Do not fail if a provisioner cannot be initialized #1765
@dopey @hslatman, I still need to make sure this works as expected in all cases. Should I write the reason in the provisioner list, as I'm doing right now?

```
$ step ca certificate --token ... mariano@smallstep.com mariano.crt mariano.key
✔ CA: https://ca.smallstep.com:9000
provisioner "Google" is disabled due to an initialization error
Re-run with STEPDEBUG=1 for more info.
$ curl -s https://ca.smallstep.com:9000/provisioners | jq '.provisioners[] | select(.name=="Google")'
{
  "type": "OIDC",
  "name": "Google",
  "...": "...",
  "disabled": true,
  "disabledReason": "failed to connect to https://localhost:9000/.well-known/openid-configuration: Get \"https://localhost:9000/.well-known/openid-configuration\": dial tcp [::1]:9000: connect: connection refused"
}
```
@maraino EDIT: I realized if I took the

@maraino the approach makes sense to me. Only thing I can think of now is that it maybe needs to be a more specific state, such as Admittedly, that's a different thing than this issue, but the behavior is related to what's in this PR. It would probably make things slightly more complex because the state of the provisioner would have to be taken into account in more places, but I don't think that's a bad thing per se. As long as the current changes are mostly internal, and our JSON outputs not being documented in formal API docs, I think we can change/break the property names and/or uses in the future too, so I don't view the above as a blocker for the current state to go in as is, and to change it in the future.
This commit allows injecting a custom key manager for SCEP.
8ad6c02 to 06a9d2e
This commit renames the Disabled provisioner to Uninitialized and adds a state instead of just a boolean. It also adds tests.
This commit will mark a provisioner as disabled if it fails to initialize. The provisioner will be visible, but authorizing a token with a disabled provisioner will always fail.
Fixes: #589, #1757
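
The behaviour this PR describes (a provisioner that fails to initialize stays visible in the list, but authorizing a token with it always fails), as an added Go example. It is not the smallstep code: the `State`, `Provisioner`, `Load` and `Authorize` names are hypothetical, and the sample provisioner in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// State is hypothetical: the thread only says a state replaces the boolean.
type State int
const (
	StateReady State = iota
	StateUninitialized
)

// Provisioner is a simplified stand-in, not the smallstep type.
type Provisioner struct {
	Name   string
	State  State
	Reason string                   // why Init failed; empty when ready
	Init   func() error             // e.g. fetch the OIDC discovery document
	Verify func(token string) error // token validation once initialized
}

var ErrUninitialized = errors.New("disabled due to an initialization error")

// Load tolerates Init failures: the provisioner stays listed, with the reason.
func Load(ps []*Provisioner) []*Provisioner {
	for _, p := range ps {
		if err := p.Init(); err != nil {
			p.State, p.Reason = StateUninitialized, err.Error()
		}
	}
	return ps
}

// Authorize fails closed: Verify is never reached unless Init succeeded.
func Authorize(p *Provisioner, token string) error {
	if p.State != StateReady {
		return fmt.Errorf("provisioner %q: %w", p.Name, ErrUninitialized)
	}
	return p.Verify(token)
}

func main() {
	ok := func(string) error { return nil } // constructed verifier
	down := func() error { return errors.New("connection refused") }
	for _, p := range Load([]*Provisioner{{Name: "Google", Init: down, Verify: ok}}) {
		fmt.Println(p.Name, p.Reason, Authorize(p, "constructed-token"))
	}
}
```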