Admin level API for provisioner mgmt v1

Author: dopey

.golangci.yml

@@ -8,7 +8,7 @@ linters-settings:
           - (github.com/golangci/golangci-lint/pkg/logutils.Log).Errorf
           - (github.com/golangci/golangci-lint/pkg/logutils.Log).Warnf
           - (github.com/golangci/golangci-lint/pkg/logutils.Log).Fatalf
-  golint:
+  revive:
     min-confidence: 0
   gocyclo:
     min-complexity: 10
@@ -44,7 +44,7 @@ linters:
   disable-all: true
   enable:
     - gofmt
-    - golint
+    - revive
     - govet
     - misspell
     - ineffassign

acme/api/middleware.go

@@ -288,13 +288,13 @@ func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 
-		name := chi.URLParam(r, "provisionerID")
-		provID, err := url.PathUnescape(name)
+		nameEscaped := chi.URLParam(r, "provisionerID")
+		name, err := url.PathUnescape(nameEscaped)
 		if err != nil {
-			api.WriteError(w, acme.WrapErrorISE(err, "error url unescaping provisioner id '%s'", name))
+			api.WriteError(w, acme.WrapErrorISE(err, "error url unescaping provisioner name '%s'", nameEscaped))
 			return
 		}
-		p, err := h.ca.LoadProvisionerByID("acme/" + provID)
+		p, err := h.ca.LoadProvisionerByName(name)
 		if err != nil {
 			api.WriteError(w, err)
 			return

acme/common.go

@@ -11,7 +11,7 @@ import (
 // CertificateAuthority is the interface implemented by a CA authority.
 type CertificateAuthority interface {
 	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
-	LoadProvisionerByID(string) (provisioner.Interface, error)
+	LoadProvisionerByName(string) (provisioner.Interface, error)
 }
 
 // Clock that returns time in UTC rounded to seconds.

acme/db/nosql/nosql.go

@@ -23,12 +23,11 @@ var (
 
 // DB is a struct that implements the AcmeDB interface.
 type DB struct {
-	db          nosqlDB.DB
-	authorityID string
+	db nosqlDB.DB
 }
 
 // New configures and returns a new ACME DB backend implemented using a nosql DB.
-func New(db nosqlDB.DB, authorityID string) (*DB, error) {
+func New(db nosqlDB.DB) (*DB, error) {
 	tables := [][]byte{accountTable, accountByKeyIDTable, authzTable,
 		challengeTable, nonceTable, orderTable, ordersByAccountIDTable, certTable}
 	for _, b := range tables {
@@ -37,7 +36,7 @@ func New(db nosqlDB.DB, authorityID string) (*DB, error) {
 				string(b))
 		}
 	}
-	return &DB{db, authorityID}, nil
+	return &DB{db}, nil
 }
 
 // save writes the new data to the database, overwriting the old data if it

acme/order_test.go

@@ -261,10 +261,10 @@ func TestOrder_UpdateStatus(t *testing.T) {
 }
 
 type mockSignAuth struct {
-	sign                func(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
-	loadProvisionerByID func(string) (provisioner.Interface, error)
-	ret1, ret2          interface{}
-	err                 error
+	sign                  func(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
+	loadProvisionerByName func(string) (provisioner.Interface, error)
+	ret1, ret2            interface{}
+	err                   error
 }
 
 func (m *mockSignAuth) Sign(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
@@ -276,9 +276,9 @@ func (m *mockSignAuth) Sign(csr *x509.CertificateRequest, signOpts provisioner.S
 	return []*x509.Certificate{m.ret1.(*x509.Certificate), m.ret2.(*x509.Certificate)}, m.err
 }
 
-func (m *mockSignAuth) LoadProvisionerByID(id string) (provisioner.Interface, error) {
-	if m.loadProvisionerByID != nil {
-		return m.loadProvisionerByID(id)
+func (m *mockSignAuth) LoadProvisionerByName(name string) (provisioner.Interface, error) {
+	if m.loadProvisionerByName != nil {
+		return m.loadProvisionerByName(name)
 	}
 	return m.ret1.(provisioner.Interface), m.err
 }

api/api.go

@@ -39,7 +39,7 @@ type Authority interface {
 	Renew(peer *x509.Certificate) ([]*x509.Certificate, error)
 	Rekey(peer *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
 	LoadProvisionerByCertificate(*x509.Certificate) (provisioner.Interface, error)
-	LoadProvisionerByID(string) (provisioner.Interface, error)
+	LoadProvisionerByName(string) (provisioner.Interface, error)
 	GetProvisioners(cursor string, limit int) (provisioner.List, string, error)
 	Revoke(context.Context, *authority.RevokeOptions) error
 	GetEncryptedKey(kid string) (string, error)
@@ -418,7 +418,7 @@ func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 				if len(val.CredentialID) > 0 {
 					m["provisioner"] = fmt.Sprintf("%s (%s)", val.Name, val.CredentialID)
 				} else {
-					m["provisioner"] = fmt.Sprintf("%s", val.Name)
+					m["provisioner"] = string(val.Name)
 				}
 				break
 			}

api/api_test.go

@@ -430,6 +430,7 @@ type mockProvisioner struct {
 	ret1, ret2, ret3   interface{}
 	err                error
 	getID              func() string
+	getIDForToken      func() string
 	getTokenID         func(string) (string, error)
 	getName            func() string
 	getType            func() provisioner.Type
@@ -452,6 +453,13 @@ func (m *mockProvisioner) GetID() string {
 	return m.ret1.(string)
 }
 
+func (m *mockProvisioner) GetIDForToken() string {
+	if m.getIDForToken != nil {
+		return m.getIDForToken()
+	}
+	return m.ret1.(string)
+}
+
 func (m *mockProvisioner) GetTokenID(token string) (string, error) {
 	if m.getTokenID != nil {
 		return m.getTokenID(token)
@@ -553,7 +561,7 @@ type mockAuthority struct {
 	renew                        func(cert *x509.Certificate) ([]*x509.Certificate, error)
 	rekey                        func(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
 	loadProvisionerByCertificate func(cert *x509.Certificate) (provisioner.Interface, error)
-	loadProvisionerByID          func(provID string) (provisioner.Interface, error)
+	loadProvisionerByName        func(name string) (provisioner.Interface, error)
 	getProvisioners              func(nextCursor string, limit int) (provisioner.List, string, error)
 	revoke                       func(context.Context, *authority.RevokeOptions) error
 	getEncryptedKey              func(kid string) (string, error)
@@ -633,9 +641,9 @@ func (m *mockAuthority) LoadProvisionerByCertificate(cert *x509.Certificate) (pr
 	return m.ret1.(provisioner.Interface), m.err
 }
 
-func (m *mockAuthority) LoadProvisionerByID(provID string) (provisioner.Interface, error) {
-	if m.loadProvisionerByID != nil {
-		return m.loadProvisionerByID(provID)
+func (m *mockAuthority) LoadProvisionerByName(name string) (provisioner.Interface, error) {
+	if m.loadProvisionerByName != nil {
+		return m.loadProvisionerByName(name)
 	}
 	return m.ret1.(provisioner.Interface), m.err
 }

api/errors.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/acme"
-	"github.com/smallstep/certificates/authority/mgmt"
+	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/logging"
 	"github.com/smallstep/certificates/scep"
@@ -20,8 +20,8 @@ func WriteError(w http.ResponseWriter, err error) {
 	case *acme.Error:
 		acme.WriteError(w, k)
 		return
-	case *mgmt.Error:
-		mgmt.WriteError(w, k)
+	case *admin.Error:
+		admin.WriteError(w, k)
 		return
 	case *scep.Error:
 		w.Header().Set("Content-Type", "text/plain")

api/utils.go

@@ -3,11 +3,14 @@ package api
 import (
 	"encoding/json"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/http"
 
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/logging"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/proto"
 )
 
 // EnableLogger is an interface that enables response logging for an object.
@@ -64,6 +67,29 @@ func JSONStatus(w http.ResponseWriter, v interface{}, status int) {
 	LogEnabledResponse(w, v)
 }
 
+// ProtoJSON writes the passed value into the http.ResponseWriter.
+func ProtoJSON(w http.ResponseWriter, m proto.Message) {
+	ProtoJSONStatus(w, m, http.StatusOK)
+}
+
+// ProtoJSONStatus writes the given value into the http.ResponseWriter and the
+// given status is written as the status code of the response.
+func ProtoJSONStatus(w http.ResponseWriter, m proto.Message, status int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+
+	b, err := protojson.Marshal(m)
+	if err != nil {
+		LogError(w, err)
+		return
+	}
+	if _, err := w.Write(b); err != nil {
+		LogError(w, err)
+		return
+	}
+	//LogEnabledResponse(w, v)
+}
+
 // ReadJSON reads JSON from the request body and stores it in the value
 // pointed by v.
 func ReadJSON(r io.Reader, v interface{}) error {
@@ -72,3 +98,13 @@ func ReadJSON(r io.Reader, v interface{}) error {
 	}
 	return nil
 }
+
+// ReadProtoJSON reads JSON from the request body and stores it in the value
+// pointed by v.
+func ReadProtoJSON(r io.Reader, m proto.Message) error {
+	data, err := ioutil.ReadAll(r)
+	if err != nil {
+		return errs.Wrap(http.StatusBadRequest, err, "error reading request body")
+	}
+	return protojson.Unmarshal(data, m)
+}