wip

authority/authority.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/smallstep/certificates/cas"
+	"github.com/smallstep/certificates/linkedca"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/admin"
@@ -129,15 +130,18 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 	return a, nil
 }
 
-func (a *Authority) ReloadAuthConfig() error {
-	mgmtAuthConfig, err := a.adminDB.GetAuthConfig(context.Background(), mgmt.DefaultAuthorityID)
+func (a *Authority) ReloadAuthConfig(ctx context.Context) error {
+	provs, err := a.adminDB.GetProvisioners(ctx)
 	if err != nil {
-		return mgmt.WrapErrorISE(err, "error getting authConfig from db")
+		return mgmt.WrapErrorISE(err, "error getting provisioners to initialize authority")
 	}
-
-	a.config.AuthorityConfig, err = mgmtAuthConfig.ToCertificates()
+	a.config.AuthorityConfig.Provisioners, err = provisionerListToCertificates(provs)
+	if err != nil {
+		return mgmt.WrapErrorISE(err, "error converting provisioner list to certificates")
+	}
+	a.config.AuthorityConfig.Admins, err = a.adminDB.GetAdmins(ctx)
 	if err != nil {
-		return mgmt.WrapErrorISE(err, "error converting mgmt authConfig to certificates authConfig")
+		return mgmt.WrapErrorISE(err, "error getting provisioners to initialize authority")
 	}
 
 	// Merge global and configuration claims
@@ -148,7 +152,7 @@ func (a *Authority) ReloadAuthConfig() error {
 	// TODO: should we also be combining the ssh federated roots here?
 	// If we rotate ssh roots keys, sshpop provisioner will lose ability to
 	// validate old SSH certificates, unless they are added as federated certs.
-	sshKeys, err := a.GetSSHRoots(context.Background())
+	sshKeys, err := a.GetSSHRoots(ctx)
 	if err != nil {
 		return err
 	}
@@ -201,30 +205,52 @@ func (a *Authority) init() error {
 		}
 	}
 
-	// Initialize step-ca Admin Database if it's not already initialized using
-	// WithAdminDB.
-	if a.adminDB == nil {
-		// Check if AuthConfig already exists
-		a.adminDB, err = authMgmtNosql.New(a.db.(nosql.DB), mgmt.DefaultAuthorityID)
-		if err != nil {
-			return err
-		}
-		mgmtAuthConfig, err := a.adminDB.GetAuthConfig(context.Background(), mgmt.DefaultAuthorityID)
-		if err != nil {
-			if k, ok := err.(*mgmt.Error); ok && k.IsType(mgmt.ErrorNotFoundType) {
-				mgmtAuthConfig, err = mgmt.CreateAuthority(context.Background(), a.adminDB, mgmt.WithDefaultAuthorityID)
-				if err != nil {
-					return mgmt.WrapErrorISE(err, "error creating authConfig")
-				}
-			} else {
-				return mgmt.WrapErrorISE(err, "error getting authConfig from db")
+	if len(a.config.AuthorityConfig.Provisioners) == 0 {
+		// Initialize step-ca Admin Database if it's not already initialized using
+		// WithAdminDB.
+		if a.adminDB == nil {
+			// Check if AuthConfig already exists
+			a.adminDB, err = authMgmtNosql.New(a.db.(nosql.DB), mgmt.DefaultAuthorityID)
+			if err != nil {
+				return err
 			}
 		}
 
-		a.config.AuthorityConfig, err = mgmtAuthConfig.ToCertificates()
+		provs, err := a.adminDB.GetProvisioners(context.Background())
 		if err != nil {
 			return err
 		}
+		if len(provs) == 0 {
+			// Create First Provisioner
+			prov, err := mgmt.CreateFirstProvisioner(context.Background(), a.adminDB, a.config.Password)
+			if err != nil {
+				return err
+			}
+			// Create First Admin
+			adm := &linkedca.Admin{
+				ProvisionerId: prov.Id,
+				Subject:       "step",
+				Type:          linkedca.Admin_SUPER_ADMIN,
+			}
+			if err := a.adminDB.CreateAdmin(context.Background(), adm); err != nil {
+				// TODO should we try to clean up?
+				return mgmt.WrapErrorISE(err, "error creating first admin")
+			}
+			a.config.AuthorityConfig.Admins = []*linkedca.Admin{adm}
+		} else {
+			provs, err := a.adminDB.GetProvisioners(context.Background())
+			if err != nil {
+				return mgmt.WrapErrorISE(err, "error getting provisioners to initialize authority")
+			}
+			a.config.AuthorityConfig.Provisioners, err = provisionerListToCertificates(provs)
+			if err != nil {
+				return mgmt.WrapErrorISE(err, "error converting provisioner list to certificates")
+			}
+			a.config.AuthorityConfig.Admins, err = a.adminDB.GetAdmins(context.Background())
+			if err != nil {
+				return mgmt.WrapErrorISE(err, "error getting provisioners to initialize authority")
+			}
+		}
 	}
 
 	// Initialize key manager if it has not been set in the options.

authority/mgmt/api/admin.go

@@ -8,14 +8,14 @@ import (
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/mgmt"
-	"github.com/smallstep/certificates/authority/status"
+	"github.com/smallstep/certificates/linkedca"
 )
 
 // CreateAdminRequest represents the body for a CreateAdmin request.
 type CreateAdminRequest struct {
-	Subject     string     `json:"subject"`
-	Provisioner string     `json:"provisioner"`
-	Type        admin.Type `json:"type"`
+	Subject     string              `json:"subject"`
+	Provisioner string              `json:"provisioner"`
+	Type        linkedca.Admin_Type `json:"type"`
 }
 
 // Validate validates a new-admin request body.
@@ -29,13 +29,13 @@ func (car *CreateAdminRequest) Validate(c *admin.Collection) error {
 
 // GetAdminsResponse for returning a list of admins.
 type GetAdminsResponse struct {
-	Admins     []*admin.Admin `json:"admins"`
-	NextCursor string         `json:"nextCursor"`
+	Admins     []*linkedca.Admin `json:"admins"`
+	NextCursor string            `json:"nextCursor"`
 }
 
 // UpdateAdminRequest represents the body for a UpdateAdmin request.
 type UpdateAdminRequest struct {
-	Type admin.Type `json:"type"`
+	Type linkedca.Admin_Type `json:"type"`
 }
 
 // Validate validates a new-admin request body.
@@ -98,20 +98,17 @@ func (h *Handler) CreateAdmin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	adm := &mgmt.Admin{
-		ProvisionerID: p.GetID(),
+	adm := &linkedca.Admin{
+		ProvisionerId: p.GetID(),
 		Subject:       body.Subject,
 		Type:          body.Type,
-		Status:        status.Active,
 	}
 	if err := h.db.CreateAdmin(ctx, adm); err != nil {
 		api.WriteError(w, mgmt.WrapErrorISE(err, "error creating admin"))
 		return
 	}
-	adm.ProvisionerName = p.GetName()
-	adm.ProvisionerType = p.GetType().String()
 	api.JSON(w, adm)
-	if err := h.auth.ReloadAuthConfig(); err != nil {
+	if err := h.auth.ReloadAuthConfig(ctx); err != nil {
 		fmt.Printf("err = %+v\n", err)
 	}
 }
@@ -126,18 +123,13 @@ func (h *Handler) DeleteAdmin(w http.ResponseWriter, r *http.Request) {
 	}
 
 	ctx := r.Context()
-	adm, err := h.db.GetAdmin(ctx, id)
-	if err != nil {
-		api.WriteError(w, mgmt.WrapErrorISE(err, "error retrieiving admin %s", id))
-		return
-	}
-	adm.Status = status.Deleted
-	if err := h.db.UpdateAdmin(ctx, adm); err != nil {
-		api.WriteError(w, mgmt.WrapErrorISE(err, "error updating admin %s", id))
+	if err := h.db.DeleteAdmin(ctx, id); err != nil {
+		api.WriteError(w, mgmt.WrapErrorISE(err, "error deleting admin %s", id))
 		return
 	}
 	api.JSON(w, &DeleteResponse{Status: "ok"})
-	if err := h.auth.ReloadAuthConfig(); err != nil {
+
+	if err := h.auth.ReloadAuthConfig(ctx); err != nil {
 		fmt.Printf("err = %+v\n", err)
 	}
 }
@@ -166,12 +158,12 @@ func (h *Handler) UpdateAdmin(w http.ResponseWriter, r *http.Request) {
 
 	adm.Type = body.Type
 
-	if err := h.db.UpdateAdmin(ctx, (*mgmt.Admin)(adm)); err != nil {
+	if err := h.db.UpdateAdmin(ctx, (*linkedca.Admin)(adm)); err != nil {
 		api.WriteError(w, mgmt.WrapErrorISE(err, "error updating admin %s", id))
 		return
 	}
 	api.JSON(w, adm)
-	if err := h.auth.ReloadAuthConfig(); err != nil {
+	if err := h.auth.ReloadAuthConfig(ctx); err != nil {
 		fmt.Printf("err = %+v\n", err)
 	}
 }

authority/mgmt/api/handler.go

@@ -44,8 +44,4 @@ func (h *Handler) Route(r api.Router) {
 	r.MethodFunc("POST", "/admins", h.CreateAdmin)
 	r.MethodFunc("PATCH", "/admins/{id}", h.UpdateAdmin)
 	r.MethodFunc("DELETE", "/admins/{id}", h.DeleteAdmin)
-
-	// AuthConfig
-	r.MethodFunc("GET", "/authconfigs/{id}", h.GetAuthConfig)
-	r.MethodFunc("PUT", "/authconfigs/{id}", h.UpdateAuthConfig)
 }