alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Fix linting issues

Browse source
This commit is contained in:
Herman Slatman 2022-03-24 13:10:49 +01:00
parent dc23fd23bf
commit 613c99f00f
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
11 changed files with 37 additions and 122 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
api/utils.go
View file

@ -83,13 +83,13 @@ func ReadProtoJSONWithCheck(w http.ResponseWriter, r io.Reader, m proto.Message)
Status: http.StatusBadRequest, Status: http.StatusBadRequest,
Message: err.Error(), Message: err.Error(),
} }
data, err := json.Marshal(wrapper) // TODO(hs): handle err; even though it's very unlikely to fail errData, err := json.Marshal(wrapper)
if err != nil { if err != nil {
panic(err) panic(err)
} }
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
w.Write(data) w.Write(errData)
return false return false
} }
if err := protojson.Unmarshal(data, m); err != nil { if err := protojson.Unmarshal(data, m); err != nil {
@ -99,13 +99,13 @@ func ReadProtoJSONWithCheck(w http.ResponseWriter, r io.Reader, m proto.Message)
}{ }{
Message: err.Error(), Message: err.Error(),
} }
data, err := json.Marshal(wrapper) // TODO(hs): handle err; even though it's very unlikely to fail errData, err := json.Marshal(wrapper)
if err != nil { if err != nil {
panic(err) panic(err)
} }
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
w.Write(data) w.Write(errData)
return false return false
} }

4
authority/admin/api/admin_test.go
View file

@ -141,11 +141,11 @@ func (m *mockAdminAuthority) GetAuthorityPolicy(ctx context.Context) (*linkedca.
return nil, errors.New("not implemented yet") return nil, errors.New("not implemented yet")
} }
func (m *mockAdminAuthority) CreateAuthorityPolicy(ctx context.Context, admin *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) { func (m *mockAdminAuthority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return nil, errors.New("not implemented yet") return nil, errors.New("not implemented yet")
} }
func (m *mockAdminAuthority) UpdateAuthorityPolicy(ctx context.Context, admin *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) { func (m *mockAdminAuthority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
return nil, errors.New("not implemented yet") return nil, errors.New("not implemented yet")
} }

11
authority/admin/api/middleware.go
View file

@ -1,7 +1,6 @@
package api package api
import ( import (
"context"
"net/http" "net/http"
"go.step.sm/linkedca" "go.step.sm/linkedca"
@ -70,13 +69,3 @@ func (h *Handler) checkAction(next nextHTTP, supportedInStandalone bool) nextHTT
next(w, r) next(w, r)
} }
} }
// adminFromContext searches the context for a *linkedca.Admin.
// Returns the admin or an error.
func adminFromContext(ctx context.Context) (*linkedca.Admin, error) {
val, ok := ctx.Value(admin.AdminContextKey).(*linkedca.Admin)
if !ok || val == nil {
return nil, admin.NewError(admin.ErrorBadRequestType, "admin not in context")
}
return val, nil
}

7
authority/admin/api/middleware_test.go
View file

@ -169,12 +169,7 @@ func TestHandler_extractAuthorizeTokenAdmin(t *testing.T) {
} }
next := func(w http.ResponseWriter, r *http.Request) { next := func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context() ctx := r.Context()
a := ctx.Value(admin.AdminContextKey) // verifying that the context now has a linkedca.Admin adm := linkedca.AdminFromContext(ctx) // verifying that the context now has a linkedca.Admin
adm, ok := a.(*linkedca.Admin)
if !ok {
t.Errorf("expected *linkedca.Admin; got %T", a)
return
}
opts := []cmp.Option{cmpopts.IgnoreUnexported(linkedca.Admin{}, timestamppb.Timestamp{})} opts := []cmp.Option{cmpopts.IgnoreUnexported(linkedca.Admin{}, timestamppb.Timestamp{})}
if !cmp.Equal(adm, adm, opts...) { if !cmp.Equal(adm, adm, opts...) {
t.Errorf("linkedca.Admin diff =\n%s", cmp.Diff(adm, adm, opts...)) t.Errorf("linkedca.Admin diff =\n%s", cmp.Diff(adm, adm, opts...))

10
authority/admin/api/policy.go
View file

@ -8,6 +8,7 @@ import (
"go.step.sm/linkedca" "go.step.sm/linkedca"
"github.com/smallstep/certificates/api" "github.com/smallstep/certificates/api"
"github.com/smallstep/certificates/api/read"
"github.com/smallstep/certificates/authority/admin" "github.com/smallstep/certificates/authority/admin"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
) )
@ -121,7 +122,7 @@ func (par *PolicyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
} }
var newPolicy = new(linkedca.Policy) var newPolicy = new(linkedca.Policy)
if err := api.ReadProtoJSON(r.Body, newPolicy); err != nil { if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
api.WriteError(w, err) api.WriteError(w, err)
return return
} }
@ -220,7 +221,7 @@ func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
} }
var newPolicy = new(linkedca.Policy) var newPolicy = new(linkedca.Policy)
if err := api.ReadProtoJSON(r.Body, newPolicy); err != nil { if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
api.WriteError(w, err) api.WriteError(w, err)
return return
} }
@ -256,7 +257,7 @@ func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
} }
var policy = new(linkedca.Policy) var policy = new(linkedca.Policy)
if err := api.ReadProtoJSON(r.Body, policy); err != nil { if err := read.ProtoJSON(r.Body, policy); err != nil {
api.WriteError(w, err) api.WriteError(w, err)
return return
} }
@ -271,7 +272,7 @@ func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
api.ProtoJSONStatus(w, policy, http.StatusOK) api.ProtoJSONStatus(w, policy, http.StatusOK)
} }
// DeleteProvisionerPolicy ... // DeleteProvisionerPolicy handles the DELETE /admin/provisioners/{name}/policy request
func (par *PolicyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request) { func (par *PolicyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request) {
ctx := r.Context() ctx := r.Context()
@ -308,7 +309,6 @@ func (par *PolicyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter,
api.JSON(w, &DeleteResponse{Status: "ok"}) api.JSON(w, &DeleteResponse{Status: "ok"})
} }
// GetACMEAccountPolicy ...
func (par *PolicyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request) { func (par *PolicyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
api.JSON(w, "ok") api.JSON(w, "ok")
} }

14
authority/admin/db/nosql/policy.go
View file

@ -63,13 +63,13 @@ func (db *DB) getDBAuthorityPolicy(ctx context.Context, authorityID string) (*db
return dbap, nil return dbap, nil
} }
func (db *DB) unmarshalAuthorityPolicy(data []byte, authorityID string) (*linkedca.Policy, error) { // func (db *DB) unmarshalAuthorityPolicy(data []byte, authorityID string) (*linkedca.Policy, error) {
dbap, err := db.unmarshalDBAuthorityPolicy(data, authorityID) // dbap, err := db.unmarshalDBAuthorityPolicy(data, authorityID)
if err != nil { // if err != nil {
return nil, err // return nil, err
} // }
return dbap.convert(), nil // return dbap.convert(), nil
} // }
func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error { func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {

25
authority/policy.go
View file

@ -17,23 +17,23 @@ func (a *Authority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, e
a.adminMutex.Lock() a.adminMutex.Lock()
defer a.adminMutex.Unlock() defer a.adminMutex.Unlock()
policy, err := a.adminDB.GetAuthorityPolicy(ctx) p, err := a.adminDB.GetAuthorityPolicy(ctx)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return policy, nil return p, nil
} }
func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) { func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, p *linkedca.Policy) (*linkedca.Policy, error) {
a.adminMutex.Lock() a.adminMutex.Lock()
defer a.adminMutex.Unlock() defer a.adminMutex.Unlock()
if err := a.checkPolicy(ctx, adm, policy); err != nil { if err := a.checkPolicy(ctx, adm, p); err != nil {
return nil, err return nil, err
} }
if err := a.adminDB.CreateAuthorityPolicy(ctx, policy); err != nil { if err := a.adminDB.CreateAuthorityPolicy(ctx, p); err != nil {
return nil, err return nil, err
} }
@ -41,18 +41,18 @@ func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Adm
return nil, admin.WrapErrorISE(err, "error reloading policy engines when creating authority policy") return nil, admin.WrapErrorISE(err, "error reloading policy engines when creating authority policy")
} }
return policy, nil // TODO: return the newly stored policy return p, nil // TODO: return the newly stored policy
} }
func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) { func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, p *linkedca.Policy) (*linkedca.Policy, error) {
a.adminMutex.Lock() a.adminMutex.Lock()
defer a.adminMutex.Unlock() defer a.adminMutex.Unlock()
if err := a.checkPolicy(ctx, adm, policy); err != nil { if err := a.checkPolicy(ctx, adm, p); err != nil {
return nil, err return nil, err
} }
if err := a.adminDB.UpdateAuthorityPolicy(ctx, policy); err != nil { if err := a.adminDB.UpdateAuthorityPolicy(ctx, p); err != nil {
return nil, err return nil, err
} }
@ -60,7 +60,7 @@ func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Adm
return nil, admin.WrapErrorISE(err, "error reloading policy engines when updating authority policy") return nil, admin.WrapErrorISE(err, "error reloading policy engines when updating authority policy")
} }
return policy, nil // TODO: return the updated stored policy return p, nil // TODO: return the updated stored policy
} }
func (a *Authority) RemoveAuthorityPolicy(ctx context.Context) error { func (a *Authority) RemoveAuthorityPolicy(ctx context.Context) error {
@ -111,11 +111,10 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
) )
if allowed, err = engine.AreSANsAllowed(sans); err != nil { if allowed, err = engine.AreSANsAllowed(sans); err != nil {
var policyErr *policy.NamePolicyError var policyErr *policy.NamePolicyError
if errors.As(err, &policyErr); policyErr.Reason == policy.NotAuthorizedForThisName { if isPolicyErr := errors.As(err, &policyErr); isPolicyErr && policyErr.Reason == policy.NotAuthorizedForThisName {
return fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans) return fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans)
} else {
return err
} }
return err
} }
if !allowed { if !allowed {

5
authority/provisioner/aws.go
View file

@ -266,7 +266,6 @@ type AWS struct {
Claims *Claims `json:"claims,omitempty"` Claims *Claims `json:"claims,omitempty"`
Options *Options `json:"options,omitempty"` Options *Options `json:"options,omitempty"`
config *awsConfig config *awsConfig
audiences Audiences
ctl *Controller ctl *Controller
x509Policy policy.X509Policy x509Policy policy.X509Policy
sshHostPolicy policy.HostPolicy sshHostPolicy policy.HostPolicy
@ -557,7 +556,7 @@ func (p *AWS) readURL(url string) ([]byte, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
return nil, fmt.Errorf("Request for metadata returned non-successful status code %d", return nil, fmt.Errorf("request for metadata returned non-successful status code %d",
resp.StatusCode) resp.StatusCode)
} }
@ -590,7 +589,7 @@ func (p *AWS) readURLv2(url string) (*http.Response, error) {
} }
defer resp.Body.Close() defer resp.Body.Close()
if resp.StatusCode >= 400 { if resp.StatusCode >= 400 {
return nil, fmt.Errorf("Request for API token returned non-successful status code %d", resp.StatusCode) return nil, fmt.Errorf("request for API token returned non-successful status code %d", resp.StatusCode)
} }
token, err := io.ReadAll(resp.Body) token, err := io.ReadAll(resp.Body)
if err != nil { if err != nil {

9
authority/provisioner/sign_options.go
View file

@ -6,7 +6,6 @@ import (
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/asn1"
"encoding/json" "encoding/json"
"net" "net"
"net/http" "net/http"
@ -427,10 +426,10 @@ func (v *x509NamePolicyValidator) Valid(cert *x509.Certificate, _ SignOptions) e
return err return err
} }
var ( // var (
stepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64} // stepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64}
stepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(stepOIDRoot, 1)...) // stepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(stepOIDRoot, 1)...)
) // )
// type stepProvisionerASN1 struct { // type stepProvisionerASN1 struct {
// Type int // Type int

40
authority/tls.go
View file

@ -237,14 +237,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
// the cert to see if the CA is allowed to sign it. // the cert to see if the CA is allowed to sign it.
func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) { func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {
// // check if certificate is an admin identity token certificate and the admin subject exists
// b := isAdminIdentityTokenCertificate(cert)
// _ = b
// if isAdminIdentityTokenCertificate(cert) && a.admins.HasSubject(cert.Subject.CommonName) {
// return true, nil
// }
// if no policy is configured, the cert is implicitly allowed // if no policy is configured, the cert is implicitly allowed
if a.x509Policy == nil { if a.x509Policy == nil {
return true, nil return true, nil
@ -253,38 +245,6 @@ func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {
return a.x509Policy.AreCertificateNamesAllowed(cert) return a.x509Policy.AreCertificateNamesAllowed(cert)
} }
func isAdminIdentityTokenCertificate(cert *x509.Certificate) bool {
// TODO: remove this check
if cert.Issuer.CommonName != "" {
return false
}
subject := cert.Subject.CommonName
if subject == "" {
return false
}
dnsNames := cert.DNSNames
if len(dnsNames) != 1 {
return false
}
if dnsNames[0] != subject {
return false
}
extras := cert.ExtraExtensions
if len(extras) != 1 {
return false
}
extra := extras[0]
return extra.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1})
}
// Renew creates a new Certificate identical to the old certificate, except // Renew creates a new Certificate identical to the old certificate, except
// with a validity window that begins 'now'. // with a validity window that begins 'now'.
func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error) { func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error) {

26
policy/engine.go
View file

@ -4,9 +4,7 @@ import (
"bytes" "bytes"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"errors"
"fmt" "fmt"
"io"
"net" "net"
"net/url" "net/url"
"reflect" "reflect"
@ -42,30 +40,6 @@ type NamePolicyError struct {
Detail string Detail string
} }
type NameError struct {
error
Reason NamePolicyReason
}
func a() {
err := io.EOF
var ne *NameError
errors.As(err, ne)
errors.Is(err, ne)
}
func newPolicyError(reason NamePolicyReason, err error) error {
return &NameError{
error: err,
Reason: reason,
}
}
func newPolicyErrorf(reason NamePolicyReason, format string, args ...interface{}) error {
err := fmt.Errorf(format, args...)
return newPolicyError(reason, err)
}
func (e *NamePolicyError) Error() string { func (e *NamePolicyError) Error() string {
switch e.Reason { switch e.Reason {
case NotAuthorizedForThisName: case NotAuthorizedForThisName: