Offline mode for step ca commands #86
Conversation
Codecov Report
@@ Coverage Diff @@
## master #86 +/- ##
==========================================
- Coverage 68.46% 68.28% -0.19%
==========================================
Files 59 59
Lines 8008 8037 +29
==========================================
+ Hits 5483 5488 +5
- Misses 2161 2185 +24
Partials 364 364
Continue to review full report at Codecov.
|
command/ca/ca.go
Outdated
| offlineFlag = cli.BoolFlag{ | ||
| Name: "offline", | ||
| Usage: `Creates a certificate without contacting the certificate authority. Offline mode | ||
| requires the CA configuration file given using the '--ca-config>' flag.`, |
There was a problem hiding this comment.
I would be more clear here. It doesn't actually require that flag, because the flag can be inferred.
command/ca/certificate.go
Outdated
| ''' | ||
|
|
||
| Request a new certificate using the offline mode, requires the configuration | ||
| files, certificates and keys created with **step ca init**: |
There was a problem hiding this comment.
certificates, and keys (oxford comma) - yes I'm an asshole.
command/ca/certificate.go
Outdated
| token := ctx.String("token") | ||
| offline := ctx.Bool("offline") | ||
|
|
||
| // ofline and token are incompatible because the token is generated before |
command/ca/certificate.go
Outdated
| // Start token flow | ||
| if tok, err := signCertificateTokenFlow(ctx, hostname); err == nil { | ||
| sans := ctx.StringSlice("san") | ||
| if tok, err := flow.GenerateToken(ctx, hostname, sans); err == nil { |
There was a problem hiding this comment.
if token, err = flow.GenerateToken(ctx, hostname, sans); err != nil {
return err
}
command/ca/offline.go
Outdated
| Renew(tr http.RoundTripper) (*api.SignResponse, error) | ||
| } | ||
|
|
||
| // oflineCA is a wrapper on top of the certificates authority methods that |
command/ca/offline.go
Outdated
| return c.config.Root.First() | ||
| } | ||
|
|
||
| // Provisioners returns the list of provisioners configured. |
There was a problem hiding this comment.
configured provisioners. (grammar)
command/ca/offline.go
Outdated
| return nil, errors.Wrap(err, "error parsing certificate") | ||
| } | ||
| // renew cert using authority | ||
| cert, root, err := c.authority.Renew(peer) |
There was a problem hiding this comment.
technically it's the intermediate ... got confused when I saw root here.
command/ca/offline.go
Outdated
|
|
||
| // GenerateToken creates the token used by the authority to sign certificates. | ||
| func (c *offlineCA) GenerateToken(ctx *cli.Context, subject string, sans []string) (string, error) { | ||
| // Use always ca.json information root and audience |
There was a problem hiding this comment.
"Use ca.json configuration for the root and audience"
command/ca/renew.go
Outdated
| ''' | ||
|
|
||
| Renew a certificate using the offline mode, requires the configuration | ||
| files, certificates and keys created with **step ca init**: |
command/ca/sign.go
Outdated
| return errors.Errorf("error parsing %s: file is not a certificate request", csrFile) | ||
| } | ||
|
|
||
| // ofline and token are incompatible because the token is generated before |
| @@ -388,6 +374,67 @@ func newTokenFlow(ctx *cli.Context, subject string, sans []string, caURL, root, | |||
| return generateToken(subject, sans, kid, issuer, audience, root, notBefore, notAfter, jwk) | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
// offlineTokenFlow generates a provisioning token using either
// 1. static configuration from ca.json (created with `step ca init`)
// 2. input from command line flags
// These two options are mutually exclusive and priority is given to ca.json.
Leave this comment above the method. Was confused since I forgot step ca token had an older, more complex implementation.
command/ca/token.go
Outdated
|
|
||
| // Require kid, issuer and keyFile if ca.json does not exists | ||
| switch { | ||
| case len(kid) == 0: |
There was a problem hiding this comment.
Can't we assume the kid here since the user passes the keyFile and the default is to just use jose.Thumbprint(jwk)?
Description
This PR adds a new offline mode to the following
step cacommands:certificatesignrenewtokenThe offline mode is activated with the flag
--offline. It requires the file ca.json as well as all the certs and keys that are created with thestep ca initcommand.step ca tokenalready has a more complex offline mode that will be used if ca.json does not exist.