From 672e3f976e120394c251824160351a13996f65d8 Mon Sep 17 00:00:00 2001 From: max furman Date: Mon, 12 Apr 2021 19:06:07 -0700 Subject: [PATCH] Few ACME fixes ... - always URL escape linker output - validateJWS should accept RSAPSS - GetUpdateAccount -> GetOrUpdateAccount --- acme/api/account.go | 4 +-- acme/api/account_test.go | 27 +++++++-------- acme/api/handler.go | 13 ++++---- acme/api/linker.go | 27 ++++++++------- acme/api/linker_test.go | 65 +++++++++++++++++++------------------ acme/api/middleware.go | 6 ++-- acme/api/middleware_test.go | 10 +++--- acme/api/order_test.go | 60 +++++++++++++++++----------------- ca/acmeClient_test.go | 2 -- 9 files changed, 107 insertions(+), 107 deletions(-) diff --git a/acme/api/account.go b/acme/api/account.go index ae39d2f7..92c5dbfc 100644 --- a/acme/api/account.go +++ b/acme/api/account.go @@ -126,8 +126,8 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) { api.JSONStatus(w, acc, httpStatus) } -// GetUpdateAccount is the api for updating an ACME account. -func (h *Handler) GetUpdateAccount(w http.ResponseWriter, r *http.Request) { +// GetOrUpdateAccount is the api for updating an ACME account. +func (h *Handler) GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) { ctx := r.Context() acc, err := accountFromContext(ctx) if err != nil { diff --git a/acme/api/account_test.go b/acme/api/account_test.go index 7cbe7b7c..c4d7a812 100644 --- a/acme/api/account_test.go +++ b/acme/api/account_test.go @@ -32,7 +32,7 @@ func newProv() acme.Provisioner { // Initialize provisioners p := &provisioner.ACME{ Type: "ACME", - Name: "test@acme-provisioner.com", + Name: "test@acme-provisioner.com", } if err := p.Init(provisioner.Config{Claims: globalProvisionerClaims}); err != nil { fmt.Printf("%v", err) 
@@ -168,11 +168,6 @@ func TestUpdateAccountRequest_Validate(t *testing.T) { } func TestHandler_GetOrdersByAccountID(t *testing.T) { - oids := []string{"foo", "bar"} - oidURLs := []string{ - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/order/foo", - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/order/bar", - } accID := "account-id" // Request with chi context @@ -185,6 +180,12 @@ func TestHandler_GetOrdersByAccountID(t *testing.T) { url := fmt.Sprintf("http://ca.smallstep.com/acme/%s/account/%s/orders", provName, accID) + oids := []string{"foo", "bar"} + oidURLs := []string{ + fmt.Sprintf("%s/acme/%s/order/foo", baseURL.String(), provName), + fmt.Sprintf("%s/acme/%s/order/bar", baseURL.String(), provName), + } + type test struct { db acme.DB ctx context.Context @@ -287,7 +288,7 @@ func TestHandler_GetOrdersByAccountID(t *testing.T) { func TestHandler_NewAccount(t *testing.T) { prov := newProv() - provName := url.PathEscape(prov.GetName()) + escProvName := url.PathEscape(prov.GetName()) baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"} type test struct { @@ -424,7 +425,7 @@ func TestHandler_NewAccount(t *testing.T) { Key: jwk, Status: acme.StatusValid, Contact: []string{"foo", "bar"}, - OrdersURL: "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/account/accountID/orders", + OrdersURL: fmt.Sprintf("%s/acme/%s/account/accountID/orders", baseURL.String(), escProvName), }, ctx: ctx, statusCode: 201, @@ -486,14 +487,14 @@ func TestHandler_NewAccount(t *testing.T) { assert.Equals(t, bytes.TrimSpace(body), expB) assert.Equals(t, res.Header["Location"], []string{fmt.Sprintf("%s/acme/%s/account/%s", baseURL.String(), - provName, "accountID")}) + escProvName, "accountID")}) assert.Equals(t, res.Header["Content-Type"], []string{"application/json"}) } }) } } -func TestHandler_GetUpdateAccount(t *testing.T) { +func TestHandler_GetOrUpdateAccount(t *testing.T) { accID := "accountID" acc := acme.Account{ ID: accID, 
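Review bot: The added `oidURLs` expectations interpolate `provName`, while every other test touched by this commit switches to `escProvName := url.PathEscape(prov.GetName())` so the expected strings match the linker's now-escaped output; the definition of `provName` in TestHandler_GetOrdersByAccountID is outside this hunk, so if it holds the raw name these two expectations will diverge from the handler's output for any provisioner name that PathEscape actually changes. Renaming it here as well, `escProvName := url.PathEscape(prov.GetName())` with both `fmt.Sprintf` calls taking `escProvName`, keeps the test files consistent with each other. TestHandler_GetOrdersByAccountID starts before and continues after this hunk.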
@@ -501,7 +502,7 @@ func TestHandler_GetUpdateAccount(t *testing.T) { OrdersURL: fmt.Sprintf("https://ca.smallstep.com/acme/account/%s/orders", accID), } prov := newProv() - provName := url.PathEscape(prov.GetName()) + escProvName := url.PathEscape(prov.GetName()) baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"} type test struct { @@ -662,7 +663,7 @@ func TestHandler_GetUpdateAccount(t *testing.T) { req := httptest.NewRequest("GET", "/foo/bar", nil) req = req.WithContext(tc.ctx) w := httptest.NewRecorder() - h.GetUpdateAccount(w, req) + h.GetOrUpdateAccount(w, req) res := w.Result() assert.Equals(t, res.StatusCode, tc.statusCode) @@ -686,7 +687,7 @@ func TestHandler_GetUpdateAccount(t *testing.T) { assert.Equals(t, bytes.TrimSpace(body), expB) assert.Equals(t, res.Header["Location"], []string{fmt.Sprintf("%s/acme/%s/account/%s", baseURL.String(), - provName, accID)}) + escProvName, accID)}) assert.Equals(t, res.Header["Content-Type"], []string{"application/json"}) } }) diff --git a/acme/api/handler.go b/acme/api/handler.go index e557f33b..7d02861e 100644 --- a/acme/api/handler.go +++ b/acme/api/handler.go @@ -102,7 +102,7 @@ func (h *Handler) Route(r api.Router) { } r.MethodFunc("POST", getLink(NewAccountLinkType, "{provisionerID}", false, nil), extractPayloadByJWK(h.NewAccount)) - r.MethodFunc("POST", getLink(AccountLinkType, "{provisionerID}", false, nil, "{accID}"), extractPayloadByKid(h.GetUpdateAccount)) + r.MethodFunc("POST", getLink(AccountLinkType, "{provisionerID}", false, nil, "{accID}"), extractPayloadByKid(h.GetOrUpdateAccount)) r.MethodFunc("POST", getLink(KeyChangeLinkType, "{provisionerID}", false, nil, "{accID}"), extractPayloadByKid(h.NotImplemented)) r.MethodFunc("POST", getLink(NewOrderLinkType, "{provisionerID}", false, nil), extractPayloadByKid(h.NewOrder)) r.MethodFunc("POST", getLink(OrderLinkType, "{provisionerID}", false, nil, "{ordID}"), extractPayloadByKid(h.isPostAsGet(h.GetOrder))) 
@@ -125,12 +125,11 @@ func (h *Handler) GetNonce(w http.ResponseWriter, r *http.Request) {
 // Directory represents an ACME directory for configuring clients.
 type Directory struct {
- NewNonce string `json:"newNonce,omitempty"`
- NewAccount string `json:"newAccount,omitempty"`
- NewOrder string `json:"newOrder,omitempty"`
- NewAuthz string `json:"newAuthz,omitempty"`
- RevokeCert string `json:"revokeCert,omitempty"`
- KeyChange string `json:"keyChange,omitempty"`
+ NewNonce string `json:"newNonce"`
+ NewAccount string `json:"newAccount"`
+ NewOrder string `json:"newOrder"`
+ RevokeCert string `json:"revokeCert"`
+ KeyChange string `json:"keyChange"`
 }
 // ToLog enables response logging for the Directory type.
diff --git a/acme/api/linker.go b/acme/api/linker.go
index b6a44dfa..702f7433 100644
--- a/acme/api/linker.go
+++ b/acme/api/linker.go
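Review bot: The Directory doc comment does not record what this hunk changes about serialization: with `omitempty` dropped every field is always emitted, so a directory built with an unset URL now serializes that key as `""` instead of omitting it, and `newAuthz` has left the wire format altogether. A one-line comment would make that visible to code that constructs the struct (ca/acmeClient_test.go in this commit is one such place): `// Fields are the RFC 8555 §7.1.1 directory resources; all are always serialized, so an unset field appears as "".` Removing the exported NewAuthz field is also a source-level break for any package that sets it, which appears to be accepted here since the client test is updated in the same commit.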
@@ -44,27 +44,26 @@ func (l *linker) GetLink(ctx context.Context, typ LinkType, abs bool, inputs ...
 // URL dynamically obtained from the request for which the link is being
 // calculated.
 func (l *linker) GetLinkExplicit(typ LinkType, provisionerName string, abs bool, baseURL *url.URL, inputs ...string) string {
- var link string
+ var u = url.URL{}
+ // Copy the baseURL value from the pointer. https://github.com/golang/go/issues/38351
+ if baseURL != nil {
+ u = *baseURL
+ }
+
 switch typ {
 case NewNonceLinkType, NewAccountLinkType, NewOrderLinkType, NewAuthzLinkType, DirectoryLinkType, KeyChangeLinkType, RevokeCertLinkType:
- link = fmt.Sprintf("/%s/%s", provisionerName, typ)
+ u.Path = fmt.Sprintf("/%s/%s", provisionerName, typ)
 case AccountLinkType, OrderLinkType, AuthzLinkType, CertificateLinkType:
- link = fmt.Sprintf("/%s/%s/%s", provisionerName, typ, inputs[0])
+ u.Path = fmt.Sprintf("/%s/%s/%s", provisionerName, typ, inputs[0])
 case ChallengeLinkType:
- link = fmt.Sprintf("/%s/%s/%s/%s", provisionerName, typ, inputs[0], inputs[1])
+ u.Path = fmt.Sprintf("/%s/%s/%s/%s", provisionerName, typ, inputs[0], inputs[1])
 case OrdersByAccountLinkType:
- link = fmt.Sprintf("/%s/%s/%s/orders", provisionerName, AccountLinkType, inputs[0])
+ u.Path = fmt.Sprintf("/%s/%s/%s/orders", provisionerName, AccountLinkType, inputs[0])
 case FinalizeLinkType:
- link = fmt.Sprintf("/%s/%s/%s/finalize", provisionerName, OrderLinkType, inputs[0])
+ u.Path = fmt.Sprintf("/%s/%s/%s/finalize", provisionerName, OrderLinkType, inputs[0])
 }
 if abs {
- // Copy the baseURL value from the pointer. https://github.com/golang/go/issues/38351
- u := url.URL{}
- if baseURL != nil {
- u = *baseURL
- }
-
 // If no Scheme is set, then default to https.
 if u.Scheme == "" {
 u.Scheme = "https"
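Review bot: Writing the raw provisionerName and inputs into `u.Path` and relying on `u.String()` / `u.EscapedPath()` (next hunk, @@ -75) escapes the path as a whole, which is not the per-segment `url.PathEscape` the updated tests use as the expected value: whole-path escaping leaves `/` and the other path-reserved characters alone, so a name or ID containing `/` becomes an extra path segment instead of `%2F` and the link no longer addresses that resource. The two modes agree on the test fixture `test@acme-provisioner.com` because neither escapes `@`, so the current tests cannot tell them apart; if provisioner names and IDs are validated elsewhere to exclude `/` this is only a latent gap, but the guarantee in the commit message ("always URL escape linker output") is easier to hold by escaping each segment and storing the result in `u.RawPath` beside `u.Path`, which `EscapedPath()` then prefers, and the `u.Path = l.prefix + u.Path` line in the next hunk needs the same treatment for `u.RawPath`. Separately, `inputs[0]` and `inputs[1]` are still indexed without a length check, so a caller passing too few inputs panics; that precondition should be either guarded or stated in the doc comment. GetLinkExplicit continues into the next hunk.
```go
// segmentPath joins segs as "/a/b/c", returning the decoded form for u.Path and
// the per-segment percent-encoded form for u.RawPath, so that a "/" inside a
// provisioner name or resource ID is encoded rather than starting a new segment.
func segmentPath(segs ...string) (path, rawPath string) {
	for _, s := range segs {
		path += "/" + s
		rawPath += "/" + url.PathEscape(s)
	}
	return path, rawPath
}

	// … in GetLinkExplicit, every case assigns both forms, e.g.:
	case AccountLinkType, OrderLinkType, AuthzLinkType, CertificateLinkType:
		// fmt.Sprint(typ) reproduces the "%s" formatting of the original.
		u.Path, u.RawPath = segmentPath(provisionerName, fmt.Sprint(typ), inputs[0])
	// … other cases changed the same way …
	// … in the abs branch of the next hunk (@@ -75), keep both forms in step:
	u.Path, u.RawPath = l.prefix+u.Path, l.prefix+u.RawPath
```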
@@ -75,10 +74,10 @@ func (l *linker) GetLinkExplicit(typ LinkType, provisionerName string, abs bool,
 u.Host = l.dns
 }
- u.Path = l.prefix + link
+ u.Path = l.prefix + u.Path
 return u.String()
 }
- return link
+ return u.EscapedPath()
 }
 // LinkType captures the link type.
diff --git a/acme/api/linker_test.go b/acme/api/linker_test.go
index 2252e334..6bb1f739 100644
--- a/acme/api/linker_test.go
+++ b/acme/api/linker_test.go
@@ -51,52 +51,53 @@ func TestLinker_GetLinkExplicit(t *testing.T) { id := "1234" prov := newProv() - provID := url.PathEscape(prov.GetName()) + provName := prov.GetName() + escProvName := url.PathEscape(provName) - assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provID, true, nil), fmt.Sprintf("%s/acme/%s/new-nonce", "https://ca.smallstep.com", provID)) - assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provID, true, &url.URL{}), fmt.Sprintf("%s/acme/%s/new-nonce", "https://ca.smallstep.com", provID)) - assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provID, true, &url.URL{Scheme: "http"}), fmt.Sprintf("%s/acme/%s/new-nonce", "http://ca.smallstep.com", provID)) - assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provID, true, baseURL), fmt.Sprintf("%s/acme/%s/new-nonce", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provID, false, baseURL), fmt.Sprintf("/%s/new-nonce", provID)) + assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provName, true, nil), fmt.Sprintf("%s/acme/%s/new-nonce", "https://ca.smallstep.com", escProvName)) + assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provName, true, &url.URL{}), fmt.Sprintf("%s/acme/%s/new-nonce", "https://ca.smallstep.com", escProvName)) + assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provName, true, &url.URL{Scheme: "http"}), fmt.Sprintf("%s/acme/%s/new-nonce", "http://ca.smallstep.com", escProvName)) + assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provName, true, baseURL), fmt.Sprintf("%s/acme/%s/new-nonce", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, provName, false, baseURL), fmt.Sprintf("/%s/new-nonce", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(NewAccountLinkType, provID, true, baseURL), fmt.Sprintf("%s/acme/%s/new-account", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(NewAccountLinkType, provID, false, baseURL), 
fmt.Sprintf("/%s/new-account", provID)) + assert.Equals(t, linker.GetLinkExplicit(NewAccountLinkType, provName, true, baseURL), fmt.Sprintf("%s/acme/%s/new-account", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(NewAccountLinkType, provName, false, baseURL), fmt.Sprintf("/%s/new-account", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(AccountLinkType, provID, true, baseURL, id), fmt.Sprintf("%s/acme/%s/account/1234", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(AccountLinkType, provID, false, baseURL, id), fmt.Sprintf("/%s/account/1234", provID)) + assert.Equals(t, linker.GetLinkExplicit(AccountLinkType, provName, true, baseURL, id), fmt.Sprintf("%s/acme/%s/account/1234", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(AccountLinkType, provName, false, baseURL, id), fmt.Sprintf("/%s/account/1234", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(NewOrderLinkType, provID, true, baseURL), fmt.Sprintf("%s/acme/%s/new-order", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(NewOrderLinkType, provID, false, baseURL), fmt.Sprintf("/%s/new-order", provID)) + assert.Equals(t, linker.GetLinkExplicit(NewOrderLinkType, provName, true, baseURL), fmt.Sprintf("%s/acme/%s/new-order", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(NewOrderLinkType, provName, false, baseURL), fmt.Sprintf("/%s/new-order", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(OrderLinkType, provID, true, baseURL, id), fmt.Sprintf("%s/acme/%s/order/1234", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(OrderLinkType, provID, false, baseURL, id), fmt.Sprintf("/%s/order/1234", provID)) + assert.Equals(t, linker.GetLinkExplicit(OrderLinkType, provName, true, baseURL, id), fmt.Sprintf("%s/acme/%s/order/1234", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(OrderLinkType, provName, false, baseURL, id), fmt.Sprintf("/%s/order/1234", escProvName)) - assert.Equals(t, 
linker.GetLinkExplicit(OrdersByAccountLinkType, provID, true, baseURL, id), fmt.Sprintf("%s/acme/%s/account/1234/orders", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(OrdersByAccountLinkType, provID, false, baseURL, id), fmt.Sprintf("/%s/account/1234/orders", provID)) + assert.Equals(t, linker.GetLinkExplicit(OrdersByAccountLinkType, provName, true, baseURL, id), fmt.Sprintf("%s/acme/%s/account/1234/orders", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(OrdersByAccountLinkType, provName, false, baseURL, id), fmt.Sprintf("/%s/account/1234/orders", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(FinalizeLinkType, provID, true, baseURL, id), fmt.Sprintf("%s/acme/%s/order/1234/finalize", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(FinalizeLinkType, provID, false, baseURL, id), fmt.Sprintf("/%s/order/1234/finalize", provID)) + assert.Equals(t, linker.GetLinkExplicit(FinalizeLinkType, provName, true, baseURL, id), fmt.Sprintf("%s/acme/%s/order/1234/finalize", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(FinalizeLinkType, provName, false, baseURL, id), fmt.Sprintf("/%s/order/1234/finalize", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(NewAuthzLinkType, provID, true, baseURL), fmt.Sprintf("%s/acme/%s/new-authz", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(NewAuthzLinkType, provID, false, baseURL), fmt.Sprintf("/%s/new-authz", provID)) + assert.Equals(t, linker.GetLinkExplicit(NewAuthzLinkType, provName, true, baseURL), fmt.Sprintf("%s/acme/%s/new-authz", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(NewAuthzLinkType, provName, false, baseURL), fmt.Sprintf("/%s/new-authz", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(AuthzLinkType, provID, true, baseURL, id), fmt.Sprintf("%s/acme/%s/authz/1234", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(AuthzLinkType, provID, false, baseURL, id), fmt.Sprintf("/%s/authz/1234", provID)) + 
assert.Equals(t, linker.GetLinkExplicit(AuthzLinkType, provName, true, baseURL, id), fmt.Sprintf("%s/acme/%s/authz/1234", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(AuthzLinkType, provName, false, baseURL, id), fmt.Sprintf("/%s/authz/1234", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(DirectoryLinkType, provID, true, baseURL), fmt.Sprintf("%s/acme/%s/directory", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(DirectoryLinkType, provID, false, baseURL), fmt.Sprintf("/%s/directory", provID)) + assert.Equals(t, linker.GetLinkExplicit(DirectoryLinkType, provName, true, baseURL), fmt.Sprintf("%s/acme/%s/directory", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(DirectoryLinkType, provName, false, baseURL), fmt.Sprintf("/%s/directory", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(RevokeCertLinkType, provID, true, baseURL, id), fmt.Sprintf("%s/acme/%s/revoke-cert", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(RevokeCertLinkType, provID, false, baseURL), fmt.Sprintf("/%s/revoke-cert", provID)) + assert.Equals(t, linker.GetLinkExplicit(RevokeCertLinkType, provName, true, baseURL, id), fmt.Sprintf("%s/acme/%s/revoke-cert", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(RevokeCertLinkType, provName, false, baseURL), fmt.Sprintf("/%s/revoke-cert", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(KeyChangeLinkType, provID, true, baseURL), fmt.Sprintf("%s/acme/%s/key-change", baseURL, provID)) - assert.Equals(t, linker.GetLinkExplicit(KeyChangeLinkType, provID, false, baseURL), fmt.Sprintf("/%s/key-change", provID)) + assert.Equals(t, linker.GetLinkExplicit(KeyChangeLinkType, provName, true, baseURL), fmt.Sprintf("%s/acme/%s/key-change", baseURL, escProvName)) + assert.Equals(t, linker.GetLinkExplicit(KeyChangeLinkType, provName, false, baseURL), fmt.Sprintf("/%s/key-change", escProvName)) - assert.Equals(t, linker.GetLinkExplicit(ChallengeLinkType, provID, true, 
baseURL, id, id), fmt.Sprintf("%s/acme/%s/challenge/%s/%s", baseURL, provID, id, id))
- assert.Equals(t, linker.GetLinkExplicit(ChallengeLinkType, provID, false, baseURL, id, id), fmt.Sprintf("/%s/challenge/%s/%s", provID, id, id))
+ assert.Equals(t, linker.GetLinkExplicit(ChallengeLinkType, provName, true, baseURL, id, id), fmt.Sprintf("%s/acme/%s/challenge/%s/%s", baseURL, escProvName, id, id))
+ assert.Equals(t, linker.GetLinkExplicit(ChallengeLinkType, provName, false, baseURL, id, id), fmt.Sprintf("/%s/challenge/%s/%s", escProvName, id, id))
- assert.Equals(t, linker.GetLinkExplicit(CertificateLinkType, provID, true, baseURL, id), fmt.Sprintf("%s/acme/%s/certificate/1234", baseURL, provID))
- assert.Equals(t, linker.GetLinkExplicit(CertificateLinkType, provID, false, baseURL, id), fmt.Sprintf("/%s/certificate/1234", provID))
+ assert.Equals(t, linker.GetLinkExplicit(CertificateLinkType, provName, true, baseURL, id), fmt.Sprintf("%s/acme/%s/certificate/1234", baseURL, escProvName))
+ assert.Equals(t, linker.GetLinkExplicit(CertificateLinkType, provName, false, baseURL, id), fmt.Sprintf("/%s/certificate/1234", escProvName))
 }
 func TestLinker_LinkOrder(t *testing.T) {
diff --git a/acme/api/middleware.go b/acme/api/middleware.go
index e06e4736..861876a9 100644
--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@@ -90,7 +90,7 @@ func (h *Handler) verifyContentType(next nextHTTP) nextHTTP {
 return func(w http.ResponseWriter, r *http.Request) {
 ct := r.Header.Get("Content-Type")
 var expected []string
- if strings.Contains(r.URL.Path, h.linker.GetLink(r.Context(), CertificateLinkType, false, "")) {
+ if strings.Contains(r.URL.String(), h.linker.GetLink(r.Context(), CertificateLinkType, false, "")) {
 // GET /certificate requests allow a greater range of content types.
 expected = []string{"application/jose+json", "application/pkix-cert", "application/pkcs7-mime"}
 } else {
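Review bot: The expected values in TestLinker_GetLinkExplicit are now built with `url.PathEscape`, but the only name exercised is the one from `newProv()`, `test@acme-provisioner.com`, and `@` is left unchanged both by per-segment PathEscape and by whole-path escaping, so every assertion passes whether or not GetLinkExplicit escapes anything. Add one case whose name the two escaping modes treat differently, e.g. `assert.Equals(t, linker.GetLinkExplicit(NewNonceLinkType, "a b/c", false, baseURL), fmt.Sprintf("/%s/new-nonce", url.PathEscape("a b/c")))`, which expects `/a%20b%2Fc/new-nonce`; with the whole-path escaping introduced in linker.go the call should instead return `/a%20b/c/new-nonce` (assuming `baseURL` carries no RawPath), so the case would make the gap visible. TestLinker_GetLinkExplicit starts before this hunk.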
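Review bot: `strings.Contains(r.URL.String(), …)` now matches the certificate link anywhere in the full request URL, including the query string, so a request to any endpoint whose query contains `/<provisioner>/certificate/` is evaluated against the permissive content-type list (`application/pkix-cert`, `application/pkcs7-mime`) rather than the strict one; the check is only a content-type gate, but it should not be steerable from the query. The reason for moving away from `r.URL.Path` appears to be that GetLink now returns an escaped path while `Path` holds the decoded form; `r.URL.EscapedPath()` gives the encoded path without the query, so `if strings.Contains(r.URL.EscapedPath(), h.linker.GetLink(r.Context(), CertificateLinkType, false, "")) {` keeps the comparison on the path alone. Matching the route exactly rather than with Contains would be tighter still, but that is pre-existing. verifyContentType continues outside this hunk.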
@@ -170,7 +170,7 @@ func (h *Handler) validateJWS(next nextHTTP) nextHTTP {
 }
 hdr := sig.Protected
 switch hdr.Algorithm {
- case jose.RS256, jose.RS384, jose.RS512:
+ case jose.RS256, jose.RS384, jose.RS512, jose.PS256, jose.PS384, jose.PS512:
 if hdr.JSONWebKey != nil {
 switch k := hdr.JSONWebKey.Key.(type) {
 case *rsa.PublicKey:
@@ -189,7 +189,7 @@ func (h *Handler) validateJWS(next nextHTTP) nextHTTP {
 case jose.ES256, jose.ES384, jose.ES512, jose.EdDSA:
 // we good
 default:
- api.WriteError(w, acme.NewError(acme.ErrorMalformedType, "unsuitable algorithm: %s", hdr.Algorithm))
+ api.WriteError(w, acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: %s", hdr.Algorithm))
 return
 }
diff --git a/acme/api/middleware_test.go b/acme/api/middleware_test.go
index 1c0f3689..4c316910 100644
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@@ -228,9 +228,9 @@ func TestHandler_addDirLink(t *testing.T) {
 func TestHandler_verifyContentType(t *testing.T) {
 prov := newProv()
- provName := prov.GetName()
+ escProvName := url.PathEscape(prov.GetName())
 baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"}
- url := fmt.Sprintf("%s/acme/%s/certificate/abc123", baseURL.String(), provName)
+ url := fmt.Sprintf("%s/acme/%s/certificate/abc123", baseURL.String(), escProvName)
 type test struct {
 h Handler
 ctx context.Context
@@ -245,7 +245,7 @@ func TestHandler_verifyContentType(t *testing.T) {
 h: Handler{
 linker: NewLinker("dns", "acme"),
 },
- url: fmt.Sprintf("%s/acme/%s/new-account", baseURL.String(), provName),
+ url: url,
 ctx: context.WithValue(context.Background(), provisionerContextKey, prov),
 contentType: "foo",
 statusCode: 400,
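Review bot: The `default:` branch in the @@ -189 hunk now reports `badSignatureAlgorithm`, and RFC 8555 §6.2 says a response with that error type MUST include an `algorithms` field listing the algorithms the server accepts; `acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: %s", hdr.Algorithm)` as written carries only the detail string, so a client cannot learn the supported set (whether acme.Error can carry the extra field is outside this hunk, and may need a follow-up). The PS256/PS384/PS512 additions in the @@ -170 hunk share the RSA branch, which is right because RSA-PSS verifies against the same `*rsa.PublicKey` that the type switch below inspects, but that reasoning is worth a comment on the case line: `// RSA-PSS (PS*) uses the same *rsa.PublicKey as PKCS#1 v1.5, so the key checks below apply to both.` validateJWS starts and ends outside these hunks.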
@@ -1160,7 +1160,7 @@ func TestHandler_validateJWS(t *testing.T) { return test{ ctx: context.WithValue(context.Background(), jwsContextKey, jws), statusCode: 400, - err: acme.NewError(acme.ErrorMalformedType, "unsuitable algorithm: none"), + err: acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: none"), } }, "fail/unsuitable-algorithm-mac": func(t *testing.T) test { @@ -1172,7 +1172,7 @@ func TestHandler_validateJWS(t *testing.T) { return test{ ctx: context.WithValue(context.Background(), jwsContextKey, jws), statusCode: 400, - err: acme.NewError(acme.ErrorMalformedType, "unsuitable algorithm: %s", jose.HS256), + err: acme.NewError(acme.ErrorBadSignatureAlgorithmType, "unsuitable algorithm: %s", jose.HS256), } }, "fail/rsa-key-&-alg-mismatch": func(t *testing.T) test { diff --git a/acme/api/order_test.go b/acme/api/order_test.go index 506f0a0a..300aa61b 100644 --- a/acme/api/order_test.go +++ b/acme/api/order_test.go @@ -149,6 +149,10 @@ func TestFinalizeRequestValidate(t *testing.T) { } func TestHandler_GetOrder(t *testing.T) { + prov := newProv() + escProvName := url.PathEscape(prov.GetName()) + baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"} + now := clock.Now() nbf := now naf := now.Add(24 * time.Hour) 
@@ -171,21 +175,18 @@ func TestHandler_GetOrder(t *testing.T) { Status: acme.StatusInvalid, Error: acme.NewError(acme.ErrorMalformedType, "order has expired"), AuthorizationURLs: []string{ - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/foo", - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/bar", - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/baz", + fmt.Sprintf("%s/acme/%s/authz/foo", baseURL.String(), escProvName), + fmt.Sprintf("%s/acme/%s/authz/bar", baseURL.String(), escProvName), + fmt.Sprintf("%s/acme/%s/authz/baz", baseURL.String(), escProvName), }, - FinalizeURL: "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/order/orderID/finalize", + FinalizeURL: fmt.Sprintf("%s/acme/%s/order/orderID/finalize", baseURL.String(), escProvName), } // Request with chi context chiCtx := chi.NewRouteContext() chiCtx.URLParams.Add("ordID", o.ID) - prov := newProv() - provName := url.PathEscape(prov.GetName()) - baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"} url := fmt.Sprintf("%s/acme/%s/order/%s", - baseURL.String(), provName, o.ID) + baseURL.String(), escProvName, o.ID) type test struct { db acme.DB @@ -285,7 +286,7 @@ func TestHandler_GetOrder(t *testing.T) { MockGetOrder: func(ctx context.Context, id string) (*acme.Order, error) { return &acme.Order{ AccountID: "accountID", - ProvisionerID: "acme/test@acme-provisioner.com", + ProvisionerID: fmt.Sprintf("acme/%s", prov.GetName()), ExpiresAt: clock.Now().Add(-time.Hour), Status: acme.StatusReady, }, nil @@ -311,7 +312,7 @@ func TestHandler_GetOrder(t *testing.T) { return &acme.Order{ ID: "orderID", AccountID: "accountID", - ProvisionerID: "acme/test@acme-provisioner.com", + ProvisionerID: fmt.Sprintf("acme/%s", prov.GetName()), ExpiresAt: expiry, Status: acme.StatusReady, AuthorizationIDs: []string{"foo", "bar", "baz"}, 
@@ -581,10 +582,10 @@ func TestHandler_newAuthorization(t *testing.T) { func TestHandler_NewOrder(t *testing.T) { // Request with chi context prov := newProv() - provName := url.PathEscape(prov.GetName()) + escProvName := url.PathEscape(prov.GetName()) baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"} url := fmt.Sprintf("%s/acme/%s/order/ordID", - baseURL.String(), provName) + baseURL.String(), escProvName) type test struct { db acme.DB @@ -877,8 +878,8 @@ func TestHandler_NewOrder(t *testing.T) { assert.Equals(t, o.Status, acme.StatusPending) assert.Equals(t, o.Identifiers, nor.Identifiers) assert.Equals(t, o.AuthorizationURLs, []string{ - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/az1ID", - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/az2ID", + fmt.Sprintf("%s/acme/%s/authz/az1ID", baseURL.String(), escProvName), + fmt.Sprintf("%s/acme/%s/authz/az2ID", baseURL.String(), escProvName), }) assert.True(t, o.NotBefore.Add(-testBufferDur).Before(expNbf)) assert.True(t, o.NotBefore.Add(testBufferDur).After(expNbf)) @@ -968,7 +969,7 @@ func TestHandler_NewOrder(t *testing.T) { assert.Equals(t, o.ID, "ordID") assert.Equals(t, o.Status, acme.StatusPending) assert.Equals(t, o.Identifiers, nor.Identifiers) - assert.Equals(t, o.AuthorizationURLs, []string{"https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/az1ID"}) + assert.Equals(t, o.AuthorizationURLs, []string{fmt.Sprintf("%s/acme/%s/authz/az1ID", baseURL.String(), escProvName)}) assert.True(t, o.NotBefore.Add(-testBufferDur).Before(expNbf)) assert.True(t, o.NotBefore.Add(testBufferDur).After(expNbf)) assert.True(t, o.NotAfter.Add(-testBufferDur).Before(expNaf)) 
@@ -1059,7 +1060,7 @@ func TestHandler_NewOrder(t *testing.T) { assert.Equals(t, o.ID, "ordID") assert.Equals(t, o.Status, acme.StatusPending) assert.Equals(t, o.Identifiers, nor.Identifiers) - assert.Equals(t, o.AuthorizationURLs, []string{"https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/az1ID"}) + assert.Equals(t, o.AuthorizationURLs, []string{fmt.Sprintf("%s/acme/%s/authz/az1ID", baseURL.String(), escProvName)}) assert.True(t, o.NotBefore.Add(-testBufferDur).Before(expNbf)) assert.True(t, o.NotBefore.Add(testBufferDur).After(expNbf)) assert.True(t, o.NotAfter.Add(-testBufferDur).Before(expNaf)) @@ -1149,7 +1150,7 @@ func TestHandler_NewOrder(t *testing.T) { assert.Equals(t, o.ID, "ordID") assert.Equals(t, o.Status, acme.StatusPending) assert.Equals(t, o.Identifiers, nor.Identifiers) - assert.Equals(t, o.AuthorizationURLs, []string{"https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/az1ID"}) + assert.Equals(t, o.AuthorizationURLs, []string{fmt.Sprintf("%s/acme/%s/authz/az1ID", baseURL.String(), escProvName)}) assert.True(t, o.NotBefore.Add(-testBufferDur).Before(expNbf)) assert.True(t, o.NotBefore.Add(testBufferDur).After(expNbf)) assert.True(t, o.NotAfter.Add(-testBufferDur).Before(expNaf)) @@ -1240,7 +1241,7 @@ func TestHandler_NewOrder(t *testing.T) { assert.Equals(t, o.ID, "ordID") assert.Equals(t, o.Status, acme.StatusPending) assert.Equals(t, o.Identifiers, nor.Identifiers) - assert.Equals(t, o.AuthorizationURLs, []string{"https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/az1ID"}) + assert.Equals(t, o.AuthorizationURLs, []string{fmt.Sprintf("%s/acme/%s/authz/az1ID", baseURL.String(), escProvName)}) assert.True(t, o.NotBefore.Add(-testBufferDur).Before(expNbf)) assert.True(t, o.NotBefore.Add(testBufferDur).After(expNbf)) assert.True(t, o.NotAfter.Add(-testBufferDur).Before(expNaf)) 
@@ -1291,6 +1292,10 @@ func TestHandler_NewOrder(t *testing.T) { } func TestHandler_FinalizeOrder(t *testing.T) { + prov := newProv() + escProvName := url.PathEscape(prov.GetName()) + baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"} + now := clock.Now() nbf := now naf := now.Add(24 * time.Hour) @@ -1311,22 +1316,19 @@ func TestHandler_FinalizeOrder(t *testing.T) { ExpiresAt: naf, Status: acme.StatusValid, AuthorizationURLs: []string{ - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/foo", - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/bar", - "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/authz/baz", + fmt.Sprintf("%s/acme/%s/authz/foo", baseURL.String(), escProvName), + fmt.Sprintf("%s/acme/%s/authz/bar", baseURL.String(), escProvName), + fmt.Sprintf("%s/acme/%s/authz/baz", baseURL.String(), escProvName), }, - FinalizeURL: "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/order/orderID/finalize", - CertificateURL: "https://test.ca.smallstep.com/acme/test@acme-provisioner.com/certificate/certID", + FinalizeURL: fmt.Sprintf("%s/acme/%s/order/orderID/finalize", baseURL.String(), escProvName), + CertificateURL: fmt.Sprintf("%s/acme/%s/certificate/certID", baseURL.String(), escProvName), } // Request with chi context chiCtx := chi.NewRouteContext() chiCtx.URLParams.Add("ordID", o.ID) - prov := newProv() - provName := url.PathEscape(prov.GetName()) - baseURL := &url.URL{Scheme: "https", Host: "test.ca.smallstep.com"} url := fmt.Sprintf("%s/acme/%s/order/%s", - baseURL.String(), provName, o.ID) + baseURL.String(), escProvName, o.ID) _csr, err := pemutil.Read("../../authority/testdata/certs/foo.csr") assert.FatalError(t, err) 
@@ -1488,7 +1490,7 @@ func TestHandler_FinalizeOrder(t *testing.T) { MockGetOrder: func(ctx context.Context, id string) (*acme.Order, error) { return &acme.Order{ AccountID: "accountID", - ProvisionerID: "acme/test@acme-provisioner.com", + ProvisionerID: fmt.Sprintf("acme/%s", prov.GetName()), ExpiresAt: clock.Now().Add(-time.Hour), Status: acme.StatusReady, }, nil @@ -1515,7 +1517,7 @@ func TestHandler_FinalizeOrder(t *testing.T) { return &acme.Order{ ID: "orderID", AccountID: "accountID", - ProvisionerID: "acme/test@acme-provisioner.com", + ProvisionerID: fmt.Sprintf("acme/%s", prov.GetName()), ExpiresAt: naf, Status: acme.StatusValid, AuthorizationIDs: []string{"foo", "bar", "baz"}, diff --git a/ca/acmeClient_test.go b/ca/acmeClient_test.go index b97fdbd0..f5963de4 100644 --- a/ca/acmeClient_test.go +++ b/ca/acmeClient_test.go @@ -35,7 +35,6 @@ func TestNewACMEClient(t *testing.T) { NewNonce: srv.URL + "/foo", NewAccount: srv.URL + "/bar", NewOrder: srv.URL + "/baz", - NewAuthz: srv.URL + "/zap", RevokeCert: srv.URL + "/zip", KeyChange: srv.URL + "/blorp", } @@ -146,7 +145,6 @@ func TestACMEClient_GetDirectory(t *testing.T) { NewNonce: "/foo", NewAccount: "/bar", NewOrder: "/baz", - NewAuthz: "/zap", RevokeCert: "/zip", KeyChange: "/blorp", },