Merge pull request smallstep#650 from hslatman/hs/acme-eab

ACME External Account Binding

Author: hslatman

acme/account.go

@@ -4,18 +4,20 @@ import (
 	"crypto"
 	"encoding/base64"
 	"encoding/json"
+	"time"
 
 	"go.step.sm/crypto/jose"
 )
 
 // Account is a subset of the internal account type containing only those
 // attributes required for responses in the ACME protocol.
 type Account struct {
-	ID        string           `json:"-"`
-	Key       *jose.JSONWebKey `json:"-"`
-	Contact   []string         `json:"contact,omitempty"`
-	Status    Status           `json:"status"`
-	OrdersURL string           `json:"orders"`
+	ID                     string           `json:"-"`
+	Key                    *jose.JSONWebKey `json:"-"`
+	Contact                []string         `json:"contact,omitempty"`
+	Status                 Status           `json:"status"`
+	OrdersURL              string           `json:"orders"`
+	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
 }
 
 // ToLog enables response logging.
@@ -40,3 +42,32 @@ func KeyToID(jwk *jose.JSONWebKey) (string, error) {
 	}
 	return base64.RawURLEncoding.EncodeToString(kid), nil
 }
+
+// ExternalAccountKey is an ACME External Account Binding key.
+type ExternalAccountKey struct {
+	ID            string    `json:"id"`
+	ProvisionerID string    `json:"provisionerID"`
+	Reference     string    `json:"reference"`
+	AccountID     string    `json:"-"`
+	KeyBytes      []byte    `json:"-"`
+	CreatedAt     time.Time `json:"createdAt"`
+	BoundAt       time.Time `json:"boundAt,omitempty"`
+}
+
+// AlreadyBound returns whether this EAK is already bound to
+// an ACME Account or not.
+func (eak *ExternalAccountKey) AlreadyBound() bool {
+	return !eak.BoundAt.IsZero()
+}
+
+// BindTo binds the EAK to an Account.
+// It returns an error if it's already bound.
+func (eak *ExternalAccountKey) BindTo(account *Account) error {
+	if eak.AlreadyBound() {
+		return NewError(ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", eak.ID, eak.AccountID, eak.BoundAt)
+	}
+	eak.AccountID = account.ID
+	eak.BoundAt = time.Now()
+	eak.KeyBytes = []byte{} // clearing the key bytes; can only be used once
+	return nil
+}

acme/account_test.go

@@ -4,6 +4,7 @@ import (
 	"crypto"
 	"encoding/base64"
 	"testing"
+	"time"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
@@ -79,3 +80,67 @@ func TestAccount_IsValid(t *testing.T) {
 		})
 	}
 }
+
+func TestExternalAccountKey_BindTo(t *testing.T) {
+	boundAt := time.Now()
+	tests := []struct {
+		name string
+		eak  *ExternalAccountKey
+		acct *Account
+		err  *Error
+	}{
+		{
+			name: "ok",
+			eak: &ExternalAccountKey{
+				ID:            "eakID",
+				ProvisionerID: "provID",
+				Reference:     "ref",
+				KeyBytes:      []byte{1, 3, 3, 7},
+			},
+			acct: &Account{
+				ID: "accountID",
+			},
+			err: nil,
+		},
+		{
+			name: "fail/already-bound",
+			eak: &ExternalAccountKey{
+				ID:            "eakID",
+				ProvisionerID: "provID",
+				Reference:     "ref",
+				KeyBytes:      []byte{1, 3, 3, 7},
+				AccountID:     "someAccountID",
+				BoundAt:       boundAt,
+			},
+			acct: &Account{
+				ID: "accountID",
+			},
+			err: NewError(ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", "eakID", "someAccountID", boundAt),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			eak := tt.eak
+			acct := tt.acct
+			err := eak.BindTo(acct)
+			wantErr := tt.err != nil
+			gotErr := err != nil
+			if wantErr != gotErr {
+				t.Errorf("ExternalAccountKey.BindTo() error = %v, wantErr %v", err, tt.err)
+			}
+			if wantErr {
+				assert.NotNil(t, err)
+				assert.Type(t, &Error{}, err)
+				ae, _ := err.(*Error)
+				assert.Equals(t, ae.Type, tt.err.Type)
+				assert.Equals(t, ae.Detail, tt.err.Detail)
+				assert.Equals(t, ae.Identifier, tt.err.Identifier)
+				assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
+			} else {
+				assert.Equals(t, eak.AccountID, acct.ID)
+				assert.Equals(t, eak.KeyBytes, []byte{})
+				assert.NotNil(t, eak.BoundAt)
+			}
+		})
+	}
+}

acme/api/account.go

@@ -12,9 +12,10 @@ import (
 
 // NewAccountRequest represents the payload for a new account request.
 type NewAccountRequest struct {
-	Contact              []string `json:"contact"`
-	OnlyReturnExisting   bool     `json:"onlyReturnExisting"`
-	TermsOfServiceAgreed bool     `json:"termsOfServiceAgreed"`
+	Contact                []string                `json:"contact"`
+	OnlyReturnExisting     bool                    `json:"onlyReturnExisting"`
+	TermsOfServiceAgreed   bool                    `json:"termsOfServiceAgreed"`
+	ExternalAccountBinding *ExternalAccountBinding `json:"externalAccountBinding,omitempty"`
 }
 
 func validateContacts(cs []string) error {
@@ -83,8 +84,14 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	prov, err := acmeProvisionerFromContext(ctx)
+	if err != nil {
+		api.WriteError(w, err)
+		return
+	}
+
 	httpStatus := http.StatusCreated
-	acc, err := accountFromContext(r.Context())
+	acc, err := accountFromContext(ctx)
 	if err != nil {
 		acmeErr, ok := err.(*acme.Error)
 		if !ok || acmeErr.Status != http.StatusBadRequest {
@@ -99,12 +106,19 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) {
 				"account does not exist"))
 			return
 		}
+
 		jwk, err := jwkFromContext(ctx)
 		if err != nil {
 			api.WriteError(w, err)
 			return
 		}
 
+		eak, err := h.validateExternalAccountBinding(ctx, &nar)
+		if err != nil {
+			api.WriteError(w, err)
+			return
+		}
+
 		acc = &acme.Account{
 			Key:     jwk,
 			Contact: nar.Contact,
@@ -114,8 +128,21 @@ func (h *Handler) NewAccount(w http.ResponseWriter, r *http.Request) {
 			api.WriteError(w, acme.WrapErrorISE(err, "error creating account"))
 			return
 		}
+
+		if eak != nil { // means that we have a (valid) External Account Binding key that should be bound, updated and sent in the response
+			err := eak.BindTo(acc)
+			if err != nil {
+				api.WriteError(w, err)
+				return
+			}
+			if err := h.db.UpdateExternalAccountKey(ctx, prov.ID, eak); err != nil {
+				api.WriteError(w, acme.WrapErrorISE(err, "error updating external account binding key"))
+				return
+			}
+			acc.ExternalAccountBinding = nar.ExternalAccountBinding
+		}
 	} else {
-		// Account exists //
+		// Account exists
 		httpStatus = http.StatusOK
 	}