Fix ACME order tests with mock ACME CA

acme/api/order_test.go

@@ -667,6 +667,7 @@ func TestHandler_NewOrder(t *testing.T) {
 		baseURL.String(), escProvName)
 
 	type test struct {
+		ca         acme.CertificateAuthority
 		db         acme.DB
 		ctx        context.Context
 		nor        *NewOrderRequest
@@ -771,6 +772,7 @@ func TestHandler_NewOrder(t *testing.T) {
 			return test{
 				ctx:        ctx,
 				statusCode: 500,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						assert.Equals(t, ch.AccountID, "accID")
@@ -804,6 +806,7 @@ func TestHandler_NewOrder(t *testing.T) {
 			return test{
 				ctx:        ctx,
 				statusCode: 500,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@@ -876,6 +879,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch chCount {
@@ -991,6 +995,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@@ -1083,6 +1088,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@@ -1174,6 +1180,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@@ -1266,6 +1273,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@@ -1334,7 +1342,7 @@ func TestHandler_NewOrder(t *testing.T) {
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
-			h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db}
+			h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db, ca: tc.ca}
 			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()

authority/admin/api/acme.go

@@ -6,15 +6,12 @@ import (
 	"net/http"
 
 	"github.com/go-chi/chi"
+
+	"go.step.sm/linkedca"
+
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"go.step.sm/linkedca"
-)
-
-const (
-	// provisionerContextKey provisioner key
-	provisionerContextKey = admin.ContextKey("provisioner")
 )
 
 // CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
@@ -51,7 +48,7 @@ func (h *Handler) requireEABEnabled(next nextHTTP) nextHTTP {
 			api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName()))
 			return
 		}
-		ctx = context.WithValue(ctx, provisionerContextKey, prov)
+		ctx = linkedca.NewContextWithProvisioner(ctx, prov)
 		next(w, r.WithContext(ctx))
 	}
 }

authority/admin/api/middleware.go

@@ -42,7 +42,7 @@ func (h *Handler) extractAuthorizeTokenAdmin(next nextHTTP) nextHTTP {
 			return
 		}
 
-		ctx := linkedca.WithAdmin(r.Context(), adm)
+		ctx := linkedca.NewContextWithAdmin(r.Context(), adm)
 		next(w, r.WithContext(ctx))
 	}
 }
@@ -57,8 +57,8 @@ func (h *Handler) checkAction(next nextHTTP, supportedInStandalone bool) nextHTT
 			return
 		}
 
-		// when not in standalone mode and using a nosql.DB backend,
-		// actions are not supported
+		// when an action is not supported in standalone mode and when
+		// using a nosql.DB backend, actions are not supported
 		if _, ok := h.adminDB.(*nosql.DB); ok {
 			api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,
 				"operation not supported in standalone mode"))

authority/admin/context.go

@@ -1,10 +0,0 @@
-package admin
-
-// ContextKey is the key type for storing and searching for
-// Admin API objects in request contexts.
-type ContextKey string
-
-const (
-	// AdminContextKey account key
-	AdminContextKey = ContextKey("admin")
-)

authority/provisioner/scep.go

@@ -34,9 +34,9 @@ type SCEP struct {
 	Options                       *Options `json:"options,omitempty"`
 	Claims                        *Claims  `json:"claims,omitempty"`
 	ctl                           *Controller
-	x509Policy                    policy.X509Policy
 	secretChallengePassword       string
 	encryptionAlgorithm           int
+	x509Policy                    policy.X509Policy
 }
 
 // GetID returns the provisioner unique identifier.

authority/tls.go

@@ -231,10 +231,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 }
 
 // isAllowedToSign checks if the Authority is allowed to sign the X.509 certificate.
-// It first checks if the certificate contains an admin subject that exists in the
-// collection of admins. The CA is always allowed to sign those. If the cert contains
-// different names and a policy is configured, the policy will be executed against
-// the cert to see if the CA is allowed to sign it.
 func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {
 
 	// if no policy is configured, the cert is implicitly allowed