Change pointer booleans to regular boolean configuration

hslatman · hslatman · commit ef110a94df7f · 2022-04-21T23:45:05.000+02:00
diff --git a/authority/admin/api/policy.go b/authority/admin/api/policy.go
@@ -5,7 +5,6 @@ import (
 	"net/http"
 
 	"go.step.sm/linkedca"
-	"google.golang.org/protobuf/types/known/wrapperspb"
 
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/api/read"
@@ -97,8 +96,6 @@ func (par *PolicyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 		return
 	}
 
-	applyConditionalDefaults(newPolicy)
-
 	newPolicy.Deduplicate()
 
 	adm := linkedca.AdminFromContext(ctx)
@@ -234,8 +231,6 @@ func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 		return
 	}
 
-	applyConditionalDefaults(newPolicy)
-
 	newPolicy.Deduplicate()
 
 	prov.Policy = newPolicy
@@ -454,14 +449,3 @@ func isBadRequest(err error) bool {
 	isPolicyError := errors.As(err, &pe)
 	return isPolicyError && (pe.Typ == authority.AdminLockOut || pe.Typ == authority.EvaluationFailure || pe.Typ == authority.ConfigurationFailure)
 }
-
-// applyConditionalDefaults applies default settings in case they're not provided
-// in the request body.
-func applyConditionalDefaults(p *linkedca.Policy) {
-	if p.GetX509() == nil {
-		return
-	}
-	if p.GetX509().GetVerifySubjectCommonName() == nil {
-		p.X509.VerifySubjectCommonName = &wrapperspb.BoolValue{Value: true}
-	}
-}
diff --git a/authority/admin/api/policy_test.go b/authority/admin/api/policy_test.go
@@ -12,7 +12,6 @@ import (
 	"testing"
 
 	"google.golang.org/protobuf/encoding/protojson"
-	"google.golang.org/protobuf/types/known/wrapperspb"
 
 	"go.step.sm/linkedca"
 
@@ -310,7 +309,7 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
 					Allow: &linkedca.X509Names{
 						Dns: []string{"*.local"},
 					},
-					VerifySubjectCommonName: &wrapperspb.BoolValue{Value: true},
+					DisableSubjectCommonNameVerification: false,
 				},
 			}
 			body, err := protojson.Marshal(policy)
@@ -1047,7 +1046,7 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
 					Allow: &linkedca.X509Names{
 						Dns: []string{"*.local"},
 					},
-					VerifySubjectCommonName: &wrapperspb.BoolValue{Value: true},
+					DisableSubjectCommonNameVerification: false,
 				},
 			}
 			body, err := protojson.Marshal(policy)
@@ -2077,86 +2076,6 @@ func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
 	}
 }
 
-func Test_applyConditionalDefaults(t *testing.T) {
-	tests := []struct {
-		name     string
-		policy   *linkedca.Policy
-		expected *linkedca.Policy
-	}{
-		{
-			name: "no-x509",
-			policy: &linkedca.Policy{
-				Ssh: &linkedca.SSHPolicy{},
-			},
-			expected: &linkedca.Policy{
-				Ssh: &linkedca.SSHPolicy{},
-			},
-		},
-		{
-			name: "with-x509-verify-subject-common-name",
-			policy: &linkedca.Policy{
-				X509: &linkedca.X509Policy{
-					Allow: &linkedca.X509Names{
-						Dns: []string{"*.local"},
-					},
-					VerifySubjectCommonName: &wrapperspb.BoolValue{Value: true},
-				},
-			},
-			expected: &linkedca.Policy{
-				X509: &linkedca.X509Policy{
-					Allow: &linkedca.X509Names{
-						Dns: []string{"*.local"},
-					},
-					VerifySubjectCommonName: &wrapperspb.BoolValue{Value: true},
-				},
-			},
-		},
-		{
-			name: "without-x509-verify-subject-common-name",
-			policy: &linkedca.Policy{
-				X509: &linkedca.X509Policy{
-					Allow: &linkedca.X509Names{
-						Dns: []string{"*.local"},
-					},
-					VerifySubjectCommonName: &wrapperspb.BoolValue{Value: false},
-				},
-			},
-			expected: &linkedca.Policy{
-				X509: &linkedca.X509Policy{
-					Allow: &linkedca.X509Names{
-						Dns: []string{"*.local"},
-					},
-					VerifySubjectCommonName: &wrapperspb.BoolValue{Value: false},
-				},
-			},
-		},
-		{
-			name: "no-x509-verify-subject-common-name",
-			policy: &linkedca.Policy{
-				X509: &linkedca.X509Policy{
-					Allow: &linkedca.X509Names{
-						Dns: []string{"*.local"},
-					},
-				},
-			},
-			expected: &linkedca.Policy{
-				X509: &linkedca.X509Policy{
-					Allow: &linkedca.X509Names{
-						Dns: []string{"*.local"},
-					},
-					VerifySubjectCommonName: &wrapperspb.BoolValue{Value: true},
-				},
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			applyConditionalDefaults(tt.policy)
-			assert.Equals(t, tt.expected, tt.policy)
-		})
-	}
-}
-
 func Test_isBadRequest(t *testing.T) {
 	tests := []struct {
 		name string
diff --git a/authority/policy.go b/authority/policy.go
@@ -350,12 +350,9 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 				opts.X509.DeniedNames.URIDomains = deny.Uris
 			}
 		}
-		if v := x509.GetAllowWildcardLiteral(); v != nil {
-			opts.X509.AllowWildcardLiteral = &v.Value
-		}
-		if v := x509.GetVerifySubjectCommonName(); v != nil {
-			opts.X509.VerifySubjectCommonName = &v.Value
-		}
+
+		opts.X509.AllowWildcardLiteral = x509.AllowWildcardLiteral
+		opts.X509.DisableSubjectCommonNameVerification = x509.DisableSubjectCommonNameVerification
 	}
 
 	// fill ssh policy configuration
diff --git a/authority/policy/options.go b/authority/policy/options.go
@@ -44,10 +44,10 @@ type X509PolicyOptions struct {
 	// AllowWildcardLiteral indicates if literal wildcard names
 	// such as *.example.com and @example.com are allowed. Defaults
 	// to false.
-	AllowWildcardLiteral *bool `json:"allow_wildcard_literal,omitempty"`
-	// VerifySubjectCommonName indicates if the Subject Common Name
-	// is verified in addition to the SANs. Defaults to true.
-	VerifySubjectCommonName *bool `json:"verify_subject_common_name,omitempty"`
+	AllowWildcardLiteral bool `json:"allow_wildcard_literal,omitempty"`
+	// DisableSubjectCommonNameVerification indicates if the Subject Common Name
+	// is verified in addition to the SANs. Defaults to false.
+	DisableSubjectCommonNameVerification bool `json:"disable_subject_common_name_verification,omitempty"`
 }
 
 // X509NameOptions models the X509 name policy configuration.
@@ -83,21 +83,22 @@ func (o *X509PolicyOptions) GetDeniedNameOptions() *X509NameOptions {
 	return o.DeniedNames
 }
 
+// IsWildcardLiteralAllowed returns whether the authority allows
+// literal wildcard domains and other names to be signed.
 func (o *X509PolicyOptions) IsWildcardLiteralAllowed() bool {
 	if o == nil {
 		return true
 	}
-	return o.AllowWildcardLiteral != nil && *o.AllowWildcardLiteral
+	return o.AllowWildcardLiteral
 }
 
+// ShouldVerifySubjectCommonName returns whether the authority
+// should verify the Subject Common Name in addition to the SANs.
 func (o *X509PolicyOptions) ShouldVerifySubjectCommonName() bool {
 	if o == nil {
 		return false
 	}
-	if o.VerifySubjectCommonName == nil {
-		return true
-	}
-	return *o.VerifySubjectCommonName
+	return !o.DisableSubjectCommonNameVerification
 }
 
 // SSHPolicyOptionsInterface is an interface for providers of
diff --git a/authority/policy/options_test.go b/authority/policy/options_test.go
@@ -5,8 +5,6 @@ import (
 )
 
 func TestX509PolicyOptions_IsWildcardLiteralAllowed(t *testing.T) {
-	trueValue := true
-	falseValue := false
 	tests := []struct {
 		name    string
 		options *X509PolicyOptions
@@ -18,23 +16,21 @@ func TestX509PolicyOptions_IsWildcardLiteralAllowed(t *testing.T) {
 			want:    true,
 		},
 		{
-			name: "nil",
-			options: &X509PolicyOptions{
-				AllowWildcardLiteral: nil,
-			},
-			want: false,
+			name:    "not-set",
+			options: &X509PolicyOptions{},
+			want:    false,
 		},
 		{
 			name: "set-true",
 			options: &X509PolicyOptions{
-				AllowWildcardLiteral: &trueValue,
+				AllowWildcardLiteral: true,
 			},
 			want: true,
 		},
 		{
 			name: "set-false",
 			options: &X509PolicyOptions{
-				AllowWildcardLiteral: &falseValue,
+				AllowWildcardLiteral: false,
 			},
 			want: false,
 		},
@@ -49,8 +45,6 @@ func TestX509PolicyOptions_IsWildcardLiteralAllowed(t *testing.T) {
 }
 
 func TestX509PolicyOptions_ShouldVerifySubjectCommonName(t *testing.T) {
-	trueValue := true
-	falseValue := false
 	tests := []struct {
 		name    string
 		options *X509PolicyOptions
@@ -62,25 +56,23 @@ func TestX509PolicyOptions_ShouldVerifySubjectCommonName(t *testing.T) {
 			want:    false,
 		},
 		{
-			name: "nil",
-			options: &X509PolicyOptions{
-				VerifySubjectCommonName: nil,
-			},
-			want: true,
+			name:    "not-set",
+			options: &X509PolicyOptions{},
+			want:    true,
 		},
 		{
 			name: "set-true",
 			options: &X509PolicyOptions{
-				VerifySubjectCommonName: &trueValue,
+				DisableSubjectCommonNameVerification: true,
 			},
-			want: true,
+			want: false,
 		},
 		{
 			name: "set-false",
 			options: &X509PolicyOptions{
-				VerifySubjectCommonName: &falseValue,
+				DisableSubjectCommonNameVerification: false,
 			},
-			want: false,
+			want: true,
 		},
 	}
 	for _, tt := range tests {
diff --git a/authority/policy_test.go b/authority/policy_test.go

Original file line number	Diff line number	Diff line change
`@@ -350,12 +350,9 @@ func policyToCertificates(p linkedca.Policy) authPolicy.Options {`
`350`	`350`	`opts.X509.DeniedNames.URIDomains = deny.Uris`
`351`	`351`	`}`
`352`	`352`	`}`
`353`		`- if v := x509.GetAllowWildcardLiteral(); v != nil {`
`354`		`- opts.X509.AllowWildcardLiteral = &v.Value`
`355`		`- }`
`356`		`- if v := x509.GetVerifySubjectCommonName(); v != nil {`
`357`		`- opts.X509.VerifySubjectCommonName = &v.Value`
`358`		`- }`
	`353`	`+`
	`354`	`+ opts.X509.AllowWildcardLiteral = x509.AllowWildcardLiteral`
	`355`	`+ opts.X509.DisableSubjectCommonNameVerification = x509.DisableSubjectCommonNameVerification`
`359`	`356`	`}`
`360`	`357`
`361`	`358`	`// fill ssh policy configuration`