From 25b8d196d84542c97a946a963782a4d20c3c9ca9 Mon Sep 17 00:00:00 2001
From: max furman
Date: Wed, 11 May 2022 17:04:43 -0700
Subject: [PATCH] Couple changes in response to PR
- add skipInit option to skip authority initialization
- check admin API status when removing provisioners
- no need to check admins when not using Admin API
---
 authority/authority.go | 32 +++++++++++++-------------------
 authority/options.go | 9 +++++++++
 authority/provisioners.go | 30 ++++++++++++++++--------------
 3 files changed, 38 insertions(+), 33 deletions(-)
diff --git a/authority/authority.go b/authority/authority.go
index 63375351..5b08ec40 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -78,8 +78,12 @@ type Authority struct {
 authorizeSSHRenewFunc provisioner.AuthorizeSSHRenewFunc
 adminMutex sync.RWMutex
+
+ // Do Not initialize the authority
+ skipInit bool
 }
+// Info contains information about the authority.
 type Info struct {
 StartTime time.Time
 RootX509Certs []*x509.Certificate
@@ -107,25 +111,13 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 }
 }
- // Initialize authority from options or configuration.
- if err := a.init(); err != nil {
- return nil, err
- }
-
- return a, nil
- }
-
- // FromOptions creates an Authority exclusively using the passed in options
- // and does not initialize the Authority.
- func FromOptions(opts ...Option) (*Authority, error) {
- var a = new(Authority)
-
- // Apply options.
- for _, fn := range opts {
- if err := fn(a); err != nil {
+ if !a.skipInit {
+ // Initialize authority from options or configuration.
+ if err := a.init(); err != nil {
 return nil, err
 }
 }
+
 return a, nil
 }
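Review bot: The new field comment `// Do Not initialize the authority` reads as an instruction rather than a description, and does not say who sets the flag or what it suppresses. Since the flag is set only by WithSkipInit and consulted by New and NewEmbedded, I would write `// skipInit, set by WithSkipInit, makes New and NewEmbedded return before a.init() runs.` so a reader of the struct knows the returned value may be incomplete.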
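Review bot: With skipInit set, New now returns an *Authority on which a.init() has not run, but nothing in the hunk (or in New's doc comment, which sits above the hunk) tells the caller what is still missing or how to finish initialization; init is unexported, so unless an exported equivalent exists elsewhere in the package an external caller cannot complete it. A sentence on New such as `// With WithSkipInit the authority is returned without calling init(); the caller must complete initialization before using it to sign or authorize.` would close that gap. The same guarded block appears again in the NewEmbedded hunk in this file, and the note applies there as well. New's body starts before this hunk.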
@@ -159,9 +151,11 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 // Initialize config required fields.
 a.config.Init()
- // Initialize authority from options or configuration.
- if err := a.init(); err != nil {
- return nil, err
+ if !a.skipInit {
+ // Initialize authority from options or configuration.
+ if err := a.init(); err != nil {
+ return nil, err
+ }
 }
 return a, nil
diff --git a/authority/options.go b/authority/options.go
index 1c154577..b583bb89 100644
--- a/authority/options.go
+++ b/authority/options.go
@@ -284,6 +284,15 @@ func WithX509Enforcers(ces ...provisioner.CertificateEnforcer) Option {
 }
 }
+// WithSkipInit is an option that allows the constructor to skip initializtion
+// of the authority.
+func WithSkipInit() Option {
+ return func(a *Authority) error {
+ a.skipInit = true
+ return nil
+ }
+}
 func readCertificateBundle(pemCerts []byte) ([]*x509.Certificate, error) {
 var block *pem.Block
 var certs []*x509.Certificate
diff --git a/authority/provisioners.go b/authority/provisioners.go
index 5944f007..642bb5b1 100644
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
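Review bot: The doc comment on the new exported WithSkipInit has a typo (`initializtion`) and "the constructor" is vague now that both New and NewEmbedded honor the flag. I would replace the two comment lines with `// WithSkipInit is an option that makes New and NewEmbedded return the Authority without running its initialization (init). The caller is then responsible for completing initialization before the authority is used.` The option itself is a plain flag setter and looks fine.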
@@ -243,27 +243,29 @@ func (a *Authority) RemoveProvisioner(ctx context.Context, id string) error {
 }
 provName, provID := p.GetName(), p.GetID()
- // Validate
- // - Check that there will be SUPER_ADMINs that remain after we
- // remove this provisioner.
- if a.admins.SuperCount() == a.admins.SuperCountByProvisioner(provName) {
- return admin.NewError(admin.ErrorBadRequestType,
- "cannot remove provisioner %s because no super admins will remain", provName)
- }
+ if a.IsAdminAPIEnabled() {
+ // Validate
+ // - Check that there will be SUPER_ADMINs that remain after we
+ // remove this provisioner.
+ if a.IsAdminAPIEnabled() && a.admins.SuperCount() == a.admins.SuperCountByProvisioner(provName) {
+ return admin.NewError(admin.ErrorBadRequestType,
+ "cannot remove provisioner %s because no super admins will remain", provName)
+ }
- // Delete all admins associated with the provisioner.
- admins, ok := a.admins.LoadByProvisioner(provName)
- if ok {
- for _, adm := range admins {
- if err := a.removeAdmin(ctx, adm.Id); err != nil {
- return admin.WrapErrorISE(err, "error deleting admin %s, as part of provisioner %s deletion", adm.Subject, provName)
+ // Delete all admins associated with the provisioner.
+ admins, ok := a.admins.LoadByProvisioner(provName)
+ if ok {
+ for _, adm := range admins {
+ if err := a.removeAdmin(ctx, adm.Id); err != nil {
+ return admin.WrapErrorISE(err, "error deleting admin %s, as part of provisioner %s deletion", adm.Subject, provName)
+ }
 }
 }
 }
 // Remove provisioner from authority caches.
 if err := a.provisioners.Remove(provID); err != nil {
- return admin.WrapErrorISE(err, "error removing admin from authority cache")
+ return admin.WrapErrorISE(err, "error removing provisioner from authority cache")
 }
 // Remove provisioner from database.
 if err := a.adminDB.DeleteProvisioner(ctx, provID); err != nil {
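Review bot: The inner super-admin check repeats `a.IsAdminAPIEnabled()` even though it already sits inside the `if a.IsAdminAPIEnabled() {` block, so the second call is dead; the line should read `if a.admins.SuperCount() == a.admins.SuperCountByProvisioner(provName) {`. Separately, when the Admin API is disabled any admin records tied to this provisioner are now left untouched while the provisioner itself is still deleted from adminDB, so if the API is enabled later those admins would reference a provisioner that no longer exists — presumably acceptable given the commit message, but worth a comment at the top of the block saying so. RemoveProvisioner starts before this hunk and continues after it.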