2019-05-27 00:41:10 +00:00
|
|
|
package acme
|
|
|
|
|
|
|
|
import (
|
2020-05-07 03:18:12 +00:00
|
|
|
"context"
|
2019-05-27 00:41:10 +00:00
|
|
|
"crypto/x509"
|
|
|
|
"time"
|
|
|
|
|
2021-07-02 20:51:15 +00:00
|
|
|
"github.com/smallstep/certificates/authority"
|
2019-05-27 00:41:10 +00:00
|
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
|
|
|
)
|
|
|
|
|
2022-04-29 02:15:18 +00:00
|
|
|
// Clock that returns time in UTC rounded to seconds.
|
|
|
|
type Clock struct{}
|
|
|
|
|
|
|
|
// Now returns the UTC time rounded to seconds.
|
|
|
|
func (c *Clock) Now() time.Time {
|
|
|
|
return time.Now().UTC().Truncate(time.Second)
|
|
|
|
}
|
|
|
|
|
|
|
|
var clock Clock
|
|
|
|
|
2021-03-05 07:10:46 +00:00
|
|
|
// CertificateAuthority is the interface implemented by a CA authority.
|
|
|
|
type CertificateAuthority interface {
|
|
|
|
Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
|
2022-03-24 13:55:40 +00:00
|
|
|
AreSANsAllowed(ctx context.Context, sans []string) error
|
2021-11-26 16:27:42 +00:00
|
|
|
IsRevoked(sn string) (bool, error)
|
2021-07-02 20:51:15 +00:00
|
|
|
Revoke(context.Context, *authority.RevokeOptions) error
|
2021-05-03 19:48:20 +00:00
|
|
|
LoadProvisionerByName(string) (provisioner.Interface, error)
|
2021-03-05 07:10:46 +00:00
|
|
|
}
|
|
|
|
|
2022-04-29 02:15:18 +00:00
|
|
|
// NewContext adds the given acme components to the context.
|
|
|
|
func NewContext(ctx context.Context, db DB, client Client, linker Linker, fn PrerequisitesChecker) context.Context {
|
|
|
|
ctx = NewDatabaseContext(ctx, db)
|
|
|
|
ctx = NewClientContext(ctx, client)
|
|
|
|
ctx = NewLinkerContext(ctx, linker)
|
|
|
|
// Prerequisite checker is optional.
|
|
|
|
if fn != nil {
|
|
|
|
ctx = NewPrerequisitesCheckerContext(ctx, fn)
|
|
|
|
}
|
|
|
|
return ctx
|
|
|
|
}
|
2021-03-05 07:10:46 +00:00
|
|
|
|
2022-04-29 02:15:18 +00:00
|
|
|
// PrerequisitesChecker is a function that checks if all prerequisites for
|
|
|
|
// serving ACME are met by the CA configuration.
|
|
|
|
type PrerequisitesChecker func(ctx context.Context) (bool, error)
|
|
|
|
|
|
|
|
// DefaultPrerequisitesChecker is the default PrerequisiteChecker and returns
|
|
|
|
// always true.
|
2023-05-10 06:47:28 +00:00
|
|
|
func DefaultPrerequisitesChecker(context.Context) (bool, error) {
|
2022-04-29 02:15:18 +00:00
|
|
|
return true, nil
|
2021-03-05 07:10:46 +00:00
|
|
|
}
|
|
|
|
|
2022-04-29 02:15:18 +00:00
|
|
|
type prerequisitesKey struct{}
|
|
|
|
|
|
|
|
// NewPrerequisitesCheckerContext adds the given PrerequisitesChecker to the
|
|
|
|
// context.
|
|
|
|
func NewPrerequisitesCheckerContext(ctx context.Context, fn PrerequisitesChecker) context.Context {
|
|
|
|
return context.WithValue(ctx, prerequisitesKey{}, fn)
|
|
|
|
}
|
|
|
|
|
|
|
|
// PrerequisitesCheckerFromContext returns the PrerequisitesChecker in the
|
|
|
|
// context.
|
|
|
|
func PrerequisitesCheckerFromContext(ctx context.Context) (PrerequisitesChecker, bool) {
|
|
|
|
fn, ok := ctx.Value(prerequisitesKey{}).(PrerequisitesChecker)
|
|
|
|
return fn, ok && fn != nil
|
|
|
|
}
|
2021-03-05 07:10:46 +00:00
|
|
|
|
2020-05-20 01:44:55 +00:00
|
|
|
// Provisioner is an interface that implements a subset of the provisioner.Interface --
|
|
|
|
// only those methods required by the ACME api/authority.
|
|
|
|
type Provisioner interface {
|
2022-03-08 13:17:59 +00:00
|
|
|
AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error
|
2020-05-20 01:44:55 +00:00
|
|
|
AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
|
2021-07-09 22:28:31 +00:00
|
|
|
AuthorizeRevoke(ctx context.Context, token string) error
|
2022-09-08 20:22:35 +00:00
|
|
|
IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool
|
2022-09-09 00:38:05 +00:00
|
|
|
IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
|
2022-09-16 01:19:52 +00:00
|
|
|
GetAttestationRoots() (*x509.CertPool, bool)
|
2021-02-28 01:05:37 +00:00
|
|
|
GetID() string
|
2020-05-20 01:44:55 +00:00
|
|
|
GetName() string
|
|
|
|
DefaultTLSCertDuration() time.Duration
|
2020-07-23 01:24:45 +00:00
|
|
|
GetOptions() *provisioner.Options
|
2020-05-20 01:44:55 +00:00
|
|
|
}
|
|
|
|
|
2022-04-29 02:15:18 +00:00
|
|
|
type provisionerKey struct{}
|
|
|
|
|
|
|
|
// NewProvisionerContext adds the given provisioner to the context.
|
|
|
|
func NewProvisionerContext(ctx context.Context, v Provisioner) context.Context {
|
|
|
|
return context.WithValue(ctx, provisionerKey{}, v)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ProvisionerFromContext returns the current provisioner from the given context.
|
|
|
|
func ProvisionerFromContext(ctx context.Context) (v Provisioner, ok bool) {
|
|
|
|
v, ok = ctx.Value(provisionerKey{}).(Provisioner)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-11-29 04:58:58 +00:00
|
|
|
// MustProvisionerFromContext returns the current provisioner from the given context.
|
2022-04-29 02:15:18 +00:00
|
|
|
// It will panic if it's not in the context.
|
|
|
|
func MustProvisionerFromContext(ctx context.Context) Provisioner {
|
2023-11-29 04:58:58 +00:00
|
|
|
var (
|
|
|
|
v Provisioner
|
|
|
|
ok bool
|
|
|
|
)
|
|
|
|
if v, ok = ProvisionerFromContext(ctx); !ok {
|
2022-04-29 02:15:18 +00:00
|
|
|
panic("acme provisioner is not the context")
|
|
|
|
}
|
2023-11-29 04:58:58 +00:00
|
|
|
return v
|
2022-04-29 02:15:18 +00:00
|
|
|
}
|
|
|
|
|
2020-05-20 01:44:55 +00:00
|
|
|
// MockProvisioner for testing
|
|
|
|
type MockProvisioner struct {
|
2022-01-03 11:25:24 +00:00
|
|
|
Mret1 interface{}
|
|
|
|
Merr error
|
|
|
|
MgetID func() string
|
|
|
|
MgetName func() string
|
2022-03-08 13:17:59 +00:00
|
|
|
MauthorizeOrderIdentifier func(ctx context.Context, identifier provisioner.ACMEIdentifier) error
|
2022-01-03 11:25:24 +00:00
|
|
|
MauthorizeSign func(ctx context.Context, ott string) ([]provisioner.SignOption, error)
|
|
|
|
MauthorizeRevoke func(ctx context.Context, token string) error
|
2022-09-09 00:38:05 +00:00
|
|
|
MisChallengeEnabled func(ctx context.Context, challenge provisioner.ACMEChallenge) bool
|
|
|
|
MisAttFormatEnabled func(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
|
2022-09-16 01:19:52 +00:00
|
|
|
MgetAttestationRoots func() (*x509.CertPool, bool)
|
2022-01-03 11:25:24 +00:00
|
|
|
MdefaultTLSCertDuration func() time.Duration
|
|
|
|
MgetOptions func() *provisioner.Options
|
2020-05-20 01:44:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// GetName mock
|
|
|
|
func (m *MockProvisioner) GetName() string {
|
|
|
|
if m.MgetName != nil {
|
|
|
|
return m.MgetName()
|
|
|
|
}
|
|
|
|
return m.Mret1.(string)
|
|
|
|
}
|
|
|
|
|
2022-01-03 11:25:24 +00:00
|
|
|
// AuthorizeOrderIdentifiers mock
|
2022-03-08 13:17:59 +00:00
|
|
|
func (m *MockProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error {
|
2022-01-03 11:25:24 +00:00
|
|
|
if m.MauthorizeOrderIdentifier != nil {
|
|
|
|
return m.MauthorizeOrderIdentifier(ctx, identifier)
|
|
|
|
}
|
|
|
|
return m.Merr
|
|
|
|
}
|
|
|
|
|
2020-05-20 01:44:55 +00:00
|
|
|
// AuthorizeSign mock
|
|
|
|
func (m *MockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]provisioner.SignOption, error) {
|
|
|
|
if m.MauthorizeSign != nil {
|
|
|
|
return m.MauthorizeSign(ctx, ott)
|
|
|
|
}
|
|
|
|
return m.Mret1.([]provisioner.SignOption), m.Merr
|
|
|
|
}
|
|
|
|
|
2021-07-09 22:28:31 +00:00
|
|
|
// AuthorizeRevoke mock
|
|
|
|
func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, token string) error {
|
|
|
|
if m.MauthorizeRevoke != nil {
|
|
|
|
return m.MauthorizeRevoke(ctx, token)
|
|
|
|
}
|
|
|
|
return m.Merr
|
|
|
|
}
|
|
|
|
|
2022-09-09 00:38:05 +00:00
|
|
|
// IsChallengeEnabled mock
|
2022-09-08 20:22:35 +00:00
|
|
|
func (m *MockProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool {
|
|
|
|
if m.MisChallengeEnabled != nil {
|
|
|
|
return m.MisChallengeEnabled(ctx, challenge)
|
2022-08-24 00:11:40 +00:00
|
|
|
}
|
2022-09-08 20:22:35 +00:00
|
|
|
return m.Merr == nil
|
2022-08-24 00:11:40 +00:00
|
|
|
}
|
|
|
|
|
2022-09-09 00:38:05 +00:00
|
|
|
// IsAttestationFormatEnabled mock
|
|
|
|
func (m *MockProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool {
|
|
|
|
if m.MisAttFormatEnabled != nil {
|
|
|
|
return m.MisAttFormatEnabled(ctx, format)
|
|
|
|
}
|
|
|
|
return m.Merr == nil
|
|
|
|
}
|
|
|
|
|
2022-09-16 01:19:52 +00:00
|
|
|
func (m *MockProvisioner) GetAttestationRoots() (*x509.CertPool, bool) {
|
|
|
|
if m.MgetAttestationRoots != nil {
|
|
|
|
return m.MgetAttestationRoots()
|
|
|
|
}
|
|
|
|
return m.Mret1.(*x509.CertPool), m.Mret1 != nil
|
|
|
|
}
|
|
|
|
|
2020-05-20 01:44:55 +00:00
|
|
|
// DefaultTLSCertDuration mock
|
|
|
|
func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration {
|
|
|
|
if m.MdefaultTLSCertDuration != nil {
|
|
|
|
return m.MdefaultTLSCertDuration()
|
|
|
|
}
|
|
|
|
return m.Mret1.(time.Duration)
|
|
|
|
}
|
|
|
|
|
2021-02-28 01:05:37 +00:00
|
|
|
// GetOptions mock
|
2020-07-23 01:24:45 +00:00
|
|
|
func (m *MockProvisioner) GetOptions() *provisioner.Options {
|
2020-07-21 02:01:43 +00:00
|
|
|
if m.MgetOptions != nil {
|
|
|
|
return m.MgetOptions()
|
|
|
|
}
|
2020-07-23 01:24:45 +00:00
|
|
|
return m.Mret1.(*provisioner.Options)
|
2020-07-21 02:01:43 +00:00
|
|
|
}
|
|
|
|
|
2021-02-28 01:05:37 +00:00
|
|
|
// GetID mock
|
|
|
|
func (m *MockProvisioner) GetID() string {
|
|
|
|
if m.MgetID != nil {
|
|
|
|
return m.MgetID()
|
|
|
|
}
|
|
|
|
return m.Mret1.(string)
|
|
|
|
}
|