You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
176 lines
4.8 KiB
Go
176 lines
4.8 KiB
Go
package api
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/go-chi/chi"
|
|
"github.com/smallstep/certificates/api"
|
|
"github.com/smallstep/certificates/authority"
|
|
"github.com/smallstep/certificates/authority/admin"
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
|
"github.com/smallstep/certificates/errs"
|
|
"go.step.sm/linkedca"
|
|
)
|
|
|
|
// GetProvisionersResponse is the type for GET /admin/provisioners responses.
|
|
type GetProvisionersResponse struct {
|
|
Provisioners provisioner.List `json:"provisioners"`
|
|
NextCursor string `json:"nextCursor"`
|
|
}
|
|
|
|
// GetProvisioner returns the requested provisioner, or an error.
|
|
func (h *Handler) GetProvisioner(w http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
|
|
id := r.URL.Query().Get("id")
|
|
name := chi.URLParam(r, "name")
|
|
|
|
var (
|
|
p provisioner.Interface
|
|
err error
|
|
)
|
|
if len(id) > 0 {
|
|
if p, err = h.auth.LoadProvisionerByID(id); err != nil {
|
|
api.WriteError(w, admin.WrapErrorISE(err, "error loading provisioner %s", id))
|
|
return
|
|
}
|
|
} else {
|
|
if p, err = h.auth.LoadProvisionerByName(name); err != nil {
|
|
api.WriteError(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
|
|
return
|
|
}
|
|
}
|
|
|
|
prov, err := h.db.GetProvisioner(ctx, p.GetID())
|
|
if err != nil {
|
|
api.WriteError(w, err)
|
|
return
|
|
}
|
|
api.ProtoJSON(w, prov)
|
|
}
|
|
|
|
// GetProvisioners returns the given segment of provisioners associated with the authority.
|
|
func (h *Handler) GetProvisioners(w http.ResponseWriter, r *http.Request) {
|
|
cursor, limit, err := api.ParseCursor(r)
|
|
if err != nil {
|
|
api.WriteError(w, admin.WrapError(admin.ErrorBadRequestType, err,
|
|
"error parsing cursor & limit query params"))
|
|
return
|
|
}
|
|
|
|
p, next, err := h.auth.GetProvisioners(cursor, limit)
|
|
if err != nil {
|
|
api.WriteError(w, errs.InternalServerErr(err))
|
|
return
|
|
}
|
|
api.JSON(w, &GetProvisionersResponse{
|
|
Provisioners: p,
|
|
NextCursor: next,
|
|
})
|
|
}
|
|
|
|
// CreateProvisioner creates a new prov.
|
|
func (h *Handler) CreateProvisioner(w http.ResponseWriter, r *http.Request) {
|
|
var prov = new(linkedca.Provisioner)
|
|
if err := api.ReadProtoJSON(r.Body, prov); err != nil {
|
|
api.WriteError(w, err)
|
|
return
|
|
}
|
|
|
|
// TODO: Validate inputs
|
|
if err := authority.ValidateClaims(prov.Claims); err != nil {
|
|
api.WriteError(w, err)
|
|
return
|
|
}
|
|
|
|
if err := h.auth.StoreProvisioner(r.Context(), prov); err != nil {
|
|
api.WriteError(w, admin.WrapErrorISE(err, "error storing provisioner %s", prov.Name))
|
|
return
|
|
}
|
|
api.ProtoJSONStatus(w, prov, http.StatusCreated)
|
|
}
|
|
|
|
// DeleteProvisioner deletes a provisioner.
|
|
func (h *Handler) DeleteProvisioner(w http.ResponseWriter, r *http.Request) {
|
|
id := r.URL.Query().Get("id")
|
|
name := chi.URLParam(r, "name")
|
|
|
|
var (
|
|
p provisioner.Interface
|
|
err error
|
|
)
|
|
if len(id) > 0 {
|
|
if p, err = h.auth.LoadProvisionerByID(id); err != nil {
|
|
api.WriteError(w, admin.WrapErrorISE(err, "error loading provisioner %s", id))
|
|
return
|
|
}
|
|
} else {
|
|
if p, err = h.auth.LoadProvisionerByName(name); err != nil {
|
|
api.WriteError(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
|
|
return
|
|
}
|
|
}
|
|
|
|
if err := h.auth.RemoveProvisioner(r.Context(), p.GetID()); err != nil {
|
|
api.WriteError(w, admin.WrapErrorISE(err, "error removing provisioner %s", p.GetName()))
|
|
return
|
|
}
|
|
|
|
api.JSON(w, &DeleteResponse{Status: "ok"})
|
|
}
|
|
|
|
// UpdateProvisioner updates an existing prov.
|
|
func (h *Handler) UpdateProvisioner(w http.ResponseWriter, r *http.Request) {
|
|
var nu = new(linkedca.Provisioner)
|
|
if err := api.ReadProtoJSON(r.Body, nu); err != nil {
|
|
api.WriteError(w, err)
|
|
return
|
|
}
|
|
|
|
name := chi.URLParam(r, "name")
|
|
_old, err := h.auth.LoadProvisionerByName(name)
|
|
if err != nil {
|
|
api.WriteError(w, admin.WrapErrorISE(err, "error loading provisioner from cached configuration '%s'", name))
|
|
return
|
|
}
|
|
|
|
old, err := h.db.GetProvisioner(r.Context(), _old.GetID())
|
|
if err != nil {
|
|
api.WriteError(w, admin.WrapErrorISE(err, "error loading provisioner from db '%s'", _old.GetID()))
|
|
return
|
|
}
|
|
|
|
if nu.Id != old.Id {
|
|
api.WriteError(w, admin.NewErrorISE("cannot change provisioner ID"))
|
|
return
|
|
}
|
|
if nu.Type != old.Type {
|
|
api.WriteError(w, admin.NewErrorISE("cannot change provisioner type"))
|
|
return
|
|
}
|
|
if nu.AuthorityId != old.AuthorityId {
|
|
api.WriteError(w, admin.NewErrorISE("cannot change provisioner authorityID"))
|
|
return
|
|
}
|
|
if !nu.CreatedAt.AsTime().Equal(old.CreatedAt.AsTime()) {
|
|
api.WriteError(w, admin.NewErrorISE("cannot change provisioner createdAt"))
|
|
return
|
|
}
|
|
if !nu.DeletedAt.AsTime().Equal(old.DeletedAt.AsTime()) {
|
|
api.WriteError(w, admin.NewErrorISE("cannot change provisioner deletedAt"))
|
|
return
|
|
}
|
|
|
|
// TODO: Validate inputs
|
|
if err := authority.ValidateClaims(nu.Claims); err != nil {
|
|
api.WriteError(w, err)
|
|
return
|
|
}
|
|
|
|
if err := h.auth.UpdateProvisioner(r.Context(), nu); err != nil {
|
|
api.WriteError(w, err)
|
|
return
|
|
}
|
|
api.ProtoJSONStatus(w, nu, http.StatusOK)
|
|
}
|