Add an option to avoid password prompts on step cas

When we are using `step ca init` to create a stepcas RA we don't have access to the password for verify the provisioner.
2021-08-04 16:16:35 -07:00 · 2021-08-04 16:16:35 -07:00 · de719eb6f0
commit de719eb6f0
parent de292fbed6
3 changed files with 29 additions and 6 deletions
--- a/cas/apiv1/options.go
+++ b/cas/apiv1/options.go
@ -38,10 +38,17 @@ type Options struct {
 	CertificateChain []*x509.Certificate `json:"-"`
 	Signer           crypto.Signer       `json:"-"`

-	// IsCreator is set to true when we're creating a certificate authority. Is
-	// used to skip some validations when initializing a CertificateAuthority.
+	// IsCreator is set to true when we're creating a certificate authority. It
+	// is used to skip some validations when initializing a
+	// CertificateAuthority. This option is used on SoftCAS and CloudCAS.
 	IsCreator bool `json:"-"`

+	// IsCAGetter is set to true when we're just using the
+	// CertificateAuthorityGetter interface to retrieve the root certificate. It
+	// is used to skip some validations when initializing a
+	// CertificateAuthority. This option is used on StepCAS.
+	IsCAGetter bool `json:"-"`
+
 	// KeyManager is the KMS used to generate keys in SoftCAS.
 	KeyManager kms.KeyManager `json:"-"`

--- a/cas/stepcas/stepcas.go
+++ b/cas/stepcas/stepcas.go
@ -47,10 +47,13 @@ func New(ctx context.Context, opts apiv1.Options) (*StepCAS, error) {
 		return nil, err
 	}

-	// Create configured issuer
-	iss, err := newStepIssuer(caURL, client, opts.CertificateIssuer)
-	if err != nil {
-		return nil, err
+	var iss stepIssuer
+	// Create configured issuer unless we only want to use GetCertificateAuthority.
+	// This avoid the request for the password if not provided.
+	if !opts.IsCAGetter {
+		if iss, err = newStepIssuer(caURL, client, opts.CertificateIssuer); err != nil {
+			return nil, err
+		}
 	}

 	return &StepCAS{
--- a/cas/stepcas/stepcas_test.go
+++ b/cas/stepcas/stepcas_test.go
@ -411,6 +411,19 @@ func TestNew(t *testing.T) {
 			client:      client,
 			fingerprint: testRootFingerprint,
 		}, false},
+		{"ok ca getter", args{context.TODO(), apiv1.Options{
+			IsCAGetter:                      true,
+			CertificateAuthority:            caURL.String(),
+			CertificateAuthorityFingerprint: testRootFingerprint,
+			CertificateIssuer: &apiv1.CertificateIssuer{
+				Type:        "jwk",
+				Provisioner: "ra@doe.org",
+			},
+		}}, &StepCAS{
+			iss:         nil,
+			client:      client,
+			fingerprint: testRootFingerprint,
+		}, false},
 		{"fail authority", args{context.TODO(), apiv1.Options{
 			CertificateAuthority:            "",
 			CertificateAuthorityFingerprint: testRootFingerprint,