forked from TrueCloudLab/certificates
Disallow creation of EAB keys with non-unique references
This commit is contained in:
Herman Slatman
parent
9c0020352b
commit
746c5c9fd9
2 changed files with 20 additions and 4 deletions
|
|
@ -282,6 +282,9 @@ func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerName string
|
||||||
|
|
||||||
// GetExternalAccountKeyByReference retrieves an External Account Binding key with unique reference
|
// GetExternalAccountKeyByReference retrieves an External Account Binding key with unique reference
|
||||||
func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerName string, reference string) (*acme.ExternalAccountKey, error) {
|
func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerName string, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
|
if reference == "" {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
k, err := db.db.Get(externalAccountKeysByReferenceTable, []byte(reference))
|
k, err := db.db.Get(externalAccountKeysByReferenceTable, []byte(reference))
|
||||||
if nosql.IsErrNotFound(err) {
|
if nosql.IsErrNotFound(err) {
|
||||||
return nil, errors.Errorf("ACME EAB key for reference %s not found", reference)
|
return nil, errors.Errorf("ACME EAB key for reference %s not found", reference)
|
||||||
|
|
|
||||||
|
|
@ -78,20 +78,33 @@ func (h *Handler) CreateExternalAccountKey(w http.ResponseWriter, r *http.Reques
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
eabEnabled, err := h.provisionerHasEABEnabled(r.Context(), body.Provisioner)
|
provisioner := body.Provisioner
|
||||||
|
reference := body.Reference
|
||||||
|
|
||||||
|
eabEnabled, err := h.provisionerHasEABEnabled(r.Context(), provisioner)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
api.WriteError(w, err)
|
api.WriteError(w, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !eabEnabled {
|
if !eabEnabled {
|
||||||
api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", body.Provisioner))
|
api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", provisioner))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
eak, err := h.acmeDB.CreateExternalAccountKey(r.Context(), body.Provisioner, body.Reference)
|
if reference != "" {
|
||||||
|
k, err := h.acmeDB.GetExternalAccountKeyByReference(r.Context(), provisioner, reference)
|
||||||
|
if err == nil || k != nil {
|
||||||
|
err := admin.NewError(admin.ErrorBadRequestType, "an ACME EAB key for provisioner %s with reference %s already exists", provisioner, reference)
|
||||||
|
err.Status = 409
|
||||||
|
api.WriteError(w, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
eak, err := h.acmeDB.CreateExternalAccountKey(r.Context(), provisioner, reference)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
api.WriteError(w, admin.WrapErrorISE(err, "error creating external account key %s for provisioner %s", body.Reference, body.Provisioner))
|
api.WriteError(w, admin.WrapErrorISE(err, "error creating ACME EAB key for provisioner %s and reference %s", provisioner, reference))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue