2021-05-03 19:48:20 +00:00
|
|
|
package api
|
|
|
|
|
|
|
|
import (
|
2022-04-15 08:43:10 +00:00
|
|
|
"errors"
|
2021-05-03 19:48:20 +00:00
|
|
|
"net/http"
|
|
|
|
|
2022-03-30 12:21:39 +00:00
|
|
|
"github.com/go-chi/chi"
|
|
|
|
|
2022-03-30 12:50:14 +00:00
|
|
|
"go.step.sm/linkedca"
|
|
|
|
|
2022-04-07 12:11:53 +00:00
|
|
|
"github.com/smallstep/certificates/acme"
|
2022-03-30 08:22:22 +00:00
|
|
|
"github.com/smallstep/certificates/api/render"
|
2021-05-03 19:48:20 +00:00
|
|
|
"github.com/smallstep/certificates/authority/admin"
|
2022-03-15 14:51:45 +00:00
|
|
|
"github.com/smallstep/certificates/authority/admin/db/nosql"
|
2022-03-30 12:21:39 +00:00
|
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
2021-05-03 19:48:20 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// requireAPIEnabled is a middleware that ensures the Administration API
|
|
|
|
// is enabled before servicing requests.
|
2022-03-30 12:21:39 +00:00
|
|
|
func (h *Handler) requireAPIEnabled(next http.HandlerFunc) http.HandlerFunc {
|
2021-05-03 19:48:20 +00:00
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2021-07-07 00:14:13 +00:00
|
|
|
if !h.auth.IsAdminAPIEnabled() {
|
2022-03-30 08:22:22 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
|
2021-05-03 19:48:20 +00:00
|
|
|
"administration API not enabled"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
next(w, r)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// extractAuthorizeTokenAdmin is a middleware that extracts and caches the bearer token.
|
2022-03-30 12:21:39 +00:00
|
|
|
func (h *Handler) extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
|
2021-05-03 19:48:20 +00:00
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2022-03-21 14:53:59 +00:00
|
|
|
|
2021-05-03 19:48:20 +00:00
|
|
|
tok := r.Header.Get("Authorization")
|
2021-10-08 18:59:57 +00:00
|
|
|
if tok == "" {
|
2022-03-30 08:22:22 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorUnauthorizedType,
|
2021-05-03 19:48:20 +00:00
|
|
|
"missing authorization header token"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
adm, err := h.auth.AuthorizeAdminToken(r, tok)
|
|
|
|
if err != nil {
|
2022-03-30 08:22:22 +00:00
|
|
|
render.Error(w, err)
|
2021-05-03 19:48:20 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-24 17:34:04 +00:00
|
|
|
ctx := linkedca.NewContextWithAdmin(r.Context(), adm)
|
2021-05-03 19:48:20 +00:00
|
|
|
next(w, r.WithContext(ctx))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-03-31 14:12:29 +00:00
|
|
|
// loadProvisionerByName is a middleware that searches for a provisioner
|
2022-03-30 12:21:39 +00:00
|
|
|
// by name and stores it in the context.
|
|
|
|
func (h *Handler) loadProvisionerByName(next http.HandlerFunc) http.HandlerFunc {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
|
|
|
ctx := r.Context()
|
|
|
|
name := chi.URLParam(r, "provisionerName")
|
|
|
|
var (
|
|
|
|
p provisioner.Interface
|
|
|
|
err error
|
|
|
|
)
|
2022-03-30 16:21:25 +00:00
|
|
|
|
|
|
|
// TODO(hs): distinguish 404 vs. 500
|
2022-03-30 12:21:39 +00:00
|
|
|
if p, err = h.auth.LoadProvisionerByName(name); err != nil {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.WrapErrorISE(err, "error loading provisioner %s", name))
|
2022-03-30 12:21:39 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
prov, err := h.adminDB.GetProvisioner(ctx, p.GetID())
|
|
|
|
if err != nil {
|
2022-03-30 16:21:25 +00:00
|
|
|
render.Error(w, admin.WrapErrorISE(err, "error retrieving provisioner %s", name))
|
2022-03-30 12:21:39 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
|
|
|
|
next(w, r.WithContext(ctx))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-03-15 14:51:45 +00:00
|
|
|
// checkAction checks if an action is supported in standalone or not
|
2022-03-30 12:21:39 +00:00
|
|
|
func (h *Handler) checkAction(next http.HandlerFunc, supportedInStandalone bool) http.HandlerFunc {
|
2022-03-15 14:51:45 +00:00
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
2022-03-21 14:53:59 +00:00
|
|
|
// actions allowed in standalone mode are always supported
|
2022-03-15 14:51:45 +00:00
|
|
|
if supportedInStandalone {
|
|
|
|
next(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-24 17:34:04 +00:00
|
|
|
// when an action is not supported in standalone mode and when
|
|
|
|
// using a nosql.DB backend, actions are not supported
|
2022-03-15 14:51:45 +00:00
|
|
|
if _, ok := h.adminDB.(*nosql.DB); ok {
|
2022-03-30 12:50:14 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotImplementedType,
|
2022-03-15 14:51:45 +00:00
|
|
|
"operation not supported in standalone mode"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// continue to next http handler
|
|
|
|
next(w, r)
|
|
|
|
}
|
|
|
|
}
|
2022-04-07 12:11:53 +00:00
|
|
|
|
|
|
|
// loadExternalAccountKey is a middleware that searches for an ACME
|
2022-04-21 14:18:55 +00:00
|
|
|
// External Account Key by reference or keyID and stores it in the context.
|
2022-04-07 12:11:53 +00:00
|
|
|
func (h *Handler) loadExternalAccountKey(next http.HandlerFunc) http.HandlerFunc {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
prov := linkedca.ProvisionerFromContext(ctx)
|
|
|
|
|
|
|
|
reference := chi.URLParam(r, "reference")
|
|
|
|
keyID := chi.URLParam(r, "keyID")
|
|
|
|
|
|
|
|
var (
|
|
|
|
eak *acme.ExternalAccountKey
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
|
|
|
|
if keyID != "" {
|
|
|
|
eak, err = h.acmeDB.GetExternalAccountKey(ctx, prov.GetId(), keyID)
|
|
|
|
} else {
|
|
|
|
eak, err = h.acmeDB.GetExternalAccountKeyByReference(ctx, prov.GetId(), reference)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
2022-04-15 08:43:10 +00:00
|
|
|
if errors.Is(err, acme.ErrNotFound) {
|
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
render.Error(w, admin.WrapErrorISE(err, "error retrieving ACME External Account Key"))
|
2022-04-07 12:11:53 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if eak == nil {
|
2022-04-15 08:43:10 +00:00
|
|
|
render.Error(w, admin.NewError(admin.ErrorNotFoundType, "ACME External Account Key not found"))
|
2022-04-07 12:11:53 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
linkedEAK := eakToLinked(eak)
|
|
|
|
|
|
|
|
ctx = linkedca.NewContextWithExternalAccountKey(ctx, linkedEAK)
|
|
|
|
|
|
|
|
next(w, r.WithContext(ctx))
|
|
|
|
}
|
|
|
|
}
|