certificates/acme/db/nosql/order.go

package nosql

import (
	"context"
	"encoding/json"
	"sync"
	"time"

	"github.com/pkg/errors"
	"github.com/smallstep/certificates/acme"
	"github.com/smallstep/nosql"
)

var defaultOrderExpiry = time.Hour * 24

// Mutex for locking ordersByAccount index operations.
var ordersByAccountMux sync.Mutex

type dbOrder struct {
	ID             string       `json:"id"`
	AccountID      string       `json:"accountID"`
	ProvisionerID  string       `json:"provisionerID"`
	Created        time.Time    `json:"created"`
	Expires        time.Time    `json:"expires,omitempty"`
	Status         string       `json:"status"`
	Identifiers    []Identifier `json:"identifiers"`
	NotBefore      time.Time    `json:"notBefore,omitempty"`
	NotAfter       time.Time    `json:"notAfter,omitempty"`
	Error          *Error       `json:"error,omitempty"`
	Authorizations []string     `json:"authorizations"`
	Certificate    string       `json:"certificate,omitempty"`
}

// getDBOrder retrieves and unmarshals an ACME Order type from the database.
func (db *DB) getDBOrder(id string) (*dbOrder, error) {
	b, err := db.db.Get(orderTable, []byte(id))
	if nosql.IsErrNotFound(err) {
		return nil, MalformedErr(errors.Wrapf(err, "order %s not found", id))
	} else if err != nil {
		return nil, ServerInternalErr(errors.Wrapf(err, "error loading order %s", id))
	}
	o := new(dbOrder)
	if err := json.Unmarshal(b, &o); err != nil {
		return nil, ServerInternalErr(errors.Wrap(err, "error unmarshaling order"))
	}
	return o, nil
}

// GetOrder retrieves an ACME Order from the database.
func (db *DB) GetOrder(id string) (*acme.Order, error) {
	dbo, err := db.getDBOrder(id)

	azs := make([]string, len(dbo.Authorizations))
	for i, aid := range dbo.Authorizations {
		azs[i] = dir.getLink(ctx, AuthzLink, true, aid)
	}
	o := &Order{
		Status:         dbo.Status,
		Expires:        dbo.Expires.Format(time.RFC3339),
		Identifiers:    dbo.Identifiers,
		NotBefore:      dbo.NotBefore.Format(time.RFC3339),
		NotAfter:       dbo.NotAfter.Format(time.RFC3339),
		Authorizations: azs,
		Finalize:       dir.getLink(ctx, FinalizeLink, true, o.ID),
		ID:             dbo.ID,
		ProvisionerID:  dbo.ProvisionerID,
	}

	if dbo.Certificate != "" {
		o.Certificate = dir.getLink(ctx, CertificateLink, true, o.Certificate)
	}
	return o, nil
}

// CreateOrder creates ACME Order resources and saves them to the DB.
func (db *DB) CreateOrder(ctx context.Context, o *acme.Order) error {
	if len(o.AccountID) == 0 {
		return ServerInternalErr(errors.New("account-id cannot be empty"))
	}
	if len(o.ProvisionerID) == 0 {
		return ServerInternalErr(errors.New("provisioner-id cannot be empty"))
	}
	if len(o.Identifiers) == 0 {
		return ServerInternalErr(errors.New("identifiers cannot be empty"))
	}
	if o.DefaultDuration == 0 {
		return ServerInternalErr(errors.New("default-duration cannot be empty"))
	}

	o.ID, err = randID()
	if err != nil {
		return nil, err
	}

	azIDs := make([]string, len(ops.Identifiers))
	for i, identifier := range ops.Identifiers {
		az, err = db.CreateAuthorzation(&types.Authorization{
			AccountID:  o.AccountID,
			Identifier: o.Identifier,
		})
		if err != nil {
			return err
		}
		azIDs[i] = az.ID
	}

	now := clock.Now()
	var backdate time.Duration
	nbf := o.NotBefore
	if nbf.IsZero() {
		nbf = now
		backdate = -1 * o.Backdate
	}
	naf := o.NotAfter
	if naf.IsZero() {
		naf = nbf.Add(o.DefaultDuration)
	}

	dbo := &dbOrder{
		ID:             o.ID,
		AccountID:      o.AccountID,
		ProvisionerID:  o.ProvisionerID,
		Created:        now,
		Status:         StatusPending,
		Expires:        now.Add(defaultOrderExpiry),
		Identifiers:    ops.Identifiers,
		NotBefore:      nbf.Add(backdate),
		NotAfter:       naf,
		Authorizations: azIDs,
	}
	if err := db.save(ctx, o.ID, dbo, nil, orderTable); err != nil {
		return nil, err
	}

	var oidHelper = orderIDsByAccount{}
	_, err = oidHelper.addOrderID(db, o.AccountID, o.ID)
	if err != nil {
		return nil, err
	}
	return o, nil
}

type orderIDsByAccount struct{}

// addOrderID adds an order ID to a users index of in progress order IDs.
// This method will also cull any orders that are no longer in the `pending`
// state from the index before returning it.
func (oiba orderIDsByAccount) addOrderID(db nosql.DB, accID string, oid string) ([]string, error) {
	ordersByAccountMux.Lock()
	defer ordersByAccountMux.Unlock()

	// Update the "order IDs by account ID" index
	oids, err := oiba.unsafeGetOrderIDsByAccount(db, accID)
	if err != nil {
		return nil, err
	}
	newOids := append(oids, oid)
	if err = orderIDs(newOids).save(db, oids, accID); err != nil {
		// Delete the entire order if storing the index fails.
		db.Del(orderTable, []byte(oid))
		return nil, err
	}
	return newOids, nil
}

// unsafeGetOrderIDsByAccount retrieves a list of Order IDs that were created by the
// account.
func (oiba orderIDsByAccount) unsafeGetOrderIDsByAccount(db nosql.DB, accID string) ([]string, error) {
	b, err := db.Get(ordersByAccountIDTable, []byte(accID))
	if err != nil {
		if nosql.IsErrNotFound(err) {
			return []string{}, nil
		}
		return nil, ServerInternalErr(errors.Wrapf(err, "error loading orderIDs for account %s", accID))
	}
	var oids []string
	if err := json.Unmarshal(b, &oids); err != nil {
		return nil, ServerInternalErr(errors.Wrapf(err, "error unmarshaling orderIDs for account %s", accID))
	}

	// Remove any order that is not in PENDING state and update the stored list
	// before returning.
	//
	// According to RFC 8555:
	// The server SHOULD include pending orders and SHOULD NOT include orders
	// that are invalid in the array of URLs.
	pendOids := []string{}
	for _, oid := range oids {
		o, err := getOrder(db, oid)
		if err != nil {
			return nil, ServerInternalErr(errors.Wrapf(err, "error loading order %s for account %s", oid, accID))
		}
		if o, err = o.UpdateStatus(db); err != nil {
			return nil, ServerInternalErr(errors.Wrapf(err, "error updating order %s for account %s", oid, accID))
		}
		if o.Status == StatusPending {
			pendOids = append(pendOids, oid)
		}
	}
	// If the number of pending orders is less than the number of orders in the
	// list, then update the pending order list.
	if len(pendOids) != len(oids) {
		if err = orderIDs(pendOiUs).save(db, oids, accID); err != nil {
			return nil, ServerInternalErr(errors.Wrapf(err, "error storing orderIDs as part of getOrderIDsByAccount logic: "+
				"len(orderIDs) = %d", len(pendOids)))
		}
	}

	return pendOids, nil
}

type orderIDs []string

// save is used to update the list of orderIDs keyed by ACME account ID
// stored in the database.
//
// This method always converts empty lists to 'nil' when storing to the DB. We
// do this to avoid any confusion between an empty list and a nil value in the
// db.
func (oids orderIDs) save(db nosql.DB, old orderIDs, accID string) error {
	var (
		err  error
		oldb []byte
		newb []byte
	)
	if len(old) == 0 {
		oldb = nil
	} else {
		oldb, err = json.Marshal(old)
		if err != nil {
			return ServerInternalErr(errors.Wrap(err, "error marshaling old order IDs slice"))
		}
	}
	if len(oids) == 0 {
		newb = nil
	} else {
		newb, err = json.Marshal(oids)
		if err != nil {
			return ServerInternalErr(errors.Wrap(err, "error marshaling new order IDs slice"))
		}
	}
	_, swapped, err := db.CmpAndSwap(ordersByAccountIDTable, []byte(accID), oldb, newb)
	switch {
	case err != nil:
		return ServerInternalErr(errors.Wrapf(err, "error storing order IDs for account %s", accID))
	case !swapped:
		return ServerInternalErr(errors.Errorf("error storing order IDs "+
			"for account %s; order IDs changed since last read", accID))
	default:
		return nil
	}
}
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`package nosql`

			`import (`
			`"context"`
			`"encoding/json"`
			`"sync"`
			`"time"`

			`"github.com/pkg/errors"`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`"github.com/smallstep/certificates/acme"`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`"github.com/smallstep/nosql"`
			`)`

			`var defaultOrderExpiry = time.Hour * 24`

			`// Mutex for locking ordersByAccount index operations.`
			`var ordersByAccountMux sync.Mutex`

			`type dbOrder struct {`
			ID string `json:"id"`
			AccountID string `json:"accountID"`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			ProvisionerID string `json:"provisionerID"`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			Created time.Time `json:"created"`
			Expires time.Time `json:"expires,omitempty"`
			Status string `json:"status"`
			Identifiers []Identifier `json:"identifiers"`
			NotBefore time.Time `json:"notBefore,omitempty"`
			NotAfter time.Time `json:"notAfter,omitempty"`
			Error *Error `json:"error,omitempty"`
			Authorizations []string `json:"authorizations"`
			Certificate string `json:"certificate,omitempty"`
			`}`

			`// getDBOrder retrieves and unmarshals an ACME Order type from the database.`
			`func (db DB) getDBOrder(id string) (dbOrder, error) {`
			`b, err := db.db.Get(orderTable, []byte(id))`
			`if nosql.IsErrNotFound(err) {`
			`return nil, MalformedErr(errors.Wrapf(err, "order %s not found", id))`
			`} else if err != nil {`
			`return nil, ServerInternalErr(errors.Wrapf(err, "error loading order %s", id))`
			`}`
			`o := new(dbOrder)`
			`if err := json.Unmarshal(b, &o); err != nil {`
			`return nil, ServerInternalErr(errors.Wrap(err, "error unmarshaling order"))`
			`}`
			`return o, nil`
			`}`

			`// GetOrder retrieves an ACME Order from the database.`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`func (db DB) GetOrder(id string) (acme.Order, error) {`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`dbo, err := db.getDBOrder(id)`

			`azs := make([]string, len(dbo.Authorizations))`
			`for i, aid := range dbo.Authorizations {`
			`azs[i] = dir.getLink(ctx, AuthzLink, true, aid)`
			`}`
			`o := &Order{`
			`Status: dbo.Status,`
			`Expires: dbo.Expires.Format(time.RFC3339),`
			`Identifiers: dbo.Identifiers,`
			`NotBefore: dbo.NotBefore.Format(time.RFC3339),`
			`NotAfter: dbo.NotAfter.Format(time.RFC3339),`
			`Authorizations: azs,`
			`Finalize: dir.getLink(ctx, FinalizeLink, true, o.ID),`
			`ID: dbo.ID,`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`ProvisionerID: dbo.ProvisionerID,`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`

			`if dbo.Certificate != "" {`
			`o.Certificate = dir.getLink(ctx, CertificateLink, true, o.Certificate)`
			`}`
			`return o, nil`
			`}`

[acme db interface] wip 2021-02-28 01:05:37 +00:00			`// CreateOrder creates ACME Order resources and saves them to the DB.`
			`func (db DB) CreateOrder(ctx context.Context, o acme.Order) error {`
			`if len(o.AccountID) == 0 {`
			`return ServerInternalErr(errors.New("account-id cannot be empty"))`
			`}`
			`if len(o.ProvisionerID) == 0 {`
			`return ServerInternalErr(errors.New("provisioner-id cannot be empty"))`
			`}`
			`if len(o.Identifiers) == 0 {`
			`return ServerInternalErr(errors.New("identifiers cannot be empty"))`
			`}`
			`if o.DefaultDuration == 0 {`
			`return ServerInternalErr(errors.New("default-duration cannot be empty"))`
			`}`

			`o.ID, err = randID()`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`if err != nil {`
			`return nil, err`
			`}`

[acme db interface] wip 2021-02-28 01:05:37 +00:00			`azIDs := make([]string, len(ops.Identifiers))`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`for i, identifier := range ops.Identifiers {`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`az, err = db.CreateAuthorzation(&types.Authorization{`
			`AccountID: o.AccountID,`
			`Identifier: o.Identifier,`
			`})`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`if err != nil {`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`return err`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`azIDs[i] = az.ID`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`

			`now := clock.Now()`
			`var backdate time.Duration`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`nbf := o.NotBefore`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`if nbf.IsZero() {`
			`nbf = now`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`backdate = -1 * o.Backdate`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`naf := o.NotAfter`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`if naf.IsZero() {`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`naf = nbf.Add(o.DefaultDuration)`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`

[acmedb] (wip) 2021-02-26 18:17:18 +00:00			`dbo := &dbOrder{`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`ID: o.ID,`
			`AccountID: o.AccountID,`
			`ProvisionerID: o.ProvisionerID,`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`Created: now,`
			`Status: StatusPending,`
			`Expires: now.Add(defaultOrderExpiry),`
			`Identifiers: ops.Identifiers,`
			`NotBefore: nbf.Add(backdate),`
			`NotAfter: naf,`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`Authorizations: azIDs,`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`if err := db.save(ctx, o.ID, dbo, nil, orderTable); err != nil {`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`return nil, err`
			`}`

			`var oidHelper = orderIDsByAccount{}`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`_, err = oidHelper.addOrderID(db, o.AccountID, o.ID)`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`return o, nil`
			`}`

			`type orderIDsByAccount struct{}`

			`// addOrderID adds an order ID to a users index of in progress order IDs.`
			// This method will also cull any orders that are no longer in the `pending`
			`// state from the index before returning it.`
			`func (oiba orderIDsByAccount) addOrderID(db nosql.DB, accID string, oid string) ([]string, error) {`
			`ordersByAccountMux.Lock()`
			`defer ordersByAccountMux.Unlock()`

			`// Update the "order IDs by account ID" index`
			`oids, err := oiba.unsafeGetOrderIDsByAccount(db, accID)`
			`if err != nil {`
			`return nil, err`
			`}`
			`newOids := append(oids, oid)`
			`if err = orderIDs(newOids).save(db, oids, accID); err != nil {`
			`// Delete the entire order if storing the index fails.`
			`db.Del(orderTable, []byte(oid))`
			`return nil, err`
			`}`
			`return newOids, nil`
			`}`

			`// unsafeGetOrderIDsByAccount retrieves a list of Order IDs that were created by the`
			`// account.`
			`func (oiba orderIDsByAccount) unsafeGetOrderIDsByAccount(db nosql.DB, accID string) ([]string, error) {`
			`b, err := db.Get(ordersByAccountIDTable, []byte(accID))`
			`if err != nil {`
			`if nosql.IsErrNotFound(err) {`
			`return []string{}, nil`
			`}`
			`return nil, ServerInternalErr(errors.Wrapf(err, "error loading orderIDs for account %s", accID))`
			`}`
			`var oids []string`
			`if err := json.Unmarshal(b, &oids); err != nil {`
			`return nil, ServerInternalErr(errors.Wrapf(err, "error unmarshaling orderIDs for account %s", accID))`
			`}`

			`// Remove any order that is not in PENDING state and update the stored list`
			`// before returning.`
			`//`
			`// According to RFC 8555:`
			`// The server SHOULD include pending orders and SHOULD NOT include orders`
			`// that are invalid in the array of URLs.`
			`pendOids := []string{}`
			`for _, oid := range oids {`
			`o, err := getOrder(db, oid)`
			`if err != nil {`
			`return nil, ServerInternalErr(errors.Wrapf(err, "error loading order %s for account %s", oid, accID))`
			`}`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`if o, err = o.UpdateStatus(db); err != nil {`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`return nil, ServerInternalErr(errors.Wrapf(err, "error updating order %s for account %s", oid, accID))`
			`}`
			`if o.Status == StatusPending {`
			`pendOids = append(pendOids, oid)`
			`}`
			`}`
			`// If the number of pending orders is less than the number of orders in the`
			`// list, then update the pending order list.`
			`if len(pendOids) != len(oids) {`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`if err = orderIDs(pendOiUs).save(db, oids, accID); err != nil {`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`return nil, ServerInternalErr(errors.Wrapf(err, "error storing orderIDs as part of getOrderIDsByAccount logic: "+`
			`"len(orderIDs) = %d", len(pendOids)))`
			`}`
			`}`

			`return pendOids, nil`
			`}`

			`type orderIDs []string`

			`// save is used to update the list of orderIDs keyed by ACME account ID`
			`// stored in the database.`
			`//`
			`// This method always converts empty lists to 'nil' when storing to the DB. We`
			`// do this to avoid any confusion between an empty list and a nil value in the`
			`// db.`
			`func (oids orderIDs) save(db nosql.DB, old orderIDs, accID string) error {`
			`var (`
			`err error`
			`oldb []byte`
			`newb []byte`
			`)`
			`if len(old) == 0 {`
			`oldb = nil`
			`} else {`
			`oldb, err = json.Marshal(old)`
			`if err != nil {`
			`return ServerInternalErr(errors.Wrap(err, "error marshaling old order IDs slice"))`
			`}`
			`}`
			`if len(oids) == 0 {`
			`newb = nil`
			`} else {`
			`newb, err = json.Marshal(oids)`
			`if err != nil {`
			`return ServerInternalErr(errors.Wrap(err, "error marshaling new order IDs slice"))`
			`}`
			`}`
			`_, swapped, err := db.CmpAndSwap(ordersByAccountIDTable, []byte(accID), oldb, newb)`
			`switch {`
			`case err != nil:`
			`return ServerInternalErr(errors.Wrapf(err, "error storing order IDs for account %s", accID))`
			`case !swapped:`
			`return ServerInternalErr(errors.Errorf("error storing order IDs "+`
			`"for account %s; order IDs changed since last read", accID))`
			`default:`
			`return nil`
			`}`
			`}`