Fix (part of) PR comments

Author: hslatman

api/read/read.go

@@ -24,7 +24,7 @@ func JSON(r io.Reader, v interface{}) error {
 }
 
 // ProtoJSON reads JSON from the request body and stores it in the value
-// pointed to by v.
+// pointed to by m.
 func ProtoJSON(r io.Reader, m proto.Message) error {
 	data, err := io.ReadAll(r)
 	if err != nil {

authority/admin/api/policy.go

@@ -74,8 +74,7 @@ func (par *PolicyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 	}
 
 	if policy != nil {
-		adminErr := admin.NewError(admin.ErrorBadRequestType, "authority already has a policy")
-		adminErr.Status = http.StatusConflict
+		adminErr := admin.NewError(admin.ErrorConflictType, "authority already has a policy")
 		render.Error(w, adminErr)
 		return
 	}
@@ -197,8 +196,7 @@ func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 
 	policy := prov.GetPolicy()
 	if policy != nil {
-		adminErr := admin.NewError(admin.ErrorBadRequestType, "provisioner %s already has a policy", prov.Name)
-		adminErr.Status = http.StatusConflict
+		adminErr := admin.NewError(admin.ErrorConflictType, "provisioner %s already has a policy", prov.Name)
 		render.Error(w, adminErr)
 		return
 	}
@@ -307,8 +305,7 @@ func (par *PolicyAdminResponder) CreateACMEAccountPolicy(w http.ResponseWriter,
 
 	policy := eak.GetPolicy()
 	if policy != nil {
-		adminErr := admin.NewError(admin.ErrorBadRequestType, "ACME EAK %s already has a policy", eak.Id)
-		adminErr.Status = http.StatusConflict
+		adminErr := admin.NewError(admin.ErrorConflictType, "ACME EAK %s already has a policy", eak.Id)
 		render.Error(w, adminErr)
 		return
 	}

authority/admin/api/policy_test.go

@@ -154,9 +154,8 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
 		},
 		"fail/existing-policy": func(t *testing.T) test {
 			ctx := context.Background()
-			err := admin.NewError(admin.ErrorBadRequestType, "authority already has a policy")
+			err := admin.NewError(admin.ErrorConflictType, "authority already has a policy")
 			err.Message = "authority already has a policy"
-			err.Status = http.StatusConflict
 			return test{
 				ctx: ctx,
 				auth: &mockAdminAuthority{
@@ -864,9 +863,8 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
 				Policy: policy,
 			}
 			ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
-			err := admin.NewError(admin.ErrorBadRequestType, "provisioner provName already has a policy")
+			err := admin.NewError(admin.ErrorConflictType, "provisioner provName already has a policy")
 			err.Message = "provisioner provName already has a policy"
-			err.Status = http.StatusConflict
 			return test{
 				ctx:        ctx,
 				err:        err,
@@ -1466,9 +1464,8 @@ func TestPolicyAdminResponder_CreateACMEAccountPolicy(t *testing.T) {
 			}
 			ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
 			ctx = linkedca.NewContextWithExternalAccountKey(ctx, eak)
-			err := admin.NewError(admin.ErrorBadRequestType, "ACME EAK eakID already has a policy")
+			err := admin.NewError(admin.ErrorConflictType, "ACME EAK eakID already has a policy")
 			err.Message = "ACME EAK eakID already has a policy"
-			err.Status = http.StatusConflict
 			return test{
 				ctx:        ctx,
 				err:        err,

authority/admin/errors.go

@@ -24,10 +24,12 @@ const (
 	ErrorBadRequestType
 	// ErrorNotImplementedType not implemented.
 	ErrorNotImplementedType
-	// ErrorUnauthorizedType internal server error.
+	// ErrorUnauthorizedType unauthorized.
 	ErrorUnauthorizedType
 	// ErrorServerInternalType internal server error.
 	ErrorServerInternalType
+	// ErrorConflictType conflict.
+	ErrorConflictType
 )
 
 // String returns the string representation of the admin problem type,
@@ -48,6 +50,8 @@ func (ap ProblemType) String() string {
 		return "unauthorized"
 	case ErrorServerInternalType:
 		return "internalServerError"
+	case ErrorConflictType:
+		return "conflict"
 	default:
 		return fmt.Sprintf("unsupported error type '%d'", int(ap))
 	}
@@ -64,7 +68,7 @@ var (
 	errorServerInternalMetadata = errorMetadata{
 		typ:     ErrorServerInternalType.String(),
 		details: "the server experienced an internal error",
-		status:  500,
+		status:  http.StatusInternalServerError,
 	}
 	errorMap = map[ProblemType]errorMetadata{
 		ErrorNotFoundType: {
@@ -98,6 +102,11 @@ var (
 			status:  http.StatusUnauthorized,
 		},
 		ErrorServerInternalType: errorServerInternalMetadata,
+		ErrorConflictType: {
+			typ:     ErrorConflictType.String(),
+			details: "conflict",
+			status:  http.StatusConflict,
+		},
 	}
 )
 

authority/policy.go

@@ -318,11 +318,10 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 	opts := &authPolicy.Options{}
 
 	// fill x509 policy configuration
-	if p.GetX509() != nil {
+	if x509 := p.GetX509(); x509 != nil {
 		opts.X509 = &authPolicy.X509PolicyOptions{}
-		if p.GetX509().GetAllow() != nil {
+		if allow := x509.GetAllow(); allow != nil {
 			opts.X509.AllowedNames = &authPolicy.X509NameOptions{}
-			allow := p.GetX509().GetAllow()
 			if allow.Dns != nil {
 				opts.X509.AllowedNames.DNSDomains = allow.Dns
 			}
@@ -336,9 +335,8 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 				opts.X509.AllowedNames.URIDomains = allow.Uris
 			}
 		}
-		if p.GetX509().GetDeny() != nil {
+		if deny := x509.GetDeny(); deny != nil {
 			opts.X509.DeniedNames = &authPolicy.X509NameOptions{}
-			deny := p.GetX509().GetDeny()
 			if deny.Dns != nil {
 				opts.X509.DeniedNames.DNSDomains = deny.Dns
 			}
@@ -352,22 +350,21 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 				opts.X509.DeniedNames.URIDomains = deny.Uris
 			}
 		}
-		if p.GetX509().GetAllowWildcardLiteral() != nil {
-			opts.X509.AllowWildcardLiteral = &p.GetX509().GetAllowWildcardLiteral().Value
+		if v := x509.GetAllowWildcardLiteral(); v != nil {
+			opts.X509.AllowWildcardLiteral = &v.Value
 		}
-		if p.GetX509().GetVerifySubjectCommonName() != nil {
-			opts.X509.VerifySubjectCommonName = &p.GetX509().VerifySubjectCommonName.Value
+		if v := x509.GetVerifySubjectCommonName(); v != nil {
+			opts.X509.VerifySubjectCommonName = &v.Value
 		}
 	}
 
 	// fill ssh policy configuration
-	if p.GetSsh() != nil {
+	if ssh := p.GetSsh(); ssh != nil {
 		opts.SSH = &authPolicy.SSHPolicyOptions{}
-		if p.GetSsh().GetHost() != nil {
+		if host := ssh.GetHost(); host != nil {
 			opts.SSH.Host = &authPolicy.SSHHostCertificateOptions{}
-			if p.GetSsh().GetHost().GetAllow() != nil {
+			if allow := host.GetAllow(); allow != nil {
 				opts.SSH.Host.AllowedNames = &authPolicy.SSHNameOptions{}
-				allow := p.GetSsh().GetHost().GetAllow()
 				if allow.Dns != nil {
 					opts.SSH.Host.AllowedNames.DNSDomains = allow.Dns
 				}
@@ -378,9 +375,8 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 					opts.SSH.Host.AllowedNames.Principals = allow.Principals
 				}
 			}
-			if p.GetSsh().GetHost().GetDeny() != nil {
+			if deny := host.GetDeny(); deny != nil {
 				opts.SSH.Host.DeniedNames = &authPolicy.SSHNameOptions{}
-				deny := p.GetSsh().GetHost().GetDeny()
 				if deny.Dns != nil {
 					opts.SSH.Host.DeniedNames.DNSDomains = deny.Dns
 				}
@@ -392,21 +388,19 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 				}
 			}
 		}
-		if p.GetSsh().GetUser() != nil {
+		if user := ssh.GetUser(); user != nil {
 			opts.SSH.User = &authPolicy.SSHUserCertificateOptions{}
-			if p.GetSsh().GetUser().GetAllow() != nil {
+			if allow := user.GetAllow(); allow != nil {
 				opts.SSH.User.AllowedNames = &authPolicy.SSHNameOptions{}
-				allow := p.GetSsh().GetUser().GetAllow()
 				if allow.Emails != nil {
 					opts.SSH.User.AllowedNames.EmailAddresses = allow.Emails
 				}
 				if allow.Principals != nil {
 					opts.SSH.User.AllowedNames.Principals = allow.Principals
 				}
 			}
-			if p.GetSsh().GetUser().GetDeny() != nil {
+			if deny := user.GetDeny(); deny != nil {
 				opts.SSH.User.DeniedNames = &authPolicy.SSHNameOptions{}
-				deny := p.GetSsh().GetUser().GetDeny()
 				if deny.Emails != nil {
 					opts.SSH.User.DeniedNames.EmailAddresses = deny.Emails
 				}

authority/policy/options.go

@@ -67,24 +67,20 @@ func (o *X509NameOptions) HasNames() bool {
 		len(o.URIDomains) > 0
 }
 
-// GetDeniedNameOptions returns the x509 denied name policy configuration
-func (o *X509PolicyOptions) GetDeniedNameOptions() *X509NameOptions {
+// GetAllowedNameOptions returns x509 allowed name policy configuration
+func (o *X509PolicyOptions) GetAllowedNameOptions() *X509NameOptions {
 	if o == nil {
 		return nil
 	}
-	return o.DeniedNames
+	return o.AllowedNames
 }
 
-// GetAllowedUserNameOptions returns the SSH allowed user name policy
-// configuration.
-func (o *SSHPolicyOptions) GetAllowedUserNameOptions() *SSHNameOptions {
+// GetDeniedNameOptions returns the x509 denied name policy configuration
+func (o *X509PolicyOptions) GetDeniedNameOptions() *X509NameOptions {
 	if o == nil {
 		return nil
 	}
-	if o.User == nil {
-		return nil
-	}
-	return o.User.AllowedNames
+	return o.DeniedNames
 }
 
 func (o *X509PolicyOptions) IsWildcardLiteralAllowed() bool {
@@ -122,21 +118,19 @@ type SSHPolicyOptions struct {
 	Host *SSHHostCertificateOptions `json:"host,omitempty"`
 }
 
-// GetAllowedNameOptions returns x509 allowed name policy configuration
-func (o *X509PolicyOptions) GetAllowedNameOptions() *X509NameOptions {
-	if o == nil {
+// GetAllowedUserNameOptions returns the SSH allowed user name policy
+// configuration.
+func (o *SSHPolicyOptions) GetAllowedUserNameOptions() *SSHNameOptions {
+	if o == nil || o.User == nil {
 		return nil
 	}
-	return o.AllowedNames
+	return o.User.AllowedNames
 }
 
 // GetDeniedUserNameOptions returns the SSH denied user name policy
 // configuration.
 func (o *SSHPolicyOptions) GetDeniedUserNameOptions() *SSHNameOptions {
-	if o == nil {
-		return nil
-	}
-	if o.User == nil {
+	if o == nil || o.User == nil {
 		return nil
 	}
 	return o.User.DeniedNames
@@ -145,10 +139,7 @@ func (o *SSHPolicyOptions) GetDeniedUserNameOptions() *SSHNameOptions {
 // GetAllowedHostNameOptions returns the SSH allowed host name policy
 // configuration.
 func (o *SSHPolicyOptions) GetAllowedHostNameOptions() *SSHNameOptions {
-	if o == nil {
-		return nil
-	}
-	if o.Host == nil {
+	if o == nil || o.Host == nil {
 		return nil
 	}
 	return o.Host.AllowedNames
@@ -157,10 +148,7 @@ func (o *SSHPolicyOptions) GetAllowedHostNameOptions() *SSHNameOptions {
 // GetDeniedHostNameOptions returns the SSH denied host name policy
 // configuration.
 func (o *SSHPolicyOptions) GetDeniedHostNameOptions() *SSHNameOptions {
-	if o == nil {
-		return nil
-	}
-	if o.Host == nil {
+	if o == nil || o.Host == nil {
 		return nil
 	}
 	return o.Host.DeniedNames

authority/policy/policy.go

@@ -28,20 +28,20 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,
 	allowed := policyOptions.GetAllowedNameOptions()
 	if allowed != nil && allowed.HasNames() {
 		options = append(options,
-			policy.WithPermittedDNSDomains(allowed.DNSDomains),
-			policy.WithPermittedIPsOrCIDRs(allowed.IPRanges),
-			policy.WithPermittedEmailAddresses(allowed.EmailAddresses),
-			policy.WithPermittedURIDomains(allowed.URIDomains),
+			policy.WithPermittedDNSDomains(allowed.DNSDomains...),
+			policy.WithPermittedIPsOrCIDRs(allowed.IPRanges...),
+			policy.WithPermittedEmailAddresses(allowed.EmailAddresses...),
+			policy.WithPermittedURIDomains(allowed.URIDomains...),
 		)
 	}
 
 	denied := policyOptions.GetDeniedNameOptions()
 	if denied != nil && denied.HasNames() {
 		options = append(options,
-			policy.WithExcludedDNSDomains(denied.DNSDomains),
-			policy.WithExcludedIPsOrCIDRs(denied.IPRanges),
-			policy.WithExcludedEmailAddresses(denied.EmailAddresses),
-			policy.WithExcludedURIDomains(denied.URIDomains),
+			policy.WithExcludedDNSDomains(denied.DNSDomains...),
+			policy.WithExcludedIPsOrCIDRs(denied.IPRanges...),
+			policy.WithExcludedEmailAddresses(denied.EmailAddresses...),
+			policy.WithExcludedURIDomains(denied.URIDomains...),
 		)
 	}
 
@@ -114,19 +114,19 @@ func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEn
 
 	if allowed != nil && allowed.HasNames() {
 		options = append(options,
-			policy.WithPermittedDNSDomains(allowed.DNSDomains),
-			policy.WithPermittedIPsOrCIDRs(allowed.IPRanges),
-			policy.WithPermittedEmailAddresses(allowed.EmailAddresses),
-			policy.WithPermittedPrincipals(allowed.Principals),
+			policy.WithPermittedDNSDomains(allowed.DNSDomains...),
+			policy.WithPermittedIPsOrCIDRs(allowed.IPRanges...),
+			policy.WithPermittedEmailAddresses(allowed.EmailAddresses...),
+			policy.WithPermittedPrincipals(allowed.Principals...),
 		)
 	}
 
 	if denied != nil && denied.HasNames() {
 		options = append(options,
-			policy.WithExcludedDNSDomains(denied.DNSDomains),
-			policy.WithExcludedIPsOrCIDRs(denied.IPRanges),
-			policy.WithExcludedEmailAddresses(denied.EmailAddresses),
-			policy.WithExcludedPrincipals(denied.Principals),
+			policy.WithExcludedDNSDomains(denied.DNSDomains...),
+			policy.WithExcludedIPsOrCIDRs(denied.IPRanges...),
+			policy.WithExcludedEmailAddresses(denied.EmailAddresses...),
+			policy.WithExcludedPrincipals(denied.Principals...),
 		)
 	}