smallstep-certificates/acme/account.go

package acme

import (
	"crypto"
	"encoding/base64"
	"encoding/json"
	"time"

	"go.step.sm/crypto/jose"
)

// Account is a subset of the internal account type containing only those
// attributes required for responses in the ACME protocol.
type Account struct {
	ID                     string           `json:"-"`
	Key                    *jose.JSONWebKey `json:"-"`
	Contact                []string         `json:"contact,omitempty"`
	Status                 Status           `json:"status"`
	OrdersURL              string           `json:"orders"`
	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
}

// ToLog enables response logging.
func (a *Account) ToLog() (interface{}, error) {
	b, err := json.Marshal(a)
	if err != nil {
		return nil, WrapErrorISE(err, "error marshaling account for logging")
	}
	return string(b), nil
}

// IsValid returns true if the Account is valid.
func (a *Account) IsValid() bool {
	return Status(a.Status) == StatusValid
}

// KeyToID converts a JWK to a thumbprint.
func KeyToID(jwk *jose.JSONWebKey) (string, error) {
	kid, err := jwk.Thumbprint(crypto.SHA256)
	if err != nil {
		return "", WrapErrorISE(err, "error generating jwk thumbprint")
	}
	return base64.RawURLEncoding.EncodeToString(kid), nil
}

// ExternalAccountKey is an ACME External Account Binding key.
type ExternalAccountKey struct {
	ID            string    `json:"id"`
	ProvisionerID string    `json:"provisionerID"`
	Reference     string    `json:"reference"`
	AccountID     string    `json:"-"`
	KeyBytes      []byte    `json:"-"`
	CreatedAt     time.Time `json:"createdAt"`
	BoundAt       time.Time `json:"boundAt,omitempty"`
}

// AlreadyBound returns whether this EAK is already bound to
// an ACME Account or not.
func (eak *ExternalAccountKey) AlreadyBound() bool {
	return !eak.BoundAt.IsZero()
}

// BindTo binds the EAK to an Account.
// It returns an error if it's already bound.
func (eak *ExternalAccountKey) BindTo(account *Account) error {
	if eak.AlreadyBound() {
		return NewError(ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", eak.ID, eak.AccountID, eak.BoundAt)
	}
	eak.AccountID = account.ID
	eak.BoundAt = time.Now()
	eak.KeyBytes = []byte{} // clearing the key bytes; can only be used once
	return nil
}
Add new directory structure 2021-02-25 18:24:24 +00:00			`package acme`

			`import (`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`"crypto"`
			`"encoding/base64"`
Add new directory structure 2021-02-25 18:24:24 +00:00			`"encoding/json"`
Add first working version of External Account Binding 2021-07-17 15:35:44 +00:00			`"time"`
Add new directory structure 2021-02-25 18:24:24 +00:00
			`"go.step.sm/crypto/jose"`
			`)`

			`// Account is a subset of the internal account type containing only those`
			`// attributes required for responses in the ACME protocol.`
			`type Account struct {`
Add External Accounting Binding key "BoundAt" marking 2021-07-17 17:02:47 +00:00			ID string `json:"-"`
			Key *jose.JSONWebKey `json:"-"`
			Contact []string `json:"contact,omitempty"`
			Status Status `json:"status"`
			OrdersURL string `json:"orders"`
			ExternalAccountBinding interface{} `json:"externalAccountBinding,omitempty"`
Add new directory structure 2021-02-25 18:24:24 +00:00			`}`

			`// ToLog enables response logging.`
			`func (a *Account) ToLog() (interface{}, error) {`
			`b, err := json.Marshal(a)`
			`if err != nil {`
[acme db interface] wip 2021-03-05 07:10:46 +00:00			`return nil, WrapErrorISE(err, "error marshaling account for logging")`
Add new directory structure 2021-02-25 18:24:24 +00:00			`}`
			`return string(b), nil`
			`}`

			`// IsValid returns true if the Account is valid.`
			`func (a *Account) IsValid() bool {`
[acme db interface] wip 2021-02-28 18:09:06 +00:00			`return Status(a.Status) == StatusValid`
Add new directory structure 2021-02-25 18:24:24 +00:00			`}`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00
			`// KeyToID converts a JWK to a thumbprint.`
			`func KeyToID(jwk *jose.JSONWebKey) (string, error) {`
			`kid, err := jwk.Thumbprint(crypto.SHA256)`
			`if err != nil {`
[acme db interface] wip 2021-03-05 07:10:46 +00:00			`return "", WrapErrorISE(err, "error generating jwk thumbprint")`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`}`
			`return base64.RawURLEncoding.EncodeToString(kid), nil`
			`}`
Add first working version of External Account Binding 2021-07-17 15:35:44 +00:00
Improve tests for already bound EAB keys 2021-10-08 11:18:23 +00:00			`// ExternalAccountKey is an ACME External Account Binding key.`
Add first working version of External Account Binding 2021-07-17 15:35:44 +00:00			`type ExternalAccountKey struct {`
Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time. 2022-01-07 15:59:55 +00:00			ID string `json:"id"`
			ProvisionerID string `json:"provisionerID"`
			Reference string `json:"reference"`
			AccountID string `json:"-"`
			KeyBytes []byte `json:"-"`
			CreatedAt time.Time `json:"createdAt"`
			BoundAt time.Time `json:"boundAt,omitempty"`
Add first working version of External Account Binding 2021-07-17 15:35:44 +00:00			`}`
Add External Accounting Binding key "BoundAt" marking 2021-07-17 17:02:47 +00:00
Improve tests for already bound EAB keys 2021-10-08 11:18:23 +00:00			`// AlreadyBound returns whether this EAK is already bound to`
			`// an ACME Account or not.`
Fix PR comments 2021-07-22 21:48:41 +00:00			`func (eak *ExternalAccountKey) AlreadyBound() bool {`
			`return !eak.BoundAt.IsZero()`
			`}`

Improve tests for already bound EAB keys 2021-10-08 11:18:23 +00:00			`// BindTo binds the EAK to an Account.`
			`// It returns an error if it's already bound.`
			`func (eak ExternalAccountKey) BindTo(account Account) error {`
			`if eak.AlreadyBound() {`
			`return NewError(ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", eak.ID, eak.AccountID, eak.BoundAt)`
			`}`
Add External Accounting Binding key "BoundAt" marking 2021-07-17 17:02:47 +00:00			`eak.AccountID = account.ID`
			`eak.BoundAt = time.Now()`
Fix PR comments 2021-07-22 21:48:41 +00:00			`eak.KeyBytes = []byte{} // clearing the key bytes; can only be used once`
Improve tests for already bound EAB keys 2021-10-08 11:18:23 +00:00			`return nil`
Add External Accounting Binding key "BoundAt" marking 2021-07-17 17:02:47 +00:00			`}`