certificates/authority/admin/api/handler.go

package api

import (
	"net/http"

	"github.com/smallstep/certificates/acme"
	"github.com/smallstep/certificates/api"
	"github.com/smallstep/certificates/authority/admin"
)

// Handler is the Admin API request handler.
type Handler struct {
	adminDB         admin.DB
	auth            adminAuthority
	acmeDB          acme.DB
	acmeResponder   acmeAdminResponderInterface
	policyResponder policyAdminResponderInterface
}

// NewHandler returns a new Authority Config Handler.
func NewHandler(auth adminAuthority, adminDB admin.DB, acmeDB acme.DB, acmeResponder acmeAdminResponderInterface, policyResponder policyAdminResponderInterface) api.RouterHandler {
	return &Handler{
		auth:            auth,
		adminDB:         adminDB,
		acmeDB:          acmeDB,
		acmeResponder:   acmeResponder,
		policyResponder: policyResponder,
	}
}

// Route traffic and implement the Router interface.
func (h *Handler) Route(r api.Router) {

	authnz := func(next http.HandlerFunc) http.HandlerFunc {
		return h.extractAuthorizeTokenAdmin(h.requireAPIEnabled(next))
	}

	requireEABEnabled := func(next http.HandlerFunc) http.HandlerFunc {
		return h.requireEABEnabled(next)
	}

	enabledInStandalone := func(next http.HandlerFunc) http.HandlerFunc {
		return h.checkAction(next, true)
	}

	disabledInStandalone := func(next http.HandlerFunc) http.HandlerFunc {
		return h.checkAction(next, false)
	}

	// Provisioners
	r.MethodFunc("GET", "/provisioners/{name}", authnz(h.GetProvisioner))
	r.MethodFunc("GET", "/provisioners", authnz(h.GetProvisioners))
	r.MethodFunc("POST", "/provisioners", authnz(h.CreateProvisioner))
	r.MethodFunc("PUT", "/provisioners/{name}", authnz(h.UpdateProvisioner))
	r.MethodFunc("DELETE", "/provisioners/{name}", authnz(h.DeleteProvisioner))

	// Admins
	r.MethodFunc("GET", "/admins/{id}", authnz(h.GetAdmin))
	r.MethodFunc("GET", "/admins", authnz(h.GetAdmins))
	r.MethodFunc("POST", "/admins", authnz(h.CreateAdmin))
	r.MethodFunc("PATCH", "/admins/{id}", authnz(h.UpdateAdmin))
	r.MethodFunc("DELETE", "/admins/{id}", authnz(h.DeleteAdmin))

	// ACME External Account Binding Keys
	r.MethodFunc("GET", "/acme/eab/{provisionerName}/{reference}", authnz(requireEABEnabled(h.acmeResponder.GetExternalAccountKeys)))
	r.MethodFunc("GET", "/acme/eab/{provisionerName}", authnz(requireEABEnabled(h.acmeResponder.GetExternalAccountKeys)))
	r.MethodFunc("POST", "/acme/eab/{provisionerName}", authnz(requireEABEnabled(h.acmeResponder.CreateExternalAccountKey)))
	r.MethodFunc("DELETE", "/acme/eab/{provisionerName}/{id}", authnz(requireEABEnabled(h.acmeResponder.DeleteExternalAccountKey)))

	// Policy - Authority
	r.MethodFunc("GET", "/policy", authnz(enabledInStandalone(h.policyResponder.GetAuthorityPolicy)))
	r.MethodFunc("POST", "/policy", authnz(enabledInStandalone(h.policyResponder.CreateAuthorityPolicy)))
	r.MethodFunc("PUT", "/policy", authnz(enabledInStandalone(h.policyResponder.UpdateAuthorityPolicy)))
	r.MethodFunc("DELETE", "/policy", authnz(enabledInStandalone(h.policyResponder.DeleteAuthorityPolicy)))

	// Policy - Provisioner
	//r.MethodFunc("GET", "/provisioners/{name}/policy", noauth(h.policyResponder.GetProvisionerPolicy))
	r.MethodFunc("GET", "/provisioners/{provisionerName}/policy", authnz(disabledInStandalone(h.loadProvisionerByName(h.policyResponder.GetProvisionerPolicy))))
	r.MethodFunc("POST", "/provisioners/{provisionerName}/policy", authnz(disabledInStandalone(h.loadProvisionerByName(h.policyResponder.CreateProvisionerPolicy))))
	r.MethodFunc("PUT", "/provisioners/{provisionerName}/policy", authnz(disabledInStandalone(h.loadProvisionerByName(h.policyResponder.UpdateProvisionerPolicy))))
	r.MethodFunc("DELETE", "/provisioners/{provisionerName}/policy", authnz(disabledInStandalone(h.loadProvisionerByName(h.policyResponder.DeleteProvisionerPolicy))))

	// Policy - ACME Account
	// TODO: ensure we don't clash with eab; might want to change eab paths slightly (as long as we don't have it released completely; needs changes in adminClient too)
	r.MethodFunc("GET", "/acme/{provisionerName}/{accountID}/policy", authnz(disabledInStandalone(h.policyResponder.GetACMEAccountPolicy)))
	r.MethodFunc("POST", "/acme/{provisionerName}/{accountID}/policy", authnz(disabledInStandalone(h.policyResponder.CreateACMEAccountPolicy)))
	r.MethodFunc("PUT", "/acme/{provisionerName}/{accountID}/policy", authnz(disabledInStandalone(h.policyResponder.UpdateACMEAccountPolicy)))
	r.MethodFunc("DELETE", "/acme/{provisionerName}/{accountID}/policy", authnz(disabledInStandalone(h.policyResponder.DeleteACMEAccountPolicy)))
}
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`package api`

			`import (`
Add authority policy API 2022-03-30 12:21:39 +00:00			`"net/http"`

Fix PR comments 2021-07-22 21:48:41 +00:00			`"github.com/smallstep/certificates/acme"`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`"github.com/smallstep/certificates/api"`
			`"github.com/smallstep/certificates/authority/admin"`
			`)`

Add tests for ACME EAB Admin Refactored some of the existing bits for testing the Authority API by creation of a new LinkedAuthority interface and changing visibility of the MockAuthority to be usable by other packages. At this time, not all of the functions of MockAuthority it usable yet. Will refactor when needed or requested. 2021-12-08 14:19:38 +00:00			`// Handler is the Admin API request handler.`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`type Handler struct {`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`adminDB admin.DB`
			`auth adminAuthority`
			`acmeDB acme.DB`
			`acmeResponder acmeAdminResponderInterface`
			`policyResponder policyAdminResponderInterface`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`}`

			`// NewHandler returns a new Authority Config Handler.`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`func NewHandler(auth adminAuthority, adminDB admin.DB, acmeDB acme.DB, acmeResponder acmeAdminResponderInterface, policyResponder policyAdminResponderInterface) api.RouterHandler {`
Fix PR comments 2021-07-22 21:48:41 +00:00			`return &Handler{`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`auth: auth,`
			`adminDB: adminDB,`
			`acmeDB: acmeDB,`
			`acmeResponder: acmeResponder,`
			`policyResponder: policyResponder,`
Fix PR comments 2021-07-22 21:48:41 +00:00			`}`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`}`

			`// Route traffic and implement the Router interface.`
			`func (h *Handler) Route(r api.Router) {`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00
Add authority policy API 2022-03-30 12:21:39 +00:00			`authnz := func(next http.HandlerFunc) http.HandlerFunc {`
Check admin subjects before changing policy 2022-03-21 14:53:59 +00:00			`return h.extractAuthorizeTokenAdmin(h.requireAPIEnabled(next))`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`}`

Add authority policy API 2022-03-30 12:21:39 +00:00			`requireEABEnabled := func(next http.HandlerFunc) http.HandlerFunc {`
Refactor retrieval of provisioner into middleware 2021-10-08 12:29:44 +00:00			`return h.requireEABEnabled(next)`
			`}`

Add authority policy API 2022-03-30 12:21:39 +00:00			`enabledInStandalone := func(next http.HandlerFunc) http.HandlerFunc {`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`return h.checkAction(next, true)`
			`}`

Add authority policy API 2022-03-30 12:21:39 +00:00			`disabledInStandalone := func(next http.HandlerFunc) http.HandlerFunc {`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`return h.checkAction(next, false)`
			`}`

Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`// Provisioners`
			`r.MethodFunc("GET", "/provisioners/{name}", authnz(h.GetProvisioner))`
			`r.MethodFunc("GET", "/provisioners", authnz(h.GetProvisioners))`
			`r.MethodFunc("POST", "/provisioners", authnz(h.CreateProvisioner))`
			`r.MethodFunc("PUT", "/provisioners/{name}", authnz(h.UpdateProvisioner))`
			`r.MethodFunc("DELETE", "/provisioners/{name}", authnz(h.DeleteProvisioner))`

			`// Admins`
			`r.MethodFunc("GET", "/admins/{id}", authnz(h.GetAdmin))`
			`r.MethodFunc("GET", "/admins", authnz(h.GetAdmins))`
			`r.MethodFunc("POST", "/admins", authnz(h.CreateAdmin))`
			`r.MethodFunc("PATCH", "/admins/{id}", authnz(h.UpdateAdmin))`
			`r.MethodFunc("DELETE", "/admins/{id}", authnz(h.DeleteAdmin))`
Add first working version of External Account Binding 2021-07-17 15:35:44 +00:00
Change ACME EAB endpoint 2021-07-23 13:16:11 +00:00			`// ACME External Account Binding Keys`
Refactor ACME Admin API 2022-02-08 12:26:30 +00:00			`r.MethodFunc("GET", "/acme/eab/{provisionerName}/{reference}", authnz(requireEABEnabled(h.acmeResponder.GetExternalAccountKeys)))`
			`r.MethodFunc("GET", "/acme/eab/{provisionerName}", authnz(requireEABEnabled(h.acmeResponder.GetExternalAccountKeys)))`
			`r.MethodFunc("POST", "/acme/eab/{provisionerName}", authnz(requireEABEnabled(h.acmeResponder.CreateExternalAccountKey)))`
			`r.MethodFunc("DELETE", "/acme/eab/{provisionerName}/{id}", authnz(requireEABEnabled(h.acmeResponder.DeleteExternalAccountKey)))`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00
			`// Policy - Authority`
			`r.MethodFunc("GET", "/policy", authnz(enabledInStandalone(h.policyResponder.GetAuthorityPolicy)))`
			`r.MethodFunc("POST", "/policy", authnz(enabledInStandalone(h.policyResponder.CreateAuthorityPolicy)))`
			`r.MethodFunc("PUT", "/policy", authnz(enabledInStandalone(h.policyResponder.UpdateAuthorityPolicy)))`
			`r.MethodFunc("DELETE", "/policy", authnz(enabledInStandalone(h.policyResponder.DeleteAuthorityPolicy)))`

			`// Policy - Provisioner`
			`//r.MethodFunc("GET", "/provisioners/{name}/policy", noauth(h.policyResponder.GetProvisionerPolicy))`
Add authority policy API 2022-03-30 12:21:39 +00:00			`r.MethodFunc("GET", "/provisioners/{provisionerName}/policy", authnz(disabledInStandalone(h.loadProvisionerByName(h.policyResponder.GetProvisionerPolicy))))`
			`r.MethodFunc("POST", "/provisioners/{provisionerName}/policy", authnz(disabledInStandalone(h.loadProvisionerByName(h.policyResponder.CreateProvisionerPolicy))))`
			`r.MethodFunc("PUT", "/provisioners/{provisionerName}/policy", authnz(disabledInStandalone(h.loadProvisionerByName(h.policyResponder.UpdateProvisionerPolicy))))`
			`r.MethodFunc("DELETE", "/provisioners/{provisionerName}/policy", authnz(disabledInStandalone(h.loadProvisionerByName(h.policyResponder.DeleteProvisionerPolicy))))`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00
			`// Policy - ACME Account`
			`// TODO: ensure we don't clash with eab; might want to change eab paths slightly (as long as we don't have it released completely; needs changes in adminClient too)`
			`r.MethodFunc("GET", "/acme/{provisionerName}/{accountID}/policy", authnz(disabledInStandalone(h.policyResponder.GetACMEAccountPolicy)))`
			`r.MethodFunc("POST", "/acme/{provisionerName}/{accountID}/policy", authnz(disabledInStandalone(h.policyResponder.CreateACMEAccountPolicy)))`
			`r.MethodFunc("PUT", "/acme/{provisionerName}/{accountID}/policy", authnz(disabledInStandalone(h.policyResponder.UpdateACMEAccountPolicy)))`
			`r.MethodFunc("DELETE", "/acme/{provisionerName}/{accountID}/policy", authnz(disabledInStandalone(h.policyResponder.DeleteACMEAccountPolicy)))`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`}`