.
|
||||||
func (o *OIDC) AuthorizeRevoke(ctx context.Context, token string) error {
|
func (o *OIDC) AuthorizeRevoke(_ context.Context, token string) error {
|
||||||
claims, err := o.authorizeToken(token)
|
claims, err := o.authorizeToken(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeRevoke")
|
return errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeRevoke")
|
||||||
|
@ -307,7 +307,7 @@ func (o *OIDC) AuthorizeRevoke(ctx context.Context, token string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSign validates the given token.
|
// AuthorizeSign validates the given token.
|
||||||
func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (o *OIDC) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
claims, err := o.authorizeToken(token)
|
claims, err := o.authorizeToken(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSign")
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSign")
|
||||||
|
@ -463,7 +463,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.
|
// AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.
|
||||||
func (o *OIDC) AuthorizeSSHRevoke(ctx context.Context, token string) error {
|
func (o *OIDC) AuthorizeSSHRevoke(_ context.Context, token string) error {
|
||||||
claims, err := o.authorizeToken(token)
|
claims, err := o.authorizeToken(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHRevoke")
|
return errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHRevoke")
|
||||||
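Review bot: The doc comment on AuthorizeSSHRevoke in the last hunk says it returns `false otherwise`, but the method returns an error, not a bool; suggest `// AuthorizeSSHRevoke returns nil if the token is valid, an error otherwise.` The three hunks also switch to `_ context.Context`, which is accurate for what these bodies do, but it makes explicit that nothing below authorizeToken can observe the caller's deadline — if authorizeToken ever fetches provider keys over the network (not visible here), threading ctx through is worth a follow-up. Each method's body continues past its hunk.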
|
|
|
@ -298,43 +298,43 @@ type base struct{}
|
||||||
|
|
||||||
// AuthorizeSign returns an unimplemented error. Provisioners should overwrite
|
// AuthorizeSign returns an unimplemented error. Provisioners should overwrite
|
||||||
// this method if they will support authorizing tokens for signing x509 Certificates.
|
// this method if they will support authorizing tokens for signing x509 Certificates.
|
||||||
func (b *base) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (b *base) AuthorizeSign(context.Context, string) ([]SignOption, error) {
|
||||||
return nil, errs.Unauthorized("provisioner.AuthorizeSign not implemented")
|
return nil, errs.Unauthorized("provisioner.AuthorizeSign not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
|
// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
|
||||||
// this method if they will support authorizing tokens for revoking x509 Certificates.
|
// this method if they will support authorizing tokens for revoking x509 Certificates.
|
||||||
func (b *base) AuthorizeRevoke(ctx context.Context, token string) error {
|
func (b *base) AuthorizeRevoke(context.Context, string) error {
|
||||||
return errs.Unauthorized("provisioner.AuthorizeRevoke not implemented")
|
return errs.Unauthorized("provisioner.AuthorizeRevoke not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeRenew returns an unimplemented error. Provisioners should overwrite
|
// AuthorizeRenew returns an unimplemented error. Provisioners should overwrite
|
||||||
// this method if they will support authorizing tokens for renewing x509 Certificates.
|
// this method if they will support authorizing tokens for renewing x509 Certificates.
|
||||||
func (b *base) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
|
func (b *base) AuthorizeRenew(context.Context, *x509.Certificate) error {
|
||||||
return errs.Unauthorized("provisioner.AuthorizeRenew not implemented")
|
return errs.Unauthorized("provisioner.AuthorizeRenew not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite
|
// AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite
|
||||||
// this method if they will support authorizing tokens for signing SSH Certificates.
|
// this method if they will support authorizing tokens for signing SSH Certificates.
|
||||||
func (b *base) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (b *base) AuthorizeSSHSign(context.Context, string) ([]SignOption, error) {
|
||||||
return nil, errs.Unauthorized("provisioner.AuthorizeSSHSign not implemented")
|
return nil, errs.Unauthorized("provisioner.AuthorizeSSHSign not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
|
// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
|
||||||
// this method if they will support authorizing tokens for revoking SSH Certificates.
|
// this method if they will support authorizing tokens for revoking SSH Certificates.
|
||||||
func (b *base) AuthorizeSSHRevoke(ctx context.Context, token string) error {
|
func (b *base) AuthorizeSSHRevoke(context.Context, string) error {
|
||||||
return errs.Unauthorized("provisioner.AuthorizeSSHRevoke not implemented")
|
return errs.Unauthorized("provisioner.AuthorizeSSHRevoke not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite
|
// AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite
|
||||||
// this method if they will support authorizing tokens for renewing SSH Certificates.
|
// this method if they will support authorizing tokens for renewing SSH Certificates.
|
||||||
func (b *base) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
|
func (b *base) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) {
|
||||||
return nil, errs.Unauthorized("provisioner.AuthorizeSSHRenew not implemented")
|
return nil, errs.Unauthorized("provisioner.AuthorizeSSHRenew not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite
|
// AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite
|
||||||
// this method if they will support authorizing tokens for rekeying SSH Certificates.
|
// this method if they will support authorizing tokens for rekeying SSH Certificates.
|
||||||
func (b *base) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
|
func (b *base) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error) {
|
||||||
return nil, nil, errs.Unauthorized("provisioner.AuthorizeSSHRekey not implemented")
|
return nil, nil, errs.Unauthorized("provisioner.AuthorizeSSHRekey not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
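Review bot: The doc comment above AuthorizeSSHRevoke is mislabelled as `// AuthorizeRevoke returns an unimplemented error.`, so godoc attaches the wrong name to the SSH method; change it to `// AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite`. The fail-closed defaults (every base method returns errs.Unauthorized) are the right posture for a provisioner base type, and the unnamed-parameter cleanup leaves that intact.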
|
|
|
@ -73,7 +73,7 @@ func (s *SCEP) GetEncryptedKey() (string, string, bool) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetTokenID returns the identifier of the token.
|
// GetTokenID returns the identifier of the token.
|
||||||
func (s *SCEP) GetTokenID(ott string) (string, error) {
|
func (s *SCEP) GetTokenID(string) (string, error) {
|
||||||
return "", errors.New("scep provisioner does not implement GetTokenID")
|
return "", errors.New("scep provisioner does not implement GetTokenID")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -186,7 +186,7 @@ func (s *SCEP) Init(config Config) (err error) {
|
||||||
// AuthorizeSign does not do any verification, because all verification is handled
|
// AuthorizeSign does not do any verification, because all verification is handled
|
||||||
// in the SCEP protocol. This method returns a list of modifiers / constraints
|
// in the SCEP protocol. This method returns a list of modifiers / constraints
|
||||||
// on the resulting certificate.
|
// on the resulting certificate.
|
||||||
func (s *SCEP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error) {
|
||||||
return []SignOption{
|
return []SignOption{
|
||||||
s,
|
s,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
|
|
|
@ -311,7 +311,7 @@ type sshCertDefaultValidator struct{}
|
||||||
// Valid returns an error if the given certificate does not contain the
|
// Valid returns an error if the given certificate does not contain the
|
||||||
// necessary fields. We skip ValidPrincipals and Extensions as with custom
|
// necessary fields. We skip ValidPrincipals and Extensions as with custom
|
||||||
// templates you can set them empty.
|
// templates you can set them empty.
|
||||||
func (v *sshCertDefaultValidator) Valid(cert *ssh.Certificate, o SignSSHOptions) error {
|
func (v *sshCertDefaultValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) error {
|
||||||
switch {
|
switch {
|
||||||
case len(cert.Nonce) == 0:
|
case len(cert.Nonce) == 0:
|
||||||
return errs.Forbidden("ssh certificate nonce cannot be empty")
|
return errs.Forbidden("ssh certificate nonce cannot be empty")
|
||||||
|
@ -346,7 +346,7 @@ type sshDefaultPublicKeyValidator struct{}
|
||||||
// TODO: this is the only validator that checks the key type. We should execute
|
// TODO: this is the only validator that checks the key type. We should execute
|
||||||
// this before the signing. We should add a new validations interface or extend
|
// this before the signing. We should add a new validations interface or extend
|
||||||
// SSHCertOptionsValidator with the key.
|
// SSHCertOptionsValidator with the key.
|
||||||
func (v sshDefaultPublicKeyValidator) Valid(cert *ssh.Certificate, o SignSSHOptions) error {
|
func (v sshDefaultPublicKeyValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) error {
|
||||||
if cert.Key == nil {
|
if cert.Key == nil {
|
||||||
return errs.BadRequest("ssh certificate key cannot be nil")
|
return errs.BadRequest("ssh certificate key cannot be nil")
|
||||||
}
|
}
|
||||||
|
|
|
@ -187,7 +187,7 @@ func (p *SSHPOP) authorizeToken(token string, audiences []string, checkValidity
|
||||||
|
|
||||||
// AuthorizeSSHRevoke validates the authorization token and extracts/validates
|
// AuthorizeSSHRevoke validates the authorization token and extracts/validates
|
||||||
// the SSH certificate from the ssh-pop header.
|
// the SSH certificate from the ssh-pop header.
|
||||||
func (p *SSHPOP) AuthorizeSSHRevoke(ctx context.Context, token string) error {
|
func (p *SSHPOP) AuthorizeSSHRevoke(_ context.Context, token string) error {
|
||||||
claims, err := p.authorizeToken(token, p.ctl.Audiences.SSHRevoke, true)
|
claims, err := p.authorizeToken(token, p.ctl.Audiences.SSHRevoke, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errs.Wrap(http.StatusInternalServerError, err, "sshpop.AuthorizeSSHRevoke")
|
return errs.Wrap(http.StatusInternalServerError, err, "sshpop.AuthorizeSSHRevoke")
|
||||||
|
@ -213,7 +213,7 @@ func (p *SSHPOP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Cert
|
||||||
|
|
||||||
// AuthorizeSSHRekey validates the authorization token and extracts/validates
|
// AuthorizeSSHRekey validates the authorization token and extracts/validates
|
||||||
// the SSH certificate from the ssh-pop header.
|
// the SSH certificate from the ssh-pop header.
|
||||||
func (p *SSHPOP) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
|
func (p *SSHPOP) AuthorizeSSHRekey(_ context.Context, token string) (*ssh.Certificate, []SignOption, error) {
|
||||||
claims, err := p.authorizeToken(token, p.ctl.Audiences.SSHRekey, true)
|
claims, err := p.authorizeToken(token, p.ctl.Audiences.SSHRekey, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, errs.Wrap(http.StatusInternalServerError, err, "sshpop.AuthorizeSSHRekey")
|
return nil, nil, errs.Wrap(http.StatusInternalServerError, err, "sshpop.AuthorizeSSHRekey")
|
||||||
|
|
|
@ -187,13 +187,13 @@ func (p *X5C) authorizeToken(token string, audiences []string) (*x5cPayload, err
|
||||||
|
|
||||||
// AuthorizeRevoke returns an error if the provisioner does not have rights to
|
// AuthorizeRevoke returns an error if the provisioner does not have rights to
|
||||||
// revoke the certificate with serial number in the `sub` property.
|
// revoke the certificate with serial number in the `sub` property.
|
||||||
func (p *X5C) AuthorizeRevoke(ctx context.Context, token string) error {
|
func (p *X5C) AuthorizeRevoke(_ context.Context, token string) error {
|
||||||
_, err := p.authorizeToken(token, p.ctl.Audiences.Revoke)
|
_, err := p.authorizeToken(token, p.ctl.Audiences.Revoke)
|
||||||
return errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeRevoke")
|
return errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeRevoke")
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSign validates the given token.
|
// AuthorizeSign validates the given token.
|
||||||
func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
|
claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSign")
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSign")
|
||||||
|
@ -256,7 +256,7 @@ func (p *X5C) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
||||||
func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
|
||||||
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
||||||
return nil, errs.Unauthorized("x5c.AuthorizeSSHSign; sshCA is disabled for x5c provisioner '%s'", p.GetName())
|
return nil, errs.Unauthorized("x5c.AuthorizeSSHSign; sshCA is disabled for x5c provisioner '%s'", p.GetName())
|
||||||
}
|
}
|
||||||
|
|
|
@ -52,7 +52,7 @@ func (a *Authority) GetSSHFederation(context.Context) (*config.SSHKeys, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetSSHConfig returns rendered templates for clients (user) or servers (host).
|
// GetSSHConfig returns rendered templates for clients (user) or servers (host).
|
||||||
func (a *Authority) GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error) {
|
func (a *Authority) GetSSHConfig(_ context.Context, typ string, data map[string]string) ([]templates.Output, error) {
|
||||||
if a.sshCAUserCertSignKey == nil && a.sshCAHostCertSignKey == nil {
|
if a.sshCAUserCertSignKey == nil && a.sshCAHostCertSignKey == nil {
|
||||||
return nil, errs.NotFound("getSSHConfig: ssh is not configured")
|
return nil, errs.NotFound("getSSHConfig: ssh is not configured")
|
||||||
}
|
}
|
||||||
|
@ -146,7 +146,7 @@ func (a *Authority) GetSSHBastion(ctx context.Context, user, hostname string) (*
|
||||||
}
|
}
|
||||||
|
|
||||||
// SignSSH creates a signed SSH certificate with the given public key and options.
|
// SignSSH creates a signed SSH certificate with the given public key and options.
|
||||||
func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) {
|
func (a *Authority) SignSSH(_ context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) {
|
||||||
var (
|
var (
|
||||||
certOptions []sshutil.Option
|
certOptions []sshutil.Option
|
||||||
mods []provisioner.SSHCertModifier
|
mods []provisioner.SSHCertModifier
|
||||||
|
@ -663,11 +663,7 @@ func callEnrichingWebhooksSSH(webhookCtl webhookController, cr sshutil.Certifica
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := webhookCtl.Enrich(whEnrichReq); err != nil {
|
return webhookCtl.Enrich(whEnrichReq)
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func callAuthorizingWebhooksSSH(webhookCtl webhookController, cert *sshutil.Certificate, certTpl *ssh.Certificate) error {
|
func callAuthorizingWebhooksSSH(webhookCtl webhookController, cert *sshutil.Certificate, certTpl *ssh.Certificate) error {
|
||||||
|
@ -680,9 +676,5 @@ func callAuthorizingWebhooksSSH(webhookCtl webhookController, cert *sshutil.Cert
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := webhookCtl.Authorize(whAuthBody); err != nil {
|
return webhookCtl.Authorize(whAuthBody)
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
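Review bot: SignSSH now explicitly discards its context (`_ context.Context`), yet the same section calls webhookCtl.Enrich and webhookCtl.Authorize with only a request body, so the enriching and authorizing webhook round trips cannot be cancelled or bounded by the caller's deadline. If the webhook controller does not enforce its own timeout (not visible here), a slow webhook endpoint stalls SSH signing indefinitely; consider passing ctx from SignSSH into callEnrichingWebhooksSSH/callAuthorizingWebhooksSSH and on to the controller. The `return webhookCtl.Enrich(...)` / `return webhookCtl.Authorize(...)` collapse is behaviour-preserving. SignSSH's body continues outside the hunk.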
|
|
|
@ -55,7 +55,7 @@ func (m sshTestModifier) Modify(cert *ssh.Certificate, _ provisioner.SignSSHOpti
|
||||||
|
|
||||||
type sshTestCertModifier string
|
type sshTestCertModifier string
|
||||||
|
|
||||||
func (m sshTestCertModifier) Modify(cert *ssh.Certificate, opts provisioner.SignSSHOptions) error {
|
func (m sshTestCertModifier) Modify(*ssh.Certificate, provisioner.SignSSHOptions) error {
|
||||||
if m == "" {
|
if m == "" {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -64,7 +64,7 @@ func (m sshTestCertModifier) Modify(cert *ssh.Certificate, opts provisioner.Sign
|
||||||
|
|
||||||
type sshTestCertValidator string
|
type sshTestCertValidator string
|
||||||
|
|
||||||
func (v sshTestCertValidator) Valid(crt *ssh.Certificate, opts provisioner.SignSSHOptions) error {
|
func (v sshTestCertValidator) Valid(*ssh.Certificate, provisioner.SignSSHOptions) error {
|
||||||
if v == "" {
|
if v == "" {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -73,7 +73,7 @@ func (v sshTestCertValidator) Valid(crt *ssh.Certificate, opts provisioner.SignS
|
||||||
|
|
||||||
type sshTestOptionsValidator string
|
type sshTestOptionsValidator string
|
||||||
|
|
||||||
func (v sshTestOptionsValidator) Valid(opts provisioner.SignSSHOptions) error {
|
func (v sshTestOptionsValidator) Valid(provisioner.SignSSHOptions) error {
|
||||||
if v == "" {
|
if v == "" {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -82,7 +82,7 @@ func (v sshTestOptionsValidator) Valid(opts provisioner.SignSSHOptions) error {
|
||||||
|
|
||||||
type sshTestOptionsModifier string
|
type sshTestOptionsModifier string
|
||||||
|
|
||||||
func (m sshTestOptionsModifier) Modify(cert *ssh.Certificate, opts provisioner.SignSSHOptions) error {
|
func (m sshTestOptionsModifier) Modify(*ssh.Certificate, provisioner.SignSSHOptions) error {
|
||||||
if m == "" {
|
if m == "" {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -303,7 +303,7 @@ func (a *Authority) isAllowedToSignX509Certificate(cert *x509.Certificate) error
|
||||||
|
|
||||||
// AreSANsAllowed evaluates the provided sans against the
|
// AreSANsAllowed evaluates the provided sans against the
|
||||||
// authority X.509 policy.
|
// authority X.509 policy.
|
||||||
func (a *Authority) AreSANsAllowed(ctx context.Context, sans []string) error {
|
func (a *Authority) AreSANsAllowed(_ context.Context, sans []string) error {
|
||||||
return a.policyEngine.AreSANsAllowed(sans)
|
return a.policyEngine.AreSANsAllowed(sans)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -969,11 +969,7 @@ func callEnrichingWebhooksX509(webhookCtl webhookController, attData *provisione
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := webhookCtl.Enrich(whEnrichReq); err != nil {
|
return webhookCtl.Enrich(whEnrichReq)
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func callAuthorizingWebhooksX509(webhookCtl webhookController, cert *x509util.Certificate, leaf *x509.Certificate, attData *provisioner.AttestationData) error {
|
func callAuthorizingWebhooksX509(webhookCtl webhookController, cert *x509util.Certificate, leaf *x509.Certificate, attData *provisioner.AttestationData) error {
|
||||||
|
@ -993,9 +989,5 @@ func callAuthorizingWebhooksX509(webhookCtl webhookController, cert *x509util.Ce
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := webhookCtl.Authorize(whAuthBody); err != nil {
|
return webhookCtl.Authorize(whAuthBody)
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
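Review bot: callEnrichingWebhooksX509 and callAuthorizingWebhooksX509 still issue the webhook calls without a context, and AreSANsAllowed in the first hunk now explicitly drops the one it receives, so X.509 issuance has no caller-controlled deadline across the webhook round trips. Unless the webhook controller applies its own timeout (not visible here), a hung authorizing webhook blocks issuance; passing ctx down to Enrich/Authorize would be the fix. The `return webhookCtl.Authorize(whAuthBody)` simplification itself is fine and still treats any non-nil error as a denial. Both helpers start outside their hunks.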
|
|
|
@ -1146,7 +1146,7 @@ func TestAuthority_Renew(t *testing.T) {
|
||||||
assert.False(t, reflect.DeepEqual(ext1, ext2))
|
assert.False(t, reflect.DeepEqual(ext1, ext2))
|
||||||
}
|
}
|
||||||
continue
|
continue
|
||||||
} else {
|
}
|
||||||
found := false
|
found := false
|
||||||
for _, ext2 := range leaf.Extensions {
|
for _, ext2 := range leaf.Extensions {
|
||||||
if reflect.DeepEqual(ext1, ext2) {
|
if reflect.DeepEqual(ext1, ext2) {
|
||||||
|
@ -1159,7 +1159,6 @@ func TestAuthority_Renew(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
realIntermediate, err := x509.ParseCertificate(authIssuer.Raw)
|
realIntermediate, err := x509.ParseCertificate(authIssuer.Raw)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
@ -1363,7 +1362,7 @@ func TestAuthority_Rekey(t *testing.T) {
|
||||||
assert.False(t, reflect.DeepEqual(ext1, ext2))
|
assert.False(t, reflect.DeepEqual(ext1, ext2))
|
||||||
}
|
}
|
||||||
continue
|
continue
|
||||||
} else {
|
}
|
||||||
found := false
|
found := false
|
||||||
for _, ext2 := range leaf.Extensions {
|
for _, ext2 := range leaf.Extensions {
|
||||||
if reflect.DeepEqual(ext1, ext2) {
|
if reflect.DeepEqual(ext1, ext2) {
|
||||||
|
@ -1376,7 +1375,6 @@ func TestAuthority_Rekey(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
realIntermediate, err := x509.ParseCertificate(authIssuer.Raw)
|
realIntermediate, err := x509.ParseCertificate(authIssuer.Raw)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
@ -1936,14 +1934,14 @@ func TestAuthority_CRL(t *testing.T) {
|
||||||
tc := f()
|
tc := f()
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
if crlBytes, err := tc.auth.GetCertificateRevocationList(); err == nil {
|
if crlBytes, err := tc.auth.GetCertificateRevocationList(); err == nil {
|
||||||
crl, parseErr := x509.ParseCRL(crlBytes)
|
crl, parseErr := x509.ParseRevocationList(crlBytes)
|
||||||
if parseErr != nil {
|
if parseErr != nil {
|
||||||
t.Errorf("x509.ParseCertificateRequest() error = %v, wantErr %v", parseErr, nil)
|
t.Errorf("x509.ParseCertificateRequest() error = %v, wantErr %v", parseErr, nil)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
var cmpList []string
|
var cmpList []string
|
||||||
for _, c := range crl.TBSCertList.RevokedCertificates {
|
for _, c := range crl.RevokedCertificates {
|
||||||
cmpList = append(cmpList, c.SerialNumber.String())
|
cmpList = append(cmpList, c.SerialNumber.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
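Review bot: The CRL hunk switches to x509.ParseRevocationList but still only compares revoked serial numbers, so a CRL with a wrong or missing signature would pass this test; since the new type exposes it, verify the signature against the issuing certificate with `crl.CheckSignatureFrom(issuer)` (the issuer variable is not visible in this hunk). The failure message is also mislabelled: change it to `t.Errorf("x509.ParseRevocationList() error = %v, wantErr %v", parseErr, nil)`. The enclosing t.Run body continues outside the hunk.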
|
|
|
@ -14,7 +14,7 @@ type mockWebhookController struct {
|
||||||
|
|
||||||
var _ webhookController = &mockWebhookController{}
|
var _ webhookController = &mockWebhookController{}
|
||||||
|
|
||||||
func (wc *mockWebhookController) Enrich(req *webhook.RequestBody) error {
|
func (wc *mockWebhookController) Enrich(*webhook.RequestBody) error {
|
||||||
for key, data := range wc.respData {
|
for key, data := range wc.respData {
|
||||||
wc.templateData.SetWebhook(key, data)
|
wc.templateData.SetWebhook(key, data)
|
||||||
}
|
}
|
||||||
|
@ -22,6 +22,6 @@ func (wc *mockWebhookController) Enrich(req *webhook.RequestBody) error {
|
||||||
return wc.enrichErr
|
return wc.enrichErr
|
||||||
}
|
}
|
||||||
|
|
||||||
func (wc *mockWebhookController) Authorize(req *webhook.RequestBody) error {
|
func (wc *mockWebhookController) Authorize(*webhook.RequestBody) error {
|
||||||
return wc.authorizeErr
|
return wc.authorizeErr
|
||||||
}
|
}
|
||||||
|
|
|
@ -269,7 +269,7 @@ retry:
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetAdmins returns all admins from the GET /admin/admins request to the CA.
|
// GetAdmins returns all admins from the GET /admin/admins request to the CA.
|
||||||
func (c *AdminClient) GetAdmins(opts ...AdminOption) ([]*linkedca.Admin, error) {
|
func (c *AdminClient) GetAdmins(...AdminOption) ([]*linkedca.Admin, error) {
|
||||||
var (
|
var (
|
||||||
cursor = ""
|
cursor = ""
|
||||||
admins = []*linkedca.Admin{}
|
admins = []*linkedca.Admin{}
|
||||||
|
@ -474,7 +474,7 @@ retry:
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetProvisioners returns all admins from the GET /admin/admins request to the CA.
|
// GetProvisioners returns all admins from the GET /admin/admins request to the CA.
|
||||||
func (c *AdminClient) GetProvisioners(opts ...AdminOption) (provisioner.List, error) {
|
func (c *AdminClient) GetProvisioners(...AdminOption) (provisioner.List, error) {
|
||||||
var (
|
var (
|
||||||
cursor = ""
|
cursor = ""
|
||||||
provs = provisioner.List{}
|
provs = provisioner.List{}
|
||||||
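Review bot: GetAdmins and GetProvisioners now spell out `...AdminOption` with no name, which makes explicit that options callers pass are accepted and silently discarded — a caller supplying a cursor or limit option still gets the full list with no error. Either apply the options or document the contract, e.g. `// Options are currently ignored; every page is fetched.` The GetProvisioners doc comment is also a copy of GetAdmins' and should describe the provisioners endpoint (its path is not visible here), e.g. `// GetProvisioners returns all provisioners from the CA.` Both function bodies continue outside their hunks.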
|
|
|
@ -35,7 +35,7 @@ func newLocalListener() net.Listener {
|
||||||
return l
|
return l
|
||||||
}
|
}
|
||||||
|
|
||||||
func setMinCertDuration(d time.Duration) func() {
|
func setMinCertDuration(time.Duration) func() {
|
||||||
tmp := minCertDuration
|
tmp := minCertDuration
|
||||||
minCertDuration = 1 * time.Second
|
minCertDuration = 1 * time.Second
|
||||||
return func() {
|
return func() {
|
||||||
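Review bot: setMinCertDuration ignores its time.Duration argument entirely — the body hardcodes `minCertDuration = 1 * time.Second` — and the signature rewrite only makes that explicit, so every test calling it with a specific duration gets one second regardless. Either honour the argument (`func setMinCertDuration(d time.Duration) func() {` with `minCertDuration = d`) or rename the helper to signal the fixed value. The returned restore closure continues outside the hunk.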
|
|
|
@ -126,7 +126,7 @@ func parseCertificate(data string) *x509.Certificate {
|
||||||
return cert
|
return cert
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseCertificateRequest(data string) *x509.CertificateRequest {
|
func parseCertificateRequest(string) *x509.CertificateRequest {
|
||||||
block, _ := pem.Decode([]byte(csrPEM))
|
block, _ := pem.Decode([]byte(csrPEM))
|
||||||
if block == nil {
|
if block == nil {
|
||||||
panic("failed to parse certificate request PEM")
|
panic("failed to parse certificate request PEM")
|
||||||
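Review bot: parseCertificateRequest now declares an unnamed string parameter and decodes the package-level `csrPEM` instead, so any caller passing a different PEM silently gets the fixed fixture back. If that is intended, a comment such as `// The argument is ignored; the fixed csrPEM fixture is always parsed.` would stop the next reader from trusting the argument; otherwise restore `data` and decode it with `block, _ := pem.Decode([]byte(data))`. The function body continues past the hunk.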
|
|
|
@ -367,7 +367,7 @@ func (r *renewer) GetRootCAs() *x509.CertPool {
|
||||||
return r.pool
|
return r.pool
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *renewer) Renew(tr http.RoundTripper) (*api.SignResponse, error) {
|
func (r *renewer) Renew(http.RoundTripper) (*api.SignResponse, error) {
|
||||||
return r.sign, r.err
|
return r.sign, r.err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -109,7 +109,7 @@ func (r *TLSRenewer) Stop() bool {
|
||||||
// GetCertificate returns the current server certificate.
|
// GetCertificate returns the current server certificate.
|
||||||
//
|
//
|
||||||
// This method is set in the tls.Config GetCertificate property.
|
// This method is set in the tls.Config GetCertificate property.
|
||||||
func (r *TLSRenewer) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
func (r *TLSRenewer) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
return r.getCertificate(), nil
|
return r.getCertificate(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -118,7 +118,7 @@ func (r *TLSRenewer) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Cert
|
||||||
// request. It's intended to be use by the certificate authority server.
|
// request. It's intended to be use by the certificate authority server.
|
||||||
//
|
//
|
||||||
// This method is set in the tls.Config GetCertificate property.
|
// This method is set in the tls.Config GetCertificate property.
|
||||||
func (r *TLSRenewer) GetCertificateForCA(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
func (r *TLSRenewer) GetCertificateForCA(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
return r.getCertificateForCA(), nil
|
return r.getCertificateForCA(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -12,18 +12,19 @@ type testCAS struct {
|
||||||
name string
|
name string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *testCAS) CreateCertificate(req *CreateCertificateRequest) (*CreateCertificateResponse, error) {
|
func (t *testCAS) CreateCertificate(*CreateCertificateRequest) (*CreateCertificateResponse, error) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *testCAS) RenewCertificate(req *RenewCertificateRequest) (*RenewCertificateResponse, error) {
|
func (t *testCAS) RenewCertificate(*RenewCertificateRequest) (*RenewCertificateResponse, error) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *testCAS) RevokeCertificate(req *RevokeCertificateRequest) (*RevokeCertificateResponse, error) {
|
func (t *testCAS) RevokeCertificate(*RevokeCertificateRequest) (*RevokeCertificateResponse, error) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//nolint:gocritic // ignore sloppy test func name
|
||||||
func mockRegister(t *testing.T) {
|
func mockRegister(t *testing.T) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
Register(SoftCAS, func(ctx context.Context, opts Options) (CertificateAuthorityService, error) {
|
Register(SoftCAS, func(ctx context.Context, opts Options) (CertificateAuthorityService, error) {
|
||||||
|
|
|
@ -18,15 +18,15 @@ import (
|
||||||
|
|
||||||
type mockCAS struct{}
|
type mockCAS struct{}
|
||||||
|
|
||||||
func (m *mockCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) {
|
func (m *mockCAS) CreateCertificate(*apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) {
|
||||||
panic("not implemented")
|
panic("not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *mockCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) {
|
func (m *mockCAS) RenewCertificate(*apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) {
|
||||||
panic("not implemented")
|
panic("not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *mockCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) {
|
func (m *mockCAS) RevokeCertificate(*apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) {
|
||||||
panic("not implemented")
|
panic("not implemented")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -194,43 +194,43 @@ func (b *badSigner) Public() crypto.PublicKey {
|
||||||
return b.pub
|
return b.pub
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *badSigner) Sign(rnd io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
|
func (b *badSigner) Sign(io.Reader, []byte, crypto.SignerOpts) ([]byte, error) {
|
||||||
return nil, fmt.Errorf("💥")
|
return nil, fmt.Errorf("💥")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *testClient) CreateCertificate(ctx context.Context, req *pb.CreateCertificateRequest, opts ...gax.CallOption) (*pb.Certificate, error) {
|
func (c *testClient) CreateCertificate(context.Context, *pb.CreateCertificateRequest, ...gax.CallOption) (*pb.Certificate, error) {
|
||||||
return c.certificate, c.err
|
return c.certificate, c.err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *testClient) RevokeCertificate(ctx context.Context, req *pb.RevokeCertificateRequest, opts ...gax.CallOption) (*pb.Certificate, error) {
|
func (c *testClient) RevokeCertificate(context.Context, *pb.RevokeCertificateRequest, ...gax.CallOption) (*pb.Certificate, error) {
|
||||||
return c.certificate, c.err
|
return c.certificate, c.err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *testClient) GetCertificateAuthority(ctx context.Context, req *pb.GetCertificateAuthorityRequest, opts ...gax.CallOption) (*pb.CertificateAuthority, error) {
|
func (c *testClient) GetCertificateAuthority(context.Context, *pb.GetCertificateAuthorityRequest, ...gax.CallOption) (*pb.CertificateAuthority, error) {
|
||||||
return c.certificateAuthority, c.err
|
return c.certificateAuthority, c.err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *testClient) CreateCertificateAuthority(ctx context.Context, req *pb.CreateCertificateAuthorityRequest, opts ...gax.CallOption) (*privateca.CreateCertificateAuthorityOperation, error) {
|
func (c *testClient) CreateCertificateAuthority(context.Context, *pb.CreateCertificateAuthorityRequest, ...gax.CallOption) (*privateca.CreateCertificateAuthorityOperation, error) {
|
||||||
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *testClient) FetchCertificateAuthorityCsr(ctx context.Context, req *pb.FetchCertificateAuthorityCsrRequest, opts ...gax.CallOption) (*pb.FetchCertificateAuthorityCsrResponse, error) {
|
func (c *testClient) FetchCertificateAuthorityCsr(context.Context, *pb.FetchCertificateAuthorityCsrRequest, ...gax.CallOption) (*pb.FetchCertificateAuthorityCsrResponse, error) {
|
||||||
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *testClient) ActivateCertificateAuthority(ctx context.Context, req *pb.ActivateCertificateAuthorityRequest, opts ...gax.CallOption) (*privateca.ActivateCertificateAuthorityOperation, error) {
|
func (c *testClient) ActivateCertificateAuthority(context.Context, *pb.ActivateCertificateAuthorityRequest, ...gax.CallOption) (*privateca.ActivateCertificateAuthorityOperation, error) {
|
||||||
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *testClient) EnableCertificateAuthority(ctx context.Context, req *pb.EnableCertificateAuthorityRequest, opts ...gax.CallOption) (*privateca.EnableCertificateAuthorityOperation, error) {
|
func (c *testClient) EnableCertificateAuthority(context.Context, *pb.EnableCertificateAuthorityRequest, ...gax.CallOption) (*privateca.EnableCertificateAuthorityOperation, error) {
|
||||||
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *testClient) GetCaPool(ctx context.Context, req *pb.GetCaPoolRequest, opts ...gax.CallOption) (*pb.CaPool, error) {
|
func (c *testClient) GetCaPool(context.Context, *pb.GetCaPoolRequest, ...gax.CallOption) (*pb.CaPool, error) {
|
||||||
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *testClient) CreateCaPool(ctx context.Context, req *pb.CreateCaPoolRequest, opts ...gax.CallOption) (*privateca.CreateCaPoolOperation, error) {
|
func (c *testClient) CreateCaPool(context.Context, *pb.CreateCaPoolRequest, ...gax.CallOption) (*privateca.CreateCaPoolOperation, error) {
|
||||||
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
return nil, errors.New("use NewMockCertificateAuthorityClient")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -36,7 +36,7 @@ type SoftCAS struct {
|
||||||
|
|
||||||
// New creates a new CertificateAuthorityService implementation using Golang or KMS
|
// New creates a new CertificateAuthorityService implementation using Golang or KMS
|
||||||
// crypto.
|
// crypto.
|
||||||
func New(ctx context.Context, opts apiv1.Options) (*SoftCAS, error) {
|
func New(_ context.Context, opts apiv1.Options) (*SoftCAS, error) {
|
||||||
if !opts.IsCreator {
|
if !opts.IsCreator {
|
||||||
switch {
|
switch {
|
||||||
case len(opts.CertificateChain) == 0 && opts.CertificateSigner == nil:
|
case len(opts.CertificateChain) == 0 && opts.CertificateSigner == nil:
|
||||||
|
|
|
@ -101,7 +101,7 @@ type mockKeyManager struct {
|
||||||
errClose error
|
errClose error
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *mockKeyManager) GetPublicKey(req *kmsapi.GetPublicKeyRequest) (crypto.PublicKey, error) {
|
func (m *mockKeyManager) GetPublicKey(*kmsapi.GetPublicKeyRequest) (crypto.PublicKey, error) {
|
||||||
signer := testSigner
|
signer := testSigner
|
||||||
if m.signer != nil {
|
if m.signer != nil {
|
||||||
signer = m.signer
|
signer = m.signer
|
||||||
|
@ -121,7 +121,7 @@ func (m *mockKeyManager) CreateKey(req *kmsapi.CreateKeyRequest) (*kmsapi.Create
|
||||||
}, m.errCreateKey
|
}, m.errCreateKey
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *mockKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (crypto.Signer, error) {
|
func (m *mockKeyManager) CreateSigner(*kmsapi.CreateSignerRequest) (crypto.Signer, error) {
|
||||||
signer := testSigner
|
signer := testSigner
|
||||||
if m.signer != nil {
|
if m.signer != nil {
|
||||||
signer = m.signer
|
signer = m.signer
|
||||||
|
@ -129,7 +129,7 @@ func (m *mockKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (crypto.S
|
||||||
return signer, m.errCreatesigner
|
return signer, m.errCreatesigner
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *mockKeyManager) CreateDecrypter(req *kmsapi.CreateDecrypterRequest) (crypto.Decrypter, error) {
|
func (m *mockKeyManager) CreateDecrypter(*kmsapi.CreateDecrypterRequest) (crypto.Decrypter, error) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -147,6 +147,7 @@ func (b *badSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte, er
|
||||||
return nil, fmt.Errorf("💥")
|
return nil, fmt.Errorf("💥")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//nolint:gocritic // ignore sloppy test func name
|
||||||
func mockNow(t *testing.T) {
|
func mockNow(t *testing.T) {
|
||||||
tmp := now
|
tmp := now
|
||||||
now = func() time.Time {
|
now = func() time.Time {
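Review bot: mockNow takes `t *testing.T` but none of the visible lines call `t.Helper()`, unlike the sibling helpers mockRegister and fakeTime on this page, so any failure raised from inside it would be attributed to mockNow's own line rather than to the calling test. Adding `t.Helper()` as the first statement would match the other helpers and the directive above the signature. The rest of mockNow's body is outside the hunk, so it is possible t is used further down.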
|
||||||
|
|
|
@ -15,11 +15,11 @@ import (
|
||||||
|
|
||||||
type mockErrIssuer struct{}
|
type mockErrIssuer struct{}
|
||||||
|
|
||||||
func (m mockErrIssuer) SignToken(subject string, sans []string, info *raInfo) (string, error) {
|
func (m mockErrIssuer) SignToken(string, []string, *raInfo) (string, error) {
|
||||||
return "", apiv1.NotImplementedError{}
|
return "", apiv1.NotImplementedError{}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m mockErrIssuer) RevokeToken(subject string) (string, error) {
|
func (m mockErrIssuer) RevokeToken(string) (string, error) {
|
||||||
return "", apiv1.NotImplementedError{}
|
return "", apiv1.NotImplementedError{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@ func (m mockErrIssuer) Lifetime(d time.Duration) time.Duration {
|
||||||
|
|
||||||
type mockErrSigner struct{}
|
type mockErrSigner struct{}
|
||||||
|
|
||||||
func (s *mockErrSigner) Sign(payload []byte) (*jose.JSONWebSignature, error) {
|
func (s *mockErrSigner) Sign([]byte) (*jose.JSONWebSignature, error) {
|
||||||
return nil, apiv1.NotImplementedError{}
|
return nil, apiv1.NotImplementedError{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -157,7 +157,7 @@ func (s *StepCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1
|
||||||
|
|
||||||
// GetCertificateAuthority returns the root certificate of the certificate
|
// GetCertificateAuthority returns the root certificate of the certificate
|
||||||
// authority using the configured fingerprint.
|
// authority using the configured fingerprint.
|
||||||
func (s *StepCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) {
|
func (s *StepCAS) GetCertificateAuthority(*apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) {
|
||||||
resp, err := s.client.Root(s.fingerprint)
|
resp, err := s.client.Root(s.fingerprint)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
@ -22,10 +22,11 @@ func (b noneSigner) Public() crypto.PublicKey {
|
||||||
return []byte(b)
|
return []byte(b)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b noneSigner) Sign(rnd io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
|
func (b noneSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) (signature []byte, err error) {
|
||||||
return digest, nil
|
return digest, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//nolint:gocritic // ignore sloppy test func name
|
||||||
func fakeTime(t *testing.T) {
|
func fakeTime(t *testing.T) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
tmp := timeNow
|
tmp := timeNow
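Review bot: noneSigner.Sign returns `digest` unchanged as the signature, and the new signature line carries no comment saying why a crypto.Signer that performs no signing is acceptable here. Suggest a doc line above it such as `// Sign returns the digest as-is; noneSigner is a test-only stand-in that performs no signing.` The file appears to be a test file, since fakeTime below takes *testing.T, but the noneSigner type declaration is outside the hunk so that remains an inference.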
|
||||||
|
|
|
@ -127,7 +127,7 @@ func (v *VaultCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv
|
||||||
|
|
||||||
// GetCertificateAuthority returns the root certificate of the certificate
|
// GetCertificateAuthority returns the root certificate of the certificate
|
||||||
// authority using the configured fingerprint.
|
// authority using the configured fingerprint.
|
||||||
func (v *VaultCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) {
|
func (v *VaultCAS) GetCertificateAuthority(*apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) {
|
||||||
secret, err := v.client.Logical().Read(v.config.PKIMountPath + "/cert/ca_chain")
|
secret, err := v.client.Logical().Read(v.config.PKIMountPath + "/cert/ca_chain")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("error reading ca chain: %w", err)
|
return nil, fmt.Errorf("error reading ca chain: %w", err)
|
||||||
|
@ -161,7 +161,7 @@ func (v *VaultCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityReq
|
||||||
|
|
||||||
// RenewCertificate will always return a non-implemented error as renewals
|
// RenewCertificate will always return a non-implemented error as renewals
|
||||||
// are not supported yet.
|
// are not supported yet.
|
||||||
func (v *VaultCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) {
|
func (v *VaultCAS) RenewCertificate(*apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) {
|
||||||
return nil, apiv1.NotImplementedError{Message: "vaultCAS does not support renewals"}
|
return nil, apiv1.NotImplementedError{Message: "vaultCAS does not support renewals"}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
38
db/simple.go
38
db/simple.go
|
@ -20,24 +20,24 @@ type SimpleDB struct {
|
||||||
usedTokens *sync.Map
|
usedTokens *sync.Map
|
||||||
}
|
}
|
||||||
|
|
||||||
func newSimpleDB(c *Config) (*SimpleDB, error) {
|
func newSimpleDB(*Config) (*SimpleDB, error) {
|
||||||
db := &SimpleDB{}
|
db := &SimpleDB{}
|
||||||
db.usedTokens = new(sync.Map)
|
db.usedTokens = new(sync.Map)
|
||||||
return db, nil
|
return db, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsRevoked noop
|
// IsRevoked noop
|
||||||
func (s *SimpleDB) IsRevoked(sn string) (bool, error) {
|
func (s *SimpleDB) IsRevoked(string) (bool, error) {
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsSSHRevoked noop
|
// IsSSHRevoked noop
|
||||||
func (s *SimpleDB) IsSSHRevoked(sn string) (bool, error) {
|
func (s *SimpleDB) IsSSHRevoked(string) (bool, error) {
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Revoke returns a "NotImplemented" error.
|
// Revoke returns a "NotImplemented" error.
|
||||||
func (s *SimpleDB) Revoke(rci *RevokedCertificateInfo) error {
|
func (s *SimpleDB) Revoke(*RevokedCertificateInfo) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -52,22 +52,22 @@ func (s *SimpleDB) GetCRL() (*CertificateRevocationListInfo, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// StoreCRL returns a "NotImplemented" error.
|
// StoreCRL returns a "NotImplemented" error.
|
||||||
func (s *SimpleDB) StoreCRL(crlInfo *CertificateRevocationListInfo) error {
|
func (s *SimpleDB) StoreCRL(*CertificateRevocationListInfo) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// RevokeSSH returns a "NotImplemented" error.
|
// RevokeSSH returns a "NotImplemented" error.
|
||||||
func (s *SimpleDB) RevokeSSH(rci *RevokedCertificateInfo) error {
|
func (s *SimpleDB) RevokeSSH(*RevokedCertificateInfo) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetCertificate returns a "NotImplemented" error.
|
// GetCertificate returns a "NotImplemented" error.
|
||||||
func (s *SimpleDB) GetCertificate(serialNumber string) (*x509.Certificate, error) {
|
func (s *SimpleDB) GetCertificate(string) (*x509.Certificate, error) {
|
||||||
return nil, ErrNotImplemented
|
return nil, ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// StoreCertificate returns a "NotImplemented" error.
|
// StoreCertificate returns a "NotImplemented" error.
|
||||||
func (s *SimpleDB) StoreCertificate(crt *x509.Certificate) error {
|
func (s *SimpleDB) StoreCertificate(*x509.Certificate) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -90,12 +90,12 @@ func (s *SimpleDB) UseToken(id, tok string) (bool, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsSSHHost returns a "NotImplemented" error.
|
// IsSSHHost returns a "NotImplemented" error.
|
||||||
func (s *SimpleDB) IsSSHHost(principal string) (bool, error) {
|
func (s *SimpleDB) IsSSHHost(string) (bool, error) {
|
||||||
return false, ErrNotImplemented
|
return false, ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// StoreSSHCertificate returns a "NotImplemented" error.
|
// StoreSSHCertificate returns a "NotImplemented" error.
|
||||||
func (s *SimpleDB) StoreSSHCertificate(crt *ssh.Certificate) error {
|
func (s *SimpleDB) StoreSSHCertificate(*ssh.Certificate) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -112,7 +112,7 @@ func (s *SimpleDB) Shutdown() error {
|
||||||
// nosql.DB interface implementation //
|
// nosql.DB interface implementation //
|
||||||
|
|
||||||
// Open opens the database available with the given options.
|
// Open opens the database available with the given options.
|
||||||
func (s *SimpleDB) Open(dataSourceName string, opt ...database.Option) error {
|
func (s *SimpleDB) Open(string, ...database.Option) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -122,43 +122,43 @@ func (s *SimpleDB) Close() error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get returns the value stored in the given table/bucket and key.
|
// Get returns the value stored in the given table/bucket and key.
|
||||||
func (s *SimpleDB) Get(bucket, key []byte) ([]byte, error) {
|
func (s *SimpleDB) Get([]byte, []byte) ([]byte, error) {
|
||||||
return nil, ErrNotImplemented
|
return nil, ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set sets the given value in the given table/bucket and key.
|
// Set sets the given value in the given table/bucket and key.
|
||||||
func (s *SimpleDB) Set(bucket, key, value []byte) error {
|
func (s *SimpleDB) Set([]byte, []byte, []byte) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// CmpAndSwap swaps the value at the given bucket and key if the current
|
// CmpAndSwap swaps the value at the given bucket and key if the current
|
||||||
// value is equivalent to the oldValue input. Returns 'true' if the
|
// value is equivalent to the oldValue input. Returns 'true' if the
|
||||||
// swap was successful and 'false' otherwise.
|
// swap was successful and 'false' otherwise.
|
||||||
func (s *SimpleDB) CmpAndSwap(bucket, key, oldValue, newValue []byte) ([]byte, bool, error) {
|
func (s *SimpleDB) CmpAndSwap([]byte, []byte, []byte, []byte) ([]byte, bool, error) {
|
||||||
return nil, false, ErrNotImplemented
|
return nil, false, ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// Del deletes the data in the given table/bucket and key.
|
// Del deletes the data in the given table/bucket and key.
|
||||||
func (s *SimpleDB) Del(bucket, key []byte) error {
|
func (s *SimpleDB) Del([]byte, []byte) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// List returns a list of all the entries in a given table/bucket.
|
// List returns a list of all the entries in a given table/bucket.
|
||||||
func (s *SimpleDB) List(bucket []byte) ([]*database.Entry, error) {
|
func (s *SimpleDB) List([]byte) ([]*database.Entry, error) {
|
||||||
return nil, ErrNotImplemented
|
return nil, ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// Update performs a transaction with multiple read-write commands.
|
// Update performs a transaction with multiple read-write commands.
|
||||||
func (s *SimpleDB) Update(tx *database.Tx) error {
|
func (s *SimpleDB) Update(*database.Tx) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// CreateTable creates a table or a bucket in the database.
|
// CreateTable creates a table or a bucket in the database.
|
||||||
func (s *SimpleDB) CreateTable(bucket []byte) error {
|
func (s *SimpleDB) CreateTable([]byte) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeleteTable deletes a table or a bucket in the database.
|
// DeleteTable deletes a table or a bucket in the database.
|
||||||
func (s *SimpleDB) DeleteTable(bucket []byte) error {
|
func (s *SimpleDB) DeleteTable([]byte) error {
|
||||||
return ErrNotImplemented
|
return ErrNotImplemented
|
||||||
}
|
}
|
||||||
|
|
2
go.mod
2
go.mod
|
@ -1,6 +1,6 @@
|
||||||
module github.com/smallstep/certificates
|
module github.com/smallstep/certificates
|
||||||
|
|
||||||
go 1.18
|
go 1.19
|
||||||
|
|
||||||
require (
|
require (
|
||||||
cloud.google.com/go/longrunning v0.4.1
|
cloud.google.com/go/longrunning v0.4.1
|
||||||
|
|
|
@ -196,7 +196,7 @@ func setKeyPair(t *testing.T, p *PKI) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// setCertificates sets some static, gibberish intermediate and root CA certificate and key bytes.
|
// setCertificates sets some static, gibberish intermediate and root CA certificate and key bytes.
|
||||||
func setCertificates(t *testing.T, p *PKI) {
|
func setCertificates(_ *testing.T, p *PKI) {
|
||||||
raw := []byte("these are just some fake root CA cert bytes")
|
raw := []byte("these are just some fake root CA cert bytes")
|
||||||
p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: raw})
|
p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: raw})
|
||||||
p.Files[p.RootKey[0]] = pem.EncodeToMemory(&pem.Block{
|
p.Files[p.RootKey[0]] = pem.EncodeToMemory(&pem.Block{
|
||||||
|
@ -213,8 +213,7 @@ func setCertificates(t *testing.T, p *PKI) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// setSSHSigningKeys sets some static, gibberish ssh user and host CA certificate and key bytes.
|
// setSSHSigningKeys sets some static, gibberish ssh user and host CA certificate and key bytes.
|
||||||
func setSSHSigningKeys(t *testing.T, p *PKI) {
|
func setSSHSigningKeys(_ *testing.T, p *PKI) {
|
||||||
|
|
||||||
if !p.options.enableSSH {
|
if !p.options.enableSSH {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -244,30 +244,21 @@ func (e *NamePolicyEngine) IsX509CertificateRequestAllowed(csr *x509.Certificate
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// AreSANSAllowed verifies that all names in the slice of SANs are allowed.
|
// AreSANsAllowed verifies that all names in the slice of SANs are allowed.
|
||||||
// The SANs are first split into DNS names, IPs, email addresses and URIs.
|
// The SANs are first split into DNS names, IPs, email addresses and URIs.
|
||||||
func (e *NamePolicyEngine) AreSANsAllowed(sans []string) error {
|
func (e *NamePolicyEngine) AreSANsAllowed(sans []string) error {
|
||||||
dnsNames, ips, emails, uris := x509util.SplitSANs(sans)
|
dnsNames, ips, emails, uris := x509util.SplitSANs(sans)
|
||||||
if err := e.validateNames(dnsNames, ips, emails, uris, []string{}); err != nil {
|
return e.validateNames(dnsNames, ips, emails, uris, []string{})
|
||||||
return err
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsDNSAllowed verifies a single DNS domain is allowed.
|
// IsDNSAllowed verifies a single DNS domain is allowed.
|
||||||
func (e *NamePolicyEngine) IsDNSAllowed(dns string) error {
|
func (e *NamePolicyEngine) IsDNSAllowed(dns string) error {
|
||||||
if err := e.validateNames([]string{dns}, []net.IP{}, []string{}, []*url.URL{}, []string{}); err != nil {
|
return e.validateNames([]string{dns}, []net.IP{}, []string{}, []*url.URL{}, []string{})
|
||||||
return err
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsIPAllowed verifies a single IP domain is allowed.
|
// IsIPAllowed verifies a single IP domain is allowed.
|
||||||
func (e *NamePolicyEngine) IsIPAllowed(ip net.IP) error {
|
func (e *NamePolicyEngine) IsIPAllowed(ip net.IP) error {
|
||||||
if err := e.validateNames([]string{}, []net.IP{ip}, []string{}, []*url.URL{}, []string{}); err != nil {
|
return e.validateNames([]string{}, []net.IP{ip}, []string{}, []*url.URL{}, []string{})
|
||||||
return err
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsSSHCertificateAllowed verifies that all principals in an SSH certificate are allowed.
|
// IsSSHCertificateAllowed verifies that all principals in an SSH certificate are allowed.
|
||||||
|
@ -276,10 +267,7 @@ func (e *NamePolicyEngine) IsSSHCertificateAllowed(cert *ssh.Certificate) error
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := e.validateNames(dnsNames, ips, emails, []*url.URL{}, principals); err != nil {
|
return e.validateNames(dnsNames, ips, emails, []*url.URL{}, principals)
|
||||||
return err
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// splitPrincipals splits SSH certificate principals into DNS names, emails and usernames.
|
// splitPrincipals splits SSH certificate principals into DNS names, emails and usernames.
|
||||||
|
|
|
@ -115,7 +115,7 @@ func (a *Authority) GetLinkExplicit(provName string, abs bool, baseURL *url.URL,
|
||||||
|
|
||||||
// getLinkExplicit returns an absolute or partial path to the given resource and a base
|
// getLinkExplicit returns an absolute or partial path to the given resource and a base
|
||||||
// URL dynamically obtained from the request for which the link is being calculated.
|
// URL dynamically obtained from the request for which the link is being calculated.
|
||||||
func (a *Authority) getLinkExplicit(provisionerName string, abs bool, baseURL *url.URL, inputs ...string) string {
|
func (a *Authority) getLinkExplicit(provisionerName string, abs bool, baseURL *url.URL, _ ...string) string {
|
||||||
link := "/" + provisionerName
|
link := "/" + provisionerName
|
||||||
if abs {
|
if abs {
|
||||||
// Copy the baseURL value from the pointer. https://github.com/golang/go/issues/38351
|
// Copy the baseURL value from the pointer. https://github.com/golang/go/issues/38351
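Review bot: Renaming the variadic to `_ ...string` makes explicit that getLinkExplicit never uses the extra path inputs, yet the doc comment still promises "a path to the given resource" and the exported GetLinkExplicit named in the hunk header keeps accepting them. Because the parameter is `_` it cannot be referenced anywhere in the body, so the remainder of the function outside the hunk does not consume them either. Either the inputs should be appended to `link`, or the comment should say so, e.g. `// Trailing inputs are currently ignored; only provisionerName and baseURL shape the link.`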
|
||||||
|
@ -182,7 +182,7 @@ func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate,
|
||||||
}
|
}
|
||||||
|
|
||||||
// DecryptPKIEnvelope decrypts an enveloped message
|
// DecryptPKIEnvelope decrypts an enveloped message
|
||||||
func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error {
|
func (a *Authority) DecryptPKIEnvelope(_ context.Context, msg *PKIMessage) error {
|
||||||
p7c, err := pkcs7.Parse(msg.P7.Content)
|
p7c, err := pkcs7.Parse(msg.P7.Content)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error parsing pkcs7 content: %w", err)
|
return fmt.Errorf("error parsing pkcs7 content: %w", err)
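Review bot: DecryptPKIEnvelope's `_ context.Context` makes explicit that the context is never consulted, and CreateFailureResponse in the hunk below likewise discards both its context and its `*x509.CertificateRequest`, but neither doc comment mentions this. A caller cannot tell from the signatures that cancellation is ignored or that the failure reply is built independently of the CSR. Suggest `// The context is accepted for signature compatibility and is not used.` on DecryptPKIEnvelope and an equivalent line on CreateFailureResponse stating that ctx and csr are unused. Both function bodies extend past their hunks.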
|
||||||
|
@ -389,7 +389,7 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
|
||||||
}
|
}
|
||||||
|
|
||||||
// CreateFailureResponse creates an appropriately signed reply for PKI operations
|
// CreateFailureResponse creates an appropriately signed reply for PKI operations
|
||||||
func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error) {
|
func (a *Authority) CreateFailureResponse(_ context.Context, _ *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error) {
|
||||||
config := pkcs7.SignerInfoConfig{
|
config := pkcs7.SignerInfoConfig{
|
||||||
ExtraSignedAttributes: []pkcs7.Attribute{
|
ExtraSignedAttributes: []pkcs7.Attribute{
|
||||||
{
|
{
|
||||||
|
|
|
@ -13,7 +13,8 @@ type Service struct {
|
||||||
decrypter crypto.Decrypter
|
decrypter crypto.Decrypter
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewService(ctx context.Context, opts Options) (*Service, error) {
|
// NewService returns a new Service type.
|
||||||
|
func NewService(_ context.Context, opts Options) (*Service, error) {
|
||||||
if err := opts.Validate(); err != nil {
|
if err := opts.Validate(); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|