package provisioner
import (
"context"
"crypto/x509"
"github.com/pkg/errors"
)
// ACME is the provisioner type that authorizes certificate requests made
// through the ACME provisioning flow.
type ACME struct {
	// Type is the provisioner type string taken from the configuration.
	// Init rejects an empty value but does not compare it with anything.
	Type string `json:"type"`
	// Name identifies this provisioner. It is the suffix of the ID returned
	// by GetID and is passed to newProvisionerExtensionOption in
	// AuthorizeSign.
	Name string `json:"name"`
	// Claims are the optional per-provisioner claims. Init hands them to
	// NewClaimer together with the global config.Claims.
	Claims *Claims `json:"claims,omitempty"`
	// claimer is assigned by Init. AuthorizeSign and AuthorizeRenewal call
	// methods on it, so Init has to run before either of them.
	claimer *Claimer
}
// GetID returns the unique identifier of the provisioner, which is the
// provisioner name prefixed with "acme/".
//
// Unlike the other methods of ACME this one has a value receiver, so it is
// part of the method set of both ACME and *ACME.
func (p ACME) GetID() string {
	const prefix = "acme/"
	return prefix + p.Name
}
// GetTokenID always fails for the ACME provisioner: the ott argument is
// ignored and the method returns an empty identifier together with an error
// stating that GetTokenID is not implemented.
func (p *ACME) GetTokenID(ott string) (string, error) {
	err := errors.New("acme provisioner does not implement GetTokenID")
	return "", err
}
// GetName returns the configured name of the provisioner, without the
// "acme/" prefix that GetID adds.
func (p *ACME) GetName() string {
	name := p.Name
	return name
}
// GetType reports the provisioner kind. It always returns TypeACME and does
// not consult the Type string field of the struct.
func (p *ACME) GetType() Type {
	var kind Type = TypeACME
	return kind
}
// GetEncryptedKey reports that the ACME provisioner has no encrypted key: it
// always returns two empty strings and false.
func (p *ACME) GetEncryptedKey() (string, string, bool) {
	var empty string
	return empty, empty, false
}
// Init validates the fields of an ACME provisioner and prepares it for use.
//
// It returns an error when Type or Name is empty. Otherwise it builds the
// claimer from the provisioner's own Claims and the global config.Claims and
// returns whatever error NewClaimer reports.
//
// NOTE(review): Type is only checked for emptiness here; nothing in this
// method compares it with the expected ACME type name. Confirm that the
// loader rejects a mismatched type before Init is reached.
func (p *ACME) Init(config Config) (err error) {
	if p.Type == "" {
		return errors.New("provisioner type cannot be empty")
	}
	if p.Name == "" {
		return errors.New("provisioner name cannot be empty")
	}

	// Combine the provisioner claims with the global ones. The result is
	// stored even when NewClaimer fails, exactly as a direct assignment to
	// p.claimer would do.
	claimer, err := NewClaimer(p.Claims, config.Claims)
	p.claimer = claimer
	return err
}
// AuthorizeRevoke is not implemented yet for the ACME provisioner.
//
// The method performs no check at all: token is ignored and the result is
// always nil, so every revocation request that reaches this provisioner is
// reported as authorized.
//
// NOTE(review): this fails open, whereas GetTokenID reports "not implemented"
// with an error. Confirm that callers enforce revocation authorization for
// ACME somewhere else, or make this method return an error until a real
// check exists.
func (p *ACME) AuthorizeRevoke(token string) error {
	var err error // stays nil: no revocation check is performed
	return err
}
// AuthorizeSign returns the sign options that apply to certificates issued
// through this provisioner.
//
// The token argument is ignored; no token is validated here. The only check
// is that the method stored in ctx is SignMethod, otherwise an error is
// returned. The returned options carry the provisioner extension, the default
// TLS certificate duration, the default public key validator and a validity
// validator bounded by the claimer's minimum and maximum TLS durations.
//
// NOTE(review): p.claimer is assigned by Init; this method assumes Init has
// already succeeded and does not guard against a nil claimer.
func (p *ACME) AuthorizeSign(ctx context.Context, _ string) ([]SignOption, error) {
	method := MethodFromContext(ctx)
	if method != SignMethod {
		return nil, errors.Errorf("unexpected method type %d in context", method)
	}

	claims := p.claimer
	opts := []SignOption{
		// Options that modify the certificate being issued.
		newProvisionerExtensionOption(TypeACME, p.Name, ""),
		profileDefaultDuration(claims.DefaultTLSCertDuration()),
		// Options that validate the request.
		defaultPublicKeyValidator{},
		newValidityValidator(claims.MinTLSCertDuration(), claims.MaxTLSCertDuration()),
	}
	return opts, nil
}
// AuthorizeRenewal decides whether a certificate may be renewed through this
// provisioner.
//
// The decision depends only on the claimer: when IsDisableRenewal reports
// true an error naming the provisioner ID is returned, otherwise nil. The
// cert argument is not inspected.
//
// NOTE(review): p.claimer is assigned by Init; this method assumes Init has
// already succeeded and does not guard against a nil claimer.
func (p *ACME) AuthorizeRenewal(cert *x509.Certificate) error {
	if !p.claimer.IsDisableRenewal() {
		return nil
	}
	return errors.Errorf("renew is disabled for provisioner %s", p.GetID())
}