diff --git a/acme/api/order_test.go b/acme/api/order_test.go
index 1ce034e7..ccaef176 100644
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@@ -667,6 +667,7 @@ func TestHandler_NewOrder(t *testing.T) {
 baseURL.String(), escProvName)
 type test struct {
+ ca acme.CertificateAuthority
 db acme.DB
 ctx context.Context
 nor *NewOrderRequest
@@ -771,6 +772,7 @@ func TestHandler_NewOrder(t *testing.T) {
 return test{
 ctx: ctx,
 statusCode: 500,
+ ca: &mockCA{},
 db: &acme.MockDB{
 MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 assert.Equals(t, ch.AccountID, "accID")
@@ -804,6 +806,7 @@ func TestHandler_NewOrder(t *testing.T) {
 return test{
 ctx: ctx,
 statusCode: 500,
+ ca: &mockCA{},
 db: &acme.MockDB{
 MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 switch count {
@@ -876,6 +879,7 @@ func TestHandler_NewOrder(t *testing.T) {
 ctx: ctx,
 statusCode: 201,
 nor: nor,
+ ca: &mockCA{},
 db: &acme.MockDB{
 MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 switch chCount {
@@ -991,6 +995,7 @@ func TestHandler_NewOrder(t *testing.T) {
 ctx: ctx,
 statusCode: 201,
 nor: nor,
+ ca: &mockCA{},
 db: &acme.MockDB{
 MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 switch count {
@@ -1083,6 +1088,7 @@ func TestHandler_NewOrder(t *testing.T) {
 ctx: ctx,
 statusCode: 201,
 nor: nor,
+ ca: &mockCA{},
 db: &acme.MockDB{
 MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 switch count {
@@ -1174,6 +1180,7 @@ func TestHandler_NewOrder(t *testing.T) {
 ctx: ctx,
 statusCode: 201,
 nor: nor,
+ ca: &mockCA{},
 db: &acme.MockDB{
 MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 switch count {
@@ -1266,6 +1273,7 @@ func TestHandler_NewOrder(t *testing.T) {
 ctx: ctx,
 statusCode: 201,
 nor: nor,
+ ca: &mockCA{},
 db: &acme.MockDB{
 MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 switch count {
@@ -1334,7 +1342,7 @@ func TestHandler_NewOrder(t *testing.T) {
 for name, run := range tests {
 tc := run(t)
 t.Run(name, func(t *testing.T) {
- h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db}
+ h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db, ca: tc.ca}
 req := httptest.NewRequest("GET", u, nil)
 req = req.WithContext(tc.ctx)
 w := httptest.NewRecorder()
diff --git a/authority/admin/api/acme.go b/authority/admin/api/acme.go
index 131a8fff..39be50c7 100644
--- a/authority/admin/api/acme.go
+++ b/authority/admin/api/acme.go
@@ -6,15 +6,12 @@ import (
 "net/http"
 "github.com/go-chi/chi"
+
+ "go.step.sm/linkedca"
+
 "github.com/smallstep/certificates/api"
 "github.com/smallstep/certificates/authority/admin"
 "github.com/smallstep/certificates/authority/provisioner"
- "go.step.sm/linkedca"
-)
-
-const (
- // provisionerContextKey provisioner key
- provisionerContextKey = admin.ContextKey("provisioner")
 )
 // CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
@@ -51,7 +48,7 @@ func (h *Handler) requireEABEnabled(next nextHTTP) nextHTTP {
 api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName()))
 return
 }
- ctx = context.WithValue(ctx, provisionerContextKey, prov)
+ ctx = linkedca.NewContextWithProvisioner(ctx, prov)
 next(w, r.WithContext(ctx))
 }
 }
diff --git a/authority/admin/api/middleware.go b/authority/admin/api/middleware.go
index 4ca62bfc..1acc661e 100644
--- a/authority/admin/api/middleware.go
+++ b/authority/admin/api/middleware.go
@@ -42,7 +42,7 @@ func (h *Handler) extractAuthorizeTokenAdmin(next nextHTTP) nextHTTP {
 return
 }
- ctx := linkedca.WithAdmin(r.Context(), adm)
+ ctx := linkedca.NewContextWithAdmin(r.Context(), adm)
 next(w, r.WithContext(ctx))
 }
 }
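Review bot: With `ca: tc.ca` on the new `h := &Handler{...}` line, every test case that does not set `ca` hands the handler a nil `acme.CertificateAuthority`; if `NewOrder` reaches `h.ca` before it returns the error such a case expects, that case panics instead of failing its status-code assertion. Only the cases visible in this diff set `ca: &mockCA{}`, so whether an earlier case is affected cannot be told from here. Keeping the nil path explicit in the loop avoids the question: `ca := tc.ca` / `if ca == nil { ca = &mockCA{} }` / `h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db, ca: ca}`. `TestHandler_NewOrder` begins and ends outside the hunk.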
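Review bot: The added `"go.step.sm/linkedca"` import is placed in a group of its own between `"github.com/go-chi/chi"` and the `github.com/smallstep/certificates/...` imports (the two added blank lines around it). `goimports` keeps stdlib and third-party as two groups, so `linkedca` belongs beside `chi` unless the project runs `goimports -local` with the smallstep module as its local group; either way the stray single-import group will be rewritten on the next format. Moving the line into the `chi` group and dropping the extra blank line is the whole change.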
@@ -57,8 +57,8 @@ func (h *Handler) checkAction(next nextHTTP, supportedInStandalone bool) nextHTT
 return
 }
- // when not in standalone mode and using a nosql.DB backend,
- // actions are not supported
+ // when an action is not supported in standalone mode and when
+ // using a nosql.DB backend, actions are not supported
 if _, ok := h.adminDB.(*nosql.DB); ok {
 api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,
 "operation not supported in standalone mode"))
diff --git a/authority/admin/context.go b/authority/admin/context.go
deleted file mode 100644
index 87bf3e03..00000000
--- a/authority/admin/context.go
+++ /dev/null
@@ -1,10 +0,0 @@
-package admin
- // ContextKey is the key type for storing and searching for
- // Admin API objects in request contexts.
- type ContextKey string
-
- const (
- // AdminContextKey account key
- AdminContextKey = ContextKey("admin")
-)
diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go
index 04aac0b7..e5b8e406 100644
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -34,9 +34,9 @@ type SCEP struct {
 Options *Options `json:"options,omitempty"`
 Claims *Claims `json:"claims,omitempty"`
 ctl *Controller
- x509Policy policy.X509Policy
 secretChallengePassword string
 encryptionAlgorithm int
+ x509Policy policy.X509Policy
 }
 // GetID returns the provisioner unique identifier.
diff --git a/authority/tls.go b/authority/tls.go
index 867e2c51..13babdf1 100644
--- a/authority/tls.go
+++ b/authority/tls.go
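Review bot: The rewritten comment reads awkwardly ("when an action is not supported ... and when ... actions are not supported") and does not say which half of the condition the code below it checks; the `if` only inspects the backend type, so the `supportedInStandalone` test presumably lives in the `return` just above the hunk. A comment that states both halves and the reason, for example `// an action that is not supported in standalone mode is rejected when the nosql.DB backend is in use, since that backend implies standalone mode`, would save the next reader a trip up the function; the "implies standalone mode" part is inferred from the error message on the last line and is worth confirming. `checkAction` begins and ends outside the hunk.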
@@ -231,10 +231,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 }
 // isAllowedToSign checks if the Authority is allowed to sign the X.509 certificate.
- // It first checks if the certificate contains an admin subject that exists in the
- // collection of admins. The CA is always allowed to sign those. If the cert contains
- // different names and a policy is configured, the policy will be executed against
- // the cert to see if the CA is allowed to sign it.
 func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {
 // if no policy is configured, the cert is implicitly allowed