forked from TrueCloudLab/certificates
Use scep authority from context
This commit also converts all the methods from the handler to functions.
This commit is contained in:
Mariano Cano
parent
688f9ceb56
commit
42435ace64
2 changed files with 42 additions and 42 deletions
|
|
@ -84,7 +84,7 @@ func newOptionsContext(ctx context.Context, o *HandlerOptions) context.Context {
|
|||
func optionsFromContext(ctx context.Context) *HandlerOptions {
|
||||
o, ok := ctx.Value(optionsKey{}).(*HandlerOptions)
|
||||
if !ok {
|
||||
panic("handler options are not in the context")
|
||||
panic("acme options are not in the context")
|
||||
}
|
||||
return o
|
||||
}
|
||||
|
|
|
|||
|
|
@ -48,29 +48,32 @@ type response struct {
|
|||
}
|
||||
|
||||
// handler is the SCEP request handler.
|
||||
type handler struct {
|
||||
auth *scep.Authority
|
||||
type handler struct{}
|
||||
|
||||
// Route traffic and implement the Router interface.
|
||||
//
|
||||
// Deprecated: use scep.Route(r api.Router)
|
||||
func (h *handler) Route(r api.Router) {
|
||||
Route(r)
|
||||
}
|
||||
|
||||
// New returns a new SCEP API router.
|
||||
//
|
||||
// Deprecated: use scep.Route(r api.Router)
|
||||
func New(auth *scep.Authority) api.RouterHandler {
|
||||
return &handler{
|
||||
auth: auth,
|
||||
}
|
||||
return &handler{}
|
||||
}
|
||||
|
||||
// Route traffic and implement the Router interface.
|
||||
func (h *handler) Route(r api.Router) {
|
||||
getLink := h.auth.GetLinkExplicit
|
||||
r.MethodFunc(http.MethodGet, getLink("{provisionerName}/*", false, nil), h.lookupProvisioner(h.Get))
|
||||
r.MethodFunc(http.MethodGet, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Get))
|
||||
r.MethodFunc(http.MethodPost, getLink("{provisionerName}/*", false, nil), h.lookupProvisioner(h.Post))
|
||||
r.MethodFunc(http.MethodPost, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Post))
|
||||
func Route(r api.Router) {
|
||||
r.MethodFunc(http.MethodGet, "/{provisionerName}/*", lookupProvisioner(Get))
|
||||
r.MethodFunc(http.MethodGet, "/{provisionerName}", lookupProvisioner(Get))
|
||||
r.MethodFunc(http.MethodPost, "/{provisionerName}/*", lookupProvisioner(Post))
|
||||
r.MethodFunc(http.MethodPost, "/{provisionerName}", lookupProvisioner(Post))
|
||||
}
|
||||
|
||||
// Get handles all SCEP GET requests
|
||||
func (h *handler) Get(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
func Get(w http.ResponseWriter, r *http.Request) {
|
||||
req, err := decodeRequest(r)
|
||||
if err != nil {
|
||||
fail(w, fmt.Errorf("invalid scep get request: %w", err))
|
||||
|
|
@ -82,9 +85,9 @@ func (h *handler) Get(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
switch req.Operation {
|
||||
case opnGetCACert:
|
||||
res, err = h.GetCACert(ctx)
|
||||
res, err = GetCACert(ctx)
|
||||
case opnGetCACaps:
|
||||
res, err = h.GetCACaps(ctx)
|
||||
res, err = GetCACaps(ctx)
|
||||
case opnPKIOperation:
|
||||
// TODO: implement the GET for PKI operation? Default CACAPS doesn't specify this is in use, though
|
||||
default:
|
||||
|
|
@ -100,20 +103,17 @@ func (h *handler) Get(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
// Post handles all SCEP POST requests
|
||||
func (h *handler) Post(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
func Post(w http.ResponseWriter, r *http.Request) {
|
||||
req, err := decodeRequest(r)
|
||||
if err != nil {
|
||||
fail(w, fmt.Errorf("invalid scep post request: %w", err))
|
||||
return
|
||||
}
|
||||
|
||||
ctx := r.Context()
|
||||
var res response
|
||||
|
||||
switch req.Operation {
|
||||
case opnPKIOperation:
|
||||
res, err = h.PKIOperation(ctx, req)
|
||||
res, err = PKIOperation(r.Context(), req)
|
||||
default:
|
||||
err = fmt.Errorf("unknown operation: %s", req.Operation)
|
||||
}
|
||||
|
|
@ -127,7 +127,6 @@ func (h *handler) Post(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
func decodeRequest(r *http.Request) (request, error) {
|
||||
|
||||
defer r.Body.Close()
|
||||
|
||||
method := r.Method
|
||||
|
|
@ -179,9 +178,8 @@ func decodeRequest(r *http.Request) (request, error) {
|
|||
|
||||
// lookupProvisioner loads the provisioner associated with the request.
|
||||
// Responds 404 if the provisioner does not exist.
|
||||
func (h *handler) lookupProvisioner(next http.HandlerFunc) http.HandlerFunc {
|
||||
func lookupProvisioner(next http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
name := chi.URLParam(r, "provisionerName")
|
||||
provisionerName, err := url.PathUnescape(name)
|
||||
if err != nil {
|
||||
|
|
@ -189,7 +187,9 @@ func (h *handler) lookupProvisioner(next http.HandlerFunc) http.HandlerFunc {
|
|||
return
|
||||
}
|
||||
|
||||
p, err := h.auth.LoadProvisionerByName(provisionerName)
|
||||
ctx := r.Context()
|
||||
auth := scep.MustFromContext(ctx)
|
||||
p, err := auth.LoadProvisionerByName(provisionerName)
|
||||
if err != nil {
|
||||
fail(w, err)
|
||||
return
|
||||
|
|
@ -201,16 +201,15 @@ func (h *handler) lookupProvisioner(next http.HandlerFunc) http.HandlerFunc {
|
|||
return
|
||||
}
|
||||
|
||||
ctx := r.Context()
|
||||
ctx = context.WithValue(ctx, scep.ProvisionerContextKey, scep.Provisioner(prov))
|
||||
next(w, r.WithContext(ctx))
|
||||
}
|
||||
}
|
||||
|
||||
// GetCACert returns the CA certificates in a SCEP response
|
||||
func (h *handler) GetCACert(ctx context.Context) (response, error) {
|
||||
|
||||
certs, err := h.auth.GetCACertificates(ctx)
|
||||
func GetCACert(ctx context.Context) (response, error) {
|
||||
auth := scep.MustFromContext(ctx)
|
||||
certs, err := auth.GetCACertificates(ctx)
|
||||
if err != nil {
|
||||
return response{}, err
|
||||
}
|
||||
|
|
@ -241,9 +240,9 @@ func (h *handler) GetCACert(ctx context.Context) (response, error) {
|
|||
}
|
||||
|
||||
// GetCACaps returns the CA capabilities in a SCEP response
|
||||
func (h *handler) GetCACaps(ctx context.Context) (response, error) {
|
||||
|
||||
caps := h.auth.GetCACaps(ctx)
|
||||
func GetCACaps(ctx context.Context) (response, error) {
|
||||
auth := scep.MustFromContext(ctx)
|
||||
caps := auth.GetCACaps(ctx)
|
||||
|
||||
res := response{
|
||||
Operation: opnGetCACaps,
|
||||
|
|
@ -254,8 +253,7 @@ func (h *handler) GetCACaps(ctx context.Context) (response, error) {
|
|||
}
|
||||
|
||||
// PKIOperation performs PKI operations and returns a SCEP response
|
||||
func (h *handler) PKIOperation(ctx context.Context, req request) (response, error) {
|
||||
|
||||
func PKIOperation(ctx context.Context, req request) (response, error) {
|
||||
// parse the message using microscep implementation
|
||||
microMsg, err := microscep.ParsePKIMessage(req.Message)
|
||||
if err != nil {
|
||||
|
|
@ -280,7 +278,8 @@ func (h *handler) PKIOperation(ctx context.Context, req request) (response, erro
|
|||
P7: p7,
|
||||
}
|
||||
|
||||
if err := h.auth.DecryptPKIEnvelope(ctx, msg); err != nil {
|
||||
auth := scep.MustFromContext(ctx)
|
||||
if err := auth.DecryptPKIEnvelope(ctx, msg); err != nil {
|
||||
return response{}, err
|
||||
}
|
||||
|
||||
|
|
@ -293,13 +292,13 @@ func (h *handler) PKIOperation(ctx context.Context, req request) (response, erro
|
|||
// a certificate exists; then it will use RenewalReq. Adding the challenge check here may be a small breaking change for clients.
|
||||
// We'll have to see how it works out.
|
||||
if msg.MessageType == microscep.PKCSReq || msg.MessageType == microscep.RenewalReq {
|
||||
challengeMatches, err := h.auth.MatchChallengePassword(ctx, msg.CSRReqMessage.ChallengePassword)
|
||||
challengeMatches, err := auth.MatchChallengePassword(ctx, msg.CSRReqMessage.ChallengePassword)
|
||||
if err != nil {
|
||||
return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, errors.New("error when checking password"))
|
||||
return createFailureResponse(ctx, csr, msg, microscep.BadRequest, errors.New("error when checking password"))
|
||||
}
|
||||
if !challengeMatches {
|
||||
// TODO: can this be returned safely to the client? In the end, if the password was correct, that gains a bit of info too.
|
||||
return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, errors.New("wrong password provided"))
|
||||
return createFailureResponse(ctx, csr, msg, microscep.BadRequest, errors.New("wrong password provided"))
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -311,9 +310,9 @@ func (h *handler) PKIOperation(ctx context.Context, req request) (response, erro
|
|||
// Authentication by the (self-signed) certificate with an optional challenge is required; supporting renewals incl. verification
|
||||
// of the client cert is not.
|
||||
|
||||
certRep, err := h.auth.SignCSR(ctx, csr, msg)
|
||||
certRep, err := auth.SignCSR(ctx, csr, msg)
|
||||
if err != nil {
|
||||
return h.createFailureResponse(ctx, csr, msg, microscep.BadRequest, fmt.Errorf("error when signing new certificate: %w", err))
|
||||
return createFailureResponse(ctx, csr, msg, microscep.BadRequest, fmt.Errorf("error when signing new certificate: %w", err))
|
||||
}
|
||||
|
||||
res := response{
|
||||
|
|
@ -350,8 +349,9 @@ func fail(w http.ResponseWriter, err error) {
|
|||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
}
|
||||
|
||||
func (h *handler) createFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *scep.PKIMessage, info microscep.FailInfo, failError error) (response, error) {
|
||||
certRepMsg, err := h.auth.CreateFailureResponse(ctx, csr, msg, scep.FailInfoName(info), failError.Error())
|
||||
func createFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *scep.PKIMessage, info microscep.FailInfo, failError error) (response, error) {
|
||||
auth := scep.MustFromContext(ctx)
|
||||
certRepMsg, err := auth.CreateFailureResponse(ctx, csr, msg, scep.FailInfoName(info), failError.Error())
|
||||
if err != nil {
|
||||
return response{}, err
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue