Add support for the provisioner controller

The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.

Author: maraino

Diff for: authority/authorize.go

@@ -276,14 +276,14 @@ func (a *Authority) authorizeRevoke(ctx context.Context, token string) error {
 func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
 	serial := cert.SerialNumber.String()
 	var opts = []interface{}{errs.WithKeyVal("serialNumber", serial)}
+
 	isRevoked, err := a.IsRevoked(serial)
 	if err != nil {
 		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
 	}
 	if isRevoked {
 		return errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
 	}
-
 	p, ok := a.provisioners.LoadByCertificate(cert)
 	if !ok {
 		return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)

Diff for: authority/authorize_test.go

@@ -753,6 +753,7 @@ func TestAuthority_Authorize(t *testing.T) {
 
 func TestAuthority_authorizeRenew(t *testing.T) {
 	fooCrt, err := pemutil.ReadCertificate("testdata/certs/foo.crt")
+	fooCrt.NotAfter = time.Now().Add(time.Hour)
 	assert.FatalError(t, err)
 
 	renewDisabledCrt, err := pemutil.ReadCertificate("testdata/certs/renew-disabled.crt")
@@ -822,7 +823,7 @@ func TestAuthority_authorizeRenew(t *testing.T) {
 			return &authorizeTest{
 				auth: a,
 				cert: renewDisabledCrt,
-				err:  errors.New("authority.authorizeRenew: jwk.AuthorizeRenew; renew is disabled for jwk provisioner 'renew_disabled'"),
+				err:  errors.New("authority.authorizeRenew: renew is disabled for provisioner 'renew_disabled'"),
 				code: http.StatusUnauthorized,
 			}
 		},
@@ -909,6 +910,7 @@ func generateSSHToken(sub, iss, aud string, iat time.Time, sshOpts *provisioner.
 }
 
 func createSSHCert(cert *ssh.Certificate, signer ssh.Signer) (*ssh.Certificate, *jose.JSONWebKey, error) {
+	now := time.Now()
 	jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "foo", 0)
 	if err != nil {
 		return nil, nil, err
@@ -917,6 +919,12 @@ func createSSHCert(cert *ssh.Certificate, signer ssh.Signer) (*ssh.Certificate,
 	if err != nil {
 		return nil, nil, err
 	}
+	if cert.ValidAfter == 0 {
+		cert.ValidAfter = uint64(now.Unix())
+	}
+	if cert.ValidBefore == 0 {
+		cert.ValidBefore = uint64(now.Add(time.Hour).Unix())
+	}
 	if err := cert.SignCert(rand.Reader, signer); err != nil {
 		return nil, nil, err
 	}

Diff for: authority/provisioner/acme.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/errs"
 )
 
 // ACME is the acme provisioner type, an entity that can authorize the ACME
@@ -24,7 +23,7 @@ type ACME struct {
 	RequireEAB bool     `json:"requireEAB,omitempty"`
 	Claims     *Claims  `json:"claims,omitempty"`
 	Options    *Options `json:"options,omitempty"`
-	claimer    *Claimer
+	ctl        *Controller
 }
 
 // GetID returns the provisioner unique identifier.
@@ -69,7 +68,7 @@ func (p *ACME) GetOptions() *Options {
 // DefaultTLSCertDuration returns the default TLS cert duration enforced by
 // the provisioner.
 func (p *ACME) DefaultTLSCertDuration() time.Duration {
-	return p.claimer.DefaultTLSCertDuration()
+	return p.ctl.Claimer.DefaultTLSCertDuration()
 }
 
 // Init initializes and validates the fields of a JWK type.
@@ -81,12 +80,8 @@ func (p *ACME) Init(config Config) (err error) {
 		return errors.New("provisioner name cannot be empty")
 	}
 
-	// Update claims with global ones
-	if p.claimer, err = NewClaimer(p.Claims, config.Claims); err != nil {
-		return err
-	}
-
-	return err
+	p.ctl, err = NewController(p, p.Claims, config)
+	return
 }
 
 // AuthorizeSign does not do any validation, because all validation is handled
@@ -97,10 +92,10 @@ func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeACME, p.Name, ""),
 		newForceCNOption(p.ForceCN),
-		profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
+		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},
-		newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
+		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 	}, nil
 }
 
@@ -118,8 +113,5 @@ func (p *ACME) AuthorizeRevoke(ctx context.Context, token string) error {
 // revocation status. Just confirms that the provisioner that created the
 // certificate was configured to allow renewals.
 func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
-	if p.claimer.IsDisableRenewal() {
-		return errs.Unauthorized("acme.AuthorizeRenew; renew is disabled for acme provisioner '%s'", p.GetName())
-	}
-	return nil
+	return p.ctl.AuthorizeRenew(ctx, cert)
 }

Diff for: authority/provisioner/acme_test.go

@@ -91,6 +91,7 @@ func TestACME_Init(t *testing.T) {
 }
 
 func TestACME_AuthorizeRenew(t *testing.T) {
+	now := time.Now()
 	type test struct {
 		p    *ACME
 		cert *x509.Certificate
@@ -104,21 +105,27 @@ func TestACME_AuthorizeRenew(t *testing.T) {
 			// disable renewal
 			disable := true
 			p.Claims = &Claims{DisableRenewal: &disable}
-			p.claimer, err = NewClaimer(p.Claims, globalProvisionerClaims)
+			p.ctl.Claimer, err = NewClaimer(p.Claims, globalProvisionerClaims)
 			assert.FatalError(t, err)
 			return test{
-				p:    p,
-				cert: &x509.Certificate{},
+				p: p,
+				cert: &x509.Certificate{
+					NotBefore: now,
+					NotAfter:  now.Add(time.Hour),
+				},
 				code: http.StatusUnauthorized,
-				err:  errors.Errorf("acme.AuthorizeRenew; renew is disabled for acme provisioner '%s'", p.GetName()),
+				err:  errors.Errorf("renew is disabled for provisioner '%s'", p.GetName()),
 			}
 		},
 		"ok": func(t *testing.T) test {
 			p, err := generateACME()
 			assert.FatalError(t, err)
 			return test{
-				p:    p,
-				cert: &x509.Certificate{},
+				p: p,
+				cert: &x509.Certificate{
+					NotBefore: now,
+					NotAfter:  now.Add(time.Hour),
+				},
 			}
 		},
 	}
@@ -179,11 +186,11 @@ func TestACME_AuthorizeSign(t *testing.T) {
 						case *forceCNOption:
 							assert.Equals(t, v.ForceCN, tc.p.ForceCN)
 						case profileDefaultDuration:
-							assert.Equals(t, time.Duration(v), tc.p.claimer.DefaultTLSCertDuration())
+							assert.Equals(t, time.Duration(v), tc.p.ctl.Claimer.DefaultTLSCertDuration())
 						case defaultPublicKeyValidator:
 						case *validityValidator:
-							assert.Equals(t, v.min, tc.p.claimer.MinTLSCertDuration())
-							assert.Equals(t, v.max, tc.p.claimer.MaxTLSCertDuration())
+							assert.Equals(t, v.min, tc.p.ctl.Claimer.MinTLSCertDuration())
+							assert.Equals(t, v.max, tc.p.ctl.Claimer.MaxTLSCertDuration())
 						default:
 							assert.FatalError(t, errors.Errorf("unexpected sign option of type %T", v))
 						}

Diff for: authority/provisioner/aws.go

@@ -264,9 +264,8 @@ type AWS struct {
 	IIDRoots               string   `json:"iidRoots,omitempty"`
 	Claims                 *Claims  `json:"claims,omitempty"`
 	Options                *Options `json:"options,omitempty"`
-	claimer                *Claimer
 	config                 *awsConfig
-	audiences              Audiences
+	ctl                    *Controller
 }
 
 // GetID returns the provisioner unique identifier.
@@ -400,15 +399,11 @@ func (p *AWS) Init(config Config) (err error) {
 	case p.InstanceAge.Value() < 0:
 		return errors.New("provisioner instanceAge cannot be negative")
 	}
-	// Update claims with global ones
-	if p.claimer, err = NewClaimer(p.Claims, config.Claims); err != nil {
-		return err
-	}
+
 	// Add default config
 	if p.config, err = newAWSConfig(p.IIDRoots); err != nil {
 		return err
 	}
-	p.audiences = config.Audiences.WithFragment(p.GetIDForToken())
 
 	// validate IMDS versions
 	if len(p.IMDSVersions) == 0 {
@@ -425,7 +420,9 @@ func (p *AWS) Init(config Config) (err error) {
 		}
 	}
 
-	return nil
+	config.Audiences = config.Audiences.WithFragment(p.GetIDForToken())
+	p.ctl, err = NewController(p, p.Claims, config)
+	return
 }
 
 // AuthorizeSign validates the given token and returns the sign options that
@@ -473,11 +470,11 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID),
-		profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
+		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},
 		commonNameValidator(payload.Claims.Subject),
-		newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
+		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 	), nil
 }
 
@@ -486,10 +483,7 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 // revocation status. Just confirms that the provisioner that created the
 // certificate was configured to allow renewals.
 func (p *AWS) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
-	if p.claimer.IsDisableRenewal() {
-		return errs.Unauthorized("aws.AuthorizeRenew; renew is disabled for aws provisioner '%s'", p.GetName())
-	}
-	return nil
+	return p.ctl.AuthorizeRenew(ctx, cert)
 }
 
 // assertConfig initializes the config if it has not been initialized
@@ -664,7 +658,7 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
 	}
 
 	// validate audiences with the defaults
-	if !matchesAudience(payload.Audience, p.audiences.Sign) {
+	if !matchesAudience(payload.Audience, p.ctl.Audiences.Sign) {
 		return nil, errs.Unauthorized("aws.authorizeToken; invalid token - invalid audience claim (aud)")
 	}
 
@@ -704,7 +698,7 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
 
 // AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
 func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
-	if !p.claimer.IsSSHCAEnabled() {
+	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return nil, errs.Unauthorized("aws.AuthorizeSSHSign; ssh ca is disabled for aws provisioner '%s'", p.GetName())
 	}
 	claims, err := p.authorizeToken(token)
@@ -752,11 +746,11 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		// Validate user SignSSHOptions.
 		sshCertOptionsValidator(defaults),
 		// Set the validity bounds if not set.
-		&sshDefaultDuration{p.claimer},
+		&sshDefaultDuration{p.ctl.Claimer},
 		// Validate public key
 		&sshDefaultPublicKeyValidator{},
 		// Validate the validity period.
-		&sshCertValidityValidator{p.claimer},
+		&sshCertValidityValidator{p.ctl.Claimer},
 		// Require all the fields in the SSH certificate
 		&sshCertDefaultValidator{},
 	), nil

Diff for: authority/provisioner/aws_test.go

@@ -682,13 +682,13 @@ func TestAWS_AuthorizeSign(t *testing.T) {
 						assert.Equals(t, v.CredentialID, tt.aws.Accounts[0])
 						assert.Len(t, 2, v.KeyValuePairs)
 					case profileDefaultDuration:
-						assert.Equals(t, time.Duration(v), tt.aws.claimer.DefaultTLSCertDuration())
+						assert.Equals(t, time.Duration(v), tt.aws.ctl.Claimer.DefaultTLSCertDuration())
 					case commonNameValidator:
 						assert.Equals(t, string(v), tt.args.cn)
 					case defaultPublicKeyValidator:
 					case *validityValidator:
-						assert.Equals(t, v.min, tt.aws.claimer.MinTLSCertDuration())
-						assert.Equals(t, v.max, tt.aws.claimer.MaxTLSCertDuration())
+						assert.Equals(t, v.min, tt.aws.ctl.Claimer.MinTLSCertDuration())
+						assert.Equals(t, v.max, tt.aws.ctl.Claimer.MaxTLSCertDuration())
 					case ipAddressesValidator:
 						assert.Equals(t, []net.IP(v), []net.IP{net.ParseIP("127.0.0.1")})
 					case emailAddressesValidator:
@@ -726,7 +726,7 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) {
 	// disable sshCA
 	disable := false
 	p3.Claims = &Claims{EnableSSHCA: &disable}
-	p3.claimer, err = NewClaimer(p3.Claims, globalProvisionerClaims)
+	p3.ctl.Claimer, err = NewClaimer(p3.Claims, globalProvisionerClaims)
 	assert.FatalError(t, err)
 
 	t1, err := p1.GetIdentityToken("127.0.0.1", "https://ca.smallstep.com")
@@ -747,7 +747,7 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) {
 	rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
 	assert.FatalError(t, err)
 
-	hostDuration := p1.claimer.DefaultHostSSHCertDuration()
+	hostDuration := p1.ctl.Claimer.DefaultHostSSHCertDuration()
 	expectedHostOptions := &SignSSHOptions{
 		CertType: "host", Principals: []string{"127.0.0.1", "ip-127-0-0-1.us-west-1.compute.internal"},
 		ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(hostDuration)),
@@ -824,6 +824,7 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) {
 }
 
 func TestAWS_AuthorizeRenew(t *testing.T) {
+	now := time.Now()
 	p1, err := generateAWS()
 	assert.FatalError(t, err)
 	p2, err := generateAWS()
@@ -832,7 +833,7 @@ func TestAWS_AuthorizeRenew(t *testing.T) {
 	// disable renewal
 	disable := true
 	p2.Claims = &Claims{DisableRenewal: &disable}
-	p2.claimer, err = NewClaimer(p2.Claims, globalProvisionerClaims)
+	p2.ctl.Claimer, err = NewClaimer(p2.Claims, globalProvisionerClaims)
 	assert.FatalError(t, err)
 
 	type args struct {
@@ -845,8 +846,14 @@ func TestAWS_AuthorizeRenew(t *testing.T) {
 		code    int
 		wantErr bool
 	}{
-		{"ok", p1, args{nil}, http.StatusOK, false},
-		{"fail/renew-disabled", p2, args{nil}, http.StatusUnauthorized, true},
+		{"ok", p1, args{&x509.Certificate{
+			NotBefore: now,
+			NotAfter:  now.Add(time.Hour),
+		}}, http.StatusOK, false},
+		{"fail/renew-disabled", p2, args{&x509.Certificate{
+			NotBefore: now,
+			NotAfter:  now.Add(time.Hour),
+		}}, http.StatusUnauthorized, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {