wip

Author: dopey

api/api.go

@@ -316,7 +316,7 @@ func certChainToPEM(certChain []*x509.Certificate) []Certificate {
 
 // Provisioners returns the list of provisioners configured in the authority.
 func (h *caHandler) Provisioners(w http.ResponseWriter, r *http.Request) {
-	cursor, limit, err := parseCursor(r)
+	cursor, limit, err := ParseCursor(r)
 	if err != nil {
 		WriteError(w, errs.BadRequestErr(err))
 		return
@@ -427,7 +427,8 @@ func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 	}
 }
 
-func parseCursor(r *http.Request) (cursor string, limit int, err error) {
+// ParseCursor parses the cursor and limit from the request query params.
+func ParseCursor(r *http.Request) (cursor string, limit int, err error) {
 	q := r.URL.Query()
 	cursor = q.Get("cursor")
 	if v := q.Get("limit"); len(v) > 0 {

authority/admin/admin.go

@@ -1,15 +1,25 @@
 package admin
 
-// Type specifies the type of administrator privileges the admin has.
+import "github.com/smallstep/certificates/authority/status"
+
+// Type specifies the type of the admin. e.g. SUPER_ADMIN, REGULAR
 type Type string
 
+var (
+	// TypeSuper superadmin
+	TypeSuper = Type("SUPER_ADMIN")
+	// TypeRegular regular
+	TypeRegular = Type("REGULAR")
+)
+
 // Admin type.
 type Admin struct {
-	ID              string `json:"id"`
-	AuthorityID     string `json:"-"`
-	Subject         string `json:"subject"`
-	ProvisionerName string `json:"provisionerName"`
-	ProvisionerType string `json:"provisionerType"`
-	ProvisionerID   string `json:"provisionerID"`
-	Type            Type   `json:"type"`
+	ID              string      `json:"id"`
+	AuthorityID     string      `json:"-"`
+	Subject         string      `json:"subject"`
+	ProvisionerName string      `json:"provisionerName"`
+	ProvisionerType string      `json:"provisionerType"`
+	ProvisionerID   string      `json:"provisionerID"`
+	Type            Type        `json:"type"`
+	Status          status.Type `json:"status"`
 }

authority/admin/collection.go

@@ -2,56 +2,54 @@ package admin
 
 import (
 	"crypto/sha1"
+	"encoding/binary"
+	"encoding/hex"
+	"fmt"
+	"sort"
+	"strings"
 	"sync"
 
 	"github.com/pkg/errors"
-	"go.step.sm/crypto/jose"
+	"github.com/smallstep/certificates/authority/provisioner"
 )
 
-// DefaultProvisionersLimit is the default limit for listing provisioners.
-const DefaultProvisionersLimit = 20
+// DefaultAdminLimit is the default limit for listing provisioners.
+const DefaultAdminLimit = 20
 
-// DefaultProvisionersMax is the maximum limit for listing provisioners.
-const DefaultProvisionersMax = 100
+// DefaultAdminMax is the maximum limit for listing provisioners.
+const DefaultAdminMax = 100
 
-/*
-type uidProvisioner struct {
-	provisioner Interface
-	uid         string
+type uidAdmin struct {
+	admin *Admin
+	uid   string
 }
 
-type provisionerSlice []uidProvisioner
-
-func (p provisionerSlice) Len() int           { return len(p) }
-func (p provisionerSlice) Less(i, j int) bool { return p[i].uid < p[j].uid }
-func (p provisionerSlice) Swap(i, j int)      { p[i], p[j] = p[j], p[i] }
-*/
+type adminSlice []uidAdmin
 
-// loadByTokenPayload is a payload used to extract the id used to load the
-// provisioner.
-type loadByTokenPayload struct {
-	jose.Claims
-	AuthorizedParty string `json:"azp"` // OIDC client id
-	TenantID        string `json:"tid"` // Microsoft Azure tenant id
-}
+func (p adminSlice) Len() int           { return len(p) }
+func (p adminSlice) Less(i, j int) bool { return p[i].uid < p[j].uid }
+func (p adminSlice) Swap(i, j int)      { p[i], p[j] = p[j], p[i] }
 
 // Collection is a memory map of admins.
 type Collection struct {
 	byID               *sync.Map
 	bySubProv          *sync.Map
 	byProv             *sync.Map
+	sorted             adminSlice
+	provisioners       *provisioner.Collection
 	count              int
 	countByProvisioner map[string]int
 }
 
 // NewCollection initializes a collection of provisioners. The given list of
 // audiences are the audiences used by the JWT provisioner.
-func NewCollection() *Collection {
+func NewCollection(provisioners *provisioner.Collection) *Collection {
 	return &Collection{
 		byID:               new(sync.Map),
 		byProv:             new(sync.Map),
 		bySubProv:          new(sync.Map),
 		countByProvisioner: map[string]int{},
+		provisioners:       provisioners,
 	}
 }
 
@@ -88,12 +86,18 @@ func (c *Collection) LoadByProvisioner(provName string) ([]*Admin, bool) {
 // Store adds an admin to the collection and enforces the uniqueness of
 // admin IDs and amdin subject <-> provisioner name combos.
 func (c *Collection) Store(adm *Admin) error {
-	provName := adm.ProvisionerName
+	p, ok := c.provisioners.Load(adm.ProvisionerID)
+	if !ok {
+		return fmt.Errorf("provisioner %s not found", adm.ProvisionerID)
+	}
+	adm.ProvisionerName = p.GetName()
+	adm.ProvisionerType = p.GetType().String()
 	// Store admin always in byID. ID must be unique.
 	if _, loaded := c.byID.LoadOrStore(adm.ID, adm); loaded {
 		return errors.New("cannot add multiple admins with the same id")
 	}
 
+	provName := adm.ProvisionerName
 	// Store admin alwasy in bySubProv. Subject <-> ProvisionerName must be unique.
 	if _, loaded := c.bySubProv.LoadOrStore(subProvNameHash(adm.Subject, provName), adm); loaded {
 		c.byID.Delete(adm.ID)
@@ -109,6 +113,21 @@ func (c *Collection) Store(adm *Admin) error {
 	}
 	c.count++
 
+	// Store sorted admins.
+	// Use the first 4 bytes (32bit) of the sum to insert the order
+	// Using big endian format to get the strings sorted:
+	// 0x00000000, 0x00000001, 0x00000002, ...
+	bi := make([]byte, 4)
+	_sum := sha1.Sum([]byte(adm.ID))
+	sum := _sum[:]
+	binary.BigEndian.PutUint32(bi, uint32(c.sorted.Len()))
+	sum[0], sum[1], sum[2], sum[3] = bi[0], bi[1], bi[2], bi[3]
+	c.sorted = append(c.sorted, uidAdmin{
+		admin: adm,
+		uid:   hex.EncodeToString(sum),
+	})
+	sort.Sort(c.sorted)
+
 	return nil
 }
 
@@ -125,31 +144,29 @@ func (c *Collection) CountByProvisioner(provName string) int {
 	return 0
 }
 
-/*
 // Find implements pagination on a list of sorted provisioners.
-func (c *Collection) Find(cursor string, limit int) (List, string) {
+func (c *Collection) Find(cursor string, limit int) ([]*Admin, string) {
 	switch {
 	case limit <= 0:
-		limit = DefaultProvisionersLimit
-	case limit > DefaultProvisionersMax:
-		limit = DefaultProvisionersMax
+		limit = DefaultAdminLimit
+	case limit > DefaultAdminMax:
+		limit = DefaultAdminMax
 	}
 
 	n := c.sorted.Len()
 	cursor = fmt.Sprintf("%040s", cursor)
 	i := sort.Search(n, func(i int) bool { return c.sorted[i].uid >= cursor })
 
-	slice := List{}
+	slice := []*Admin{}
 	for ; i < n && len(slice) < limit; i++ {
-		slice = append(slice, c.sorted[i].provisioner)
+		slice = append(slice, c.sorted[i].admin)
 	}
 
 	if i < n {
 		return slice, strings.TrimLeft(c.sorted[i].uid, "0")
 	}
 	return slice, ""
 }
-*/
 
 func loadAdmin(m *sync.Map, key string) (*Admin, bool) {
 	a, ok := m.Load(key)

authority/authority.go

@@ -175,7 +175,7 @@ func (a *Authority) ReloadAuthConfig() error {
 		}
 	}
 	// Store all the admins
-	a.admins = admin.NewCollection()
+	a.admins = admin.NewCollection(a.provisioners)
 	for _, adm := range a.config.AuthorityConfig.Admins {
 		if err := a.admins.Store(adm); err != nil {
 			return err
@@ -431,7 +431,7 @@ func (a *Authority) init() error {
 		}
 	}
 	// Store all the admins
-	a.admins = admin.NewCollection()
+	a.admins = admin.NewCollection(a.provisioners)
 	for _, adm := range a.config.AuthorityConfig.Admins {
 		if err := a.admins.Store(adm); err != nil {
 			return err

authority/mgmt/admin.go

@@ -1,55 +1,23 @@
 package mgmt
 
 import (
-	"context"
-
 	"github.com/smallstep/certificates/authority/admin"
 )
 
 // AdminType specifies the type of the admin. e.g. SUPER_ADMIN, REGULAR
-type AdminType string
+type AdminType admin.Type
 
 var (
 	// AdminTypeSuper superadmin
-	AdminTypeSuper = AdminType("SUPER_ADMIN")
+	AdminTypeSuper = admin.TypeSuper
 	// AdminTypeRegular regular
-	AdminTypeRegular = AdminType("REGULAR")
+	AdminTypeRegular = admin.TypeRegular
 )
 
 // Admin type.
-type Admin struct {
-	ID              string     `json:"id"`
-	AuthorityID     string     `json:"-"`
-	ProvisionerID   string     `json:"provisionerID"`
-	Subject         string     `json:"subject"`
-	ProvisionerName string     `json:"provisionerName"`
-	ProvisionerType string     `json:"provisionerType"`
-	Type            AdminType  `json:"type"`
-	Status          StatusType `json:"status"`
-}
-
-// CreateAdmin builds and stores an admin type in the DB.
-func CreateAdmin(ctx context.Context, db DB, provName, sub string, typ AdminType) (*Admin, error) {
-	adm := &Admin{
-		Subject:         sub,
-		ProvisionerName: provName,
-		Type:            typ,
-		Status:          StatusActive,
-	}
-	if err := db.CreateAdmin(ctx, adm); err != nil {
-		return nil, WrapErrorISE(err, "error creating admin")
-	}
-	return adm, nil
-}
+type Admin admin.Admin
 
 // ToCertificates converts an Admin to the Admin type expected by the authority.
 func (adm *Admin) ToCertificates() (*admin.Admin, error) {
-	return &admin.Admin{
-		ID:              adm.ID,
-		Subject:         adm.Subject,
-		ProvisionerID:   adm.ProvisionerID,
-		ProvisionerName: adm.ProvisionerName,
-		ProvisionerType: adm.ProvisionerType,
-		Type:            admin.Type(adm.Type),
-	}, nil
+	return (*admin.Admin)(adm), nil
 }