Refactor the initialization of KeyManagers.

This commit is contained in:
Mariano Cano 2020-05-11 18:47:22 -07:00
parent c02fe77998
commit 63e36ecd7a
7 changed files with 81 additions and 62 deletions

View file

@ -1,11 +1,28 @@
package apiv1 package apiv1
import ( import (
"crypto"
"crypto/x509"
"strings" "strings"
"github.com/pkg/errors" "github.com/pkg/errors"
) )
// KeyManager is the interface implemented by all the KMS.
type KeyManager interface {
GetPublicKey(req *GetPublicKeyRequest) (crypto.PublicKey, error)
CreateKey(req *CreateKeyRequest) (*CreateKeyResponse, error)
CreateSigner(req *CreateSignerRequest) (crypto.Signer, error)
Close() error
}
// CertificateManager is the interface implemented by the KMS that can load and
// store x509.Certificates.
type CertificateManager interface {
LoadCerticate(req *LoadCertificateRequest) (*x509.Certificate, error)
StoreCertificate(req *StoreCertificateRequest) error
}
// ErrNotImplemented // ErrNotImplemented
type ErrNotImplemented struct { type ErrNotImplemented struct {
msg string msg string

27
kms/apiv1/registry.go Normal file
View file

@ -0,0 +1,27 @@
package apiv1
import (
"context"
"sync"
)
var registry = new(sync.Map)
// KeyManagerNewFunc is the type that represents the method to initialize a new
// KeyManager.
type KeyManagerNewFunc func(ctx context.Context, opts Options) (KeyManager, error)
// Register adds to the registry a method to create a KeyManager of type t.
func Register(t Type, fn KeyManagerNewFunc) {
registry.Store(t, fn)
}
// LoadKeyManagerNewFunc returns the function initialize a KayManager.
func LoadKeyManagerNewFunc(t Type) (KeyManagerNewFunc, bool) {
v, ok := registry.Load(t)
if !ok {
return nil, false
}
fn, ok := v.(KeyManagerNewFunc)
return fn, ok
}

View file

@ -93,6 +93,12 @@ func New(ctx context.Context, opts apiv1.Options) (*CloudKMS, error) {
}, nil }, nil
} }
func init() {
apiv1.Register(apiv1.CloudKMS, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
return New(ctx, opts)
})
}
// NewCloudKMS creates a CloudKMS with a given client. // NewCloudKMS creates a CloudKMS with a given client.
func NewCloudKMS(client KeyManagementClient) *CloudKMS { func NewCloudKMS(client KeyManagementClient) *CloudKMS {
return &CloudKMS{ return &CloudKMS{

View file

@ -2,30 +2,18 @@ package kms
import ( import (
"context" "context"
"crypto"
"crypto/x509"
"strings" "strings"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/kms/apiv1" "github.com/smallstep/certificates/kms/apiv1"
"github.com/smallstep/certificates/kms/cloudkms"
"github.com/smallstep/certificates/kms/softkms"
"github.com/smallstep/certificates/kms/yubikey"
) )
// KeyManager is the interface implemented by all the KMS. // KeyManager is the interface implemented by all the KMS.
type KeyManager interface { type KeyManager = apiv1.KeyManager
GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
Close() error
}
// CertificateManager is the interface implemented by the KMS that can load and store x509.Certificates. // CertificateManager is the interface implemented by the KMS that can load and
type CertificateManager interface { // store x509.Certificates.
LoadCerticate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error) type CertificateManager = apiv1.CertificateManager
StoreCertificate(req *apiv1.StoreCertificateRequest) error
}
// New initializes a new KMS from the given type. // New initializes a new KMS from the given type.
func New(ctx context.Context, opts apiv1.Options) (KeyManager, error) { func New(ctx context.Context, opts apiv1.Options) (KeyManager, error) {
@ -33,14 +21,14 @@ func New(ctx context.Context, opts apiv1.Options) (KeyManager, error) {
return nil, err return nil, err
} }
switch apiv1.Type(strings.ToLower(opts.Type)) { t := apiv1.Type(strings.ToLower(opts.Type))
case apiv1.DefaultKMS, apiv1.SoftKMS: if t == apiv1.DefaultKMS {
return softkms.New(ctx, opts) t = apiv1.SoftKMS
case apiv1.CloudKMS: }
return cloudkms.New(ctx, opts)
case apiv1.YubiKey: fn, ok := apiv1.LoadKeyManagerNewFunc(t)
return yubikey.New(ctx, opts) if !ok {
default:
return nil, errors.Errorf("unsupported kms type '%s'", opts.Type) return nil, errors.Errorf("unsupported kms type '%s'", opts.Type)
} }
return fn(ctx, opts)
} }

View file

@ -52,6 +52,12 @@ func New(ctx context.Context, opts apiv1.Options) (*SoftKMS, error) {
return &SoftKMS{}, nil return &SoftKMS{}, nil
} }
func init() {
apiv1.Register(apiv1.SoftKMS, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
return New(ctx, opts)
})
}
// Close is a noop that just returns nil. // Close is a noop that just returns nil.
func (k *SoftKMS) Close() error { func (k *SoftKMS) Close() error {
return nil return nil

View file

@ -42,6 +42,12 @@ func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) {
}, nil }, nil
} }
func init() {
apiv1.Register(apiv1.YubiKey, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
return New(ctx, opts)
})
}
// LoadCertificate implements kms.CertificateManager and loads a certificate // LoadCertificate implements kms.CertificateManager and loads a certificate
// from the YubiKey. // from the YubiKey.
func (k *YubiKey) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error) { func (k *YubiKey) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error) {

View file

@ -4,47 +4,16 @@ package yubikey
import ( import (
"context" "context"
"crypto" "os"
"crypto/x509" "path/filepath"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/kms/apiv1" "github.com/smallstep/certificates/kms/apiv1"
) )
// YubiKey implements the KMS interface on a YubiKey. func init() {
type YubiKey struct{} apiv1.Register(apiv1.YubiKey, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
name := filepath.Base(os.Args[0])
// New always fails without CGO. return nil, errors.Errorf("unsupported kms type 'yubikey': %s is compiled without cgo support", name)
func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) { })
return nil, errors.New("YubiKey is not supported without cgo")
}
// LoadCertificate always fails without CGO.
func (k *YubiKey) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error) {
return nil, errors.New("YubiKey is not supported without cgo")
}
// StoreCertificate always fails without CGO.
func (k *YubiKey) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
return errors.New("YubiKey is not supported without cgo")
}
// GetPublicKey always fails without CGO.
func (k *YubiKey) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error) {
return nil, errors.New("YubiKey is not supported without cgo")
}
// CreateKey always fails without CGO.
func (k *YubiKey) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) {
return nil, errors.New("YubiKey is not supported without cgo")
}
// CreateSigner always fails without CGO.
func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error) {
return nil, errors.New("YubiKey is not supported without cgo")
}
// Close always fails without CGO.
func (k *YubiKey) Close() error {
return errors.New("YubiKey is not supported without cgo")
} }