Fix PR comments
parent
49718f1bbb
commit
fd38dd34f9
2 changed files with 28 additions and 40 deletions
@ -633,23 +633,11 @@ func (a *Authority) init() error {
|
||||||
|
|
||||||
c := a.config
|
c := a.config
|
||||||
if c.WasLoadedFromFile() {
|
if c.WasLoadedFromFile() {
|
||||||
// TODO(hs): check if prerequisites for writing files look OK (user/group, permission bits, etc) as
|
// The provisioners in the configuration file can be deleted from
|
||||||
// extra safety check before trying to write at all?
|
// the file by editing it. Automatic rewriting of the file was considered
|
||||||
|
// to be too surprising for users and not the right solution for all
|
||||||
// Remove the existing provisioners from the authority configuration
|
// use cases, so we leave it up to users to this themselves.
|
||||||
// and commit it to the existing configuration file. NOTE: committing
|
a.initLogf("Provisioners that were migrated can now be removed from `ca.json` by editing it.")
|
||||||
// the configuration at this point also writes other properties that
|
|
||||||
// have been initialized with default values, such as the `backdate` and
|
|
||||||
// `template` settings in the `authority`.
|
|
||||||
oldProvisioners := c.AuthorityConfig.Provisioners
|
|
||||||
c.AuthorityConfig.Provisioners = []provisioner.Interface{}
|
|
||||||
if err := c.Commit(); err != nil {
|
|
||||||
// Restore the provisioners in in-memory representation for consistency
|
|
||||||
// when writing the updated configuration fails. This is considered a soft
|
|
||||||
// error, so execution can continue.
|
|
||||||
c.AuthorityConfig.Provisioners = oldProvisioners
|
|
||||||
a.initLogf("Failed removing provisioners from configuration: %v", err)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
a.initLogf("Finished migrating provisioners")
|
a.initLogf("Finished migrating provisioners")
|
||||||
|
@ -673,16 +661,16 @@ func (a *Authority) init() error {
|
||||||
// case if `step` isn't allowed to be signed by Name Constraints or the X.509 policy.
|
// case if `step` isn't allowed to be signed by Name Constraints or the X.509 policy.
|
||||||
// We have protection for that when creating and updating a policy, but if a policy or
|
// We have protection for that when creating and updating a policy, but if a policy or
|
||||||
// Name Constraints are in use at the time of migration, that could lock the user out.
|
// Name Constraints are in use at the time of migration, that could lock the user out.
|
||||||
firstSuperAdminSubject := "step"
|
superAdminSubject := "step"
|
||||||
if err := a.adminDB.CreateAdmin(ctx, &linkedca.Admin{
|
if err := a.adminDB.CreateAdmin(ctx, &linkedca.Admin{
|
||||||
ProvisionerId: firstJWKProvisioner.Id,
|
ProvisionerId: firstJWKProvisioner.Id,
|
||||||
Subject: firstSuperAdminSubject,
|
Subject: superAdminSubject,
|
||||||
Type: linkedca.Admin_SUPER_ADMIN,
|
Type: linkedca.Admin_SUPER_ADMIN,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return admin.WrapErrorISE(err, "error creating first admin")
|
return admin.WrapErrorISE(err, "error creating first admin")
|
||||||
}
|
}
|
||||||
|
|
||||||
a.initLogf("Created super admin %q for JWK provisioner %q", firstSuperAdminSubject, firstJWKProvisioner.GetName())
|
a.initLogf("Created super admin %q for JWK provisioner %q", superAdminSubject, firstJWKProvisioner.GetName())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
40
pki/pki.go
40
pki/pki.go
|
@ -175,19 +175,19 @@ func GetProvisionerKey(caURL, rootFile, kid string) (string, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
type options struct {
|
type options struct {
|
||||||
provisioner string
|
provisioner string
|
||||||
firstSuperAdminSubject string
|
superAdminSubject string
|
||||||
pkiOnly bool
|
pkiOnly bool
|
||||||
enableACME bool
|
enableACME bool
|
||||||
enableSSH bool
|
enableSSH bool
|
||||||
enableAdmin bool
|
enableAdmin bool
|
||||||
noDB bool
|
noDB bool
|
||||||
isHelm bool
|
isHelm bool
|
||||||
deploymentType DeploymentType
|
deploymentType DeploymentType
|
||||||
rootKeyURI string
|
rootKeyURI string
|
||||||
intermediateKeyURI string
|
intermediateKeyURI string
|
||||||
hostKeyURI string
|
hostKeyURI string
|
||||||
userKeyURI string
|
userKeyURI string
|
||||||
}
|
}
|
||||||
|
|
||||||
// Option is the type of a configuration option on the pki constructor.
|
// Option is the type of a configuration option on the pki constructor.
|
||||||
|
@ -221,12 +221,12 @@ func WithProvisioner(s string) Option {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithFirstSuperAdminSubject defines the subject of the first
|
// WithSuperAdminSubject defines the subject of the first
|
||||||
// super admin for use with the Admin API. The admin will belong
|
// super admin for use with the Admin API. The admin will belong
|
||||||
// to the first JWK provisioner.
|
// to the first JWK provisioner.
|
||||||
func WithFirstSuperAdminSubject(s string) Option {
|
func WithSuperAdminSubject(s string) Option {
|
||||||
return func(p *PKI) {
|
return func(p *PKI) {
|
||||||
p.options.firstSuperAdminSubject = s
|
p.options.superAdminSubject = s
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -924,13 +924,13 @@ func (p *PKI) GenerateConfig(opt ...ConfigOption) (*authconfig.Config, error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// Add the first provisioner as an admin.
|
// Add the first provisioner as an admin.
|
||||||
firstSuperAdminSubject := "step"
|
superAdminSubject := "step"
|
||||||
if p.options.firstSuperAdminSubject != "" {
|
if p.options.superAdminSubject != "" {
|
||||||
firstSuperAdminSubject = p.options.firstSuperAdminSubject
|
superAdminSubject = p.options.superAdminSubject
|
||||||
}
|
}
|
||||||
if err := adminDB.CreateAdmin(context.Background(), &linkedca.Admin{
|
if err := adminDB.CreateAdmin(context.Background(), &linkedca.Admin{
|
||||||
AuthorityId: admin.DefaultAuthorityID,
|
AuthorityId: admin.DefaultAuthorityID,
|
||||||
Subject: firstSuperAdminSubject,
|
Subject: superAdminSubject,
|
||||||
Type: linkedca.Admin_SUPER_ADMIN,
|
Type: linkedca.Admin_SUPER_ADMIN,
|
||||||
ProvisionerId: adminID,
|
ProvisionerId: adminID,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
|
|
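Review bot: The fallback at `if p.options.superAdminSubject != ""` only rejects the empty string, so a whitespace-only value handed to `WithSuperAdminSubject` is accepted verbatim as the subject of the SUPER_ADMIN record created a few lines below; consider `if s := strings.TrimSpace(p.options.superAdminSubject); s != "" { superAdminSubject = s }` (assuming `strings` is already imported in pki.go, which these hunks do not show). The doc comment on `WithSuperAdminSubject` should also spell out what an unset option means, e.g. `// An empty subject is ignored and the default "step" is used.`, since that behaviour is only visible inside GenerateConfig. Because this subject is the identity the authority's first admin must authenticate as, a sentence noting that it has to be a name the JWK provisioner can actually issue a certificate for would help callers avoid locking themselves out of the Admin API, the same risk the authority.go hunk describes for name constraints and policies. GenerateConfig starts and ends outside the hunk.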