smallstep-certificates/acme/db/nosql/authz.go

package nosql

import (
	"context"
	"encoding/json"
	"time"

	"github.com/pkg/errors"
	"github.com/smallstep/certificates/acme"
	"github.com/smallstep/nosql"
)

// dbAuthz is the base authz type that others build from.
type dbAuthz struct {
	ID           string          `json:"id"`
	AccountID    string          `json:"accountID"`
	Identifier   acme.Identifier `json:"identifier"`
	Status       acme.Status     `json:"status"`
	Token        string          `json:"token"`
	Fingerprint  string          `json:"fingerprint,omitempty"`
	ChallengeIDs []string        `json:"challengeIDs"`
	Wildcard     bool            `json:"wildcard"`
	CreatedAt    time.Time       `json:"createdAt"`
	ExpiresAt    time.Time       `json:"expiresAt"`
	Error        *acme.Error     `json:"error"`
}

func (ba *dbAuthz) clone() *dbAuthz {
	u := *ba
	return &u
}

// getDBAuthz retrieves and unmarshals a database representation of the
// ACME Authorization type.
func (db *DB) getDBAuthz(_ context.Context, id string) (*dbAuthz, error) {
	data, err := db.db.Get(authzTable, []byte(id))
	if nosql.IsErrNotFound(err) {
		return nil, acme.NewError(acme.ErrorMalformedType, "authz %s not found", id)
	} else if err != nil {
		return nil, errors.Wrapf(err, "error loading authz %s", id)
	}

	var dbaz dbAuthz
	if err = json.Unmarshal(data, &dbaz); err != nil {
		return nil, errors.Wrapf(err, "error unmarshaling authz %s into dbAuthz", id)
	}
	return &dbaz, nil
}

// GetAuthorization retrieves and unmarshals an ACME authz type from the database.
// Implements acme.DB GetAuthorization interface.
func (db *DB) GetAuthorization(ctx context.Context, id string) (*acme.Authorization, error) {
	dbaz, err := db.getDBAuthz(ctx, id)
	if err != nil {
		return nil, err
	}
	var chs = make([]*acme.Challenge, len(dbaz.ChallengeIDs))
	for i, chID := range dbaz.ChallengeIDs {
		chs[i], err = db.GetChallenge(ctx, chID, id)
		if err != nil {
			return nil, err
		}
	}
	return &acme.Authorization{
		ID:          dbaz.ID,
		AccountID:   dbaz.AccountID,
		Identifier:  dbaz.Identifier,
		Status:      dbaz.Status,
		Challenges:  chs,
		Wildcard:    dbaz.Wildcard,
		ExpiresAt:   dbaz.ExpiresAt,
		Token:       dbaz.Token,
		Fingerprint: dbaz.Fingerprint,
		Error:       dbaz.Error,
	}, nil
}

// CreateAuthorization creates an entry in the database for the Authorization.
// Implements the acme.DB.CreateAuthorization interface.
func (db *DB) CreateAuthorization(ctx context.Context, az *acme.Authorization) error {
	var err error
	az.ID, err = randID()
	if err != nil {
		return err
	}

	chIDs := make([]string, len(az.Challenges))
	for i, ch := range az.Challenges {
		chIDs[i] = ch.ID
	}

	now := clock.Now()
	dbaz := &dbAuthz{
		ID:           az.ID,
		AccountID:    az.AccountID,
		Status:       az.Status,
		CreatedAt:    now,
		ExpiresAt:    az.ExpiresAt,
		Identifier:   az.Identifier,
		ChallengeIDs: chIDs,
		Token:        az.Token,
		Fingerprint:  az.Fingerprint,
		Wildcard:     az.Wildcard,
	}

	return db.save(ctx, az.ID, dbaz, nil, "authz", authzTable)
}

// UpdateAuthorization saves an updated ACME Authorization to the database.
func (db *DB) UpdateAuthorization(ctx context.Context, az *acme.Authorization) error {
	old, err := db.getDBAuthz(ctx, az.ID)
	if err != nil {
		return err
	}

	nu := old.clone()
	nu.Status = az.Status
	nu.Fingerprint = az.Fingerprint
	nu.Error = az.Error
	return db.save(ctx, old.ID, nu, old, "authz", authzTable)
}

// GetAuthorizationsByAccountID retrieves and unmarshals ACME authz types from the database.
func (db *DB) GetAuthorizationsByAccountID(_ context.Context, accountID string) ([]*acme.Authorization, error) {
	entries, err := db.db.List(authzTable)
	if err != nil {
		return nil, errors.Wrapf(err, "error listing authz")
	}
	authzs := []*acme.Authorization{}
	for _, entry := range entries {
		dbaz := new(dbAuthz)
		if err = json.Unmarshal(entry.Value, dbaz); err != nil {
			return nil, errors.Wrapf(err, "error unmarshaling dbAuthz key '%s' into dbAuthz struct", string(entry.Key))
		}
		// Filter out all dbAuthzs that don't belong to the accountID. This
		// could be made more efficient with additional data structures mapping the
		// Account ID to authorizations. Not trivial to do, though.
		if dbaz.AccountID != accountID {
			continue
		}
		authzs = append(authzs, &acme.Authorization{
			ID:          dbaz.ID,
			AccountID:   dbaz.AccountID,
			Identifier:  dbaz.Identifier,
			Status:      dbaz.Status,
			Challenges:  nil, // challenges not required for current use case
			Wildcard:    dbaz.Wildcard,
			ExpiresAt:   dbaz.ExpiresAt,
			Token:       dbaz.Token,
			Fingerprint: dbaz.Fingerprint,
			Error:       dbaz.Error,
		})
	}

	return authzs, nil
}
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`package nosql`

			`import (`
			`"context"`
			`"encoding/json"`
			`"time"`

			`"github.com/pkg/errors"`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`"github.com/smallstep/certificates/acme"`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`"github.com/smallstep/nosql"`
			`)`

			`// dbAuthz is the base authz type that others build from.`
			`type dbAuthz struct {`
gethttp01 validate unit tests working 2021-03-24 05:12:25 +00:00			ID string `json:"id"`
			AccountID string `json:"accountID"`
			Identifier acme.Identifier `json:"identifier"`
			Status acme.Status `json:"status"`
PR review fixes / updates 2021-03-29 19:04:14 +00:00			Token string `json:"token"`
Verify CSR key fingerprint with attestation certificate key This commit makes sure that the attestation certificate key matches the key used on the CSR on an ACME device attestation flow. 2023-02-10 00:48:43 +00:00			Fingerprint string `json:"fingerprint,omitempty"`
gethttp01 validate unit tests working 2021-03-24 05:12:25 +00:00			ChallengeIDs []string `json:"challengeIDs"`
			Wildcard bool `json:"wildcard"`
			CreatedAt time.Time `json:"createdAt"`
PR review fixes / updates 2021-03-29 19:04:14 +00:00			ExpiresAt time.Time `json:"expiresAt"`
gethttp01 validate unit tests working 2021-03-24 05:12:25 +00:00			Error *acme.Error `json:"error"`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`

			`func (ba dbAuthz) clone() dbAuthz {`
			`u := *ba`
			`return &u`
			`}`

			`// getDBAuthz retrieves and unmarshals a database representation of the`
			`// ACME Authorization type.`
address linter warning for go 1.19 2023-05-10 06:47:28 +00:00			`func (db DB) getDBAuthz(_ context.Context, id string) (dbAuthz, error) {`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`data, err := db.db.Get(authzTable, []byte(id))`
			`if nosql.IsErrNotFound(err) {`
[acme db interface] nosql authz unit tests 2021-03-19 21:37:45 +00:00			`return nil, acme.NewError(acme.ErrorMalformedType, "authz %s not found", id)`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`} else if err != nil {`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`return nil, errors.Wrapf(err, "error loading authz %s", id)`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`

			`var dbaz dbAuthz`
			`if err = json.Unmarshal(data, &dbaz); err != nil {`
[acme db interface] nosql authz unit tests 2021-03-19 21:37:45 +00:00			`return nil, errors.Wrapf(err, "error unmarshaling authz %s into dbAuthz", id)`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`return &dbaz, nil`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`

			`// GetAuthorization retrieves and unmarshals an ACME authz type from the database.`
			`// Implements acme.DB GetAuthorization interface.`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`func (db DB) GetAuthorization(ctx context.Context, id string) (acme.Authorization, error) {`
			`dbaz, err := db.getDBAuthz(ctx, id)`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`if err != nil {`
			`return nil, err`
			`}`
gethttp01 validate unit tests working 2021-03-24 05:12:25 +00:00			`var chs = make([]*acme.Challenge, len(dbaz.ChallengeIDs))`
			`for i, chID := range dbaz.ChallengeIDs {`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`chs[i], err = db.GetChallenge(ctx, chID, id)`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`}`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`return &acme.Authorization{`
Verify CSR key fingerprint with attestation certificate key This commit makes sure that the attestation certificate key matches the key used on the CSR on an ACME device attestation flow. 2023-02-10 00:48:43 +00:00			`ID: dbaz.ID,`
			`AccountID: dbaz.AccountID,`
			`Identifier: dbaz.Identifier,`
			`Status: dbaz.Status,`
			`Challenges: chs,`
			`Wildcard: dbaz.Wildcard,`
			`ExpiresAt: dbaz.ExpiresAt,`
			`Token: dbaz.Token,`
			`Fingerprint: dbaz.Fingerprint,`
			`Error: dbaz.Error,`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}, nil`
			`}`

			`// CreateAuthorization creates an entry in the database for the Authorization.`
			`// Implements the acme.DB.CreateAuthorization interface.`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`func (db DB) CreateAuthorization(ctx context.Context, az acme.Authorization) error {`
			`var err error`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`az.ID, err = randID()`
			`if err != nil {`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`return err`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`

[acme db interface] wip 2021-03-03 23:16:25 +00:00			`chIDs := make([]string, len(az.Challenges))`
			`for i, ch := range az.Challenges {`
			`chIDs[i] = ch.ID`
			`}`

[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`now := clock.Now()`
			`dbaz := &dbAuthz{`
gethttp01 validate unit tests working 2021-03-24 05:12:25 +00:00			`ID: az.ID,`
			`AccountID: az.AccountID,`
			`Status: az.Status,`
			`CreatedAt: now,`
			`ExpiresAt: az.ExpiresAt,`
			`Identifier: az.Identifier,`
			`ChallengeIDs: chIDs,`
			`Token: az.Token,`
Verify CSR key fingerprint with attestation certificate key This commit makes sure that the attestation certificate key matches the key used on the CSR on an ACME device attestation flow. 2023-02-10 00:48:43 +00:00			`Fingerprint: az.Fingerprint,`
gethttp01 validate unit tests working 2021-03-24 05:12:25 +00:00			`Wildcard: az.Wildcard,`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`

[acme db interface] wip 2021-02-28 01:05:37 +00:00			`return db.save(ctx, az.ID, dbaz, nil, "authz", authzTable)`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`

			`// UpdateAuthorization saves an updated ACME Authorization to the database.`
[acme db interface] wip errors 2021-03-01 06:49:20 +00:00			`func (db DB) UpdateAuthorization(ctx context.Context, az acme.Authorization) error {`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`old, err := db.getDBAuthz(ctx, az.ID)`
			`if err != nil {`
			`return err`
			`}`

			`nu := old.clone()`
			`nu.Status = az.Status`
Verify CSR key fingerprint with attestation certificate key This commit makes sure that the attestation certificate key matches the key used on the CSR on an ACME device attestation flow. 2023-02-10 00:48:43 +00:00			`nu.Fingerprint = az.Fingerprint`
[acme db interface] nosql authz unit tests 2021-03-19 21:37:45 +00:00			`nu.Error = az.Error`
[acme db interface] wip 2021-02-28 01:05:37 +00:00			`return db.save(ctx, old.ID, nu, old, "authz", authzTable)`
[acme] Continued work on acme db interface (wip) 2021-02-26 18:12:30 +00:00			`}`
Add logic for Account authorizations and improve tests 2021-12-02 15:25:35 +00:00
			`// GetAuthorizationsByAccountID retrieves and unmarshals ACME authz types from the database.`
address linter warning for go 1.19 2023-05-10 06:47:28 +00:00			`func (db DB) GetAuthorizationsByAccountID(_ context.Context, accountID string) ([]acme.Authorization, error) {`
Add logic for Account authorizations and improve tests 2021-12-02 15:25:35 +00:00			`entries, err := db.db.List(authzTable)`
			`if err != nil {`
			`return nil, errors.Wrapf(err, "error listing authz")`
			`}`
			`authzs := []*acme.Authorization{}`
			`for _, entry := range entries {`
			`dbaz := new(dbAuthz)`
			`if err = json.Unmarshal(entry.Value, dbaz); err != nil {`
			`return nil, errors.Wrapf(err, "error unmarshaling dbAuthz key '%s' into dbAuthz struct", string(entry.Key))`
			`}`
			`// Filter out all dbAuthzs that don't belong to the accountID. This`
			`// could be made more efficient with additional data structures mapping the`
			`// Account ID to authorizations. Not trivial to do, though.`
			`if dbaz.AccountID != accountID {`
			`continue`
			`}`
			`authzs = append(authzs, &acme.Authorization{`
Verify CSR key fingerprint with attestation certificate key This commit makes sure that the attestation certificate key matches the key used on the CSR on an ACME device attestation flow. 2023-02-10 00:48:43 +00:00			`ID: dbaz.ID,`
			`AccountID: dbaz.AccountID,`
			`Identifier: dbaz.Identifier,`
			`Status: dbaz.Status,`
			`Challenges: nil, // challenges not required for current use case`
			`Wildcard: dbaz.Wildcard,`
			`ExpiresAt: dbaz.ExpiresAt,`
			`Token: dbaz.Token,`
			`Fingerprint: dbaz.Fingerprint,`
			`Error: dbaz.Error,`
Add logic for Account authorizations and improve tests 2021-12-02 15:25:35 +00:00			`})`
			`}`

			`return authzs, nil`
			`}`