certificates/authority/admin/api/acme.go

package api

import (
	"context"
	"fmt"
	"net/http"

	"github.com/go-chi/chi"

	"go.step.sm/linkedca"

	"github.com/smallstep/certificates/api/render"
	"github.com/smallstep/certificates/authority/admin"
	"github.com/smallstep/certificates/authority/provisioner"
)

const (
	// provisionerContextKey provisioner key
	provisionerContextKey = ContextKey("provisioner")
)

// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
type CreateExternalAccountKeyRequest struct {
	Reference string `json:"reference"`
}

// Validate validates a new ACME EAB Key request body.
func (r *CreateExternalAccountKeyRequest) Validate() error {
	if len(r.Reference) > 256 { // an arbitrary, but sensible (IMO), limit
		return fmt.Errorf("reference length %d exceeds the maximum (256)", len(r.Reference))
	}
	return nil
}

// GetExternalAccountKeysResponse is the type for GET /admin/acme/eab responses
type GetExternalAccountKeysResponse struct {
	EAKs       []*linkedca.EABKey `json:"eaks"`
	NextCursor string             `json:"nextCursor"`
}

// requireEABEnabled is a middleware that ensures ACME EAB is enabled
// before serving requests that act on ACME EAB credentials.
func requireEABEnabled(next nextHTTP) nextHTTP {
	return func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		provName := chi.URLParam(r, "provisionerName")
		eabEnabled, prov, err := provisionerHasEABEnabled(ctx, provName)
		if err != nil {
			render.Error(w, err)
			return
		}
		if !eabEnabled {
			render.Error(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName()))
			return
		}
		ctx = context.WithValue(ctx, provisionerContextKey, prov)
		next(w, r.WithContext(ctx))
	}
}

// provisionerHasEABEnabled determines if the "requireEAB" setting for an ACME
// provisioner is set to true and thus has EAB enabled.
func provisionerHasEABEnabled(ctx context.Context, provisionerName string) (bool, *linkedca.Provisioner, error) {
	var (
		p   provisioner.Interface
		err error
	)

	auth := mustAuthority(ctx)
	db := admin.MustFromContext(ctx)

	if p, err = auth.LoadProvisionerByName(provisionerName); err != nil {
		return false, nil, admin.WrapErrorISE(err, "error loading provisioner %s", provisionerName)
	}

	prov, err := db.GetProvisioner(ctx, p.GetID())
	if err != nil {
		return false, nil, admin.WrapErrorISE(err, "error getting provisioner with ID: %s", p.GetID())
	}

	details := prov.GetDetails()
	if details == nil {
		return false, nil, admin.NewErrorISE("error getting details for provisioner with ID: %s", p.GetID())
	}

	acmeProvisioner := details.GetACME()
	if acmeProvisioner == nil {
		return false, nil, admin.NewErrorISE("error getting ACME details for provisioner with ID: %s", p.GetID())
	}

	return acmeProvisioner.GetRequireEab(), prov, nil
}

type acmeAdminResponderInterface interface {
	GetExternalAccountKeys(w http.ResponseWriter, r *http.Request)
	CreateExternalAccountKey(w http.ResponseWriter, r *http.Request)
	DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request)
}

// ACMEAdminResponder is responsible for writing ACME admin responses
type ACMEAdminResponder struct{}

// NewACMEAdminResponder returns a new ACMEAdminResponder
func NewACMEAdminResponder() *ACMEAdminResponder {
	return &ACMEAdminResponder{}
}

// GetExternalAccountKeys writes the response for the EAB keys GET endpoint
func (h *ACMEAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) {
	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
}

// CreateExternalAccountKey writes the response for the EAB key POST endpoint
func (h *ACMEAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r *http.Request) {
	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
}

// DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint
func (h *ACMEAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) {
	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
}
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`package api`

			`import (`
Fix PR comments 2021-09-16 21:09:24 +00:00			`"context"`
Add additional tests for ACME EAB Admin 2021-12-09 08:36:03 +00:00			`"fmt"`
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`"net/http"`

Add support for deleting ACME EAB keys 2021-08-27 12:10:00 +00:00			`"github.com/go-chi/chi"`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00
			`"go.step.sm/linkedca"`

			`"github.com/smallstep/certificates/api/render"`
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`"github.com/smallstep/certificates/authority/admin"`
Fix PR comments 2021-09-16 21:09:24 +00:00			`"github.com/smallstep/certificates/authority/provisioner"`
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`)`

Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 15:59:55 +00:00			`const (`
			`// provisionerContextKey provisioner key`
			`provisionerContextKey = ContextKey("provisioner")`
			`)`

Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests`
			`type CreateExternalAccountKeyRequest struct {`
Refactor retrieval of provisioner into middleware 2021-10-08 12:29:44 +00:00			Reference string `json:"reference"`
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`}`

Fix PR comments 2021-09-16 21:09:24 +00:00			`// Validate validates a new ACME EAB Key request body.`
Use LinkedCA.EABKey type in ACME EAB API 2021-08-27 10:39:37 +00:00			`func (r *CreateExternalAccountKeyRequest) Validate() error {`
Add additional tests for ACME EAB Admin 2021-12-09 08:36:03 +00:00			`if len(r.Reference) > 256 { // an arbitrary, but sensible (IMO), limit`
			`return fmt.Errorf("reference length %d exceeds the maximum (256)", len(r.Reference))`
			`}`
Use LinkedCA.EABKey type in ACME EAB API 2021-08-27 10:39:37 +00:00			`return nil`
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`}`

			`// GetExternalAccountKeysResponse is the type for GET /admin/acme/eab responses`
			`type GetExternalAccountKeysResponse struct {`
Add cursor and limit to ACME EAB DB interface 2022-01-24 13:03:56 +00:00			EAKs []*linkedca.EABKey `json:"eaks"`
			NextCursor string `json:"nextCursor"`
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`}`

Refactor retrieval of provisioner into middleware 2021-10-08 12:29:44 +00:00			`// requireEABEnabled is a middleware that ensures ACME EAB is enabled`
			`// before serving requests that act on ACME EAB credentials.`
Use contexts in admin api handlers 2022-04-27 18:59:32 +00:00			`func requireEABEnabled(next nextHTTP) nextHTTP {`
Refactor retrieval of provisioner into middleware 2021-10-08 12:29:44 +00:00			`return func(w http.ResponseWriter, r *http.Request) {`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 15:59:55 +00:00			`ctx := r.Context()`
Add cursor and limit to ACME EAB DB interface 2022-01-24 13:03:56 +00:00			`provName := chi.URLParam(r, "provisionerName")`
Use contexts in admin api handlers 2022-04-27 18:59:32 +00:00			`eabEnabled, prov, err := provisionerHasEABEnabled(ctx, provName)`
Refactor retrieval of provisioner into middleware 2021-10-08 12:29:44 +00:00			`if err != nil {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, err)`
Refactor retrieval of provisioner into middleware 2021-10-08 12:29:44 +00:00			`return`
			`}`
			`if !eabEnabled {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName()))`
Refactor retrieval of provisioner into middleware 2021-10-08 12:29:44 +00:00			`return`
			`}`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 15:59:55 +00:00			`ctx = context.WithValue(ctx, provisionerContextKey, prov)`
			`next(w, r.WithContext(ctx))`
Refactor retrieval of provisioner into middleware 2021-10-08 12:29:44 +00:00			`}`
			`}`

Fix PR comments 2021-09-16 21:09:24 +00:00			`// provisionerHasEABEnabled determines if the "requireEAB" setting for an ACME`
			`// provisioner is set to true and thus has EAB enabled.`
Use contexts in admin api handlers 2022-04-27 18:59:32 +00:00			`func provisionerHasEABEnabled(ctx context.Context, provisionerName string) (bool, *linkedca.Provisioner, error) {`
Fix PR comments 2021-09-16 21:09:24 +00:00			`var (`
			`p provisioner.Interface`
			`err error`
			`)`
Use contexts in admin api handlers 2022-04-27 18:59:32 +00:00
			`auth := mustAuthority(ctx)`
			`db := admin.MustFromContext(ctx)`

			`if p, err = auth.LoadProvisionerByName(provisionerName); err != nil {`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 15:59:55 +00:00			`return false, nil, admin.WrapErrorISE(err, "error loading provisioner %s", provisionerName)`
Fix PR comments 2021-09-16 21:09:24 +00:00			`}`

Use contexts in admin api handlers 2022-04-27 18:59:32 +00:00			`prov, err := db.GetProvisioner(ctx, p.GetID())`
Fix PR comments 2021-09-16 21:09:24 +00:00			`if err != nil {`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 15:59:55 +00:00			`return false, nil, admin.WrapErrorISE(err, "error getting provisioner with ID: %s", p.GetID())`
Fix PR comments 2021-09-16 21:09:24 +00:00			`}`

			`details := prov.GetDetails()`
			`if details == nil {`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 15:59:55 +00:00			`return false, nil, admin.NewErrorISE("error getting details for provisioner with ID: %s", p.GetID())`
Fix PR comments 2021-09-16 21:09:24 +00:00			`}`

Fix remaining gocritic remarks 2021-10-11 21:34:23 +00:00			`acmeProvisioner := details.GetACME()`
			`if acmeProvisioner == nil {`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 15:59:55 +00:00			`return false, nil, admin.NewErrorISE("error getting ACME details for provisioner with ID: %s", p.GetID())`
Fix PR comments 2021-09-16 21:09:24 +00:00			`}`

Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 15:59:55 +00:00			`return acmeProvisioner.GetRequireEab(), prov, nil`
			`}`

Refactor ACME Admin API 2022-02-08 12:26:30 +00:00			`type acmeAdminResponderInterface interface {`
			`GetExternalAccountKeys(w http.ResponseWriter, r *http.Request)`
			`CreateExternalAccountKey(w http.ResponseWriter, r *http.Request)`
			`DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request)`
Fix PR comments 2021-09-16 21:09:24 +00:00			`}`

Refactor ACME Admin API 2022-02-08 12:26:30 +00:00			`// ACMEAdminResponder is responsible for writing ACME admin responses`
			`type ACMEAdminResponder struct{}`
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00
Refactor ACME Admin API 2022-02-08 12:26:30 +00:00			`// NewACMEAdminResponder returns a new ACMEAdminResponder`
			`func NewACMEAdminResponder() *ACMEAdminResponder {`
			`return &ACMEAdminResponder{}`
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`}`

Refactor ACME Admin API 2022-02-08 12:26:30 +00:00			`// GetExternalAccountKeys writes the response for the EAB keys GET endpoint`
			`func (h ACMEAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r http.Request) {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))`
Add support for deleting ACME EAB keys 2021-08-27 12:10:00 +00:00			`}`

Refactor ACME Admin API 2022-02-08 12:26:30 +00:00			`// CreateExternalAccountKey writes the response for the EAB key POST endpoint`
			`func (h ACMEAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r http.Request) {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))`
Refactor ACME Admin API 2022-02-08 12:26:30 +00:00			`}`
Add endpoint for listing ACME EAB keys 2021-08-27 14:58:04 +00:00
Refactor ACME Admin API 2022-02-08 12:26:30 +00:00			`// DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint`
			`func (h ACMEAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r http.Request) {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))`
Fix missing ACME EAB API endpoints 2021-07-23 13:41:24 +00:00			`}`