Refactor policy engines into container

Author: hslatman

Diff for: acme/api/order.go

@@ -5,7 +5,6 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
-	"fmt"
 	"net"
 	"net/http"
 	"strings"
@@ -199,14 +198,7 @@ func isIdentifierAllowed(acmePolicy policy.X509Policy, identifier acme.Identifie
 	if acmePolicy == nil {
 		return nil
 	}
-	allowed, err := acmePolicy.AreSANsAllowed([]string{identifier.Value})
-	if err != nil {
-		return err
-	}
-	if !allowed {
-		return fmt.Errorf("acme identifier '%s' not allowed", identifier.Value)
-	}
-	return nil
+	return acmePolicy.AreSANsAllowed([]string{identifier.Value})
 }
 
 func newACMEPolicyEngine(eak *acme.ExternalAccountKey) (policy.X509Policy, error) {

Diff for: authority/authority.go

@@ -81,9 +81,7 @@ type Authority struct {
 	authorizeSSHRenewFunc provisioner.AuthorizeSSHRenewFunc
 
 	// Policy engines
-	x509Policy    policy.X509Policy
-	sshUserPolicy policy.UserPolicy
-	sshHostPolicy policy.HostPolicy
+	policyEngine *policy.Engine
 
 	adminMutex sync.RWMutex
 }

Diff for: authority/policy.go

@@ -227,50 +227,19 @@ func (a *Authority) reloadPolicyEngines(ctx context.Context) error {
 		policyOptions = a.config.AuthorityConfig.Policy
 	}
 
-	// if no new or updated policy option is set, clear policy engines that (may have)
-	// been configured before and return early
-	if policyOptions == nil {
-		a.x509Policy = nil
-		a.sshHostPolicy = nil
-		a.sshUserPolicy = nil
-		return nil
-	}
-
-	var (
-		x509Policy    authPolicy.X509Policy
-		sshHostPolicy authPolicy.HostPolicy
-		sshUserPolicy authPolicy.UserPolicy
-	)
-
-	// initialize the x509 allow/deny policy engine
-	if x509Policy, err = authPolicy.NewX509PolicyEngine(policyOptions.GetX509Options()); err != nil {
-		return err
-	}
-
-	// initialize the SSH allow/deny policy engine for host certificates
-	if sshHostPolicy, err = authPolicy.NewSSHHostPolicyEngine(policyOptions.GetSSHOptions()); err != nil {
-		return err
-	}
-
-	// initialize the SSH allow/deny policy engine for user certificates
-	if sshUserPolicy, err = authPolicy.NewSSHUserPolicyEngine(policyOptions.GetSSHOptions()); err != nil {
+	engine, err := authPolicy.New(policyOptions)
+	if err != nil {
 		return err
 	}
 
-	// set all policy engines; all or nothing
-	a.x509Policy = x509Policy
-	a.sshHostPolicy = sshHostPolicy
-	a.sshUserPolicy = sshUserPolicy
+	// only update the policy engine when no error was returned
+	a.policyEngine = engine
 
 	return nil
 }
 
 func isAllowed(engine authPolicy.X509Policy, sans []string) error {
-	var (
-		allowed bool
-		err     error
-	)
-	if allowed, err = engine.AreSANsAllowed(sans); err != nil {
+	if err := engine.AreSANsAllowed(sans); err != nil {
 		var policyErr *policy.NamePolicyError
 		isNamePolicyError := errors.As(err, &policyErr)
 		if isNamePolicyError && policyErr.Reason == policy.NotAllowed {
@@ -285,13 +254,6 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
 		}
 	}
 
-	if !allowed {
-		return &PolicyError{
-			Typ: AdminLockOut,
-			Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
-		}
-	}
-
 	return nil
 }
 

Diff for: authority/policy/engine.go

@@ -0,0 +1,114 @@
+package policy
+
+import (
+	"crypto/x509"
+	"errors"
+	"fmt"
+
+	"golang.org/x/crypto/ssh"
+)
+
+// Engine is a container for multiple policies.
+type Engine struct {
+	x509Policy    X509Policy
+	sshUserPolicy UserPolicy
+	sshHostPolicy HostPolicy
+}
+
+// New returns a new Engine using Options.
+func New(options *Options) (*Engine, error) {
+
+	// if no options provided, return early
+	if options == nil {
+		return nil, nil
+	}
+
+	var (
+		x509Policy    X509Policy
+		sshHostPolicy HostPolicy
+		sshUserPolicy UserPolicy
+		err           error
+	)
+
+	// initialize the x509 allow/deny policy engine
+	if x509Policy, err = NewX509PolicyEngine(options.GetX509Options()); err != nil {
+		return nil, err
+	}
+
+	// initialize the SSH allow/deny policy engine for host certificates
+	if sshHostPolicy, err = NewSSHHostPolicyEngine(options.GetSSHOptions()); err != nil {
+		return nil, err
+	}
+
+	// initialize the SSH allow/deny policy engine for user certificates
+	if sshUserPolicy, err = NewSSHUserPolicyEngine(options.GetSSHOptions()); err != nil {
+		return nil, err
+	}
+
+	return &Engine{
+		x509Policy:    x509Policy,
+		sshHostPolicy: sshHostPolicy,
+		sshUserPolicy: sshUserPolicy,
+	}, nil
+}
+
+// IsX509CertificateAllowed evaluates an X.509 certificate against
+// the X.509 policy (if available) and returns an error if one of the
+// names in the certificate is not allowed.
+func (e *Engine) IsX509CertificateAllowed(cert *x509.Certificate) error {
+
+	// return early if there's no policy to evaluate
+	if e == nil || e.x509Policy == nil {
+		return nil
+	}
+
+	// return result of X.509 policy evaluation
+	return e.x509Policy.IsX509CertificateAllowed(cert)
+}
+
+// AreSANsAllowed evaluates the slice of SANs against the X.509 policy
+// (if available) and returns an error if one of the SANs is not allowed.
+func (e *Engine) AreSANsAllowed(sans []string) error {
+
+	// return early if there's no policy to evaluate
+	if e == nil || e.x509Policy == nil {
+		return nil
+	}
+
+	// return result of X.509 policy evaluation
+	return e.x509Policy.AreSANsAllowed(sans)
+}
+
+// IsSSHCertificateAllowed evaluates an SSH certificate against the
+// user or host policy (if configured) and returns an error if one of the
+// principals in the certificate is not allowed.
+func (e *Engine) IsSSHCertificateAllowed(cert *ssh.Certificate) error {
+
+	// return early if there's no policy to evaluate
+	if e == nil || (e.sshHostPolicy == nil && e.sshUserPolicy == nil) {
+		return nil
+	}
+
+	switch cert.CertType {
+	case ssh.HostCert:
+		// when no host policy engine is configured, but a user policy engine is
+		// configured, the host certificate is denied.
+		if e.sshHostPolicy == nil && e.sshUserPolicy != nil {
+			return errors.New("authority not allowed to sign ssh host certificates")
+		}
+
+		// return result of SSH host policy evaluation
+		return e.sshHostPolicy.IsSSHCertificateAllowed(cert)
+	case ssh.UserCert:
+		// 	when no user policy engine is configured, but a host policy engine is
+		// 	configured, the user certificate is denied.
+		if e.sshUserPolicy == nil && e.sshHostPolicy != nil {
+			return errors.New("authority not allowed to sign ssh user certificates")
+		}
+
+		// return result of SSH user policy evaluation
+		return e.sshUserPolicy.IsSSHCertificateAllowed(cert)
+	default:
+		return fmt.Errorf("unexpected ssh certificate type %q", cert.CertType)
+	}
+}