Block all APIs when using linked deployment mode
This commit is contained in:
parent
fb81407d6f
commit
b72430f4ea
4 changed files with 99 additions and 32 deletions
|
@ -129,29 +129,21 @@ func linkedEAKToCertificates(k *linkedca.EABKey) *acme.ExternalAccountKey {
|
||||||
BoundAt: k.BoundAt.AsTime(),
|
BoundAt: k.BoundAt.AsTime(),
|
||||||
}
|
}
|
||||||
|
|
||||||
if k.Policy == nil {
|
if policy := k.GetPolicy(); policy != nil {
|
||||||
return eak
|
eak.Policy = &acme.Policy{}
|
||||||
}
|
if x509 := policy.GetX509(); x509 != nil {
|
||||||
|
eak.Policy.X509 = acme.X509Policy{}
|
||||||
eak.Policy = &acme.Policy{}
|
if allow := x509.GetAllow(); allow != nil {
|
||||||
|
eak.Policy.X509.Allowed = acme.PolicyNames{}
|
||||||
if k.Policy.X509 == nil {
|
eak.Policy.X509.Allowed.DNSNames = allow.Dns
|
||||||
return eak
|
eak.Policy.X509.Allowed.IPRanges = allow.Ips
|
||||||
}
|
}
|
||||||
|
if deny := x509.GetDeny(); deny != nil {
|
||||||
eak.Policy.X509 = acme.X509Policy{
|
eak.Policy.X509.Denied = acme.PolicyNames{}
|
||||||
Allowed: acme.PolicyNames{},
|
eak.Policy.X509.Denied.DNSNames = deny.Dns
|
||||||
Denied: acme.PolicyNames{},
|
eak.Policy.X509.Denied.IPRanges = deny.Ips
|
||||||
}
|
}
|
||||||
|
}
|
||||||
if k.Policy.X509.Allow != nil {
|
|
||||||
eak.Policy.X509.Allowed.DNSNames = k.Policy.X509.Allow.Dns
|
|
||||||
eak.Policy.X509.Allowed.IPRanges = k.Policy.X509.Allow.Ips
|
|
||||||
}
|
|
||||||
|
|
||||||
if k.Policy.X509.Deny != nil {
|
|
||||||
eak.Policy.X509.Denied.DNSNames = k.Policy.X509.Deny.Dns
|
|
||||||
eak.Policy.X509.Denied.IPRanges = k.Policy.X509.Deny.Ips
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return eak
|
return eak
|
||||||
|
|
|
@ -103,7 +103,7 @@ func (h *Handler) checkAction(next http.HandlerFunc, supportedInStandalone bool)
|
||||||
}
|
}
|
||||||
|
|
||||||
// loadExternalAccountKey is a middleware that searches for an ACME
|
// loadExternalAccountKey is a middleware that searches for an ACME
|
||||||
// External Account Key by accountID, keyID or reference and stores it in the context.
|
// External Account Key by reference or keyID and stores it in the context.
|
||||||
func (h *Handler) loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc {
|
func (h *Handler) loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc {
|
||||||
return func(w http.ResponseWriter, r *http.Request) {
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
|
|
|
@ -31,23 +31,30 @@ type policyAdminResponderInterface interface {
|
||||||
|
|
||||||
// PolicyAdminResponder is responsible for writing ACME admin responses
|
// PolicyAdminResponder is responsible for writing ACME admin responses
|
||||||
type PolicyAdminResponder struct {
|
type PolicyAdminResponder struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
adminDB admin.DB
|
adminDB admin.DB
|
||||||
acmeDB acme.DB
|
acmeDB acme.DB
|
||||||
|
deploymentType string
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewACMEAdminResponder returns a new ACMEAdminResponder
|
// NewACMEAdminResponder returns a new ACMEAdminResponder
|
||||||
func NewPolicyAdminResponder(auth adminAuthority, adminDB admin.DB, acmeDB acme.DB) *PolicyAdminResponder {
|
func NewPolicyAdminResponder(auth adminAuthority, adminDB admin.DB, acmeDB acme.DB, deploymentType string) *PolicyAdminResponder {
|
||||||
return &PolicyAdminResponder{
|
return &PolicyAdminResponder{
|
||||||
auth: auth,
|
auth: auth,
|
||||||
adminDB: adminDB,
|
adminDB: adminDB,
|
||||||
acmeDB: acmeDB,
|
acmeDB: acmeDB,
|
||||||
|
deploymentType: deploymentType,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetAuthorityPolicy handles the GET /admin/authority/policy request
|
// GetAuthorityPolicy handles the GET /admin/authority/policy request
|
||||||
func (par *PolicyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
policy, err := par.auth.GetAuthorityPolicy(r.Context())
|
policy, err := par.auth.GetAuthorityPolicy(r.Context())
|
||||||
if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) {
|
if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) {
|
||||||
render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
|
render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
|
||||||
|
@ -65,6 +72,11 @@ func (par *PolicyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *ht
|
||||||
// CreateAuthorityPolicy handles the POST /admin/authority/policy request
|
// CreateAuthorityPolicy handles the POST /admin/authority/policy request
|
||||||
func (par *PolicyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
policy, err := par.auth.GetAuthorityPolicy(ctx)
|
policy, err := par.auth.GetAuthorityPolicy(ctx)
|
||||||
|
|
||||||
|
@ -111,6 +123,11 @@ func (par *PolicyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
|
||||||
// UpdateAuthorityPolicy handles the PUT /admin/authority/policy request
|
// UpdateAuthorityPolicy handles the PUT /admin/authority/policy request
|
||||||
func (par *PolicyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
policy, err := par.auth.GetAuthorityPolicy(ctx)
|
policy, err := par.auth.GetAuthorityPolicy(ctx)
|
||||||
|
|
||||||
|
@ -153,6 +170,11 @@ func (par *PolicyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
|
||||||
// DeleteAuthorityPolicy handles the DELETE /admin/authority/policy request
|
// DeleteAuthorityPolicy handles the DELETE /admin/authority/policy request
|
||||||
func (par *PolicyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
policy, err := par.auth.GetAuthorityPolicy(ctx)
|
policy, err := par.auth.GetAuthorityPolicy(ctx)
|
||||||
|
|
||||||
|
@ -177,6 +199,11 @@ func (par *PolicyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r
|
||||||
// GetProvisionerPolicy handles the GET /admin/provisioners/{name}/policy request
|
// GetProvisionerPolicy handles the GET /admin/provisioners/{name}/policy request
|
||||||
func (par *PolicyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
prov := linkedca.ProvisionerFromContext(r.Context())
|
prov := linkedca.ProvisionerFromContext(r.Context())
|
||||||
|
|
||||||
policy := prov.GetPolicy()
|
policy := prov.GetPolicy()
|
||||||
|
@ -191,6 +218,11 @@ func (par *PolicyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *
|
||||||
// CreateProvisionerPolicy handles the POST /admin/provisioners/{name}/policy request
|
// CreateProvisionerPolicy handles the POST /admin/provisioners/{name}/policy request
|
||||||
func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
prov := linkedca.ProvisionerFromContext(ctx)
|
prov := linkedca.ProvisionerFromContext(ctx)
|
||||||
|
|
||||||
|
@ -231,6 +263,11 @@ func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
|
||||||
// UpdateProvisionerPolicy handles the PUT /admin/provisioners/{name}/policy request
|
// UpdateProvisionerPolicy handles the PUT /admin/provisioners/{name}/policy request
|
||||||
func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
prov := linkedca.ProvisionerFromContext(ctx)
|
prov := linkedca.ProvisionerFromContext(ctx)
|
||||||
|
|
||||||
|
@ -266,6 +303,11 @@ func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
|
||||||
// DeleteProvisionerPolicy handles the DELETE /admin/provisioners/{name}/policy request
|
// DeleteProvisionerPolicy handles the DELETE /admin/provisioners/{name}/policy request
|
||||||
func (par *PolicyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
prov := linkedca.ProvisionerFromContext(ctx)
|
prov := linkedca.ProvisionerFromContext(ctx)
|
||||||
|
|
||||||
|
@ -286,6 +328,12 @@ func (par *PolicyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter,
|
||||||
}
|
}
|
||||||
|
|
||||||
func (par *PolicyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
eak := linkedca.ExternalAccountKeyFromContext(ctx)
|
eak := linkedca.ExternalAccountKeyFromContext(ctx)
|
||||||
|
|
||||||
|
@ -299,6 +347,12 @@ func (par *PolicyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *
|
||||||
}
|
}
|
||||||
|
|
||||||
func (par *PolicyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
prov := linkedca.ProvisionerFromContext(ctx)
|
prov := linkedca.ProvisionerFromContext(ctx)
|
||||||
eak := linkedca.ExternalAccountKeyFromContext(ctx)
|
eak := linkedca.ExternalAccountKeyFromContext(ctx)
|
||||||
|
@ -330,6 +384,12 @@ func (par *PolicyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
|
||||||
}
|
}
|
||||||
|
|
||||||
func (par *PolicyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
prov := linkedca.ProvisionerFromContext(ctx)
|
prov := linkedca.ProvisionerFromContext(ctx)
|
||||||
eak := linkedca.ExternalAccountKeyFromContext(ctx)
|
eak := linkedca.ExternalAccountKeyFromContext(ctx)
|
||||||
|
@ -359,6 +419,12 @@ func (par *PolicyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter,
|
||||||
}
|
}
|
||||||
|
|
||||||
func (par *PolicyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
func (par *PolicyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
|
if err := par.blockLinkedCA(); err != nil {
|
||||||
|
render.Error(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
prov := linkedca.ProvisionerFromContext(ctx)
|
prov := linkedca.ProvisionerFromContext(ctx)
|
||||||
eak := linkedca.ExternalAccountKeyFromContext(ctx)
|
eak := linkedca.ExternalAccountKeyFromContext(ctx)
|
||||||
|
@ -381,6 +447,15 @@ func (par *PolicyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
|
||||||
render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
|
render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// blockLinkedCA blocks all API operations on linked deployments
|
||||||
|
func (par *PolicyAdminResponder) blockLinkedCA() error {
|
||||||
|
// temporary blocking linked deployments based on string comparison (preventing import cycle)
|
||||||
|
if par.deploymentType == "linked" {
|
||||||
|
return admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// applyConditionalDefaults applies default settings in case they're not provided
|
// applyConditionalDefaults applies default settings in case they're not provided
|
||||||
// in the request body.
|
// in the request body.
|
||||||
func applyConditionalDefaults(p *linkedca.Policy) {
|
func applyConditionalDefaults(p *linkedca.Policy) {
|
||||||
|
|
2
ca/ca.go
2
ca/ca.go
|
@ -219,7 +219,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
|
||||||
adminDB := auth.GetAdminDatabase()
|
adminDB := auth.GetAdminDatabase()
|
||||||
if adminDB != nil {
|
if adminDB != nil {
|
||||||
acmeAdminResponder := adminAPI.NewACMEAdminResponder()
|
acmeAdminResponder := adminAPI.NewACMEAdminResponder()
|
||||||
policyAdminResponder := adminAPI.NewPolicyAdminResponder(auth, adminDB, acmeDB)
|
policyAdminResponder := adminAPI.NewPolicyAdminResponder(auth, adminDB, acmeDB, cfg.AuthorityConfig.DeploymentType)
|
||||||
adminHandler := adminAPI.NewHandler(auth, adminDB, acmeDB, acmeAdminResponder, policyAdminResponder)
|
adminHandler := adminAPI.NewHandler(auth, adminDB, acmeDB, acmeAdminResponder, policyAdminResponder)
|
||||||
mux.Route("/admin", func(r chi.Router) {
|
mux.Route("/admin", func(r chi.Router) {
|
||||||
adminHandler.Route(r)
|
adminHandler.Route(r)
|
||||||
|
|