certificates/authority/admin/api/acme.go

package api

import (
	"fmt"
	"net/http"

	"go.step.sm/linkedca"

	"github.com/smallstep/certificates/api/render"
	"github.com/smallstep/certificates/authority/admin"
)

// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
type CreateExternalAccountKeyRequest struct {
	Reference string `json:"reference"`
}

// Validate validates a new ACME EAB Key request body.
func (r *CreateExternalAccountKeyRequest) Validate() error {
	if len(r.Reference) > 256 { // an arbitrary, but sensible (IMO), limit
		return fmt.Errorf("reference length %d exceeds the maximum (256)", len(r.Reference))
	}
	return nil
}

// GetExternalAccountKeysResponse is the type for GET /admin/acme/eab responses
type GetExternalAccountKeysResponse struct {
	EAKs       []*linkedca.EABKey `json:"eaks"`
	NextCursor string             `json:"nextCursor"`
}

// requireEABEnabled is a middleware that ensures ACME EAB is enabled
// before serving requests that act on ACME EAB credentials.
func (h *Handler) requireEABEnabled(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		prov := linkedca.ProvisionerFromContext(ctx)

		details := prov.GetDetails()
		if details == nil {
			render.Error(w, admin.NewErrorISE("error getting details for provisioner '%s'", prov.GetName()))
			return
		}

		acmeProvisioner := details.GetACME()
		if acmeProvisioner == nil {
			render.Error(w, admin.NewErrorISE("error getting ACME details for provisioner '%s'", prov.GetName()))
			return
		}

		if !acmeProvisioner.RequireEab {
			render.Error(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner '%s'", prov.GetName()))
			return
		}

		next(w, r)
	}
}

type acmeAdminResponderInterface interface {
	GetExternalAccountKeys(w http.ResponseWriter, r *http.Request)
	CreateExternalAccountKey(w http.ResponseWriter, r *http.Request)
	DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request)
}

// ACMEAdminResponder is responsible for writing ACME admin responses
type ACMEAdminResponder struct{}

// NewACMEAdminResponder returns a new ACMEAdminResponder
func NewACMEAdminResponder() *ACMEAdminResponder {
	return &ACMEAdminResponder{}
}

// GetExternalAccountKeys writes the response for the EAB keys GET endpoint
func (h *ACMEAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) {
	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
}

// CreateExternalAccountKey writes the response for the EAB key POST endpoint
func (h *ACMEAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r *http.Request) {
	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
}

// DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint
func (h *ACMEAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) {
	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
}
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00			`package api`

			`import (`
Add additional tests for ACME EAB Admin 2021-12-09 09:36:03 +01:00			`"fmt"`
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00			`"net/http"`

Fix ACME order tests with mock ACME CA 2022-03-24 18:34:04 +01:00			`"go.step.sm/linkedca"`

api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 11:22:22 +03:00			`"github.com/smallstep/certificates/api/render"`
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00			`"github.com/smallstep/certificates/authority/admin"`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 16:59:55 +01:00			`)`

Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00			`// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests`
			`type CreateExternalAccountKeyRequest struct {`
Refactor retrieval of provisioner into middleware 2021-10-08 14:29:44 +02:00			Reference string `json:"reference"`
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00			`}`

Fix PR comments 2021-09-16 23:09:24 +02:00			`// Validate validates a new ACME EAB Key request body.`
Use LinkedCA.EABKey type in ACME EAB API 2021-08-27 12:39:37 +02:00			`func (r *CreateExternalAccountKeyRequest) Validate() error {`
Add additional tests for ACME EAB Admin 2021-12-09 09:36:03 +01:00			`if len(r.Reference) > 256 { // an arbitrary, but sensible (IMO), limit`
			`return fmt.Errorf("reference length %d exceeds the maximum (256)", len(r.Reference))`
			`}`
Use LinkedCA.EABKey type in ACME EAB API 2021-08-27 12:39:37 +02:00			`return nil`
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00			`}`

			`// GetExternalAccountKeysResponse is the type for GET /admin/acme/eab responses`
			`type GetExternalAccountKeysResponse struct {`
Add cursor and limit to ACME EAB DB interface 2022-01-24 14:03:56 +01:00			EAKs []*linkedca.EABKey `json:"eaks"`
			NextCursor string `json:"nextCursor"`
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00			`}`

Refactor retrieval of provisioner into middleware 2021-10-08 14:29:44 +02:00			`// requireEABEnabled is a middleware that ensures ACME EAB is enabled`
			`// before serving requests that act on ACME EAB credentials.`
Add authority policy API 2022-03-30 14:21:39 +02:00			`func (h *Handler) requireEABEnabled(next http.HandlerFunc) http.HandlerFunc {`
Refactor retrieval of provisioner into middleware 2021-10-08 14:29:44 +02:00			`return func(w http.ResponseWriter, r *http.Request) {`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 16:59:55 +01:00			`ctx := r.Context()`
Improve middleware test coverage 2022-03-30 18:21:25 +02:00			`prov := linkedca.ProvisionerFromContext(ctx)`

			`details := prov.GetDetails()`
			`if details == nil {`
			`render.Error(w, admin.NewErrorISE("error getting details for provisioner '%s'", prov.GetName()))`
Refactor retrieval of provisioner into middleware 2021-10-08 14:29:44 +02:00			`return`
			`}`
Improve middleware test coverage 2022-03-30 18:21:25 +02:00
			`acmeProvisioner := details.GetACME()`
			`if acmeProvisioner == nil {`
			`render.Error(w, admin.NewErrorISE("error getting ACME details for provisioner '%s'", prov.GetName()))`
Refactor retrieval of provisioner into middleware 2021-10-08 14:29:44 +02:00			`return`
			`}`
Fix PR comments 2021-09-16 23:09:24 +02:00
Improve middleware test coverage 2022-03-30 18:21:25 +02:00			`if !acmeProvisioner.RequireEab {`
			`render.Error(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner '%s'", prov.GetName()))`
			`return`
			`}`
Fix PR comments 2021-09-16 23:09:24 +02:00
Fix (most) PR comments 2022-03-31 16:12:29 +02:00			`next(w, r)`
Fix PR comments 2021-09-16 23:09:24 +02:00			`}`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 16:59:55 +01:00			`}`

Refactor ACME Admin API 2022-02-08 13:26:30 +01:00			`type acmeAdminResponderInterface interface {`
			`GetExternalAccountKeys(w http.ResponseWriter, r *http.Request)`
			`CreateExternalAccountKey(w http.ResponseWriter, r *http.Request)`
			`DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request)`
Fix PR comments 2021-09-16 23:09:24 +02:00			`}`

Refactor ACME Admin API 2022-02-08 13:26:30 +01:00			`// ACMEAdminResponder is responsible for writing ACME admin responses`
			`type ACMEAdminResponder struct{}`
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00
Refactor ACME Admin API 2022-02-08 13:26:30 +01:00			`// NewACMEAdminResponder returns a new ACMEAdminResponder`
			`func NewACMEAdminResponder() *ACMEAdminResponder {`
			`return &ACMEAdminResponder{}`
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00			`}`

Refactor ACME Admin API 2022-02-08 13:26:30 +01:00			`// GetExternalAccountKeys writes the response for the EAB keys GET endpoint`
			`func (h ACMEAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r http.Request) {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 11:22:22 +03:00			`render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))`
Add support for deleting ACME EAB keys 2021-08-27 14:10:00 +02:00			`}`

Refactor ACME Admin API 2022-02-08 13:26:30 +01:00			`// CreateExternalAccountKey writes the response for the EAB key POST endpoint`
			`func (h ACMEAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r http.Request) {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 11:22:22 +03:00			`render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))`
Refactor ACME Admin API 2022-02-08 13:26:30 +01:00			`}`
Add endpoint for listing ACME EAB keys 2021-08-27 16:58:04 +02:00
Refactor ACME Admin API 2022-02-08 13:26:30 +01:00			`// DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint`
			`func (h ACMEAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r http.Request) {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 11:22:22 +03:00			`render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))`
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00			`}`