forked from TrueCloudLab/certificates
Fix more PR comments
This commit is contained in:
parent
76112c2da1
commit
2a7620641f
21 changed files with 298 additions and 331 deletions
|
@ -91,7 +91,7 @@ func (p *Policy) IsWildcardLiteralAllowed() bool {
|
||||||
// ShouldVerifySubjectCommonName returns true by default
|
// ShouldVerifySubjectCommonName returns true by default
|
||||||
// for ACME account policies, as this is embedded in the
|
// for ACME account policies, as this is embedded in the
|
||||||
// protocol.
|
// protocol.
|
||||||
func (p *Policy) ShouldVerifySubjectCommonName() bool {
|
func (p *Policy) ShouldVerifyCommonName() bool {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -101,7 +101,7 @@ type ExternalAccountKey struct {
|
||||||
ProvisionerID string `json:"provisionerID"`
|
ProvisionerID string `json:"provisionerID"`
|
||||||
Reference string `json:"reference"`
|
Reference string `json:"reference"`
|
||||||
AccountID string `json:"-"`
|
AccountID string `json:"-"`
|
||||||
KeyBytes []byte `json:"-"`
|
HmacKey []byte `json:"-"`
|
||||||
CreatedAt time.Time `json:"createdAt"`
|
CreatedAt time.Time `json:"createdAt"`
|
||||||
BoundAt time.Time `json:"boundAt,omitempty"`
|
BoundAt time.Time `json:"boundAt,omitempty"`
|
||||||
Policy *Policy `json:"policy,omitempty"`
|
Policy *Policy `json:"policy,omitempty"`
|
||||||
|
@ -121,6 +121,6 @@ func (eak *ExternalAccountKey) BindTo(account *Account) error {
|
||||||
}
|
}
|
||||||
eak.AccountID = account.ID
|
eak.AccountID = account.ID
|
||||||
eak.BoundAt = time.Now()
|
eak.BoundAt = time.Now()
|
||||||
eak.KeyBytes = []byte{} // clearing the key bytes; can only be used once
|
eak.HmacKey = []byte{} // clearing the key bytes; can only be used once
|
||||||
return nil
|
return nil
|
||||||
}
|
}
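Review bot: Assigning `eak.HmacKey = []byte{}` only drops the reference; the secret bytes stay in the old backing array (and in any other struct copy that shares it) until the GC reclaims them, so the key is not actually scrubbed. If the goal is to make the key unusable after binding, zero it in place before dropping it, e.g. `for i := range eak.HmacKey { eak.HmacKey[i] = 0 }` followed by the existing `eak.HmacKey = []byte{}`, and update the comment, which still says "key bytes", to `// zero and drop the HMAC key; an EAB key can only be used once`. BindTo's signature and the error return above it lie outside this hunk.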
|
||||||
|
|
|
@ -7,8 +7,9 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/smallstep/assert"
|
|
||||||
"go.step.sm/crypto/jose"
|
"go.step.sm/crypto/jose"
|
||||||
|
|
||||||
|
"github.com/smallstep/assert"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestKeyToID(t *testing.T) {
|
func TestKeyToID(t *testing.T) {
|
||||||
|
@ -95,7 +96,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: "provID",
|
ProvisionerID: "provID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
},
|
},
|
||||||
acct: &Account{
|
acct: &Account{
|
||||||
ID: "accountID",
|
ID: "accountID",
|
||||||
|
@ -108,7 +109,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: "provID",
|
ProvisionerID: "provID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
AccountID: "someAccountID",
|
AccountID: "someAccountID",
|
||||||
BoundAt: boundAt,
|
BoundAt: boundAt,
|
||||||
},
|
},
|
||||||
|
@ -138,7 +139,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
|
||||||
assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
|
assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
|
||||||
} else {
|
} else {
|
||||||
assert.Equals(t, eak.AccountID, acct.ID)
|
assert.Equals(t, eak.AccountID, acct.ID)
|
||||||
assert.Equals(t, eak.KeyBytes, []byte{})
|
assert.Equals(t, eak.HmacKey, []byte{})
|
||||||
assert.NotNil(t, eak.BoundAt)
|
assert.NotNil(t, eak.BoundAt)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
@ -582,7 +582,7 @@ func TestHandler_NewAccount(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}
|
}
|
||||||
return test{
|
return test{
|
||||||
|
@ -759,7 +759,7 @@ func TestHandler_NewAccount(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
|
|
|
@ -60,7 +60,7 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
|
||||||
return nil, acme.NewError(acme.ErrorUnauthorizedType, "the field 'kid' references an unknown key")
|
return nil, acme.NewError(acme.ErrorUnauthorizedType, "the field 'kid' references an unknown key")
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(externalAccountKey.KeyBytes) == 0 {
|
if len(externalAccountKey.HmacKey) == 0 {
|
||||||
return nil, acme.NewError(acme.ErrorServerInternalType, "external account binding key with id '%s' does not have secret bytes", keyID)
|
return nil, acme.NewError(acme.ErrorServerInternalType, "external account binding key with id '%s' does not have secret bytes", keyID)
|
||||||
}
|
}
|
||||||
|
|
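Review bot: The empty-key check `if len(externalAccountKey.HmacKey) == 0` sits at line 63, ahead of the already-bound check whose `return` is at line 68 in the next hunk, and `BindTo` sets `HmacKey` to `[]byte{}` once a key is bound, so a second newAccount that reuses an EAB key appears to hit this branch and receive a server-internal error rather than the unauthorized "already bound" response the later check is written for. Consider moving the `AccountID`/`BoundAt` check ahead of this one, or narrowing this one to `if len(externalAccountKey.HmacKey) == 0 && externalAccountKey.AccountID == "" {` so that a genuinely keyless record is still reported as a server fault. Lines 64–67 are not visible here, so confirm the order against the full function, which starts above this hunk.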
||||||
|
@ -68,7 +68,7 @@ func (h *Handler) validateExternalAccountBinding(ctx context.Context, nar *NewAc
|
||||||
return nil, acme.NewError(acme.ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", keyID, externalAccountKey.AccountID, externalAccountKey.BoundAt)
|
return nil, acme.NewError(acme.ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", keyID, externalAccountKey.AccountID, externalAccountKey.BoundAt)
|
||||||
}
|
}
|
||||||
|
|
||||||
payload, err := eabJWS.Verify(externalAccountKey.KeyBytes)
|
payload, err := eabJWS.Verify(externalAccountKey.HmacKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, acme.WrapErrorISE(err, "error verifying externalAccountBinding signature")
|
return nil, acme.WrapErrorISE(err, "error verifying externalAccountBinding signature")
|
||||||
}
|
}
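Review bot: A failed MAC verification in `eabJWS.Verify(externalAccountKey.HmacKey)` is reported through `acme.WrapErrorISE`, i.e. as a server-internal error, although it is the client that presented a JWS which does not verify under the key it named. The neighbouring checks in this function return `acme.ErrorUnauthorizedType` for an unknown `kid` and for a reused key, so a bad MAC should arguably use the same type, e.g. `return nil, acme.NewError(acme.ErrorUnauthorizedType, "externalAccountBinding signature does not verify for key '%s'", keyID)` (or a typed wrap helper if the package has one, so `err` is not lost). Reporting it as a 500 also hides the failure from clients that key off the ACME error type. The function's remaining body lies outside this hunk.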
|
||||||
|
|
|
@ -156,7 +156,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
|
@ -170,7 +170,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
},
|
},
|
||||||
err: nil,
|
err: nil,
|
||||||
|
@ -523,7 +523,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
AccountID: "some-account-id",
|
AccountID: "some-account-id",
|
||||||
KeyBytes: []byte{},
|
HmacKey: []byte{},
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -630,7 +630,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
CreatedAt: createdAt,
|
CreatedAt: createdAt,
|
||||||
AccountID: "some-account-id",
|
AccountID: "some-account-id",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
BoundAt: boundAt,
|
BoundAt: boundAt,
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
|
@ -686,7 +686,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 2, 3, 4},
|
HmacKey: []byte{1, 2, 3, 4},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
|
@ -744,7 +744,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
|
@ -799,7 +799,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
|
@ -855,7 +855,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
ID: "eakID",
|
ID: "eakID",
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "testeak",
|
Reference: "testeak",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Now(),
|
CreatedAt: time.Now(),
|
||||||
}, nil
|
}, nil
|
||||||
},
|
},
|
||||||
|
@ -898,7 +898,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
|
||||||
} else {
|
} else {
|
||||||
assert.NotNil(t, tc.eak)
|
assert.NotNil(t, tc.eak)
|
||||||
assert.Equals(t, got.ID, tc.eak.ID)
|
assert.Equals(t, got.ID, tc.eak.ID)
|
||||||
assert.Equals(t, got.KeyBytes, tc.eak.KeyBytes)
|
assert.Equals(t, got.HmacKey, tc.eak.HmacKey)
|
||||||
assert.Equals(t, got.ProvisionerID, tc.eak.ProvisionerID)
|
assert.Equals(t, got.ProvisionerID, tc.eak.ProvisionerID)
|
||||||
assert.Equals(t, got.Reference, tc.eak.Reference)
|
assert.Equals(t, got.Reference, tc.eak.Reference)
|
||||||
assert.Equals(t, got.CreatedAt, tc.eak.CreatedAt)
|
assert.Equals(t, got.CreatedAt, tc.eak.CreatedAt)
|
||||||
|
|
|
@ -8,6 +8,7 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
|
||||||
"github.com/smallstep/certificates/acme"
|
"github.com/smallstep/certificates/acme"
|
||||||
nosqlDB "github.com/smallstep/nosql"
|
nosqlDB "github.com/smallstep/nosql"
|
||||||
)
|
)
|
||||||
|
@ -23,7 +24,7 @@ type dbExternalAccountKey struct {
|
||||||
ProvisionerID string `json:"provisionerID"`
|
ProvisionerID string `json:"provisionerID"`
|
||||||
Reference string `json:"reference"`
|
Reference string `json:"reference"`
|
||||||
AccountID string `json:"accountID,omitempty"`
|
AccountID string `json:"accountID,omitempty"`
|
||||||
KeyBytes []byte `json:"key"`
|
HmacKey []byte `json:"key"`
|
||||||
CreatedAt time.Time `json:"createdAt"`
|
CreatedAt time.Time `json:"createdAt"`
|
||||||
BoundAt time.Time `json:"boundAt"`
|
BoundAt time.Time `json:"boundAt"`
|
||||||
}
|
}
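Review bot: The persisted field keeps its `json:"key"` tag while the Go field is renamed to `HmacKey`; that mismatch is presumably what keeps already-stored EAB records readable, but nothing on the struct says so, and a later cleanup that "aligns" the tag to the field name would silently orphan every stored key. Add a comment on the field, e.g. `HmacKey []byte \`json:"key"\` // tag deliberately kept as "key": changing it breaks existing stored records`. The struct's opening line is above this hunk.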
|
||||||
|
@ -72,7 +73,7 @@ func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerID, refer
|
||||||
ID: keyID,
|
ID: keyID,
|
||||||
ProvisionerID: provisionerID,
|
ProvisionerID: provisionerID,
|
||||||
Reference: reference,
|
Reference: reference,
|
||||||
KeyBytes: random,
|
HmacKey: random,
|
||||||
CreatedAt: clock.Now(),
|
CreatedAt: clock.Now(),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -99,7 +100,7 @@ func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerID, refer
|
||||||
ProvisionerID: dbeak.ProvisionerID,
|
ProvisionerID: dbeak.ProvisionerID,
|
||||||
Reference: dbeak.Reference,
|
Reference: dbeak.Reference,
|
||||||
AccountID: dbeak.AccountID,
|
AccountID: dbeak.AccountID,
|
||||||
KeyBytes: dbeak.KeyBytes,
|
HmacKey: dbeak.HmacKey,
|
||||||
CreatedAt: dbeak.CreatedAt,
|
CreatedAt: dbeak.CreatedAt,
|
||||||
BoundAt: dbeak.BoundAt,
|
BoundAt: dbeak.BoundAt,
|
||||||
}, nil
|
}, nil
|
||||||
|
@ -124,7 +125,7 @@ func (db *DB) GetExternalAccountKey(ctx context.Context, provisionerID, keyID st
|
||||||
ProvisionerID: dbeak.ProvisionerID,
|
ProvisionerID: dbeak.ProvisionerID,
|
||||||
Reference: dbeak.Reference,
|
Reference: dbeak.Reference,
|
||||||
AccountID: dbeak.AccountID,
|
AccountID: dbeak.AccountID,
|
||||||
KeyBytes: dbeak.KeyBytes,
|
HmacKey: dbeak.HmacKey,
|
||||||
CreatedAt: dbeak.CreatedAt,
|
CreatedAt: dbeak.CreatedAt,
|
||||||
BoundAt: dbeak.BoundAt,
|
BoundAt: dbeak.BoundAt,
|
||||||
}, nil
|
}, nil
|
||||||
|
@ -191,7 +192,7 @@ func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor
|
||||||
}
|
}
|
||||||
keys = append(keys, &acme.ExternalAccountKey{
|
keys = append(keys, &acme.ExternalAccountKey{
|
||||||
ID: eak.ID,
|
ID: eak.ID,
|
||||||
KeyBytes: eak.KeyBytes,
|
HmacKey: eak.HmacKey,
|
||||||
ProvisionerID: eak.ProvisionerID,
|
ProvisionerID: eak.ProvisionerID,
|
||||||
Reference: eak.Reference,
|
Reference: eak.Reference,
|
||||||
AccountID: eak.AccountID,
|
AccountID: eak.AccountID,
|
||||||
|
@ -256,7 +257,7 @@ func (db *DB) UpdateExternalAccountKey(ctx context.Context, provisionerID string
|
||||||
ProvisionerID: eak.ProvisionerID,
|
ProvisionerID: eak.ProvisionerID,
|
||||||
Reference: eak.Reference,
|
Reference: eak.Reference,
|
||||||
AccountID: eak.AccountID,
|
AccountID: eak.AccountID,
|
||||||
KeyBytes: eak.KeyBytes,
|
HmacKey: eak.HmacKey,
|
||||||
CreatedAt: eak.CreatedAt,
|
CreatedAt: eak.CreatedAt,
|
||||||
BoundAt: eak.BoundAt,
|
BoundAt: eak.BoundAt,
|
||||||
}
|
}
|
||||||
|
|
|
@ -8,6 +8,7 @@ import (
|
||||||
|
|
||||||
"github.com/google/go-cmp/cmp"
|
"github.com/google/go-cmp/cmp"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
|
||||||
"github.com/smallstep/assert"
|
"github.com/smallstep/assert"
|
||||||
"github.com/smallstep/certificates/acme"
|
"github.com/smallstep/certificates/acme"
|
||||||
certdb "github.com/smallstep/certificates/db"
|
certdb "github.com/smallstep/certificates/db"
|
||||||
|
@ -32,7 +33,7 @@ func TestDB_getDBExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
|
@ -108,7 +109,7 @@ func TestDB_getDBExternalAccountKey(t *testing.T) {
|
||||||
}
|
}
|
||||||
} else if assert.Nil(t, tc.err) {
|
} else if assert.Nil(t, tc.err) {
|
||||||
assert.Equals(t, dbeak.ID, tc.dbeak.ID)
|
assert.Equals(t, dbeak.ID, tc.dbeak.ID)
|
||||||
assert.Equals(t, dbeak.KeyBytes, tc.dbeak.KeyBytes)
|
assert.Equals(t, dbeak.HmacKey, tc.dbeak.HmacKey)
|
||||||
assert.Equals(t, dbeak.ProvisionerID, tc.dbeak.ProvisionerID)
|
assert.Equals(t, dbeak.ProvisionerID, tc.dbeak.ProvisionerID)
|
||||||
assert.Equals(t, dbeak.Reference, tc.dbeak.Reference)
|
assert.Equals(t, dbeak.Reference, tc.dbeak.Reference)
|
||||||
assert.Equals(t, dbeak.CreatedAt, tc.dbeak.CreatedAt)
|
assert.Equals(t, dbeak.CreatedAt, tc.dbeak.CreatedAt)
|
||||||
|
@ -136,7 +137,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
|
@ -154,7 +155,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -179,7 +180,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: "aDifferentProvID",
|
ProvisionerID: "aDifferentProvID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
|
@ -197,7 +198,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
acmeErr: acme.NewError(acme.ErrorUnauthorizedType, "provisioner does not match provisioner for which the EAB key was created"),
|
acmeErr: acme.NewError(acme.ErrorUnauthorizedType, "provisioner does not match provisioner for which the EAB key was created"),
|
||||||
|
@ -225,7 +226,7 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
|
||||||
}
|
}
|
||||||
} else if assert.Nil(t, tc.err) {
|
} else if assert.Nil(t, tc.err) {
|
||||||
assert.Equals(t, eak.ID, tc.eak.ID)
|
assert.Equals(t, eak.ID, tc.eak.ID)
|
||||||
assert.Equals(t, eak.KeyBytes, tc.eak.KeyBytes)
|
assert.Equals(t, eak.HmacKey, tc.eak.HmacKey)
|
||||||
assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID)
|
assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID)
|
||||||
assert.Equals(t, eak.Reference, tc.eak.Reference)
|
assert.Equals(t, eak.Reference, tc.eak.Reference)
|
||||||
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
|
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
|
||||||
|
@ -255,7 +256,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
dbref := &dbExternalAccountKeyReference{
|
dbref := &dbExternalAccountKeyReference{
|
||||||
|
@ -288,7 +289,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
err: nil,
|
err: nil,
|
||||||
|
@ -392,7 +393,7 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
|
||||||
assert.Equals(t, eak.AccountID, tc.eak.AccountID)
|
assert.Equals(t, eak.AccountID, tc.eak.AccountID)
|
||||||
assert.Equals(t, eak.BoundAt, tc.eak.BoundAt)
|
assert.Equals(t, eak.BoundAt, tc.eak.BoundAt)
|
||||||
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
|
assert.Equals(t, eak.CreatedAt, tc.eak.CreatedAt)
|
||||||
assert.Equals(t, eak.KeyBytes, tc.eak.KeyBytes)
|
assert.Equals(t, eak.HmacKey, tc.eak.HmacKey)
|
||||||
assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID)
|
assert.Equals(t, eak.ProvisionerID, tc.eak.ProvisionerID)
|
||||||
assert.Equals(t, eak.Reference, tc.eak.Reference)
|
assert.Equals(t, eak.Reference, tc.eak.Reference)
|
||||||
}
|
}
|
||||||
|
@ -420,7 +421,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b1, err := json.Marshal(dbeak1)
|
b1, err := json.Marshal(dbeak1)
|
||||||
|
@ -430,7 +431,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b2, err := json.Marshal(dbeak2)
|
b2, err := json.Marshal(dbeak2)
|
||||||
|
@ -440,7 +441,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
ProvisionerID: "aDifferentProvID",
|
ProvisionerID: "aDifferentProvID",
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b3, err := json.Marshal(dbeak3)
|
b3, err := json.Marshal(dbeak3)
|
||||||
|
@ -513,7 +514,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -521,7 +522,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -598,7 +599,7 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
|
||||||
assert.Equals(t, "", nextCursor)
|
assert.Equals(t, "", nextCursor)
|
||||||
for i, eak := range eaks {
|
for i, eak := range eaks {
|
||||||
assert.Equals(t, eak.ID, tc.eaks[i].ID)
|
assert.Equals(t, eak.ID, tc.eaks[i].ID)
|
||||||
assert.Equals(t, eak.KeyBytes, tc.eaks[i].KeyBytes)
|
assert.Equals(t, eak.HmacKey, tc.eaks[i].HmacKey)
|
||||||
assert.Equals(t, eak.ProvisionerID, tc.eaks[i].ProvisionerID)
|
assert.Equals(t, eak.ProvisionerID, tc.eaks[i].ProvisionerID)
|
||||||
assert.Equals(t, eak.Reference, tc.eaks[i].Reference)
|
assert.Equals(t, eak.Reference, tc.eaks[i].Reference)
|
||||||
assert.Equals(t, eak.CreatedAt, tc.eaks[i].CreatedAt)
|
assert.Equals(t, eak.CreatedAt, tc.eaks[i].CreatedAt)
|
||||||
|
@ -627,7 +628,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
dbref := &dbExternalAccountKeyReference{
|
dbref := &dbExternalAccountKeyReference{
|
||||||
|
@ -707,7 +708,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: "aDifferentProvID",
|
ProvisionerID: "aDifferentProvID",
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
|
@ -730,7 +731,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
dbref := &dbExternalAccountKeyReference{
|
dbref := &dbExternalAccountKeyReference{
|
||||||
|
@ -780,7 +781,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
dbref := &dbExternalAccountKeyReference{
|
dbref := &dbExternalAccountKeyReference{
|
||||||
|
@ -830,7 +831,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
dbref := &dbExternalAccountKeyReference{
|
dbref := &dbExternalAccountKeyReference{
|
||||||
|
@ -953,7 +954,7 @@ func TestDB_CreateExternalAccountKey(t *testing.T) {
|
||||||
assert.Equals(t, string(key), dbeak.ID)
|
assert.Equals(t, string(key), dbeak.ID)
|
||||||
assert.Equals(t, eak.ProvisionerID, dbeak.ProvisionerID)
|
assert.Equals(t, eak.ProvisionerID, dbeak.ProvisionerID)
|
||||||
assert.Equals(t, eak.Reference, dbeak.Reference)
|
assert.Equals(t, eak.Reference, dbeak.Reference)
|
||||||
assert.Equals(t, 32, len(dbeak.KeyBytes))
|
assert.Equals(t, 32, len(dbeak.HmacKey))
|
||||||
assert.False(t, dbeak.CreatedAt.IsZero())
|
assert.False(t, dbeak.CreatedAt.IsZero())
|
||||||
assert.Equals(t, dbeak.AccountID, eak.AccountID)
|
assert.Equals(t, dbeak.AccountID, eak.AccountID)
|
||||||
assert.True(t, dbeak.BoundAt.IsZero())
|
assert.True(t, dbeak.BoundAt.IsZero())
|
||||||
|
@ -1078,7 +1079,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(dbeak)
|
b, err := json.Marshal(dbeak)
|
||||||
|
@ -1096,7 +1097,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
return test{
|
return test{
|
||||||
|
@ -1120,7 +1121,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
assert.Equals(t, dbNew.AccountID, dbeak.AccountID)
|
assert.Equals(t, dbNew.AccountID, dbeak.AccountID)
|
||||||
assert.Equals(t, dbNew.CreatedAt, dbeak.CreatedAt)
|
assert.Equals(t, dbNew.CreatedAt, dbeak.CreatedAt)
|
||||||
assert.Equals(t, dbNew.BoundAt, dbeak.BoundAt)
|
assert.Equals(t, dbNew.BoundAt, dbeak.BoundAt)
|
||||||
assert.Equals(t, dbNew.KeyBytes, dbeak.KeyBytes)
|
assert.Equals(t, dbNew.HmacKey, dbeak.HmacKey)
|
||||||
return nu, true, nil
|
return nu, true, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1148,7 +1149,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: "aDifferentProvID",
|
ProvisionerID: "aDifferentProvID",
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(newDBEAK)
|
b, err := json.Marshal(newDBEAK)
|
||||||
|
@ -1174,7 +1175,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(newDBEAK)
|
b, err := json.Marshal(newDBEAK)
|
||||||
|
@ -1200,7 +1201,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
ProvisionerID: provID,
|
ProvisionerID: provID,
|
||||||
Reference: ref,
|
Reference: ref,
|
||||||
AccountID: "",
|
AccountID: "",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
}
|
}
|
||||||
b, err := json.Marshal(newDBEAK)
|
b, err := json.Marshal(newDBEAK)
|
||||||
|
@ -1237,7 +1238,7 @@ func TestDB_UpdateExternalAccountKey(t *testing.T) {
|
||||||
assert.Equals(t, dbeak.AccountID, tc.eak.AccountID)
|
assert.Equals(t, dbeak.AccountID, tc.eak.AccountID)
|
||||||
assert.Equals(t, dbeak.CreatedAt, tc.eak.CreatedAt)
|
assert.Equals(t, dbeak.CreatedAt, tc.eak.CreatedAt)
|
||||||
assert.Equals(t, dbeak.BoundAt, tc.eak.BoundAt)
|
assert.Equals(t, dbeak.BoundAt, tc.eak.BoundAt)
|
||||||
assert.Equals(t, dbeak.KeyBytes, tc.eak.KeyBytes)
|
assert.Equals(t, dbeak.HmacKey, tc.eak.HmacKey)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
|
@ -90,7 +90,7 @@ func eakToLinked(k *acme.ExternalAccountKey) *linkedca.EABKey {
|
||||||
|
|
||||||
eak := &linkedca.EABKey{
|
eak := &linkedca.EABKey{
|
||||||
Id: k.ID,
|
Id: k.ID,
|
||||||
HmacKey: k.KeyBytes,
|
HmacKey: k.HmacKey,
|
||||||
Provisioner: k.ProvisionerID,
|
Provisioner: k.ProvisionerID,
|
||||||
Reference: k.Reference,
|
Reference: k.Reference,
|
||||||
Account: k.AccountID,
|
Account: k.AccountID,
|
||||||
|
@ -124,7 +124,7 @@ func linkedEAKToCertificates(k *linkedca.EABKey) *acme.ExternalAccountKey {
|
||||||
ProvisionerID: k.Provisioner,
|
ProvisionerID: k.Provisioner,
|
||||||
Reference: k.Reference,
|
Reference: k.Reference,
|
||||||
AccountID: k.Account,
|
AccountID: k.Account,
|
||||||
KeyBytes: k.HmacKey,
|
HmacKey: k.HmacKey,
|
||||||
CreatedAt: k.CreatedAt.AsTime(),
|
CreatedAt: k.CreatedAt.AsTime(),
|
||||||
BoundAt: k.BoundAt.AsTime(),
|
BoundAt: k.BoundAt.AsTime(),
|
||||||
}
|
}
|
||||||
|
|
|
@ -364,7 +364,7 @@ func Test_eakToLinked(t *testing.T) {
|
||||||
ProvisionerID: "provID",
|
ProvisionerID: "provID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "accID",
|
AccountID: "accID",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||||
Policy: nil,
|
Policy: nil,
|
||||||
|
@ -387,7 +387,7 @@ func Test_eakToLinked(t *testing.T) {
|
||||||
ProvisionerID: "provID",
|
ProvisionerID: "provID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "accID",
|
AccountID: "accID",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||||
Policy: &acme.Policy{
|
Policy: &acme.Policy{
|
||||||
|
@ -463,7 +463,7 @@ func Test_linkedEAKToCertificates(t *testing.T) {
|
||||||
ProvisionerID: "provID",
|
ProvisionerID: "provID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "accID",
|
AccountID: "accID",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||||
Policy: nil,
|
Policy: nil,
|
||||||
|
@ -486,7 +486,7 @@ func Test_linkedEAKToCertificates(t *testing.T) {
|
||||||
ProvisionerID: "provID",
|
ProvisionerID: "provID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "accID",
|
AccountID: "accID",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||||
Policy: &acme.Policy{},
|
Policy: &acme.Policy{},
|
||||||
|
@ -520,7 +520,7 @@ func Test_linkedEAKToCertificates(t *testing.T) {
|
||||||
ProvisionerID: "provID",
|
ProvisionerID: "provID",
|
||||||
Reference: "ref",
|
Reference: "ref",
|
||||||
AccountID: "accID",
|
AccountID: "accID",
|
||||||
KeyBytes: []byte{1, 3, 3, 7},
|
HmacKey: []byte{1, 3, 3, 7},
|
||||||
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
CreatedAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC).Add(-1 * time.Hour),
|
||||||
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
BoundAt: time.Date(2022, 04, 12, 9, 30, 30, 0, time.UTC),
|
||||||
Policy: &acme.Policy{
|
Policy: &acme.Policy{
|
||||||
|
|
|
@ -30,19 +30,25 @@ type policyAdminResponderInterface interface {
|
||||||
|
|
||||||
// PolicyAdminResponder is responsible for writing ACME admin responses
|
// PolicyAdminResponder is responsible for writing ACME admin responses
|
||||||
type PolicyAdminResponder struct {
|
type PolicyAdminResponder struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
adminDB admin.DB
|
adminDB admin.DB
|
||||||
acmeDB acme.DB
|
acmeDB acme.DB
|
||||||
deploymentType string
|
isLinkedCA bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewACMEAdminResponder returns a new ACMEAdminResponder
|
// NewACMEAdminResponder returns a new ACMEAdminResponder
|
||||||
func NewPolicyAdminResponder(auth adminAuthority, adminDB admin.DB, acmeDB acme.DB, deploymentType string) *PolicyAdminResponder {
|
func NewPolicyAdminResponder(auth adminAuthority, adminDB admin.DB, acmeDB acme.DB) *PolicyAdminResponder {
|
||||||
|
|
||||||
|
var isLinkedCA bool
|
||||||
|
if a, ok := adminDB.(interface{ IsLinkedCA() bool }); ok {
|
||||||
|
isLinkedCA = a.IsLinkedCA()
|
||||||
|
}
|
||||||
|
|
||||||
return &PolicyAdminResponder{
|
return &PolicyAdminResponder{
|
||||||
auth: auth,
|
auth: auth,
|
||||||
adminDB: adminDB,
|
adminDB: adminDB,
|
||||||
acmeDB: acmeDB,
|
acmeDB: acmeDB,
|
||||||
deploymentType: deploymentType,
|
isLinkedCA: isLinkedCA,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -435,8 +441,8 @@ func (par *PolicyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
|
||||||
|
|
||||||
// blockLinkedCA blocks all API operations on linked deployments
|
// blockLinkedCA blocks all API operations on linked deployments
|
||||||
func (par *PolicyAdminResponder) blockLinkedCA() error {
|
func (par *PolicyAdminResponder) blockLinkedCA() error {
|
||||||
// temporary blocking linked deployments based on string comparison (preventing import cycle)
|
// temporary blocking linked deployments
|
||||||
if par.deploymentType == "linked" {
|
if par.isLinkedCA {
|
||||||
return admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
return admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
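Review bot: The linked-deployment guard in `NewPolicyAdminResponder` fails open whenever `adminDB` is a wrapper around the linked client, because the anonymous assertion `adminDB.(interface{ IsLinkedCA() bool })` only inspects the outermost type; a decorated or instrumented `admin.DB` would leave `isLinkedCA` false, `blockLinkedCA` would return nil, and the policy endpoints the guard exists to withhold would be reachable. Give the marker a named interface in this package, e.g. `type linkedCAChecker interface{ IsLinkedCA() bool }` and `if a, ok := adminDB.(linkedCAChecker); ok {`, and state in the `PolicyAdminResponder` doc that `isLinkedCA` is fixed at construction time and must be forwarded by any `admin.DB` wrapper. The same marker method is added on `linkedCaClient` in the linkedca.go section of this commit, so the contract belongs in both places. The comment on `blockLinkedCA` still reads `// temporary blocking linked deployments`; consider `// blockLinkedCA rejects policy operations on linked deployments until they are supported there.`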
|
|
|
@ -21,15 +21,22 @@ import (
|
||||||
"github.com/smallstep/certificates/authority/admin"
|
"github.com/smallstep/certificates/authority/admin"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type fakeLinkedCA struct {
|
||||||
|
admin.MockDB
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *fakeLinkedCA) IsLinkedCA() bool {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
deploymentType string
|
adminDB admin.DB
|
||||||
adminDB admin.DB
|
ctx context.Context
|
||||||
ctx context.Context
|
err *admin.Error
|
||||||
err *admin.Error
|
policy *linkedca.Policy
|
||||||
policy *linkedca.Policy
|
statusCode int
|
||||||
statusCode int
|
|
||||||
}
|
}
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
"fail/linkedca": func(t *testing.T) test {
|
"fail/linkedca": func(t *testing.T) test {
|
||||||
|
@ -37,10 +44,10 @@ func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
|
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
|
||||||
|
@ -97,11 +104,8 @@ func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
auth: tc.auth,
|
par := NewPolicyAdminResponder(tc.auth, tc.adminDB, nil)
|
||||||
adminDB: tc.adminDB,
|
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("GET", "/foo", nil)
|
req := httptest.NewRequest("GET", "/foo", nil)
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -139,15 +143,14 @@ func TestPolicyAdminResponder_GetAuthorityPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
deploymentType string
|
adminDB admin.DB
|
||||||
adminDB admin.DB
|
body []byte
|
||||||
body []byte
|
ctx context.Context
|
||||||
ctx context.Context
|
acmeDB acme.DB
|
||||||
acmeDB acme.DB
|
err *admin.Error
|
||||||
err *admin.Error
|
policy *linkedca.Policy
|
||||||
policy *linkedca.Policy
|
statusCode int
|
||||||
statusCode int
|
|
||||||
}
|
}
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
"fail/linkedca": func(t *testing.T) test {
|
"fail/linkedca": func(t *testing.T) test {
|
||||||
|
@ -155,10 +158,10 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
|
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
|
||||||
|
@ -343,12 +346,8 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
auth: tc.auth,
|
par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
|
||||||
adminDB: tc.adminDB,
|
|
||||||
acmeDB: tc.acmeDB,
|
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -395,15 +394,14 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
deploymentType string
|
adminDB admin.DB
|
||||||
adminDB admin.DB
|
body []byte
|
||||||
body []byte
|
ctx context.Context
|
||||||
ctx context.Context
|
acmeDB acme.DB
|
||||||
acmeDB acme.DB
|
err *admin.Error
|
||||||
err *admin.Error
|
policy *linkedca.Policy
|
||||||
policy *linkedca.Policy
|
statusCode int
|
||||||
statusCode int
|
|
||||||
}
|
}
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
"fail/linkedca": func(t *testing.T) test {
|
"fail/linkedca": func(t *testing.T) test {
|
||||||
|
@ -411,10 +409,10 @@ func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
|
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
|
||||||
|
@ -606,12 +604,8 @@ func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
auth: tc.auth,
|
par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
|
||||||
adminDB: tc.adminDB,
|
|
||||||
acmeDB: tc.acmeDB,
|
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -658,14 +652,13 @@ func TestPolicyAdminResponder_UpdateAuthorityPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
deploymentType string
|
adminDB admin.DB
|
||||||
adminDB admin.DB
|
body []byte
|
||||||
body []byte
|
ctx context.Context
|
||||||
ctx context.Context
|
acmeDB acme.DB
|
||||||
acmeDB acme.DB
|
err *admin.Error
|
||||||
err *admin.Error
|
statusCode int
|
||||||
statusCode int
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
|
@ -674,10 +667,10 @@ func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
|
"fail/auth.GetAuthorityPolicy-error": func(t *testing.T) test {
|
||||||
|
@ -762,12 +755,8 @@ func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
auth: tc.auth,
|
par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
|
||||||
adminDB: tc.adminDB,
|
|
||||||
acmeDB: tc.acmeDB,
|
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -809,14 +798,13 @@ func TestPolicyAdminResponder_DeleteAuthorityPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
deploymentType string
|
adminDB admin.DB
|
||||||
adminDB admin.DB
|
ctx context.Context
|
||||||
ctx context.Context
|
acmeDB acme.DB
|
||||||
acmeDB acme.DB
|
err *admin.Error
|
||||||
err *admin.Error
|
policy *linkedca.Policy
|
||||||
policy *linkedca.Policy
|
statusCode int
|
||||||
statusCode int
|
|
||||||
}
|
}
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
"fail/linkedca": func(t *testing.T) test {
|
"fail/linkedca": func(t *testing.T) test {
|
||||||
|
@ -824,10 +812,10 @@ func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/prov-no-policy": func(t *testing.T) test {
|
"fail/prov-no-policy": func(t *testing.T) test {
|
||||||
|
@ -863,12 +851,8 @@ func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
auth: tc.auth,
|
par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
|
||||||
adminDB: tc.adminDB,
|
|
||||||
acmeDB: tc.acmeDB,
|
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("GET", "/foo", nil)
|
req := httptest.NewRequest("GET", "/foo", nil)
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -906,13 +890,13 @@ func TestPolicyAdminResponder_GetProvisionerPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
deploymentType string
|
adminDB admin.DB
|
||||||
body []byte
|
body []byte
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
err *admin.Error
|
err *admin.Error
|
||||||
policy *linkedca.Policy
|
policy *linkedca.Policy
|
||||||
statusCode int
|
statusCode int
|
||||||
}
|
}
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
"fail/linkedca": func(t *testing.T) test {
|
"fail/linkedca": func(t *testing.T) test {
|
||||||
|
@ -920,10 +904,10 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/existing-policy": func(t *testing.T) test {
|
"fail/existing-policy": func(t *testing.T) test {
|
||||||
|
@ -1067,10 +1051,8 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
auth: tc.auth,
|
par := NewPolicyAdminResponder(tc.auth, tc.adminDB, nil)
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -1117,13 +1099,13 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
deploymentType string
|
body []byte
|
||||||
body []byte
|
adminDB admin.DB
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
err *admin.Error
|
err *admin.Error
|
||||||
policy *linkedca.Policy
|
policy *linkedca.Policy
|
||||||
statusCode int
|
statusCode int
|
||||||
}
|
}
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
"fail/linkedca": func(t *testing.T) test {
|
"fail/linkedca": func(t *testing.T) test {
|
||||||
|
@ -1131,10 +1113,10 @@ func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/no-existing-policy": func(t *testing.T) test {
|
"fail/no-existing-policy": func(t *testing.T) test {
|
||||||
|
@ -1280,10 +1262,8 @@ func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
auth: tc.auth,
|
par := NewPolicyAdminResponder(tc.auth, tc.adminDB, nil)
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -1330,14 +1310,13 @@ func TestPolicyAdminResponder_UpdateProvisionerPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
auth adminAuthority
|
auth adminAuthority
|
||||||
deploymentType string
|
adminDB admin.DB
|
||||||
adminDB admin.DB
|
body []byte
|
||||||
body []byte
|
ctx context.Context
|
||||||
ctx context.Context
|
acmeDB acme.DB
|
||||||
acmeDB acme.DB
|
err *admin.Error
|
||||||
err *admin.Error
|
statusCode int
|
||||||
statusCode int
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
|
@ -1346,10 +1325,10 @@ func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/no-existing-policy": func(t *testing.T) test {
|
"fail/no-existing-policy": func(t *testing.T) test {
|
||||||
|
@ -1404,12 +1383,8 @@ func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
auth: tc.auth,
|
par := NewPolicyAdminResponder(tc.auth, tc.adminDB, tc.acmeDB)
|
||||||
adminDB: tc.adminDB,
|
|
||||||
acmeDB: tc.acmeDB,
|
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -1451,12 +1426,12 @@ func TestPolicyAdminResponder_DeleteProvisionerPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
deploymentType string
|
ctx context.Context
|
||||||
ctx context.Context
|
acmeDB acme.DB
|
||||||
acmeDB acme.DB
|
adminDB admin.DB
|
||||||
err *admin.Error
|
err *admin.Error
|
||||||
policy *linkedca.Policy
|
policy *linkedca.Policy
|
||||||
statusCode int
|
statusCode int
|
||||||
}
|
}
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
"fail/linkedca": func(t *testing.T) test {
|
"fail/linkedca": func(t *testing.T) test {
|
||||||
|
@ -1464,10 +1439,10 @@ func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/no-policy": func(t *testing.T) test {
|
"fail/no-policy": func(t *testing.T) test {
|
||||||
|
@ -1514,10 +1489,8 @@ func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
acmeDB: tc.acmeDB,
|
par := NewPolicyAdminResponder(nil, tc.adminDB, tc.acmeDB)
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("GET", "/foo", nil)
|
req := httptest.NewRequest("GET", "/foo", nil)
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -1555,13 +1528,13 @@ func TestPolicyAdminResponder_GetACMEAccountPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
deploymentType string
|
acmeDB acme.DB
|
||||||
acmeDB acme.DB
|
adminDB admin.DB
|
||||||
body []byte
|
body []byte
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
err *admin.Error
|
err *admin.Error
|
||||||
policy *linkedca.Policy
|
policy *linkedca.Policy
|
||||||
statusCode int
|
statusCode int
|
||||||
}
|
}
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
"fail/linkedca": func(t *testing.T) test {
|
"fail/linkedca": func(t *testing.T) test {
|
||||||
|
@ -1569,10 +1542,10 @@ func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/existing-policy": func(t *testing.T) test {
|
"fail/existing-policy": func(t *testing.T) test {
|
||||||
|
@ -1691,10 +1664,8 @@ func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
acmeDB: tc.acmeDB,
|
par := NewPolicyAdminResponder(nil, tc.adminDB, tc.acmeDB)
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -1741,13 +1712,13 @@ func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
deploymentType string
|
acmeDB acme.DB
|
||||||
acmeDB acme.DB
|
adminDB admin.DB
|
||||||
body []byte
|
body []byte
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
err *admin.Error
|
err *admin.Error
|
||||||
policy *linkedca.Policy
|
policy *linkedca.Policy
|
||||||
statusCode int
|
statusCode int
|
||||||
}
|
}
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
"fail/linkedca": func(t *testing.T) test {
|
"fail/linkedca": func(t *testing.T) test {
|
||||||
|
@ -1755,10 +1726,10 @@ func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/no-existing-policy": func(t *testing.T) test {
|
"fail/no-existing-policy": func(t *testing.T) test {
|
||||||
|
@ -1879,10 +1850,8 @@ func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
acmeDB: tc.acmeDB,
|
par := NewPolicyAdminResponder(nil, tc.adminDB, tc.acmeDB)
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
@ -1929,12 +1898,12 @@ func TestPolicyAdminResponder_UpdateACMEAccountPolicy(t *testing.T) {
|
||||||
|
|
||||||
func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
|
func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
deploymentType string
|
body []byte
|
||||||
body []byte
|
adminDB admin.DB
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
acmeDB acme.DB
|
acmeDB acme.DB
|
||||||
err *admin.Error
|
err *admin.Error
|
||||||
statusCode int
|
statusCode int
|
||||||
}
|
}
|
||||||
|
|
||||||
var tests = map[string]func(t *testing.T) test{
|
var tests = map[string]func(t *testing.T) test{
|
||||||
|
@ -1943,10 +1912,10 @@ func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
|
||||||
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
err := admin.NewError(admin.ErrorNotImplementedType, "policy operations not yet supported in linked deployments")
|
||||||
err.Message = "policy operations not yet supported in linked deployments"
|
err.Message = "policy operations not yet supported in linked deployments"
|
||||||
return test{
|
return test{
|
||||||
ctx: ctx,
|
ctx: ctx,
|
||||||
deploymentType: "linked",
|
adminDB: &fakeLinkedCA{},
|
||||||
err: err,
|
err: err,
|
||||||
statusCode: 501,
|
statusCode: 501,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/no-existing-policy": func(t *testing.T) test {
|
"fail/no-existing-policy": func(t *testing.T) test {
|
||||||
|
@ -2033,10 +2002,8 @@ func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
|
||||||
for name, prep := range tests {
|
for name, prep := range tests {
|
||||||
tc := prep(t)
|
tc := prep(t)
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
par := &PolicyAdminResponder{
|
|
||||||
acmeDB: tc.acmeDB,
|
par := NewPolicyAdminResponder(nil, tc.adminDB, tc.acmeDB)
|
||||||
deploymentType: tc.deploymentType,
|
|
||||||
}
|
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
req := httptest.NewRequest("POST", "/foo", io.NopCloser(bytes.NewBuffer(tc.body)))
|
||||||
req = req.WithContext(tc.ctx)
|
req = req.WithContext(tc.ctx)
|
||||||
|
|
|
@ -122,6 +122,13 @@ func newLinkedCAClient(token string) (*linkedCaClient, error) {
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsLinkedCA is a sentinel function that can be used to
|
||||||
|
// check if a linkedCaClient is the underlying type of an
|
||||||
|
// admin.DB interface.
|
||||||
|
func (c *linkedCaClient) IsLinkedCA() bool {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
func (c *linkedCaClient) Run() {
|
func (c *linkedCaClient) Run() {
|
||||||
c.renewer.Run()
|
c.renewer.Run()
|
||||||
}
|
}
|
||||||
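Review bot: `IsLinkedCA` is documented as a way to tell whether a linkedCaClient sits behind an admin.DB, but it reads no receiver state, so any value carrying a method of that name satisfies the check (the `fakeLinkedCA` test double earlier on this page presumably does exactly that), and a nil *linkedCaClient reports true as well. That is acceptable for a marker method, but the comment should say how the check is meant to be made so nobody calls it through admin.DB expecting a real answer. Suggested wording: `// IsLinkedCA is a marker method: callers detect a linked CA by asserting the admin.DB to an interface that declares IsLinkedCA() bool; the return value itself carries no information.`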
|
|
|
@ -15,8 +15,7 @@ import (
|
||||||
type policyErrorType int
|
type policyErrorType int
|
||||||
|
|
||||||
const (
|
const (
|
||||||
_ policyErrorType = iota
|
AdminLockOut policyErrorType = iota + 1
|
||||||
AdminLockOut
|
|
||||||
StoreFailure
|
StoreFailure
|
||||||
ReloadFailure
|
ReloadFailure
|
||||||
ConfigurationFailure
|
ConfigurationFailure
|
||||||
|
@ -345,7 +344,7 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
|
||||||
}
|
}
|
||||||
|
|
||||||
opts.X509.AllowWildcardLiteral = x509.AllowWildcardLiteral
|
opts.X509.AllowWildcardLiteral = x509.AllowWildcardLiteral
|
||||||
opts.X509.DisableSubjectCommonNameVerification = x509.DisableSubjectCommonNameVerification
|
opts.X509.DisableCommonNameVerification = x509.DisableSubjectCommonNameVerification
|
||||||
}
|
}
|
||||||
|
|
||||||
// fill ssh policy configuration
|
// fill ssh policy configuration
|
||||||
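Review bot: `AdminLockOut policyErrorType = iota + 1` reserves the zero value of policyErrorType without saying so, where the removed `_ policyErrorType = iota` line made the gap explicit; a one-line comment keeps the intent readable, e.g. `// zero is left unused so an unset policyErrorType is never mistaken for AdminLockOut`. In the second hunk of this file the assignment `opts.X509.DisableCommonNameVerification = x509.DisableSubjectCommonNameVerification` now maps a linkedca field onto a differently named option; a short comment there noting that the name mismatch is intentional would stop a later cleanup from "fixing" one side and breaking the mapping.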
|
|
|
@ -31,7 +31,7 @@ type X509PolicyOptionsInterface interface {
|
||||||
GetAllowedNameOptions() *X509NameOptions
|
GetAllowedNameOptions() *X509NameOptions
|
||||||
GetDeniedNameOptions() *X509NameOptions
|
GetDeniedNameOptions() *X509NameOptions
|
||||||
IsWildcardLiteralAllowed() bool
|
IsWildcardLiteralAllowed() bool
|
||||||
ShouldVerifySubjectCommonName() bool
|
ShouldVerifyCommonName() bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// X509PolicyOptions is a container for x509 allowed and denied
|
// X509PolicyOptions is a container for x509 allowed and denied
|
||||||
|
@ -39,15 +39,19 @@ type X509PolicyOptionsInterface interface {
|
||||||
type X509PolicyOptions struct {
|
type X509PolicyOptions struct {
|
||||||
// AllowedNames contains the x509 allowed names
|
// AllowedNames contains the x509 allowed names
|
||||||
AllowedNames *X509NameOptions `json:"allow,omitempty"`
|
AllowedNames *X509NameOptions `json:"allow,omitempty"`
|
||||||
|
|
||||||
// DeniedNames contains the x509 denied names
|
// DeniedNames contains the x509 denied names
|
||||||
DeniedNames *X509NameOptions `json:"deny,omitempty"`
|
DeniedNames *X509NameOptions `json:"deny,omitempty"`
|
||||||
|
|
||||||
// AllowWildcardLiteral indicates if literal wildcard names
|
// AllowWildcardLiteral indicates if literal wildcard names
|
||||||
// such as *.example.com and @example.com are allowed. Defaults
|
// such as *.example.com and @example.com are allowed. Defaults
|
||||||
// to false.
|
// to false.
|
||||||
AllowWildcardLiteral bool `json:"allow_wildcard_literal,omitempty"`
|
AllowWildcardLiteral bool `json:"allowWildcardLiteral,omitempty"`
|
||||||
// DisableSubjectCommonNameVerification indicates if the Subject Common Name
|
|
||||||
// is verified in addition to the SANs. Defaults to false.
|
// DisableCommonNameVerification indicates if the Subject Common Name
|
||||||
DisableSubjectCommonNameVerification bool `json:"disable_subject_common_name_verification,omitempty"`
|
// is verified in addition to the SANs. Defaults to false, resulting in
|
||||||
|
// Common Names being verified.
|
||||||
|
DisableCommonNameVerification bool `json:"disableCommonNameVerification,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// X509NameOptions models the X509 name policy configuration.
|
// X509NameOptions models the X509 name policy configuration.
|
||||||
|
@ -92,13 +96,13 @@ func (o *X509PolicyOptions) IsWildcardLiteralAllowed() bool {
|
||||||
return o.AllowWildcardLiteral
|
return o.AllowWildcardLiteral
|
||||||
}
|
}
|
||||||
|
|
||||||
// ShouldVerifySubjectCommonName returns whether the authority
|
// ShouldVerifyCommonName returns whether the authority
|
||||||
// should verify the Subject Common Name in addition to the SANs.
|
// should verify the Subject Common Name in addition to the SANs.
|
||||||
func (o *X509PolicyOptions) ShouldVerifySubjectCommonName() bool {
|
func (o *X509PolicyOptions) ShouldVerifyCommonName() bool {
|
||||||
if o == nil {
|
if o == nil {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
return !o.DisableSubjectCommonNameVerification
|
return !o.DisableCommonNameVerification
|
||||||
}
|
}
|
||||||
|
|
||||||
// SSHPolicyOptionsInterface is an interface for providers of
|
// SSHPolicyOptionsInterface is an interface for providers of
|
||||||
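Review bot: The JSON tags change from `allow_wildcard_literal` and `disable_subject_common_name_verification` to `allowWildcardLiteral` and `disableCommonNameVerification`, and nothing in this hunk accepts the old keys, so any stored or configured policy still using the snake_case names will decode with both fields false and no error (encoding/json drops unknown keys unless the decoder enables DisallowUnknownFields). Both fields fail closed when dropped (wildcard literals denied, Common Name verified), so the risk is availability rather than a policy bypass, but an operator who relied on `allow_wildcard_literal: true` would see issuance start failing with nothing pointing at the rename. If X509PolicyOptions is persisted anywhere, a migration or a deprecated alias for the old keys is needed, and the rename belongs in the release notes; this is a compatibility point rather than a defect in the code as written.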
|
|
|
@ -63,21 +63,21 @@ func TestX509PolicyOptions_ShouldVerifySubjectCommonName(t *testing.T) {
|
||||||
{
|
{
|
||||||
name: "set-true",
|
name: "set-true",
|
||||||
options: &X509PolicyOptions{
|
options: &X509PolicyOptions{
|
||||||
DisableSubjectCommonNameVerification: true,
|
DisableCommonNameVerification: true,
|
||||||
},
|
},
|
||||||
want: false,
|
want: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "set-false",
|
name: "set-false",
|
||||||
options: &X509PolicyOptions{
|
options: &X509PolicyOptions{
|
||||||
DisableSubjectCommonNameVerification: false,
|
DisableCommonNameVerification: false,
|
||||||
},
|
},
|
||||||
want: true,
|
want: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
if got := tt.options.ShouldVerifySubjectCommonName(); got != tt.want {
|
if got := tt.options.ShouldVerifyCommonName(); got != tt.want {
|
||||||
t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want)
|
t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
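Review bot: The test still carries the old method name: the function is `TestX509PolicyOptions_ShouldVerifySubjectCommonName` and the failure message reads `X509PolicyOptions.ShouldVerifySubjectCommonName()`, while the call under test is now `ShouldVerifyCommonName`, so a failure would point at a method that no longer exists. Rename the function to `TestX509PolicyOptions_ShouldVerifyCommonName` and change the message to `t.Errorf("X509PolicyOptions.ShouldVerifyCommonName() = %v, want %v", got, tt.want)`. The same stale name appears further down in the provisioner test `TestX509Options_ShouldVerifySubjectCommonName`, whose message additionally names the wrong type (`X509PolicyOptions` instead of `X509Options`); that one should read `t.Errorf("X509Options.ShouldVerifyCommonName() = %v, want %v", got, tt.want)`.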
|
|
|
@ -50,7 +50,7 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if policyOptions.ShouldVerifySubjectCommonName() {
|
if policyOptions.ShouldVerifyCommonName() {
|
||||||
options = append(options, policy.WithSubjectCommonNameVerification())
|
options = append(options, policy.WithSubjectCommonNameVerification())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -227,8 +227,8 @@ func Test_policyToCertificates(t *testing.T) {
|
||||||
AllowedNames: &policy.X509NameOptions{
|
AllowedNames: &policy.X509NameOptions{
|
||||||
DNSDomains: []string{"*.local"},
|
DNSDomains: []string{"*.local"},
|
||||||
},
|
},
|
||||||
AllowWildcardLiteral: false,
|
AllowWildcardLiteral: false,
|
||||||
DisableSubjectCommonNameVerification: false,
|
DisableCommonNameVerification: false,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -290,8 +290,8 @@ func Test_policyToCertificates(t *testing.T) {
|
||||||
EmailAddresses: []string{"badhost.example.com"},
|
EmailAddresses: []string{"badhost.example.com"},
|
||||||
URIDomains: []string{"https://badhost.local"},
|
URIDomains: []string{"https://badhost.local"},
|
||||||
},
|
},
|
||||||
AllowWildcardLiteral: true,
|
AllowWildcardLiteral: true,
|
||||||
DisableSubjectCommonNameVerification: false,
|
DisableCommonNameVerification: false,
|
||||||
},
|
},
|
||||||
SSH: &policy.SSHPolicyOptions{
|
SSH: &policy.SSHPolicyOptions{
|
||||||
Host: &policy.SSHHostCertificateOptions{
|
Host: &policy.SSHHostCertificateOptions{
|
||||||
|
@ -364,8 +364,8 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
|
||||||
DeniedNames: &policy.X509NameOptions{
|
DeniedNames: &policy.X509NameOptions{
|
||||||
DNSDomains: []string{"badhost.local"},
|
DNSDomains: []string{"badhost.local"},
|
||||||
},
|
},
|
||||||
AllowWildcardLiteral: true,
|
AllowWildcardLiteral: true,
|
||||||
DisableSubjectCommonNameVerification: false,
|
DisableCommonNameVerification: false,
|
||||||
})
|
})
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
@ -648,8 +648,8 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
|
||||||
DeniedNames: &policy.X509NameOptions{
|
DeniedNames: &policy.X509NameOptions{
|
||||||
DNSDomains: []string{"badhost.local"},
|
DNSDomains: []string{"badhost.local"},
|
||||||
},
|
},
|
||||||
AllowWildcardLiteral: true,
|
AllowWildcardLiteral: true,
|
||||||
DisableSubjectCommonNameVerification: false,
|
DisableCommonNameVerification: false,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -768,8 +768,8 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
|
||||||
DeniedNames: &policy.X509NameOptions{
|
DeniedNames: &policy.X509NameOptions{
|
||||||
DNSDomains: []string{"badhost.local"},
|
DNSDomains: []string{"badhost.local"},
|
||||||
},
|
},
|
||||||
AllowWildcardLiteral: true,
|
AllowWildcardLiteral: true,
|
||||||
DisableSubjectCommonNameVerification: false,
|
DisableCommonNameVerification: false,
|
||||||
},
|
},
|
||||||
SSH: &policy.SSHPolicyOptions{
|
SSH: &policy.SSHPolicyOptions{
|
||||||
Host: &policy.SSHHostCertificateOptions{
|
Host: &policy.SSHHostCertificateOptions{
|
||||||
|
|
|
@ -69,10 +69,12 @@ type X509Options struct {
|
||||||
// AllowWildcardLiteral indicates if literal wildcard names
|
// AllowWildcardLiteral indicates if literal wildcard names
|
||||||
// such as *.example.com and @example.com are allowed. Defaults
|
// such as *.example.com and @example.com are allowed. Defaults
|
||||||
// to false.
|
// to false.
|
||||||
AllowWildcardLiteral *bool `json:"-"`
|
AllowWildcardLiteral bool `json:"-"`
|
||||||
// VerifySubjectCommonName indicates if the Subject Common Name
|
|
||||||
// is verified in addition to the SANs. Defaults to true.
|
// DisableCommonNameVerification indicates if the Subject Common Name
|
||||||
VerifySubjectCommonName *bool `json:"-"`
|
// is verified in addition to the SANs. Defaults to false, resulting
|
||||||
|
// in Common Names to be verified.
|
||||||
|
DisableCommonNameVerification bool `json:"-"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// HasTemplate returns true if a template is defined in the provisioner options.
|
// HasTemplate returns true if a template is defined in the provisioner options.
|
||||||
|
@ -102,17 +104,14 @@ func (o *X509Options) IsWildcardLiteralAllowed() bool {
|
||||||
if o == nil {
|
if o == nil {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
return o.AllowWildcardLiteral != nil && *o.AllowWildcardLiteral
|
return o.AllowWildcardLiteral
|
||||||
}
|
}
|
||||||
|
|
||||||
func (o *X509Options) ShouldVerifySubjectCommonName() bool {
|
func (o *X509Options) ShouldVerifyCommonName() bool {
|
||||||
if o == nil {
|
if o == nil {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if o.VerifySubjectCommonName == nil {
|
return !o.DisableCommonNameVerification
|
||||||
return true
|
|
||||||
}
|
|
||||||
return *o.VerifySubjectCommonName
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// TemplateOptions generates a CertificateOptions with the template and data
|
// TemplateOptions generates a CertificateOptions with the template and data
|
||||||
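Review bot: The new doc comment on `DisableCommonNameVerification` ends with `resulting in Common Names to be verified`, which is ungrammatical; suggest `// is verified in addition to the SANs. Defaults to false, resulting in Common Names being verified.`. Collapsing the `*bool` tri-state into plain bools also removes the distinction between "unset" and "false"; for `DisableCommonNameVerification` that is harmless (unset and false both verify the CN, matching the removed nil branch), but for `AllowWildcardLiteral` a zero-valued X509Options now denies wildcard literals while the nil-receiver branch in `IsWildcardLiteralAllowed` still returns true, so the effective default depends on whether the options struct exists at all. That asymmetry predates this commit, but a why-comment at the nil branch's `return true` would help the next reader, since it is the permissive direction.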
|
|
|
@ -289,8 +289,6 @@ func Test_unsafeParseSigned(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestX509Options_IsWildcardLiteralAllowed(t *testing.T) {
|
func TestX509Options_IsWildcardLiteralAllowed(t *testing.T) {
|
||||||
trueValue := true
|
|
||||||
falseValue := false
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
options *X509Options
|
options *X509Options
|
||||||
|
@ -301,24 +299,17 @@ func TestX509Options_IsWildcardLiteralAllowed(t *testing.T) {
|
||||||
options: nil,
|
options: nil,
|
||||||
want: true,
|
want: true,
|
||||||
},
|
},
|
||||||
{
|
|
||||||
name: "nil",
|
|
||||||
options: &X509Options{
|
|
||||||
AllowWildcardLiteral: nil,
|
|
||||||
},
|
|
||||||
want: false,
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
name: "set-true",
|
name: "set-true",
|
||||||
options: &X509Options{
|
options: &X509Options{
|
||||||
AllowWildcardLiteral: &trueValue,
|
AllowWildcardLiteral: true,
|
||||||
},
|
},
|
||||||
want: true,
|
want: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "set-false",
|
name: "set-false",
|
||||||
options: &X509Options{
|
options: &X509Options{
|
||||||
AllowWildcardLiteral: &falseValue,
|
AllowWildcardLiteral: false,
|
||||||
},
|
},
|
||||||
want: false,
|
want: false,
|
||||||
},
|
},
|
||||||
|
@ -333,8 +324,6 @@ func TestX509Options_IsWildcardLiteralAllowed(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestX509Options_ShouldVerifySubjectCommonName(t *testing.T) {
|
func TestX509Options_ShouldVerifySubjectCommonName(t *testing.T) {
|
||||||
trueValue := true
|
|
||||||
falseValue := false
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
options *X509Options
|
options *X509Options
|
||||||
|
@ -345,31 +334,24 @@ func TestX509Options_ShouldVerifySubjectCommonName(t *testing.T) {
|
||||||
options: nil,
|
options: nil,
|
||||||
want: false,
|
want: false,
|
||||||
},
|
},
|
||||||
{
|
|
||||||
name: "nil",
|
|
||||||
options: &X509Options{
|
|
||||||
VerifySubjectCommonName: nil,
|
|
||||||
},
|
|
||||||
want: true,
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
name: "set-true",
|
name: "set-true",
|
||||||
options: &X509Options{
|
options: &X509Options{
|
||||||
VerifySubjectCommonName: &trueValue,
|
DisableCommonNameVerification: true,
|
||||||
},
|
},
|
||||||
want: true,
|
want: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "set-false",
|
name: "set-false",
|
||||||
options: &X509Options{
|
options: &X509Options{
|
||||||
VerifySubjectCommonName: &falseValue,
|
DisableCommonNameVerification: false,
|
||||||
},
|
},
|
||||||
want: false,
|
want: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
if got := tt.options.ShouldVerifySubjectCommonName(); got != tt.want {
|
if got := tt.options.ShouldVerifyCommonName(); got != tt.want {
|
||||||
t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want)
|
t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
@ -700,7 +700,7 @@ ZYtQ9Ot36qc=
|
||||||
AllowedNames: &policy.X509NameOptions{
|
AllowedNames: &policy.X509NameOptions{
|
||||||
DNSDomains: []string{"*.smallstep.com"},
|
DNSDomains: []string{"*.smallstep.com"},
|
||||||
},
|
},
|
||||||
DisableSubjectCommonNameVerification: true, // allows "smallstep test"
|
DisableCommonNameVerification: true, // TODO(hs): allows "smallstep test"; do we want to keep it like this?
|
||||||
}
|
}
|
||||||
engine, err := policy.NewX509PolicyEngine(policyOptions)
|
engine, err := policy.NewX509PolicyEngine(policyOptions)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
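Review bot: The fixture line `DisableCommonNameVerification: true, // TODO(hs): allows "smallstep test"; do we want to keep it like this?` leaves a policy decision open inside a test that switches Common Name verification off, and the answer should not live only in a TODO. Either keep the flag and replace the question with a statement of why the fixture's CN ("smallstep test") cannot fall under the allowed `*.smallstep.com` domain and so must bypass CN verification here, or change the fixture's CN to match the allowed domain and drop the flag so the test exercises the default, verifying path. The enclosing test function starts outside the hunk.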
|
|
2
ca/ca.go
2
ca/ca.go
|
@ -219,7 +219,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
|
||||||
adminDB := auth.GetAdminDatabase()
|
adminDB := auth.GetAdminDatabase()
|
||||||
if adminDB != nil {
|
if adminDB != nil {
|
||||||
acmeAdminResponder := adminAPI.NewACMEAdminResponder()
|
acmeAdminResponder := adminAPI.NewACMEAdminResponder()
|
||||||
policyAdminResponder := adminAPI.NewPolicyAdminResponder(auth, adminDB, acmeDB, cfg.AuthorityConfig.DeploymentType)
|
policyAdminResponder := adminAPI.NewPolicyAdminResponder(auth, adminDB, acmeDB)
|
||||||
adminHandler := adminAPI.NewHandler(auth, adminDB, acmeDB, acmeAdminResponder, policyAdminResponder)
|
adminHandler := adminAPI.NewHandler(auth, adminDB, acmeDB, acmeAdminResponder, policyAdminResponder)
|
||||||
mux.Route("/admin", func(r chi.Router) {
|
mux.Route("/admin", func(r chi.Router) {
|
||||||
adminHandler.Route(r)
|
adminHandler.Route(r)
|
||||||
|
|