Merge branch 'master' into ssh-cert-templates

Author: maraino

.golangci.yml

@@ -64,6 +64,7 @@ issues:
     - should have a package comment, unless it's in another file for this package
     - error strings should not be capitalized or end with punctuation or a newline
     - Wrapf call needs 1 arg but has 2 args
+    - cs.NegotiatedProtocolIsMutual is deprecated
 # golangci.com configuration
 # https://github.com/golangci/golangci/wiki/Configuration
 service:

.travis.yml

@@ -1,30 +1,34 @@
 language: go
+os: linux
+dist: focal
+services:
+  - docker
 go:
-- 1.14.x
+  - 1.14.x
 addons:
   apt:
     packages:
-    - debhelper
-    - fakeroot
-    - bash-completion
-    - libpcsclite-dev
+      - debhelper
+      - fakeroot
+      - bash-completion
+      - libpcsclite-dev
 env:
   global:
-  - V=1
+    - V=1
 before_script:
-- make bootstrap
+  - make bootstrap
 script:
-- make
-- make artifacts
+  - make
+  - make artifacts
 after_success:
-- bash <(curl -s https://codecov.io/bash) -t "$CODECOV_TOKEN" || echo "Codecov did
-  not collect coverage reports"
+  - bash <(curl -s https://codecov.io/bash) -t "$CODECOV_TOKEN" || echo "Codecov did
+    not collect coverage reports"
 notifications:
   email: false
 deploy:
   provider: releases
-  skip_cleanup: true
-  api_key:
+  cleanup: false
+  token:
     secure: EVV43Vkqn67hhKGYn4WhQp2YO6KFmUDSkLXjYXYGX07Fm8p5KjRFBPOz9LV83QrvVmLigvg0CtR8Jqqcnq2SUhus3nhZaN2g19NhMypZLioyOVP0kAkas8ocuvxkwz3YxIK/yMrmTKbQ7JGXtbc8IjAox9ovNo1fFIQmVMAzPfu++OWBJ0j+gUqKtpaNA7gzsSv8UOw3/T3hNm6E1IbpWxl9BPSOzUOE9F/QOThANzifGfdxvqNJFkAgqu5DVPz8zQNbMrz4zH+KwASKxd6hjhzSSMzouKzOEHTA/elDCHEjke0Jos29MkGWHcIydLtCD95DGecqM8BFSC9f2acHDjmUO1rdfoLA3Pt+UiZJuTwyQm/jrHHhRnH8oJpK15G5LvxSqzY9YDWpAk38+jMw/udW6wt7BGAU8FEXLbq0bsFL3yfTepeWjmzT5WS0YXdiBz2SEK+Og9R2bSdtl4owghRzKNio5DNPuYAbqbpi+jqzqQVLj27x7LWoQ0MHvZcz9U+oO00r6M1tDCmFVRdtfgb2H+MIDY69qYGo5qoGMfH1btCWR8bA9wSYB/Z7hW/xZT9r7f/d5/P40k8yKINmTZqyUTQeplrE3y4BPVzKksclczBZa67syIUQ49I35QppnH4GFQHUwlra7r3W9zfZRvaLnp5qOIKAQe3MAIZqtLg=
   file_glob: true
   file: .travis-releases/*

Makefile

@@ -46,17 +46,25 @@ VERSION ?= $(shell [ -d .git ] && git describe --tags --always --dirty="-dev")
 # If we are not in an active git dir then try reading the version from .VERSION.
 # .VERSION contains a slug populated by `git archive`.
 VERSION := $(or $(VERSION),$(shell ./.version.sh .VERSION))
+	ifeq ($(TRAVIS_BRANCH),master)
 PUSHTYPE := master
+	else
+PUSHTYPE := branch
+	endif
 endif
 
 VERSION := $(shell echo $(VERSION) | sed 's/^v//')
+DEB_VERSION := $(shell echo $(VERSION) | sed 's/-/~/g')
 
 ifdef V
 $(info    TRAVIS_TAG is $(TRAVIS_TAG))
 $(info    VERSION is $(VERSION))
+$(info    DEB_VERSION is $(DEB_VERSION))
 $(info    PUSHTYPE is $(PUSHTYPE))
 endif
 
+include make/docker.mk
+
 #########################################
 # Build
 #########################################
@@ -134,13 +142,15 @@ lint:
 
 INSTALL_PREFIX?=/usr/
 
-install: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME)
+install: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME)
 	$Q install -D $(PREFIX)bin/$(BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(BINNAME)
 	$Q install -D $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(CLOUDKMS_BINNAME)
+	$Q install -D $(PREFIX)bin/$(AWSKMS_BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(AWSKMS_BINNAME)
 
 uninstall:
 	$Q rm -f $(DESTDIR)$(INSTALL_PREFIX)/bin/$(BINNAME)
 	$Q rm -f $(DESTDIR)$(INSTALL_PREFIX)/bin/$(CLOUDKMS_BINNAME)
+	$Q rm -f $(DESTDIR)$(INSTALL_PREFIX)/bin/$(AWSKMS_BINNAME)
 
 .PHONY: install uninstall
 
@@ -155,6 +165,12 @@ endif
 ifneq ($(CLOUDKMS_BINNAME),"")
 	$Q rm -f bin/$(CLOUDKMS_BINNAME)
 endif
+ifneq ($(AWSKMS_BINNAME),"")
+	$Q rm -f bin/$(AWSKMS_BINNAME)
+endif
+ifneq ($(YUBIKEY_BINNAME),"")
+	$Q rm -f bin/$(YUBIKEY_BINNAME)
+endif
 
 .PHONY: clean
 
@@ -167,82 +183,12 @@ run:
 
 .PHONY: run
 
-#########################################
-# Building Docker Image
-#
-# Builds a dockerfile for step by building a linux version of the step-cli and
-# then copying the specific binary when building the container.
-#
-# This ensures the container is as small as possible without having to deal
-# with getting access to private repositories inside the container during build
-# time.
-#########################################
-
-# XXX We put the output for the build in 'output' so we don't mess with how we
-# do rule overriding from the base Makefile (if you name it 'build' it messes up
-# the wildcarding).
-DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
-
-DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(2)
-DOCKER_BUILD=$Q docker build -t smallstep/$(1):latest -f docker/$(2) --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(1) .
-
-docker: docker-make docker/Dockerfile.step-ca
-	$(call DOCKER_BUILD,step-ca,Dockerfile.step-ca)
-
-docker-make:
-	mkdir -p $(DOCKER_OUTPUT)
-	$(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca)
-
-.PHONY: docker docker-make
-
-#################################################
-# Releasing Docker Images
-#
-# Using the docker build infrastructure, this section is responsible for
-# logging into docker hub and pushing the built docker containers up with the
-# appropriate tags.
-#################################################
-
-DOCKER_TAG=docker tag smallstep/$(1):latest smallstep/$(1):$(2)
-DOCKER_PUSH=docker push smallstep/$(1):$(2)
-
-docker-tag:
-	$(call DOCKER_TAG,step-ca,$(VERSION))
-
-docker-push-tag: docker-tag
-	$(call DOCKER_PUSH,step-ca,$(VERSION))
-
-docker-push-tag-latest:
-	$(call DOCKER_PUSH,step-ca,latest)
-
-# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or
-# equivalent environment
-docker-login:
-	$Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)"
-
-.PHONY: docker-login docker-tag docker-push-tag docker-push-tag-latest
-
-#################################################
-# Targets for pushing the docker images
-#################################################
-
-# For all builds we build the docker container
-docker-master: docker
-
-# For all builds with a release candidate tag
-docker-release-candidate: docker-master docker-login docker-push-tag
-
-# For all builds with a release tag
-docker-release: docker-release-candidate docker-push-tag-latest
-
-.PHONY: docker-master docker-release-candidate docker-release
-
 #########################################
 # Debian
 #########################################
 
 changelog:
-	$Q echo "step-certificates ($(VERSION)) unstable; urgency=medium" > debian/changelog
+	$Q echo "step-certificates ($(DEB_VERSION)) unstable; urgency=medium" > debian/changelog
 	$Q echo >> debian/changelog
 	$Q echo "  * See https://github.com/smallstep/certificates/releases" >> debian/changelog
 	$Q echo >> debian/changelog
@@ -270,7 +216,7 @@ define BUNDLE_MAKE
 	# $(2) -- Go Architecture (e.g. amd64, arm, arm64, etc.)
 	# $(3) -- Go ARM architectural family (e.g. 7, 8, etc.)
 	# $(4) -- Parent directory for executables generated by 'make'.
-	$(q) GOOS_OVERRIDE='GOOS=$(1) GOARCH=$(2) GOARM=$(3)' PREFIX=$(4) make $(4)bin/$(BINNAME) $(4)bin/$(CLOUDKMS_BINNAME)
+	$(q) GOOS_OVERRIDE='GOOS=$(1) GOARCH=$(2) GOARM=$(3)' PREFIX=$(4) make $(4)bin/$(BINNAME) $(4)bin/$(CLOUDKMS_BINNAME) $(4)bin/$(AWSKMS_BINNAME)
 endef
 
 binary-linux:
@@ -290,16 +236,16 @@ define BUNDLE
 	# $(2) -- Step Platform Name
 	# $(3) -- Step Binary Architecture
 	# $(4) -- Step Binary Name (For Windows Comaptibility)
-	$(q) ./make/bundle.sh "$(BINARY_OUTPUT)$(1)" "$(RELEASE)" "$(VERSION)" "$(2)" "$(3)" "$(4)" "$(5)"
+	$(q) ./make/bundle.sh "$(BINARY_OUTPUT)$(1)" "$(RELEASE)" "$(VERSION)" "$(2)" "$(3)" "$(4)" "$(5)" "$(6)"
 endef
 
 bundle-linux: binary-linux binary-linux-arm64 binary-linux-armv7
-	$(call BUNDLE,linux,linux,amd64,$(BINNAME),$(CLOUDKMS_BINNAME))
-	$(call BUNDLE,linux.arm64,linux,arm64,$(BINNAME),$(CLOUDKMS_BINNAME))
-	$(call BUNDLE,linux.armv7,linux,armv7,$(BINNAME),$(CLOUDKMS_BINNAME))
+	$(call BUNDLE,linux,linux,amd64,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
+	$(call BUNDLE,linux.arm64,linux,arm64,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
+	$(call BUNDLE,linux.armv7,linux,armv7,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
 
 bundle-darwin: binary-darwin
-	$(call BUNDLE,darwin,darwin,amd64,$(BINNAME),$(CLOUDKMS_BINNAME))
+	$(call BUNDLE,darwin,darwin,amd64,$(BINNAME),$(CLOUDKMS_BINNAME),$(AWSKMS_BINNAME))
 
 .PHONY: binary-linux binary-darwin bundle-linux bundle-darwin
 
@@ -323,6 +269,9 @@ artifacts-tag: artifacts-linux-tag artifacts-darwin-tag artifacts-archive-tag
 # Targets for creating step artifacts
 #################################################
 
+# For all builds that are not tagged and not on the master branch
+artifacts-branch:
+
 # For all builds that are not tagged
 artifacts-master:
 

acme/api/handler.go

@@ -2,6 +2,8 @@ package api
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"net/http"
 
@@ -162,6 +164,18 @@ func (h *Handler) GetCertificate(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	block, _ := pem.Decode(certBytes)
+	if block == nil {
+		api.WriteError(w, acme.ServerInternalErr(errors.New("failed to decode any certificates from generated certBytes")))
+		return
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		api.WriteError(w, acme.Wrap(err, "failed to parse generated leaf certificate"))
+		return
+	}
+
+	api.LogCertificate(w, cert)
 	w.Header().Set("Content-Type", "application/pem-certificate-chain; charset=utf-8")
 	w.Write(certBytes)
 }

acme/api/handler_test.go

@@ -526,6 +526,43 @@ func TestHandlerGetCertificate(t *testing.T) {
 				problem:    acme.ServerInternalErr(errors.New("force")),
 			}
 		},
+		"fail/decode-leaf-for-loggger": func(t *testing.T) test {
+			acc := &acme.Account{ID: "accID"}
+			ctx := context.WithValue(context.Background(), acme.AccContextKey, acc)
+			ctx = context.WithValue(ctx, chi.RouteCtxKey, chiCtx)
+			return test{
+				auth: &mockAcmeAuthority{
+					getCertificate: func(accID, id string) ([]byte, error) {
+						assert.Equals(t, accID, acc.ID)
+						assert.Equals(t, id, certID)
+						return []byte("foo"), nil
+					},
+				},
+				ctx:        ctx,
+				statusCode: 500,
+				problem:    acme.ServerInternalErr(errors.New("failed to decode any certificates from generated certBytes")),
+			}
+		},
+		"fail/parse-x509-leaf-for-logger": func(t *testing.T) test {
+			acc := &acme.Account{ID: "accID"}
+			ctx := context.WithValue(context.Background(), acme.AccContextKey, acc)
+			ctx = context.WithValue(ctx, chi.RouteCtxKey, chiCtx)
+			return test{
+				auth: &mockAcmeAuthority{
+					getCertificate: func(accID, id string) ([]byte, error) {
+						assert.Equals(t, accID, acc.ID)
+						assert.Equals(t, id, certID)
+						return pem.EncodeToMemory(&pem.Block{
+							Type:  "CERTIFICATE REQUEST",
+							Bytes: []byte("foo"),
+						}), nil
+					},
+				},
+				ctx:        ctx,
+				statusCode: 500,
+				problem:    acme.ServerInternalErr(errors.New("failed to parse generated leaf certificate")),
+			}
+		},
 		"ok": func(t *testing.T) test {
 			acc := &acme.Account{ID: "accID"}
 			ctx := context.WithValue(context.Background(), acme.AccContextKey, acc)
@@ -565,7 +602,7 @@ func TestHandlerGetCertificate(t *testing.T) {
 				prob := tc.problem.ToACME()
 
 				assert.Equals(t, ae.Type, prob.Type)
-				assert.Equals(t, ae.Detail, prob.Detail)
+				assert.HasPrefix(t, ae.Detail, prob.Detail)
 				assert.Equals(t, ae.Identifier, prob.Identifier)
 				assert.Equals(t, ae.Subproblems, prob.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})

api/api.go

@@ -394,7 +394,8 @@ func logOtt(w http.ResponseWriter, token string) {
 	}
 }
 
-func logCertificate(w http.ResponseWriter, cert *x509.Certificate) {
+// LogCertificate add certificate fields to the log message.
+func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 	if rl, ok := w.(logging.ResponseLogger); ok {
 		m := map[string]interface{}{
 			"serial":      cert.SerialNumber,
@@ -412,7 +413,11 @@ func logCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 				if err != nil || len(rest) > 0 {
 					break
 				}
-				m["provisioner"] = fmt.Sprintf("%s (%s)", val.Name, val.CredentialID)
+				if len(val.CredentialID) > 0 {
+					m["provisioner"] = fmt.Sprintf("%s (%s)", val.Name, val.CredentialID)
+				} else {
+					m["provisioner"] = fmt.Sprintf("%s", val.Name)
+				}
 				break
 			}
 		}

api/rekey.go

@@ -54,7 +54,7 @@ func (h *caHandler) Rekey(w http.ResponseWriter, r *http.Request) {
 		caPEM = certChainPEM[1]
 	}
 
-	logCertificate(w, certChain[0])
+	LogCertificate(w, certChain[0])
 	JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,

api/renew.go

@@ -25,7 +25,7 @@ func (h *caHandler) Renew(w http.ResponseWriter, r *http.Request) {
 		caPEM = certChainPEM[1]
 	}
 
-	logCertificate(w, certChain[0])
+	LogCertificate(w, certChain[0])
 	JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,

api/revoke.go

@@ -91,7 +91,7 @@ func (h *caHandler) Revoke(w http.ResponseWriter, r *http.Request) {
 		// TODO: should probably be checking if the certificate was revoked here.
 		// Will need to thread that request down to the authority, so will need
 		// to add API for that.
-		logCertificate(w, opts.Crt)
+		LogCertificate(w, opts.Crt)
 		opts.MTLS = true
 	}
 

api/sign.go

@@ -82,7 +82,7 @@ func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
 	if len(certChainPEM) > 1 {
 		caPEM = certChainPEM[1]
 	}
-	logCertificate(w, certChain[0])
+	LogCertificate(w, certChain[0])
 	JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
 		CaPEM:        caPEM,