NewTokenFlow implements the common flow used to generate a token
(ctx *cli.Context, tokType int, subject string, sans []string, caURL, root string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration, opts ...Option)
| 99 | |
| 100 | // NewTokenFlow implements the common flow used to generate a token |
| 101 | func NewTokenFlow(ctx *cli.Context, tokType int, subject string, sans []string, caURL, root string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration, opts ...Option) (string, error) { |
| 102 | // Apply options to shared context |
| 103 | for _, opt := range opts { |
| 104 | opt.apply(&sharedContext) |
| 105 | } |
| 106 | |
| 107 | // Get audience from ca-url |
| 108 | audience, err := parseAudience(ctx, tokType) |
| 109 | if err != nil { |
| 110 | return "", err |
| 111 | } |
| 112 | |
| 113 | // All provisioners use the same type of tokens to do a X.509 renewal. |
| 114 | if tokType == RenewType { |
| 115 | return generateRenewToken(ctx, audience, subject) |
| 116 | } |
| 117 | |
| 118 | provisioners, err := pki.GetProvisioners(caURL, root) |
| 119 | if err != nil { |
| 120 | return "", err |
| 121 | } |
| 122 | p, err := provisionerPrompt(ctx, provisioners) |
| 123 | if err != nil { |
| 124 | return "", err |
| 125 | } |
| 126 | |
| 127 | if subject == "" { |
| 128 | // For OIDC provisioners the CA automatically generates the principals |
| 129 | // from the email address. |
| 130 | if _, ok := p.(*provisioner.OIDC); !ok { |
| 131 | q := "What DNS names or IP addresses would you like to use? (e.g. internal.smallstep.com)" |
| 132 | if tokType == SSHUserSignType { |
| 133 | q = "What user principal would you like to use? (e.g. alice)" |
| 134 | } |
| 135 | subject, err = ui.Prompt(q, ui.WithValidateNotEmpty()) |
| 136 | if err != nil { |
| 137 | return "", err |
| 138 | } |
| 139 | } |
| 140 | } |
| 141 | |
| 142 | tokAttrs := tokenAttrs{ |
| 143 | subject: subject, |
| 144 | root: root, |
| 145 | caURL: caURL, |
| 146 | audience: audience, |
| 147 | sans: sans, |
| 148 | notBefore: notBefore, |
| 149 | notAfter: notAfter, |
| 150 | certNotBefore: certNotBefore, |
| 151 | certNotAfter: certNotAfter, |
| 152 | } |
| 153 | |
| 154 | switch p := p.(type) { |
| 155 | case *provisioner.JWK: // Get the step standard JWT. |
| 156 | return generateJWKToken(ctx, p, tokType, tokAttrs) |
| 157 | case *provisioner.OIDC: // Run step oauth. |
| 158 | return generateOIDCToken(ctx, p) |
no test coverage detected
searching dependent graphs…