forked from TrueCloudLab/certificates
acme: Return 501 for the key-change route
RFC 8555 § 7.3.5 is not listed as optional but we do not currently support it. Rather than 404, return a 501 to inform clients that this functionality is not yet implemented. The notImplmented error type is not an official error registered in the ietf:params:acme:error namespace, so prefix if with step:acme:error. An ACME server is allowed to return other errors and clients should display the message detail to users. Fixes: https://github.com/smallstep/certificates/issues/209
This commit is contained in:
David Cowden
parent
ab0f2aedcc
commit
b26e6e42b3
2 changed files with 40 additions and 1 deletions
|
|
@ -59,6 +59,7 @@ func (h *Handler) Route(r api.Router) {
|
|||
|
||||
r.MethodFunc("POST", getLink(acme.NewAccountLink, "{provisionerID}", false, nil), extractPayloadByJWK(h.NewAccount))
|
||||
r.MethodFunc("POST", getLink(acme.AccountLink, "{provisionerID}", false, nil, "{accID}"), extractPayloadByKid(h.GetUpdateAccount))
|
||||
r.MethodFunc("POST", getLink(acme.KeyChangeLink, "{provisionerID}", false, nil, "{accID}"), extractPayloadByKid(h.NotImplemented))
|
||||
r.MethodFunc("POST", getLink(acme.NewOrderLink, "{provisionerID}", false, nil), extractPayloadByKid(h.NewOrder))
|
||||
r.MethodFunc("POST", getLink(acme.OrderLink, "{provisionerID}", false, nil, "{ordID}"), extractPayloadByKid(h.isPostAsGet(h.GetOrder)))
|
||||
r.MethodFunc("POST", getLink(acme.OrdersByAccountLink, "{provisionerID}", false, nil, "{accID}"), extractPayloadByKid(h.isPostAsGet(h.GetOrdersByAccount)))
|
||||
|
|
@ -66,6 +67,7 @@ func (h *Handler) Route(r api.Router) {
|
|||
r.MethodFunc("POST", getLink(acme.AuthzLink, "{provisionerID}", false, nil, "{authzID}"), extractPayloadByKid(h.isPostAsGet(h.GetAuthz)))
|
||||
r.MethodFunc("POST", getLink(acme.ChallengeLink, "{provisionerID}", false, nil, "{chID}"), extractPayloadByKid(h.GetChallenge))
|
||||
r.MethodFunc("POST", getLink(acme.CertificateLink, "{provisionerID}", false, nil, "{certID}"), extractPayloadByKid(h.isPostAsGet(h.GetCertificate)))
|
||||
|
||||
}
|
||||
|
||||
// GetNonce just sets the right header since a Nonce is added to each response
|
||||
|
|
@ -89,6 +91,11 @@ func (h *Handler) GetDirectory(w http.ResponseWriter, r *http.Request) {
|
|||
api.JSON(w, dir)
|
||||
}
|
||||
|
||||
// NotImplemented returns a 501. This is a place holder for future functionality.
|
||||
func (h *Handler) NotImplemented(w http.ResponseWriter, r *http.Request) {
|
||||
api.WriteError(w, acme.NotImplemented(nil).ToACME())
|
||||
}
|
||||
|
||||
// GetAuthz ACME api for retrieving an Authz.
|
||||
func (h *Handler) GetAuthz(w http.ResponseWriter, r *http.Request) {
|
||||
acc, err := acme.AccountFromContext(r.Context())
|
||||
|
|
|
|||
|
|
@ -194,6 +194,16 @@ func ServerInternalErr(err error) *Error {
|
|||
}
|
||||
}
|
||||
|
||||
// NotImplemented returns a new acme error.
|
||||
func NotImplemented(err error) *Error {
|
||||
return &Error{
|
||||
Type: notImplemented,
|
||||
Detail: "The requested operation is not implemented",
|
||||
Status: 501,
|
||||
Err: err,
|
||||
}
|
||||
}
|
||||
|
||||
// TLSErr returns a new acme error.
|
||||
func TLSErr(err error) *Error {
|
||||
return &Error{
|
||||
|
|
@ -296,6 +306,8 @@ const (
|
|||
unsupportedIdentifierErr
|
||||
// Visit the “instance” URL and take actions specified there
|
||||
userActionRequiredErr
|
||||
// The operation is not implemented
|
||||
notImplemented
|
||||
)
|
||||
|
||||
// String returns the string representation of the acme problem type,
|
||||
|
|
@ -350,6 +362,8 @@ func (ap ProbType) String() string {
|
|||
return "unsupportedIdentifier"
|
||||
case userActionRequiredErr:
|
||||
return "userActionRequired"
|
||||
case notImplemented:
|
||||
return "notImplemented"
|
||||
default:
|
||||
return "unsupported type"
|
||||
}
|
||||
|
|
@ -398,10 +412,28 @@ func (e *Error) Cause() error {
|
|||
return e.Err
|
||||
}
|
||||
|
||||
// Official returns true if this error is registered with the IETF.
|
||||
//
|
||||
// The RFC says:
|
||||
//
|
||||
// This list is not exhaustive. The server MAY return errors whose
|
||||
// "type" field is set to a URI other than those defined above. Servers
|
||||
// MUST NOT use the ACME URN namespace for errors not listed in the
|
||||
// appropriate IANA registry (see Section 9.6). Clients SHOULD display
|
||||
// the "detail" field of all errors.
|
||||
//
|
||||
func (e *Error) Official() bool {
|
||||
return e.Type != notImplemented
|
||||
}
|
||||
|
||||
// ToACME returns an acme representation of the problem type.
|
||||
func (e *Error) ToACME() *AError {
|
||||
prefix := "urn:step:acme:error"
|
||||
if e.Official() {
|
||||
prefix = "urn:ietf:params:acme:error:"
|
||||
}
|
||||
ae := &AError{
|
||||
Type: "urn:ietf:params:acme:error:" + e.Type.String(),
|
||||
Type: prefix + e.Type.String(),
|
||||
Detail: e.Error(),
|
||||
Status: e.Status,
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue