package nosql import ( "context" "crypto/rand" "encoding/json" "time" "github.com/pkg/errors" "github.com/smallstep/certificates/acme" nosqlDB "github.com/smallstep/nosql" "go.step.sm/crypto/jose" ) // dbAccount represents an ACME account. type dbAccount struct { ID string `json:"id"` Key *jose.JSONWebKey `json:"key"` Contact []string `json:"contact,omitempty"` Status acme.Status `json:"status"` CreatedAt time.Time `json:"createdAt"` DeactivatedAt time.Time `json:"deactivatedAt"` } func (dba *dbAccount) clone() *dbAccount { nu := *dba return &nu } type dbExternalAccountKey struct { ID string `json:"id"` ProvisionerName string `json:"provisioner_name"` Name string `json:"name"` AccountID string `json:"accountID,omitempty"` KeyBytes []byte `json:"key"` CreatedAt time.Time `json:"createdAt"` BoundAt time.Time `json:"boundAt"` } func (db *DB) getAccountIDByKeyID(ctx context.Context, kid string) (string, error) { id, err := db.db.Get(accountByKeyIDTable, []byte(kid)) if err != nil { if nosqlDB.IsErrNotFound(err) { return "", acme.ErrNotFound } return "", errors.Wrapf(err, "error loading key-account index for key %s", kid) } return string(id), nil } // getDBAccount retrieves and unmarshals dbAccount. func (db *DB) getDBAccount(ctx context.Context, id string) (*dbAccount, error) { data, err := db.db.Get(accountTable, []byte(id)) if err != nil { if nosqlDB.IsErrNotFound(err) { return nil, acme.ErrNotFound } return nil, errors.Wrapf(err, "error loading account %s", id) } dbacc := new(dbAccount) if err = json.Unmarshal(data, dbacc); err != nil { return nil, errors.Wrapf(err, "error unmarshaling account %s into dbAccount", id) } return dbacc, nil } // getDBExternalAccountKey retrieves and unmarshals dbExternalAccountKey. func (db *DB) getDBExternalAccountKey(ctx context.Context, id string) (*dbExternalAccountKey, error) { data, err := db.db.Get(externalAccountKeyTable, []byte(id)) if err != nil { if nosqlDB.IsErrNotFound(err) { return nil, acme.ErrNotFound } return nil, errors.Wrapf(err, "error loading external account key %s", id) } dbeak := new(dbExternalAccountKey) if err = json.Unmarshal(data, dbeak); err != nil { return nil, errors.Wrapf(err, "error unmarshaling external account key %s into dbExternalAccountKey", id) } return dbeak, nil } // GetAccount retrieves an ACME account by ID. func (db *DB) GetAccount(ctx context.Context, id string) (*acme.Account, error) { dbacc, err := db.getDBAccount(ctx, id) if err != nil { return nil, err } return &acme.Account{ Status: dbacc.Status, Contact: dbacc.Contact, Key: dbacc.Key, ID: dbacc.ID, }, nil } // GetAccountByKeyID retrieves an ACME account by KeyID (thumbprint of the Account Key -- JWK). func (db *DB) GetAccountByKeyID(ctx context.Context, kid string) (*acme.Account, error) { id, err := db.getAccountIDByKeyID(ctx, kid) if err != nil { return nil, err } return db.GetAccount(ctx, id) } // CreateAccount imlements the AcmeDB.CreateAccount interface. func (db *DB) CreateAccount(ctx context.Context, acc *acme.Account) error { var err error acc.ID, err = randID() if err != nil { return err } dba := &dbAccount{ ID: acc.ID, Key: acc.Key, Contact: acc.Contact, Status: acc.Status, CreatedAt: clock.Now(), } kid, err := acme.KeyToID(dba.Key) if err != nil { return err } kidB := []byte(kid) // Set the jwkID -> acme account ID index _, swapped, err := db.db.CmpAndSwap(accountByKeyIDTable, kidB, nil, []byte(acc.ID)) switch { case err != nil: return errors.Wrap(err, "error storing keyID to accountID index") case !swapped: return errors.Errorf("key-id to account-id index already exists") default: if err = db.save(ctx, acc.ID, dba, nil, "account", accountTable); err != nil { db.db.Del(accountByKeyIDTable, kidB) return err } return nil } } // UpdateAccount imlements the AcmeDB.UpdateAccount interface. func (db *DB) UpdateAccount(ctx context.Context, acc *acme.Account) error { old, err := db.getDBAccount(ctx, acc.ID) if err != nil { return err } nu := old.clone() nu.Contact = acc.Contact nu.Status = acc.Status // If the status has changed to 'deactivated', then set deactivatedAt timestamp. if acc.Status == acme.StatusDeactivated && old.Status != acme.StatusDeactivated { nu.DeactivatedAt = clock.Now() } return db.save(ctx, old.ID, nu, old, "account", accountTable) } // CreateExternalAccountKey creates a new External Account Binding key with a name func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerName string, name string) (*acme.ExternalAccountKey, error) { keyID, err := randID() if err != nil { return nil, err } random := make([]byte, 32) _, err = rand.Read(random) if err != nil { return nil, err } dbeak := &dbExternalAccountKey{ ID: keyID, ProvisionerName: provisionerName, Name: name, KeyBytes: random, CreatedAt: clock.Now(), } if err = db.save(ctx, keyID, dbeak, nil, "external_account_key", externalAccountKeyTable); err != nil { return nil, err } return &acme.ExternalAccountKey{ ID: dbeak.ID, ProvisionerName: dbeak.ProvisionerName, Name: dbeak.Name, AccountID: dbeak.AccountID, KeyBytes: dbeak.KeyBytes, CreatedAt: dbeak.CreatedAt, BoundAt: dbeak.BoundAt, }, nil } // GetExternalAccountKey retrieves an External Account Binding key by KeyID func (db *DB) GetExternalAccountKey(ctx context.Context, provisionerName string, keyID string) (*acme.ExternalAccountKey, error) { dbeak, err := db.getDBExternalAccountKey(ctx, keyID) if err != nil { return nil, err } if dbeak.ProvisionerName != provisionerName { return nil, acme.NewError(acme.ErrorUnauthorizedType, "name of provisioner does not match provisioner for which the EAB key was created") } return &acme.ExternalAccountKey{ ID: dbeak.ID, ProvisionerName: dbeak.ProvisionerName, Name: dbeak.Name, AccountID: dbeak.AccountID, KeyBytes: dbeak.KeyBytes, CreatedAt: dbeak.CreatedAt, BoundAt: dbeak.BoundAt, }, nil } func (db *DB) DeleteExternalAccountKey(ctx context.Context, keyID string) error { _, err := db.db.Get(externalAccountKeyTable, []byte(keyID)) if err != nil { return errors.Wrapf(err, "error loading ACME EAB Key with Key ID %s", keyID) } err = db.db.Del(externalAccountKeyTable, []byte(keyID)) if err != nil { return errors.Wrapf(err, "error deleting ACME EAB Key with Key ID %s", keyID) } return nil } func (db *DB) UpdateExternalAccountKey(ctx context.Context, provisionerName string, eak *acme.ExternalAccountKey) error { old, err := db.getDBExternalAccountKey(ctx, eak.ID) if err != nil { return err } if old.ProvisionerName != provisionerName { return acme.NewError(acme.ErrorUnauthorizedType, "name of provisioner does not match provisioner for which the EAB key was created") } nu := dbExternalAccountKey{ ID: eak.ID, ProvisionerName: eak.ProvisionerName, Name: eak.Name, AccountID: eak.AccountID, KeyBytes: eak.KeyBytes, CreatedAt: eak.CreatedAt, BoundAt: eak.BoundAt, } return db.save(ctx, nu.ID, nu, old, "external_account_key", externalAccountKeyTable) }