2022-03-15 14:51:45 +00:00
|
|
|
package api
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
|
2022-03-24 09:54:45 +00:00
|
|
|
"go.step.sm/linkedca"
|
|
|
|
|
2022-03-24 12:10:49 +00:00
|
|
|
"github.com/smallstep/certificates/api/read"
|
2022-03-30 12:50:14 +00:00
|
|
|
"github.com/smallstep/certificates/api/render"
|
2022-03-15 14:51:45 +00:00
|
|
|
"github.com/smallstep/certificates/authority/admin"
|
|
|
|
)
|
|
|
|
|
|
|
|
type policyAdminResponderInterface interface {
|
|
|
|
GetAuthorityPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
CreateAuthorityPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
UpdateAuthorityPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
DeleteAuthorityPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
GetProvisionerPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
CreateProvisionerPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
UpdateProvisionerPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
CreateACMEAccountPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
UpdateACMEAccountPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
DeleteACMEAccountPolicy(w http.ResponseWriter, r *http.Request)
|
|
|
|
}
|
|
|
|
|
|
|
|
// PolicyAdminResponder is responsible for writing ACME admin responses
|
|
|
|
type PolicyAdminResponder struct {
|
|
|
|
auth adminAuthority
|
|
|
|
adminDB admin.DB
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewACMEAdminResponder returns a new ACMEAdminResponder
|
|
|
|
func NewPolicyAdminResponder(auth adminAuthority, adminDB admin.DB) *PolicyAdminResponder {
|
|
|
|
return &PolicyAdminResponder{
|
|
|
|
auth: auth,
|
|
|
|
adminDB: adminDB,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetAuthorityPolicy handles the GET /admin/authority/policy request
|
|
|
|
func (par *PolicyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
|
|
|
policy, err := par.auth.GetAuthorityPolicy(r.Context())
|
|
|
|
if ae, ok := err.(*admin.Error); ok {
|
|
|
|
if !ae.IsType(admin.ErrorNotFoundType) {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if policy == nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:50:14 +00:00
|
|
|
render.ProtoJSONStatus(w, policy, http.StatusOK)
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// CreateAuthorityPolicy handles the POST /admin/authority/policy request
|
|
|
|
func (par *PolicyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
|
|
|
ctx := r.Context()
|
|
|
|
policy, err := par.auth.GetAuthorityPolicy(ctx)
|
|
|
|
|
|
|
|
shouldWriteError := false
|
|
|
|
if ae, ok := err.(*admin.Error); ok {
|
|
|
|
shouldWriteError = !ae.IsType(admin.ErrorNotFoundType)
|
|
|
|
}
|
|
|
|
|
|
|
|
if shouldWriteError {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if policy != nil {
|
|
|
|
adminErr := admin.NewError(admin.ErrorBadRequestType, "authority already has a policy")
|
|
|
|
adminErr.Status = http.StatusConflict
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, adminErr)
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var newPolicy = new(linkedca.Policy)
|
2022-03-30 12:50:14 +00:00
|
|
|
if !read.ProtoJSONWithCheck(w, r.Body, newPolicy) {
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-24 09:54:45 +00:00
|
|
|
adm := linkedca.AdminFromContext(ctx)
|
2022-03-21 14:53:59 +00:00
|
|
|
|
2022-03-24 09:54:45 +00:00
|
|
|
var createdPolicy *linkedca.Policy
|
|
|
|
if createdPolicy, err = par.auth.CreateAuthorityPolicy(ctx, adm, newPolicy); err != nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error storing authority policy"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:50:14 +00:00
|
|
|
render.JSONStatus(w, createdPolicy, http.StatusCreated)
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateAuthorityPolicy handles the PUT /admin/authority/policy request
|
|
|
|
func (par *PolicyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
2022-03-21 14:53:59 +00:00
|
|
|
|
|
|
|
ctx := r.Context()
|
|
|
|
policy, err := par.auth.GetAuthorityPolicy(ctx)
|
|
|
|
|
|
|
|
shouldWriteError := false
|
|
|
|
if ae, ok := err.(*admin.Error); ok {
|
|
|
|
shouldWriteError = !ae.IsType(admin.ErrorNotFoundType)
|
|
|
|
}
|
|
|
|
|
|
|
|
if shouldWriteError {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
|
2022-03-21 14:53:59 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if policy == nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
|
2022-03-21 14:53:59 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var newPolicy = new(linkedca.Policy)
|
2022-03-24 12:10:49 +00:00
|
|
|
if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, err)
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-24 09:54:45 +00:00
|
|
|
adm := linkedca.AdminFromContext(ctx)
|
2022-03-21 14:53:59 +00:00
|
|
|
|
2022-03-24 09:54:45 +00:00
|
|
|
var updatedPolicy *linkedca.Policy
|
|
|
|
if updatedPolicy, err = par.auth.UpdateAuthorityPolicy(ctx, adm, newPolicy); err != nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating authority policy"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:50:14 +00:00
|
|
|
render.ProtoJSONStatus(w, updatedPolicy, http.StatusOK)
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// DeleteAuthorityPolicy handles the DELETE /admin/authority/policy request
|
|
|
|
func (par *PolicyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
|
|
|
ctx := r.Context()
|
|
|
|
policy, err := par.auth.GetAuthorityPolicy(ctx)
|
|
|
|
|
|
|
|
if ae, ok := err.(*admin.Error); ok {
|
|
|
|
if !ae.IsType(admin.ErrorNotFoundType) {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if policy == nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "authority policy does not exist"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
err = par.auth.RemoveAuthorityPolicy(ctx)
|
|
|
|
if err != nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapErrorISE(err, "error deleting authority policy"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:50:14 +00:00
|
|
|
render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// GetProvisionerPolicy handles the GET /admin/provisioners/{name}/policy request
|
|
|
|
func (par *PolicyAdminResponder) GetProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
2022-03-30 12:21:39 +00:00
|
|
|
prov := linkedca.ProvisionerFromContext(r.Context())
|
2022-03-15 14:51:45 +00:00
|
|
|
|
|
|
|
policy := prov.GetPolicy()
|
|
|
|
if policy == nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:50:14 +00:00
|
|
|
render.ProtoJSONStatus(w, policy, http.StatusOK)
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// CreateProvisionerPolicy handles the POST /admin/provisioners/{name}/policy request
|
|
|
|
func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
2022-03-30 12:21:39 +00:00
|
|
|
ctx := r.Context()
|
|
|
|
prov := linkedca.ProvisionerFromContext(ctx)
|
2022-03-15 14:51:45 +00:00
|
|
|
|
|
|
|
policy := prov.GetPolicy()
|
|
|
|
if policy != nil {
|
2022-03-30 12:21:39 +00:00
|
|
|
adminErr := admin.NewError(admin.ErrorBadRequestType, "provisioner %s already has a policy", prov.Name)
|
2022-03-15 14:51:45 +00:00
|
|
|
adminErr.Status = http.StatusConflict
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, adminErr)
|
2022-03-30 12:21:39 +00:00
|
|
|
return
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var newPolicy = new(linkedca.Policy)
|
2022-03-30 12:50:14 +00:00
|
|
|
if !read.ProtoJSONWithCheck(w, r.Body, newPolicy) {
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
prov.Policy = newPolicy
|
|
|
|
|
2022-03-30 12:21:39 +00:00
|
|
|
err := par.auth.UpdateProvisioner(ctx, prov)
|
2022-03-15 14:51:45 +00:00
|
|
|
if err != nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error creating provisioner policy"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:50:14 +00:00
|
|
|
render.ProtoJSONStatus(w, newPolicy, http.StatusCreated)
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateProvisionerPolicy handles the PUT /admin/provisioners/{name}/policy request
|
|
|
|
func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
2022-03-30 12:21:39 +00:00
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
ctx := r.Context()
|
2022-03-30 12:21:39 +00:00
|
|
|
prov := linkedca.ProvisionerFromContext(ctx)
|
2022-03-15 14:51:45 +00:00
|
|
|
|
2022-03-30 12:21:39 +00:00
|
|
|
if prov.Policy == nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:21:39 +00:00
|
|
|
var newPolicy = new(linkedca.Policy)
|
2022-03-30 12:50:14 +00:00
|
|
|
if !read.ProtoJSONWithCheck(w, r.Body, newPolicy) {
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:21:39 +00:00
|
|
|
prov.Policy = newPolicy
|
|
|
|
err := par.auth.UpdateProvisioner(ctx, prov)
|
2022-03-15 14:51:45 +00:00
|
|
|
if err != nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapError(admin.ErrorBadRequestType, err, "error updating provisioner policy"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:50:14 +00:00
|
|
|
render.ProtoJSONStatus(w, newPolicy, http.StatusOK)
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
2022-03-24 12:10:49 +00:00
|
|
|
// DeleteProvisionerPolicy handles the DELETE /admin/provisioners/{name}/policy request
|
2022-03-15 14:51:45 +00:00
|
|
|
func (par *PolicyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
|
|
|
ctx := r.Context()
|
2022-03-30 12:21:39 +00:00
|
|
|
prov := linkedca.ProvisionerFromContext(ctx)
|
2022-03-15 14:51:45 +00:00
|
|
|
|
|
|
|
if prov.Policy == nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "provisioner policy does not exist"))
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// remove the policy
|
|
|
|
prov.Policy = nil
|
|
|
|
|
2022-03-30 12:21:39 +00:00
|
|
|
err := par.auth.UpdateProvisioner(ctx, prov)
|
2022-03-15 14:51:45 +00:00
|
|
|
if err != nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, err)
|
2022-03-15 14:51:45 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-30 12:50:14 +00:00
|
|
|
render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (par *PolicyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.JSON(w, "not implemented yet")
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (par *PolicyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.JSON(w, "not implemented yet")
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (par *PolicyAdminResponder) UpdateACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.JSON(w, "not implemented yet")
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (par *PolicyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.JSON(w, "not implemented yet")
|
2022-03-15 14:51:45 +00:00
|
|
|
}
|