forked from TrueCloudLab/certificates
Refactor ACME EAB queries
The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time.
This commit is contained in:
parent
30859d3c83
commit
ef16febf40
10 changed files with 766 additions and 553 deletions
|
@ -45,13 +45,13 @@ func KeyToID(jwk *jose.JSONWebKey) (string, error) {
|
||||||
|
|
||||||
// ExternalAccountKey is an ACME External Account Binding key.
|
// ExternalAccountKey is an ACME External Account Binding key.
|
||||||
type ExternalAccountKey struct {
|
type ExternalAccountKey struct {
|
||||||
ID string `json:"id"`
|
ID string `json:"id"`
|
||||||
Provisioner string `json:"provisioner"`
|
ProvisionerID string `json:"provisionerID"`
|
||||||
Reference string `json:"reference"`
|
Reference string `json:"reference"`
|
||||||
AccountID string `json:"-"`
|
AccountID string `json:"-"`
|
||||||
KeyBytes []byte `json:"-"`
|
KeyBytes []byte `json:"-"`
|
||||||
CreatedAt time.Time `json:"createdAt"`
|
CreatedAt time.Time `json:"createdAt"`
|
||||||
BoundAt time.Time `json:"boundAt,omitempty"`
|
BoundAt time.Time `json:"boundAt,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// AlreadyBound returns whether this EAK is already bound to
|
// AlreadyBound returns whether this EAK is already bound to
|
||||||
|
|
|
@ -92,10 +92,10 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "ok",
|
name: "ok",
|
||||||
eak: &ExternalAccountKey{
|
eak: &ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: "prov",
|
ProvisionerID: "provID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
},
|
},
|
||||||
acct: &Account{
|
acct: &Account{
|
||||||
ID: "accountID",
|
ID: "accountID",
|
||||||
|
@ -105,12 +105,12 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "fail/already-bound",
|
name: "fail/already-bound",
|
||||||
eak: &ExternalAccountKey{
|
eak: &ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: "prov",
|
ProvisionerID: "provID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
AccountID: "someAccountID",
|
AccountID: "someAccountID",
|
||||||
BoundAt: boundAt,
|
BoundAt: boundAt,
|
||||||
},
|
},
|
||||||
acct: &Account{
|
acct: &Account{
|
||||||
ID: "accountID",
|
ID: "accountID",
|
||||||
|
|
|
@ -144,7 +144,7 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) {
|
||||||
api.WriteError(w, err)
|
api.WriteError(w, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if err := h.db.UpdateExternalAccountKey(ctx, prov.Name, eak); err != nil {
|
if err := h.db.UpdateExternalAccountKey(ctx, prov.ID, eak); err != nil {
|
||||||
api.WriteError(w, acme.WrapErrorISE(err, "error updating external account binding key"))
|
api.WriteError(w, acme.WrapErrorISE(err, "error updating external account binding key"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -274,7 +274,7 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
|
||||||
return nil, acmeErr
|
return nil, acmeErr
|
||||||
}
|
}
|
||||||
|
|
||||||
externalAccountKey, err := h.db.GetExternalAccountKey(ctx, acmeProv.Name, keyID)
|
externalAccountKey, err := h.db.GetExternalAccountKey(ctx, acmeProv.ID, keyID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if _, ok := err.(*acme.Error); ok {
|
if _, ok := err.(*acme.Error); ok {
|
||||||
return nil, acme.WrapError(acme.ErrorUnauthorizedType, err, "the field 'kid' references an unknown key")
|
return nil, acme.WrapError(acme.ErrorUnauthorizedType, err, "the field 'kid' references an unknown key")
|
||||||
|
|
|
@ -351,6 +351,7 @@ func TestHandler_NewAccount(t *testing.T) {
|
||||||
prov := newProv()
|
prov := newProv()
|
||||||
escProvName := url.PathEscape(prov.GetName())
|
escProvName := url.PathEscape(prov.GetName())
|
||||||
baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"}
|
baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"}
|
||||||
|
provID := prov.GetID()
|
||||||
|
|
||||||
type test struct {
|
type test struct {
|
||||||
db acme.DB
|
db acme.DB
|
||||||
|
@ -554,11 +555,11 @@ func TestHandler_NewAccount(t *testing.T) {
|
||||||
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
|
ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
|
||||||
eak := &acme.ExternalAccountKey{
|
eak := &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: escProvName,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}
|
}
|
||||||
return test{
|
return test{
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
|
@ -731,11 +732,11 @@ func TestHandler_NewAccount(t *testing.T) {
|
||||||
},
|
},
|
||||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: escProvName,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
MockUpdateExternalAccountKey: func(ctx context.Context, provisionerName string, eak *acme.ExternalAccountKey) error {
|
MockUpdateExternalAccountKey: func(ctx context.Context, provisionerName string, eak *acme.ExternalAccountKey) error {
|
||||||
|
@ -1056,6 +1057,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
acmeProv := newACMEProv(t)
|
acmeProv := newACMEProv(t)
|
||||||
escProvName := url.PathEscape(acmeProv.GetName())
|
escProvName := url.PathEscape(acmeProv.GetName())
|
||||||
baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"}
|
baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"}
|
||||||
|
provID := acmeProv.GetID()
|
||||||
type test struct {
|
type test struct {
|
||||||
db acme.DB
|
db acme.DB
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
|
@ -1128,11 +1130,11 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: escProvName,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1142,11 +1144,11 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
ExternalAccountBinding: eab,
|
ExternalAccountBinding: eab,
|
||||||
},
|
},
|
||||||
eak: &acme.ExternalAccountKey{
|
eak: &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: escProvName,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
},
|
},
|
||||||
err: nil,
|
err: nil,
|
||||||
}
|
}
|
||||||
|
@ -1492,12 +1494,12 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: escProvName,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
AccountID: "some-account-id",
|
AccountID: "some-account-id",
|
||||||
BoundAt: boundAt,
|
BoundAt: boundAt,
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1549,11 +1551,11 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: escProvName,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 2, 3, 4},
|
KeyBytes: []byte{1, 2, 3, 4},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1607,11 +1609,11 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: escProvName,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1662,11 +1664,11 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: escProvName,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1718,11 +1720,11 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
db: &acme.MockDB{
|
db: &acme.MockDB{
|
||||||
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: escProvName,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1765,7 +1767,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
assert.NotNil(t, tc.eak)
|
assert.NotNil(t, tc.eak)
|
||||||
assert.Equals(t, got.ID, tc.eak.ID)
|
assert.Equals(t, got.ID, tc.eak.ID)
|
||||||
assert.Equals(t, got.KeyBytes, tc.eak.KeyBytes)
|
assert.Equals(t, got.KeyBytes, tc.eak.KeyBytes)
|
||||||
assert.Equals(t, got.Provisioner, tc.eak.Provisioner)
|
assert.Equals(t, got.ProvisionerID, tc.eak.ProvisionerID)
|
||||||
assert.Equals(t, got.Reference, tc.eak.Reference)
|
assert.Equals(t, got.Reference, tc.eak.Reference)
|
||||||
assert.Equals(t, got.CreatedAt, tc.eak.CreatedAt)
|
assert.Equals(t, got.CreatedAt, tc.eak.CreatedAt)
|
||||||
assert.Equals(t, got.AccountID, tc.eak.AccountID)
|
assert.Equals(t, got.AccountID, tc.eak.AccountID)
|
||||||
|
|
48
acme/db.go
48
acme/db.go
|
@ -19,12 +19,12 @@ type DB interface {
|
||||||
GetAccountByKeyID(ctx context.Context, kid string) (*Account, error)
|
GetAccountByKeyID(ctx context.Context, kid string) (*Account, error)
|
||||||
UpdateAccount(ctx context.Context, acc *Account) error
|
UpdateAccount(ctx context.Context, acc *Account) error
|
||||||
|
|
||||||
CreateExternalAccountKey(ctx context.Context, provisionerName, reference string) (*ExternalAccountKey, error)
|
CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
|
||||||
GetExternalAccountKey(ctx context.Context, provisionerName, keyID string) (*ExternalAccountKey, error)
|
GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
|
||||||
GetExternalAccountKeys(ctx context.Context, provisionerName string) ([]*ExternalAccountKey, error)
|
GetExternalAccountKeys(ctx context.Context, provisionerID string) ([]*ExternalAccountKey, error)
|
||||||
GetExternalAccountKeyByReference(ctx context.Context, provisionerName, reference string) (*ExternalAccountKey, error)
|
GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
|
||||||
DeleteExternalAccountKey(ctx context.Context, provisionerName, keyID string) error
|
DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID string) error
|
||||||
UpdateExternalAccountKey(ctx context.Context, provisionerName string, eak *ExternalAccountKey) error
|
UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error
|
||||||
|
|
||||||
CreateNonce(ctx context.Context) (Nonce, error)
|
CreateNonce(ctx context.Context) (Nonce, error)
|
||||||
DeleteNonce(ctx context.Context, nonce Nonce) error
|
DeleteNonce(ctx context.Context, nonce Nonce) error
|
||||||
|
@ -56,12 +56,12 @@ type MockDB struct {
|
||||||
MockGetAccountByKeyID func(ctx context.Context, kid string) (*Account, error)
|
MockGetAccountByKeyID func(ctx context.Context, kid string) (*Account, error)
|
||||||
MockUpdateAccount func(ctx context.Context, acc *Account) error
|
MockUpdateAccount func(ctx context.Context, acc *Account) error
|
||||||
|
|
||||||
MockCreateExternalAccountKey func(ctx context.Context, provisionerName, reference string) (*ExternalAccountKey, error)
|
MockCreateExternalAccountKey func(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
|
||||||
MockGetExternalAccountKey func(ctx context.Context, provisionerName, keyID string) (*ExternalAccountKey, error)
|
MockGetExternalAccountKey func(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error)
|
||||||
MockGetExternalAccountKeys func(ctx context.Context, provisionerName string) ([]*ExternalAccountKey, error)
|
MockGetExternalAccountKeys func(ctx context.Context, provisionerID string) ([]*ExternalAccountKey, error)
|
||||||
MockGetExternalAccountKeyByReference func(ctx context.Context, provisionerName, reference string) (*ExternalAccountKey, error)
|
MockGetExternalAccountKeyByReference func(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error)
|
||||||
MockDeleteExternalAccountKey func(ctx context.Context, provisionerName, keyID string) error
|
MockDeleteExternalAccountKey func(ctx context.Context, provisionerID, keyID string) error
|
||||||
MockUpdateExternalAccountKey func(ctx context.Context, provisionerName string, eak *ExternalAccountKey) error
|
MockUpdateExternalAccountKey func(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error
|
||||||
|
|
||||||
MockCreateNonce func(ctx context.Context) (Nonce, error)
|
MockCreateNonce func(ctx context.Context) (Nonce, error)
|
||||||
MockDeleteNonce func(ctx context.Context, nonce Nonce) error
|
MockDeleteNonce func(ctx context.Context, nonce Nonce) error
|
||||||
|
@ -129,9 +129,9 @@ func (m *MockDB) UpdateAccount(ctx context.Context, acc *Account) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// CreateExternalAccountKey mock
|
// CreateExternalAccountKey mock
|
||||||
func (m *MockDB) CreateExternalAccountKey(ctx context.Context, provisionerName, reference string) (*ExternalAccountKey, error) {
|
func (m *MockDB) CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error) {
|
||||||
if m.MockCreateExternalAccountKey != nil {
|
if m.MockCreateExternalAccountKey != nil {
|
||||||
return m.MockCreateExternalAccountKey(ctx, provisionerName, reference)
|
return m.MockCreateExternalAccountKey(ctx, provisionerID, reference)
|
||||||
} else if m.MockError != nil {
|
} else if m.MockError != nil {
|
||||||
return nil, m.MockError
|
return nil, m.MockError
|
||||||
}
|
}
|
||||||
|
@ -139,9 +139,9 @@ func (m *MockDB) CreateExternalAccountKey(ctx context.Context, provisionerName,
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetExternalAccountKey mock
|
// GetExternalAccountKey mock
|
||||||
func (m *MockDB) GetExternalAccountKey(ctx context.Context, provisionerName, keyID string) (*ExternalAccountKey, error) {
|
func (m *MockDB) GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*ExternalAccountKey, error) {
|
||||||
if m.MockGetExternalAccountKey != nil {
|
if m.MockGetExternalAccountKey != nil {
|
||||||
return m.MockGetExternalAccountKey(ctx, provisionerName, keyID)
|
return m.MockGetExternalAccountKey(ctx, provisionerID, keyID)
|
||||||
} else if m.MockError != nil {
|
} else if m.MockError != nil {
|
||||||
return nil, m.MockError
|
return nil, m.MockError
|
||||||
}
|
}
|
||||||
|
@ -149,9 +149,9 @@ func (m *MockDB) GetExternalAccountKey(ctx context.Context, provisionerName, key
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetExternalAccountKeys mock
|
// GetExternalAccountKeys mock
|
||||||
func (m *MockDB) GetExternalAccountKeys(ctx context.Context, provisionerName string) ([]*ExternalAccountKey, error) {
|
func (m *MockDB) GetExternalAccountKeys(ctx context.Context, provisionerID string) ([]*ExternalAccountKey, error) {
|
||||||
if m.MockGetExternalAccountKeys != nil {
|
if m.MockGetExternalAccountKeys != nil {
|
||||||
return m.MockGetExternalAccountKeys(ctx, provisionerName)
|
return m.MockGetExternalAccountKeys(ctx, provisionerID)
|
||||||
} else if m.MockError != nil {
|
} else if m.MockError != nil {
|
||||||
return nil, m.MockError
|
return nil, m.MockError
|
||||||
}
|
}
|
||||||
|
@ -159,9 +159,9 @@ func (m *MockDB) GetExternalAccountKeys(ctx context.Context, provisionerName str
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetExternalAccountKeyByReference mock
|
// GetExternalAccountKeyByReference mock
|
||||||
func (m *MockDB) GetExternalAccountKeyByReference(ctx context.Context, provisionerName, reference string) (*ExternalAccountKey, error) {
|
func (m *MockDB) GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*ExternalAccountKey, error) {
|
||||||
if m.MockGetExternalAccountKeyByReference != nil {
|
if m.MockGetExternalAccountKeyByReference != nil {
|
||||||
return m.MockGetExternalAccountKeyByReference(ctx, provisionerName, reference)
|
return m.MockGetExternalAccountKeyByReference(ctx, provisionerID, reference)
|
||||||
} else if m.MockError != nil {
|
} else if m.MockError != nil {
|
||||||
return nil, m.MockError
|
return nil, m.MockError
|
||||||
}
|
}
|
||||||
|
@ -169,9 +169,9 @@ func (m *MockDB) GetExternalAccountKeyByReference(ctx context.Context, provision
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeleteExternalAccountKey mock
|
// DeleteExternalAccountKey mock
|
||||||
func (m *MockDB) DeleteExternalAccountKey(ctx context.Context, provisionerName, keyID string) error {
|
func (m *MockDB) DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID string) error {
|
||||||
if m.MockDeleteExternalAccountKey != nil {
|
if m.MockDeleteExternalAccountKey != nil {
|
||||||
return m.MockDeleteExternalAccountKey(ctx, provisionerName, keyID)
|
return m.MockDeleteExternalAccountKey(ctx, provisionerID, keyID)
|
||||||
} else if m.MockError != nil {
|
} else if m.MockError != nil {
|
||||||
return m.MockError
|
return m.MockError
|
||||||
}
|
}
|
||||||
|
@ -179,9 +179,9 @@ func (m *MockDB) DeleteExternalAccountKey(ctx context.Context, provisionerName,
|
||||||
}
|
}
|
||||||
|
|
||||||
// UpdateExternalAccountKey mock
|
// UpdateExternalAccountKey mock
|
||||||
func (m *MockDB) UpdateExternalAccountKey(ctx context.Context, provisionerName string, eak *ExternalAccountKey) error {
|
func (m *MockDB) UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *ExternalAccountKey) error {
|
||||||
if m.MockUpdateExternalAccountKey != nil {
|
if m.MockUpdateExternalAccountKey != nil {
|
||||||
return m.MockUpdateExternalAccountKey(ctx, provisionerName, eak)
|
return m.MockUpdateExternalAccountKey(ctx, provisionerID, eak)
|
||||||
} else if m.MockError != nil {
|
} else if m.MockError != nil {
|
||||||
return m.MockError
|
return m.MockError
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,6 +4,7 @@ import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
@ -12,6 +13,9 @@ import (
|
||||||
"go.step.sm/crypto/jose"
|
"go.step.sm/crypto/jose"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Mutex for locking referencesByProvisioner index operations.
|
||||||
|
var referencesByProvisionerIndexMux sync.Mutex
|
||||||
|
|
||||||
// dbAccount represents an ACME account.
|
// dbAccount represents an ACME account.
|
||||||
type dbAccount struct {
|
type dbAccount struct {
|
||||||
ID string `json:"id"`
|
ID string `json:"id"`
|
||||||
|
@ -28,13 +32,13 @@ func (dba *dbAccount) clone() *dbAccount {
|
||||||
}
|
}
|
||||||
|
|
||||||
type dbExternalAccountKey struct {
|
type dbExternalAccountKey struct {
|
||||||
ID string `json:"id"`
|
ID string `json:"id"`
|
||||||
Provisioner string `json:"provisioner"`
|
ProvisionerID string `json:"provisionerID"`
|
||||||
Reference string `json:"reference"`
|
Reference string `json:"reference"`
|
||||||
AccountID string `json:"accountID,omitempty"`
|
AccountID string `json:"accountID,omitempty"`
|
||||||
KeyBytes []byte `json:"key"`
|
KeyBytes []byte `json:"key"`
|
||||||
CreatedAt time.Time `json:"createdAt"`
|
CreatedAt time.Time `json:"createdAt"`
|
||||||
BoundAt time.Time `json:"boundAt"`
|
BoundAt time.Time `json:"boundAt"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type dbExternalAccountKeyReference struct {
|
type dbExternalAccountKeyReference struct {
|
||||||
|
@ -170,7 +174,7 @@ func (db *DB) UpdateAccount(ctx context.Context, acc *acme.Account) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// CreateExternalAccountKey creates a new External Account Binding key with a name
|
// CreateExternalAccountKey creates a new External Account Binding key with a name
|
||||||
func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
keyID, err := randID()
|
keyID, err := randID()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -183,106 +187,125 @@ func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerName, ref
|
||||||
}
|
}
|
||||||
|
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: provisionerName,
|
ProvisionerID: provisionerID,
|
||||||
Reference: reference,
|
Reference: reference,
|
||||||
KeyBytes: random,
|
KeyBytes: random,
|
||||||
CreatedAt: clock.Now(),
|
CreatedAt: clock.Now(),
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := db.save(ctx, keyID, dbeak, nil, "external_account_key", externalAccountKeyTable); err != nil {
|
if err := db.save(ctx, keyID, dbeak, nil, "external_account_key", externalAccountKeyTable); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err := db.addEAKID(ctx, provisionerID, dbeak.ID); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
if dbeak.Reference != "" {
|
if dbeak.Reference != "" {
|
||||||
dbExternalAccountKeyReference := &dbExternalAccountKeyReference{
|
dbExternalAccountKeyReference := &dbExternalAccountKeyReference{
|
||||||
Reference: dbeak.Reference,
|
Reference: dbeak.Reference,
|
||||||
ExternalAccountKeyID: dbeak.ID,
|
ExternalAccountKeyID: dbeak.ID,
|
||||||
}
|
}
|
||||||
if err := db.save(ctx, dbeak.Reference, dbExternalAccountKeyReference, nil, "external_account_key_reference", externalAccountKeysByReferenceTable); err != nil {
|
if err := db.save(ctx, referenceKey(provisionerID, dbeak.Reference), dbExternalAccountKeyReference, nil, "external_account_key_reference", externalAccountKeysByReferenceTable); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: dbeak.ID,
|
ID: dbeak.ID,
|
||||||
Provisioner: dbeak.Provisioner,
|
ProvisionerID: dbeak.ProvisionerID,
|
||||||
Reference: dbeak.Reference,
|
Reference: dbeak.Reference,
|
||||||
AccountID: dbeak.AccountID,
|
AccountID: dbeak.AccountID,
|
||||||
KeyBytes: dbeak.KeyBytes,
|
KeyBytes: dbeak.KeyBytes,
|
||||||
CreatedAt: dbeak.CreatedAt,
|
CreatedAt: dbeak.CreatedAt,
|
||||||
BoundAt: dbeak.BoundAt,
|
BoundAt: dbeak.BoundAt,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetExternalAccountKey retrieves an External Account Binding key by KeyID
|
// GetExternalAccountKey retrieves an External Account Binding key by KeyID
|
||||||
func (db *DB) GetExternalAccountKey(ctx context.Context, provisionerName, keyID string) (*acme.ExternalAccountKey, error) {
|
func (db *DB) GetExternalAccountKey(ctx context.Context, provisionerID, keyID string) (*acme.ExternalAccountKey, error) {
|
||||||
dbeak, err := db.getDBExternalAccountKey(ctx, keyID)
|
dbeak, err := db.getDBExternalAccountKey(ctx, keyID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if dbeak.Provisioner != provisionerName {
|
if dbeak.ProvisionerID != provisionerID {
|
||||||
return nil, acme.NewError(acme.ErrorUnauthorizedType, "name of provisioner does not match provisioner for which the EAB key was created")
|
return nil, acme.NewError(acme.ErrorUnauthorizedType, "provisioner does not match provisioner for which the EAB key was created")
|
||||||
}
|
}
|
||||||
|
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: dbeak.ID,
|
ID: dbeak.ID,
|
||||||
Provisioner: dbeak.Provisioner,
|
ProvisionerID: dbeak.ProvisionerID,
|
||||||
Reference: dbeak.Reference,
|
Reference: dbeak.Reference,
|
||||||
AccountID: dbeak.AccountID,
|
AccountID: dbeak.AccountID,
|
||||||
KeyBytes: dbeak.KeyBytes,
|
KeyBytes: dbeak.KeyBytes,
|
||||||
CreatedAt: dbeak.CreatedAt,
|
CreatedAt: dbeak.CreatedAt,
|
||||||
BoundAt: dbeak.BoundAt,
|
BoundAt: dbeak.BoundAt,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (db *DB) DeleteExternalAccountKey(ctx context.Context, provisionerName, keyID string) error {
|
func (db *DB) DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID string) error {
|
||||||
dbeak, err := db.getDBExternalAccountKey(ctx, keyID)
|
dbeak, err := db.getDBExternalAccountKey(ctx, keyID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrapf(err, "error loading ACME EAB Key with Key ID %s", keyID)
|
return errors.Wrapf(err, "error loading ACME EAB Key with Key ID %s", keyID)
|
||||||
}
|
}
|
||||||
if dbeak.Provisioner != provisionerName {
|
|
||||||
return errors.New("name of provisioner does not match provisioner for which the EAB key was created")
|
if dbeak.ProvisionerID != provisionerID {
|
||||||
|
return errors.New("provisioner does not match provisioner for which the EAB key was created")
|
||||||
}
|
}
|
||||||
|
|
||||||
if dbeak.Reference != "" {
|
if dbeak.Reference != "" {
|
||||||
err = db.db.Del(externalAccountKeysByReferenceTable, []byte(dbeak.Reference))
|
if err := db.db.Del(externalAccountKeysByReferenceTable, []byte(referenceKey(provisionerID, dbeak.Reference))); err != nil {
|
||||||
if err != nil {
|
return errors.Wrapf(err, "error deleting ACME EAB Key reference with Key ID %s and reference %s", keyID, dbeak.Reference)
|
||||||
return errors.Wrapf(err, "error deleting ACME EAB Key Reference with Key ID %s and reference %s", keyID, dbeak.Reference)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if err = db.db.Del(externalAccountKeyTable, []byte(keyID)); err != nil {
|
if err := db.db.Del(externalAccountKeyTable, []byte(keyID)); err != nil {
|
||||||
return errors.Wrapf(err, "error deleting ACME EAB Key with Key ID %s", keyID)
|
return errors.Wrapf(err, "error deleting ACME EAB Key with Key ID %s", keyID)
|
||||||
}
|
}
|
||||||
|
if err := db.deleteEAKID(ctx, provisionerID, keyID); err != nil {
|
||||||
|
return errors.Wrapf(err, "error removing ACME EAB Key ID %s", keyID)
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetExternalAccountKeys retrieves all External Account Binding keys for a provisioner
|
// GetExternalAccountKeys retrieves all External Account Binding keys for a provisioner
|
||||||
func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerName string) ([]*acme.ExternalAccountKey, error) {
|
func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerID string) ([]*acme.ExternalAccountKey, error) {
|
||||||
|
|
||||||
// TODO: lookup by provisioner based on index
|
// TODO: mutex?
|
||||||
entries, err := db.db.List(externalAccountKeyTable)
|
|
||||||
|
var eakIDs []string
|
||||||
|
r, err := db.db.Get(externalAccountKeysByProvisionerIDTable, []byte(provisionerID))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
if !nosqlDB.IsErrNotFound(err) {
|
||||||
|
return nil, errors.Wrapf(err, "error loading ACME EAB Key IDs for provisioner %s", provisionerID)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if err := json.Unmarshal(r, &eakIDs); err != nil {
|
||||||
|
return nil, errors.Wrapf(err, "error unmarshaling ACME EAB Key IDs for provisioner %s", provisionerID)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
keys := []*acme.ExternalAccountKey{}
|
keys := []*acme.ExternalAccountKey{}
|
||||||
for _, entry := range entries { // entries is sorted alphabetically on the key (ID) of the EAK; no need to sort this again.
|
for _, eakID := range eakIDs {
|
||||||
dbeak := new(dbExternalAccountKey)
|
if eakID == "" {
|
||||||
if err = json.Unmarshal(entry.Value, dbeak); err != nil {
|
continue // shouldn't happen; just in case
|
||||||
return nil, errors.Wrapf(err, "error unmarshaling external account key %s into ExternalAccountKey", string(entry.Key))
|
|
||||||
}
|
}
|
||||||
if dbeak.Provisioner != provisionerName {
|
eak, err := db.getDBExternalAccountKey(ctx, eakID)
|
||||||
continue
|
if err != nil {
|
||||||
|
if !nosqlDB.IsErrNotFound(err) {
|
||||||
|
return nil, errors.Wrapf(err, "error retrieving ACME EAB Key for provisioner %s and keyID %s", provisionerID, eakID)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
keys = append(keys, &acme.ExternalAccountKey{
|
keys = append(keys, &acme.ExternalAccountKey{
|
||||||
ID: dbeak.ID,
|
ID: eak.ID,
|
||||||
KeyBytes: dbeak.KeyBytes,
|
KeyBytes: eak.KeyBytes,
|
||||||
Provisioner: dbeak.Provisioner,
|
ProvisionerID: eak.ProvisionerID,
|
||||||
Reference: dbeak.Reference,
|
Reference: eak.Reference,
|
||||||
AccountID: dbeak.AccountID,
|
AccountID: eak.AccountID,
|
||||||
CreatedAt: dbeak.CreatedAt,
|
CreatedAt: eak.CreatedAt,
|
||||||
BoundAt: dbeak.BoundAt,
|
BoundAt: eak.BoundAt,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -290,11 +313,12 @@ func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerName string
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetExternalAccountKeyByReference retrieves an External Account Binding key with unique reference
|
// GetExternalAccountKeyByReference retrieves an External Account Binding key with unique reference
|
||||||
func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
if reference == "" {
|
if reference == "" {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
k, err := db.db.Get(externalAccountKeysByReferenceTable, []byte(reference))
|
|
||||||
|
k, err := db.db.Get(externalAccountKeysByReferenceTable, []byte(referenceKey(provisionerID, reference)))
|
||||||
if nosqlDB.IsErrNotFound(err) {
|
if nosqlDB.IsErrNotFound(err) {
|
||||||
return nil, acme.ErrNotFound
|
return nil, acme.ErrNotFound
|
||||||
} else if err != nil {
|
} else if err != nil {
|
||||||
|
@ -304,28 +328,139 @@ func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerN
|
||||||
if err := json.Unmarshal(k, dbExternalAccountKeyReference); err != nil {
|
if err := json.Unmarshal(k, dbExternalAccountKeyReference); err != nil {
|
||||||
return nil, errors.Wrapf(err, "error unmarshaling ACME EAB key for reference %s", reference)
|
return nil, errors.Wrapf(err, "error unmarshaling ACME EAB key for reference %s", reference)
|
||||||
}
|
}
|
||||||
return db.GetExternalAccountKey(ctx, provisionerName, dbExternalAccountKeyReference.ExternalAccountKeyID)
|
|
||||||
|
return db.GetExternalAccountKey(ctx, provisionerID, dbExternalAccountKeyReference.ExternalAccountKeyID)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (db *DB) UpdateExternalAccountKey(ctx context.Context, provisionerName string, eak *acme.ExternalAccountKey) error {
|
func (db *DB) UpdateExternalAccountKey(ctx context.Context, provisionerID string, eak *acme.ExternalAccountKey) error {
|
||||||
old, err := db.getDBExternalAccountKey(ctx, eak.ID)
|
old, err := db.getDBExternalAccountKey(ctx, eak.ID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if old.Provisioner != provisionerName {
|
if old.ProvisionerID != provisionerID {
|
||||||
return errors.New("name of provisioner does not match provisioner for which the EAB key was created")
|
return errors.New("provisioner does not match provisioner for which the EAB key was created")
|
||||||
|
}
|
||||||
|
|
||||||
|
if old.ProvisionerID != eak.ProvisionerID {
|
||||||
|
return errors.New("cannot change provisioner for an existing ACME EAB Key")
|
||||||
|
}
|
||||||
|
|
||||||
|
if old.Reference != eak.Reference {
|
||||||
|
return errors.New("cannot change reference for an existing ACME EAB Key")
|
||||||
}
|
}
|
||||||
|
|
||||||
nu := dbExternalAccountKey{
|
nu := dbExternalAccountKey{
|
||||||
ID: eak.ID,
|
ID: eak.ID,
|
||||||
Provisioner: eak.Provisioner,
|
ProvisionerID: eak.ProvisionerID,
|
||||||
Reference: eak.Reference,
|
Reference: eak.Reference,
|
||||||
AccountID: eak.AccountID,
|
AccountID: eak.AccountID,
|
||||||
KeyBytes: eak.KeyBytes,
|
KeyBytes: eak.KeyBytes,
|
||||||
CreatedAt: eak.CreatedAt,
|
CreatedAt: eak.CreatedAt,
|
||||||
BoundAt: eak.BoundAt,
|
BoundAt: eak.BoundAt,
|
||||||
}
|
}
|
||||||
|
|
||||||
return db.save(ctx, nu.ID, nu, old, "external_account_key", externalAccountKeyTable)
|
return db.save(ctx, nu.ID, nu, old, "external_account_key", externalAccountKeyTable)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (db *DB) addEAKID(ctx context.Context, provisionerID, eakID string) error {
|
||||||
|
referencesByProvisionerIndexMux.Lock()
|
||||||
|
defer referencesByProvisionerIndexMux.Unlock()
|
||||||
|
|
||||||
|
var eakIDs []string
|
||||||
|
b, err := db.db.Get(externalAccountKeysByProvisionerIDTable, []byte(provisionerID))
|
||||||
|
if err != nil {
|
||||||
|
if !nosqlDB.IsErrNotFound(err) {
|
||||||
|
return errors.Wrapf(err, "error loading eakIDs for provisioner %s", provisionerID)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if err := json.Unmarshal(b, &eakIDs); err != nil {
|
||||||
|
return errors.Wrapf(err, "error unmarshaling eakIDs for provisioner %s", provisionerID)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var newEAKIDs []string
|
||||||
|
newEAKIDs = append(newEAKIDs, eakIDs...)
|
||||||
|
newEAKIDs = append(newEAKIDs, eakID)
|
||||||
|
var (
|
||||||
|
_old interface{} = eakIDs
|
||||||
|
_new interface{} = newEAKIDs
|
||||||
|
)
|
||||||
|
|
||||||
|
if len(eakIDs) == 0 {
|
||||||
|
_old = nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = db.save(ctx, provisionerID, _new, _old, "externalAccountKeysByProvisionerID", externalAccountKeysByProvisionerIDTable); err != nil {
|
||||||
|
return errors.Wrapf(err, "error saving eakIDs index for provisioner %s", provisionerID)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (db *DB) deleteEAKID(ctx context.Context, provisionerID, eakID string) error {
|
||||||
|
referencesByProvisionerIndexMux.Lock()
|
||||||
|
defer referencesByProvisionerIndexMux.Unlock()
|
||||||
|
|
||||||
|
var eakIDs []string
|
||||||
|
b, err := db.db.Get(externalAccountKeysByProvisionerIDTable, []byte(provisionerID))
|
||||||
|
if err != nil {
|
||||||
|
if !nosqlDB.IsErrNotFound(err) {
|
||||||
|
return errors.Wrapf(err, "error loading reference IDs for provisioner %s", provisionerID)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if err := json.Unmarshal(b, &eakIDs); err != nil {
|
||||||
|
return errors.Wrapf(err, "error unmarshaling eakIDs for provisioner %s", provisionerID)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
newEAKIDs := removeElement(eakIDs, eakID)
|
||||||
|
var (
|
||||||
|
_old interface{} = eakIDs
|
||||||
|
_new interface{} = newEAKIDs
|
||||||
|
)
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case len(eakIDs) == 0:
|
||||||
|
_old = nil
|
||||||
|
case len(newEAKIDs) == 0:
|
||||||
|
_new = nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = db.save(ctx, provisionerID, _new, _old, "externalAccountKeysByProvisionerID", externalAccountKeysByProvisionerIDTable); err != nil {
|
||||||
|
return errors.Wrapf(err, "error saving referenceIDs index for provisioner %s", provisionerID)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// referenceKey returns a unique key for a reference per provisioner
|
||||||
|
func referenceKey(provisionerID, reference string) string {
|
||||||
|
return provisionerID + "." + reference
|
||||||
|
}
|
||||||
|
|
||||||
|
// sliceIndex finds the index of item in slice
|
||||||
|
func sliceIndex(slice []string, item string) int {
|
||||||
|
for i := range slice {
|
||||||
|
if slice[i] == item {
|
||||||
|
return i
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return -1
|
||||||
|
}
|
||||||
|
|
||||||
|
// removeElement deletes the item if it exists in the
|
||||||
|
// slice. It returns a new slice, keeping the old one intact.
|
||||||
|
func removeElement(slice []string, item string) []string {
|
||||||
|
|
||||||
|
newSlice := make([]string, 0)
|
||||||
|
index := sliceIndex(slice, item)
|
||||||
|
if index < 0 {
|
||||||
|
newSlice = append(newSlice, slice...)
|
||||||
|
return newSlice
|
||||||
|
}
|
||||||
|
|
||||||
|
newSlice = append(newSlice, slice[:index]...)
|
||||||
|
|
||||||
|
return append(newSlice, slice[index+1:]...)
|
||||||
|
}
|
||||||
|
|
|
@ -3,6 +3,7 @@ package nosql
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -307,7 +308,7 @@ func TestDB_GetAccountByKeyID(t *testing.T) {
|
||||||
assert.Equals(t, string(key), accID)
|
assert.Equals(t, string(key), accID)
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -340,7 +341,7 @@ func TestDB_GetAccountByKeyID(t *testing.T) {
|
||||||
assert.Equals(t, string(key), accID)
|
assert.Equals(t, string(key), accID)
|
||||||
return b, nil
|
return b, nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -462,7 +463,7 @@ func TestDB_CreateAccount(t *testing.T) {
|
||||||
assert.True(t, dbacc.DeactivatedAt.IsZero())
|
assert.True(t, dbacc.DeactivatedAt.IsZero())
|
||||||
return nil, false, errors.New("force")
|
return nil, false, errors.New("force")
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, false, errors.New("force")
|
return nil, false, errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -506,7 +507,7 @@ func TestDB_CreateAccount(t *testing.T) {
|
||||||
assert.True(t, dbacc.DeactivatedAt.IsZero())
|
assert.True(t, dbacc.DeactivatedAt.IsZero())
|
||||||
return nu, true, nil
|
return nu, true, nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, false, errors.New("force")
|
return nil, false, errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -699,6 +700,7 @@ func TestDB_UpdateAccount(t *testing.T) {
|
||||||
|
|
||||||
func TestDB_getDBExternalAccountKey(t *testing.T) {
|
func TestDB_getDBExternalAccountKey(t *testing.T) {
|
||||||
keyID := "keyID"
|
keyID := "keyID"
|
||||||
|
provID := "provID"
|
||||||
type test struct {
|
type test struct {
|
||||||
db nosql.DB
|
db nosql.DB
|
||||||
err error
|
err error
|
||||||
|
@ -709,12 +711,12 @@ func TestDB_getDBExternalAccountKey(t *testing.T) {
|
||||||
"ok": func(t *testing.T) test {
|
"ok": func(t *testing.T) test {
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: "prov",
|
ProvisionerID: provID,
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
@ -790,7 +792,7 @@ func TestDB_getDBExternalAccountKey(t *testing.T) {
|
||||||
} else if assert.Nil(t, tc.err) {
|
} else if assert.Nil(t, tc.err) {
|
||||||
assert.Equals(t, dbeak.ID, tc.dbeak.ID)
|
assert.Equals(t, dbeak.ID, tc.dbeak.ID)
|
||||||
assert.Equals(t, dbeak.KeyBytes, tc.dbeak.KeyBytes)
|
assert.Equals(t, dbeak.KeyBytes, tc.dbeak.KeyBytes)
|
||||||
assert.Equals(t, dbeak.Provisioner, tc.dbeak.Provisioner)
|
assert.Equals(t, dbeak.ProvisionerID, tc.dbeak.ProvisionerID)
|
||||||
assert.Equals(t, dbeak.Reference, tc.dbeak.Reference)
|
assert.Equals(t, dbeak.Reference, tc.dbeak.Reference)
|
||||||
assert.Equals(t, dbeak.CreatedAt, tc.dbeak.CreatedAt)
|
assert.Equals(t, dbeak.CreatedAt, tc.dbeak.CreatedAt)
|
||||||
assert.Equals(t, dbeak.AccountID, tc.dbeak.AccountID)
|
assert.Equals(t, dbeak.AccountID, tc.dbeak.AccountID)
|
||||||
|
@ -802,7 +804,7 @@ func TestDB_getDBExternalAccountKey(t *testing.T) {
|
||||||
|
|
||||||
func TestDB_GetExternalAccountKey(t *testing.T) {
|
func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
keyID := "keyID"
|
keyID := "keyID"
|
||||||
prov := "acmeProv"
|
provID := "provID"
|
||||||
type test struct {
|
type test struct {
|
||||||
db nosql.DB
|
db nosql.DB
|
||||||
err error
|
err error
|
||||||
|
@ -813,12 +815,12 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
"ok": func(t *testing.T) test {
|
"ok": func(t *testing.T) test {
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
@ -831,12 +833,12 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
eak: &acme.ExternalAccountKey{
|
eak: &acme.ExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -856,12 +858,12 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
"fail/non-matching-provisioner": func(t *testing.T) test {
|
"fail/non-matching-provisioner": func(t *testing.T) test {
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: "aDifferentProv",
|
ProvisionerID: "aDifferentProvID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
@ -874,14 +876,14 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
eak: &acme.ExternalAccountKey{
|
eak: &acme.ExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
acmeErr: acme.NewError(acme.ErrorUnauthorizedType, "name of provisioner does not match provisioner for which the EAB key was created"),
|
acmeErr: acme.NewError(acme.ErrorUnauthorizedType, "provisioner does not match provisioner for which the EAB key was created"),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -889,7 +891,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
tc := run(t)
|
tc := run(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
d := DB{db: tc.db}
|
d := DB{db: tc.db}
|
||||||
if eak, err := d.GetExternalAccountKey(context.Background(), prov, keyID); err != nil {
|
if eak, err := d.GetExternalAccountKey(context.Background(), provID, keyID); err != nil {
|
||||||
switch k := err.(type) {
|
switch k := err.(type) {
|
||||||
case *acme.Error:
|
case *acme.Error:
|
||||||
if assert.NotNil(t, tc.acmeErr) {
|
if assert.NotNil(t, tc.acmeErr) {
|
||||||
|
@ -907,7 +909,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
} else if assert.Nil(t, tc.err) {
|
} else if assert.Nil(t, tc.err) {
|
||||||
assert.Equals(t, eak.ID, tc.eak.ID)
|
assert.Equals(t, eak.ID, tc.eak.ID)
|
||||||
assert.Equals(t, eak.KeyBytes, tc.eak.KeyBytes)
|
assert.Equals(t, eak.KeyBytes, tc.eak.KeyBytes)
|
||||||
assert.Equals(t, eak.Provisioner, tc.eak.Provisioner)
|
assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID)
|
||||||
assert.Equals(t, eak.Reference, tc.eak.Reference)
|
assert.Equals(t, eak.Reference, tc.eak.Reference)
|
||||||
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
|
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
|
||||||
assert.Equals(t, eak.AccountID, tc.eak.AccountID)
|
assert.Equals(t, eak.AccountID, tc.eak.AccountID)
|
||||||
|
@ -919,7 +921,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
|
|
||||||
func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
keyID := "keyID"
|
keyID := "keyID"
|
||||||
prov := "acmeProv"
|
provID := "provID"
|
||||||
ref := "ref"
|
ref := "ref"
|
||||||
type test struct {
|
type test struct {
|
||||||
db nosql.DB
|
db nosql.DB
|
||||||
|
@ -932,12 +934,12 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
"ok": func(t *testing.T) test {
|
"ok": func(t *testing.T) test {
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
dbref := &dbExternalAccountKeyReference{
|
dbref := &dbExternalAccountKeyReference{
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
|
@ -953,24 +955,24 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
MGet: func(bucket, key []byte) ([]byte, error) {
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
switch string(bucket) {
|
switch string(bucket) {
|
||||||
case string(externalAccountKeysByReferenceTable):
|
case string(externalAccountKeysByReferenceTable):
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, string(key), provID+"."+ref)
|
||||||
return dbrefBytes, nil
|
return dbrefBytes, nil
|
||||||
case string(externalAccountKeyTable):
|
case string(externalAccountKeyTable):
|
||||||
assert.Equals(t, string(key), keyID)
|
assert.Equals(t, string(key), keyID)
|
||||||
return b, nil
|
return b, nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
eak: &acme.ExternalAccountKey{
|
eak: &acme.ExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
err: nil,
|
err: nil,
|
||||||
}
|
}
|
||||||
|
@ -988,7 +990,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
db: &db.MockNoSQLDB{
|
db: &db.MockNoSQLDB{
|
||||||
MGet: func(bucket, key []byte) ([]byte, error) {
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
assert.Equals(t, string(bucket), string(externalAccountKeysByReferenceTable))
|
assert.Equals(t, string(bucket), string(externalAccountKeysByReferenceTable))
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, string(key), provID+"."+ref)
|
||||||
return nil, nosqldb.ErrNotFound
|
return nil, nosqldb.ErrNotFound
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1001,7 +1003,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
db: &db.MockNoSQLDB{
|
db: &db.MockNoSQLDB{
|
||||||
MGet: func(bucket, key []byte) ([]byte, error) {
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
assert.Equals(t, string(bucket), string(externalAccountKeysByReferenceTable))
|
assert.Equals(t, string(bucket), string(externalAccountKeysByReferenceTable))
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, string(key), provID+"."+ref)
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1014,7 +1016,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
db: &db.MockNoSQLDB{
|
db: &db.MockNoSQLDB{
|
||||||
MGet: func(bucket, key []byte) ([]byte, error) {
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
assert.Equals(t, string(bucket), string(externalAccountKeysByReferenceTable))
|
assert.Equals(t, string(bucket), string(externalAccountKeysByReferenceTable))
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, string(key), provID+"."+ref)
|
||||||
return []byte{0}, nil
|
return []byte{0}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1034,13 +1036,13 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
MGet: func(bucket, key []byte) ([]byte, error) {
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
switch string(bucket) {
|
switch string(bucket) {
|
||||||
case string(externalAccountKeysByReferenceTable):
|
case string(externalAccountKeysByReferenceTable):
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, string(key), provID+"."+ref)
|
||||||
return dbrefBytes, nil
|
return dbrefBytes, nil
|
||||||
case string(externalAccountKeyTable):
|
case string(externalAccountKeyTable):
|
||||||
assert.Equals(t, string(key), keyID)
|
assert.Equals(t, string(key), keyID)
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -1053,7 +1055,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
tc := run(t)
|
tc := run(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
d := DB{db: tc.db}
|
d := DB{db: tc.db}
|
||||||
if eak, err := d.GetExternalAccountKeyByReference(context.Background(), prov, tc.ref); err != nil {
|
if eak, err := d.GetExternalAccountKeyByReference(context.Background(), provID, tc.ref); err != nil {
|
||||||
switch k := err.(type) {
|
switch k := err.(type) {
|
||||||
case *acme.Error:
|
case *acme.Error:
|
||||||
if assert.NotNil(t, tc.acmeErr) {
|
if assert.NotNil(t, tc.acmeErr) {
|
||||||
|
@ -1074,7 +1076,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
assert.Equals(t, eak.BoundAt, tc.eak.BoundAt)
|
assert.Equals(t, eak.BoundAt, tc.eak.BoundAt)
|
||||||
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
|
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
|
||||||
assert.Equals(t, eak.KeyBytes, tc.eak.KeyBytes)
|
assert.Equals(t, eak.KeyBytes, tc.eak.KeyBytes)
|
||||||
assert.Equals(t, eak.Provisioner, tc.eak.Provisioner)
|
assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID)
|
||||||
assert.Equals(t, eak.Reference, tc.eak.Reference)
|
assert.Equals(t, eak.Reference, tc.eak.Reference)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -1085,7 +1087,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
keyID1 := "keyID1"
|
keyID1 := "keyID1"
|
||||||
keyID2 := "keyID2"
|
keyID2 := "keyID2"
|
||||||
keyID3 := "keyID3"
|
keyID3 := "keyID3"
|
||||||
prov := "acmeProv"
|
provID := "provID"
|
||||||
ref := "ref"
|
ref := "ref"
|
||||||
type test struct {
|
type test struct {
|
||||||
db nosql.DB
|
db nosql.DB
|
||||||
|
@ -1097,105 +1099,147 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
"ok": func(t *testing.T) test {
|
"ok": func(t *testing.T) test {
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak1 := &dbExternalAccountKey{
|
dbeak1 := &dbExternalAccountKey{
|
||||||
ID: keyID1,
|
ID: keyID1,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b1, err := json.Marshal(dbeak1)
|
b1, err := json.Marshal(dbeak1)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
dbeak2 := &dbExternalAccountKey{
|
dbeak2 := &dbExternalAccountKey{
|
||||||
ID: keyID2,
|
ID: keyID2,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b2, err := json.Marshal(dbeak2)
|
b2, err := json.Marshal(dbeak2)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
dbeak3 := &dbExternalAccountKey{
|
dbeak3 := &dbExternalAccountKey{
|
||||||
ID: keyID3,
|
ID: keyID3,
|
||||||
Provisioner: "differentProvisioner",
|
ProvisionerID: "aDifferentProvID",
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b3, err := json.Marshal(dbeak3)
|
b3, err := json.Marshal(dbeak3)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
return test{
|
return test{
|
||||||
db: &db.MockNoSQLDB{
|
db: &db.MockNoSQLDB{
|
||||||
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
|
switch string(bucket) {
|
||||||
|
case string(externalAccountKeysByProvisionerIDTable):
|
||||||
|
keys := []string{keyID1, keyID2}
|
||||||
|
b, err := json.Marshal(keys)
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
return b, nil
|
||||||
|
case string(externalAccountKeyTable):
|
||||||
|
switch string(key) {
|
||||||
|
case keyID1:
|
||||||
|
return b1, nil
|
||||||
|
case keyID2:
|
||||||
|
return b2, nil
|
||||||
|
default:
|
||||||
|
assert.FatalError(t, errors.Errorf("unexpected key %s", string(key)))
|
||||||
|
return nil, errors.New("force")
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
|
return nil, errors.New("force")
|
||||||
|
}
|
||||||
|
},
|
||||||
|
// TODO: remove the MList
|
||||||
MList: func(bucket []byte) ([]*nosqldb.Entry, error) {
|
MList: func(bucket []byte) ([]*nosqldb.Entry, error) {
|
||||||
assert.Equals(t, bucket, externalAccountKeyTable)
|
switch string(bucket) {
|
||||||
return []*nosqldb.Entry{
|
case string(externalAccountKeyTable):
|
||||||
{
|
return []*nosqldb.Entry{
|
||||||
Bucket: bucket,
|
{
|
||||||
Key: []byte(keyID1),
|
Bucket: bucket,
|
||||||
Value: b1,
|
Key: []byte(keyID1),
|
||||||
},
|
Value: b1,
|
||||||
{
|
},
|
||||||
Bucket: bucket,
|
{
|
||||||
Key: []byte(keyID2),
|
Bucket: bucket,
|
||||||
Value: b2,
|
Key: []byte(keyID2),
|
||||||
},
|
Value: b2,
|
||||||
{
|
},
|
||||||
Bucket: bucket,
|
{
|
||||||
Key: []byte(keyID3),
|
Bucket: bucket,
|
||||||
Value: b3,
|
Key: []byte(keyID3),
|
||||||
},
|
Value: b3,
|
||||||
}, nil
|
},
|
||||||
|
}, nil
|
||||||
|
case string(externalAccountKeysByProvisionerIDTable):
|
||||||
|
keys := []string{keyID1, keyID2}
|
||||||
|
b, err := json.Marshal(keys)
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
return []*nosqldb.Entry{
|
||||||
|
{
|
||||||
|
Bucket: bucket,
|
||||||
|
Key: []byte(provID),
|
||||||
|
Value: b,
|
||||||
|
},
|
||||||
|
}, nil
|
||||||
|
default:
|
||||||
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
|
return nil, errors.New("force default")
|
||||||
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
eaks: []*acme.ExternalAccountKey{
|
eaks: []*acme.ExternalAccountKey{
|
||||||
{
|
{
|
||||||
ID: keyID1,
|
ID: keyID1,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ID: keyID2,
|
ID: keyID2,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/db.List-error": func(t *testing.T) test {
|
"fail/db.Get-externalAccountKeysByProvisionerIDTable": func(t *testing.T) test {
|
||||||
return test{
|
return test{
|
||||||
db: &db.MockNoSQLDB{
|
db: &db.MockNoSQLDB{
|
||||||
MList: func(bucket []byte) ([]*nosqldb.Entry, error) {
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
assert.Equals(t, string(bucket), string(externalAccountKeyTable))
|
assert.Equals(t, string(bucket), string(externalAccountKeysByProvisionerIDTable))
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
err: errors.New("force"),
|
err: errors.New("error loading ACME EAB Key IDs for provisioner provID: force"),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/unmarshal-error": func(t *testing.T) test {
|
"fail/db.getDBExternalAccountKey": func(t *testing.T) test {
|
||||||
return test{
|
return test{
|
||||||
db: &db.MockNoSQLDB{
|
db: &db.MockNoSQLDB{
|
||||||
MList: func(bucket []byte) ([]*nosqldb.Entry, error) {
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
assert.Equals(t, bucket, externalAccountKeyTable)
|
switch string(bucket) {
|
||||||
return []*nosqldb.Entry{
|
case string(externalAccountKeysByProvisionerIDTable):
|
||||||
{
|
keys := []string{keyID1, keyID2}
|
||||||
Bucket: bucket,
|
b, err := json.Marshal(keys)
|
||||||
Key: []byte(keyID1),
|
assert.FatalError(t, err)
|
||||||
Value: []byte("foo"),
|
return b, nil
|
||||||
},
|
case string(externalAccountKeyTable):
|
||||||
}, nil
|
return nil, errors.New("force")
|
||||||
|
default:
|
||||||
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
|
return nil, errors.New("force bucket")
|
||||||
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
eaks: []*acme.ExternalAccountKey{},
|
err: errors.New("error retrieving ACME EAB Key for provisioner provID and keyID keyID1: error loading external account key keyID1: force"),
|
||||||
err: errors.Errorf("error unmarshaling external account key %s into ExternalAccountKey", keyID1),
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -1203,7 +1247,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
tc := run(t)
|
tc := run(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
d := DB{db: tc.db}
|
d := DB{db: tc.db}
|
||||||
if eaks, err := d.GetExternalAccountKeys(context.Background(), prov); err != nil {
|
if eaks, err := d.GetExternalAccountKeys(context.Background(), provID); err != nil {
|
||||||
switch k := err.(type) {
|
switch k := err.(type) {
|
||||||
case *acme.Error:
|
case *acme.Error:
|
||||||
if assert.NotNil(t, tc.acmeErr) {
|
if assert.NotNil(t, tc.acmeErr) {
|
||||||
|
@ -1215,7 +1259,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
if assert.NotNil(t, tc.err) {
|
if assert.NotNil(t, tc.err) {
|
||||||
assert.HasPrefix(t, err.Error(), tc.err.Error())
|
assert.Equals(t, tc.err.Error(), err.Error())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else if assert.Nil(t, tc.err) {
|
} else if assert.Nil(t, tc.err) {
|
||||||
|
@ -1223,7 +1267,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
for i, eak := range eaks {
|
for i, eak := range eaks {
|
||||||
assert.Equals(t, eak.ID, tc.eaks[i].ID)
|
assert.Equals(t, eak.ID, tc.eaks[i].ID)
|
||||||
assert.Equals(t, eak.KeyBytes, tc.eaks[i].KeyBytes)
|
assert.Equals(t, eak.KeyBytes, tc.eaks[i].KeyBytes)
|
||||||
assert.Equals(t, eak.Provisioner, tc.eaks[i].Provisioner)
|
assert.Equals(t, eak.ProvisionerID, tc.eaks[i].ProvisionerID)
|
||||||
assert.Equals(t, eak.Reference, tc.eaks[i].Reference)
|
assert.Equals(t, eak.Reference, tc.eaks[i].Reference)
|
||||||
assert.Equals(t, eak.CreatedAt, tc.eaks[i].CreatedAt)
|
assert.Equals(t, eak.CreatedAt, tc.eaks[i].CreatedAt)
|
||||||
assert.Equals(t, eak.AccountID, tc.eaks[i].AccountID)
|
assert.Equals(t, eak.AccountID, tc.eaks[i].AccountID)
|
||||||
|
@ -1236,7 +1280,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
|
|
||||||
func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
keyID := "keyID"
|
keyID := "keyID"
|
||||||
prov := "acmeProv"
|
provID := "provID"
|
||||||
ref := "ref"
|
ref := "ref"
|
||||||
type test struct {
|
type test struct {
|
||||||
db nosql.DB
|
db nosql.DB
|
||||||
|
@ -1247,12 +1291,12 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
"ok": func(t *testing.T) test {
|
"ok": func(t *testing.T) test {
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
dbref := &dbExternalAccountKeyReference{
|
dbref := &dbExternalAccountKeyReference{
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
|
@ -1267,27 +1311,46 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
MGet: func(bucket, key []byte) ([]byte, error) {
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
switch string(bucket) {
|
switch string(bucket) {
|
||||||
case string(externalAccountKeysByReferenceTable):
|
case string(externalAccountKeysByReferenceTable):
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, string(key), provID+"."+ref)
|
||||||
return dbrefBytes, nil
|
return dbrefBytes, nil
|
||||||
case string(externalAccountKeyTable):
|
case string(externalAccountKeyTable):
|
||||||
assert.Equals(t, string(key), keyID)
|
assert.Equals(t, string(key), keyID)
|
||||||
return b, nil
|
return b, nil
|
||||||
|
case string(externalAccountKeysByProvisionerIDTable):
|
||||||
|
assert.Equals(t, provID, string(key))
|
||||||
|
b, err := json.Marshal([]string{keyID})
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
return b, nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force default")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
MDel: func(bucket, key []byte) error {
|
MDel: func(bucket, key []byte) error {
|
||||||
switch string(bucket) {
|
switch string(bucket) {
|
||||||
case string(externalAccountKeysByReferenceTable):
|
case string(externalAccountKeysByReferenceTable):
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, string(key), provID+"."+ref)
|
||||||
return nil
|
return nil
|
||||||
case string(externalAccountKeyTable):
|
case string(externalAccountKeyTable):
|
||||||
assert.Equals(t, string(key), keyID)
|
assert.Equals(t, string(key), keyID)
|
||||||
return nil
|
return nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return errors.New("force")
|
return errors.New("force default")
|
||||||
|
}
|
||||||
|
},
|
||||||
|
MCmpAndSwap: func(bucket, key, old, new []byte) ([]byte, bool, error) {
|
||||||
|
fmt.Println(string(bucket))
|
||||||
|
switch string(bucket) {
|
||||||
|
case string(externalAccountKeysByReferenceTable):
|
||||||
|
assert.Equals(t, provID+"."+ref, string(key))
|
||||||
|
return nil, true, nil
|
||||||
|
case string(externalAccountKeysByProvisionerIDTable):
|
||||||
|
assert.Equals(t, provID, string(key))
|
||||||
|
return nil, true, nil
|
||||||
|
default:
|
||||||
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
|
return nil, false, errors.New("force default")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1302,18 +1365,18 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
return nil, nosqldb.ErrNotFound
|
return nil, nosqldb.ErrNotFound
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
err: errors.New("error loading ACME EAB Key with Key ID keyID"),
|
err: errors.New("error loading ACME EAB Key with Key ID keyID: not found"),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/non-matching-provisioner": func(t *testing.T) test {
|
"fail/non-matching-provisioner": func(t *testing.T) test {
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: "differentProvisioner",
|
ProvisionerID: "aDifferentProvID",
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
@ -1325,18 +1388,18 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
return b, nil
|
return b, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
err: errors.New("name of provisioner does not match provisioner for which the EAB key was created"),
|
err: errors.New("provisioner does not match provisioner for which the EAB key was created"),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/delete-reference": func(t *testing.T) test {
|
"fail/delete-reference": func(t *testing.T) test {
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
dbref := &dbExternalAccountKeyReference{
|
dbref := &dbExternalAccountKeyReference{
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
|
@ -1357,36 +1420,36 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
assert.Equals(t, string(key), keyID)
|
assert.Equals(t, string(key), keyID)
|
||||||
return b, nil
|
return b, nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force default")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
MDel: func(bucket, key []byte) error {
|
MDel: func(bucket, key []byte) error {
|
||||||
switch string(bucket) {
|
switch string(bucket) {
|
||||||
case string(externalAccountKeysByReferenceTable):
|
case string(externalAccountKeysByReferenceTable):
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, string(key), provID+"."+ref)
|
||||||
return errors.New("force")
|
return errors.New("force")
|
||||||
case string(externalAccountKeyTable):
|
case string(externalAccountKeyTable):
|
||||||
assert.Equals(t, string(key), keyID)
|
assert.Equals(t, string(key), keyID)
|
||||||
return nil
|
return nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return errors.New("force")
|
return errors.New("force default")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
err: errors.New("error deleting ACME EAB Key Reference with Key ID keyID and reference ref"),
|
err: errors.New("error deleting ACME EAB Key reference with Key ID keyID and reference ref: force"),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/delete-eak": func(t *testing.T) test {
|
"fail/delete-eak": func(t *testing.T) test {
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
dbref := &dbExternalAccountKeyReference{
|
dbref := &dbExternalAccountKeyReference{
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
|
@ -1407,25 +1470,25 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
assert.Equals(t, string(key), keyID)
|
assert.Equals(t, string(key), keyID)
|
||||||
return b, nil
|
return b, nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
MDel: func(bucket, key []byte) error {
|
MDel: func(bucket, key []byte) error {
|
||||||
switch string(bucket) {
|
switch string(bucket) {
|
||||||
case string(externalAccountKeysByReferenceTable):
|
case string(externalAccountKeysByReferenceTable):
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, string(key), provID+"."+ref)
|
||||||
return nil
|
return nil
|
||||||
case string(externalAccountKeyTable):
|
case string(externalAccountKeyTable):
|
||||||
assert.Equals(t, string(key), keyID)
|
assert.Equals(t, string(key), keyID)
|
||||||
return errors.New("force")
|
return errors.New("force")
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return errors.New("force")
|
return errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
err: errors.New("error deleting ACME EAB Key with Key ID keyID"),
|
err: errors.New("error deleting ACME EAB Key with Key ID keyID: force"),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -1433,7 +1496,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
tc := run(t)
|
tc := run(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
d := DB{db: tc.db}
|
d := DB{db: tc.db}
|
||||||
if err := d.DeleteExternalAccountKey(context.Background(), prov, keyID); err != nil {
|
if err := d.DeleteExternalAccountKey(context.Background(), provID, keyID); err != nil {
|
||||||
switch k := err.(type) {
|
switch k := err.(type) {
|
||||||
case *acme.Error:
|
case *acme.Error:
|
||||||
if assert.NotNil(t, tc.acmeErr) {
|
if assert.NotNil(t, tc.acmeErr) {
|
||||||
|
@ -1445,7 +1508,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
if assert.NotNil(t, tc.err) {
|
if assert.NotNil(t, tc.err) {
|
||||||
assert.HasPrefix(t, err.Error(), tc.err.Error())
|
assert.Equals(t, err.Error(), tc.err.Error())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
@ -1457,7 +1520,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
|
|
||||||
func TestDB_CreateExternalAccountKey(t *testing.T) {
|
func TestDB_CreateExternalAccountKey(t *testing.T) {
|
||||||
keyID := "keyID"
|
keyID := "keyID"
|
||||||
prov := "acmeProv"
|
provID := "provID"
|
||||||
ref := "ref"
|
ref := "ref"
|
||||||
type test struct {
|
type test struct {
|
||||||
db nosql.DB
|
db nosql.DB
|
||||||
|
@ -1473,30 +1536,38 @@ func TestDB_CreateExternalAccountKey(t *testing.T) {
|
||||||
)
|
)
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
eak := &acme.ExternalAccountKey{
|
eak := &acme.ExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
return test{
|
return test{
|
||||||
db: &db.MockNoSQLDB{
|
db: &db.MockNoSQLDB{
|
||||||
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
|
assert.Equals(t, string(bucket), string(externalAccountKeysByProvisionerIDTable))
|
||||||
|
assert.Equals(t, provID, string(key))
|
||||||
|
b, _ := json.Marshal([]string{})
|
||||||
|
return b, nil
|
||||||
|
},
|
||||||
MCmpAndSwap: func(bucket, key, old, nu []byte) ([]byte, bool, error) {
|
MCmpAndSwap: func(bucket, key, old, nu []byte) ([]byte, bool, error) {
|
||||||
|
|
||||||
switch string(bucket) {
|
switch string(bucket) {
|
||||||
|
case string(externalAccountKeysByProvisionerIDTable):
|
||||||
|
assert.Equals(t, provID, string(key))
|
||||||
|
return nu, true, nil
|
||||||
case string(externalAccountKeysByReferenceTable):
|
case string(externalAccountKeysByReferenceTable):
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, provID+"."+ref, string(key))
|
||||||
assert.Equals(t, old, nil)
|
assert.Equals(t, nil, old)
|
||||||
return nu, true, nil
|
return nu, true, nil
|
||||||
case string(externalAccountKeyTable):
|
case string(externalAccountKeyTable):
|
||||||
assert.Equals(t, old, nil)
|
assert.Equals(t, nil, old)
|
||||||
|
|
||||||
id = string(key)
|
id = string(key)
|
||||||
|
|
||||||
dbeak := new(dbExternalAccountKey)
|
dbeak := new(dbExternalAccountKey)
|
||||||
assert.FatalError(t, json.Unmarshal(nu, dbeak))
|
assert.FatalError(t, json.Unmarshal(nu, dbeak))
|
||||||
assert.Equals(t, string(key), dbeak.ID)
|
assert.Equals(t, string(key), dbeak.ID)
|
||||||
assert.Equals(t, eak.Provisioner, dbeak.Provisioner)
|
assert.Equals(t, eak.ProvisionerID, dbeak.ProvisionerID)
|
||||||
assert.Equals(t, eak.Reference, dbeak.Reference)
|
assert.Equals(t, eak.Reference, dbeak.Reference)
|
||||||
assert.Equals(t, 32, len(dbeak.KeyBytes))
|
assert.Equals(t, 32, len(dbeak.KeyBytes))
|
||||||
assert.False(t, dbeak.CreatedAt.IsZero())
|
assert.False(t, dbeak.CreatedAt.IsZero())
|
||||||
|
@ -1504,8 +1575,8 @@ func TestDB_CreateExternalAccountKey(t *testing.T) {
|
||||||
assert.True(t, dbeak.BoundAt.IsZero())
|
assert.True(t, dbeak.BoundAt.IsZero())
|
||||||
return nu, true, nil
|
return nu, true, nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, false, errors.New("force")
|
return nil, false, errors.New("force default")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1527,34 +1598,42 @@ func TestDB_CreateExternalAccountKey(t *testing.T) {
|
||||||
assert.Equals(t, old, nil)
|
assert.Equals(t, old, nil)
|
||||||
return nu, true, errors.New("force")
|
return nu, true, errors.New("force")
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, false, errors.New("force")
|
return nil, false, errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
err: errors.New("error saving acme external_account_key"),
|
err: errors.New("error saving acme external_account_key: force"),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/externalAccountKeyReference-cmpAndSwap-error": func(t *testing.T) test {
|
"fail/externalAccountKeyReference-cmpAndSwap-error": func(t *testing.T) test {
|
||||||
return test{
|
return test{
|
||||||
db: &db.MockNoSQLDB{
|
db: &db.MockNoSQLDB{
|
||||||
|
MGet: func(bucket, key []byte) ([]byte, error) {
|
||||||
|
assert.Equals(t, string(bucket), string(externalAccountKeysByProvisionerIDTable))
|
||||||
|
assert.Equals(t, provID, string(key))
|
||||||
|
b, _ := json.Marshal([]string{})
|
||||||
|
return b, nil
|
||||||
|
},
|
||||||
MCmpAndSwap: func(bucket, key, old, nu []byte) ([]byte, bool, error) {
|
MCmpAndSwap: func(bucket, key, old, nu []byte) ([]byte, bool, error) {
|
||||||
|
|
||||||
switch string(bucket) {
|
switch string(bucket) {
|
||||||
|
case string(externalAccountKeysByProvisionerIDTable):
|
||||||
|
assert.Equals(t, provID, string(key))
|
||||||
|
return nu, true, nil
|
||||||
case string(externalAccountKeysByReferenceTable):
|
case string(externalAccountKeysByReferenceTable):
|
||||||
assert.Equals(t, string(key), ref)
|
assert.Equals(t, provID+"."+ref, string(key))
|
||||||
assert.Equals(t, old, nil)
|
assert.Equals(t, old, nil)
|
||||||
return nu, true, errors.New("force")
|
return nu, true, errors.New("force")
|
||||||
case string(externalAccountKeyTable):
|
case string(externalAccountKeyTable):
|
||||||
assert.Equals(t, old, nil)
|
assert.Equals(t, old, nil)
|
||||||
return nu, true, nil
|
return nu, true, nil
|
||||||
default:
|
default:
|
||||||
assert.FatalError(t, errors.Errorf("unrecognized bucket %s", string(bucket)))
|
assert.FatalError(t, errors.Errorf("unexpected bucket %s", string(bucket)))
|
||||||
return nil, false, errors.New("force")
|
return nil, false, errors.New("force")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
err: errors.New("error saving acme external_account_key"),
|
err: errors.New("error saving acme external_account_key_reference: force"),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -1562,14 +1641,15 @@ func TestDB_CreateExternalAccountKey(t *testing.T) {
|
||||||
tc := run(t)
|
tc := run(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
d := DB{db: tc.db}
|
d := DB{db: tc.db}
|
||||||
eak, err := d.CreateExternalAccountKey(context.Background(), prov, ref)
|
eak, err := d.CreateExternalAccountKey(context.Background(), provID, ref)
|
||||||
|
fmt.Println(name, err)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if assert.NotNil(t, tc.err) {
|
if assert.NotNil(t, tc.err) {
|
||||||
assert.HasPrefix(t, err.Error(), tc.err.Error())
|
assert.Equals(t, err.Error(), tc.err.Error())
|
||||||
}
|
}
|
||||||
} else if assert.Nil(t, tc.err) {
|
} else if assert.Nil(t, tc.err) {
|
||||||
assert.Equals(t, *tc._id, eak.ID)
|
assert.Equals(t, *tc._id, eak.ID)
|
||||||
assert.Equals(t, prov, eak.Provisioner)
|
assert.Equals(t, provID, eak.ProvisionerID)
|
||||||
assert.Equals(t, ref, eak.Reference)
|
assert.Equals(t, ref, eak.Reference)
|
||||||
assert.Equals(t, "", eak.AccountID)
|
assert.Equals(t, "", eak.AccountID)
|
||||||
assert.False(t, eak.CreatedAt.IsZero())
|
assert.False(t, eak.CreatedAt.IsZero())
|
||||||
|
@ -1582,16 +1662,16 @@ func TestDB_CreateExternalAccountKey(t *testing.T) {
|
||||||
|
|
||||||
func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
keyID := "keyID"
|
keyID := "keyID"
|
||||||
prov := "acmeProv"
|
provID := "provID"
|
||||||
ref := "ref"
|
ref := "ref"
|
||||||
now := clock.Now()
|
now := clock.Now()
|
||||||
dbeak := &dbExternalAccountKey{
|
dbeak := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
@ -1604,12 +1684,12 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
|
|
||||||
"ok": func(t *testing.T) test {
|
"ok": func(t *testing.T) test {
|
||||||
eak := &acme.ExternalAccountKey{
|
eak := &acme.ExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: prov,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
return test{
|
return test{
|
||||||
eak: eak,
|
eak: eak,
|
||||||
|
@ -1627,7 +1707,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
dbNew := new(dbExternalAccountKey)
|
dbNew := new(dbExternalAccountKey)
|
||||||
assert.FatalError(t, json.Unmarshal(nu, dbNew))
|
assert.FatalError(t, json.Unmarshal(nu, dbNew))
|
||||||
assert.Equals(t, dbNew.ID, dbeak.ID)
|
assert.Equals(t, dbNew.ID, dbeak.ID)
|
||||||
assert.Equals(t, dbNew.Provisioner, dbeak.Provisioner)
|
assert.Equals(t, dbNew.ProvisionerID, dbeak.ProvisionerID)
|
||||||
assert.Equals(t, dbNew.Reference, dbeak.Reference)
|
assert.Equals(t, dbNew.Reference, dbeak.Reference)
|
||||||
assert.Equals(t, dbNew.AccountID, dbeak.AccountID)
|
assert.Equals(t, dbNew.AccountID, dbeak.AccountID)
|
||||||
assert.Equals(t, dbNew.CreatedAt, dbeak.CreatedAt)
|
assert.Equals(t, dbNew.CreatedAt, dbeak.CreatedAt)
|
||||||
|
@ -1640,12 +1720,12 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
},
|
},
|
||||||
"fail/provisioner-mismatch": func(t *testing.T) test {
|
"fail/provisioner-mismatch": func(t *testing.T) test {
|
||||||
newDBEAK := &dbExternalAccountKey{
|
newDBEAK := &dbExternalAccountKey{
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
Provisioner: "differentProvisioner",
|
ProvisionerID: "aDifferentProvID",
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(newDBEAK)
|
b, err := json.Marshal(newDBEAK)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
@ -1661,7 +1741,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
return b, nil
|
return b, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
err: errors.New("name of provisioner does not match provisioner for which the EAB key was created"),
|
err: errors.New("provisioner does not match provisioner for which the EAB key was created"),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/db.Get-error": func(t *testing.T) test {
|
"fail/db.Get-error": func(t *testing.T) test {
|
||||||
|
@ -1685,13 +1765,13 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
tc := run(t)
|
tc := run(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
d := DB{db: tc.db}
|
d := DB{db: tc.db}
|
||||||
if err := d.UpdateExternalAccountKey(context.Background(), prov, tc.eak); err != nil {
|
if err := d.UpdateExternalAccountKey(context.Background(), provID, tc.eak); err != nil {
|
||||||
if assert.NotNil(t, tc.err) {
|
if assert.NotNil(t, tc.err) {
|
||||||
assert.HasPrefix(t, err.Error(), tc.err.Error())
|
assert.HasPrefix(t, err.Error(), tc.err.Error())
|
||||||
}
|
}
|
||||||
} else if assert.Nil(t, tc.err) {
|
} else if assert.Nil(t, tc.err) {
|
||||||
assert.Equals(t, dbeak.ID, tc.eak.ID)
|
assert.Equals(t, dbeak.ID, tc.eak.ID)
|
||||||
assert.Equals(t, dbeak.Provisioner, tc.eak.Provisioner)
|
assert.Equals(t, dbeak.ProvisionerID, tc.eak.ProvisionerID)
|
||||||
assert.Equals(t, dbeak.Reference, tc.eak.Reference)
|
assert.Equals(t, dbeak.Reference, tc.eak.Reference)
|
||||||
assert.Equals(t, dbeak.AccountID, tc.eak.AccountID)
|
assert.Equals(t, dbeak.AccountID, tc.eak.AccountID)
|
||||||
assert.Equals(t, dbeak.CreatedAt, tc.eak.CreatedAt)
|
assert.Equals(t, dbeak.CreatedAt, tc.eak.CreatedAt)
|
||||||
|
|
|
@ -11,17 +11,18 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
accountTable = []byte("acme_accounts")
|
accountTable = []byte("acme_accounts")
|
||||||
accountByKeyIDTable = []byte("acme_keyID_accountID_index")
|
accountByKeyIDTable = []byte("acme_keyID_accountID_index")
|
||||||
authzTable = []byte("acme_authzs")
|
authzTable = []byte("acme_authzs")
|
||||||
challengeTable = []byte("acme_challenges")
|
challengeTable = []byte("acme_challenges")
|
||||||
nonceTable = []byte("nonces")
|
nonceTable = []byte("nonces")
|
||||||
orderTable = []byte("acme_orders")
|
orderTable = []byte("acme_orders")
|
||||||
ordersByAccountIDTable = []byte("acme_account_orders_index")
|
ordersByAccountIDTable = []byte("acme_account_orders_index")
|
||||||
certTable = []byte("acme_certs")
|
certTable = []byte("acme_certs")
|
||||||
certBySerialTable = []byte("acme_serial_certs_index")
|
certBySerialTable = []byte("acme_serial_certs_index")
|
||||||
externalAccountKeyTable = []byte("acme_external_account_keys")
|
externalAccountKeyTable = []byte("acme_external_account_keys")
|
||||||
externalAccountKeysByReferenceTable = []byte("acme_external_account_key_reference_index")
|
externalAccountKeysByReferenceTable = []byte("acme_external_account_key_reference_index")
|
||||||
|
externalAccountKeysByProvisionerIDTable = []byte("acme_external_account_keyID_provisionerID_index")
|
||||||
)
|
)
|
||||||
|
|
||||||
// DB is a struct that implements the AcmeDB interface.
|
// DB is a struct that implements the AcmeDB interface.
|
||||||
|
@ -33,7 +34,8 @@ type DB struct {
|
||||||
func New(db nosqlDB.DB) (*DB, error) {
|
func New(db nosqlDB.DB) (*DB, error) {
|
||||||
tables := [][]byte{accountTable, accountByKeyIDTable, authzTable,
|
tables := [][]byte{accountTable, accountByKeyIDTable, authzTable,
|
||||||
challengeTable, nonceTable, orderTable, ordersByAccountIDTable,
|
challengeTable, nonceTable, orderTable, ordersByAccountIDTable,
|
||||||
certTable, certBySerialTable, externalAccountKeyTable, externalAccountKeysByReferenceTable,
|
certTable, certBySerialTable, externalAccountKeyTable,
|
||||||
|
externalAccountKeysByReferenceTable, externalAccountKeysByProvisionerIDTable,
|
||||||
}
|
}
|
||||||
for _, b := range tables {
|
for _, b := range tables {
|
||||||
if err := db.CreateTable(b); err != nil {
|
if err := db.CreateTable(b); err != nil {
|
||||||
|
|
|
@ -15,6 +15,11 @@ import (
|
||||||
"google.golang.org/protobuf/types/known/timestamppb"
|
"google.golang.org/protobuf/types/known/timestamppb"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// provisionerContextKey provisioner key
|
||||||
|
provisionerContextKey = ContextKey("provisioner")
|
||||||
|
)
|
||||||
|
|
||||||
// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
|
// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
|
||||||
type CreateExternalAccountKeyRequest struct {
|
type CreateExternalAccountKeyRequest struct {
|
||||||
Reference string `json:"reference"`
|
Reference string `json:"reference"`
|
||||||
|
@ -37,47 +42,63 @@ type GetExternalAccountKeysResponse struct {
|
||||||
// before serving requests that act on ACME EAB credentials.
|
// before serving requests that act on ACME EAB credentials.
|
||||||
func (h *Handler) requireEABEnabled(next nextHTTP) nextHTTP {
|
func (h *Handler) requireEABEnabled(next nextHTTP) nextHTTP {
|
||||||
return func(w http.ResponseWriter, r *http.Request) {
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
prov := chi.URLParam(r, "prov")
|
ctx := r.Context()
|
||||||
eabEnabled, err := h.provisionerHasEABEnabled(r.Context(), prov)
|
provName := chi.URLParam(r, "prov")
|
||||||
|
eabEnabled, prov, err := h.provisionerHasEABEnabled(ctx, provName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
api.WriteError(w, err)
|
api.WriteError(w, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if !eabEnabled {
|
if !eabEnabled {
|
||||||
api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov))
|
api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName()))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
next(w, r)
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
|
next(w, r.WithContext(ctx))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// provisionerHasEABEnabled determines if the "requireEAB" setting for an ACME
|
// provisionerHasEABEnabled determines if the "requireEAB" setting for an ACME
|
||||||
// provisioner is set to true and thus has EAB enabled.
|
// provisioner is set to true and thus has EAB enabled.
|
||||||
func (h *Handler) provisionerHasEABEnabled(ctx context.Context, provisionerName string) (bool, error) {
|
func (h *Handler) provisionerHasEABEnabled(ctx context.Context, provisionerName string) (bool, *linkedca.Provisioner, error) {
|
||||||
var (
|
var (
|
||||||
p provisioner.Interface
|
p provisioner.Interface
|
||||||
err error
|
err error
|
||||||
)
|
)
|
||||||
if p, err = h.auth.LoadProvisionerByName(provisionerName); err != nil {
|
if p, err = h.auth.LoadProvisionerByName(provisionerName); err != nil {
|
||||||
return false, admin.WrapErrorISE(err, "error loading provisioner %s", provisionerName)
|
return false, nil, admin.WrapErrorISE(err, "error loading provisioner %s", provisionerName)
|
||||||
}
|
}
|
||||||
|
|
||||||
prov, err := h.db.GetProvisioner(ctx, p.GetID())
|
prov, err := h.db.GetProvisioner(ctx, p.GetID())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false, admin.WrapErrorISE(err, "error getting provisioner with ID: %s", p.GetID())
|
return false, nil, admin.WrapErrorISE(err, "error getting provisioner with ID: %s", p.GetID())
|
||||||
}
|
}
|
||||||
|
|
||||||
details := prov.GetDetails()
|
details := prov.GetDetails()
|
||||||
if details == nil {
|
if details == nil {
|
||||||
return false, admin.NewErrorISE("error getting details for provisioner with ID: %s", p.GetID())
|
return false, nil, admin.NewErrorISE("error getting details for provisioner with ID: %s", p.GetID())
|
||||||
}
|
}
|
||||||
|
|
||||||
acmeProvisioner := details.GetACME()
|
acmeProvisioner := details.GetACME()
|
||||||
if acmeProvisioner == nil {
|
if acmeProvisioner == nil {
|
||||||
return false, admin.NewErrorISE("error getting ACME details for provisioner with ID: %s", p.GetID())
|
return false, nil, admin.NewErrorISE("error getting ACME details for provisioner with ID: %s", p.GetID())
|
||||||
}
|
}
|
||||||
|
|
||||||
return acmeProvisioner.GetRequireEab(), nil
|
return acmeProvisioner.GetRequireEab(), prov, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// provisionerFromContext searches the context for a provisioner. Returns the
|
||||||
|
// provisioner or an error.
|
||||||
|
func provisionerFromContext(ctx context.Context) (*linkedca.Provisioner, error) {
|
||||||
|
val := ctx.Value(provisionerContextKey)
|
||||||
|
if val == nil {
|
||||||
|
return nil, admin.NewErrorISE("provisioner expected in request context")
|
||||||
|
}
|
||||||
|
pval, ok := val.(*linkedca.Provisioner)
|
||||||
|
if !ok || pval == nil {
|
||||||
|
return nil, admin.NewErrorISE("provisioner in context is not a linkedca.Provisioner")
|
||||||
|
}
|
||||||
|
return pval, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// CreateExternalAccountKey creates a new External Account Binding key
|
// CreateExternalAccountKey creates a new External Account Binding key
|
||||||
|
@ -93,12 +114,17 @@ func (h *Handler) CreateExternalAccountKey(w http.ResponseWriter, r *http.Reques
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
prov := chi.URLParam(r, "prov")
|
ctx := r.Context()
|
||||||
reference := body.Reference
|
prov, err := provisionerFromContext(ctx)
|
||||||
|
if err != nil {
|
||||||
|
api.WriteError(w, admin.WrapErrorISE(err, "error getting provisioner from context"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// check if a key with the reference does not exist (only when a reference was in the request)
|
// check if a key with the reference does not exist (only when a reference was in the request)
|
||||||
|
reference := body.Reference
|
||||||
if reference != "" {
|
if reference != "" {
|
||||||
k, err := h.acmeDB.GetExternalAccountKeyByReference(r.Context(), prov, reference)
|
k, err := h.acmeDB.GetExternalAccountKeyByReference(ctx, prov.GetId(), reference)
|
||||||
// retrieving an EAB key from DB results in an error if it doesn't exist, which is what we're looking for,
|
// retrieving an EAB key from DB results in an error if it doesn't exist, which is what we're looking for,
|
||||||
// but other errors can also happen. Return early if that happens; continuing if it was acme.ErrNotFound.
|
// but other errors can also happen. Return early if that happens; continuing if it was acme.ErrNotFound.
|
||||||
if shouldWriteError := err != nil && !errors.Is(err, acme.ErrNotFound); shouldWriteError {
|
if shouldWriteError := err != nil && !errors.Is(err, acme.ErrNotFound); shouldWriteError {
|
||||||
|
@ -107,7 +133,7 @@ func (h *Handler) CreateExternalAccountKey(w http.ResponseWriter, r *http.Reques
|
||||||
}
|
}
|
||||||
// if a key was found, return HTTP 409 conflict
|
// if a key was found, return HTTP 409 conflict
|
||||||
if k != nil {
|
if k != nil {
|
||||||
err := admin.NewError(admin.ErrorBadRequestType, "an ACME EAB key for provisioner %s with reference %s already exists", prov, reference)
|
err := admin.NewError(admin.ErrorBadRequestType, "an ACME EAB key for provisioner '%s' with reference '%s' already exists", prov.GetName(), reference)
|
||||||
err.Status = 409
|
err.Status = 409
|
||||||
api.WriteError(w, err)
|
api.WriteError(w, err)
|
||||||
return
|
return
|
||||||
|
@ -115,9 +141,9 @@ func (h *Handler) CreateExternalAccountKey(w http.ResponseWriter, r *http.Reques
|
||||||
// continue execution if no key was found for the reference
|
// continue execution if no key was found for the reference
|
||||||
}
|
}
|
||||||
|
|
||||||
eak, err := h.acmeDB.CreateExternalAccountKey(r.Context(), prov, reference)
|
eak, err := h.acmeDB.CreateExternalAccountKey(ctx, prov.GetId(), reference)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
msg := fmt.Sprintf("error creating ACME EAB key for provisioner '%s'", prov)
|
msg := fmt.Sprintf("error creating ACME EAB key for provisioner '%s'", prov.GetName())
|
||||||
if reference != "" {
|
if reference != "" {
|
||||||
msg += fmt.Sprintf(" and reference '%s'", reference)
|
msg += fmt.Sprintf(" and reference '%s'", reference)
|
||||||
}
|
}
|
||||||
|
@ -128,7 +154,7 @@ func (h *Handler) CreateExternalAccountKey(w http.ResponseWriter, r *http.Reques
|
||||||
response := &linkedca.EABKey{
|
response := &linkedca.EABKey{
|
||||||
Id: eak.ID,
|
Id: eak.ID,
|
||||||
HmacKey: eak.KeyBytes,
|
HmacKey: eak.KeyBytes,
|
||||||
Provisioner: eak.Provisioner,
|
Provisioner: prov.GetName(),
|
||||||
Reference: eak.Reference,
|
Reference: eak.Reference,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -137,10 +163,17 @@ func (h *Handler) CreateExternalAccountKey(w http.ResponseWriter, r *http.Reques
|
||||||
|
|
||||||
// DeleteExternalAccountKey deletes an ACME External Account Key.
|
// DeleteExternalAccountKey deletes an ACME External Account Key.
|
||||||
func (h *Handler) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) {
|
func (h *Handler) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) {
|
||||||
prov := chi.URLParam(r, "prov")
|
|
||||||
keyID := chi.URLParam(r, "id")
|
keyID := chi.URLParam(r, "id")
|
||||||
|
|
||||||
if err := h.acmeDB.DeleteExternalAccountKey(r.Context(), prov, keyID); err != nil {
|
ctx := r.Context()
|
||||||
|
prov, err := provisionerFromContext(ctx)
|
||||||
|
if err != nil {
|
||||||
|
api.WriteError(w, admin.WrapErrorISE(err, "error getting provisioner from context"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := h.acmeDB.DeleteExternalAccountKey(ctx, prov.GetId(), keyID); err != nil {
|
||||||
api.WriteError(w, admin.WrapErrorISE(err, "error deleting ACME EAB Key '%s'", keyID))
|
api.WriteError(w, admin.WrapErrorISE(err, "error deleting ACME EAB Key '%s'", keyID))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -152,8 +185,6 @@ func (h *Handler) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Reques
|
||||||
// only the ExternalAccountKey with that reference is returned. Otherwise all
|
// only the ExternalAccountKey with that reference is returned. Otherwise all
|
||||||
// ExternalAccountKeys in the system for a specific provisioner are returned.
|
// ExternalAccountKeys in the system for a specific provisioner are returned.
|
||||||
func (h *Handler) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) {
|
func (h *Handler) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) {
|
||||||
prov := chi.URLParam(r, "prov")
|
|
||||||
reference := chi.URLParam(r, "ref")
|
|
||||||
|
|
||||||
var (
|
var (
|
||||||
key *acme.ExternalAccountKey
|
key *acme.ExternalAccountKey
|
||||||
|
@ -161,8 +192,16 @@ func (h *Handler) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request)
|
||||||
err error
|
err error
|
||||||
)
|
)
|
||||||
|
|
||||||
|
ctx := r.Context()
|
||||||
|
prov, err := provisionerFromContext(ctx)
|
||||||
|
if err != nil {
|
||||||
|
api.WriteError(w, admin.WrapErrorISE(err, "error getting provisioner from context"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
reference := chi.URLParam(r, "ref")
|
||||||
if reference != "" {
|
if reference != "" {
|
||||||
if key, err = h.acmeDB.GetExternalAccountKeyByReference(r.Context(), prov, reference); err != nil {
|
if key, err = h.acmeDB.GetExternalAccountKeyByReference(ctx, prov.GetId(), reference); err != nil {
|
||||||
api.WriteError(w, admin.WrapErrorISE(err, "error retrieving external account key with reference '%s'", reference))
|
api.WriteError(w, admin.WrapErrorISE(err, "error retrieving external account key with reference '%s'", reference))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -170,18 +209,19 @@ func (h *Handler) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request)
|
||||||
keys = []*acme.ExternalAccountKey{key}
|
keys = []*acme.ExternalAccountKey{key}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if keys, err = h.acmeDB.GetExternalAccountKeys(r.Context(), prov); err != nil {
|
if keys, err = h.acmeDB.GetExternalAccountKeys(ctx, prov.GetId()); err != nil {
|
||||||
api.WriteError(w, admin.WrapErrorISE(err, "error retrieving external account keys"))
|
api.WriteError(w, admin.WrapErrorISE(err, "error retrieving external account keys"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provisionerName := prov.GetName()
|
||||||
eaks := make([]*linkedca.EABKey, len(keys))
|
eaks := make([]*linkedca.EABKey, len(keys))
|
||||||
for i, k := range keys {
|
for i, k := range keys {
|
||||||
eaks[i] = &linkedca.EABKey{
|
eaks[i] = &linkedca.EABKey{
|
||||||
Id: k.ID,
|
Id: k.ID,
|
||||||
HmacKey: []byte{},
|
HmacKey: []byte{},
|
||||||
Provisioner: k.Provisioner,
|
Provisioner: provisionerName,
|
||||||
Reference: k.Reference,
|
Reference: k.Reference,
|
||||||
Account: k.AccountID,
|
Account: k.AccountID,
|
||||||
CreatedAt: timestamppb.New(k.CreatedAt),
|
CreatedAt: timestamppb.New(k.CreatedAt),
|
||||||
|
|
|
@ -368,12 +368,13 @@ func TestHandler_provisionerHasEABEnabled(t *testing.T) {
|
||||||
auth: tc.auth,
|
auth: tc.auth,
|
||||||
acmeDB: nil,
|
acmeDB: nil,
|
||||||
}
|
}
|
||||||
got, err := h.provisionerHasEABEnabled(context.TODO(), tc.provisionerName)
|
got, prov, err := h.provisionerHasEABEnabled(context.TODO(), tc.provisionerName)
|
||||||
if (err != nil) != (tc.err != nil) {
|
if (err != nil) != (tc.err != nil) {
|
||||||
t.Errorf("Handler.provisionerHasEABEnabled() error = %v, want err %v", err, tc.err)
|
t.Errorf("Handler.provisionerHasEABEnabled() error = %v, want err %v", err, tc.err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if tc.err != nil {
|
if tc.err != nil {
|
||||||
|
assert.Type(t, &linkedca.Provisioner{}, prov)
|
||||||
assert.Type(t, &admin.Error{}, err)
|
assert.Type(t, &admin.Error{}, err)
|
||||||
adminError, _ := err.(*admin.Error)
|
adminError, _ := err.(*admin.Error)
|
||||||
assert.Equals(t, tc.err.Type, adminError.Type)
|
assert.Equals(t, tc.err.Type, adminError.Type)
|
||||||
|
@ -434,6 +435,10 @@ func TestCreateExternalAccountKeyRequest_Validate(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
|
prov := &linkedca.Provisioner{
|
||||||
|
Id: "provID",
|
||||||
|
Name: "provName",
|
||||||
|
}
|
||||||
type test struct {
|
type test struct {
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
db acme.DB
|
db acme.DB
|
||||||
|
@ -487,14 +492,15 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
chiCtx := chi.NewRouteContext()
|
chiCtx := chi.NewRouteContext()
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
req := CreateExternalAccountKeyRequest{
|
req := CreateExternalAccountKeyRequest{
|
||||||
Reference: "an-external-key-reference",
|
Reference: "an-external-key-reference",
|
||||||
}
|
}
|
||||||
body, err := json.Marshal(req)
|
body, err := json.Marshal(req)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "an-external-key-reference", reference)
|
assert.Equals(t, "an-external-key-reference", reference)
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
},
|
},
|
||||||
|
@ -517,22 +523,23 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
chiCtx := chi.NewRouteContext()
|
chiCtx := chi.NewRouteContext()
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
req := CreateExternalAccountKeyRequest{
|
req := CreateExternalAccountKeyRequest{
|
||||||
Reference: "an-external-key-reference",
|
Reference: "an-external-key-reference",
|
||||||
}
|
}
|
||||||
body, err := json.Marshal(req)
|
body, err := json.Marshal(req)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "an-external-key-reference", reference)
|
assert.Equals(t, "an-external-key-reference", reference)
|
||||||
past := time.Now().Add(-24 * time.Hour)
|
past := time.Now().Add(-24 * time.Hour)
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: "provName",
|
ProvisionerID: "provID",
|
||||||
Reference: "an-external-key-reference",
|
Reference: "an-external-key-reference",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: past,
|
CreatedAt: past,
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -546,7 +553,7 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
Type: admin.ErrorBadRequestType.String(),
|
Type: admin.ErrorBadRequestType.String(),
|
||||||
Status: 409,
|
Status: 409,
|
||||||
Detail: "bad request",
|
Detail: "bad request",
|
||||||
Message: "an ACME EAB key for provisioner provName with reference an-external-key-reference already exists",
|
Message: "an ACME EAB key for provisioner 'provName' with reference 'an-external-key-reference' already exists",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -554,14 +561,15 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
chiCtx := chi.NewRouteContext()
|
chiCtx := chi.NewRouteContext()
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
req := CreateExternalAccountKeyRequest{
|
req := CreateExternalAccountKeyRequest{
|
||||||
Reference: "",
|
Reference: "",
|
||||||
}
|
}
|
||||||
body, err := json.Marshal(req)
|
body, err := json.Marshal(req)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockCreateExternalAccountKey: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockCreateExternalAccountKey: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "", reference)
|
assert.Equals(t, "", reference)
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
},
|
},
|
||||||
|
@ -583,19 +591,20 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
chiCtx := chi.NewRouteContext()
|
chiCtx := chi.NewRouteContext()
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
req := CreateExternalAccountKeyRequest{
|
req := CreateExternalAccountKeyRequest{
|
||||||
Reference: "an-external-key-reference",
|
Reference: "an-external-key-reference",
|
||||||
}
|
}
|
||||||
body, err := json.Marshal(req)
|
body, err := json.Marshal(req)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "an-external-key-reference", reference)
|
assert.Equals(t, "an-external-key-reference", reference)
|
||||||
return nil, acme.ErrNotFound // simulating not found; skipping 409 conflict
|
return nil, acme.ErrNotFound // simulating not found; skipping 409 conflict
|
||||||
},
|
},
|
||||||
MockCreateExternalAccountKey: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockCreateExternalAccountKey: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "an-external-key-reference", reference)
|
assert.Equals(t, "an-external-key-reference", reference)
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
},
|
},
|
||||||
|
@ -617,6 +626,7 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
chiCtx := chi.NewRouteContext()
|
chiCtx := chi.NewRouteContext()
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
req := CreateExternalAccountKeyRequest{
|
req := CreateExternalAccountKeyRequest{
|
||||||
Reference: "",
|
Reference: "",
|
||||||
}
|
}
|
||||||
|
@ -624,15 +634,15 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockCreateExternalAccountKey: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockCreateExternalAccountKey: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "", reference)
|
assert.Equals(t, "", reference)
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: "provName",
|
ProvisionerID: "provID",
|
||||||
Reference: "",
|
Reference: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -653,6 +663,7 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
chiCtx := chi.NewRouteContext()
|
chiCtx := chi.NewRouteContext()
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
req := CreateExternalAccountKeyRequest{
|
req := CreateExternalAccountKeyRequest{
|
||||||
Reference: "an-external-key-reference",
|
Reference: "an-external-key-reference",
|
||||||
}
|
}
|
||||||
|
@ -660,20 +671,20 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "an-external-key-reference", reference)
|
assert.Equals(t, "an-external-key-reference", reference)
|
||||||
return nil, acme.ErrNotFound // simulating not found; skipping 409 conflict
|
return nil, acme.ErrNotFound // simulating not found; skipping 409 conflict
|
||||||
},
|
},
|
||||||
MockCreateExternalAccountKey: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockCreateExternalAccountKey: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "an-external-key-reference", reference)
|
assert.Equals(t, "an-external-key-reference", reference)
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: "provName",
|
ProvisionerID: "provID",
|
||||||
Reference: "an-external-key-reference",
|
Reference: "an-external-key-reference",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -737,6 +748,10 @@ func TestHandler_CreateExternalAccountKey(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestHandler_DeleteExternalAccountKey(t *testing.T) {
|
func TestHandler_DeleteExternalAccountKey(t *testing.T) {
|
||||||
|
prov := &linkedca.Provisioner{
|
||||||
|
Id: "provID",
|
||||||
|
Name: "provName",
|
||||||
|
}
|
||||||
type test struct {
|
type test struct {
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
db acme.DB
|
db acme.DB
|
||||||
|
@ -749,9 +764,10 @@ func TestHandler_DeleteExternalAccountKey(t *testing.T) {
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
chiCtx.URLParams.Add("id", "keyID")
|
chiCtx.URLParams.Add("id", "keyID")
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockDeleteExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) error {
|
MockDeleteExternalAccountKey: func(ctx context.Context, provisionerID, keyID string) error {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "keyID", keyID)
|
assert.Equals(t, "keyID", keyID)
|
||||||
return errors.New("force")
|
return errors.New("force")
|
||||||
},
|
},
|
||||||
|
@ -773,9 +789,10 @@ func TestHandler_DeleteExternalAccountKey(t *testing.T) {
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
chiCtx.URLParams.Add("id", "keyID")
|
chiCtx.URLParams.Add("id", "keyID")
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockDeleteExternalAccountKey: func(ctx context.Context, provisionerName, keyID string) error {
|
MockDeleteExternalAccountKey: func(ctx context.Context, provisionerID, keyID string) error {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "keyID", keyID)
|
assert.Equals(t, "keyID", keyID)
|
||||||
return nil
|
return nil
|
||||||
},
|
},
|
||||||
|
@ -831,6 +848,10 @@ func TestHandler_DeleteExternalAccountKey(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestHandler_GetExternalAccountKeys(t *testing.T) {
|
func TestHandler_GetExternalAccountKeys(t *testing.T) {
|
||||||
|
prov := &linkedca.Provisioner{
|
||||||
|
Id: "provID",
|
||||||
|
Name: "provName",
|
||||||
|
}
|
||||||
type test struct {
|
type test struct {
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
db acme.DB
|
db acme.DB
|
||||||
|
@ -846,9 +867,10 @@ func TestHandler_GetExternalAccountKeys(t *testing.T) {
|
||||||
chiCtx.URLParams.Add("ref", "an-external-key-reference")
|
chiCtx.URLParams.Add("ref", "an-external-key-reference")
|
||||||
req := httptest.NewRequest("GET", "/foo", nil)
|
req := httptest.NewRequest("GET", "/foo", nil)
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "an-external-key-reference", reference)
|
assert.Equals(t, "an-external-key-reference", reference)
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
},
|
},
|
||||||
|
@ -871,9 +893,10 @@ func TestHandler_GetExternalAccountKeys(t *testing.T) {
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
req := httptest.NewRequest("GET", "/foo", nil)
|
req := httptest.NewRequest("GET", "/foo", nil)
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockGetExternalAccountKeys: func(ctx context.Context, provisionerName string) ([]*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKeys: func(ctx context.Context, provisionerID string) ([]*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
return nil, errors.New("force")
|
return nil, errors.New("force")
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -896,9 +919,10 @@ func TestHandler_GetExternalAccountKeys(t *testing.T) {
|
||||||
chiCtx.URLParams.Add("ref", "an-external-key-reference")
|
chiCtx.URLParams.Add("ref", "an-external-key-reference")
|
||||||
req := httptest.NewRequest("GET", "/foo", nil)
|
req := httptest.NewRequest("GET", "/foo", nil)
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "an-external-key-reference", reference)
|
assert.Equals(t, "an-external-key-reference", reference)
|
||||||
return nil, nil // returning nil; no key found
|
return nil, nil // returning nil; no key found
|
||||||
},
|
},
|
||||||
|
@ -920,17 +944,18 @@ func TestHandler_GetExternalAccountKeys(t *testing.T) {
|
||||||
chiCtx.URLParams.Add("ref", "an-external-key-reference")
|
chiCtx.URLParams.Add("ref", "an-external-key-reference")
|
||||||
req := httptest.NewRequest("GET", "/foo", nil)
|
req := httptest.NewRequest("GET", "/foo", nil)
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
createdAt := time.Now().Add(-24 * time.Hour)
|
createdAt := time.Now().Add(-24 * time.Hour)
|
||||||
var boundAt time.Time
|
var boundAt time.Time
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerName, reference string) (*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKeyByReference: func(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
assert.Equals(t, "an-external-key-reference", reference)
|
assert.Equals(t, "an-external-key-reference", reference)
|
||||||
return &acme.ExternalAccountKey{
|
return &acme.ExternalAccountKey{
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
Provisioner: "provName",
|
ProvisionerID: "provID",
|
||||||
Reference: "an-external-key-reference",
|
Reference: "an-external-key-reference",
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -958,107 +983,36 @@ func TestHandler_GetExternalAccountKeys(t *testing.T) {
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
chiCtx.URLParams.Add("prov", "provName")
|
||||||
req := httptest.NewRequest("GET", "/foo", nil)
|
req := httptest.NewRequest("GET", "/foo", nil)
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
||||||
|
ctx = context.WithValue(ctx, provisionerContextKey, prov)
|
||||||
createdAt := time.Now().Add(-24 * time.Hour)
|
createdAt := time.Now().Add(-24 * time.Hour)
|
||||||
var boundAt time.Time
|
var boundAt time.Time
|
||||||
boundAtSet := time.Now().Add(-12 * time.Hour)
|
boundAtSet := time.Now().Add(-12 * time.Hour)
|
||||||
db := &acme.MockDB{
|
db := &acme.MockDB{
|
||||||
MockGetExternalAccountKeys: func(ctx context.Context, provisionerName string) ([]*acme.ExternalAccountKey, error) {
|
MockGetExternalAccountKeys: func(ctx context.Context, provisionerID string) ([]*acme.ExternalAccountKey, error) {
|
||||||
assert.Equals(t, "provName", provisionerName)
|
assert.Equals(t, "provID", provisionerID)
|
||||||
return []*acme.ExternalAccountKey{
|
return []*acme.ExternalAccountKey{
|
||||||
{
|
{
|
||||||
ID: "eakID1",
|
ID: "eakID1",
|
||||||
Provisioner: "provName",
|
ProvisionerID: "provID",
|
||||||
Reference: "some-external-key-reference",
|
Reference: "some-external-key-reference",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ID: "eakID2",
|
ID: "eakID2",
|
||||||
Provisioner: "provName",
|
ProvisionerID: "provID",
|
||||||
Reference: "some-other-external-key-reference",
|
Reference: "some-other-external-key-reference",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: createdAt.Add(1 * time.Hour),
|
CreatedAt: createdAt.Add(1 * time.Hour),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ID: "eakID3",
|
ID: "eakID3",
|
||||||
Provisioner: "provName",
|
ProvisionerID: "provID",
|
||||||
Reference: "another-external-key-reference",
|
Reference: "another-external-key-reference",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
KeyBytes: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
BoundAt: boundAtSet,
|
BoundAt: boundAtSet,
|
||||||
AccountID: "accountID",
|
AccountID: "accountID",
|
||||||
},
|
|
||||||
}, nil
|
|
||||||
},
|
|
||||||
}
|
|
||||||
return test{
|
|
||||||
ctx: ctx,
|
|
||||||
statusCode: 200,
|
|
||||||
req: req,
|
|
||||||
resp: GetExternalAccountKeysResponse{
|
|
||||||
EAKs: []*linkedca.EABKey{
|
|
||||||
{
|
|
||||||
Id: "eakID1",
|
|
||||||
Provisioner: "provName",
|
|
||||||
Reference: "some-external-key-reference",
|
|
||||||
CreatedAt: timestamppb.New(createdAt),
|
|
||||||
BoundAt: timestamppb.New(boundAt),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
Id: "eakID2",
|
|
||||||
Provisioner: "provName",
|
|
||||||
Reference: "some-other-external-key-reference",
|
|
||||||
CreatedAt: timestamppb.New(createdAt.Add(1 * time.Hour)),
|
|
||||||
BoundAt: timestamppb.New(boundAt),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
Id: "eakID3",
|
|
||||||
Provisioner: "provName",
|
|
||||||
Reference: "another-external-key-reference",
|
|
||||||
CreatedAt: timestamppb.New(createdAt),
|
|
||||||
BoundAt: timestamppb.New(boundAtSet),
|
|
||||||
Account: "accountID",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
db: db,
|
|
||||||
err: nil,
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"ok/multiple-keys-with-cursor-and-limit": func(t *testing.T) test {
|
|
||||||
chiCtx := chi.NewRouteContext()
|
|
||||||
chiCtx.URLParams.Add("prov", "provName")
|
|
||||||
req := httptest.NewRequest("GET", "/foo?cursor=eakID1&limit=10", nil)
|
|
||||||
ctx := context.WithValue(context.Background(), chi.RouteCtxKey, chiCtx)
|
|
||||||
createdAt := time.Now().Add(-24 * time.Hour)
|
|
||||||
var boundAt time.Time
|
|
||||||
boundAtSet := time.Now().Add(-12 * time.Hour)
|
|
||||||
db := &acme.MockDB{
|
|
||||||
MockGetExternalAccountKeys: func(ctx context.Context, provisionerName string) ([]*acme.ExternalAccountKey, error) {
|
|
||||||
assert.Equals(t, "provName", provisionerName)
|
|
||||||
return []*acme.ExternalAccountKey{
|
|
||||||
{
|
|
||||||
ID: "eakID1",
|
|
||||||
Provisioner: "provName",
|
|
||||||
Reference: "some-external-key-reference",
|
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
|
||||||
CreatedAt: createdAt,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
ID: "eakID2",
|
|
||||||
Provisioner: "provName",
|
|
||||||
Reference: "some-other-external-key-reference",
|
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
|
||||||
CreatedAt: createdAt.Add(1 * time.Hour),
|
|
||||||
},
|
|
||||||
{
|
|
||||||
ID: "eakID3",
|
|
||||||
Provisioner: "provName",
|
|
||||||
Reference: "another-external-key-reference",
|
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
|
||||||
CreatedAt: createdAt,
|
|
||||||
BoundAt: boundAtSet,
|
|
||||||
AccountID: "accountID",
|
|
||||||
},
|
},
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
|
|
Loading…
Reference in a new issue