certificates/authority/admin/api/middleware.go

package api

import (
	"net/http"

	"github.com/go-chi/chi"
	"google.golang.org/protobuf/types/known/timestamppb"

	"go.step.sm/linkedca"

	"github.com/smallstep/certificates/acme"
	"github.com/smallstep/certificates/api/render"
	"github.com/smallstep/certificates/authority/admin"
	"github.com/smallstep/certificates/authority/admin/db/nosql"
	"github.com/smallstep/certificates/authority/provisioner"
)

// requireAPIEnabled is a middleware that ensures the Administration API
// is enabled before servicing requests.
func (h *Handler) requireAPIEnabled(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !h.auth.IsAdminAPIEnabled() {
			render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
				"administration API not enabled"))
			return
		}
		next(w, r)
	}
}

// extractAuthorizeTokenAdmin is a middleware that extracts and caches the bearer token.
func (h *Handler) extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {

		tok := r.Header.Get("Authorization")
		if tok == "" {
			render.Error(w, admin.NewError(admin.ErrorUnauthorizedType,
				"missing authorization header token"))
			return
		}

		adm, err := h.auth.AuthorizeAdminToken(r, tok)
		if err != nil {
			render.Error(w, err)
			return
		}

		ctx := linkedca.NewContextWithAdmin(r.Context(), adm)
		next(w, r.WithContext(ctx))
	}
}

// loadProvisionerByName is a middleware that searches for a provisioner
// by name and stores it in the context.
func (h *Handler) loadProvisionerByName(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {

		ctx := r.Context()
		name := chi.URLParam(r, "provisionerName")
		var (
			p   provisioner.Interface
			err error
		)

		// TODO(hs): distinguish 404 vs. 500
		if p, err = h.auth.LoadProvisionerByName(name); err != nil {
			render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
			return
		}

		prov, err := h.adminDB.GetProvisioner(ctx, p.GetID())
		if err != nil {
			render.Error(w, admin.WrapErrorISE(err, "error retrieving provisioner %s", name))
			return
		}

		ctx = linkedca.NewContextWithProvisioner(ctx, prov)
		next(w, r.WithContext(ctx))
	}
}

// checkAction checks if an action is supported in standalone or not
func (h *Handler) checkAction(next http.HandlerFunc, supportedInStandalone bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {

		// // temporarily only support the admin nosql DB
		// if _, ok := h.adminDB.(*nosql.DB); !ok {
		// 	render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
		// 		"operation not supported"))
		// 	return
		// }

		// actions allowed in standalone mode are always supported
		if supportedInStandalone {
			next(w, r)
			return
		}

		// when an action is not supported in standalone mode and when
		// using a nosql.DB backend, actions are not supported
		if _, ok := h.adminDB.(*nosql.DB); ok {
			render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
				"operation not supported in standalone mode"))
			return
		}

		// continue to next http handler
		next(w, r)
	}
}

// loadExternalAccountKey is a middleware that searches for an ACME
// External Account Key by accountID, keyID or reference and stores it in the context.
func (h *Handler) loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		prov := linkedca.ProvisionerFromContext(ctx)

		reference := chi.URLParam(r, "reference")
		keyID := chi.URLParam(r, "keyID")

		var (
			eak *acme.ExternalAccountKey
			err error
		)

		if keyID != "" {
			eak, err = h.acmeDB.GetExternalAccountKey(ctx, prov.GetId(), keyID)
		} else {
			eak, err = h.acmeDB.GetExternalAccountKeyByReference(ctx, prov.GetId(), reference)
		}

		if err != nil {
			// TODO: handle error; not found vs. some internal server error
			render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account key"))
			return
		}

		if eak == nil {
			render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key does not exist"))
			return
		}

		linkedEAK := eakToLinked(eak)

		ctx = linkedca.NewContextWithExternalAccountKey(ctx, linkedEAK)

		next(w, r.WithContext(ctx))
	}
}

func eakToLinked(k *acme.ExternalAccountKey) *linkedca.EABKey {

	if k == nil {
		return nil
	}

	eak := &linkedca.EABKey{
		Id:          k.ID,
		HmacKey:     k.KeyBytes,
		Provisioner: k.ProvisionerID,
		Reference:   k.Reference,
		Account:     k.AccountID,
		CreatedAt:   timestamppb.New(k.CreatedAt),
		BoundAt:     timestamppb.New(k.BoundAt),
	}

	if k.Policy != nil {
		eak.Policy = &linkedca.Policy{
			X509: &linkedca.X509Policy{
				Allow: &linkedca.X509Names{},
				Deny:  &linkedca.X509Names{},
			},
		}
		eak.Policy.X509.Allow.Dns = k.Policy.X509.Allowed.DNSNames
		eak.Policy.X509.Allow.Ips = k.Policy.X509.Allowed.IPRanges
		eak.Policy.X509.Deny.Dns = k.Policy.X509.Denied.DNSNames
		eak.Policy.X509.Deny.Ips = k.Policy.X509.Denied.IPRanges
	}

	return eak
}

func linkedEAKToCertificates(k *linkedca.EABKey) *acme.ExternalAccountKey {
	if k == nil {
		return nil
	}

	eak := &acme.ExternalAccountKey{
		ID:            k.Id,
		ProvisionerID: k.Provisioner,
		Reference:     k.Reference,
		AccountID:     k.Account,
		KeyBytes:      k.HmacKey,
		CreatedAt:     k.CreatedAt.AsTime(),
		BoundAt:       k.BoundAt.AsTime(),
	}

	if k.Policy == nil {
		return eak
	}

	eak.Policy = &acme.Policy{}

	if k.Policy.X509 == nil {
		return eak
	}

	eak.Policy.X509 = acme.X509Policy{
		Allowed: acme.PolicyNames{},
		Denied:  acme.PolicyNames{},
	}

	if k.Policy.X509.Allow != nil {
		eak.Policy.X509.Allowed.DNSNames = k.Policy.X509.Allow.Dns
		eak.Policy.X509.Allowed.IPRanges = k.Policy.X509.Allow.Ips
	}

	if k.Policy.X509.Deny != nil {
		eak.Policy.X509.Denied.DNSNames = k.Policy.X509.Deny.Dns
		eak.Policy.X509.Denied.IPRanges = k.Policy.X509.Deny.Ips
	}

	return eak
}
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`package api`

			`import (`
			`"net/http"`

Add authority policy API 2022-03-30 12:21:39 +00:00			`"github.com/go-chi/chi"`
Add ACME EAB policy 2022-04-07 12:11:53 +00:00			`"google.golang.org/protobuf/types/known/timestamppb"`
Add authority policy API 2022-03-30 12:21:39 +00:00
Merge branch 'master' into herman/allow-deny 2022-03-30 12:50:14 +00:00			`"go.step.sm/linkedca"`

Add ACME EAB policy 2022-04-07 12:11:53 +00:00			`"github.com/smallstep/certificates/acme"`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`"github.com/smallstep/certificates/api/render"`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`"github.com/smallstep/certificates/authority/admin"`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`"github.com/smallstep/certificates/authority/admin/db/nosql"`
Add authority policy API 2022-03-30 12:21:39 +00:00			`"github.com/smallstep/certificates/authority/provisioner"`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`)`

			`// requireAPIEnabled is a middleware that ensures the Administration API`
			`// is enabled before servicing requests.`
Add authority policy API 2022-03-30 12:21:39 +00:00			`func (h *Handler) requireAPIEnabled(next http.HandlerFunc) http.HandlerFunc {`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`return func(w http.ResponseWriter, r *http.Request) {`
Addressing comments in PR review - added a bit of validation to admin create and update - using protojson where possible in admin api - fixing a few instances of admin -> acme in errors 2021-07-07 00:14:13 +00:00			`if !h.auth.IsAdminAPIEnabled() {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, admin.NewError(admin.ErrorNotImplementedType,`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`"administration API not enabled"))`
			`return`
			`}`
			`next(w, r)`
			`}`
			`}`

			`// extractAuthorizeTokenAdmin is a middleware that extracts and caches the bearer token.`
Add authority policy API 2022-03-30 12:21:39 +00:00			`func (h *Handler) extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`return func(w http.ResponseWriter, r *http.Request) {`
Check admin subjects before changing policy 2022-03-21 14:53:59 +00:00
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`tok := r.Header.Get("Authorization")`
Introduce gocritic linter and address warnings 2021-10-08 18:59:57 +00:00			`if tok == "" {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, admin.NewError(admin.ErrorUnauthorizedType,`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`"missing authorization header token"))`
			`return`
			`}`

			`adm, err := h.auth.AuthorizeAdminToken(r, tok)`
			`if err != nil {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, err)`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`return`
			`}`

Fix ACME order tests with mock ACME CA 2022-03-24 17:34:04 +00:00			`ctx := linkedca.NewContextWithAdmin(r.Context(), adm)`
Admin level API for provisioner mgmt v1 2021-05-03 19:48:20 +00:00			`next(w, r.WithContext(ctx))`
			`}`
			`}`

Fix (most) PR comments 2022-03-31 14:12:29 +00:00			`// loadProvisionerByName is a middleware that searches for a provisioner`
Add authority policy API 2022-03-30 12:21:39 +00:00			`// by name and stores it in the context.`
			`func (h *Handler) loadProvisionerByName(next http.HandlerFunc) http.HandlerFunc {`
			`return func(w http.ResponseWriter, r *http.Request) {`

			`ctx := r.Context()`
			`name := chi.URLParam(r, "provisionerName")`
			`var (`
			`p provisioner.Interface`
			`err error`
			`)`
Improve middleware test coverage 2022-03-30 16:21:25 +00:00
			`// TODO(hs): distinguish 404 vs. 500`
Add authority policy API 2022-03-30 12:21:39 +00:00			`if p, err = h.auth.LoadProvisionerByName(name); err != nil {`
Merge branch 'master' into herman/allow-deny 2022-03-30 12:50:14 +00:00			`render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))`
Add authority policy API 2022-03-30 12:21:39 +00:00			`return`
			`}`

			`prov, err := h.adminDB.GetProvisioner(ctx, p.GetID())`
			`if err != nil {`
Improve middleware test coverage 2022-03-30 16:21:25 +00:00			`render.Error(w, admin.WrapErrorISE(err, "error retrieving provisioner %s", name))`
Add authority policy API 2022-03-30 12:21:39 +00:00			`return`
			`}`

			`ctx = linkedca.NewContextWithProvisioner(ctx, prov)`
			`next(w, r.WithContext(ctx))`
			`}`
			`}`

Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`// checkAction checks if an action is supported in standalone or not`
Add authority policy API 2022-03-30 12:21:39 +00:00			`func (h *Handler) checkAction(next http.HandlerFunc, supportedInStandalone bool) http.HandlerFunc {`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`return func(w http.ResponseWriter, r *http.Request) {`

Add ACME EAB policy 2022-04-07 12:11:53 +00:00			`// // temporarily only support the admin nosql DB`
			`// if _, ok := h.adminDB.(*nosql.DB); !ok {`
			`// render.Error(w, admin.NewError(admin.ErrorNotImplementedType,`
			`// "operation not supported"))`
			`// return`
			`// }`
Fix (most) PR comments 2022-03-31 14:12:29 +00:00
Check admin subjects before changing policy 2022-03-21 14:53:59 +00:00			`// actions allowed in standalone mode are always supported`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`if supportedInStandalone {`
			`next(w, r)`
			`return`
			`}`

Fix ACME order tests with mock ACME CA 2022-03-24 17:34:04 +00:00			`// when an action is not supported in standalone mode and when`
			`// using a nosql.DB backend, actions are not supported`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`if _, ok := h.adminDB.(*nosql.DB); ok {`
Merge branch 'master' into herman/allow-deny 2022-03-30 12:50:14 +00:00			`render.Error(w, admin.NewError(admin.ErrorNotImplementedType,`
Add API implementation for authority and provisioner policy 2022-03-15 14:51:45 +00:00			`"operation not supported in standalone mode"))`
			`return`
			`}`

			`// continue to next http handler`
			`next(w, r)`
			`}`
			`}`
Add ACME EAB policy 2022-04-07 12:11:53 +00:00
			`// loadExternalAccountKey is a middleware that searches for an ACME`
			`// External Account Key by accountID, keyID or reference and stores it in the context.`
			`func (h *Handler) loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc {`
			`return func(w http.ResponseWriter, r *http.Request) {`
			`ctx := r.Context()`
			`prov := linkedca.ProvisionerFromContext(ctx)`

			`reference := chi.URLParam(r, "reference")`
			`keyID := chi.URLParam(r, "keyID")`

			`var (`
			`eak *acme.ExternalAccountKey`
			`err error`
			`)`

			`if keyID != "" {`
			`eak, err = h.acmeDB.GetExternalAccountKey(ctx, prov.GetId(), keyID)`
			`} else {`
			`eak, err = h.acmeDB.GetExternalAccountKeyByReference(ctx, prov.GetId(), reference)`
			`}`

			`if err != nil {`
			`// TODO: handle error; not found vs. some internal server error`
			`render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account key"))`
			`return`
			`}`

			`if eak == nil {`
			`render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key does not exist"))`
			`return`
			`}`

			`linkedEAK := eakToLinked(eak)`

			`ctx = linkedca.NewContextWithExternalAccountKey(ctx, linkedEAK)`

			`next(w, r.WithContext(ctx))`
			`}`
			`}`

			`func eakToLinked(k acme.ExternalAccountKey) linkedca.EABKey {`

			`if k == nil {`
			`return nil`
			`}`

			`eak := &linkedca.EABKey{`
			`Id: k.ID,`
			`HmacKey: k.KeyBytes,`
			`Provisioner: k.ProvisionerID,`
			`Reference: k.Reference,`
			`Account: k.AccountID,`
			`CreatedAt: timestamppb.New(k.CreatedAt),`
			`BoundAt: timestamppb.New(k.BoundAt),`
			`}`

			`if k.Policy != nil {`
			`eak.Policy = &linkedca.Policy{`
			`X509: &linkedca.X509Policy{`
			`Allow: &linkedca.X509Names{},`
			`Deny: &linkedca.X509Names{},`
			`},`
			`}`
			`eak.Policy.X509.Allow.Dns = k.Policy.X509.Allowed.DNSNames`
			`eak.Policy.X509.Allow.Ips = k.Policy.X509.Allowed.IPRanges`
			`eak.Policy.X509.Deny.Dns = k.Policy.X509.Denied.DNSNames`
			`eak.Policy.X509.Deny.Ips = k.Policy.X509.Denied.IPRanges`
			`}`

			`return eak`
			`}`

			`func linkedEAKToCertificates(k linkedca.EABKey) acme.ExternalAccountKey {`
			`if k == nil {`
			`return nil`
			`}`

			`eak := &acme.ExternalAccountKey{`
			`ID: k.Id,`
			`ProvisionerID: k.Provisioner,`
			`Reference: k.Reference,`
			`AccountID: k.Account,`
			`KeyBytes: k.HmacKey,`
			`CreatedAt: k.CreatedAt.AsTime(),`
			`BoundAt: k.BoundAt.AsTime(),`
			`}`

			`if k.Policy == nil {`
			`return eak`
			`}`

			`eak.Policy = &acme.Policy{}`

			`if k.Policy.X509 == nil {`
			`return eak`
			`}`

			`eak.Policy.X509 = acme.X509Policy{`
			`Allowed: acme.PolicyNames{},`
			`Denied: acme.PolicyNames{},`
			`}`

			`if k.Policy.X509.Allow != nil {`
			`eak.Policy.X509.Allowed.DNSNames = k.Policy.X509.Allow.Dns`
			`eak.Policy.X509.Allowed.IPRanges = k.Policy.X509.Allow.Ips`
			`}`

			`if k.Policy.X509.Deny != nil {`
			`eak.Policy.X509.Denied.DNSNames = k.Policy.X509.Deny.Dns`
			`eak.Policy.X509.Denied.IPRanges = k.Policy.X509.Deny.Ips`
			`}`

			`return eak`
			`}`