forked from TrueCloudLab/certificates
Fix ACME order tests with mock ACME CA
This commit is contained in:
parent
cf34b32e61
commit
b49307f326
6 changed files with 17 additions and 26 deletions
|
@ -667,6 +667,7 @@ func TestHandler_NewOrder(t *testing.T) {
|
||||||
baseURL.String(), escProvName)
|
baseURL.String(), escProvName)
|
||||||
|
|
||||||
type test struct {
|
type test struct {
|
||||||
|
ca acme.CertificateAuthority
|
||||||
db acme.DB
|
db acme.DB
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
nor *NewOrderRequest
|
nor *NewOrderRequest
|
||||||
|
@ -771,6 +772,7 @@ func TestHandler_NewOrder(t *testing.T) {
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
statusCode: 500,
|
statusCode: 500,
|
||||||
|
ca: &mockCA{},
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
||||||
assert.Equals(t, ch.AccountID, "accID")
|
assert.Equals(t, ch.AccountID, "accID")
|
||||||
|
@ -804,6 +806,7 @@ func TestHandler_NewOrder(t *testing.T) {
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
statusCode: 500,
|
statusCode: 500,
|
||||||
|
ca: &mockCA{},
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
||||||
switch count {
|
switch count {
|
||||||
|
@ -876,6 +879,7 @@ func TestHandler_NewOrder(t *testing.T) {
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
statusCode: 201,
|
statusCode: 201,
|
||||||
nor: nor,
|
nor: nor,
|
||||||
|
ca: &mockCA{},
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
||||||
switch chCount {
|
switch chCount {
|
||||||
|
@ -991,6 +995,7 @@ func TestHandler_NewOrder(t *testing.T) {
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
statusCode: 201,
|
statusCode: 201,
|
||||||
nor: nor,
|
nor: nor,
|
||||||
|
ca: &mockCA{},
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
||||||
switch count {
|
switch count {
|
||||||
|
@ -1083,6 +1088,7 @@ func TestHandler_NewOrder(t *testing.T) {
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
statusCode: 201,
|
statusCode: 201,
|
||||||
nor: nor,
|
nor: nor,
|
||||||
|
ca: &mockCA{},
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
||||||
switch count {
|
switch count {
|
||||||
|
@ -1174,6 +1180,7 @@ func TestHandler_NewOrder(t *testing.T) {
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
statusCode: 201,
|
statusCode: 201,
|
||||||
nor: nor,
|
nor: nor,
|
||||||
|
ca: &mockCA{},
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
||||||
switch count {
|
switch count {
|
||||||
|
@ -1266,6 +1273,7 @@ func TestHandler_NewOrder(t *testing.T) {
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
statusCode: 201,
|
statusCode: 201,
|
||||||
nor: nor,
|
nor: nor,
|
||||||
|
ca: &mockCA{},
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
|
||||||
switch count {
|
switch count {
|
||||||
|
@ -1334,7 +1342,7 @@ func TestHandler_NewOrder(t *testing.T) {
|
||||||
for name, run := range tests {
|
for name, run := range tests {
|
||||||
tc := run(t)
|
tc := run(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db}
|
h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db, ca: tc.ca}
|
||||||
req := httptest.NewRequest("GET", u, nil)
|
req := httptest.NewRequest("GET", u, nil)
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
w := httptest.NewRecorder()
|
w := httptest.NewRecorder()
|
||||||
|
|
|
@ -6,15 +6,12 @@ import (
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"github.com/go-chi/chi"
|
"github.com/go-chi/chi"
|
||||||
|
|
||||||
|
"go.step.sm/linkedca"
|
||||||
|
|
||||||
"github.com/smallstep/certificates/api"
|
"github.com/smallstep/certificates/api"
|
||||||
"github.com/smallstep/certificates/authority/admin"
|
"github.com/smallstep/certificates/authority/admin"
|
||||||
"github.com/smallstep/certificates/authority/provisioner"
|
"github.com/smallstep/certificates/authority/provisioner"
|
||||||
"go.step.sm/linkedca"
|
|
||||||
)
|
|
||||||
|
|
||||||
const (
|
|
||||||
// provisionerContextKey provisioner key
|
|
||||||
provisionerContextKey = admin.ContextKey("provisioner")
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
|
// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
|
||||||
|
@ -51,7 +48,7 @@ func (h *Handler) requireEABEnabled(next nextHTTP) nextHTTP {
|
||||||
api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName()))
|
api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName()))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
ctx = linkedca.NewContextWithProvisioner(ctx, prov)
|
||||||
next(w, r.WithContext(ctx))
|
next(w, r.WithContext(ctx))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -42,7 +42,7 @@ func (h *Handler) extractAuthorizeTokenAdmin(next nextHTTP) nextHTTP {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx := linkedca.WithAdmin(r.Context(), adm)
|
ctx := linkedca.NewContextWithAdmin(r.Context(), adm)
|
||||||
next(w, r.WithContext(ctx))
|
next(w, r.WithContext(ctx))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -57,8 +57,8 @@ func (h *Handler) checkAction(next nextHTTP, supportedInStandalone bool) nextHTT
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// when not in standalone mode and using a nosql.DB backend,
|
// when an action is not supported in standalone mode and when
|
||||||
// actions are not supported
|
// using a nosql.DB backend, actions are not supported
|
||||||
if _, ok := h.adminDB.(*nosql.DB); ok {
|
if _, ok := h.adminDB.(*nosql.DB); ok {
|
||||||
api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,
|
api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,
|
||||||
"operation not supported in standalone mode"))
|
"operation not supported in standalone mode"))
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
package admin
|
|
||||||
|
|
||||||
// ContextKey is the key type for storing and searching for
|
|
||||||
// Admin API objects in request contexts.
|
|
||||||
type ContextKey string
|
|
||||||
|
|
||||||
const (
|
|
||||||
// AdminContextKey account key
|
|
||||||
AdminContextKey = ContextKey("admin")
|
|
||||||
)
|
|
|
@ -34,9 +34,9 @@ type SCEP struct {
|
||||||
Options *Options `json:"options,omitempty"`
|
Options *Options `json:"options,omitempty"`
|
||||||
Claims *Claims `json:"claims,omitempty"`
|
Claims *Claims `json:"claims,omitempty"`
|
||||||
ctl *Controller
|
ctl *Controller
|
||||||
x509Policy policy.X509Policy
|
|
||||||
secretChallengePassword string
|
secretChallengePassword string
|
||||||
encryptionAlgorithm int
|
encryptionAlgorithm int
|
||||||
|
x509Policy policy.X509Policy
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetID returns the provisioner unique identifier.
|
// GetID returns the provisioner unique identifier.
|
||||||
|
|
|
@ -231,10 +231,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
|
||||||
}
|
}
|
||||||
|
|
||||||
// isAllowedToSign checks if the Authority is allowed to sign the X.509 certificate.
|
// isAllowedToSign checks if the Authority is allowed to sign the X.509 certificate.
|
||||||
// It first checks if the certificate contains an admin subject that exists in the
|
|
||||||
// collection of admins. The CA is always allowed to sign those. If the cert contains
|
|
||||||
// different names and a policy is configured, the policy will be executed against
|
|
||||||
// the cert to see if the CA is allowed to sign it.
|
|
||||||
func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {
|
func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {
|
||||||
|
|
||||||
// if no policy is configured, the cert is implicitly allowed
|
// if no policy is configured, the cert is implicitly allowed
|
||||||
|
|
Loading…
Reference in a new issue