package mgmt
import (
"context"
"fmt"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/config"
)
// DefaultAuthorityID is the default AuthorityID, the all-zero UUID. It is
// the ID of the first Authority created (see WithDefaultAuthorityID) and the
// AuthorityID assumed when the configuration does not name one.
const DefaultAuthorityID = "00000000-0000-0000-0000-000000000000"
// StatusType is the type for status.
type StatusType int

const (
	// StatusActive marks a record that is in use.
	StatusActive StatusType = iota
	// StatusDeleted marks a record that has been deleted.
	StatusDeleted
)

// String returns the lower-case name of st. Values outside the known set
// yield a "status N not found" message rather than panicking, so an
// unexpected value is still printable in logs.
func (st StatusType) String() string {
	if st == StatusActive {
		return "active"
	}
	if st == StatusDeleted {
		return "deleted"
	}
	// %d formats the underlying int and does not call String(), so this
	// fallback cannot recurse.
	return fmt.Sprintf("status %d not found", st)
}
// Claims encapsulates all x509 and ssh claims applied to the authority
// configuration. E.g. maxTLSCertDuration, defaultSSHCertDuration, etc.
//
// NewDefaultClaims builds the value a fresh authority starts with.
type Claims struct {
	// X509 carries the duration limits for x509 certificates.
	X509 *X509Claims `json:"x509Claims"`
	// SSH carries the duration limits for ssh user and host certificates.
	SSH *SSHClaims `json:"sshClaims"`
	// DisableRenewal is the authority-wide renewal-disable flag; the default
	// comes from config.DefaultDisableRenewal.
	DisableRenewal bool `json:"disableRenewal"`
}
// X509Claims are the x509 claims applied to the authority.
type X509Claims struct {
	// Durations bounds the lifetime of issued x509 certificates; by default
	// it is filled from the *TLSDur fields of config.GlobalProvisionerClaims.
	Durations *Durations `json:"durations"`
}
// SSHClaims are the ssh claims applied to the authority.
type SSHClaims struct {
	// Enabled reports whether ssh certificate issuance is turned on.
	// NewDefaultClaims does not set it, so a default authority starts with
	// ssh disabled.
	Enabled bool `json:"enabled"`
	// UserDurations bounds the lifetime of ssh user certificates.
	UserDurations *Durations `json:"userDurations"`
	// HostDurations bounds the lifetime of ssh host certificates.
	HostDurations *Durations `json:"hostDurations"`
}
// Durations represents min, max, default, duration.
//
// All three are stored as strings. NewDefaultClaims fills them from the
// String() form of the global provisioner claim durations; whatever parses
// them on the way back in must accept that format — verify against the
// consumer.
type Durations struct {
	// Min is the shortest lifetime a certificate may be issued with.
	Min string `json:"min"`
	// Max is the longest lifetime a certificate may be issued with.
	Max string `json:"max"`
	// Default is the lifetime used when a request does not specify one.
	Default string `json:"default"`
}
// NewDefaultClaims builds the Claims a new authority starts with. Every
// duration is copied from config.GlobalProvisionerClaims in its String()
// form and the renewal flag from config.DefaultDisableRenewal. SSH.Enabled is
// left at its zero value (false).
func NewDefaultClaims() *Claims {
	tls := &Durations{
		Min:     config.GlobalProvisionerClaims.MinTLSDur.String(),
		Max:     config.GlobalProvisionerClaims.MaxTLSDur.String(),
		Default: config.GlobalProvisionerClaims.DefaultTLSDur.String(),
	}
	userSSH := &Durations{
		Min:     config.GlobalProvisionerClaims.MinUserSSHDur.String(),
		Max:     config.GlobalProvisionerClaims.MaxUserSSHDur.String(),
		Default: config.GlobalProvisionerClaims.DefaultUserSSHDur.String(),
	}
	hostSSH := &Durations{
		Min:     config.GlobalProvisionerClaims.MinHostSSHDur.String(),
		Max:     config.GlobalProvisionerClaims.MaxHostSSHDur.String(),
		Default: config.GlobalProvisionerClaims.DefaultHostSSHDur.String(),
	}

	return &Claims{
		X509: &X509Claims{Durations: tls},
		SSH: &SSHClaims{
			UserDurations: userSSH,
			HostDurations: hostSSH,
		},
		DisableRenewal: config.DefaultDisableRenewal,
	}
}
// AuthorityOption mutates an AuthConfig before CreateAuthority persists it.
// A non-nil error aborts creation before anything is written to the DB.
type AuthorityOption func(*AuthConfig) error

// WithDefaultAuthorityID is an AuthorityOption that assigns DefaultAuthorityID
// (the all-zero UUID) as the config's ID. It never returns an error.
func WithDefaultAuthorityID(ac *AuthConfig) error {
	ac.ID = DefaultAuthorityID
	return nil
}
// CreateDefaultAuthority creates and persists an authority whose ID is
// DefaultAuthorityID. It is CreateAuthority with the WithDefaultAuthorityID
// option and nothing else, so it also bootstraps the first provisioner and
// admin.
func CreateDefaultAuthority(ctx context.Context, db DB) (*AuthConfig, error) {
	return CreateAuthority(ctx, db, WithDefaultAuthorityID)
}
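// CreateAuthority creates a new AuthConfig, applies the given options to it,
// persists it through db, and then bootstraps the authority with a first JWK
// provisioner and a first admin bound to that provisioner.
//
// The bootstrap provisioner is created with the placeholder name "changeme"
// and password "pass", and the first admin with the subject "Change Me".
// These are well-known defaults, not secrets; they exist so the authority is
// usable immediately and are meant to be replaced once it is reachable.
//
// It returns the AuthConfig with Provisioners and Admins populated. On any
// failure it returns a nil config and a wrapped error. Records already
// written before the failure (the authConfig, then the provisioner) are not
// rolled back.
func CreateAuthority(ctx context.Context, db DB, options ...AuthorityOption) (*AuthConfig, error) {
	ac := NewDefaultAuthConfig()

	// Options run before anything is persisted, so a failing option leaves
	// no trace in the DB.
	for _, o := range options {
		if err := o(ac); err != nil {
			return nil, err
		}
	}

	if err := db.CreateAuthConfig(ctx, ac); err != nil {
		return nil, errors.Wrap(err, "error creating authConfig")
	}

	// Generate default JWK provisioner. "pass" is the placeholder password
	// handed to CreateProvisioner through WithPassword.
	provOpts := []ProvisionerOption{WithPassword("pass")}
	prov, err := CreateProvisioner(ctx, db, "JWK", "changeme", provOpts...)
	if err != nil {
		// TODO should we try to clean up? The authConfig row already exists.
		return nil, WrapErrorISE(err, "error creating first provisioner")
	}

	// The first admin is tied to the bootstrap provisioner; the trailing true
	// presumably marks it as a super admin — confirm against CreateAdmin.
	admin, err := CreateAdmin(ctx, db, "Change Me", prov.ID, true)
	if err != nil {
		// TODO should we try to clean up? The authConfig and provisioner
		// already exist. The message names the admin step; it previously
		// repeated "first provisioner" and pointed operators at the wrong
		// call.
		return nil, WrapErrorISE(err, "error creating first admin")
	}

	ac.Provisioners = []*Provisioner{prov}
	ac.Admins = []*Admin{admin}

	return ac, nil
}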