forked from gravitational/teleport
-
Notifications
You must be signed in to change notification settings - Fork 0
/
trust.go
102 lines (93 loc) · 2.91 KB
/
trust.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
package local
import (
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/trace"
)
// CA is local implementation of Trust service that
// is using local backend
type CA struct {
backend.Backend
}
// NewCAService returns new instance of CAService
func NewCAService(backend backend.Backend) *CA {
return &CA{
Backend: backend,
}
}
// DeleteAllCertAuthorities deletes all certificate authorities of a certain type
func (s *CA) DeleteAllCertAuthorities(caType services.CertAuthType) error {
return s.DeleteBucket([]string{"authorities"}, string(caType))
}
// UpsertCertAuthority updates or inserts a new certificate authority
func (s *CA) UpsertCertAuthority(ca services.CertAuthority) error {
if err := ca.Check(); err != nil {
return trace.Wrap(err)
}
data, err := services.GetCertAuthorityMarshaler().MarshalCertAuthority(ca)
if err != nil {
return trace.Wrap(err)
}
ttl := backend.TTL(s.Clock(), ca.GetMetadata().Expires)
err = s.UpsertVal([]string{"authorities", string(ca.GetType())}, ca.GetName(), data, ttl)
if err != nil {
return trace.Wrap(err)
}
return nil
}
// DeleteCertAuthority deletes particular certificate authority
func (s *CA) DeleteCertAuthority(id services.CertAuthID) error {
if err := id.Check(); err != nil {
return trace.Wrap(err)
}
err := s.DeleteKey([]string{"authorities", string(id.Type)}, id.DomainName)
if err != nil {
return trace.Wrap(err)
}
return nil
}
// GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys
// controls if signing keys are loaded
func (s *CA) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool) (services.CertAuthority, error) {
if err := id.Check(); err != nil {
return nil, trace.Wrap(err)
}
data, err := s.GetVal([]string{"authorities", string(id.Type)}, id.DomainName)
if err != nil {
return nil, trace.Wrap(err)
}
ca, err := services.GetCertAuthorityMarshaler().UnmarshalCertAuthority(data)
if err != nil {
return nil, trace.Wrap(err)
}
if err := ca.Check(); err != nil {
return nil, trace.Wrap(err)
}
if !loadSigningKeys {
ca.SetSigningKeys(nil)
}
return ca, nil
}
// GetCertAuthorities returns a list of authorities of a given type
// loadSigningKeys controls whether signing keys should be loaded or not
func (s *CA) GetCertAuthorities(caType services.CertAuthType, loadSigningKeys bool) ([]services.CertAuthority, error) {
cas := []services.CertAuthority{}
if err := caType.Check(); err != nil {
return nil, trace.Wrap(err)
}
domains, err := s.GetKeys([]string{"authorities", string(caType)})
if err != nil {
if trace.IsNotFound(err) {
return cas, nil
}
return nil, trace.Wrap(err)
}
for _, domain := range domains {
ca, err := s.GetCertAuthority(services.CertAuthID{DomainName: domain, Type: caType}, loadSigningKeys)
if err != nil {
return nil, trace.Wrap(err)
}
cas = append(cas, ca)
}
return cas, nil
}