Merge branch 'master' into allow_custom_tls_config

smallstep · Feb 14, 2024 · 503e504 · 503e504
2 parents beea482 + 073fcb7
commit 503e504
Show file tree

Hide file tree

Showing 17 changed files with 747 additions and 234 deletions.
diff --git a/authority/authority.go b/authority/authority.go
@@ -104,6 +104,9 @@ type Authority struct {
 
 	// If true, do not output initialization logs
 	quietInit bool
+
+	// Called whenever applicable, in order to instrument the authority.
+	meter Meter
 }
 
 // Info contains information about the authority.
@@ -126,6 +129,7 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 		config:       cfg,
 		certificates: new(sync.Map),
 		validateSCEP: true,
+		meter:        noopMeter{},
 	}
 
 	// Apply options.
@@ -134,6 +138,9 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
 			return nil, err
 		}
 	}
+	if a.keyManager != nil {
+		a.keyManager = &instrumentedKeyManager{a.keyManager, a.meter}
+	}
 
 	if !a.skipInit {
 		// Initialize authority from options or configuration.
@@ -151,6 +158,7 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 	a := &Authority{
 		config:       &config.Config{},
 		certificates: new(sync.Map),
+		meter:        noopMeter{},
 	}
 
 	// Apply options.
@@ -159,6 +167,9 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 			return nil, err
 		}
 	}
+	if a.keyManager != nil {
+		a.keyManager = &instrumentedKeyManager{a.keyManager, a.meter}
+	}
 
 	// Validate required options
 	switch {
@@ -337,6 +348,8 @@ func (a *Authority) init() error {
 		if err != nil {
 			return err
 		}
+
+		a.keyManager = &instrumentedKeyManager{a.keyManager, a.meter}
 	}
 
 	// Initialize linkedca client if necessary. On a linked RA, the issuer

diff --git a/authority/authorize.go b/authority/authorize.go
@@ -286,16 +286,16 @@ func (a *Authority) authorizeRevoke(ctx context.Context, token string) error {
 // extra extension cannot be found, authorize the renewal by default.
 //
 // TODO(mariano): should we authorize by default?
-func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate) error {
+func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate) (provisioner.Interface, error) {
 	serial := cert.SerialNumber.String()
 	var opts = []interface{}{errs.WithKeyVal("serialNumber", serial)}
 
 	isRevoked, err := a.IsRevoked(serial)
 	if err != nil {
-		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
 	}
 	if isRevoked {
-		return errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
+		return nil, errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
 	}
 	p, err := a.LoadProvisionerByCertificate(cert)
 	if err != nil {
@@ -305,13 +305,13 @@ func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate)
 		// returns the noop provisioner if this happens, and it allows
 		// certificate renewals.
 		if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
-			return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+			return nil, errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
 		}
 	}
 	if err := p.AuthorizeRenew(ctx, cert); err != nil {
-		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
 	}
-	return nil
+	return p, nil
 }
 
 // authorizeSSHCertificate returns an error if the given certificate is revoked.

diff --git a/authority/authorize_test.go b/authority/authorize_test.go
@@ -876,7 +876,7 @@ func TestAuthority_authorizeRenew(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			tc := genTestCase(t)
 
-			err := tc.auth.authorizeRenew(context.Background(), tc.cert)
+			_, err := tc.auth.authorizeRenew(context.Background(), tc.cert)
 			if err != nil {
 				if assert.NotNil(t, tc.err) {
 					var sc render.StatusCodedError

diff --git a/authority/config/config.go b/authority/config/config.go
@@ -83,6 +83,7 @@ type Config struct {
 	Templates        *templates.Templates `json:"templates,omitempty"`
 	CommonName       string               `json:"commonName,omitempty"`
 	CRL              *CRLConfig           `json:"crl,omitempty"`
+	MetricsAddress   string               `json:"metricsAddress,omitempty"`
 	SkipValidation   bool                 `json:"-"`
 
 	// Keeps record of the filename the Config is read from
@@ -327,6 +328,12 @@ func (c *Config) Validate() error {
 		return errors.Errorf("invalid address %s", c.Address)
 	}
 
+	if addr := c.MetricsAddress; addr != "" {
+		if _, _, err := net.SplitHostPort(addr); err != nil {
+			return errors.Errorf("invalid metrics address %q", c.Address)
+		}
+	}
+
 	if c.TLS == nil {
 		c.TLS = &DefaultTLSOptions
 	} else {

diff --git a/authority/meter.go b/authority/meter.go
@@ -0,0 +1,87 @@
+package authority
+
+import (
+	"crypto"
+	"io"
+
+	"go.step.sm/crypto/kms"
+	kmsapi "go.step.sm/crypto/kms/apiv1"
+
+	"github.com/smallstep/certificates/authority/provisioner"
+)
+
+// Meter wraps the set of defined callbacks for metrics gatherers.
+type Meter interface {
+	// X509Signed is called whenever an X509 certificate is signed.
+	X509Signed(provisioner.Interface, error)
+
+	// X509Renewed is called whenever an X509 certificate is renewed.
+	X509Renewed(provisioner.Interface, error)
+
+	// X509Rekeyed is called whenever an X509 certificate is rekeyed.
+	X509Rekeyed(provisioner.Interface, error)
+
+	// X509WebhookAuthorized is called whenever an X509 authoring webhook is called.
+	X509WebhookAuthorized(provisioner.Interface, error)
+
+	// X509WebhookEnriched is called whenever an X509 enriching webhook is called.
+	X509WebhookEnriched(provisioner.Interface, error)
+
+	// SSHSigned is called whenever an SSH certificate is signed.
+	SSHSigned(provisioner.Interface, error)
+
+	// SSHRenewed is called whenever an SSH certificate is renewed.
+	SSHRenewed(provisioner.Interface, error)
+
+	// SSHRekeyed is called whenever an SSH certificate is rekeyed.
+	SSHRekeyed(provisioner.Interface, error)
+
+	// SSHWebhookAuthorized is called whenever an SSH authoring webhook is called.
+	SSHWebhookAuthorized(provisioner.Interface, error)
+
+	// SSHWebhookEnriched is called whenever an SSH enriching webhook is called.
+	SSHWebhookEnriched(provisioner.Interface, error)
+
+	// KMSSigned is called per KMS signer signature.
+	KMSSigned(error)
+}
+
+// noopMeter implements a noop [Meter].
+type noopMeter struct{}
+
+func (noopMeter) SSHRekeyed(provisioner.Interface, error)            {}
+func (noopMeter) SSHRenewed(provisioner.Interface, error)            {}
+func (noopMeter) SSHSigned(provisioner.Interface, error)             {}
+func (noopMeter) SSHWebhookAuthorized(provisioner.Interface, error)  {}
+func (noopMeter) SSHWebhookEnriched(provisioner.Interface, error)    {}
+func (noopMeter) X509Rekeyed(provisioner.Interface, error)           {}
+func (noopMeter) X509Renewed(provisioner.Interface, error)           {}
+func (noopMeter) X509Signed(provisioner.Interface, error)            {}
+func (noopMeter) X509WebhookAuthorized(provisioner.Interface, error) {}
+func (noopMeter) X509WebhookEnriched(provisioner.Interface, error)   {}
+func (noopMeter) KMSSigned(error)                                    {}
+
+type instrumentedKeyManager struct {
+	kms.KeyManager
+	meter Meter
+}
+
+func (i *instrumentedKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (s crypto.Signer, err error) {
+	if s, err = i.KeyManager.CreateSigner(req); err == nil {
+		s = &instrumentedKMSSigner{s, i.meter}
+	}
+
+	return
+}
+
+type instrumentedKMSSigner struct {
+	crypto.Signer
+	meter Meter
+}
+
+func (i *instrumentedKMSSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
+	signature, err = i.Signer.Sign(rand, digest, opts)
+	i.meter.KMSSigned(err)
+
+	return
+}
diff --git a/authority/options.go b/authority/options.go
@@ -167,6 +167,15 @@ func WithKeyManager(k kms.KeyManager) Option {
 	}
 }
 
+// WithX509CAService allows the consumer to provide an externally implemented
+// API implementation of apiv1.CertificateAuthorityService
+func WithX509CAService(svc casapi.CertificateAuthorityService) Option {
+	return func(a *Authority) error {
+		a.x509CAService = svc
+		return nil
+	}
+}
+
 // WithX509Signer defines the signer used to sign X509 certificates.
 func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option {
 	return WithX509SignerChain([]*x509.Certificate{crt}, s)
@@ -381,3 +390,16 @@ func readCertificateBundle(pemCerts []byte) ([]*x509.Certificate, error) {
 	}
 	return certs, nil
 }
+
+// WithMeter is an option that sets the authority's [Meter] to the provided one.
+func WithMeter(m Meter) Option {
+	if m == nil {
+		m = noopMeter{}
+	}
+
+	return func(a *Authority) (_ error) {
+		a.meter = m
+
+		return
+	}
+}
diff --git a/authority/provisioner/aws_certificates.pem b/authority/provisioner/aws_certificates.pem
@@ -1,4 +1,5 @@
 # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html
+# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/regions-certs.html use RSA format
 
 # default certificate for "other regions"
 -----BEGIN CERTIFICATE-----
@@ -244,4 +245,20 @@ Af8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4GBACrKjWj460GUPZCGm3/z0dIz
 M2BPuH769wcOsqfFZcMKEysSFK91tVtUb1soFwH4/Lb/T0PqNrvtEwD1Nva5k0h2
 xZhNNRmDuhOhW1K9wCcnHGRBwY5t4lYL6hNV6hcrqYwGMjTjcAjBG2yMgznSNFle
 Rwi/S3BFXISixNx9cILu
+-----END CERTIFICATE-----
+
+# certificate for ca-west-1
+-----BEGIN CERTIFICATE-----
+MIICMzCCAZygAwIBAgIGAYPou9weMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
+AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
+MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMjEwMTgwMTM2
+MDlaGA8yMjAxMTAxODAxMzYwOVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
+c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
+biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK
+1kIcG5Q6adBXQM75GldfTSiXl7tn54p10TnspI0ErDdb2B6q2Ji/v4XBVH13ZCMg
+qlRHMqV8AWI5iO6gFn2A9sN3AZXTMqwtZeiDdebq3k6Wt7ieYvpXTg0qvgsjQIov
+RZWaBDBJy9x8C2hW+w9lMQjFHkJ7Jy/PHCJ69EzebQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGe9Snkz1A6rHBH6/5kDtYvtPYwhx2sXNxztbhkXErFk40Nw5l459NZx
+EeudxJBLoCkkSgYjhRcOZ/gvDVtWG7qyb6fAqgoisyAbk8K9LzxSim2S1nmT9vD8
+4B/t/VvwQBylc+ej8kRxMH7fquZLp7IXfmtBzyUqu6Dpbne+chG2
 -----END CERTIFICATE-----
diff --git a/authority/provisioner/aws_test.go b/authority/provisioner/aws_test.go
@@ -896,5 +896,5 @@ func TestAWS_HardcodedCertificates(t *testing.T) {
 		assert.True(t, cert.NotAfter.After(time.Now()))
 		certs = append(certs, cert)
 	}
-	assert.Len(t, 14, certs, "expected 14 certificates in aws_certificates.pem")
+	assert.Len(t, 15, certs, "expected 15 certificates in aws_certificates.pem")
 }