certificates/authority/admin/api/middleware.go

package api

import (
	"net/http"

	"go.step.sm/linkedca"

	"github.com/smallstep/certificates/api"
	"github.com/smallstep/certificates/authority/admin"
	"github.com/smallstep/certificates/authority/admin/db/nosql"
)

type nextHTTP = func(http.ResponseWriter, *http.Request)

// requireAPIEnabled is a middleware that ensures the Administration API
// is enabled before servicing requests.
func (h *Handler) requireAPIEnabled(next nextHTTP) nextHTTP {
	return func(w http.ResponseWriter, r *http.Request) {
		if !h.auth.IsAdminAPIEnabled() {
			api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,
				"administration API not enabled"))
			return
		}
		next(w, r)
	}
}

// extractAuthorizeTokenAdmin is a middleware that extracts and caches the bearer token.
func (h *Handler) extractAuthorizeTokenAdmin(next nextHTTP) nextHTTP {
	return func(w http.ResponseWriter, r *http.Request) {

		tok := r.Header.Get("Authorization")
		if tok == "" {
			api.WriteError(w, admin.NewError(admin.ErrorUnauthorizedType,
				"missing authorization header token"))
			return
		}

		adm, err := h.auth.AuthorizeAdminToken(r, tok)
		if err != nil {
			api.WriteError(w, err)
			return
		}

		ctx := linkedca.NewContextWithAdmin(r.Context(), adm)
		next(w, r.WithContext(ctx))
	}
}

// checkAction checks if an action is supported in standalone or not
func (h *Handler) checkAction(next nextHTTP, supportedInStandalone bool) nextHTTP {
	return func(w http.ResponseWriter, r *http.Request) {

		// actions allowed in standalone mode are always supported
		if supportedInStandalone {
			next(w, r)
			return
		}

		// when an action is not supported in standalone mode and when
		// using a nosql.DB backend, actions are not supported
		if _, ok := h.adminDB.(*nosql.DB); ok {
			api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,
				"operation not supported in standalone mode"))
			return
		}

		// continue to next http handler
		next(w, r)
	}
}
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`package api`

			`import (`
			`"net/http"`

Improve protobuf unmarshaling error handling 2022-03-24 09:54:45 +00:00			`"go.step.sm/linkedca"`

Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`"github.com/smallstep/certificates/api"`
			`"github.com/smallstep/certificates/authority/admin"`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`"github.com/smallstep/certificates/authority/admin/db/nosql"`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`)`

			`type nextHTTP = func(http.ResponseWriter, *http.Request)`

			`// requireAPIEnabled is a middleware that ensures the Administration API`
			`// is enabled before servicing requests.`
			`func (h *Handler) requireAPIEnabled(next nextHTTP) nextHTTP {`
			`return func(w http.ResponseWriter, r *http.Request) {`
Addressing comments in PR review - added a bit of validation to admin create and update - using protojson where possible in admin api - fixing a few instances of admin -> acme in errors 2021-07-07 00:14:13 +00:00			`if !h.auth.IsAdminAPIEnabled() {`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,`
			`"administration API not enabled"))`
			`return`
			`}`
			`next(w, r)`
			`}`
			`}`

			`// extractAuthorizeTokenAdmin is a middleware that extracts and caches the bearer token.`
			`func (h *Handler) extractAuthorizeTokenAdmin(next nextHTTP) nextHTTP {`
			`return func(w http.ResponseWriter, r *http.Request) {`
Check admin subjects before changing policy 2022-03-21 14:53:59 +00:00
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`tok := r.Header.Get("Authorization")`
Introduce gocritic linter and address warnings 2021-10-08 18:59:57 +00:00			`if tok == "" {`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`api.WriteError(w, admin.NewError(admin.ErrorUnauthorizedType,`
			`"missing authorization header token"))`
			`return`
			`}`

			`adm, err := h.auth.AuthorizeAdminToken(r, tok)`
			`if err != nil {`
			`api.WriteError(w, err)`
			`return`
			`}`

Fix ACME order tests with mock ACME CA 2022-03-24 17:34:04 +00:00			`ctx := linkedca.NewContextWithAdmin(r.Context(), adm)`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`next(w, r.WithContext(ctx))`
			`}`
			`}`

Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`// checkAction checks if an action is supported in standalone or not`
			`func (h *Handler) checkAction(next nextHTTP, supportedInStandalone bool) nextHTTP {`
			`return func(w http.ResponseWriter, r *http.Request) {`

Check admin subjects before changing policy 2022-03-21 14:53:59 +00:00			`// actions allowed in standalone mode are always supported`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`if supportedInStandalone {`
			`next(w, r)`
			`return`
			`}`

Fix ACME order tests with mock ACME CA 2022-03-24 17:34:04 +00:00			`// when an action is not supported in standalone mode and when`
			`// using a nosql.DB backend, actions are not supported`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`if _, ok := h.adminDB.(*nosql.DB); ok {`
			`api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,`
			`"operation not supported in standalone mode"))`
			`return`
			`}`

			`// continue to next http handler`
			`next(w, r)`
			`}`
			`}`