[acme db interface] wip more errors

This commit is contained in:
max furman 2021-02-28 23:33:18 -08:00
parent 2ae43ef2dc
commit 03ba229bcb
7 changed files with 123 additions and 117 deletions

View file

@ -10,7 +10,6 @@ import (
"net/url"
"time"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/provisioner"
"go.step.sm/crypto/jose"
)
@ -125,7 +124,7 @@ func (a *Authority) UseNonce(ctx context.Context, nonce string) error {
// NewAccount creates, stores, and returns a new ACME account.
func (a *Authority) NewAccount(ctx context.Context, acc *Account) error {
if err := a.db.CreateAccount(ctx, acc); err != nil {
return ErrorWrap(ErrorServerInternalType, err, "newAccount: error creating account")
return ErrorWrap(ErrorServerInternalType, err, "error creating account")
}
return nil
}
@ -137,14 +136,18 @@ func (a *Authority) UpdateAccount(ctx context.Context, acc *Account) (*Account,
acc.Status = auo.Status
*/
if err := a.db.UpdateAccount(ctx, acc); err != nil {
return nil, ErrorWrap(ErrorServerInternalType, err, "authority.UpdateAccount - database update failed"
return nil, ErrorWrap(ErrorServerInternalType, err, "error updating account")
}
return acc, nil
}
// GetAccount returns an ACME account.
func (a *Authority) GetAccount(ctx context.Context, id string) (*Account, error) {
return a.db.GetAccount(ctx, id)
acc, err := a.db.GetAccount(ctx, id)
if err != nil {
return nil, ErrorWrap(ErrorServerInternalType, err, "error retrieving account")
}
return acc, nil
}
// GetAccountByKey returns the ACME associated with the jwk id.
@ -165,18 +168,18 @@ func (a *Authority) GetOrder(ctx context.Context, accID, orderID string) (*Order
}
o, err := a.db.GetOrder(ctx, orderID)
if err != nil {
return nil, ServerInternalErr(err)
return nil, ErrorWrap(ErrorServerInternalType, err, "error retrieving order")
}
if accID != o.AccountID {
log.Printf("account-id from request ('%s') does not match order account-id ('%s')", accID, o.AccountID)
return nil, UnauthorizedErr(errors.New("account does not own order"))
return nil, NewError(ErrorUnauthorizedType, "account does not own order")
}
if prov.GetID() != o.ProvisionerID {
log.Printf("provisioner-id from request ('%s') does not match order provisioner-id ('%s')", prov.GetID(), o.ProvisionerID)
return nil, UnauthorizedErr(errors.New("provisioner does not own order"))
return nil, NewError(ErrorUnauthorizedType, "provisioner does not own order")
}
if err = o.UpdateStatus(ctx, a.db); err != nil {
return nil, err
return nil, ErrorWrap(ErrorServerInternalType, err, "error updating order")
}
return o, nil
}
@ -212,7 +215,7 @@ func (a *Authority) NewOrder(ctx context.Context, o *Order) (*Order, error) {
o.ProvisionerID = prov.GetID()
if err = a.db.CreateOrder(ctx, o); err != nil {
return nil, ServerInternalErr(err)
return nil, ErrorWrap(ErrorServerInternalType, err, "error creating order")
}
return o, nil
}
@ -225,18 +228,18 @@ func (a *Authority) FinalizeOrder(ctx context.Context, accID, orderID string, cs
}
o, err := a.db.GetOrder(ctx, orderID)
if err != nil {
return nil, err
return nil, ErrorWrap(ErrorServerInternalType, err, "error retrieving order")
}
if accID != o.AccountID {
log.Printf("account-id from request ('%s') does not match order account-id ('%s')", accID, o.AccountID)
return nil, UnauthorizedErr(errors.New("account does not own order"))
return nil, NewError(ErrorUnauthorizedType, "account does not own order")
}
if prov.GetID() != o.ProvisionerID {
log.Printf("provisioner-id from request ('%s') does not match order provisioner-id ('%s')", prov.GetID(), o.ProvisionerID)
return nil, UnauthorizedErr(errors.New("provisioner does not own order"))
return nil, NewError(ErrorUnauthorizedType, "provisioner does not own order")
}
if err = o.Finalize(ctx, a.db, csr, a.signAuth, prov); err != nil {
return nil, Wrap(err, "error finalizing order")
return nil, ErrorWrap(ErrorServerInternalType, err, "error finalizing order")
}
return o, nil
}
@ -246,14 +249,14 @@ func (a *Authority) FinalizeOrder(ctx context.Context, accID, orderID string, cs
func (a *Authority) GetAuthz(ctx context.Context, accID, authzID string) (*Authorization, error) {
az, err := a.db.GetAuthorization(ctx, authzID)
if err != nil {
return nil, err
return nil, ErrorWrap(ErrorServerInternalType, err, "error retrieving authorization")
}
if accID != az.AccountID {
log.Printf("account-id from request ('%s') does not match authz account-id ('%s')", accID, az.AccountID)
return nil, UnauthorizedErr(errors.New("account does not own authz"))
return nil, NewError(ErrorUnauthorizedType, "account does not own order")
}
if err = az.UpdateStatus(ctx, a.db); err != nil {
return nil, Wrap(err, "error updating authz status")
return nil, ErrorWrap(ErrorServerInternalType, err, "error updating authorization status")
}
return az, nil
}
@ -262,11 +265,11 @@ func (a *Authority) GetAuthz(ctx context.Context, accID, authzID string) (*Autho
func (a *Authority) ValidateChallenge(ctx context.Context, accID, chID string, jwk *jose.JSONWebKey) (*Challenge, error) {
ch, err := a.db.GetChallenge(ctx, chID, "todo")
if err != nil {
return nil, err
return nil, ErrorWrap(ErrorServerInternalType, err, "error retrieving challenge")
}
if accID != ch.AccountID {
log.Printf("account-id from request ('%s') does not match challenge account-id ('%s')", accID, ch.AccountID)
return nil, UnauthorizedErr(errors.New("account does not own challenge"))
return nil, NewError(ErrorUnauthorizedType, "account does not own order")
}
client := http.Client{
Timeout: time.Duration(30 * time.Second),
@ -281,7 +284,7 @@ func (a *Authority) ValidateChallenge(ctx context.Context, accID, chID string, j
return tls.DialWithDialer(dialer, network, addr, config)
},
}); err != nil {
return nil, Wrap(err, "error attempting challenge validation")
return nil, ErrorWrap(ErrorServerInternalType, err, "error validating challenge")
}
return ch, nil
}
@ -290,11 +293,11 @@ func (a *Authority) ValidateChallenge(ctx context.Context, accID, chID string, j
func (a *Authority) GetCertificate(ctx context.Context, accID, certID string) ([]byte, error) {
cert, err := a.db.GetCertificate(ctx, certID)
if err != nil {
return nil, err
return nil, ErrorWrap(ErrorServerInternalType, err, "error retrieving certificate")
}
if cert.AccountID != accID {
log.Printf("account-id from request ('%s') does not match challenge account-id ('%s')", accID, cert.AccountID)
return nil, UnauthorizedErr(errors.New("account does not own challenge"))
return nil, NewError(ErrorUnauthorizedType, "account does not own order")
}
return cert.ToACME(ctx)
}

View file

@ -4,8 +4,6 @@ import (
"context"
"encoding/json"
"time"
"github.com/pkg/errors"
)
// Authorization representst an ACME Authorization.
@ -23,7 +21,7 @@ type Authorization struct {
func (az *Authorization) ToLog() (interface{}, error) {
b, err := json.Marshal(az)
if err != nil {
return nil, ServerInternalErr(errors.Wrap(err, "error marshaling authz for logging"))
return nil, ErrorInternalServerWrap(err, "error marshaling authz for logging")
}
return string(b), nil
}
@ -34,7 +32,7 @@ func (az *Authorization) UpdateStatus(ctx context.Context, db DB) error {
now := time.Now().UTC()
expiry, err := time.Parse(time.RFC3339, az.Expires)
if err != nil {
return ServerInternalErr(errors.Wrap(err, "error converting expiry string to time"))
return ErrorInternalServerWrap(err, "error converting expiry string to time")
}
switch az.Status {
@ -62,11 +60,11 @@ func (az *Authorization) UpdateStatus(ctx context.Context, db DB) error {
}
az.Status = StatusValid
default:
return ServerInternalErr(errors.Errorf("unrecognized authorization status: %s", az.Status))
return NewError(ErrorServerInternalType, "unrecognized authorization status: %s", az.Status)
}
if err = db.UpdateAuthorization(ctx, az); err != nil {
return ServerInternalErr(err)
return ErrorInternalServerWrap(err, "error updating authorization")
}
return nil
}

View file

@ -17,29 +17,28 @@ import (
"strings"
"time"
"github.com/pkg/errors"
"go.step.sm/crypto/jose"
)
// Challenge represents an ACME response Challenge type.
type Challenge struct {
Type string `json:"type"`
Status Status `json:"status"`
Token string `json:"token"`
Validated string `json:"validated,omitempty"`
URL string `json:"url"`
Error *AError `json:"error,omitempty"`
ID string `json:"-"`
AuthzID string `json:"-"`
AccountID string `json:"-"`
Value string `json:"-"`
Type string `json:"type"`
Status Status `json:"status"`
Token string `json:"token"`
Validated string `json:"validated,omitempty"`
URL string `json:"url"`
Error *Error `json:"error,omitempty"`
ID string `json:"-"`
AuthzID string `json:"-"`
AccountID string `json:"-"`
Value string `json:"-"`
}
// ToLog enables response logging.
func (ch *Challenge) ToLog() (interface{}, error) {
b, err := json.Marshal(ch)
if err != nil {
return nil, ServerInternalErr(errors.Wrap(err, "error marshaling challenge for logging"))
return nil, ErrorInternalServerWrap(err, "error marshaling challenge for logging")
}
return string(b), nil
}
@ -61,7 +60,7 @@ func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey,
case "tls-alpn-01":
return tlsalpn01Validate(ctx, ch, db, jwk, vo)
default:
return ServerInternalErr(errors.Errorf("unexpected challenge type '%s'", ch.Type))
return NewError(ErrorServerInternalType, "unexpected challenge type '%s'", ch.Type)
}
}
@ -70,19 +69,19 @@ func http01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWeb
resp, err := vo.httpGet(url)
if err != nil {
return storeError(ctx, ch, db, ConnectionErr(errors.Wrapf(err,
"error doing http GET for url %s", url)))
return storeError(ctx, ch, db, ErrorWrap(ErrorConnectionType, err,
"error doing http GET for url %s", url))
}
if resp.StatusCode >= 400 {
return storeError(ctx, ch, db, ConnectionErr(errors.Errorf("error doing http GET for url %s with status code %d",
url, resp.StatusCode)))
return storeError(ctx, ch, db, NewError(ErrorConnectionType,
"error doing http GET for url %s with status code %d", url, resp.StatusCode))
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return ServerInternalErr(errors.Wrapf(err, "error reading "+
"response body for url %s", url))
return ErrorInternalServerWrap(err, "error reading "+
"response body for url %s", url)
}
keyAuth := strings.Trim(string(body), "\r\n")
@ -91,8 +90,8 @@ func http01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWeb
return err
}
if keyAuth != expected {
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("keyAuthorization does not match; "+
"expected %s, but got %s", expected, keyAuth)))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"keyAuthorization does not match; expected %s, but got %s", expected, keyAuth))
}
// Update and store the challenge.
@ -100,7 +99,10 @@ func http01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWeb
ch.Error = nil
ch.Validated = clock.Now().Format(time.RFC3339)
return ServerInternalErr(db.UpdateChallenge(ctx, ch))
if err = db.UpdateChallenge(ctx, ch); err != nil {
return ErrorInternalServerWrap(err, "error updating challenge")
}
return nil
}
func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, vo validateOptions) error {
@ -114,8 +116,8 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
conn, err := vo.tlsDial("tcp", hostPort, config)
if err != nil {
return storeError(ctx, ch, db, ConnectionErr(errors.Wrapf(err,
"error doing TLS dial for %s", hostPort)))
return storeError(ctx, ch, db, ErrorWrap(ErrorConnectionType, err,
"error doing TLS dial for %s", hostPort))
}
defer conn.Close()
@ -123,20 +125,20 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
certs := cs.PeerCertificates
if len(certs) == 0 {
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("%s "+
"challenge for %s resulted in no certificates", ch.Type, ch.Value)))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"%s challenge for %s resulted in no certificates", ch.Type, ch.Value))
}
if !cs.NegotiatedProtocolIsMutual || cs.NegotiatedProtocol != "acme-tls/1" {
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("cannot "+
"negotiate ALPN acme-tls/1 protocol for tls-alpn-01 challenge")))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"cannot negotiate ALPN acme-tls/1 protocol for tls-alpn-01 challenge"))
}
leafCert := certs[0]
if len(leafCert.DNSNames) != 1 || !strings.EqualFold(leafCert.DNSNames[0], ch.Value) {
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("incorrect certificate for tls-alpn-01 challenge: "+
"leaf certificate must contain a single DNS name, %v", ch.Value)))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: leaf certificate must contain a single DNS name, %v", ch.Value))
}
idPeAcmeIdentifier := asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
@ -152,22 +154,23 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
for _, ext := range leafCert.Extensions {
if idPeAcmeIdentifier.Equal(ext.Id) {
if !ext.Critical {
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("incorrect "+
"certificate for tls-alpn-01 challenge: acmeValidationV1 extension not critical")))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: acmeValidationV1 extension not critical"))
}
var extValue []byte
rest, err := asn1.Unmarshal(ext.Value, &extValue)
if err != nil || len(rest) > 0 || len(hashedKeyAuth) != len(extValue) {
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("incorrect "+
"certificate for tls-alpn-01 challenge: malformed acmeValidationV1 extension value")))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: malformed acmeValidationV1 extension value"))
}
if subtle.ConstantTimeCompare(hashedKeyAuth[:], extValue) != 1 {
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("incorrect certificate for tls-alpn-01 challenge: "+
"expected acmeValidationV1 extension value %s for this challenge but got %s",
hex.EncodeToString(hashedKeyAuth[:]), hex.EncodeToString(extValue))))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: "+
"expected acmeValidationV1 extension value %s for this challenge but got %s",
hex.EncodeToString(hashedKeyAuth[:]), hex.EncodeToString(extValue)))
}
ch.Status = StatusValid
@ -175,7 +178,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
ch.Validated = clock.Now().Format(time.RFC3339)
if err = db.UpdateChallenge(ctx, ch); err != nil {
return ServerInternalErr(errors.Wrap(err, "tlsalpn01ValidateChallenge - error updating challenge"))
return ErrorInternalServerWrap(err, "tlsalpn01ValidateChallenge - error updating challenge")
}
return nil
}
@ -186,12 +189,12 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
}
if foundIDPeAcmeIdentifierV1Obsolete {
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("incorrect "+
"certificate for tls-alpn-01 challenge: obsolete id-pe-acmeIdentifier in acmeValidationV1 extension")))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: obsolete id-pe-acmeIdentifier in acmeValidationV1 extension"))
}
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("incorrect "+
"certificate for tls-alpn-01 challenge: missing acmeValidationV1 extension")))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: missing acmeValidationV1 extension"))
}
func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, vo validateOptions) error {
@ -203,8 +206,8 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
txtRecords, err := vo.lookupTxt("_acme-challenge." + domain)
if err != nil {
return storeError(ctx, ch, db, DNSErr(errors.Wrapf(err, "error looking up TXT "+
"records for domain %s", domain)))
return storeError(ctx, ch, db, ErrorWrap(ErrorDNSType, err,
"error looking up TXT records for domain %s", domain))
}
expectedKeyAuth, err := KeyAuthorization(ch.Token, jwk)
@ -221,8 +224,8 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
}
}
if !found {
return storeError(ctx, ch, db, RejectedIdentifierErr(errors.Errorf("keyAuthorization "+
"does not match; expected %s, but got %s", expectedKeyAuth, txtRecords)))
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
"keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, txtRecords))
}
// Update and store the challenge.
@ -230,7 +233,10 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
ch.Error = nil
ch.Validated = clock.Now().UTC().Format(time.RFC3339)
return ServerInternalErr(db.UpdateChallenge(ctx, ch))
if err = db.UpdateChallenge(ctx, ch); err != nil {
return ErrorInternalServerWrap(err, "error updating challenge")
}
return nil
}
// KeyAuthorization creates the ACME key authorization value from a token
@ -238,7 +244,7 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error) {
thumbprint, err := jwk.Thumbprint(crypto.SHA256)
if err != nil {
return "", ServerInternalErr(errors.Wrap(err, "error generating JWK thumbprint"))
return "", ErrorInternalServerWrap(err, "error generating JWK thumbprint")
}
encPrint := base64.RawURLEncoding.EncodeToString(thumbprint)
return fmt.Sprintf("%s.%s", token, encPrint), nil
@ -246,9 +252,9 @@ func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error) {
// storeError the given error to an ACME error and saves using the DB interface.
func storeError(ctx context.Context, ch *Challenge, db DB, err *Error) error {
ch.Error = err.ToACME()
ch.Error = err
if err := db.UpdateChallenge(ctx, ch); err != nil {
return ServerInternalErr(errors.Wrap(err, "failure saving error to acme challenge"))
return ErrorInternalServerWrap(err, "failure saving error to acme challenge")
}
return nil
}

View file

@ -6,7 +6,6 @@ import (
"net/url"
"time"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/provisioner"
"go.step.sm/crypto/jose"
)
@ -96,7 +95,7 @@ const (
func AccountFromContext(ctx context.Context) (*Account, error) {
val, ok := ctx.Value(AccContextKey).(*Account)
if !ok || val == nil {
return nil, AccountDoesNotExistErr(nil)
return nil, NewError(ErrorServerInternalType, "account not in context")
}
return val, nil
}
@ -114,7 +113,7 @@ func BaseURLFromContext(ctx context.Context) *url.URL {
func JwkFromContext(ctx context.Context) (*jose.JSONWebKey, error) {
val, ok := ctx.Value(JwkContextKey).(*jose.JSONWebKey)
if !ok || val == nil {
return nil, ServerInternalErr(errors.Errorf("jwk expected in request context"))
return nil, NewError(ErrorServerInternalType, "jwk expected in request context")
}
return val, nil
}
@ -123,7 +122,7 @@ func JwkFromContext(ctx context.Context) (*jose.JSONWebKey, error) {
func JwsFromContext(ctx context.Context) (*jose.JSONWebSignature, error) {
val, ok := ctx.Value(JwsContextKey).(*jose.JSONWebSignature)
if !ok || val == nil {
return nil, ServerInternalErr(errors.Errorf("jws expected in request context"))
return nil, NewError(ErrorServerInternalType, "jws expected in request context")
}
return val, nil
}
@ -133,11 +132,11 @@ func JwsFromContext(ctx context.Context) (*jose.JSONWebSignature, error) {
func ProvisionerFromContext(ctx context.Context) (Provisioner, error) {
val := ctx.Value(ProvisionerContextKey)
if val == nil {
return nil, ServerInternalErr(errors.Errorf("provisioner expected in request context"))
return nil, NewError(ErrorServerInternalType, "provisioner expected in request context")
}
pval, ok := val.(Provisioner)
if !ok || pval == nil {
return nil, ServerInternalErr(errors.Errorf("provisioner in context is not an ACME provisioner"))
return nil, NewError(ErrorServerInternalType, "provisioner in context is not an ACME provisioner")
}
return pval, nil
}

View file

@ -5,8 +5,6 @@ import (
"encoding/json"
"fmt"
"net/url"
"github.com/pkg/errors"
)
// Directory represents an ACME directory for configuring clients.
@ -23,7 +21,7 @@ type Directory struct {
func (d *Directory) ToLog() (interface{}, error) {
b, err := json.Marshal(d)
if err != nil {
return nil, ServerInternalErr(errors.Wrap(err, "error marshaling directory for logging"))
return nil, ErrorInternalServerWrap(err, "error marshaling directory for logging")
}
return string(b), nil
}

View file

@ -93,8 +93,6 @@ func (ap ProblemType) String() string {
return "externalAccountRequired"
case ErrorInvalidContactType:
return "incorrectResponse"
case ErrorInvalidContactType:
return "invalidContact"
case ErrorMalformedType:
return "malformed"
case ErrorOrderNotReadyType:
@ -133,13 +131,11 @@ var (
officialACMEPrefix = "urn:ietf:params:acme:error:"
stepACMEPrefix = "urn:step:acme:error:"
errorServerInternalMetadata = errorMetadata{
ErrorAccountDoesNotExistType: {
typ: officialACMEPrefix + ErrorServerInternalType.String(),
details: "The server experienced an internal error",
status: 500,
},
typ: officialACMEPrefix + ErrorServerInternalType.String(),
details: "The server experienced an internal error",
status: 500,
}
errorMap = [ProblemType]errorMetadata{
errorMap = map[ProblemType]errorMetadata{
ErrorAccountDoesNotExistType: {
typ: officialACMEPrefix + ErrorAccountDoesNotExistType.String(),
details: "Account does not exist",
@ -267,7 +263,7 @@ var (
// Error represents an ACME
type Error struct {
Type string `json:"type"`
Detail string `json:"detail"`
Details string `json:"detail"`
Subproblems []interface{} `json:"subproblems,omitempty"`
Identifier interface{} `json:"identifier,omitempty"`
Err error `json:"-"`
@ -275,13 +271,13 @@ type Error struct {
}
func NewError(pt ProblemType, msg string, args ...interface{}) *Error {
meta, ok := errorMetadata[typ]
meta, ok := errorMap[pt]
if !ok {
meta = errorServerInternalMetadata
return &Error{
Type: meta.typ,
Details: meta.details,
Status: meta.Status,
Status: meta.status,
Err: errors.Errorf("unrecognized problemType %v", pt),
}
}
@ -301,7 +297,7 @@ func ErrorWrap(typ ProblemType, err error, msg string, args ...interface{}) *Err
return nil
case *Error:
if e.Err == nil {
e.Err = errors.Errorf(msg+"; "+e.Detail, args...)
e.Err = errors.Errorf(msg+"; "+e.Details, args...)
} else {
e.Err = errors.Wrapf(e.Err, msg, args...)
}
@ -311,6 +307,11 @@ func ErrorWrap(typ ProblemType, err error, msg string, args ...interface{}) *Err
}
}
// ErrorInternalServerWrap shortcut to wrap an internal server error type.
func ErrorInternalServerWrap(err error, msg string, args ...interface{}) *Error {
return ErrorWrap(ErrorServerInternalType, err, msg, args...)
}
// StatusCode returns the status code and implements the StatusCoder interface.
func (e *Error) StatusCode() int {
return e.Status
@ -318,13 +319,13 @@ func (e *Error) StatusCode() int {
// Error allows AError to implement the error interface.
func (e *Error) Error() string {
return e.Detail
return e.Details
}
// Cause returns the internal error and implements the Causer interface.
func (e *Error) Cause() error {
if e.Err == nil {
return errors.New(e.Detail)
return errors.New(e.Details)
}
return e.Err
}

View file

@ -8,7 +8,6 @@ import (
"strings"
"time"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/provisioner"
"go.step.sm/crypto/x509util"
)
@ -41,7 +40,7 @@ type Order struct {
func (o *Order) ToLog() (interface{}, error) {
b, err := json.Marshal(o)
if err != nil {
return nil, ServerInternalErr(errors.Wrap(err, "error marshaling order for logging"))
return nil, ErrorInternalServerWrap(err, "error marshaling order for logging")
}
return string(b), nil
}
@ -52,7 +51,7 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
now := time.Now().UTC()
expiry, err := time.Parse(time.RFC3339, o.Expires)
if err != nil {
return ServerInternalErr(errors.Wrap(err, "order.UpdateStatus - error converting expiry string to time"))
return ErrorInternalServerWrap(err, "order.UpdateStatus - error converting expiry string to time")
}
switch o.Status {
@ -64,7 +63,7 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
// Check expiry
if now.After(expiry) {
o.Status = StatusInvalid
o.Error = MalformedErr(errors.New("order has expired"))
o.Error = NewError(ErrorMalformedType, "order has expired")
break
}
return nil
@ -72,7 +71,7 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
// Check expiry
if now.After(expiry) {
o.Status = StatusInvalid
o.Error = MalformedErr(errors.New("order has expired"))
o.Error = NewError(ErrorMalformedType, "order has expired")
break
}
@ -105,10 +104,10 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
o.Status = StatusReady
default:
return ServerInternalErr(errors.New("unexpected authz status"))
return NewError(ErrorServerInternalType, "unexpected authz status")
}
default:
return ServerInternalErr(errors.Errorf("unrecognized order status: %s", o.Status))
return NewError(ErrorServerInternalType, "unrecognized order status: %s", o.Status)
}
return db.UpdateOrder(ctx, o)
}
@ -122,15 +121,15 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
switch o.Status {
case StatusInvalid:
return OrderNotReadyErr(errors.Errorf("order %s has been abandoned", o.ID))
return NewError(ErrorOrderNotReadyType, "order %s has been abandoned", o.ID)
case StatusValid:
return nil
case StatusPending:
return OrderNotReadyErr(errors.Errorf("order %s is not ready", o.ID))
return NewError(ErrorOrderNotReadyType, "order %s is not ready", o.ID)
case StatusReady:
break
default:
return ServerInternalErr(errors.Errorf("unexpected status %s for order %s", o.Status, o.ID))
return NewError(ErrorServerInternalType, "unexpected status %s for order %s", o.Status, o.ID)
}
// RFC8555: The CSR MUST indicate the exact same set of requested
@ -154,13 +153,15 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
// absence of other SANs as they will only be set if the templates allows
// them.
if len(csr.DNSNames) != len(orderNames) {
return BadCSRErr(errors.Errorf("CSR names do not match identifiers exactly: CSR names = %v, Order names = %v", csr.DNSNames, orderNames))
return NewError(ErrorBadCSRType, "CSR names do not match identifiers exactly: "+
"CSR names = %v, Order names = %v", csr.DNSNames, orderNames)
}
sans := make([]x509util.SubjectAlternativeName, len(csr.DNSNames))
for i := range csr.DNSNames {
if csr.DNSNames[i] != orderNames[i] {
return BadCSRErr(errors.Errorf("CSR names do not match identifiers exactly: CSR names = %v, Order names = %v", csr.DNSNames, orderNames))
return NewError(ErrorBadCSRType, "CSR names do not match identifiers exactly: "+
"CSR names = %v, Order names = %v", csr.DNSNames, orderNames)
}
sans[i] = x509util.SubjectAlternativeName{
Type: x509util.DNSType,
@ -172,7 +173,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
signOps, err := p.AuthorizeSign(ctx, "")
if err != nil {
return ServerInternalErr(errors.Wrapf(err, "error retrieving authorization options from ACME provisioner"))
return ErrorInternalServerWrap(err, "error retrieving authorization options from ACME provisioner")
}
// Template data
@ -182,17 +183,17 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
templateOptions, err := provisioner.TemplateOptions(p.GetOptions(), data)
if err != nil {
return ServerInternalErr(errors.Wrapf(err, "error creating template options from ACME provisioner"))
return ErrorInternalServerWrap(err, "error creating template options from ACME provisioner")
}
signOps = append(signOps, templateOptions)
nbf, err := time.Parse(time.RFC3339, o.NotBefore)
if err != nil {
return ServerInternalErr(errors.Wrap(err, "error parsing order NotBefore"))
return ErrorInternalServerWrap(err, "error parsing order NotBefore")
}
naf, err := time.Parse(time.RFC3339, o.NotAfter)
if err != nil {
return ServerInternalErr(errors.Wrap(err, "error parsing order NotAfter"))
return ErrorInternalServerWrap(err, "error parsing order NotAfter")
}
// Sign a new certificate.
@ -201,7 +202,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
NotAfter: provisioner.NewTimeDuration(naf),
}, signOps...)
if err != nil {
return ServerInternalErr(errors.Wrapf(err, "error signing certificate for order %s", o.ID))
return ErrorInternalServerWrap(err, "error signing certificate for order %s", o.ID)
}
cert := &Certificate{