certificates/cmd/step-ca/main.go

236 lines
7 KiB
Go
Raw Normal View History

2018-10-05 21:48:36 +00:00
package main
import (
"flag"
2018-10-05 21:48:36 +00:00
"fmt"
2019-08-29 22:58:07 +00:00
"html"
2022-09-21 05:12:08 +00:00
"log"
2019-09-12 19:51:07 +00:00
"math/rand"
2018-10-05 21:48:36 +00:00
"net/http"
"os"
2018-11-22 20:59:33 +00:00
"reflect"
"regexp"
2019-08-29 22:58:07 +00:00
"strconv"
2018-11-08 19:45:19 +00:00
"time"
2019-09-12 19:51:07 +00:00
2019-12-12 00:26:38 +00:00
// Server profiler
//nolint:gosec // profile server, if enabled runs on a different port
2019-12-12 00:26:38 +00:00
_ "net/http/pprof"
2019-11-21 01:01:31 +00:00
"github.com/smallstep/certificates/authority"
2019-09-12 19:51:07 +00:00
"github.com/smallstep/certificates/commands"
2018-11-22 20:59:33 +00:00
"github.com/urfave/cli"
"go.step.sm/cli-utils/command"
"go.step.sm/cli-utils/command/version"
2021-08-10 07:38:30 +00:00
"go.step.sm/cli-utils/step"
"go.step.sm/cli-utils/ui"
"go.step.sm/cli-utils/usage"
"go.step.sm/crypto/pemutil"
// Enabled kms interfaces.
2022-08-09 00:58:18 +00:00
_ "go.step.sm/crypto/kms/awskms"
_ "go.step.sm/crypto/kms/azurekms"
_ "go.step.sm/crypto/kms/cloudkms"
_ "go.step.sm/crypto/kms/pkcs11"
_ "go.step.sm/crypto/kms/softkms"
_ "go.step.sm/crypto/kms/sshagentkms"
_ "go.step.sm/crypto/kms/yubikey"
// Enabled cas interfaces.
_ "github.com/smallstep/certificates/cas/cloudcas"
_ "github.com/smallstep/certificates/cas/softcas"
_ "github.com/smallstep/certificates/cas/stepcas"
_ "github.com/smallstep/certificates/cas/vaultcas"
2018-10-05 21:48:36 +00:00
)
2018-11-22 20:59:33 +00:00
// commit and buildTime are filled in during build by the Makefile
var (
BuildTime = "N/A"
Version = "N/A"
)
2018-11-08 19:45:19 +00:00
2019-09-12 19:51:07 +00:00
func init() {
2021-08-10 07:38:30 +00:00
step.Set("Smallstep CA", Version, BuildTime)
2019-11-21 01:01:31 +00:00
authority.GlobalVersion.Version = Version
2023-02-10 01:02:35 +00:00
//nolint:staticcheck // deprecated in Go 1.20
2019-09-12 19:51:07 +00:00
rand.Seed(time.Now().UnixNano())
// Add support for asking passwords
pemutil.PromptPassword = func(msg string) ([]byte, error) {
return ui.PromptPassword(msg)
}
2018-11-08 19:45:19 +00:00
}
2021-10-07 19:43:24 +00:00
func exit(code int) {
ui.Reset()
os.Exit(code)
}
2019-08-29 22:58:07 +00:00
// appHelpTemplate contains the modified template for the main app
var appHelpTemplate = `## NAME
**{{.HelpName}}** -- {{.Usage}}
## USAGE
{{if .UsageText}}{{.UsageText}}{{else}}**{{.HelpName}}**{{if .Commands}} <command>{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}_[arguments]_{{end}}{{end}}{{if .Description}}
## DESCRIPTION
{{.Description}}{{end}}{{if .VisibleCommands}}
## COMMANDS
{{range .VisibleCategories}}{{if .Name}}{{.Name}}:{{end}}
|||
|---|---|{{range .VisibleCommands}}
| **{{join .Names ", "}}** | {{.Usage}} |{{end}}
{{end}}{{if .VisibleFlags}}{{end}}
## OPTIONS
2019-08-29 22:58:07 +00:00
{{range $index, $option := .VisibleFlags}}{{if $index}}
{{end}}{{$option}}
{{end}}{{end}}{{if .Copyright}}{{if len .Authors}}
## AUTHOR{{with $length := len .Authors}}{{if ne 1 $length}}S{{end}}{{end}}:
{{range $index, $author := .Authors}}{{if $index}}
{{end}}{{$author}}{{end}}{{end}}{{if .Version}}{{if not .HideVersion}}
## ONLINE
This documentation is available online at https://smallstep.com/docs/certificates
## VERSION
{{.Version}}{{end}}{{end}}
## COPYRIGHT
{{.Copyright}}
## FEEDBACK ` +
html.UnescapeString("&#"+strconv.Itoa(128525)+";") + " " +
html.UnescapeString("&#"+strconv.Itoa(127867)+";") +
`
The **step-ca** utility is not instrumented for usage statistics. It does not phone home.
But your feedback is extremely valuable. Any information you can provide regarding how youre using **step-ca** helps.
Please send us a sentence or two, good or bad: **feedback@smallstep.com** or https://github.com/smallstep/certificates/discussions.
2019-08-29 22:58:07 +00:00
{{end}}
`
2018-10-05 21:48:36 +00:00
func main() {
// Initialize windows terminal
ui.Init()
2018-11-22 20:59:33 +00:00
// Override global framework components
cli.VersionPrinter = func(c *cli.Context) {
2019-09-12 19:51:07 +00:00
version.Command(c)
2018-11-08 19:45:19 +00:00
}
2019-08-29 22:58:07 +00:00
cli.AppHelpTemplate = appHelpTemplate
2018-11-22 20:59:33 +00:00
cli.SubcommandHelpTemplate = usage.SubcommandHelpTemplate
cli.CommandHelpTemplate = usage.CommandHelpTemplate
cli.HelpPrinter = usage.HelpPrinter
cli.FlagNamePrefixer = usage.FlagNamePrefixer
cli.FlagStringer = stringifyFlag
2019-09-12 19:51:07 +00:00
2018-11-22 20:59:33 +00:00
// Configure cli app
app := cli.NewApp()
app.Name = "step-ca"
app.HelpName = "step-ca"
2021-08-10 07:38:30 +00:00
app.Version = step.Version()
2018-11-22 20:59:33 +00:00
app.Usage = "an online certificate authority for secure automated certificate management"
app.UsageText = `**step-ca** [config] [**--context**=<name>] [**--password-file**=<file>]
2021-09-16 19:05:23 +00:00
[**--ssh-host-password-file**=<file>] [**--ssh-user-password-file**=<file>]
[**--issuer-password-file**=<file>] [**--resolver**=<addr>] [**--help**] [**--version**]`
2018-11-22 20:59:33 +00:00
app.Description = `**step-ca** runs the Step Online Certificate Authority
(Step CA) using the given configuration.
See the README.md for more detailed configuration documentation.
## POSITIONAL ARGUMENTS
<config>
: File that configures the operation of the Step CA; this file is generated
when you initialize the Step CA using 'step ca init'
## EXIT CODES
This command will run indefinitely on success and return \>0 if any error occurs.
## EXAMPLES
These examples assume that you have already initialized your PKI by running
'step ca init'. If you have not completed this step please see the 'Getting Started'
section of the README.
2018-11-22 20:59:33 +00:00
Run the Step CA and prompt for password:
'''
$ step-ca $STEPPATH/config/ca.json
'''
Run the Step CA and read the password from a file - this is useful for
automating deployment:
'''
$ step-ca $STEPPATH/config/ca.json --password-file ./password.txt
'''
Run the Step CA for the context selected with step and a custom password file:
'''
$ step context select ssh
$ step-ca --password-file ./password.txt
'''
Run the Step CA for the context named _mybiz_ and prompt for password:
'''
$ step-ca --context=mybiz
'''
Run the Step CA for the context named _mybiz_ and an alternate ca.json file:
'''
$ step-ca --context=mybiz other-ca.json
'''
Run the Step CA for the context named _mybiz_ and read the password from a file - this is useful for
automating deployment:
'''
$ step-ca --context=mybiz --password-file ./password.txt
'''
`
2019-09-12 19:51:07 +00:00
app.Flags = append(app.Flags, commands.AppCommand.Flags...)
app.Flags = append(app.Flags, cli.HelpFlag)
2022-02-16 10:08:26 +00:00
app.Copyright = fmt.Sprintf("(c) 2018-%d Smallstep Labs, Inc.", time.Now().Year())
2018-11-22 20:59:33 +00:00
// All non-successful output should be written to stderr
app.Writer = os.Stdout
app.ErrWriter = os.Stderr
2019-09-12 19:51:07 +00:00
app.Commands = command.Retrieve()
2018-10-05 21:48:36 +00:00
2018-11-22 20:59:33 +00:00
// Start the golang debug logger if environment variable is set.
// See https://golang.org/pkg/net/http/pprof/
debugProfAddr := os.Getenv("STEP_PROF_ADDR")
if debugProfAddr != "" {
go func() {
2022-09-20 22:46:59 +00:00
srv := http.Server{
Addr: debugProfAddr,
ReadHeaderTimeout: 15 * time.Second,
}
2022-09-21 05:12:08 +00:00
log.Println(srv.ListenAndServe())
2018-11-22 20:59:33 +00:00
}()
2018-10-05 21:48:36 +00:00
}
2019-08-29 22:58:07 +00:00
app.Action = func(_ *cli.Context) error {
// Hack to be able to run a the top action as a subcommand
set := flag.NewFlagSet(app.Name, flag.ContinueOnError)
set.Parse(os.Args)
2019-08-29 22:58:07 +00:00
ctx := cli.NewContext(app, set, nil)
2019-09-12 19:51:07 +00:00
return commands.AppCommand.Run(ctx)
2018-10-05 21:48:36 +00:00
}
2018-11-22 20:59:33 +00:00
if err := app.Run(os.Args); err != nil {
if os.Getenv("STEPDEBUG") == "1" {
fmt.Fprintf(os.Stderr, "%+v\n", err)
} else {
fmt.Fprintln(os.Stderr, err)
}
2021-10-07 19:43:24 +00:00
exit(1)
2018-10-05 21:48:36 +00:00
}
2021-10-07 19:43:24 +00:00
exit(0)
2018-10-05 21:48:36 +00:00
}
2018-11-22 20:59:33 +00:00
func flagValue(f cli.Flag) reflect.Value {
fv := reflect.ValueOf(f)
for fv.Kind() == reflect.Ptr {
fv = reflect.Indirect(fv)
}
return fv
}
var placeholderString = regexp.MustCompile(`<.*?>`)
func stringifyFlag(f cli.Flag) string {
fv := flagValue(f)
usg := fv.FieldByName("Usage").String()
placeholder := placeholderString.FindString(usg)
2018-11-22 20:59:33 +00:00
if placeholder == "" {
switch f.(type) {
case cli.BoolFlag, cli.BoolTFlag:
default:
placeholder = "<value>"
}
2018-11-22 20:59:33 +00:00
}
return cli.FlagNamePrefixer(fv.FieldByName("Name").String(), placeholder) + "\t" + usg
2018-11-22 20:59:33 +00:00
}