Fix ACME order tests with mock ACME CA

This commit is contained in:
Herman Slatman 2022-03-24 18:34:04 +01:00
parent cf34b32e61
commit b49307f326
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
6 changed files with 17 additions and 26 deletions


@ -667,6 +667,7 @@ func TestHandler_NewOrder(t *testing.T) {
baseURL.String(), escProvName) baseURL.String(), escProvName)
type test struct { type test struct {
ca acme.CertificateAuthority
db acme.DB db acme.DB
ctx context.Context ctx context.Context
nor *NewOrderRequest nor *NewOrderRequest
@ -771,6 +772,7 @@ func TestHandler_NewOrder(t *testing.T) {
return test{ return test{
ctx: ctx, ctx: ctx,
statusCode: 500, statusCode: 500,
ca: &mockCA{},
db: &acme.MockDB{ db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
assert.Equals(t, ch.AccountID, "accID") assert.Equals(t, ch.AccountID, "accID")
@ -804,6 +806,7 @@ func TestHandler_NewOrder(t *testing.T) {
return test{ return test{
ctx: ctx, ctx: ctx,
statusCode: 500, statusCode: 500,
ca: &mockCA{},
db: &acme.MockDB{ db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
switch count { switch count {
@ -876,6 +879,7 @@ func TestHandler_NewOrder(t *testing.T) {
ctx: ctx, ctx: ctx,
statusCode: 201, statusCode: 201,
nor: nor, nor: nor,
ca: &mockCA{},
db: &acme.MockDB{ db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
switch chCount { switch chCount {
@ -991,6 +995,7 @@ func TestHandler_NewOrder(t *testing.T) {
ctx: ctx, ctx: ctx,
statusCode: 201, statusCode: 201,
nor: nor, nor: nor,
ca: &mockCA{},
db: &acme.MockDB{ db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
switch count { switch count {
@ -1083,6 +1088,7 @@ func TestHandler_NewOrder(t *testing.T) {
ctx: ctx, ctx: ctx,
statusCode: 201, statusCode: 201,
nor: nor, nor: nor,
ca: &mockCA{},
db: &acme.MockDB{ db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
switch count { switch count {
@ -1174,6 +1180,7 @@ func TestHandler_NewOrder(t *testing.T) {
ctx: ctx, ctx: ctx,
statusCode: 201, statusCode: 201,
nor: nor, nor: nor,
ca: &mockCA{},
db: &acme.MockDB{ db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
switch count { switch count {
@ -1266,6 +1273,7 @@ func TestHandler_NewOrder(t *testing.T) {
ctx: ctx, ctx: ctx,
statusCode: 201, statusCode: 201,
nor: nor, nor: nor,
ca: &mockCA{},
db: &acme.MockDB{ db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
switch count { switch count {
@ -1334,7 +1342,7 @@ func TestHandler_NewOrder(t *testing.T) {
for name, run := range tests { for name, run := range tests {
tc := run(t) tc := run(t)
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db} h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db, ca: tc.ca}
req := httptest.NewRequest("GET", u, nil) req := httptest.NewRequest("GET", u, nil)
req = req.WithContext(tc.ctx) req = req.WithContext(tc.ctx)
w := httptest.NewRecorder() w := httptest.NewRecorder()
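Review bot: Every visible test case now hands the handler a bare `&mockCA{}`, but none of them configures or asserts on it, so the table no longer says whether NewOrder is expected to consult the CA at all; if `mockCA` follows the function-field pattern used by `acme.MockDB` in the same hunks, a zero value would panic on any CA call, which may be an intentional "must not reach the CA" guard. If so, make that explicit at the first `ca: &mockCA{},` with `// zero-value mockCA: NewOrder must not call into the CA`. Whether every case in the table sets `ca` is not visible from these hunks; a case that leaves it nil would pass a nil interface into `Handler` and fail the same way. TestHandler_NewOrder starts before the first hunk.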


@ -6,15 +6,12 @@ import (
"net/http" "net/http"
"github.com/go-chi/chi" "github.com/go-chi/chi"
"go.step.sm/linkedca"
"github.com/smallstep/certificates/api" "github.com/smallstep/certificates/api"
"github.com/smallstep/certificates/authority/admin" "github.com/smallstep/certificates/authority/admin"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
"go.step.sm/linkedca"
)
const (
// provisionerContextKey provisioner key
provisionerContextKey = admin.ContextKey("provisioner")
) )
// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests // CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
@ -51,7 +48,7 @@ func (h *Handler) requireEABEnabled(next nextHTTP) nextHTTP {
api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName())) api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName()))
return return
} }
ctx = context.WithValue(ctx, provisionerContextKey, prov) ctx = linkedca.NewContextWithProvisioner(ctx, prov)
next(w, r.WithContext(ctx)) next(w, r.WithContext(ctx))
} }
} }
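Review bot: The provisioner is now stored under a context key owned by `go.step.sm/linkedca` rather than the package-private `provisionerContextKey` this hunk deletes, so the key is no longer something only this package can write; requireEABEnabled (its signature is above the hunk) should document the guarantee downstream handlers are relying on, e.g. `// Handlers behind this middleware read the provisioner from the linkedca context; it is only set after the EAB-enabled check has passed.` Any other reader of the deleted constant will fail to compile rather than silently read nil, but that is inferred from the deletion here, not visible in this hunk.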


@ -42,7 +42,7 @@ func (h *Handler) extractAuthorizeTokenAdmin(next nextHTTP) nextHTTP {
return return
} }
ctx := linkedca.WithAdmin(r.Context(), adm) ctx := linkedca.NewContextWithAdmin(r.Context(), adm)
next(w, r.WithContext(ctx)) next(w, r.WithContext(ctx))
} }
} }
@ -57,8 +57,8 @@ func (h *Handler) checkAction(next nextHTTP, supportedInStandalone bool) nextHTT
return return
} }
// when not in standalone mode and using a nosql.DB backend, // when an action is not supported in standalone mode and when
// actions are not supported // using a nosql.DB backend, actions are not supported
if _, ok := h.adminDB.(*nosql.DB); ok { if _, ok := h.adminDB.(*nosql.DB); ok {
api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType, api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,
"operation not supported in standalone mode")) "operation not supported in standalone mode"))
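Review bot: The reworded comment in checkAction says "when an action is not supported in standalone mode and when using a nosql.DB backend", but the condition beneath it only type-asserts `h.adminDB` against `*nosql.DB`; the supportedInStandalone test is presumably the early return just above the hunk, which is not visible here. Make the comment match the line it annotates: `// a nosql.DB admin backend means standalone mode, which cannot serve this action`. The error string `operation not supported in standalone mode` already reads that way. checkAction continues outside the hunk.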


@ -1,10 +0,0 @@
package admin
// ContextKey is the key type for storing and searching for
// Admin API objects in request contexts.
type ContextKey string
const (
// AdminContextKey account key
AdminContextKey = ContextKey("admin")
)


@ -34,9 +34,9 @@ type SCEP struct {
Options *Options `json:"options,omitempty"` Options *Options `json:"options,omitempty"`
Claims *Claims `json:"claims,omitempty"` Claims *Claims `json:"claims,omitempty"`
ctl *Controller ctl *Controller
x509Policy policy.X509Policy
secretChallengePassword string secretChallengePassword string
encryptionAlgorithm int encryptionAlgorithm int
x509Policy policy.X509Policy
} }
// GetID returns the provisioner unique identifier. // GetID returns the provisioner unique identifier.


@ -231,10 +231,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
} }
// isAllowedToSign checks if the Authority is allowed to sign the X.509 certificate. // isAllowedToSign checks if the Authority is allowed to sign the X.509 certificate.
// It first checks if the certificate contains an admin subject that exists in the
// collection of admins. The CA is always allowed to sign those. If the cert contains
// different names and a policy is configured, the policy will be executed against
// the cert to see if the CA is allowed to sign it.
func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) { func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {
// if no policy is configured, the cert is implicitly allowed // if no policy is configured, the cert is implicitly allowed