forked from TrueCloudLab/certificates
Use LinkedCA.EABKey type in ACME EAB API
This commit is contained in:
Herman Slatman
parent
f31ca4f6a4
commit
1dba8698e3
3 changed files with 27 additions and 22 deletions
|
|
@ -265,7 +265,6 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
|
|||
return nil, acme.WrapErrorISE(err, "error parsing externalAccountBinding jws")
|
||||
}
|
||||
|
||||
// TODO: verify supported algorithms against the incoming alg (and corresponding settings)?
|
||||
// TODO: implement strategy pattern to allow for different ways of verification (i.e. webhook call) based on configuration
|
||||
|
||||
keyID := eabJWS.Signatures[0].Protected.KeyID
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ import (
|
|||
|
||||
"github.com/smallstep/certificates/api"
|
||||
"github.com/smallstep/certificates/authority/admin"
|
||||
"go.step.sm/linkedca"
|
||||
)
|
||||
|
||||
// CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
|
||||
|
|
@ -13,29 +14,35 @@ type CreateExternalAccountKeyRequest struct {
|
|||
Name string `json:"name"`
|
||||
}
|
||||
|
||||
// CreateExternalAccountKeyResponse is the type for POST /admin/acme/eab responses
|
||||
type CreateExternalAccountKeyResponse struct {
|
||||
ProvisionerName string `json:"provisioner"`
|
||||
KeyID string `json:"keyID"`
|
||||
Name string `json:"name"`
|
||||
Key []byte `json:"key"`
|
||||
// Validate validates a new-admin request body.
|
||||
func (r *CreateExternalAccountKeyRequest) Validate() error {
|
||||
if r.ProvisionerName == "" {
|
||||
return admin.NewError(admin.ErrorBadRequestType, "provisioner name cannot be empty")
|
||||
}
|
||||
if r.Name == "" {
|
||||
return admin.NewError(admin.ErrorBadRequestType, "name / reference cannot be empty")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetExternalAccountKeysResponse is the type for GET /admin/acme/eab responses
|
||||
type GetExternalAccountKeysResponse struct {
|
||||
EAKs []*CreateExternalAccountKeyResponse `json:"eaks"`
|
||||
NextCursor string `json:"nextCursor"`
|
||||
EAKs []*linkedca.EABKey `json:"eaks"`
|
||||
NextCursor string `json:"nextCursor"`
|
||||
}
|
||||
|
||||
// CreateExternalAccountKey creates a new External Account Binding key
|
||||
func (h *Handler) CreateExternalAccountKey(w http.ResponseWriter, r *http.Request) {
|
||||
var body CreateExternalAccountKeyRequest
|
||||
if err := api.ReadJSON(r.Body, &body); err != nil { // TODO: rewrite into protobuf json (likely)
|
||||
api.WriteError(w, err)
|
||||
api.WriteError(w, admin.WrapError(admin.ErrorBadRequestType, err, "error reading request body"))
|
||||
return
|
||||
}
|
||||
|
||||
// TODO: Validate input
|
||||
if err := body.Validate(); err != nil {
|
||||
api.WriteError(w, err)
|
||||
return
|
||||
}
|
||||
|
||||
eak, err := h.acmeDB.CreateExternalAccountKey(r.Context(), body.ProvisionerName, body.Name)
|
||||
if err != nil {
|
||||
|
|
@ -43,14 +50,14 @@ func (h *Handler) CreateExternalAccountKey(w http.ResponseWriter, r *http.Reques
|
|||
return
|
||||
}
|
||||
|
||||
eakResponse := CreateExternalAccountKeyResponse{
|
||||
response := &linkedca.EABKey{
|
||||
EabKid: eak.ID,
|
||||
EabHmacKey: eak.KeyBytes,
|
||||
ProvisionerName: eak.ProvisionerName,
|
||||
KeyID: eak.ID,
|
||||
Name: eak.Name,
|
||||
Key: eak.KeyBytes,
|
||||
}
|
||||
|
||||
api.JSONStatus(w, eakResponse, http.StatusCreated) // TODO: rewrite into protobuf json (likely)
|
||||
api.ProtoJSONStatus(w, response, http.StatusCreated)
|
||||
}
|
||||
|
||||
// GetExternalAccountKeys returns a segment of ACME EAB Keys.
|
||||
|
|
|
|||
|
|
@ -12,7 +12,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/certificates/api"
|
||||
"github.com/smallstep/certificates/authority/admin"
|
||||
adminAPI "github.com/smallstep/certificates/authority/admin/api"
|
||||
"github.com/smallstep/certificates/authority/provisioner"
|
||||
|
|
@ -600,7 +599,7 @@ retry:
|
|||
}
|
||||
|
||||
// CreateExternalAccountKey performs the POST /admin/acme/eab request to the CA.
|
||||
func (c *AdminClient) CreateExternalAccountKey(eakRequest *adminAPI.CreateExternalAccountKeyRequest) (*adminAPI.CreateExternalAccountKeyResponse, error) {
|
||||
func (c *AdminClient) CreateExternalAccountKey(eakRequest *adminAPI.CreateExternalAccountKeyRequest) (*linkedca.EABKey, error) {
|
||||
var retried bool
|
||||
body, err := json.Marshal(eakRequest)
|
||||
if err != nil {
|
||||
|
|
@ -628,18 +627,18 @@ retry:
|
|||
}
|
||||
return nil, readAdminError(resp.Body)
|
||||
}
|
||||
var eakResp = new(adminAPI.CreateExternalAccountKeyResponse)
|
||||
if err := api.ReadJSON(resp.Body, &eakResp); err != nil {
|
||||
var eabKey = new(linkedca.EABKey)
|
||||
if err := readProtoJSON(resp.Body, eabKey); err != nil {
|
||||
return nil, errors.Wrapf(err, "error reading %s", u)
|
||||
}
|
||||
return eakResp, nil
|
||||
return eabKey, nil
|
||||
}
|
||||
|
||||
// GetExternalAccountKeys returns all ACME EAB Keys from the GET /admin/acme/eab request to the CA.
|
||||
func (c *AdminClient) GetExternalAccountKeys(opts ...AdminOption) ([]*adminAPI.CreateExternalAccountKeyResponse, error) {
|
||||
func (c *AdminClient) GetExternalAccountKeys(opts ...AdminOption) ([]*linkedca.EABKey, error) {
|
||||
var (
|
||||
cursor = ""
|
||||
eaks = []*adminAPI.CreateExternalAccountKeyResponse{}
|
||||
eaks = []*linkedca.EABKey{}
|
||||
)
|
||||
for {
|
||||
resp, err := c.GetExternalAccountKeysPaginate(WithAdminCursor(cursor), WithAdminLimit(100))
|
||||
|
|
|
|||
Loading…
Reference in a new issue