
Function OfflineTokenFlow

utils/cautils/token_flow.go:212–273  ·  view source on GitHub ↗

OfflineTokenFlow generates a provisioning token using either (1) the static configuration in ca.json (created with `step ca init`) or (2) input from command-line flags. The two options are mutually exclusive and ca.json takes priority: when the file named by `--ca-config` exists it is loaded as an offline CA and the token is generated from it; otherwise the flag path is used, which requires `--provisioner`/`--issuer` and `--key`, derives the token audience from `--ca-url`, and falls back to the default root CA path when `--root` is not set. NOTE(review): in the listing below the fallback check reads `if utils.FileExists(root)` and returns a "root flag required" error when the default root file *does* exist, continuing when it does not — this looks inverted (presumably `!utils.FileExists(root)` was intended); confirm against the upstream source before relying on the default-root behaviour.

(ctx *cli.Context, typ int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration)


210//
211// These two options are mutually exclusive and priority is given to ca.json.
212func OfflineTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error) {
213 caConfig := ctx.String("ca-config")
214 if caConfig == "" {
215 return "", errs.InvalidFlagValue(ctx, "ca-config", "", "")
216 }
217
218 // Using the offline CA
219 if utils.FileExists(caConfig) {
220 offlineCA, err := NewOfflineCA(ctx, caConfig)
221 if err != nil {
222 return "", err
223 }
224 return offlineCA.GenerateToken(ctx, typ, subject, sans, notBefore, notAfter, certNotBefore, certNotAfter)
225 }
226
227 kid := ctx.String("kid")
228 provisionerName, flag := flags.FirstStringOf(ctx, "provisioner", "issuer")
229
230 // Require provisionerName and keyFile if ca.json does not exists.
231 // kid can be passed or created using jwk.Thumbprint.
232 switch {
233 case provisionerName == "":
234 return "", errs.RequiredWithFlag(ctx, "offline", flag)
235 case ctx.String("key") == "":
236 return "", errs.RequiredWithFlag(ctx, "offline", "key")
237 }
238
239 // Get audience from ca-url
240 audience, err := parseAudience(ctx, typ)
241 if err != nil {
242 return "", err
243 }
244
245 // Get root from argument or default location
246 root := ctx.String("root")
247 if root == "" {
248 root = pki.GetRootCAPath()
249 if utils.FileExists(root) {
250 return "", errs.RequiredFlag(ctx, "root")
251 }
252 }
253
254 tokAttrs := tokenAttrs{
255 subject: subject,
256 root: root,
257 audience: audience,
258 provisionerName: provisionerName,
259 kid: kid,
260 sans: sans,
261 notBefore: notBefore,
262 notAfter: notAfter,
263 certNotBefore: certNotBefore,
264 certNotAfter: certNotAfter,
265 }
266
267 switch {
268 case ctx.IsSet("x5c-cert") || ctx.IsSet("x5c-key"):
269 return generateX5CToken(ctx, nil, typ, tokAttrs)
