Couple changes in response to PR

- add skipInit option to skip authority initialization
- check admin API status when removing provisioners - no need to check
  admins when not using Admin API
This commit is contained in:
max furman 2022-05-11 17:04:43 -07:00
parent 4cb74e7d8b
commit 25b8d196d8
3 changed files with 38 additions and 33 deletions

View file

@ -78,8 +78,12 @@ type Authority struct {
authorizeSSHRenewFunc provisioner.AuthorizeSSHRenewFunc
adminMutex sync.RWMutex
// Do Not initialize the authority
skipInit bool
}
// Info contains information about the authority.
type Info struct {
StartTime time.Time
RootX509Certs []*x509.Certificate
@ -107,25 +111,13 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
}
}
// Initialize authority from options or configuration.
if err := a.init(); err != nil {
return nil, err
}
return a, nil
}
// FromOptions creates an Authority exclusively using the passed in options
// and does not initialize the Authority.
func FromOptions(opts ...Option) (*Authority, error) {
var a = new(Authority)
// Apply options.
for _, fn := range opts {
if err := fn(a); err != nil {
if !a.skipInit {
// Initialize authority from options or configuration.
if err := a.init(); err != nil {
return nil, err
}
}
return a, nil
}
@ -159,9 +151,11 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
// Initialize config required fields.
a.config.Init()
// Initialize authority from options or configuration.
if err := a.init(); err != nil {
return nil, err
if !a.skipInit {
// Initialize authority from options or configuration.
if err := a.init(); err != nil {
return nil, err
}
}
return a, nil

View file

@ -284,6 +284,15 @@ func WithX509Enforcers(ces ...provisioner.CertificateEnforcer) Option {
}
}
// WithSkipInit is an option that allows the constructor to skip initializtion
// of the authority.
func WithSkipInit() Option {
return func(a *Authority) error {
a.skipInit = true
return nil
}
}
func readCertificateBundle(pemCerts []byte) ([]*x509.Certificate, error) {
var block *pem.Block
var certs []*x509.Certificate

View file

@ -243,27 +243,29 @@ func (a *Authority) RemoveProvisioner(ctx context.Context, id string) error {
}
provName, provID := p.GetName(), p.GetID()
// Validate
// - Check that there will be SUPER_ADMINs that remain after we
// remove this provisioner.
if a.admins.SuperCount() == a.admins.SuperCountByProvisioner(provName) {
return admin.NewError(admin.ErrorBadRequestType,
"cannot remove provisioner %s because no super admins will remain", provName)
}
if a.IsAdminAPIEnabled() {
// Validate
// - Check that there will be SUPER_ADMINs that remain after we
// remove this provisioner.
if a.IsAdminAPIEnabled() && a.admins.SuperCount() == a.admins.SuperCountByProvisioner(provName) {
return admin.NewError(admin.ErrorBadRequestType,
"cannot remove provisioner %s because no super admins will remain", provName)
}
// Delete all admins associated with the provisioner.
admins, ok := a.admins.LoadByProvisioner(provName)
if ok {
for _, adm := range admins {
if err := a.removeAdmin(ctx, adm.Id); err != nil {
return admin.WrapErrorISE(err, "error deleting admin %s, as part of provisioner %s deletion", adm.Subject, provName)
// Delete all admins associated with the provisioner.
admins, ok := a.admins.LoadByProvisioner(provName)
if ok {
for _, adm := range admins {
if err := a.removeAdmin(ctx, adm.Id); err != nil {
return admin.WrapErrorISE(err, "error deleting admin %s, as part of provisioner %s deletion", adm.Subject, provName)
}
}
}
}
// Remove provisioner from authority caches.
if err := a.provisioners.Remove(provID); err != nil {
return admin.WrapErrorISE(err, "error removing admin from authority cache")
return admin.WrapErrorISE(err, "error removing provisioner from authority cache")
}
// Remove provisioner from database.
if err := a.adminDB.DeleteProvisioner(ctx, provID); err != nil {