Merge branch 'master' into context-authority

Author: maraino

.github/PULL_REQUEST_TEMPLATE

@@ -1,4 +1,20 @@
-### Description
-Please describe your pull request.
+<!---
+Please provide answers in the spaces below each prompt, where applicable.
+Not every PR requires responses for each prompt.
+Use your discretion.
+-->
+#### Name of feature:
+
+#### Pain or issue this feature alleviates:
+
+#### Why is this important to the project (if not answered above):
+
+#### Is there documentation on how to use this feature? If so, where?
+
+#### In what environments or workflows is this feature supported?
+
+#### In what environments or workflows is this feature explicitly NOT supported (if any)?
+
+#### Supporting links/other PRs/issues:
 
 💔Thank you!

acme/account.go

@@ -7,6 +7,8 @@ import (
 	"time"
 
 	"go.step.sm/crypto/jose"
+
+	"github.com/smallstep/certificates/authority/policy"
 )
 
 // Account is a subset of the internal account type containing only those
@@ -43,15 +45,63 @@ func KeyToID(jwk *jose.JSONWebKey) (string, error) {
 	return base64.RawURLEncoding.EncodeToString(kid), nil
 }
 
+// PolicyNames contains ACME account level policy names
+type PolicyNames struct {
+	DNSNames []string `json:"dns"`
+	IPRanges []string `json:"ips"`
+}
+
+// X509Policy contains ACME account level X.509 policy
+type X509Policy struct {
+	Allowed            PolicyNames `json:"allow"`
+	Denied             PolicyNames `json:"deny"`
+	AllowWildcardNames bool        `json:"allowWildcardNames"`
+}
+
+// Policy is an ACME Account level policy
+type Policy struct {
+	X509 X509Policy `json:"x509"`
+}
+
+func (p *Policy) GetAllowedNameOptions() *policy.X509NameOptions {
+	if p == nil {
+		return nil
+	}
+	return &policy.X509NameOptions{
+		DNSDomains: p.X509.Allowed.DNSNames,
+		IPRanges:   p.X509.Allowed.IPRanges,
+	}
+}
+func (p *Policy) GetDeniedNameOptions() *policy.X509NameOptions {
+	if p == nil {
+		return nil
+	}
+	return &policy.X509NameOptions{
+		DNSDomains: p.X509.Denied.DNSNames,
+		IPRanges:   p.X509.Denied.IPRanges,
+	}
+}
+
+// AreWildcardNamesAllowed returns if wildcard names
+// like *.example.com are allowed to be signed.
+// Defaults to false.
+func (p *Policy) AreWildcardNamesAllowed() bool {
+	if p == nil {
+		return false
+	}
+	return p.X509.AllowWildcardNames
+}
+
 // ExternalAccountKey is an ACME External Account Binding key.
 type ExternalAccountKey struct {
 	ID            string    `json:"id"`
 	ProvisionerID string    `json:"provisionerID"`
 	Reference     string    `json:"reference"`
 	AccountID     string    `json:"-"`
-	KeyBytes      []byte    `json:"-"`
+	HmacKey       []byte    `json:"-"`
 	CreatedAt     time.Time `json:"createdAt"`
 	BoundAt       time.Time `json:"boundAt,omitempty"`
+	Policy        *Policy   `json:"policy,omitempty"`
 }
 
 // AlreadyBound returns whether this EAK is already bound to
@@ -68,6 +118,6 @@ func (eak *ExternalAccountKey) BindTo(account *Account) error {
 	}
 	eak.AccountID = account.ID
 	eak.BoundAt = time.Now()
-	eak.KeyBytes = []byte{} // clearing the key bytes; can only be used once
+	eak.HmacKey = []byte{} // clearing the key bytes; can only be used once
 	return nil
 }

acme/account_test.go

@@ -7,8 +7,9 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/assert"
 	"go.step.sm/crypto/jose"
+
+	"github.com/smallstep/assert"
 )
 
 func TestKeyToID(t *testing.T) {
@@ -95,7 +96,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
 				ID:            "eakID",
 				ProvisionerID: "provID",
 				Reference:     "ref",
-				KeyBytes:      []byte{1, 3, 3, 7},
+				HmacKey:       []byte{1, 3, 3, 7},
 			},
 			acct: &Account{
 				ID: "accountID",
@@ -108,7 +109,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
 				ID:            "eakID",
 				ProvisionerID: "provID",
 				Reference:     "ref",
-				KeyBytes:      []byte{1, 3, 3, 7},
+				HmacKey:       []byte{1, 3, 3, 7},
 				AccountID:     "someAccountID",
 				BoundAt:       boundAt,
 			},
@@ -138,7 +139,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
 				assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
 			} else {
 				assert.Equals(t, eak.AccountID, acct.ID)
-				assert.Equals(t, eak.KeyBytes, []byte{})
+				assert.Equals(t, eak.HmacKey, []byte{})
 				assert.NotNil(t, eak.BoundAt)
 			}
 		})

acme/api/account.go

@@ -134,8 +134,7 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 		}
 
 		if eak != nil { // means that we have a (valid) External Account Binding key that should be bound, updated and sent in the response
-			err := eak.BindTo(acc)
-			if err != nil {
+			if err := eak.BindTo(acc); err != nil {
 				render.Error(w, err)
 				return
 			}

acme/api/account_test.go

@@ -13,10 +13,12 @@ import (
 
 	"github.com/go-chi/chi"
 	"github.com/pkg/errors"
+
+	"go.step.sm/crypto/jose"
+
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"go.step.sm/crypto/jose"
 )
 
 var (
@@ -29,6 +31,22 @@ var (
 	}
 )
 
+type fakeProvisioner struct{}
+
+func (*fakeProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error {
+	return nil
+}
+
+func (*fakeProvisioner) AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) {
+	return nil, nil
+}
+
+func (*fakeProvisioner) AuthorizeRevoke(ctx context.Context, token string) error { return nil }
+func (*fakeProvisioner) GetID() string                                           { return "" }
+func (*fakeProvisioner) GetName() string                                         { return "" }
+func (*fakeProvisioner) DefaultTLSCertDuration() time.Duration                   { return 0 }
+func (*fakeProvisioner) GetOptions() *provisioner.Options                        { return nil }
+
 func newProv() acme.Provisioner {
 	// Initialize provisioners
 	p := &provisioner.ACME{
@@ -41,6 +59,19 @@ func newProv() acme.Provisioner {
 	return p
 }
 
+func newProvWithOptions(options *provisioner.Options) acme.Provisioner {
+	// Initialize provisioners
+	p := &provisioner.ACME{
+		Type:    "ACME",
+		Name:    "test@acme-<test>provisioner.com",
+		Options: options,
+	}
+	if err := p.Init(provisioner.Config{Claims: globalProvisionerClaims}); err != nil {
+		fmt.Printf("%v", err)
+	}
+	return p
+}
+
 func newACMEProv(t *testing.T) *provisioner.ACME {
 	p := newProv()
 	a, ok := p.(*provisioner.ACME)
@@ -50,6 +81,15 @@ func newACMEProv(t *testing.T) *provisioner.ACME {
 	return a
 }
 
+func newACMEProvWithOptions(t *testing.T, options *provisioner.Options) *provisioner.ACME {
+	p := newProvWithOptions(options)
+	a, ok := p.(*provisioner.ACME)
+	if !ok {
+		t.Fatal("not a valid ACME provisioner")
+	}
+	return a
+}
+
 func createEABJWS(jwk *jose.JSONWebKey, hmacKey []byte, keyID, u string) (*jose.JSONWebSignature, error) {
 	signer, err := jose.NewSigner(
 		jose.SigningKey{
@@ -507,16 +547,9 @@ func TestHandler_NewAccount(t *testing.T) {
 			}
 			b, err := json.Marshal(nar)
 			assert.FatalError(t, err)
-			scepProvisioner := &provisioner.SCEP{
-				Type: "SCEP",
-				Name: "test@scep-<test>provisioner.com",
-			}
-			if err := scepProvisioner.Init(provisioner.Config{Claims: globalProvisionerClaims}); err != nil {
-				assert.FatalError(t, err)
-			}
 			ctx := context.WithValue(context.Background(), payloadContextKey, &payloadInfo{value: b})
 			ctx = context.WithValue(ctx, jwkContextKey, jwk)
-			ctx = acme.NewProvisionerContext(ctx, scepProvisioner)
+			ctx = acme.NewProvisionerContext(ctx, &fakeProvisioner{})
 			return test{
 				db:         &acme.MockDB{},
 				ctx:        ctx,
@@ -563,7 +596,7 @@ func TestHandler_NewAccount(t *testing.T) {
 				ID:            "eakID",
 				ProvisionerID: provID,
 				Reference:     "testeak",
-				KeyBytes:      []byte{1, 3, 3, 7},
+				HmacKey:       []byte{1, 3, 3, 7},
 				CreatedAt:     time.Now(),
 			}
 			return test{
@@ -737,7 +770,7 @@ func TestHandler_NewAccount(t *testing.T) {
 							ID:            "eakID",
 							ProvisionerID: provID,
 							Reference:     "testeak",
-							KeyBytes:      []byte{1, 3, 3, 7},
+							HmacKey:       []byte{1, 3, 3, 7},
 							CreatedAt:     time.Now(),
 						}, nil
 					},

acme/api/eab.go

@@ -4,8 +4,9 @@ import (
 	"context"
 	"encoding/json"
 
-	"github.com/smallstep/certificates/acme"
 	"go.step.sm/crypto/jose"
+
+	"github.com/smallstep/certificates/acme"
 )
 
 // ExternalAccountBinding represents the ACME externalAccountBinding JWS
@@ -56,11 +57,19 @@ func validateExternalAccountBinding(ctx context.Context, nar *NewAccountRequest)
 		return nil, acme.WrapErrorISE(err, "error retrieving external account key")
 	}
 
+	if externalAccountKey == nil {
+		return nil, acme.NewError(acme.ErrorUnauthorizedType, "the field 'kid' references an unknown key")
+	}
+
+	if len(externalAccountKey.HmacKey) == 0 {
+		return nil, acme.NewError(acme.ErrorServerInternalType, "external account binding key with id '%s' does not have secret bytes", keyID)
+	}
+
 	if externalAccountKey.AlreadyBound() {
 		return nil, acme.NewError(acme.ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", keyID, externalAccountKey.AccountID, externalAccountKey.BoundAt)
 	}
 
-	payload, err := eabJWS.Verify(externalAccountKey.KeyBytes)
+	payload, err := eabJWS.Verify(externalAccountKey.HmacKey)
 	if err != nil {
 		return nil, acme.WrapErrorISE(err, "error verifying externalAccountBinding signature")
 	}