api/render, api/log: initial implementation of the packages (smallstep#860)

* api/render: initial implementation of the package

* acme/api: refactored to support api/render

* authority/admin: refactored to support api/render

* ca: refactored to support api/render

* api: refactored to support api/render

* api/render: implemented Error

* api: refactored to support api/render.Error

* acme/api: refactored to support api/render.Error

* authority/admin: refactored to support api/render.Error

* ca: refactored to support api/render.Error

* ca: fixed broken tests

* api/render, api/log: moved error logging to this package

* acme: refactored Error so that it implements render.RenderableError

* authority/admin: refactored Error so that it implements render.RenderableError

* api/render: implemented RenderableError

* api/render: added test coverage for Error

* api/render: implemented statusCodeFromError

* api: refactored RootsPEM to work with render.Error

* acme, authority/admin: fixed pointer receiver name for consistency

* api/render, errs: moved StatusCoder & StackTracer to the render package

Author: azazeal

acme/api/account.go

@@ -5,8 +5,9 @@ import (
 	"net/http"
 
 	"github.com/go-chi/chi"
+
 	"github.com/smallstep/certificates/acme"
-	"github.com/smallstep/certificates/api"
+	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/logging"
 )
 
@@ -70,23 +71,23 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 	var nar NewAccountRequest
 	if err := json.Unmarshal(payload.value, &nar); err != nil {
-		api.WriteError(w, acme.WrapError(acme.ErrorMalformedType, err,
+		render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 			"failed to unmarshal new-account request payload"))
 		return
 	}
 	if err := nar.Validate(); err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 
 	prov, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 
@@ -96,26 +97,26 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) {
 		acmeErr, ok := err.(*acme.Error)
 		if !ok || acmeErr.Status != http.StatusBadRequest {
 			// Something went wrong ...
-			api.WriteError(w, err)
+			render.Error(w, err)
 			return
 		}
 
 		// Account does not exist //
 		if nar.OnlyReturnExisting {
-			api.WriteError(w, acme.NewError(acme.ErrorAccountDoesNotExistType,
+			render.Error(w, acme.NewError(acme.ErrorAccountDoesNotExistType,
 				"account does not exist"))
 			return
 		}
 
 		jwk, err := jwkFromContext(ctx)
 		if err != nil {
-			api.WriteError(w, err)
+			render.Error(w, err)
 			return
 		}
 
 		eak, err := h.validateExternalAccountBinding(ctx, &nar)
 		if err != nil {
-			api.WriteError(w, err)
+			render.Error(w, err)
 			return
 		}
 
@@ -125,18 +126,18 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) {
 			Status:  acme.StatusValid,
 		}
 		if err := h.db.CreateAccount(ctx, acc); err != nil {
-			api.WriteError(w, acme.WrapErrorISE(err, "error creating account"))
+			render.Error(w, acme.WrapErrorISE(err, "error creating account"))
 			return
 		}
 
 		if eak != nil { // means that we have a (valid) External Account Binding key that should be bound, updated and sent in the response
 			err := eak.BindTo(acc)
 			if err != nil {
-				api.WriteError(w, err)
+				render.Error(w, err)
 				return
 			}
 			if err := h.db.UpdateExternalAccountKey(ctx, prov.ID, eak); err != nil {
-				api.WriteError(w, acme.WrapErrorISE(err, "error updating external account binding key"))
+				render.Error(w, acme.WrapErrorISE(err, "error updating external account binding key"))
 				return
 			}
 			acc.ExternalAccountBinding = nar.ExternalAccountBinding
@@ -149,20 +150,20 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) {
 	h.linker.LinkAccount(ctx, acc)
 
 	w.Header().Set("Location", h.linker.GetLink(r.Context(), AccountLinkType, acc.ID))
-	api.JSONStatus(w, acc, httpStatus)
+	render.JSONStatus(w, acc, httpStatus)
 }
 
 // GetOrUpdateAccount is the api for updating an ACME account.
 func (h *Handler) GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 	payload, err := payloadFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 
@@ -171,12 +172,12 @@ func (h *Handler) GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	if !payload.isPostAsGet {
 		var uar UpdateAccountRequest
 		if err := json.Unmarshal(payload.value, &uar); err != nil {
-			api.WriteError(w, acme.WrapError(acme.ErrorMalformedType, err,
+			render.Error(w, acme.WrapError(acme.ErrorMalformedType, err,
 				"failed to unmarshal new-account request payload"))
 			return
 		}
 		if err := uar.Validate(); err != nil {
-			api.WriteError(w, err)
+			render.Error(w, err)
 			return
 		}
 		if len(uar.Status) > 0 || len(uar.Contact) > 0 {
@@ -187,7 +188,7 @@ func (h *Handler) GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 			}
 
 			if err := h.db.UpdateAccount(ctx, acc); err != nil {
-				api.WriteError(w, acme.WrapErrorISE(err, "error updating account"))
+				render.Error(w, acme.WrapErrorISE(err, "error updating account"))
 				return
 			}
 		}
@@ -196,7 +197,7 @@ func (h *Handler) GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
 	h.linker.LinkAccount(ctx, acc)
 
 	w.Header().Set("Location", h.linker.GetLink(ctx, AccountLinkType, acc.ID))
-	api.JSON(w, acc)
+	render.JSON(w, acc)
 }
 
 func logOrdersByAccount(w http.ResponseWriter, oids []string) {
@@ -213,22 +214,22 @@ func (h *Handler) GetOrdersByAccountID(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 	accID := chi.URLParam(r, "accID")
 	if acc.ID != accID {
-		api.WriteError(w, acme.NewError(acme.ErrorUnauthorizedType, "account ID '%s' does not match url param '%s'", acc.ID, accID))
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account ID '%s' does not match url param '%s'", acc.ID, accID))
 		return
 	}
 	orders, err := h.db.GetOrdersByAccountID(ctx, acc.ID)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 
 	h.linker.LinkOrdersByAccountID(ctx, orders)
 
-	api.JSON(w, orders)
+	render.JSON(w, orders)
 	logOrdersByAccount(w, orders)
 }

acme/api/handler.go

@@ -12,8 +12,10 @@ import (
 	"time"
 
 	"github.com/go-chi/chi"
+
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/api"
+	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/provisioner"
 )
 
@@ -181,11 +183,11 @@ func (h *Handler) GetDirectory(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	acmeProv, err := acmeProvisionerFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 
-	api.JSON(w, &Directory{
+	render.JSON(w, &Directory{
 		NewNonce:   h.linker.GetLink(ctx, NewNonceLinkType),
 		NewAccount: h.linker.GetLink(ctx, NewAccountLinkType),
 		NewOrder:   h.linker.GetLink(ctx, NewOrderLinkType),
@@ -200,51 +202,51 @@ func (h *Handler) GetDirectory(w http.ResponseWriter, r *http.Request) {
 // NotImplemented returns a 501 and is generally a placeholder for functionality which
 // MAY be added at some point in the future but is not in any way a guarantee of such.
 func (h *Handler) NotImplemented(w http.ResponseWriter, r *http.Request) {
-	api.WriteError(w, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
+	render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
 }
 
 // GetAuthorization ACME api for retrieving an Authz.
 func (h *Handler) GetAuthorization(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 	az, err := h.db.GetAuthorization(ctx, chi.URLParam(r, "authzID"))
 	if err != nil {
-		api.WriteError(w, acme.WrapErrorISE(err, "error retrieving authorization"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving authorization"))
 		return
 	}
 	if acc.ID != az.AccountID {
-		api.WriteError(w, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own authorization '%s'", acc.ID, az.ID))
 		return
 	}
 	if err = az.UpdateStatus(ctx, h.db); err != nil {
-		api.WriteError(w, acme.WrapErrorISE(err, "error updating authorization status"))
+		render.Error(w, acme.WrapErrorISE(err, "error updating authorization status"))
 		return
 	}
 
 	h.linker.LinkAuthorization(ctx, az)
 
 	w.Header().Set("Location", h.linker.GetLink(ctx, AuthzLinkType, az.ID))
-	api.JSON(w, az)
+	render.JSON(w, az)
 }
 
 // GetChallenge ACME api for retrieving a Challenge.
 func (h *Handler) GetChallenge(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 	// Just verify that the payload was set, since we're not strictly adhering
 	// to ACME V2 spec for reasons specified below.
 	_, err = payloadFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 
@@ -257,49 +259,49 @@ func (h *Handler) GetChallenge(w http.ResponseWriter, r *http.Request) {
 	azID := chi.URLParam(r, "authzID")
 	ch, err := h.db.GetChallenge(ctx, chi.URLParam(r, "chID"), azID)
 	if err != nil {
-		api.WriteError(w, acme.WrapErrorISE(err, "error retrieving challenge"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving challenge"))
 		return
 	}
 	ch.AuthorizationID = azID
 	if acc.ID != ch.AccountID {
-		api.WriteError(w, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own challenge '%s'", acc.ID, ch.ID))
 		return
 	}
 	jwk, err := jwkFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 	if err = ch.Validate(ctx, h.db, jwk, h.validateChallengeOptions); err != nil {
-		api.WriteError(w, acme.WrapErrorISE(err, "error validating challenge"))
+		render.Error(w, acme.WrapErrorISE(err, "error validating challenge"))
 		return
 	}
 
 	h.linker.LinkChallenge(ctx, ch, azID)
 
 	w.Header().Add("Link", link(h.linker.GetLink(ctx, AuthzLinkType, azID), "up"))
 	w.Header().Set("Location", h.linker.GetLink(ctx, ChallengeLinkType, azID, ch.ID))
-	api.JSON(w, ch)
+	render.JSON(w, ch)
 }
 
 // GetCertificate ACME api for retrieving a Certificate.
 func (h *Handler) GetCertificate(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	acc, err := accountFromContext(ctx)
 	if err != nil {
-		api.WriteError(w, err)
+		render.Error(w, err)
 		return
 	}
 	certID := chi.URLParam(r, "certID")
 
 	cert, err := h.db.GetCertificate(ctx, certID)
 	if err != nil {
-		api.WriteError(w, acme.WrapErrorISE(err, "error retrieving certificate"))
+		render.Error(w, acme.WrapErrorISE(err, "error retrieving certificate"))
 		return
 	}
 	if cert.AccountID != acc.ID {
-		api.WriteError(w, acme.NewError(acme.ErrorUnauthorizedType,
+		render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 			"account '%s' does not own certificate '%s'", acc.ID, certID))
 		return
 	}