Refactor the initialization of KeyManagers.

This commit is contained in:
Mariano Cano 2020-05-11 18:47:22 -07:00
parent c02fe77998
commit 63e36ecd7a
7 changed files with 81 additions and 62 deletions

View file

@ -1,11 +1,28 @@
package apiv1
import (
"crypto"
"crypto/x509"
"strings"
"github.com/pkg/errors"
)
// KeyManager is the interface implemented by all the KMS.
type KeyManager interface {
GetPublicKey(req *GetPublicKeyRequest) (crypto.PublicKey, error)
CreateKey(req *CreateKeyRequest) (*CreateKeyResponse, error)
CreateSigner(req *CreateSignerRequest) (crypto.Signer, error)
Close() error
}
// CertificateManager is the interface implemented by the KMS that can load and
// store x509.Certificates.
type CertificateManager interface {
LoadCerticate(req *LoadCertificateRequest) (*x509.Certificate, error)
StoreCertificate(req *StoreCertificateRequest) error
}
// ErrNotImplemented
type ErrNotImplemented struct {
msg string

27
kms/apiv1/registry.go Normal file
View file

@ -0,0 +1,27 @@
package apiv1
import (
"context"
"sync"
)
var registry = new(sync.Map)
// KeyManagerNewFunc is the type that represents the method to initialize a new
// KeyManager.
type KeyManagerNewFunc func(ctx context.Context, opts Options) (KeyManager, error)
// Register adds to the registry a method to create a KeyManager of type t.
func Register(t Type, fn KeyManagerNewFunc) {
registry.Store(t, fn)
}
// LoadKeyManagerNewFunc returns the function initialize a KayManager.
func LoadKeyManagerNewFunc(t Type) (KeyManagerNewFunc, bool) {
v, ok := registry.Load(t)
if !ok {
return nil, false
}
fn, ok := v.(KeyManagerNewFunc)
return fn, ok
}

View file

@ -93,6 +93,12 @@ func New(ctx context.Context, opts apiv1.Options) (*CloudKMS, error) {
}, nil
}
func init() {
apiv1.Register(apiv1.CloudKMS, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
return New(ctx, opts)
})
}
// NewCloudKMS creates a CloudKMS with a given client.
func NewCloudKMS(client KeyManagementClient) *CloudKMS {
return &CloudKMS{

View file

@ -2,30 +2,18 @@ package kms
import (
"context"
"crypto"
"crypto/x509"
"strings"
"github.com/pkg/errors"
"github.com/smallstep/certificates/kms/apiv1"
"github.com/smallstep/certificates/kms/cloudkms"
"github.com/smallstep/certificates/kms/softkms"
"github.com/smallstep/certificates/kms/yubikey"
)
// KeyManager is the interface implemented by all the KMS.
type KeyManager interface {
GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
Close() error
}
type KeyManager = apiv1.KeyManager
// CertificateManager is the interface implemented by the KMS that can load and store x509.Certificates.
type CertificateManager interface {
LoadCerticate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error)
StoreCertificate(req *apiv1.StoreCertificateRequest) error
}
// CertificateManager is the interface implemented by the KMS that can load and
// store x509.Certificates.
type CertificateManager = apiv1.CertificateManager
// New initializes a new KMS from the given type.
func New(ctx context.Context, opts apiv1.Options) (KeyManager, error) {
@ -33,14 +21,14 @@ func New(ctx context.Context, opts apiv1.Options) (KeyManager, error) {
return nil, err
}
switch apiv1.Type(strings.ToLower(opts.Type)) {
case apiv1.DefaultKMS, apiv1.SoftKMS:
return softkms.New(ctx, opts)
case apiv1.CloudKMS:
return cloudkms.New(ctx, opts)
case apiv1.YubiKey:
return yubikey.New(ctx, opts)
default:
t := apiv1.Type(strings.ToLower(opts.Type))
if t == apiv1.DefaultKMS {
t = apiv1.SoftKMS
}
fn, ok := apiv1.LoadKeyManagerNewFunc(t)
if !ok {
return nil, errors.Errorf("unsupported kms type '%s'", opts.Type)
}
return fn(ctx, opts)
}

View file

@ -52,6 +52,12 @@ func New(ctx context.Context, opts apiv1.Options) (*SoftKMS, error) {
return &SoftKMS{}, nil
}
func init() {
apiv1.Register(apiv1.SoftKMS, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
return New(ctx, opts)
})
}
// Close is a noop that just returns nil.
func (k *SoftKMS) Close() error {
return nil

View file

@ -42,6 +42,12 @@ func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) {
}, nil
}
func init() {
apiv1.Register(apiv1.YubiKey, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
return New(ctx, opts)
})
}
// LoadCertificate implements kms.CertificateManager and loads a certificate
// from the YubiKey.
func (k *YubiKey) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error) {

View file

@ -4,47 +4,16 @@ package yubikey
import (
"context"
"crypto"
"crypto/x509"
"os"
"path/filepath"
"github.com/pkg/errors"
"github.com/smallstep/certificates/kms/apiv1"
)
// YubiKey implements the KMS interface on a YubiKey.
type YubiKey struct{}
// New always fails without CGO.
func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) {
return nil, errors.New("YubiKey is not supported without cgo")
}
// LoadCertificate always fails without CGO.
func (k *YubiKey) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error) {
return nil, errors.New("YubiKey is not supported without cgo")
}
// StoreCertificate always fails without CGO.
func (k *YubiKey) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
return errors.New("YubiKey is not supported without cgo")
}
// GetPublicKey always fails without CGO.
func (k *YubiKey) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error) {
return nil, errors.New("YubiKey is not supported without cgo")
}
// CreateKey always fails without CGO.
func (k *YubiKey) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) {
return nil, errors.New("YubiKey is not supported without cgo")
}
// CreateSigner always fails without CGO.
func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error) {
return nil, errors.New("YubiKey is not supported without cgo")
}
// Close always fails without CGO.
func (k *YubiKey) Close() error {
return errors.New("YubiKey is not supported without cgo")
func init() {
apiv1.Register(apiv1.YubiKey, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
name := filepath.Base(os.Args[0])
return nil, errors.Errorf("unsupported kms type 'yubikey': %s is compiled without cgo support", name)
})
}