certificates/authority/admin/db/nosql/policy.go
2022-03-24 13:10:49 +01:00

144 lines
3.8 KiB
Go

package nosql
import (
"context"
"encoding/json"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/admin"
"github.com/smallstep/nosql"
"go.step.sm/linkedca"
)
type dbAuthorityPolicy struct {
ID string `json:"id"`
AuthorityID string `json:"authorityID"`
Policy *linkedca.Policy `json:"policy"`
}
func (dbap *dbAuthorityPolicy) convert() *linkedca.Policy {
return dbap.Policy
}
func (dbap *dbAuthorityPolicy) clone() *dbAuthorityPolicy {
u := *dbap
return &u
}
func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string) ([]byte, error) {
data, err := db.db.Get(authorityPoliciesTable, []byte(authorityID))
if nosql.IsErrNotFound(err) {
return nil, admin.NewError(admin.ErrorNotFoundType, "policy %s not found", authorityID)
} else if err != nil {
return nil, errors.Wrapf(err, "error loading admin %s", authorityID)
}
return data, nil
}
func (db *DB) unmarshalDBAuthorityPolicy(data []byte, authorityID string) (*dbAuthorityPolicy, error) {
var dba = new(dbAuthorityPolicy)
if err := json.Unmarshal(data, dba); err != nil {
return nil, errors.Wrapf(err, "error unmarshaling admin %s into dbAdmin", authorityID)
}
// if !dba.DeletedAt.IsZero() {
// return nil, admin.NewError(admin.ErrorDeletedType, "admin %s is deleted", authorityID)
// }
if dba.AuthorityID != db.authorityID {
return nil, admin.NewError(admin.ErrorAuthorityMismatchType,
"admin %s is not owned by authority %s", dba.ID, db.authorityID)
}
return dba, nil
}
func (db *DB) getDBAuthorityPolicy(ctx context.Context, authorityID string) (*dbAuthorityPolicy, error) {
data, err := db.getDBAuthorityPolicyBytes(ctx, authorityID)
if err != nil {
return nil, err
}
dbap, err := db.unmarshalDBAuthorityPolicy(data, authorityID)
if err != nil {
return nil, err
}
return dbap, nil
}
// func (db *DB) unmarshalAuthorityPolicy(data []byte, authorityID string) (*linkedca.Policy, error) {
// dbap, err := db.unmarshalDBAuthorityPolicy(data, authorityID)
// if err != nil {
// return nil, err
// }
// return dbap.convert(), nil
// }
func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
dbap := &dbAuthorityPolicy{
ID: db.authorityID,
AuthorityID: db.authorityID,
Policy: policy,
}
old, err := db.getDBAuthorityPolicy(ctx, db.authorityID)
if err != nil {
return err
}
return db.save(ctx, dbap.ID, dbap, old, "authority_policy", authorityPoliciesTable)
}
func (db *DB) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) {
// policy := &linkedca.Policy{
// X509: &linkedca.X509Policy{
// Allow: &linkedca.X509Names{
// Dns: []string{".localhost"},
// },
// Deny: &linkedca.X509Names{
// Dns: []string{"denied.localhost"},
// },
// },
// Ssh: &linkedca.SSHPolicy{
// User: &linkedca.SSHUserPolicy{
// Allow: &linkedca.SSHUserNames{},
// Deny: &linkedca.SSHUserNames{},
// },
// Host: &linkedca.SSHHostPolicy{
// Allow: &linkedca.SSHHostNames{},
// Deny: &linkedca.SSHHostNames{},
// },
// },
// }
dbap, err := db.getDBAuthorityPolicy(ctx, db.authorityID)
if err != nil {
return nil, err
}
return dbap.convert(), nil
}
func (db *DB) UpdateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
old, err := db.getDBAuthorityPolicy(ctx, db.authorityID)
if err != nil {
return err
}
dbap := &dbAuthorityPolicy{
ID: db.authorityID,
AuthorityID: db.authorityID,
Policy: policy,
}
return db.save(ctx, dbap.ID, dbap, old, "authority_policy", authorityPoliciesTable)
}
func (db *DB) DeleteAuthorityPolicy(ctx context.Context) error {
dbap, err := db.getDBAuthorityPolicy(ctx, db.authorityID)
if err != nil {
return err
}
old := dbap.clone()
dbap.Policy = nil
return db.save(ctx, dbap.ID, dbap, old, "authority_policy", authorityPoliciesTable)
}