RootShell-coder
diff --git a/Diff for: ‎acme/db/nosql/nosql.go
+4-3 b/Diff for: ‎acme/db/nosql/nosql.go
+4-3
diff --git a/Diff for: ‎api/api.go
+2-1 b/Diff for: ‎api/api.go
+2-1
diff --git a/Diff for: ‎api/sign.go
+6-6 b/Diff for: ‎api/sign.go
+6-6
diff --git a/Diff for: ‎api/ssh.go
+8-7 b/Diff for: ‎api/ssh.go
+8-7
diff --git a/Diff for: ‎authority/admin.go
+12 b/Diff for: ‎authority/admin.go
+12
diff --git a/Diff for: ‎authority/authority.go
+29-12 b/Diff for: ‎authority/authority.go
+29-12
diff --git a/Diff for: ‎authority/config.go renamed to ‎authority/config/config.go
+16-10 b/Diff for: ‎authority/config.go renamed to ‎authority/config/config.go
+16-10
diff --git a/Diff for: ‎authority/config_test.go renamed to ‎authority/config/config_test.go
+1-1 b/Diff for: ‎authority/config_test.go renamed to ‎authority/config/config_test.go
+1-1
diff --git a/Diff for: ‎authority/config/ssh.go
+94 b/Diff for: ‎authority/config/ssh.go
+94
@@ -23,11 +23,12 @@ var (
 
 // DB is a struct that implements the AcmeDB interface.
 type DB struct {
-	db nosqlDB.DB
+	db          nosqlDB.DB
+	authorityID string
 }
 
 // New configures and returns a new ACME DB backend implemented using a nosql DB.
-func New(db nosqlDB.DB) (*DB, error) {
+func New(db nosqlDB.DB, authorityID string) (*DB, error) {
 	tables := [][]byte{accountTable, accountByKeyIDTable, authzTable,
 		challengeTable, nonceTable, orderTable, ordersByAccountIDTable, certTable}
 	for _, b := range tables {
@@ -36,7 +37,7 @@ func New(db nosqlDB.DB) (*DB, error) {
 				string(b))
 		}
 	}
-	return &DB{db}, nil
+	return &DB{db, authorityID}, nil
 }
 
 // save writes the new data to the database, overwriting the old data if it
 
@@ -21,6 +21,7 @@ import (
 	"github.com/go-chi/chi"
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/logging"
@@ -32,7 +33,7 @@ type Authority interface {
 	// context specifies the Authorize[Sign|Revoke|etc.] method.
 	Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error)
 	AuthorizeSign(ott string) ([]provisioner.SignOption, error)
-	GetTLSOptions() *authority.TLSOptions
+	GetTLSOptions() *config.TLSOptions
 	Root(shasum string) (*x509.Certificate, error)
 	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
 	Renew(peer *x509.Certificate) ([]*x509.Certificate, error)
 
@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"net/http"
 
-	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
 )
@@ -37,11 +37,11 @@ func (s *SignRequest) Validate() error {
 
 // SignResponse is the response object of the certificate signature request.
 type SignResponse struct {
-	ServerPEM    Certificate           `json:"crt"`
-	CaPEM        Certificate           `json:"ca"`
-	CertChainPEM []Certificate         `json:"certChain"`
-	TLSOptions   *authority.TLSOptions `json:"tlsOptions,omitempty"`
-	TLS          *tls.ConnectionState  `json:"-"`
+	ServerPEM    Certificate          `json:"crt"`
+	CaPEM        Certificate          `json:"ca"`
+	CertChainPEM []Certificate        `json:"certChain"`
+	TLSOptions   *config.TLSOptions   `json:"tlsOptions,omitempty"`
+	TLS          *tls.ConnectionState `json:"-"`
 }
 
 // Sign is an HTTP handler that reads a certificate request and an
 
@@ -10,6 +10,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/templates"
@@ -22,12 +23,12 @@ type SSHAuthority interface {
 	RenewSSH(ctx context.Context, cert *ssh.Certificate) (*ssh.Certificate, error)
 	RekeySSH(ctx context.Context, cert *ssh.Certificate, key ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
 	SignSSHAddUser(ctx context.Context, key ssh.PublicKey, cert *ssh.Certificate) (*ssh.Certificate, error)
-	GetSSHRoots(ctx context.Context) (*authority.SSHKeys, error)
-	GetSSHFederation(ctx context.Context) (*authority.SSHKeys, error)
+	GetSSHRoots(ctx context.Context) (*config.SSHKeys, error)
+	GetSSHFederation(ctx context.Context) (*config.SSHKeys, error)
 	GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error)
 	CheckSSHHost(ctx context.Context, principal string, token string) (bool, error)
-	GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]authority.Host, error)
-	GetSSHBastion(ctx context.Context, user string, hostname string) (*authority.Bastion, error)
+	GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)
+	GetSSHBastion(ctx context.Context, user string, hostname string) (*config.Bastion, error)
 }
 
 // SSHSignRequest is the request body of an SSH certificate request.
@@ -86,7 +87,7 @@ type SSHCertificate struct {
 // SSHGetHostsResponse is the response object that returns the list of valid
 // hosts for SSH.
 type SSHGetHostsResponse struct {
-	Hosts []authority.Host `json:"hosts"`
+	Hosts []config.Host `json:"hosts"`
 }
 
 // MarshalJSON implements the json.Marshaler interface. Returns a quoted,
@@ -239,8 +240,8 @@ func (r *SSHBastionRequest) Validate() error {
 // SSHBastionResponse is the response body used to return the bastion for a
 // given host.
 type SSHBastionResponse struct {
-	Hostname string             `json:"hostname"`
-	Bastion  *authority.Bastion `json:"bastion,omitempty"`
+	Hostname string          `json:"hostname"`
+	Bastion  *config.Bastion `json:"bastion,omitempty"`
 }
 
 // SSHSign is an HTTP handler that reads an SignSSHRequest with a one-time-token
 
@@ -0,0 +1,12 @@
+package authority
+
+// Admin is the type definining Authority admins. Admins can update Authority
+// configuration, provisioners, and even other admins.
+type Admin struct {
+	ID           string `json:"-"`
+	AuthorityID  string `json:"-"`
+	Name         string `json:"name"`
+	Provisioner  string `json:"provisioner"`
+	IsSuperAdmin bool   `json:"isSuperAdmin"`
+	IsDeleted    bool   `json:"isDeleted"`
+}
@@ -13,24 +13,25 @@ import (
 	"github.com/smallstep/certificates/cas"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/authority/config"
+	"github.com/smallstep/certificates/authority/mgmt"
+	authMgmtNosql "github.com/smallstep/certificates/authority/mgmt/db/nosql"
 	"github.com/smallstep/certificates/authority/provisioner"
 	casapi "github.com/smallstep/certificates/cas/apiv1"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/kms"
 	kmsapi "github.com/smallstep/certificates/kms/apiv1"
 	"github.com/smallstep/certificates/kms/sshagentkms"
 	"github.com/smallstep/certificates/templates"
+	"github.com/smallstep/nosql"
 	"go.step.sm/crypto/pemutil"
 	"golang.org/x/crypto/ssh"
 )
 
-const (
-	legacyAuthority = "step-certificate-authority"
-)
-
 // Authority implements the Certificate Authority internal interface.
 type Authority struct {
-	config       *Config
+	config       *config.Config
+	mgmtDB       *mgmt.DB
 	keyManager   kms.KeyManager
 	provisioners *provisioner.Collection
 	db           db.AuthDB
@@ -55,14 +56,14 @@ type Authority struct {
 	startTime time.Time
 
 	// Custom functions
-	sshBastionFunc   func(ctx context.Context, user, hostname string) (*Bastion, error)
+	sshBastionFunc   func(ctx context.Context, user, hostname string) (*config.Bastion, error)
 	sshCheckHostFunc func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)
-	sshGetHostsFunc  func(ctx context.Context, cert *x509.Certificate) ([]Host, error)
+	sshGetHostsFunc  func(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)
 	getIdentityFunc  provisioner.GetIdentityFunc
 }
 
 // New creates and initiates a new Authority type.
-func New(config *Config, opts ...Option) (*Authority, error) {
+func New(config *config.Config, opts ...Option) (*Authority, error) {
 	err := config.Validate()
 	if err != nil {
 		return nil, err
@@ -92,7 +93,7 @@ func New(config *Config, opts ...Option) (*Authority, error) {
 // project without the limitations of the config.
 func NewEmbedded(opts ...Option) (*Authority, error) {
 	a := &Authority{
-		config:       &Config{},
+		config:       &config.Config{},
 		certificates: new(sync.Map),
 	}
 
@@ -116,7 +117,7 @@ func NewEmbedded(opts ...Option) (*Authority, error) {
 	}
 
 	// Initialize config required fields.
-	a.config.init()
+	a.config.Init()
 
 	// Initialize authority from options or configuration.
 	if err := a.init(); err != nil {
@@ -143,6 +144,22 @@ func (a *Authority) init() error {
 		}
 	}
 
+	// Pull AuthConfig from DB.
+	if true {
+		mgmtDB, err := authMgmtNosql.New(a.db.(nosql.DB), mgmt.DefaultAuthorityID)
+		if err != nil {
+			return err
+		}
+		_ac, err := mgmtDB.GetAuthConfig(context.Background(), mgmt.DefaultAuthorityID)
+		if err != nil {
+			return err
+		}
+		a.config.AuthorityConfig, err = _ac.ToCertificates()
+		if err != nil {
+			return err
+		}
+	}
+
 	// Initialize key manager if it has not been set in the options.
 	if a.keyManager == nil {
 		var options kmsapi.Options
@@ -314,7 +331,7 @@ func (a *Authority) init() error {
 	}
 
 	// Merge global and configuration claims
-	claimer, err := provisioner.NewClaimer(a.config.AuthorityConfig.Claims, globalProvisionerClaims)
+	claimer, err := provisioner.NewClaimer(a.config.AuthorityConfig.Claims, config.GlobalProvisionerClaims)
 	if err != nil {
 		return err
 	}
@@ -326,7 +343,7 @@ func (a *Authority) init() error {
 		return err
 	}
 	// Initialize provisioners
-	audiences := a.config.getAudiences()
+	audiences := a.config.GetAudiences()
 	a.provisioners = provisioner.NewCollection(audiences)
 	config := provisioner.Config{
 		Claims:    claimer.Claims(),
 
@@ -1,4 +1,4 @@
-package authority
+package config
 
 import (
 	"encoding/json"
@@ -15,6 +15,10 @@ import (
 	"github.com/smallstep/certificates/templates"
 )
 
+const (
+	legacyAuthority = "step-certificate-authority"
+)
+
 var (
 	// DefaultTLSOptions represents the default TLS version as well as the cipher
 	// suites used in the TLS certificates.
@@ -28,10 +32,12 @@ var (
 		MaxVersion:    1.2,
 		Renegotiation: false,
 	}
-	defaultBackdate         = time.Minute
-	defaultDisableRenewal   = false
-	defaultEnableSSHCA      = false
-	globalProvisionerClaims = provisioner.Claims{
+	defaultBackdate       = time.Minute
+	defaultDisableRenewal = false
+	defaultEnableSSHCA    = false
+	// GlobalProvisionerClaims default claims for the Authority. Can be overriden
+	// by provisioner specific claims.
+	GlobalProvisionerClaims = provisioner.Claims{
 		MinTLSDur:         &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
 		MaxTLSDur:         &provisioner.Duration{Duration: 24 * time.Hour},
 		DefaultTLSDur:     &provisioner.Duration{Duration: 24 * time.Hour},
@@ -151,9 +157,9 @@ func LoadConfiguration(filename string) (*Config, error) {
 	return &c, nil
 }
 
-// initializes the minimal configuration required to create an authority. This
+// Init initializes the minimal configuration required to create an authority. This
 // is mainly used on embedded authorities.
-func (c *Config) init() {
+func (c *Config) Init() {
 	if c.DNSNames == nil {
 		c.DNSNames = []string{"localhost", "127.0.0.1", "::1"}
 	}
@@ -246,13 +252,13 @@ func (c *Config) Validate() error {
 		return err
 	}
 
-	return c.AuthorityConfig.Validate(c.getAudiences())
+	return c.AuthorityConfig.Validate(c.GetAudiences())
 }
 
-// getAudiences returns the legacy and possible urls without the ports that will
+// GetAudiences returns the legacy and possible urls without the ports that will
 // be used as the default provisioner audiences. The CA might have proxies in
 // front so we cannot rely on the port.
-func (c *Config) getAudiences() provisioner.Audiences {
+func (c *Config) GetAudiences() provisioner.Audiences {
 	audiences := provisioner.Audiences{
 		Sign:      []string{legacyAuthority},
 		Revoke:    []string{legacyAuthority},
 
@@ -1,4 +1,4 @@
-package authority
+package config
 
 import (
 	"fmt"
 
@@ -0,0 +1,94 @@
+package config
+
+import (
+	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/authority/provisioner"
+	"go.step.sm/crypto/jose"
+	"golang.org/x/crypto/ssh"
+)
+
+// SSHConfig contains the user and host keys.
+type SSHConfig struct {
+	HostKey          string          `json:"hostKey"`
+	UserKey          string          `json:"userKey"`
+	Keys             []*SSHPublicKey `json:"keys,omitempty"`
+	AddUserPrincipal string          `json:"addUserPrincipal,omitempty"`
+	AddUserCommand   string          `json:"addUserCommand,omitempty"`
+	Bastion          *Bastion        `json:"bastion,omitempty"`
+}
+
+// Bastion contains the custom properties used on bastion.
+type Bastion struct {
+	Hostname string `json:"hostname"`
+	User     string `json:"user,omitempty"`
+	Port     string `json:"port,omitempty"`
+	Command  string `json:"cmd,omitempty"`
+	Flags    string `json:"flags,omitempty"`
+}
+
+// HostTag are tagged with k,v pairs. These tags are how a user is ultimately
+// associated with a host.
+type HostTag struct {
+	ID    string
+	Name  string
+	Value string
+}
+
+// Host defines expected attributes for an ssh host.
+type Host struct {
+	HostID   string    `json:"hid"`
+	HostTags []HostTag `json:"host_tags"`
+	Hostname string    `json:"hostname"`
+}
+
+// Validate checks the fields in SSHConfig.
+func (c *SSHConfig) Validate() error {
+	if c == nil {
+		return nil
+	}
+	for _, k := range c.Keys {
+		if err := k.Validate(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// SSHPublicKey contains a public key used by federated CAs to keep old signing
+// keys for this ca.
+type SSHPublicKey struct {
+	Type      string          `json:"type"`
+	Federated bool            `json:"federated"`
+	Key       jose.JSONWebKey `json:"key"`
+	publicKey ssh.PublicKey
+}
+
+// Validate checks the fields in SSHPublicKey.
+func (k *SSHPublicKey) Validate() error {
+	switch {
+	case k.Type == "":
+		return errors.New("type cannot be empty")
+	case k.Type != provisioner.SSHHostCert && k.Type != provisioner.SSHUserCert:
+		return errors.Errorf("invalid type %s, it must be user or host", k.Type)
+	case !k.Key.IsPublic():
+		return errors.New("invalid key type, it must be a public key")
+	}
+
+	key, err := ssh.NewPublicKey(k.Key.Key)
+	if err != nil {
+		return errors.Wrap(err, "error creating ssh key")
+	}
+	k.publicKey = key
+	return nil
+}
+
+// PublicKey returns the ssh public key.
+func (k *SSHPublicKey) PublicKey() ssh.PublicKey {
+	return k.publicKey
+}
+
+// SSHKeys represents the SSH User and Host public keys.
+type SSHKeys struct {
+	UserKeys []ssh.PublicKey
+	HostKeys []ssh.PublicKey
+}
Original file line number	Diff line number	Diff line change
`@@ -23,11 +23,12 @@ var (`
`23`	`23`
`24`	`24`	`// DB is a struct that implements the AcmeDB interface.`
`25`	`25`	`type DB struct {`
`26`		`- db nosqlDB.DB`
	`26`	`+ db nosqlDB.DB`
	`27`	`+ authorityID string`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`// New configures and returns a new ACME DB backend implemented using a nosql DB.`
`30`		`-func New(db nosqlDB.DB) (*DB, error) {`
	`31`	`+func New(db nosqlDB.DB, authorityID string) (*DB, error) {`
`31`	`32`	`tables := [][]byte{accountTable, accountByKeyIDTable, authzTable,`
`32`	`33`	`challengeTable, nonceTable, orderTable, ordersByAccountIDTable, certTable}`
`33`	`34`	`for _, b := range tables {`
`@@ -36,7 +37,7 @@ func New(db nosqlDB.DB) (*DB, error) {`
`36`	`37`	`string(b))`
`37`	`38`	`}`
`38`	`39`	`}`
`39`		`- return &DB{db}, nil`
	`40`	`+ return &DB{db, authorityID}, nil`
`40`	`41`	`}`
`41`	`42`
`42`	`43`	`// save writes the new data to the database, overwriting the old data if it`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package authority`
	`1`	`+package config`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"fmt"`