TrueCloudLab/certificates
17
0
Fork 2
Code Issues 1 Pull requests 1 Releases Activity Actions

Improve test coverage for Policy Admin API

Browse source
This commit is contained in:
Herman Slatman 2022-04-15 10:43:10 +02:00
parent 256fe113f7
commit 30d5d89a13
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
9 changed files with 2387 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
api/read/read.go
View file

@ -35,6 +35,7 @@ func ProtoJSON(r io.Reader, m proto.Message) error {
// ProtoJSONWithCheck reads JSON from the request body and stores it in the value // ProtoJSONWithCheck reads JSON from the request body and stores it in the value
// pointed to by m. Returns false if an error was written; true if not. // pointed to by m. Returns false if an error was written; true if not.
// TODO(hs): refactor this after the API flow changes are in (or before if that works)
func ProtoJSONWithCheck(w http.ResponseWriter, r io.Reader, m proto.Message) bool { func ProtoJSONWithCheck(w http.ResponseWriter, r io.Reader, m proto.Message) bool {
data, err := io.ReadAll(r) data, err := io.ReadAll(r)
if err != nil { if err != nil {
@ -57,9 +58,12 @@ func ProtoJSONWithCheck(w http.ResponseWriter, r io.Reader, m proto.Message) boo
if err := protojson.Unmarshal(data, m); err != nil { if err := protojson.Unmarshal(data, m); err != nil {
if errors.Is(err, proto.Error) { if errors.Is(err, proto.Error) {
var wrapper = struct { var wrapper = struct {
// TODO(hs): more properties in the error response? Type string `json:"type"`
Detail string `json:"detail"`
Message string `json:"message"` Message string `json:"message"`
}{ }{
Type: "badRequest",
Detail: "bad request",
Message: err.Error(), Message: err.Error(),
} }
errData, err := json.Marshal(wrapper) errData, err := json.Marshal(wrapper)

213
authority/admin/api/acme_test.go
View file

@ -7,17 +7,19 @@ import (
"io" "io"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"reflect"
"strings" "strings"
"testing" "testing"
"time"
"github.com/go-chi/chi" "github.com/go-chi/chi"
"github.com/smallstep/assert"
"github.com/smallstep/certificates/acme"
"github.com/smallstep/certificates/authority/admin"
"go.step.sm/linkedca"
"google.golang.org/protobuf/encoding/protojson" "google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/proto" "google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/timestamppb"
"go.step.sm/linkedca"
"github.com/smallstep/assert"
"github.com/smallstep/certificates/authority/admin"
) )
func readProtoJSON(r io.ReadCloser, m proto.Message) error { func readProtoJSON(r io.ReadCloser, m proto.Message) error {
@ -341,3 +343,204 @@ func TestHandler_GetExternalAccountKeys(t *testing.T) {
}) })
} }
} }
func Test_eakToLinked(t *testing.T) {
tests := []struct {
name string
k *acme.ExternalAccountKey
want *linkedca.EABKey
}{
{
name: "no-key",
k: nil,
want: nil,
},
{
name: "no-policy",
k: &acme.ExternalAccountKey{
ID: "keyID",
ProvisionerID: "provID",
Reference: "ref",
AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: nil,
},
want: &linkedca.EABKey{
Id: "keyID",
Provisioner: "provID",
HmacKey: []byte{1, 3, 3, 7},
Reference: "ref",
Account: "accID",
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
Policy: nil,
},
},
{
name: "with-policy",
k: &acme.ExternalAccountKey{
ID: "keyID",
ProvisionerID: "provID",
Reference: "ref",
AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: &acme.Policy{
X509: acme.X509Policy{
Allowed: acme.PolicyNames{
DNSNames: []string{"*.local"},
IPRanges: []string{"10.0.0.0/24"},
},
Denied: acme.PolicyNames{
DNSNames: []string{"badhost.local"},
IPRanges: []string{"10.0.0.30"},
},
},
},
},
want: &linkedca.EABKey{
Id: "keyID",
Provisioner: "provID",
HmacKey: []byte{1, 3, 3, 7},
Reference: "ref",
Account: "accID",
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
Policy: &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
Ips: []string{"10.0.0.0/24"},
},
Deny: &linkedca.X509Names{
Dns: []string{"badhost.local"},
Ips: []string{"10.0.0.30"},
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := eakToLinked(tt.k); !reflect.DeepEqual(got, tt.want) {
t.Errorf("eakToLinked() = %v, want %v", got, tt.want)
}
})
}
}
func Test_linkedEAKToCertificates(t *testing.T) {
tests := []struct {
name string
k *linkedca.EABKey
want *acme.ExternalAccountKey
}{
{
name: "no-key",
k: nil,
want: nil,
},
{
name: "no-policy",
k: &linkedca.EABKey{
Id: "keyID",
Provisioner: "provID",
HmacKey: []byte{1, 3, 3, 7},
Reference: "ref",
Account: "accID",
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
Policy: nil,
},
want: &acme.ExternalAccountKey{
ID: "keyID",
ProvisionerID: "provID",
Reference: "ref",
AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: nil,
},
},
{
name: "no-x509-policy",
k: &linkedca.EABKey{
Id: "keyID",
Provisioner: "provID",
HmacKey: []byte{1, 3, 3, 7},
Reference: "ref",
Account: "accID",
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
Policy: &linkedca.Policy{},
},
want: &acme.ExternalAccountKey{
ID: "keyID",
ProvisionerID: "provID",
Reference: "ref",
AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: &acme.Policy{},
},
},
{
name: "with-x509-policy",
k: &linkedca.EABKey{
Id: "keyID",
Provisioner: "provID",
HmacKey: []byte{1, 3, 3, 7},
Reference: "ref",
Account: "accID",
CreatedAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour)),
BoundAt: timestamppb.New(time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC)),
Policy: &linkedca.Policy{
X509: &linkedca.X509Policy{
Allow: &linkedca.X509Names{
Dns: []string{"*.local"},
Ips: []string{"10.0.0.0/24"},
},
Deny: &linkedca.X509Names{
Dns: []string{"badhost.local"},
Ips: []string{"10.0.0.30"},
},
},
},
},
want: &acme.ExternalAccountKey{
ID: "keyID",
ProvisionerID: "provID",
Reference: "ref",
AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: &acme.Policy{
X509: acme.X509Policy{
Allowed: acme.PolicyNames{
DNSNames: []string{"*.local"},
IPRanges: []string{"10.0.0.0/24"},
},
Denied: acme.PolicyNames{
DNSNames: []string{"badhost.local"},
IPRanges: []string{"10.0.0.30"},
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := linkedEAKToCertificates(tt.k); !reflect.DeepEqual(got, tt.want) {
t.Errorf("linkedEAKToCertificates() = %v, want %v", got, tt.want)
}
})
}
}

24
authority/admin/api/admin_test.go
View file

@ -41,8 +41,8 @@ type mockAdminAuthority struct {
MockRemoveProvisioner func(ctx context.Context, id string) error MockRemoveProvisioner func(ctx context.Context, id string) error
MockGetAuthorityPolicy func(ctx context.Context) (*linkedca.Policy, error) MockGetAuthorityPolicy func(ctx context.Context) (*linkedca.Policy, error)
MockCreateAuthorityPolicy func(ctx context.Context, policy *linkedca.Policy) (*linkedca.Policy, error) MockCreateAuthorityPolicy func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error)
MockUpdateAuthorityPolicy func(ctx context.Context, policy *linkedca.Policy) error MockUpdateAuthorityPolicy func(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error)
MockRemoveAuthorityPolicy func(ctx context.Context) error MockRemoveAuthorityPolicy func(ctx context.Context) error
} }
@ -138,19 +138,31 @@ func (m *mockAdminAuthority) RemoveProvisioner(ctx context.Context, id string) e
} }
func (m *mockAdminAuthority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) { func (m *mockAdminAuthority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) {
return nil, errors.New("not implemented yet") if m.MockGetAuthorityPolicy != nil {
return m.MockGetAuthorityPolicy(ctx)
}
return m.MockRet1.(*linkedca.Policy), m.MockErr
} }
func (m *mockAdminAuthority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) { func (m *mockAdminAuthority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return nil, errors.New("not implemented yet") if m.MockCreateAuthorityPolicy != nil {
return m.MockCreateAuthorityPolicy(ctx, adm, policy)
}
return m.MockRet1.(*linkedca.Policy), m.MockErr
} }
func (m *mockAdminAuthority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) { func (m *mockAdminAuthority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return nil, errors.New("not implemented yet") if m.MockUpdateAuthorityPolicy != nil {
return m.MockUpdateAuthorityPolicy(ctx, adm, policy)
}
return m.MockRet1.(*linkedca.Policy), m.MockErr
} }
func (m *mockAdminAuthority) RemoveAuthorityPolicy(ctx context.Context) error { func (m *mockAdminAuthority) RemoveAuthorityPolicy(ctx context.Context) error {
return errors.New("not implemented yet") if m.MockRemoveAuthorityPolicy != nil {
return m.MockRemoveAuthorityPolicy(ctx)
}
return m.MockErr
} }
func TestCreateAdminRequest_Validate(t *testing.T) { func TestCreateAdminRequest_Validate(t *testing.T) {

17
authority/admin/api/middleware.go
View file

@ -1,6 +1,7 @@
package api package api
import ( import (
"errors"
"net/http" "net/http"
"github.com/go-chi/chi" "github.com/go-chi/chi"
@ -82,13 +83,6 @@ func (h *Handler) loadProvisionerByName(next http.HandlerFunc) http.HandlerFunc
func (h *Handler) checkAction(next http.HandlerFunc, supportedInStandalone bool) http.HandlerFunc { func (h *Handler) checkAction(next http.HandlerFunc, supportedInStandalone bool) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
// // temporarily only support the admin nosql DB
// if _, ok := h.adminDB.(*nosql.DB); !ok {
// render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
// "operation not supported"))
// return
// }
// actions allowed in standalone mode are always supported // actions allowed in standalone mode are always supported
if supportedInStandalone { if supportedInStandalone {
next(w, r) next(w, r)
@ -130,13 +124,16 @@ func (h *Handler) loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc
} }
if err != nil { if err != nil {
// TODO: handle error; not found vs. some internal server error if errors.Is(err, acme.ErrNotFound) {
render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account key")) render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
return
}
render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account Key"))
return return
} }
if eak == nil { if eak == nil {
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key does not exist")) render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
return return
} }

285
authority/admin/api/middleware_test.go
View file

@ -19,6 +19,7 @@ import (
"go.step.sm/linkedca" "go.step.sm/linkedca"
"github.com/smallstep/assert" "github.com/smallstep/assert"
"github.com/smallstep/certificates/acme"
"github.com/smallstep/certificates/authority/admin" "github.com/smallstep/certificates/authority/admin"
"github.com/smallstep/certificates/authority/admin/db/nosql" "github.com/smallstep/certificates/authority/admin/db/nosql"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
@ -359,7 +360,6 @@ func TestHandler_loadProvisionerByName(t *testing.T) {
} }
func TestHandler_checkAction(t *testing.T) { func TestHandler_checkAction(t *testing.T) {
type test struct { type test struct {
adminDB admin.DB adminDB admin.DB
next http.HandlerFunc next http.HandlerFunc
@ -368,15 +368,6 @@ func TestHandler_checkAction(t *testing.T) {
statusCode int statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
// "standalone-mockdb-supported": func(t *testing.T) test {
// err := admin.NewError(admin.ErrorNotImplementedType, "operation not supported")
// err.Message = "operation not supported"
// return test{
// adminDB: &admin.MockDB{},
// statusCode: 501,
// err: err,
// }
// },
"standalone-nosql-supported": func(t *testing.T) test { "standalone-nosql-supported": func(t *testing.T) test {
return test{ return test{
supportedInStandalone: true, supportedInStandalone: true,
@ -393,27 +384,23 @@ func TestHandler_checkAction(t *testing.T) {
return test{ return test{
supportedInStandalone: false, supportedInStandalone: false,
adminDB: &nosql.DB{}, adminDB: &nosql.DB{},
statusCode: 501,
err: err,
}
},
"standalone-no-nosql-not-supported": func(t *testing.T) test {
err := admin.NewError(admin.ErrorNotImplementedType, "operation not supported")
err.Message = "operation not supported"
return test{
supportedInStandalone: false,
adminDB: &admin.MockDB{},
next: func(w http.ResponseWriter, r *http.Request) { next: func(w http.ResponseWriter, r *http.Request) {
w.Write(nil) // mock response with status 200 w.Write(nil) // mock response with status 200
}, },
statusCode: 501, statusCode: 200,
err: err, err: err,
} }
}, },
// "standalone-no-nosql-not-supported": func(t *testing.T) test {
// // TODO(hs): temporarily expects an error instead of an OK response
// err := admin.NewError(admin.ErrorNotImplementedType, "operation not supported")
// err.Message = "operation not supported"
// return test{
// supportedInStandalone: false,
// adminDB: &admin.MockDB{},
// next: func(w http.ResponseWriter, r *http.Request) {
// w.Write(nil) // mock response with status 200
// },
// statusCode: 501,
// err: err,
// }
// },
} }
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
@ -448,3 +435,251 @@ func TestHandler_checkAction(t *testing.T) {
}) })
} }
} }
func TestHandler_loadExternalAccountKey(t *testing.T) {
type test struct {
ctx context.Context
acmeDB acme.DB
next http.HandlerFunc
err *admin.Error
statusCode int
}
var tests = map[string]func(t *testing.T) test{
"fail/keyID-not-found-error": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Id: "provID",
}
chiCtx := chi.NewRouteContext()
chiCtx.URLParams.Add("keyID", "key")
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
err.Message = "ACME External Account Key not found"
return test{
ctx: ctx,
acmeDB: &acme.MockDB{
MockGetExternalAccountKey: func(ctx context.Context, provisionerID, keyID string) (*acme.ExternalAccountKey, error) {
assert.Equals(t, "provID", provisionerID)
assert.Equals(t, "key", keyID)
return nil, acme.ErrNotFound
},
},
err: err,
statusCode: 404,
}
},
"fail/keyID-error": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Id: "provID",
}
chiCtx := chi.NewRouteContext()
chiCtx.URLParams.Add("keyID", "key")
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
err := admin.WrapErrorISE(errors.New("force"), "error retrieving ACME External Account Key")
err.Message = "error retrieving ACME External Account Key: force"
return test{
ctx: ctx,
acmeDB: &acme.MockDB{
MockGetExternalAccountKey: func(ctx context.Context, provisionerID, keyID string) (*acme.ExternalAccountKey, error) {
assert.Equals(t, "provID", provisionerID)
assert.Equals(t, "key", keyID)
return nil, errors.New("force")
},
},
err: err,
statusCode: 500,
}
},
"fail/reference-not-found-error": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Id: "provID",
}
chiCtx := chi.NewRouteContext()
chiCtx.URLParams.Add("reference", "ref")
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
err.Message = "ACME External Account Key not found"
return test{
ctx: ctx,
acmeDB: &acme.MockDB{
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
assert.Equals(t, "provID", provisionerID)
assert.Equals(t, "ref", reference)
return nil, acme.ErrNotFound
},
},
err: err,
statusCode: 404,
}
},
"fail/reference-error": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Id: "provID",
}
chiCtx := chi.NewRouteContext()
chiCtx.URLParams.Add("reference", "ref")
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
err := admin.WrapErrorISE(errors.New("force"), "error retrieving ACME External Account Key")
err.Message = "error retrieving ACME External Account Key: force"
return test{
ctx: ctx,
acmeDB: &acme.MockDB{
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
assert.Equals(t, "provID", provisionerID)
assert.Equals(t, "ref", reference)
return nil, errors.New("force")
},
},
err: err,
statusCode: 500,
}
},
"fail/no-key": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Id: "provID",
}
chiCtx := chi.NewRouteContext()
chiCtx.URLParams.Add("reference", "ref")
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
err.Message = "ACME External Account Key not found"
return test{
ctx: ctx,
acmeDB: &acme.MockDB{
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
assert.Equals(t, "provID", provisionerID)
assert.Equals(t, "ref", reference)
return nil, nil
},
},
err: err,
statusCode: 404,
}
},
"ok/keyID": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Id: "provID",
}
chiCtx := chi.NewRouteContext()
chiCtx.URLParams.Add("keyID", "eakID")
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
err.Message = "ACME External Account Key not found"
createdAt := time.Now().Add(-1 * time.Hour)
var boundAt time.Time
eak := &acme.ExternalAccountKey{
ID: "eakID",
ProvisionerID: "provID",
CreatedAt: createdAt,
BoundAt: boundAt,
}
return test{
ctx: ctx,
acmeDB: &acme.MockDB{
MockGetExternalAccountKey: func(ctx context.Context, provisionerID, keyID string) (*acme.ExternalAccountKey, error) {
assert.Equals(t, "provID", provisionerID)
assert.Equals(t, "eakID", keyID)
return eak, nil
},
},
next: func(w http.ResponseWriter, r *http.Request) {
contextEAK := linkedca.ExternalAccountKeyFromContext(r.Context())
assert.NotNil(t, eak)
exp := &linkedca.EABKey{
Id: "eakID",
Provisioner: "provID",
CreatedAt: timestamppb.New(createdAt),
BoundAt: timestamppb.New(boundAt),
}
assert.Equals(t, exp, contextEAK)
w.Write(nil) // mock response with status 200
},
err: nil,
statusCode: 200,
}
},
"ok/reference": func(t *testing.T) test {
prov := &linkedca.Provisioner{
Id: "provID",
}
chiCtx := chi.NewRouteContext()
chiCtx.URLParams.Add("reference", "ref")
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
err := admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found")
err.Message = "ACME External Account Key not found"
createdAt := time.Now().Add(-1 * time.Hour)
var boundAt time.Time
eak := &acme.ExternalAccountKey{
ID: "eakID",
ProvisionerID: "provID",
Reference: "ref",
CreatedAt: createdAt,
BoundAt: boundAt,
}
return test{
ctx: ctx,
acmeDB: &acme.MockDB{
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
assert.Equals(t, "provID", provisionerID)
assert.Equals(t, "ref", reference)
return eak, nil
},
},
next: func(w http.ResponseWriter, r *http.Request) {
contextEAK := linkedca.ExternalAccountKeyFromContext(r.Context())
assert.NotNil(t, eak)
exp := &linkedca.EABKey{
Id: "eakID",
Provisioner: "provID",
Reference: "ref",
CreatedAt: timestamppb.New(createdAt),
BoundAt: timestamppb.New(boundAt),
}
assert.Equals(t, exp, contextEAK)
w.Write(nil) // mock response with status 200
},
err: nil,
statusCode: 200,
}
},
}
for name, prep := range tests {
tc := prep(t)
t.Run(name, func(t *testing.T) {
h := &Handler{
acmeDB: tc.acmeDB,
}
req := httptest.NewRequest("GET", "/foo", nil)
req = req.WithContext(tc.ctx)
w := httptest.NewRecorder()
h.loadExternalAccountKey(tc.next)(w, req)
res := w.Result()
assert.Equals(t, tc.statusCode, res.StatusCode)
body, err := io.ReadAll(res.Body)
res.Body.Close()
assert.FatalError(t, err)
if res.StatusCode >= 400 {
err := admin.Error{}
assert.FatalError(t, json.Unmarshal(bytes.TrimSpace(body), &err))
assert.Equals(t, tc.err.Type, err.Type)
assert.Equals(t, tc.err.Message, err.Message)
assert.Equals(t, tc.err.StatusCode(), res.StatusCode)
assert.Equals(t, tc.err.Detail, err.Detail)
assert.Equals(t, []string{"application/json"}, res.Header["Content-Type"])
return
}
})
}
}

5
authority/admin/api/policy.go
View file

@ -120,8 +120,7 @@ func (par *PolicyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
} }
var newPolicy = new(linkedca.Policy) var newPolicy = new(linkedca.Policy)
if err := read.ProtoJSON(r.Body, newPolicy); err != nil { if !read.ProtoJSONWithCheck(w, r.Body, newPolicy) {
render.Error(w, err)
return return
} }
@ -242,7 +241,7 @@ func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
return return
} }
render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner policy")) render.Error(w, admin.WrapErrorISE(err, "error updating provisioner policy"))
return return
} }

1867
authority/admin/api/policy_test.go Normal file
View file

File diff suppressed because it is too large Load diff

30
authority/policy.go
View file

@ -25,11 +25,11 @@ const (
type PolicyError struct { type PolicyError struct {
Typ policyErrorType Typ policyErrorType
err error Err error
} }
func (p *PolicyError) Error() string { func (p *PolicyError) Error() string {
return p.err.Error() return p.Err.Error()
} }
func (a *Authority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) { func (a *Authority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) {
@ -51,21 +51,21 @@ func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Adm
if err := a.checkAuthorityPolicy(ctx, adm, p); err != nil { if err := a.checkAuthorityPolicy(ctx, adm, p); err != nil {
return nil, &PolicyError{ return nil, &PolicyError{
Typ: AdminLockOut, Typ: AdminLockOut,
err: err, Err: err,
} }
} }
if err := a.adminDB.CreateAuthorityPolicy(ctx, p); err != nil { if err := a.adminDB.CreateAuthorityPolicy(ctx, p); err != nil {
return nil, &PolicyError{ return nil, &PolicyError{
Typ: StoreFailure, Typ: StoreFailure,
err: err, Err: err,
} }
} }
if err := a.reloadPolicyEngines(ctx); err != nil { if err := a.reloadPolicyEngines(ctx); err != nil {
return nil, &PolicyError{ return nil, &PolicyError{
Typ: ReloadFailure, Typ: ReloadFailure,
err: fmt.Errorf("error reloading policy engines when creating authority policy: %w", err), Err: fmt.Errorf("error reloading policy engines when creating authority policy: %w", err),
} }
} }
@ -83,14 +83,14 @@ func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Adm
if err := a.adminDB.UpdateAuthorityPolicy(ctx, p); err != nil { if err := a.adminDB.UpdateAuthorityPolicy(ctx, p); err != nil {
return nil, &PolicyError{ return nil, &PolicyError{
Typ: StoreFailure, Typ: StoreFailure,
err: err, Err: err,
} }
} }
if err := a.reloadPolicyEngines(ctx); err != nil { if err := a.reloadPolicyEngines(ctx); err != nil {
return nil, &PolicyError{ return nil, &PolicyError{
Typ: ReloadFailure, Typ: ReloadFailure,
err: fmt.Errorf("error reloading policy engines when updating authority policy %w", err), Err: fmt.Errorf("error reloading policy engines when updating authority policy %w", err),
} }
} }
@ -104,14 +104,14 @@ func (a *Authority) RemoveAuthorityPolicy(ctx context.Context) error {
if err := a.adminDB.DeleteAuthorityPolicy(ctx); err != nil { if err := a.adminDB.DeleteAuthorityPolicy(ctx); err != nil {
return &PolicyError{ return &PolicyError{
Typ: StoreFailure, Typ: StoreFailure,
err: err, Err: err,
} }
} }
if err := a.reloadPolicyEngines(ctx); err != nil { if err := a.reloadPolicyEngines(ctx); err != nil {
return &PolicyError{ return &PolicyError{
Typ: ReloadFailure, Typ: ReloadFailure,
err: fmt.Errorf("error reloading policy engines when deleting authority policy %w", err), Err: fmt.Errorf("error reloading policy engines when deleting authority policy %w", err),
} }
} }
@ -130,7 +130,7 @@ func (a *Authority) checkAuthorityPolicy(ctx context.Context, currentAdmin *link
if err != nil { if err != nil {
return &PolicyError{ return &PolicyError{
Typ: InternalFailure, Typ: InternalFailure,
err: fmt.Errorf("error retrieving admins: %w", err), Err: fmt.Errorf("error retrieving admins: %w", err),
} }
} }
@ -149,7 +149,7 @@ func (a *Authority) checkProvisionerPolicy(ctx context.Context, currentAdmin *li
if !ok { if !ok {
return &PolicyError{ return &PolicyError{
Typ: InternalFailure, Typ: InternalFailure,
err: errors.New("error retrieving admins by provisioner"), Err: errors.New("error retrieving admins by provisioner"),
} }
} }
@ -170,7 +170,7 @@ func (a *Authority) checkPolicy(ctx context.Context, currentAdmin *linkedca.Admi
if err != nil { if err != nil {
return &PolicyError{ return &PolicyError{
Typ: ConfigurationFailure, Typ: ConfigurationFailure,
err: err, Err: err,
} }
} }
@ -217,19 +217,19 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
if isNamePolicyError && policyErr.Reason == policy.NotAuthorizedForThisName { if isNamePolicyError && policyErr.Reason == policy.NotAuthorizedForThisName {
return &PolicyError{ return &PolicyError{
Typ: AdminLockOut, Typ: AdminLockOut,
err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans), Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
} }
} }
return &PolicyError{ return &PolicyError{
Typ: EvaluationFailure, Typ: EvaluationFailure,
err: err, Err: err,
} }
} }
if !allowed { if !allowed {
return &PolicyError{ return &PolicyError{
Typ: AdminLockOut, Typ: AdminLockOut,
err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans), Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
} }
} }

10
authority/policy_test.go
View file

@ -34,7 +34,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
}, },
err: &PolicyError{ err: &PolicyError{
Typ: ConfigurationFailure, Typ: ConfigurationFailure,
err: errors.New("cannot parse permitted domain constraint \"**.local\": domain constraint \"**.local\" can only have wildcard as starting character"), Err: errors.New("cannot parse permitted domain constraint \"**.local\": domain constraint \"**.local\" can only have wildcard as starting character"),
}, },
} }
}, },
@ -52,7 +52,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
}, },
err: &PolicyError{ err: &PolicyError{
Typ: EvaluationFailure, Typ: EvaluationFailure,
err: errors.New("cannot parse domain: dns \"*\" cannot be converted to ASCII"), Err: errors.New("cannot parse domain: dns \"*\" cannot be converted to ASCII"),
}, },
} }
}, },
@ -74,7 +74,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
}, },
err: &PolicyError{ err: &PolicyError{
Typ: AdminLockOut, Typ: AdminLockOut,
err: errors.New("the provided policy would lock out [step] from the CA. Please update your policy to include [step] as an allowed name"), Err: errors.New("the provided policy would lock out [step] from the CA. Please update your policy to include [step] as an allowed name"),
}, },
} }
}, },
@ -99,7 +99,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
}, },
err: &PolicyError{ err: &PolicyError{
Typ: EvaluationFailure, Typ: EvaluationFailure,
err: errors.New("cannot parse domain: dns \"**\" cannot be converted to ASCII"), Err: errors.New("cannot parse domain: dns \"**\" cannot be converted to ASCII"),
}, },
} }
}, },
@ -121,7 +121,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
}, },
err: &PolicyError{ err: &PolicyError{
Typ: AdminLockOut, Typ: AdminLockOut,
err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please update your policy to include [otherAdmin] as an allowed name"), Err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please update your policy to include [otherAdmin] as an allowed name"),
}, },
} }
}, },