File: authz.go

package info (click to toggle)
golang-github-smallstep-certificates 0.20.0-5
  • links: PTS, VCS
  • area: main
  • in suites: forky, trixie
  • size: 23,144 kB
  • sloc: sh: 278; makefile: 170
file content (152 lines) | stat: -rw-r--r-- 4,488 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
 
package nosql

import (
	"context"
	"encoding/json"
	"time"

	"github.com/pkg/errors"
	"github.com/smallstep/certificates/acme"
	"github.com/smallstep/nosql"
)

// dbAuthz is the base authz type that others build from.
type dbAuthz struct {
	ID           string          `json:"id"`
	AccountID    string          `json:"accountID"`
	Identifier   acme.Identifier `json:"identifier"`
	Status       acme.Status     `json:"status"`
	Token        string          `json:"token"`
	ChallengeIDs []string        `json:"challengeIDs"`
	Wildcard     bool            `json:"wildcard"`
	CreatedAt    time.Time       `json:"createdAt"`
	ExpiresAt    time.Time       `json:"expiresAt"`
	Error        *acme.Error     `json:"error"`
}

func (ba *dbAuthz) clone() *dbAuthz {
	u := *ba
	return &u
}

// getDBAuthz retrieves and unmarshals a database representation of the
// ACME Authorization type.
func (db *DB) getDBAuthz(ctx context.Context, id string) (*dbAuthz, error) {
	data, err := db.db.Get(authzTable, []byte(id))
	if nosql.IsErrNotFound(err) {
		return nil, acme.NewError(acme.ErrorMalformedType, "authz %s not found", id)
	} else if err != nil {
		return nil, errors.Wrapf(err, "error loading authz %s", id)
	}

	var dbaz dbAuthz
	if err = json.Unmarshal(data, &dbaz); err != nil {
		return nil, errors.Wrapf(err, "error unmarshaling authz %s into dbAuthz", id)
	}
	return &dbaz, nil
}

// GetAuthorization retrieves and unmarshals an ACME authz type from the database.
// Implements acme.DB GetAuthorization interface.
func (db *DB) GetAuthorization(ctx context.Context, id string) (*acme.Authorization, error) {
	dbaz, err := db.getDBAuthz(ctx, id)
	if err != nil {
		return nil, err
	}
	var chs = make([]*acme.Challenge, len(dbaz.ChallengeIDs))
	for i, chID := range dbaz.ChallengeIDs {
		chs[i], err = db.GetChallenge(ctx, chID, id)
		if err != nil {
			return nil, err
		}
	}
	return &acme.Authorization{
		ID:         dbaz.ID,
		AccountID:  dbaz.AccountID,
		Identifier: dbaz.Identifier,
		Status:     dbaz.Status,
		Challenges: chs,
		Wildcard:   dbaz.Wildcard,
		ExpiresAt:  dbaz.ExpiresAt,
		Token:      dbaz.Token,
		Error:      dbaz.Error,
	}, nil
}

// CreateAuthorization creates an entry in the database for the Authorization.
// Implements the acme.DB.CreateAuthorization interface.
func (db *DB) CreateAuthorization(ctx context.Context, az *acme.Authorization) error {
	var err error
	az.ID, err = randID()
	if err != nil {
		return err
	}

	chIDs := make([]string, len(az.Challenges))
	for i, ch := range az.Challenges {
		chIDs[i] = ch.ID
	}

	now := clock.Now()
	dbaz := &dbAuthz{
		ID:           az.ID,
		AccountID:    az.AccountID,
		Status:       az.Status,
		CreatedAt:    now,
		ExpiresAt:    az.ExpiresAt,
		Identifier:   az.Identifier,
		ChallengeIDs: chIDs,
		Token:        az.Token,
		Wildcard:     az.Wildcard,
	}

	return db.save(ctx, az.ID, dbaz, nil, "authz", authzTable)
}

// UpdateAuthorization saves an updated ACME Authorization to the database.
func (db *DB) UpdateAuthorization(ctx context.Context, az *acme.Authorization) error {
	old, err := db.getDBAuthz(ctx, az.ID)
	if err != nil {
		return err
	}

	nu := old.clone()

	nu.Status = az.Status
	nu.Error = az.Error
	return db.save(ctx, old.ID, nu, old, "authz", authzTable)
}

// GetAuthorizationsByAccountID retrieves and unmarshals ACME authz types from the database.
func (db *DB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*acme.Authorization, error) {
	entries, err := db.db.List(authzTable)
	if err != nil {
		return nil, errors.Wrapf(err, "error listing authz")
	}
	authzs := []*acme.Authorization{}
	for _, entry := range entries {
		dbaz := new(dbAuthz)
		if err = json.Unmarshal(entry.Value, dbaz); err != nil {
			return nil, errors.Wrapf(err, "error unmarshaling dbAuthz key '%s' into dbAuthz struct", string(entry.Key))
		}
		// Filter out all dbAuthzs that don't belong to the accountID. This
		// could be made more efficient with additional data structures mapping the
		// Account ID to authorizations. Not trivial to do, though.
		if dbaz.AccountID != accountID {
			continue
		}
		authzs = append(authzs, &acme.Authorization{
			ID:         dbaz.ID,
			AccountID:  dbaz.AccountID,
			Identifier: dbaz.Identifier,
			Status:     dbaz.Status,
			Challenges: nil, // challenges not required for current use case
			Wildcard:   dbaz.Wildcard,
			ExpiresAt:  dbaz.ExpiresAt,
			Token:      dbaz.Token,
			Error:      dbaz.Error,
		})
	}

	return authzs, nil
}