Change authority policy to use dbPolicy model

Author: hslatman

authority/admin/db/nosql/policy.go

@@ -11,17 +11,64 @@ import (
 	"github.com/smallstep/nosql"
 )
 
+type dbX509Policy struct {
+	Allow              *dbX509Names `json:"allow,omitempty"`
+	Deny               *dbX509Names `json:"deny,omitempty"`
+	AllowWildcardNames bool         `json:"allow_wildcard_names,omitempty"`
+}
+
+type dbX509Names struct {
+	CommonNames    []string `json:"cn,omitempty"`
+	DNSDomains     []string `json:"dns,omitempty"`
+	IPRanges       []string `json:"ip,omitempty"`
+	EmailAddresses []string `json:"email,omitempty"`
+	URIDomains     []string `json:"uri,omitempty"`
+}
+
+type dbSSHPolicy struct {
+	// User contains SSH user certificate options.
+	User *dbSSHUserPolicy `json:"user,omitempty"`
+	// Host contains SSH host certificate options.
+	Host *dbSSHHostPolicy `json:"host,omitempty"`
+}
+
+type dbSSHHostPolicy struct {
+	Allow *dbSSHHostNames `json:"allow,omitempty"`
+	Deny  *dbSSHHostNames `json:"deny,omitempty"`
+}
+
+type dbSSHHostNames struct {
+	DNSDomains []string `json:"dns,omitempty"`
+	IPRanges   []string `json:"ip,omitempty"`
+	Principals []string `json:"principal,omitempty"`
+}
+
+type dbSSHUserPolicy struct {
+	Allow *dbSSHUserNames `json:"allow,omitempty"`
+	Deny  *dbSSHUserNames `json:"deny,omitempty"`
+}
+
+type dbSSHUserNames struct {
+	EmailAddresses []string `json:"email,omitempty"`
+	Principals     []string `json:"principal,omitempty"`
+}
+
+type dbPolicy struct {
+	X509 *dbX509Policy `json:"x509,omitempty"`
+	SSH  *dbSSHPolicy  `json:"ssh,omitempty"`
+}
+
 type dbAuthorityPolicy struct {
-	ID          string           `json:"id"`
-	AuthorityID string           `json:"authorityID"`
-	Policy      *linkedca.Policy `json:"policy"`
+	ID          string    `json:"id"`
+	AuthorityID string    `json:"authorityID"`
+	Policy      *dbPolicy `json:"policy,omitempty"`
 }
 
 func (dbap *dbAuthorityPolicy) convert() *linkedca.Policy {
 	if dbap == nil {
 		return nil
 	}
-	return dbap.Policy
+	return dbToLinked(dbap.Policy)
 }
 
 func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string) ([]byte, error) {
@@ -69,7 +116,7 @@ func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy
 	dbap := &dbAuthorityPolicy{
 		ID:          db.authorityID,
 		AuthorityID: db.authorityID,
-		Policy:      policy,
+		Policy:      linkedToDB(policy),
 	}
 
 	if err := db.save(ctx, dbap.ID, dbap, nil, "authority_policy", authorityPoliciesTable); err != nil {
@@ -97,7 +144,7 @@ func (db *DB) UpdateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy
 	dbap := &dbAuthorityPolicy{
 		ID:          db.authorityID,
 		AuthorityID: db.authorityID,
-		Policy:      policy,
+		Policy:      linkedToDB(policy),
 	}
 
 	if err := db.save(ctx, dbap.ID, dbap, old, "authority_policy", authorityPoliciesTable); err != nil {
@@ -119,3 +166,174 @@ func (db *DB) DeleteAuthorityPolicy(ctx context.Context) error {
 
 	return nil
 }
+
+func dbToLinked(p *dbPolicy) *linkedca.Policy {
+	if p == nil {
+		return nil
+	}
+	r := &linkedca.Policy{}
+	if x509 := p.X509; x509 != nil {
+		r.X509 = &linkedca.X509Policy{}
+		if allow := x509.Allow; allow != nil {
+			r.X509.Allow = &linkedca.X509Names{}
+			r.X509.Allow.Dns = allow.DNSDomains
+			r.X509.Allow.Emails = allow.EmailAddresses
+			r.X509.Allow.Ips = allow.IPRanges
+			r.X509.Allow.Uris = allow.URIDomains
+			r.X509.Allow.CommonNames = allow.CommonNames
+		}
+		if deny := x509.Deny; deny != nil {
+			r.X509.Deny = &linkedca.X509Names{}
+			r.X509.Deny.Dns = deny.DNSDomains
+			r.X509.Deny.Emails = deny.EmailAddresses
+			r.X509.Deny.Ips = deny.IPRanges
+			r.X509.Deny.Uris = deny.URIDomains
+			r.X509.Deny.CommonNames = deny.CommonNames
+		}
+		r.X509.AllowWildcardNames = x509.AllowWildcardNames
+	}
+	if ssh := p.SSH; ssh != nil {
+		r.Ssh = &linkedca.SSHPolicy{}
+		if host := ssh.Host; host != nil {
+			r.Ssh.Host = &linkedca.SSHHostPolicy{}
+			if allow := host.Allow; allow != nil {
+				r.Ssh.Host.Allow = &linkedca.SSHHostNames{}
+				r.Ssh.Host.Allow.Dns = allow.DNSDomains
+				r.Ssh.Host.Allow.Ips = allow.IPRanges
+				r.Ssh.Host.Allow.Principals = allow.Principals
+			}
+			if deny := host.Deny; deny != nil {
+				r.Ssh.Host.Deny = &linkedca.SSHHostNames{}
+				r.Ssh.Host.Deny.Dns = deny.DNSDomains
+				r.Ssh.Host.Deny.Ips = deny.IPRanges
+				r.Ssh.Host.Deny.Principals = deny.Principals
+			}
+		}
+		if user := ssh.User; user != nil {
+			r.Ssh.User = &linkedca.SSHUserPolicy{}
+			if allow := user.Allow; allow != nil {
+				r.Ssh.User.Allow = &linkedca.SSHUserNames{}
+				r.Ssh.User.Allow.Emails = allow.EmailAddresses
+				r.Ssh.User.Allow.Principals = allow.Principals
+			}
+			if deny := user.Deny; deny != nil {
+				r.Ssh.User.Deny = &linkedca.SSHUserNames{}
+				r.Ssh.User.Deny.Emails = deny.EmailAddresses
+				r.Ssh.User.Deny.Principals = deny.Principals
+			}
+		}
+	}
+
+	return r
+}
+
+func linkedToDB(p *linkedca.Policy) *dbPolicy {
+
+	if p == nil {
+		return nil
+	}
+
+	// return early if x509 nor SSH is set
+	if p.GetX509() == nil && p.GetSsh() == nil {
+		return nil
+	}
+
+	r := &dbPolicy{}
+	// fill x509 policy configuration
+	if x509 := p.GetX509(); x509 != nil {
+		r.X509 = &dbX509Policy{}
+		if allow := x509.GetAllow(); allow != nil {
+			r.X509.Allow = &dbX509Names{}
+			if allow.Dns != nil {
+				r.X509.Allow.DNSDomains = allow.Dns
+			}
+			if allow.Ips != nil {
+				r.X509.Allow.IPRanges = allow.Ips
+			}
+			if allow.Emails != nil {
+				r.X509.Allow.EmailAddresses = allow.Emails
+			}
+			if allow.Uris != nil {
+				r.X509.Allow.URIDomains = allow.Uris
+			}
+			if allow.CommonNames != nil {
+				r.X509.Allow.CommonNames = allow.CommonNames
+			}
+		}
+		if deny := x509.GetDeny(); deny != nil {
+			r.X509.Deny = &dbX509Names{}
+			if deny.Dns != nil {
+				r.X509.Deny.DNSDomains = deny.Dns
+			}
+			if deny.Ips != nil {
+				r.X509.Deny.IPRanges = deny.Ips
+			}
+			if deny.Emails != nil {
+				r.X509.Deny.EmailAddresses = deny.Emails
+			}
+			if deny.Uris != nil {
+				r.X509.Deny.URIDomains = deny.Uris
+			}
+			if deny.CommonNames != nil {
+				r.X509.Deny.CommonNames = deny.CommonNames
+			}
+		}
+
+		r.X509.AllowWildcardNames = x509.GetAllowWildcardNames()
+	}
+
+	// fill ssh policy configuration
+	if ssh := p.GetSsh(); ssh != nil {
+		r.SSH = &dbSSHPolicy{}
+		if host := ssh.GetHost(); host != nil {
+			r.SSH.Host = &dbSSHHostPolicy{}
+			if allow := host.GetAllow(); allow != nil {
+				r.SSH.Host.Allow = &dbSSHHostNames{}
+				if allow.Dns != nil {
+					r.SSH.Host.Allow.DNSDomains = allow.Dns
+				}
+				if allow.Ips != nil {
+					r.SSH.Host.Allow.IPRanges = allow.Ips
+				}
+				if allow.Principals != nil {
+					r.SSH.Host.Allow.Principals = allow.Principals
+				}
+			}
+			if deny := host.GetDeny(); deny != nil {
+				r.SSH.Host.Deny = &dbSSHHostNames{}
+				if deny.Dns != nil {
+					r.SSH.Host.Deny.DNSDomains = deny.Dns
+				}
+				if deny.Ips != nil {
+					r.SSH.Host.Deny.IPRanges = deny.Ips
+				}
+				if deny.Principals != nil {
+					r.SSH.Host.Deny.Principals = deny.Principals
+				}
+			}
+		}
+		if user := ssh.GetUser(); user != nil {
+			r.SSH.User = &dbSSHUserPolicy{}
+			if allow := user.GetAllow(); allow != nil {
+				r.SSH.User.Allow = &dbSSHUserNames{}
+				if allow.Emails != nil {
+					r.SSH.User.Allow.EmailAddresses = allow.Emails
+				}
+				if allow.Principals != nil {
+					r.SSH.User.Allow.Principals = allow.Principals
+				}
+			}
+			if deny := user.GetDeny(); deny != nil {
+				r.SSH.User.Deny = &dbSSHUserNames{}
+				if deny.Emails != nil {
+					r.SSH.User.Deny.EmailAddresses = deny.Emails
+				}
+				if deny.Principals != nil {
+					r.SSH.User.Deny.Principals = deny.Principals
+				}
+			}
+		}
+	}
+
+	return r
+}