forked from smallstep/cli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
add.go
303 lines (270 loc) 路 8.55 KB
/
add.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
package provisioner
import (
"net/url"
"strings"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/cli/errs"
"github.com/smallstep/cli/flags"
"github.com/smallstep/cli/jose"
"github.com/smallstep/cli/ui"
"github.com/smallstep/cli/utils"
"github.com/urfave/cli"
)
const (
jwkType = "JWK"
oidcType = "OIDC"
)
func addCommand() cli.Command {
return cli.Command{
Name: "add",
Action: cli.ActionFunc(addAction),
Usage: "add one or more provisioners the CA configuration",
UsageText: `**step ca provisioner add** <name> <jwk-file> [<jwk-file> ...]
[**--ca-config**=<file>] [**--create**] [**--password-file**=<file>]`,
Flags: []cli.Flag{
cli.StringFlag{
Name: "ca-config",
Usage: "The <file> containing the CA configuration.",
},
cli.StringFlag{
Name: "type",
Value: jwkType,
Usage: `The <type> of provisioner to create. Type is a case-insensitive string
and must be one of:
**JWK**
: Uses an JWK key pair to sign bootstrap tokens. (default)
**OIDC**
: Uses an OpenID Connect provider to sign bootstrap tokens.
`,
},
cli.BoolFlag{
Name: "create",
Usage: `Create a new ECDSA key pair using curve P-256 and populate a new JWK
provisioner with it.`,
},
cli.StringFlag{
Name: "client-id",
Usage: `The <id> used to validate the audience in an OpenID Connect token.`,
},
cli.StringFlag{
Name: "client-secret",
Usage: `The <secret> used to obtain the OpenID Connect tokens.`,
},
cli.StringFlag{
Name: "configuration-endpoint",
Usage: `OpenID Connect configuration <url>.`,
},
cli.StringSliceFlag{
Name: "admin",
Usage: `The <email> of an admin user in an OpenID Connect provisioner, this user
will not have restrictions in the certificates to sign. Use the
'--admin' flag multiple times to configure multiple administrators.`,
},
cli.StringSliceFlag{
Name: "domain",
Usage: `The <domain> used to validate the email claim in an OpenID Connect provisioner.
Use the '--domain' flag multiple times to configure multiple domains.`,
},
flags.PasswordFile,
},
Description: `**step ca provisioner add** adds one or more provisioners
to the configuration and writes the new configuration back to the CA config.
## POSITIONAL ARGUMENTS
<name>
: The name of the provisioners, if a list of JWK files are passed, this name
will be linked to all the keys.
<jwk-path>
: List of private (or public) keys in JWK or PEM format.
## EXAMPLES
Add a single JWK provisioner:
'''
$ step ca provisioner add max@smallstep.com ./max-laptop.jwk --ca-config ca.json
'''
Add a single JWK provisioner using an auto-generated asymmetric key pair:
'''
$ step ca provisioner add max@smallstep.com --ca-config ca.json \
--create
'''
Add a list of provisioners for a single name:
'''
$ step ca provisioner add max@smallstep.com ./max-laptop.jwk ./max-phone.pem ./max-work.pem \
--ca-config ca.json
'''
Add a single OIDC provisioner:
'''
$ step ca provisioner add Google --type oidc --ca-config ca.json \
--client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \
--configuration-endpoint https://accounts.google.com/.well-known/openid-configuration
'''
Add an OIDC provisioner with two administrators:
'''
$ step ca provisioner add Google --type oidc --ca-config ca.json \
--client-id 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com \
--client-secret udTrOT3gzrO7W9fDPgZQLfYJ \
--configuration-endpoint https://accounts.google.com/.well-known/openid-configuration \
--admin mariano@smallstep.com --admin max@smallstep.com \
--domain smallstep.com
''' `,
}
}
func addAction(ctx *cli.Context) (err error) {
if ctx.NArg() < 1 {
return errs.TooFewArguments(ctx)
}
args := ctx.Args()
name := args[0]
config := ctx.String("ca-config")
if len(config) == 0 {
return errs.RequiredFlag(ctx, "ca-config")
}
c, err := authority.LoadConfiguration(config)
if err != nil {
return errors.Wrapf(err, "error loading configuration")
}
typ := strings.ToUpper(ctx.String("type"))
if typ != jwkType && typ != oidcType {
return errs.InvalidFlagValue(ctx, "type", typ, "JWK, OIDC")
}
provMap := make(map[string]bool)
for _, p := range c.AuthorityConfig.Provisioners {
provMap[p.GetID()] = true
}
var list provisioner.List
switch typ {
case jwkType:
if list, err = addJWKProvider(ctx, name, provMap); err != nil {
return err
}
case oidcType:
if list, err = addOIDCProvider(ctx, name, provMap); err != nil {
return err
}
default:
return errors.Errorf("unknown type %s: this should not happen", typ)
}
c.AuthorityConfig.Provisioners = append(c.AuthorityConfig.Provisioners, list...)
return c.Save(config)
}
func addJWKProvider(ctx *cli.Context, name string, provMap map[string]bool) (list provisioner.List, err error) {
var password string
if passwordFile := ctx.String("password-file"); len(passwordFile) > 0 {
password, err = utils.ReadStringPasswordFromFile(passwordFile)
if err != nil {
return nil, err
}
}
if ctx.Bool("create") {
if ctx.NArg() > 1 {
return nil, errs.IncompatibleFlag(ctx, "create", "<jwk-path> positional arg")
}
pass, err := ui.PromptPasswordGenerate("Please enter a password to encrypt the provisioner private key? [leave empty and we'll generate one]", ui.WithValue(password))
if err != nil {
return nil, err
}
jwk, jwe, err := jose.GenerateDefaultKeyPair(pass)
if err != nil {
return nil, err
}
encryptedKey, err := jwe.CompactSerialize()
if err != nil {
return nil, errors.Wrap(err, "error serializing private key")
}
// Create provisioner
p := &provisioner.JWK{
Type: jwkType,
Name: name,
Key: jwk,
EncryptedKey: encryptedKey,
}
// Check for duplicates
if _, ok := provMap[p.GetID()]; !ok {
provMap[p.GetID()] = true
} else {
return nil, errors.Errorf("duplicated provisioner: CA config already contains a provisioner with name=%s and kid=%s", name, jwk.KeyID)
}
list = append(list, p)
return list, nil
}
// Add multiple provisioners using JWK files.
if ctx.NArg() < 2 {
return nil, errs.TooFewArguments(ctx)
}
jwkFiles := ctx.Args()[1:]
for _, filename := range jwkFiles {
jwk, err := jose.ParseKey(filename)
if err != nil {
return nil, errs.FileError(err, filename)
}
// Only use asymmetric cryptography
if _, ok := jwk.Key.([]byte); ok {
return nil, errors.New("invalid JWK: a symmetric key cannot be used as a provisioner")
}
// Create kid if not present
if len(jwk.KeyID) == 0 {
jwk.KeyID, err = jose.Thumbprint(jwk)
if err != nil {
return nil, err
}
}
key := jwk.Public()
// Initialize provisioner and check for duplicates
p := &provisioner.JWK{
Type: jwkType,
Name: name,
Key: &key,
}
if _, ok := provMap[p.GetID()]; !ok {
provMap[p.GetID()] = true
} else {
return nil, errors.Errorf("duplicated provisioner: CA config already contains a provisioner with name=%s and kid=%s", name, jwk.KeyID)
}
// Encrypt JWK
if !jwk.IsPublic() {
jwe, err := jose.EncryptJWK(jwk)
if err != nil {
return nil, err
}
encryptedKey, err := jwe.CompactSerialize()
if err != nil {
return nil, errors.Wrap(err, "error serializing private key")
}
p.EncryptedKey = encryptedKey
}
list = append(list, p)
}
return list, nil
}
func addOIDCProvider(ctx *cli.Context, name string, provMap map[string]bool) (list provisioner.List, err error) {
clientID := ctx.String("client-id")
if len(clientID) == 0 {
return nil, errs.RequiredWithFlagValue(ctx, "type", ctx.String("type"), "client-id")
}
confURL := ctx.String("configuration-endpoint")
if len(confURL) == 0 {
return nil, errs.RequiredWithFlagValue(ctx, "type", ctx.String("type"), "configuration-endpoint")
}
u, err := url.Parse(confURL)
if err != nil || (u.Scheme != "https" && u.Scheme != "http") {
return nil, errs.InvalidFlagValue(ctx, "configuration-endpoint", confURL, "")
}
// Create provisioner
p := &provisioner.OIDC{
Type: oidcType,
Name: name,
ClientID: clientID,
ClientSecret: ctx.String("client-secret"),
ConfigurationEndpoint: confURL,
Admins: ctx.StringSlice("admin"),
Domains: ctx.StringSlice("domain"),
}
// Check for duplicates
if _, ok := provMap[p.GetID()]; !ok {
provMap[p.GetID()] = true
} else {
return nil, errors.Errorf("duplicated provisioner: CA config already contains a provisioner with name=%s and client-id=%s", p.GetName(), p.GetID())
}
list = append(list, p)
return
}