Fix more PR comments

Herman Slatman 2022-04-26 10:15:17 +02:00
parent 76112c2da1
commit 2a7620641f
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
21 changed files with 298 additions and 331 deletions


@ -91,7 +91,7 @@ func (p *Policy) IsWildcardLiteralAllowed() bool {
// ShouldVerifySubjectCommonName returns true by default // ShouldVerifySubjectCommonName returns true by default
// for ACME account policies, as this is embedded in the // for ACME account policies, as this is embedded in the
// protocol. // protocol.
func (p *Policy) ShouldVerifySubjectCommonName() bool { func (p *Policy) ShouldVerifyCommonName() bool {
return true return true
} }
@ -101,7 +101,7 @@ type ExternalAccountKey struct {
ProvisionerID string `json:"provisionerID"` ProvisionerID string `json:"provisionerID"`
Reference string `json:"reference"` Reference string `json:"reference"`
AccountID string `json:"-"` AccountID string `json:"-"`
KeyBytes []byte `json:"-"` HmacKey []byte `json:"-"`
CreatedAt time.Time `json:"createdAt"` CreatedAt time.Time `json:"createdAt"`
BoundAt time.Time `json:"boundAt,omitempty"` BoundAt time.Time `json:"boundAt,omitempty"`
Policy *Policy `json:"policy,omitempty"` Policy *Policy `json:"policy,omitempty"`
@ -121,6 +121,6 @@ func (eak *ExternalAccountKey) BindTo(account *Account) error {
} }
eak.AccountID = account.ID eak.AccountID = account.ID
eak.BoundAt = time.Now() eak.BoundAt = time.Now()
eak.KeyBytes = []byte{} // clearing the key bytes; can only be used once eak.HmacKey = []byte{} // clearing the key bytes; can only be used once
return nil return nil
} }
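Review bot: `eak.HmacKey = []byte{} // clearing the key bytes; can only be used once` in BindTo drops the reference to the secret but does not overwrite the bytes the old slice points to, so the HMAC key stays in process memory until the garbage collector reclaims that backing array; the comment overstates what the assignment does. Wiping first is cheap: `for i := range eak.HmacKey { eak.HmacKey[i] = 0 }` ahead of the existing assignment, with the comment reworded to say the key is zeroed and emptied because a binding key may be used once. This is best-effort only, since copies held elsewhere (the persisted record, the JWS verifier's input) are outside this method's control. BindTo starts outside the hunk.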


@ -7,8 +7,9 @@ import (
"time" "time"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/assert"
"go.step.sm/crypto/jose" "go.step.sm/crypto/jose"
"github.com/smallstep/assert"
) )
func TestKeyToID(t *testing.T) { func TestKeyToID(t *testing.T) {
@ -95,7 +96,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: "provID", ProvisionerID: "provID",
Reference: "ref", Reference: "ref",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
}, },
acct: &Account{ acct: &Account{
ID: "accountID", ID: "accountID",
@ -108,7 +109,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: "provID", ProvisionerID: "provID",
Reference: "ref", Reference: "ref",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
AccountID: "someAccountID", AccountID: "someAccountID",
BoundAt: boundAt, BoundAt: boundAt,
}, },
@ -138,7 +139,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
assert.Equals(t, ae.Subproblems, tt.err.Subproblems) assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
} else { } else {
assert.Equals(t, eak.AccountID, acct.ID) assert.Equals(t, eak.AccountID, acct.ID)
assert.Equals(t, eak.KeyBytes, []byte{}) assert.Equals(t, eak.HmacKey, []byte{})
assert.NotNil(t, eak.BoundAt) assert.NotNil(t, eak.BoundAt)
} }
}) })


@ -582,7 +582,7 @@ func TestHandler_NewAccount(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: provID, ProvisionerID: provID,
Reference: "testeak", Reference: "testeak",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Now(), CreatedAt: time.Now(),
} }
return test{ return test{
@ -759,7 +759,7 @@ func TestHandler_NewAccount(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: provID, ProvisionerID: provID,
Reference: "testeak", Reference: "testeak",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Now(), CreatedAt: time.Now(),
}, nil }, nil
}, },


@ -60,7 +60,7 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
return nil, acme.NewError(acme.ErrorUnauthorizedType, "the field 'kid' references an unknown key") return nil, acme.NewError(acme.ErrorUnauthorizedType, "the field 'kid' references an unknown key")
} }
if len(externalAccountKey.KeyBytes) == 0 { if len(externalAccountKey.HmacKey) == 0 {
return nil, acme.NewError(acme.ErrorServerInternalType, "external account binding key with id '%s' does not have secret bytes", keyID) return nil, acme.NewError(acme.ErrorServerInternalType, "external account binding key with id '%s' does not have secret bytes", keyID)
} }
@ -68,7 +68,7 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
return nil, acme.NewError(acme.ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", keyID, externalAccountKey.AccountID, externalAccountKey.BoundAt) return nil, acme.NewError(acme.ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", keyID, externalAccountKey.AccountID, externalAccountKey.BoundAt)
} }
payload, err := eabJWS.Verify(externalAccountKey.KeyBytes) payload, err := eabJWS.Verify(externalAccountKey.HmacKey)
if err != nil { if err != nil {
return nil, acme.WrapErrorISE(err, "error verifying externalAccountBinding signature") return nil, acme.WrapErrorISE(err, "error verifying externalAccountBinding signature")
} }
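Review bot: The empty-key check `if len(externalAccountKey.HmacKey) == 0` in the first hunk runs before the already-bound check whose error appears in the second hunk, and BindTo replaces the key with `[]byte{}` once an account is bound; if that cleared value is what the store hands back, a second binding attempt with a used key is answered with ErrorServerInternalType ("does not have secret bytes") instead of the ErrorUnauthorizedType "was already bound" response, which misclassifies a client-side replay as a server fault and makes it harder to spot in the logs. Moving the already-bound check ahead of the length check keeps the unauthorized path for used keys and leaves the internal error for genuinely corrupt records. The lines between the two hunks are not visible here, so the exact form of the bound condition is inferred from the error message. validateExternalAccountBinding starts before the first hunk and continues past the second.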


@ -156,7 +156,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: provID, ProvisionerID: provID,
Reference: "testeak", Reference: "testeak",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: createdAt, CreatedAt: createdAt,
}, nil }, nil
}, },
@ -170,7 +170,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: provID, ProvisionerID: provID,
Reference: "testeak", Reference: "testeak",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: createdAt, CreatedAt: createdAt,
}, },
err: nil, err: nil,
@ -523,7 +523,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
Reference: "testeak", Reference: "testeak",
CreatedAt: createdAt, CreatedAt: createdAt,
AccountID: "some-account-id", AccountID: "some-account-id",
KeyBytes: []byte{}, HmacKey: []byte{},
}, nil }, nil
}, },
}, },
@ -630,7 +630,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
Reference: "testeak", Reference: "testeak",
CreatedAt: createdAt, CreatedAt: createdAt,
AccountID: "some-account-id", AccountID: "some-account-id",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
BoundAt: boundAt, BoundAt: boundAt,
}, nil }, nil
}, },
@ -686,7 +686,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: provID, ProvisionerID: provID,
Reference: "testeak", Reference: "testeak",
KeyBytes: []byte{1, 2, 3, 4}, HmacKey: []byte{1, 2, 3, 4},
CreatedAt: time.Now(), CreatedAt: time.Now(),
}, nil }, nil
}, },
@ -744,7 +744,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: provID, ProvisionerID: provID,
Reference: "testeak", Reference: "testeak",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Now(), CreatedAt: time.Now(),
}, nil }, nil
}, },
@ -799,7 +799,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: provID, ProvisionerID: provID,
Reference: "testeak", Reference: "testeak",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Now(), CreatedAt: time.Now(),
}, nil }, nil
}, },
@ -855,7 +855,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ID: "eakID", ID: "eakID",
ProvisionerID: provID, ProvisionerID: provID,
Reference: "testeak", Reference: "testeak",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Now(), CreatedAt: time.Now(),
}, nil }, nil
}, },
@ -898,7 +898,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
} else { } else {
assert.NotNil(t, tc.eak) assert.NotNil(t, tc.eak)
assert.Equals(t, got.ID, tc.eak.ID) assert.Equals(t, got.ID, tc.eak.ID)
assert.Equals(t, got.KeyBytes, tc.eak.KeyBytes) assert.Equals(t, got.HmacKey, tc.eak.HmacKey)
assert.Equals(t, got.ProvisionerID, tc.eak.ProvisionerID) assert.Equals(t, got.ProvisionerID, tc.eak.ProvisionerID)
assert.Equals(t, got.Reference, tc.eak.Reference) assert.Equals(t, got.Reference, tc.eak.Reference)
assert.Equals(t, got.CreatedAt, tc.eak.CreatedAt) assert.Equals(t, got.CreatedAt, tc.eak.CreatedAt)


@ -8,6 +8,7 @@ import (
"time" "time"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/acme" "github.com/smallstep/certificates/acme"
nosqlDB "github.com/smallstep/nosql" nosqlDB "github.com/smallstep/nosql"
) )
@ -23,7 +24,7 @@ type dbExternalAccountKey struct {
ProvisionerID string `json:"provisionerID"` ProvisionerID string `json:"provisionerID"`
Reference string `json:"reference"` Reference string `json:"reference"`
AccountID string `json:"accountID,omitempty"` AccountID string `json:"accountID,omitempty"`
KeyBytes []byte `json:"key"` HmacKey []byte `json:"key"`
CreatedAt time.Time `json:"createdAt"` CreatedAt time.Time `json:"createdAt"`
BoundAt time.Time `json:"boundAt"` BoundAt time.Time `json:"boundAt"`
} }
@ -72,7 +73,7 @@ func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerID, refer
ID: keyID, ID: keyID,
ProvisionerID: provisionerID, ProvisionerID: provisionerID,
Reference: reference, Reference: reference,
KeyBytes: random, HmacKey: random,
CreatedAt: clock.Now(), CreatedAt: clock.Now(),
} }
@ -99,7 +100,7 @@ func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerID, refer
ProvisionerID: dbeak.ProvisionerID, ProvisionerID: dbeak.ProvisionerID,
Reference: dbeak.Reference, Reference: dbeak.Reference,
AccountID: dbeak.AccountID, AccountID: dbeak.AccountID,
KeyBytes: dbeak.KeyBytes, HmacKey: dbeak.HmacKey,
CreatedAt: dbeak.CreatedAt, CreatedAt: dbeak.CreatedAt,
BoundAt: dbeak.BoundAt, BoundAt: dbeak.BoundAt,
}, nil }, nil
@ -124,7 +125,7 @@ func (db *DB) GetExternalAccountKey(ctx context.Context, provisionerID, keyID st
ProvisionerID: dbeak.ProvisionerID, ProvisionerID: dbeak.ProvisionerID,
Reference: dbeak.Reference, Reference: dbeak.Reference,
AccountID: dbeak.AccountID, AccountID: dbeak.AccountID,
KeyBytes: dbeak.KeyBytes, HmacKey: dbeak.HmacKey,
CreatedAt: dbeak.CreatedAt, CreatedAt: dbeak.CreatedAt,
BoundAt: dbeak.BoundAt, BoundAt: dbeak.BoundAt,
}, nil }, nil
@ -191,7 +192,7 @@ func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor
} }
keys = append(keys, &acme.ExternalAccountKey{ keys = append(keys, &acme.ExternalAccountKey{
ID: eak.ID, ID: eak.ID,
KeyBytes: eak.KeyBytes, HmacKey: eak.HmacKey,
ProvisionerID: eak.ProvisionerID, ProvisionerID: eak.ProvisionerID,
Reference: eak.Reference, Reference: eak.Reference,
AccountID: eak.AccountID, AccountID: eak.AccountID,
@ -256,7 +257,7 @@ func (db *DB) UpdateExternalAccountKey(ctx context.Context, provisionerID string
ProvisionerID: eak.ProvisionerID, ProvisionerID: eak.ProvisionerID,
Reference: eak.Reference, Reference: eak.Reference,
AccountID: eak.AccountID, AccountID: eak.AccountID,
KeyBytes: eak.KeyBytes, HmacKey: eak.HmacKey,
CreatedAt: eak.CreatedAt, CreatedAt: eak.CreatedAt,
BoundAt: eak.BoundAt, BoundAt: eak.BoundAt,
} }
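Review bot: The renamed field `HmacKey []byte `json:"key"`` in dbExternalAccountKey now has a Go name that no longer matches its JSON tag, and nothing on the struct says the mismatch is deliberate; a later cleanup that aligns the tag with the field name would make every already-persisted EAB record decode with an empty key, which the API layer then reports as a server error. A one-line field comment guards against that, presumably along the lines of `// HmacKey is the EAB HMAC secret; the "key" JSON tag is kept so records stored before the rename still decode.` The remaining hunks in this file (CreateExternalAccountKey, GetExternalAccountKey, GetExternalAccountKeys, UpdateExternalAccountKey) are rename-only and need nothing further.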


@ -8,6 +8,7 @@ import (
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/assert" "github.com/smallstep/assert"
"github.com/smallstep/certificates/acme" "github.com/smallstep/certificates/acme"
certdb "github.com/smallstep/certificates/db" certdb "github.com/smallstep/certificates/db"
@ -32,7 +33,7 @@ func TestDB_getDBExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: "ref", Reference: "ref",
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b, err := json.Marshal(dbeak) b, err := json.Marshal(dbeak)
@ -108,7 +109,7 @@ func TestDB_getDBExternalAccountKey(t *testing.T) {
} }
} else if assert.Nil(t, tc.err) { } else if assert.Nil(t, tc.err) {
assert.Equals(t, dbeak.ID, tc.dbeak.ID) assert.Equals(t, dbeak.ID, tc.dbeak.ID)
assert.Equals(t, dbeak.KeyBytes, tc.dbeak.KeyBytes) assert.Equals(t, dbeak.HmacKey, tc.dbeak.HmacKey)
assert.Equals(t, dbeak.ProvisionerID, tc.dbeak.ProvisionerID) assert.Equals(t, dbeak.ProvisionerID, tc.dbeak.ProvisionerID)
assert.Equals(t, dbeak.Reference, tc.dbeak.Reference) assert.Equals(t, dbeak.Reference, tc.dbeak.Reference)
assert.Equals(t, dbeak.CreatedAt, tc.dbeak.CreatedAt) assert.Equals(t, dbeak.CreatedAt, tc.dbeak.CreatedAt)
@ -136,7 +137,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: "ref", Reference: "ref",
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b, err := json.Marshal(dbeak) b, err := json.Marshal(dbeak)
@ -154,7 +155,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: "ref", Reference: "ref",
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
}, },
} }
@ -179,7 +180,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
ProvisionerID: "aDifferentProvID", ProvisionerID: "aDifferentProvID",
Reference: "ref", Reference: "ref",
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b, err := json.Marshal(dbeak) b, err := json.Marshal(dbeak)
@ -197,7 +198,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: "ref", Reference: "ref",
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
}, },
acmeErr: acme.NewError(acme.ErrorUnauthorizedType, "provisioner does not match provisioner for which the EAB key was created"), acmeErr: acme.NewError(acme.ErrorUnauthorizedType, "provisioner does not match provisioner for which the EAB key was created"),
@ -225,7 +226,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
} }
} else if assert.Nil(t, tc.err) { } else if assert.Nil(t, tc.err) {
assert.Equals(t, eak.ID, tc.eak.ID) assert.Equals(t, eak.ID, tc.eak.ID)
assert.Equals(t, eak.KeyBytes, tc.eak.KeyBytes) assert.Equals(t, eak.HmacKey, tc.eak.HmacKey)
assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID) assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID)
assert.Equals(t, eak.Reference, tc.eak.Reference) assert.Equals(t, eak.Reference, tc.eak.Reference)
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt) assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
@ -255,7 +256,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
dbref := &dbExternalAccountKeyReference{ dbref := &dbExternalAccountKeyReference{
@ -288,7 +289,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
}, },
err: nil, err: nil,
@ -392,7 +393,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
assert.Equals(t, eak.AccountID, tc.eak.AccountID) assert.Equals(t, eak.AccountID, tc.eak.AccountID)
assert.Equals(t, eak.BoundAt, tc.eak.BoundAt) assert.Equals(t, eak.BoundAt, tc.eak.BoundAt)
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt) assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
assert.Equals(t, eak.KeyBytes, tc.eak.KeyBytes) assert.Equals(t, eak.HmacKey, tc.eak.HmacKey)
assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID) assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID)
assert.Equals(t, eak.Reference, tc.eak.Reference) assert.Equals(t, eak.Reference, tc.eak.Reference)
} }
@ -420,7 +421,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b1, err := json.Marshal(dbeak1) b1, err := json.Marshal(dbeak1)
@ -430,7 +431,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b2, err := json.Marshal(dbeak2) b2, err := json.Marshal(dbeak2)
@ -440,7 +441,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
ProvisionerID: "aDifferentProvID", ProvisionerID: "aDifferentProvID",
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b3, err := json.Marshal(dbeak3) b3, err := json.Marshal(dbeak3)
@ -513,7 +514,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
}, },
{ {
@ -521,7 +522,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
}, },
}, },
@ -598,7 +599,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
assert.Equals(t, "", nextCursor) assert.Equals(t, "", nextCursor)
for i, eak := range eaks { for i, eak := range eaks {
assert.Equals(t, eak.ID, tc.eaks[i].ID) assert.Equals(t, eak.ID, tc.eaks[i].ID)
assert.Equals(t, eak.KeyBytes, tc.eaks[i].KeyBytes) assert.Equals(t, eak.HmacKey, tc.eaks[i].HmacKey)
assert.Equals(t, eak.ProvisionerID, tc.eaks[i].ProvisionerID) assert.Equals(t, eak.ProvisionerID, tc.eaks[i].ProvisionerID)
assert.Equals(t, eak.Reference, tc.eaks[i].Reference) assert.Equals(t, eak.Reference, tc.eaks[i].Reference)
assert.Equals(t, eak.CreatedAt, tc.eaks[i].CreatedAt) assert.Equals(t, eak.CreatedAt, tc.eaks[i].CreatedAt)
@ -627,7 +628,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
dbref := &dbExternalAccountKeyReference{ dbref := &dbExternalAccountKeyReference{
@ -707,7 +708,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
ProvisionerID: "aDifferentProvID", ProvisionerID: "aDifferentProvID",
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b, err := json.Marshal(dbeak) b, err := json.Marshal(dbeak)
@ -730,7 +731,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
dbref := &dbExternalAccountKeyReference{ dbref := &dbExternalAccountKeyReference{
@ -780,7 +781,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
dbref := &dbExternalAccountKeyReference{ dbref := &dbExternalAccountKeyReference{
@ -830,7 +831,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
dbref := &dbExternalAccountKeyReference{ dbref := &dbExternalAccountKeyReference{
@ -953,7 +954,7 @@ func TestDB_CreateExternalAccountKey(t *testing.T) {
assert.Equals(t, string(key), dbeak.ID) assert.Equals(t, string(key), dbeak.ID)
assert.Equals(t, eak.ProvisionerID, dbeak.ProvisionerID) assert.Equals(t, eak.ProvisionerID, dbeak.ProvisionerID)
assert.Equals(t, eak.Reference, dbeak.Reference) assert.Equals(t, eak.Reference, dbeak.Reference)
assert.Equals(t, 32, len(dbeak.KeyBytes)) assert.Equals(t, 32, len(dbeak.HmacKey))
assert.False(t, dbeak.CreatedAt.IsZero()) assert.False(t, dbeak.CreatedAt.IsZero())
assert.Equals(t, dbeak.AccountID, eak.AccountID) assert.Equals(t, dbeak.AccountID, eak.AccountID)
assert.True(t, dbeak.BoundAt.IsZero()) assert.True(t, dbeak.BoundAt.IsZero())
@ -1078,7 +1079,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b, err := json.Marshal(dbeak) b, err := json.Marshal(dbeak)
@ -1096,7 +1097,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
return test{ return test{
@ -1120,7 +1121,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
assert.Equals(t, dbNew.AccountID, dbeak.AccountID) assert.Equals(t, dbNew.AccountID, dbeak.AccountID)
assert.Equals(t, dbNew.CreatedAt, dbeak.CreatedAt) assert.Equals(t, dbNew.CreatedAt, dbeak.CreatedAt)
assert.Equals(t, dbNew.BoundAt, dbeak.BoundAt) assert.Equals(t, dbNew.BoundAt, dbeak.BoundAt)
assert.Equals(t, dbNew.KeyBytes, dbeak.KeyBytes) assert.Equals(t, dbNew.HmacKey, dbeak.HmacKey)
return nu, true, nil return nu, true, nil
}, },
}, },
@ -1148,7 +1149,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
ProvisionerID: "aDifferentProvID", ProvisionerID: "aDifferentProvID",
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b, err := json.Marshal(newDBEAK) b, err := json.Marshal(newDBEAK)
@ -1174,7 +1175,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b, err := json.Marshal(newDBEAK) b, err := json.Marshal(newDBEAK)
@ -1200,7 +1201,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
ProvisionerID: provID, ProvisionerID: provID,
Reference: ref, Reference: ref,
AccountID: "", AccountID: "",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: now, CreatedAt: now,
} }
b, err := json.Marshal(newDBEAK) b, err := json.Marshal(newDBEAK)
@ -1237,7 +1238,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
assert.Equals(t, dbeak.AccountID, tc.eak.AccountID) assert.Equals(t, dbeak.AccountID, tc.eak.AccountID)
assert.Equals(t, dbeak.CreatedAt, tc.eak.CreatedAt) assert.Equals(t, dbeak.CreatedAt, tc.eak.CreatedAt)
assert.Equals(t, dbeak.BoundAt, tc.eak.BoundAt) assert.Equals(t, dbeak.BoundAt, tc.eak.BoundAt)
assert.Equals(t, dbeak.KeyBytes, tc.eak.KeyBytes) assert.Equals(t, dbeak.HmacKey, tc.eak.HmacKey)
} }
}) })
} }


@ -90,7 +90,7 @@ func eakToLinked(k *acme.ExternalAccountKey) *linkedca.EABKey {
eak := &linkedca.EABKey{ eak := &linkedca.EABKey{
Id: k.ID, Id: k.ID,
HmacKey: k.KeyBytes, HmacKey: k.HmacKey,
Provisioner: k.ProvisionerID, Provisioner: k.ProvisionerID,
Reference: k.Reference, Reference: k.Reference,
Account: k.AccountID, Account: k.AccountID,
@ -124,7 +124,7 @@ func linkedEAKToCertificates(k *linkedca.EABKey) *acme.ExternalAccountKey {
ProvisionerID: k.Provisioner, ProvisionerID: k.Provisioner,
Reference: k.Reference, Reference: k.Reference,
AccountID: k.Account, AccountID: k.Account,
KeyBytes: k.HmacKey, HmacKey: k.HmacKey,
CreatedAt: k.CreatedAt.AsTime(), CreatedAt: k.CreatedAt.AsTime(),
BoundAt: k.BoundAt.AsTime(), BoundAt: k.BoundAt.AsTime(),
} }


@ -364,7 +364,7 @@ func Test_eakToLinked(t *testing.T) {
ProvisionerID: "provID", ProvisionerID: "provID",
Reference: "ref", Reference: "ref",
AccountID: "accID", AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour), CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC), BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: nil, Policy: nil,
@ -387,7 +387,7 @@ func Test_eakToLinked(t *testing.T) {
ProvisionerID: "provID", ProvisionerID: "provID",
Reference: "ref", Reference: "ref",
AccountID: "accID", AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour), CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC), BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: &acme.Policy{ Policy: &acme.Policy{
@ -463,7 +463,7 @@ func Test_linkedEAKToCertificates(t *testing.T) {
ProvisionerID: "provID", ProvisionerID: "provID",
Reference: "ref", Reference: "ref",
AccountID: "accID", AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour), CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC), BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: nil, Policy: nil,
@ -486,7 +486,7 @@ func Test_linkedEAKToCertificates(t *testing.T) {
ProvisionerID: "provID", ProvisionerID: "provID",
Reference: "ref", Reference: "ref",
AccountID: "accID", AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour), CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC), BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: &acme.Policy{}, Policy: &acme.Policy{},
@ -520,7 +520,7 @@ func Test_linkedEAKToCertificates(t *testing.T) {
ProvisionerID: "provID", ProvisionerID: "provID",
Reference: "ref", Reference: "ref",
AccountID: "accID", AccountID: "accID",
KeyBytes: []byte{1, 3, 3, 7}, HmacKey: []byte{1, 3, 3, 7},
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour), CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC), BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
Policy: &acme.Policy{ Policy: &acme.Policy{


@ -30,19 +30,25 @@ type policyAdminResponderInterface interface {
// PolicyAdminResponder is responsible for writing ACME admin responses // PolicyAdminResponder is responsible for writing ACME admin responses
type PolicyAdminResponder struct { type PolicyAdminResponder struct {
auth adminAuthority auth adminAuthority
adminDB admin.DB adminDB admin.DB
acmeDB acme.DB acmeDB acme.DB
deploymentType string isLinkedCA bool
} }
// NewACMEAdminResponder returns a new ACMEAdminResponder // NewACMEAdminResponder returns a new ACMEAdminResponder
func NewPolicyAdminResponder(auth adminAuthority, adminDB admin.DB, acmeDB acme.DB, deploymentType string) *PolicyAdminResponder { func NewPolicyAdminResponder(auth adminAuthority, adminDB admin.DB, acmeDB acme.DB) *PolicyAdminResponder {
var isLinkedCA bool
if a, ok := adminDB.(interface{ IsLinkedCA() bool }); ok {
isLinkedCA = a.IsLinkedCA()
}
return &PolicyAdminResponder{ return &PolicyAdminResponder{
auth: auth, auth: auth,
adminDB: adminDB, adminDB: adminDB,
acmeDB: acmeDB, acmeDB: acmeDB,
deploymentType: deploymentType, isLinkedCA: isLinkedCA,
} }
} }
@ -435,8 +441,8 @@ func (par *PolicyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
// blockLinkedCA blocks all API operations on linked deployments // blockLinkedCA blocks all API operations on linked deployments
func (par *PolicyAdminResponder) blockLinkedCA() error { func (par *PolicyAdminResponder) blockLinkedCA() error {
// temporary blocking linked deployments based on string comparison (preventing import cycle) // temporary blocking linked deployments
if par.deploymentType == "linked" { if par.isLinkedCA {
return admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") return admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
} }
return nil return nil
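Review bot: The doc comment above `func NewPolicyAdminResponder(auth adminAuthority, adminDB admin.DB, acmeDB acme.DB) *PolicyAdminResponder` still reads `// NewACMEAdminResponder returns a new ACMEAdminResponder`, which names neither the function nor the type it documents; `// NewPolicyAdminResponder returns a new PolicyAdminResponder. It records whether adminDB reports itself as a linked CA so that policy operations can be refused there.` would match the code. Detecting the linked deployment now depends on adminDB happening to satisfy `interface{ IsLinkedCA() bool }`: a nil adminDB or a linked implementation that lacks the method leaves isLinkedCA false and silently removes the block, which is the fail-open direction for a guard that exists to refuse unsupported operations. A compile-time satisfaction check on the linked DB type (not visible here), `var _ interface{ IsLinkedCA() bool } = (*<linked DB type>)(nil)` with the real type name, would turn a missing method into a build error. In blockLinkedCA the replacement comment would read better as `// temporarily block linked deployments`.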


@ -21,15 +21,22 @@ import (
"github.com/smallstep/certificates/authority/admin" "github.com/smallstep/certificates/authority/admin"
) )
type fakeLinkedCA struct {
admin.MockDB
}
func (f *fakeLinkedCA) IsLinkedCA() bool {
return true
}
func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) { func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
type test struct { type test struct {
auth adminAuthority auth adminAuthority
deploymentType string adminDB admin.DB
adminDB admin.DB ctx context.Context
ctx context.Context err *admin.Error
err *admin.Error policy *linkedca.Policy
policy *linkedca.Policy statusCode int
statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test { "fail/linkedca": func(t *testing.T) test {
@ -37,10 +44,10 @@ func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test { "fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
@ -97,11 +104,8 @@ func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
auth: tc.auth, par := NewPolicyAdminResponder(tc.auth, tc.adminDB, nil)
adminDB: tc.adminDB,
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("GET", "/foo", nil) req := httptest.NewRequest("GET", "/foo", nil)
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -139,15 +143,14 @@ func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) { func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
type test struct { type test struct {
auth adminAuthority auth adminAuthority
deploymentType string adminDB admin.DB
adminDB admin.DB body []byte
body []byte ctx context.Context
ctx context.Context acmeDB acme.DB
acmeDB acme.DB err *admin.Error
err *admin.Error policy *linkedca.Policy
policy *linkedca.Policy statusCode int
statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test { "fail/linkedca": func(t *testing.T) test {
@ -155,10 +158,10 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test { "fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
@ -343,12 +346,8 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
auth: tc.auth, par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
adminDB: tc.adminDB,
acmeDB: tc.acmeDB,
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body))) req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -395,15 +394,14 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) { func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
type test struct { type test struct {
auth adminAuthority auth adminAuthority
deploymentType string adminDB admin.DB
adminDB admin.DB body []byte
body []byte ctx context.Context
ctx context.Context acmeDB acme.DB
acmeDB acme.DB err *admin.Error
err *admin.Error policy *linkedca.Policy
policy *linkedca.Policy statusCode int
statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test { "fail/linkedca": func(t *testing.T) test {
@ -411,10 +409,10 @@ func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test { "fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
@ -606,12 +604,8 @@ func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
auth: tc.auth, par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
adminDB: tc.adminDB,
acmeDB: tc.acmeDB,
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body))) req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -658,14 +652,13 @@ func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) { func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
type test struct { type test struct {
auth adminAuthority auth adminAuthority
deploymentType string adminDB admin.DB
adminDB admin.DB body []byte
body []byte ctx context.Context
ctx context.Context acmeDB acme.DB
acmeDB acme.DB err *admin.Error
err *admin.Error statusCode int
statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
@ -674,10 +667,10 @@ func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test { "fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
@ -762,12 +755,8 @@ func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
auth: tc.auth, par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
adminDB: tc.adminDB,
acmeDB: tc.acmeDB,
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body))) req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -809,14 +798,13 @@ func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) { func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
type test struct { type test struct {
auth adminAuthority auth adminAuthority
deploymentType string adminDB admin.DB
adminDB admin.DB ctx context.Context
ctx context.Context acmeDB acme.DB
acmeDB acme.DB err *admin.Error
err *admin.Error policy *linkedca.Policy
policy *linkedca.Policy statusCode int
statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test { "fail/linkedca": func(t *testing.T) test {
@ -824,10 +812,10 @@ func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/prov-no-policy": func(t *testing.T) test { "fail/prov-no-policy": func(t *testing.T) test {
@ -863,12 +851,8 @@ func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
auth: tc.auth, par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
adminDB: tc.adminDB,
acmeDB: tc.acmeDB,
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("GET", "/foo", nil) req := httptest.NewRequest("GET", "/foo", nil)
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -906,13 +890,13 @@ func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) { func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
type test struct { type test struct {
auth adminAuthority auth adminAuthority
deploymentType string adminDB admin.DB
body []byte body []byte
ctx context.Context ctx context.Context
err *admin.Error err *admin.Error
policy *linkedca.Policy policy *linkedca.Policy
statusCode int statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test { "fail/linkedca": func(t *testing.T) test {
@ -920,10 +904,10 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/existing-policy": func(t *testing.T) test { "fail/existing-policy": func(t *testing.T) test {
@ -1067,10 +1051,8 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
auth: tc.auth, par := NewPolicyAdminResponder(tc.auth, tc.adminDB, nil)
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body))) req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -1117,13 +1099,13 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) { func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
type test struct { type test struct {
auth adminAuthority auth adminAuthority
deploymentType string body []byte
body []byte adminDB admin.DB
ctx context.Context ctx context.Context
err *admin.Error err *admin.Error
policy *linkedca.Policy policy *linkedca.Policy
statusCode int statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test { "fail/linkedca": func(t *testing.T) test {
@ -1131,10 +1113,10 @@ func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/no-existing-policy": func(t *testing.T) test { "fail/no-existing-policy": func(t *testing.T) test {
@ -1280,10 +1262,8 @@ func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
auth: tc.auth, par := NewPolicyAdminResponder(tc.auth, tc.adminDB, nil)
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body))) req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -1330,14 +1310,13 @@ func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) { func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
type test struct { type test struct {
auth adminAuthority auth adminAuthority
deploymentType string adminDB admin.DB
adminDB admin.DB body []byte
body []byte ctx context.Context
ctx context.Context acmeDB acme.DB
acmeDB acme.DB err *admin.Error
err *admin.Error statusCode int
statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
@ -1346,10 +1325,10 @@ func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/no-existing-policy": func(t *testing.T) test { "fail/no-existing-policy": func(t *testing.T) test {
@ -1404,12 +1383,8 @@ func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
auth: tc.auth, par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
adminDB: tc.adminDB,
acmeDB: tc.acmeDB,
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body))) req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -1451,12 +1426,12 @@ func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) { func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
type test struct { type test struct {
deploymentType string ctx context.Context
ctx context.Context acmeDB acme.DB
acmeDB acme.DB adminDB admin.DB
err *admin.Error err *admin.Error
policy *linkedca.Policy policy *linkedca.Policy
statusCode int statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test { "fail/linkedca": func(t *testing.T) test {
@ -1464,10 +1439,10 @@ func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/no-policy": func(t *testing.T) test { "fail/no-policy": func(t *testing.T) test {
@ -1514,10 +1489,8 @@ func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
acmeDB: tc.acmeDB, par := NewPolicyAdminResponder(nil, tc.adminDB, tc.acmeDB)
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("GET", "/foo", nil) req := httptest.NewRequest("GET", "/foo", nil)
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -1555,13 +1528,13 @@ func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) { func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
type test struct { type test struct {
deploymentType string acmeDB acme.DB
acmeDB acme.DB adminDB admin.DB
body []byte body []byte
ctx context.Context ctx context.Context
err *admin.Error err *admin.Error
policy *linkedca.Policy policy *linkedca.Policy
statusCode int statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test { "fail/linkedca": func(t *testing.T) test {
@ -1569,10 +1542,10 @@ func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/existing-policy": func(t *testing.T) test { "fail/existing-policy": func(t *testing.T) test {
@ -1691,10 +1664,8 @@ func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
acmeDB: tc.acmeDB, par := NewPolicyAdminResponder(nil, tc.adminDB, tc.acmeDB)
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body))) req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -1741,13 +1712,13 @@ func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) { func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
type test struct { type test struct {
deploymentType string acmeDB acme.DB
acmeDB acme.DB adminDB admin.DB
body []byte body []byte
ctx context.Context ctx context.Context
err *admin.Error err *admin.Error
policy *linkedca.Policy policy *linkedca.Policy
statusCode int statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
"fail/linkedca": func(t *testing.T) test { "fail/linkedca": func(t *testing.T) test {
@ -1755,10 +1726,10 @@ func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/no-existing-policy": func(t *testing.T) test { "fail/no-existing-policy": func(t *testing.T) test {
@ -1879,10 +1850,8 @@ func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
acmeDB: tc.acmeDB, par := NewPolicyAdminResponder(nil, tc.adminDB, tc.acmeDB)
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body))) req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
@ -1929,12 +1898,12 @@ func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) { func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
type test struct { type test struct {
deploymentType string body []byte
body []byte adminDB admin.DB
ctx context.Context ctx context.Context
acmeDB acme.DB acmeDB acme.DB
err *admin.Error err *admin.Error
statusCode int statusCode int
} }
var tests = map[string]func(t *testing.T) test{ var tests = map[string]func(t *testing.T) test{
@ -1943,10 +1912,10 @@ func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments") err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
err.Message = "policy operations not yet supported in linked deployments" err.Message = "policy operations not yet supported in linked deployments"
return test{ return test{
ctx: ctx, ctx: ctx,
deploymentType: "linked", adminDB: &fakeLinkedCA{},
err: err, err: err,
statusCode: 501, statusCode: 501,
} }
}, },
"fail/no-existing-policy": func(t *testing.T) test { "fail/no-existing-policy": func(t *testing.T) test {
@ -2033,10 +2002,8 @@ func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
for name, prep := range tests { for name, prep := range tests {
tc := prep(t) tc := prep(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
par := &PolicyAdminResponder{
acmeDB: tc.acmeDB, par := NewPolicyAdminResponder(nil, tc.adminDB, tc.acmeDB)
deploymentType: tc.deploymentType,
}
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body))) req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)


@ -122,6 +122,13 @@ func newLinkedCAClient(token string) (*linkedCaClient, error) {
}, nil }, nil
} }
// IsLinkedCA is a sentinel function that can be used to
// check if a linkedCaClient is the underlying type of an
// admin.DB interface.
func (c *linkedCaClient) IsLinkedCA() bool {
return true
}
func (c *linkedCaClient) Run() { func (c *linkedCaClient) Run() {
c.renewer.Run() c.renewer.Run()
} }
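Review bot: The doc comment on `IsLinkedCA` should say how callers are expected to find it, because the method is not part of `admin.DB` and can presumably only be reached by asserting the `admin.DB` value to an anonymous interface declaring `IsLinkedCA() bool` (the `fakeLinkedCA{}` used in the responder tests points that way). A method that only ever returns true is a marker, so spell that out, e.g. `// IsLinkedCA marks linkedCaClient as a Linked CA backend. It is not part of admin.DB; callers detect it by asserting the admin.DB value to an interface that declares IsLinkedCA() bool. It always returns true.` Since the policy endpoints answer 501 only when that assertion succeeds, any type that wraps or embeds `admin.DB` without forwarding this method would, if such a wrapper exists, be treated as a non-linked deployment.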


@ -15,8 +15,7 @@ import (
type policyErrorType int type policyErrorType int
const ( const (
_ policyErrorType = iota AdminLockOut policyErrorType = iota + 1
AdminLockOut
StoreFailure StoreFailure
ReloadFailure ReloadFailure
ConfigurationFailure ConfigurationFailure
@ -345,7 +344,7 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
} }
opts.X509.AllowWildcardLiteral = x509.AllowWildcardLiteral opts.X509.AllowWildcardLiteral = x509.AllowWildcardLiteral
opts.X509.DisableSubjectCommonNameVerification = x509.DisableSubjectCommonNameVerification opts.X509.DisableCommonNameVerification = x509.DisableSubjectCommonNameVerification
} }
// fill ssh policy configuration // fill ssh policy configuration
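Review bot: `AdminLockOut policyErrorType = iota + 1` at the top of the const block reserves the zero value of `policyErrorType` without saying why; a comment above the block such as `// zero is deliberately unused so an unset policyErrorType is never mistaken for a real failure` would record the intent. The const block begins in the hunk but its closing parenthesis lies outside it. In the second hunk, the assignment `opts.X509.DisableCommonNameVerification = x509.DisableSubjectCommonNameVerification` copies from a linkedca field that keeps the old name; a short comment noting that the name mismatch is intentional would save the next reader a search.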


@ -31,7 +31,7 @@ type X509PolicyOptionsInterface interface {
GetAllowedNameOptions() *X509NameOptions GetAllowedNameOptions() *X509NameOptions
GetDeniedNameOptions() *X509NameOptions GetDeniedNameOptions() *X509NameOptions
IsWildcardLiteralAllowed() bool IsWildcardLiteralAllowed() bool
ShouldVerifySubjectCommonName() bool ShouldVerifyCommonName() bool
} }
// X509PolicyOptions is a container for x509 allowed and denied // X509PolicyOptions is a container for x509 allowed and denied
@ -39,15 +39,19 @@ type X509PolicyOptionsInterface interface {
type X509PolicyOptions struct { type X509PolicyOptions struct {
// AllowedNames contains the x509 allowed names // AllowedNames contains the x509 allowed names
AllowedNames *X509NameOptions `json:"allow,omitempty"` AllowedNames *X509NameOptions `json:"allow,omitempty"`
// DeniedNames contains the x509 denied names // DeniedNames contains the x509 denied names
DeniedNames *X509NameOptions `json:"deny,omitempty"` DeniedNames *X509NameOptions `json:"deny,omitempty"`
// AllowWildcardLiteral indicates if literal wildcard names // AllowWildcardLiteral indicates if literal wildcard names
// such as *.example.com and @example.com are allowed. Defaults // such as *.example.com and @example.com are allowed. Defaults
// to false. // to false.
AllowWildcardLiteral bool `json:"allow_wildcard_literal,omitempty"` AllowWildcardLiteral bool `json:"allowWildcardLiteral,omitempty"`
// DisableSubjectCommonNameVerification indicates if the Subject Common Name
// is verified in addition to the SANs. Defaults to false. // DisableCommonNameVerification indicates if the Subject Common Name
DisableSubjectCommonNameVerification bool `json:"disable_subject_common_name_verification,omitempty"` // is verified in addition to the SANs. Defaults to false, resulting in
// Common Names being verified.
DisableCommonNameVerification bool `json:"disableCommonNameVerification,omitempty"`
} }
// X509NameOptions models the X509 name policy configuration. // X509NameOptions models the X509 name policy configuration.
@ -92,13 +96,13 @@ func (o *X509PolicyOptions) IsWildcardLiteralAllowed() bool {
return o.AllowWildcardLiteral return o.AllowWildcardLiteral
} }
// ShouldVerifySubjectCommonName returns whether the authority // ShouldVerifyCommonName returns whether the authority
// should verify the Subject Common Name in addition to the SANs. // should verify the Subject Common Name in addition to the SANs.
func (o *X509PolicyOptions) ShouldVerifySubjectCommonName() bool { func (o *X509PolicyOptions) ShouldVerifyCommonName() bool {
if o == nil { if o == nil {
return false return false
} }
return !o.DisableSubjectCommonNameVerification return !o.DisableCommonNameVerification
} }
// SSHPolicyOptionsInterface is an interface for providers of // SSHPolicyOptionsInterface is an interface for providers of
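Review bot: The JSON tags change from `allow_wildcard_literal` / `disable_subject_common_name_verification` to `allowWildcardLiteral` / `disableCommonNameVerification`, and nothing in the hunk migrates or rejects the old keys; encoding/json ignores unknown fields, so a policy document written with the old tags now decodes with both booleans false. That fails closed (wildcard literals denied, Common Name verified), but it is a silent behaviour change for existing configurations and belongs in the field comments, e.g. `// Renamed from "disable_subject_common_name_verification"; the old key is ignored.` Whether policies are actually persisted with these tags depends on code outside this hunk. Separately, `ShouldVerifyCommonName` returns false for a nil receiver while the field comment promises verification by default; the `return nil, nil` path in NewX509PolicyEngine suggests nil options never reach an engine, so the method's doc comment should state that nil means "no policy" rather than "do not verify".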


@ -63,21 +63,21 @@ func TestX509PolicyOptions_ShouldVerifySubjectCommonName(t *testing.T) {
{ {
name: "set-true", name: "set-true",
options: &X509PolicyOptions{ options: &X509PolicyOptions{
DisableSubjectCommonNameVerification: true, DisableCommonNameVerification: true,
}, },
want: false, want: false,
}, },
{ {
name: "set-false", name: "set-false",
options: &X509PolicyOptions{ options: &X509PolicyOptions{
DisableSubjectCommonNameVerification: false, DisableCommonNameVerification: false,
}, },
want: true, want: true,
}, },
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if got := tt.options.ShouldVerifySubjectCommonName(); got != tt.want { if got := tt.options.ShouldVerifyCommonName(); got != tt.want {
t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want) t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want)
} }
}) })
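Review bot: The failure message still names `ShouldVerifySubjectCommonName` although the call on the line above was renamed; change it to `t.Errorf("X509PolicyOptions.ShouldVerifyCommonName() = %v, want %v", got, tt.want)` and rename the test function to match. The same stale message appears in the provisioner options test, where it additionally says `X509PolicyOptions` for a method of `X509Options`. The enclosing test function continues outside the hunk.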


@ -50,7 +50,7 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,
return nil, nil return nil, nil
} }
if policyOptions.ShouldVerifySubjectCommonName() { if policyOptions.ShouldVerifyCommonName() {
options = append(options, policy.WithSubjectCommonNameVerification()) options = append(options, policy.WithSubjectCommonNameVerification())
} }


@ -227,8 +227,8 @@ func Test_policyToCertificates(t *testing.T) {
AllowedNames: &policy.X509NameOptions{ AllowedNames: &policy.X509NameOptions{
DNSDomains: []string{"*.local"}, DNSDomains: []string{"*.local"},
}, },
AllowWildcardLiteral: false, AllowWildcardLiteral: false,
DisableSubjectCommonNameVerification: false, DisableCommonNameVerification: false,
}, },
}, },
}, },
@ -290,8 +290,8 @@ func Test_policyToCertificates(t *testing.T) {
EmailAddresses: []string{"badhost.example.com"}, EmailAddresses: []string{"badhost.example.com"},
URIDomains: []string{"https://badhost.local"}, URIDomains: []string{"https://badhost.local"},
}, },
AllowWildcardLiteral: true, AllowWildcardLiteral: true,
DisableSubjectCommonNameVerification: false, DisableCommonNameVerification: false,
}, },
SSH: &policy.SSHPolicyOptions{ SSH: &policy.SSHPolicyOptions{
Host: &policy.SSHHostCertificateOptions{ Host: &policy.SSHHostCertificateOptions{
@ -364,8 +364,8 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
DeniedNames: &policy.X509NameOptions{ DeniedNames: &policy.X509NameOptions{
DNSDomains: []string{"badhost.local"}, DNSDomains: []string{"badhost.local"},
}, },
AllowWildcardLiteral: true, AllowWildcardLiteral: true,
DisableSubjectCommonNameVerification: false, DisableCommonNameVerification: false,
}) })
assert.NoError(t, err) assert.NoError(t, err)
@ -648,8 +648,8 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
DeniedNames: &policy.X509NameOptions{ DeniedNames: &policy.X509NameOptions{
DNSDomains: []string{"badhost.local"}, DNSDomains: []string{"badhost.local"},
}, },
AllowWildcardLiteral: true, AllowWildcardLiteral: true,
DisableSubjectCommonNameVerification: false, DisableCommonNameVerification: false,
}, },
}, },
}, },
@ -768,8 +768,8 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
DeniedNames: &policy.X509NameOptions{ DeniedNames: &policy.X509NameOptions{
DNSDomains: []string{"badhost.local"}, DNSDomains: []string{"badhost.local"},
}, },
AllowWildcardLiteral: true, AllowWildcardLiteral: true,
DisableSubjectCommonNameVerification: false, DisableCommonNameVerification: false,
}, },
SSH: &policy.SSHPolicyOptions{ SSH: &policy.SSHPolicyOptions{
Host: &policy.SSHHostCertificateOptions{ Host: &policy.SSHHostCertificateOptions{


@ -69,10 +69,12 @@ type X509Options struct {
// AllowWildcardLiteral indicates if literal wildcard names // AllowWildcardLiteral indicates if literal wildcard names
// such as *.example.com and @example.com are allowed. Defaults // such as *.example.com and @example.com are allowed. Defaults
// to false. // to false.
AllowWildcardLiteral *bool `json:"-"` AllowWildcardLiteral bool `json:"-"`
// VerifySubjectCommonName indicates if the Subject Common Name
// is verified in addition to the SANs. Defaults to true. // DisableCommonNameVerification indicates if the Subject Common Name
VerifySubjectCommonName *bool `json:"-"` // is verified in addition to the SANs. Defaults to false, resulting
// in Common Names to be verified.
DisableCommonNameVerification bool `json:"-"`
} }
// HasTemplate returns true if a template is defined in the provisioner options. // HasTemplate returns true if a template is defined in the provisioner options.
@ -102,17 +104,14 @@ func (o *X509Options) IsWildcardLiteralAllowed() bool {
if o == nil { if o == nil {
return true return true
} }
return o.AllowWildcardLiteral != nil && *o.AllowWildcardLiteral return o.AllowWildcardLiteral
} }
func (o *X509Options) ShouldVerifySubjectCommonName() bool { func (o *X509Options) ShouldVerifyCommonName() bool {
if o == nil { if o == nil {
return false return false
} }
if o.VerifySubjectCommonName == nil { return !o.DisableCommonNameVerification
return true
}
return *o.VerifySubjectCommonName
} }
// TemplateOptions generates a CertificateOptions with the template and data // TemplateOptions generates a CertificateOptions with the template and data
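Review bot: With `AllowWildcardLiteral` now a plain bool whose comment says it defaults to false, `IsWildcardLiteralAllowed` still returns true for a nil receiver, so a provisioner with no X509Options permits literal wildcard names while one with an empty X509Options denies them; `ShouldVerifyCommonName` takes the opposite nil default in the same hunk. The commit leaves those context lines untouched, but dropping the pointer-to-bool form makes the asymmetry more visible, and whether a nil receiver reaches these methods depends on callers outside the hunk. If nil is meant to mean "no policy configured", the two doc comments should say so; if the nil receiver is meant to follow the documented default, `return false` in `IsWildcardLiteralAllowed` would match it.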


@ -289,8 +289,6 @@ func Test_unsafeParseSigned(t *testing.T) {
} }
func TestX509Options_IsWildcardLiteralAllowed(t *testing.T) { func TestX509Options_IsWildcardLiteralAllowed(t *testing.T) {
trueValue := true
falseValue := false
tests := []struct { tests := []struct {
name string name string
options *X509Options options *X509Options
@ -301,24 +299,17 @@ func TestX509Options_IsWildcardLiteralAllowed(t *testing.T) {
options: nil, options: nil,
want: true, want: true,
}, },
{
name: "nil",
options: &X509Options{
AllowWildcardLiteral: nil,
},
want: false,
},
{ {
name: "set-true", name: "set-true",
options: &X509Options{ options: &X509Options{
AllowWildcardLiteral: &trueValue, AllowWildcardLiteral: true,
}, },
want: true, want: true,
}, },
{ {
name: "set-false", name: "set-false",
options: &X509Options{ options: &X509Options{
AllowWildcardLiteral: &falseValue, AllowWildcardLiteral: false,
}, },
want: false, want: false,
}, },
@ -333,8 +324,6 @@ func TestX509Options_IsWildcardLiteralAllowed(t *testing.T) {
} }
func TestX509Options_ShouldVerifySubjectCommonName(t *testing.T) { func TestX509Options_ShouldVerifySubjectCommonName(t *testing.T) {
trueValue := true
falseValue := false
tests := []struct { tests := []struct {
name string name string
options *X509Options options *X509Options
@ -345,31 +334,24 @@ func TestX509Options_ShouldVerifySubjectCommonName(t *testing.T) {
options: nil, options: nil,
want: false, want: false,
}, },
{
name: "nil",
options: &X509Options{
VerifySubjectCommonName: nil,
},
want: true,
},
{ {
name: "set-true", name: "set-true",
options: &X509Options{ options: &X509Options{
VerifySubjectCommonName: &trueValue, DisableCommonNameVerification: true,
}, },
want: true, want: false,
}, },
{ {
name: "set-false", name: "set-false",
options: &X509Options{ options: &X509Options{
VerifySubjectCommonName: &falseValue, DisableCommonNameVerification: false,
}, },
want: false, want: true,
}, },
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if got := tt.options.ShouldVerifySubjectCommonName(); got != tt.want { if got := tt.options.ShouldVerifyCommonName(); got != tt.want {
t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want) t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want)
} }
}) })
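Review bot: The failure message on the `t.Errorf` line still names the old method (`ShouldVerifySubjectCommonName`) while the call on the line above is now `ShouldVerifyCommonName`, and the test function itself is still `TestX509Options_ShouldVerifySubjectCommonName` in the hunk at `@ -333`; both should follow the rename, e.g. `t.Errorf("X509Options.ShouldVerifyCommonName() = %v, want %v", got, tt.want)`. The case names "set-true"/"set-false" now describe `DisableCommonNameVerification` rather than the expected result, so "set-true" expects `false`; naming them "disabled"/"enabled" would make the table read correctly. Note also what the table now pins: a nil `*X509Options` yields `false` (no CN verification) while a zero-value struct yields `true`, so the two "unset" forms have opposite defaults; if that asymmetry is intended, a one-line comment on the nil case saying so would stop a future reader from "fixing" it.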


@ -700,7 +700,7 @@ ZYtQ9Ot36qc=
AllowedNames: &policy.X509NameOptions{ AllowedNames: &policy.X509NameOptions{
DNSDomains: []string{"*.smallstep.com"}, DNSDomains: []string{"*.smallstep.com"},
}, },
DisableSubjectCommonNameVerification: true, // allows "smallstep test" DisableCommonNameVerification: true, // TODO(hs): allows "smallstep test"; do we want to keep it like this?
} }
engine, err := policy.NewX509PolicyEngine(policyOptions) engine, err := policy.NewX509PolicyEngine(policyOptions)
assert.FatalError(t, err) assert.FatalError(t, err)
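Review bot: The `TODO(hs)` on the `DisableCommonNameVerification: true` line leaves an open question inside a test that switches off a policy check; the comment should state why the test needs the check disabled rather than ask whether to keep it. From the fixture it appears (inferred) that the subject "smallstep test" is not a DNS name matching `*.smallstep.com`, so a comment such as `// CN "smallstep test" is not a DNS name; disable CN verification so only the SANs are evaluated` would document the intent. If the design question is genuinely open, track it in an issue rather than in the test body.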


@ -219,7 +219,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
adminDB := auth.GetAdminDatabase() adminDB := auth.GetAdminDatabase()
if adminDB != nil { if adminDB != nil {
acmeAdminResponder := adminAPI.NewACMEAdminResponder() acmeAdminResponder := adminAPI.NewACMEAdminResponder()
policyAdminResponder := adminAPI.NewPolicyAdminResponder(auth, adminDB, acmeDB, cfg.AuthorityConfig.DeploymentType) policyAdminResponder := adminAPI.NewPolicyAdminResponder(auth, adminDB, acmeDB)
adminHandler := adminAPI.NewHandler(auth, adminDB, acmeDB, acmeAdminResponder, policyAdminResponder) adminHandler := adminAPI.NewHandler(auth, adminDB, acmeDB, acmeAdminResponder, policyAdminResponder)
mux.Route("/admin", func(r chi.Router) { mux.Route("/admin", func(r chi.Router) {
adminHandler.Route(r) adminHandler.Route(r)