forked from smallstep/cli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bootstrap.go
126 lines (107 loc) · 3.4 KB
/
bootstrap.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
package ca
import (
"encoding/json"
"os"
"path/filepath"
"github.com/pkg/errors"
"github.com/smallstep/certificates/ca"
"github.com/smallstep/cli/command"
"github.com/smallstep/cli/config"
"github.com/smallstep/cli/crypto/pemutil"
"github.com/smallstep/cli/crypto/pki"
"github.com/smallstep/cli/errs"
"github.com/smallstep/cli/flags"
"github.com/smallstep/cli/ui"
"github.com/smallstep/cli/utils"
"github.com/smallstep/truststore"
"github.com/urfave/cli"
)
func bootstrapCommand() cli.Command {
return cli.Command{
Name: "bootstrap",
Action: command.ActionFunc(bootstrapAction),
Usage: "initialize the environment to use the CA commands",
UsageText: `**step ca bootstrap** [**--ca-url**=<uri>] [**--fingerprint**=<fingerprint>] [**--install**]`,
Description: `**step ca bootstrap** downloads the root certificate from the certificate
authority and sets up the current environment to use it.
Bootstrap will store the root certificate in <$STEPPATH/certs/root_ca.crt> and
create a configuration file in <$STEPPATH/configs/defaults.json> with the CA
url, the root certificate location and its fingerprint.
After the bootstrap, ca commands do not need to specify the flags
--ca-url, --root or --fingerprint if we want to use the same environment.`,
Flags: []cli.Flag{
caURLFlag,
fingerprintFlag,
cli.BoolFlag{
Name: "install",
Usage: "Install the root certificate into the system truststore.",
},
flags.Force},
}
}
type bootstrapConfig struct {
CA string `json:"ca-url"`
Fingerprint string `json:"fingerprint"`
Root string `json:"root"`
}
func bootstrapAction(ctx *cli.Context) error {
caURL := ctx.String("ca-url")
fingerprint := ctx.String("fingerprint")
rootFile := pki.GetRootCAPath()
configFile := filepath.Join(config.StepPath(), "config", "defaults.json")
switch {
case len(caURL) == 0:
return errs.RequiredFlag(ctx, "ca-url")
case len(fingerprint) == 0:
return errs.RequiredFlag(ctx, "fingerprint")
}
tr := getInsecureTransport()
client, err := ca.NewClient(caURL, ca.WithTransport(tr))
if err != nil {
return err
}
// Root already validates the certificate
resp, err := client.Root(fingerprint)
if err != nil {
return errors.Wrap(err, "error downloading root certificate")
}
if err := os.MkdirAll(filepath.Dir(rootFile), 0700); err != nil {
return errs.FileError(err, rootFile)
}
if err := os.MkdirAll(filepath.Dir(configFile), 0700); err != nil {
return errs.FileError(err, configFile)
}
// Serialize root
_, err = pemutil.Serialize(resp.RootPEM.Certificate, pemutil.ToFile(rootFile, 0600))
if err != nil {
return err
}
ui.Printf("The root certificate has been saved in %s.\n", rootFile)
// make sure to store the url with https
caURL, err = completeURL(caURL)
if err != nil {
return err
}
// Serialize defaults.json
b, err := json.MarshalIndent(bootstrapConfig{
CA: caURL,
Fingerprint: fingerprint,
Root: pki.GetRootCAPath(),
}, "", " ")
if err != nil {
return errors.Wrap(err, "error marshaling defaults.json")
}
if err := utils.WriteFile(configFile, b, 0644); err != nil {
return err
}
ui.Printf("Your configuration has been saved in %s.\n", configFile)
if ctx.Bool("install") {
ui.Printf("Installing the root certificate in the system truststore... ")
if err := truststore.InstallFile(rootFile); err != nil {
ui.Println()
return err
}
ui.Println("done.")
}
return nil
}