certificates/commands/onboard.go
Mariano Cano 23b8f45b37 Address gosec warnings
Most if not all false positives
2022-08-18 17:46:20 -07:00

227 lines
5.6 KiB
Go

package commands
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/url"
"os"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/config"
"github.com/smallstep/certificates/ca"
"github.com/smallstep/certificates/cas/apiv1"
"github.com/smallstep/certificates/pki"
"github.com/urfave/cli"
"go.step.sm/cli-utils/command"
"go.step.sm/cli-utils/errs"
"go.step.sm/cli-utils/fileutil"
"go.step.sm/cli-utils/ui"
"go.step.sm/crypto/randutil"
)
// defaultOnboardingURL is the production onboarding url, to use a development
// url use:
//
// export STEP_CA_ONBOARDING_URL=http://localhost:3002/onboarding/
const defaultOnboardingURL = "https://api.smallstep.com/onboarding/"
type onboardingConfiguration struct {
Name string `json:"name"`
DNS string `json:"dns"`
Address string `json:"address"`
password []byte
}
type onboardingPayload struct {
Fingerprint string `json:"fingerprint"`
}
type onboardingError struct {
StatusCode int `json:"statusCode"`
Message string `json:"message"`
}
func (e onboardingError) Error() string {
return e.Message
}
func init() {
command.Register(cli.Command{
Name: "onboard",
Usage: "configure and run step-ca from the onboarding guide",
UsageText: "**step-ca onboard** <token>",
Action: onboardAction,
Description: `**step-ca onboard** configures step certificates using the onboarding guide.
Open https://smallstep.com/onboarding in your browser and start the CA with the
given token:
'''
$ step-ca onboard <token>
'''
## POSITIONAL ARGUMENTS
<token>
: The token string provided by the onboarding guide.`,
})
}
func onboardAction(ctx *cli.Context) error {
if ctx.NArg() == 0 {
return cli.ShowCommandHelp(ctx, "onboard")
}
if err := errs.NumberOfArguments(ctx, 1); err != nil {
return err
}
// Get onboarding url
onboarding := defaultOnboardingURL
if v := os.Getenv("STEP_CA_ONBOARDING_URL"); v != "" {
onboarding = v
}
u, err := url.Parse(onboarding)
if err != nil {
return errors.Wrapf(err, "error parsing %s", onboarding)
}
ui.Println("Connecting to onboarding guide...")
token := ctx.Args().Get(0)
onboardingURL := u.ResolveReference(&url.URL{Path: token}).String()
// nolint:gosec // onboarding url
res, err := http.Get(onboardingURL)
if err != nil {
return errors.Wrap(err, "error connecting onboarding guide")
}
if res.StatusCode >= 400 {
var msg onboardingError
if err := readJSON(res.Body, &msg); err != nil {
return errors.Wrap(err, "error unmarshaling response")
}
return errors.Wrap(msg, "error receiving onboarding guide")
}
var cfg onboardingConfiguration
if err := readJSON(res.Body, &cfg); err != nil {
return errors.Wrap(err, "error unmarshaling response")
}
password, err := randutil.ASCII(32)
if err != nil {
return err
}
cfg.password = []byte(password)
ui.Println("Initializing step-ca with the following configuration:")
ui.PrintSelected("Name", cfg.Name)
ui.PrintSelected("DNS", cfg.DNS)
ui.PrintSelected("Address", cfg.Address)
ui.PrintSelected("Password", password)
ui.Println()
caConfig, fp, err := onboardPKI(cfg)
if err != nil {
return err
}
payload, err := json.Marshal(onboardingPayload{Fingerprint: fp})
if err != nil {
return errors.Wrap(err, "error marshaling payload")
}
// nolint:gosec // onboarding url
resp, err := http.Post(onboardingURL, "application/json", bytes.NewBuffer(payload))
if err != nil {
return errors.Wrap(err, "error connecting onboarding guide")
}
if resp.StatusCode >= 400 {
var msg onboardingError
if err := readJSON(resp.Body, &msg); err != nil {
ui.Printf("%s {{ \"error unmarshalling response: %v\" | yellow }}\n", ui.IconWarn, err)
} else {
ui.Printf("%s {{ \"error posting fingerprint: %s\" | yellow }}\n", ui.IconWarn, msg.Message)
}
} else {
resp.Body.Close()
}
ui.Println("Initialized!")
ui.Println("Step CA is starting. Please return to the onboarding guide in your browser to continue.")
srv, err := ca.New(caConfig, ca.WithPassword(cfg.password))
if err != nil {
fatal(err)
}
go ca.StopReloaderHandler(srv)
if err := srv.Run(); err != nil && err != http.ErrServerClosed {
fatal(err)
}
return nil
}
func onboardPKI(cfg onboardingConfiguration) (*config.Config, string, error) {
var opts = []pki.Option{
pki.WithAddress(cfg.Address),
pki.WithDNSNames([]string{cfg.DNS}),
pki.WithProvisioner("admin"),
}
p, err := pki.New(apiv1.Options{
Type: apiv1.SoftCAS,
IsCreator: true,
}, opts...)
if err != nil {
return nil, "", err
}
// Generate pki
ui.Println("Generating root certificate...")
root, err := p.GenerateRootCertificate(cfg.Name, cfg.Name, cfg.Name, cfg.password)
if err != nil {
return nil, "", err
}
ui.Println("Generating intermediate certificate...")
err = p.GenerateIntermediateCertificate(cfg.Name, cfg.Name, cfg.Name, root, cfg.password)
if err != nil {
return nil, "", err
}
// Write files to disk
if err := p.WriteFiles(); err != nil {
return nil, "", err
}
// Generate provisioner
ui.Println("Generating admin provisioner...")
if err := p.GenerateKeyPairs(cfg.password); err != nil {
return nil, "", err
}
// Generate and write configuration
caConfig, err := p.GenerateConfig()
if err != nil {
return nil, "", err
}
b, err := json.MarshalIndent(caConfig, "", " ")
if err != nil {
return nil, "", errors.Wrapf(err, "error marshaling %s", p.GetCAConfigPath())
}
if err := fileutil.WriteFile(p.GetCAConfigPath(), b, 0666); err != nil {
return nil, "", errs.FileError(err, p.GetCAConfigPath())
}
return caConfig, p.GetRootFingerprint(), nil
}
func readJSON(r io.ReadCloser, v interface{}) error {
defer r.Close()
return json.NewDecoder(r).Decode(v)
}