Kyle Isom
ac4577f778
- Register handleSignCSR route in webserver (was dead code)
- Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and
PKIService.GetCRL gRPC RPC for DER-encoded CRL generation
- Replace admin-only gates on issue/renew/sign-csr with policy-based
access control: admins grant-all, authenticated users subject to
identifier ownership (CN/SANs not held by another user's active cert)
and optional policy overrides via ca/{mount}/id/{identifier} resources
- Add PolicyChecker to engine.Request and policy.Match() method to
distinguish matched rules from default deny
- Update and expand CA engine tests for ownership, revocation freeing,
and policy override scenarios
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
635 lines
19 KiB
Go
635 lines
19 KiB
Go
package server
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
|
|
mcias "git.wntrmute.dev/kyle/mcias/clients/go"
|
|
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/engine"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/engine/ca"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/policy"
|
|
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
|
|
)
|
|
|
|
func (s *Server) registerRoutes(r chi.Router) {
|
|
// REST API routes — web UI served by metacrypt-web.
|
|
r.Get("/v1/status", s.handleStatus)
|
|
r.Post("/v1/init", s.handleInit)
|
|
r.Post("/v1/unseal", s.handleUnseal)
|
|
r.Post("/v1/seal", s.requireAdmin(s.handleSeal))
|
|
|
|
r.Post("/v1/auth/login", s.handleLogin)
|
|
r.Post("/v1/auth/logout", s.requireAuth(s.handleLogout))
|
|
r.Get("/v1/auth/tokeninfo", s.requireAuth(s.handleTokenInfo))
|
|
|
|
r.Get("/v1/engine/mounts", s.requireAuth(s.handleEngineMounts))
|
|
r.Post("/v1/engine/mount", s.requireAdmin(s.handleEngineMount))
|
|
r.Post("/v1/engine/unmount", s.requireAdmin(s.handleEngineUnmount))
|
|
r.Post("/v1/engine/request", s.requireAuth(s.handleEngineRequest))
|
|
|
|
// CA certificate routes (auth required).
|
|
r.Get("/v1/ca/{mount}/cert/{serial}", s.requireAuth(s.handleGetCert))
|
|
r.Post("/v1/ca/{mount}/cert/{serial}/revoke", s.requireAdmin(s.handleRevokeCert))
|
|
r.Delete("/v1/ca/{mount}/cert/{serial}", s.requireAdmin(s.handleDeleteCert))
|
|
|
|
// Public PKI routes (no auth required, but must be unsealed).
|
|
r.Get("/v1/pki/{mount}/ca", s.requireUnseal(s.handlePKIRoot))
|
|
r.Get("/v1/pki/{mount}/ca/chain", s.requireUnseal(s.handlePKIChain))
|
|
r.Get("/v1/pki/{mount}/issuer/{name}", s.requireUnseal(s.handlePKIIssuer))
|
|
r.Get("/v1/pki/{mount}/issuer/{name}/crl", s.requireUnseal(s.handlePKICRL))
|
|
|
|
r.HandleFunc("/v1/policy/rules", s.requireAuth(s.handlePolicyRules))
|
|
r.HandleFunc("/v1/policy/rule", s.requireAuth(s.handlePolicyRule))
|
|
s.registerACMERoutes(r)
|
|
}
|
|
|
|
// --- API Handlers ---
|
|
|
|
func (s *Server) handleStatus(w http.ResponseWriter, r *http.Request) {
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{
|
|
"state": s.seal.State().String(),
|
|
})
|
|
}
|
|
|
|
func (s *Server) handleInit(w http.ResponseWriter, r *http.Request) {
|
|
var req struct {
|
|
Password string `json:"password"`
|
|
}
|
|
if err := readJSON(r, &req); err != nil {
|
|
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
if req.Password == "" {
|
|
http.Error(w, `{"error":"password is required"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
params := crypto.Argon2Params{
|
|
Time: s.cfg.Seal.Argon2Time,
|
|
Memory: s.cfg.Seal.Argon2Memory,
|
|
Threads: s.cfg.Seal.Argon2Threads,
|
|
}
|
|
if err := s.seal.Initialize(r.Context(), []byte(req.Password), params); err != nil {
|
|
if errors.Is(err, seal.ErrAlreadyInitialized) {
|
|
http.Error(w, `{"error":"already initialized"}`, http.StatusConflict)
|
|
return
|
|
}
|
|
s.logger.Error("init failed", "error", err)
|
|
http.Error(w, `{"error":"initialization failed"}`, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{
|
|
"state": s.seal.State().String(),
|
|
})
|
|
}
|
|
|
|
func (s *Server) handleUnseal(w http.ResponseWriter, r *http.Request) {
|
|
var req struct {
|
|
Password string `json:"password"`
|
|
}
|
|
if err := readJSON(r, &req); err != nil {
|
|
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if err := s.seal.Unseal([]byte(req.Password)); err != nil {
|
|
if errors.Is(err, seal.ErrNotInitialized) {
|
|
s.logger.Warn("unseal attempt on uninitialized service", "remote_addr", r.RemoteAddr)
|
|
http.Error(w, `{"error":"not initialized"}`, http.StatusPreconditionFailed)
|
|
} else if errors.Is(err, seal.ErrInvalidPassword) {
|
|
s.logger.Warn("unseal attempt with invalid password", "remote_addr", r.RemoteAddr)
|
|
http.Error(w, `{"error":"invalid password"}`, http.StatusUnauthorized)
|
|
} else if errors.Is(err, seal.ErrRateLimited) {
|
|
s.logger.Warn("unseal attempt rate limited", "remote_addr", r.RemoteAddr)
|
|
http.Error(w, `{"error":"too many attempts, try again later"}`, http.StatusTooManyRequests)
|
|
} else if errors.Is(err, seal.ErrNotSealed) {
|
|
s.logger.Warn("unseal attempt on already-unsealed service", "remote_addr", r.RemoteAddr)
|
|
http.Error(w, `{"error":"already unsealed"}`, http.StatusConflict)
|
|
} else {
|
|
s.logger.Error("unseal failed", "remote_addr", r.RemoteAddr, "error", err)
|
|
http.Error(w, `{"error":"unseal failed"}`, http.StatusInternalServerError)
|
|
}
|
|
return
|
|
}
|
|
|
|
if err := s.engines.UnsealAll(r.Context()); err != nil {
|
|
s.logger.Error("engine unseal failed", "error", err)
|
|
http.Error(w, `{"error":"engine unseal failed"}`, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
s.logger.Info("service unsealed", "remote_addr", r.RemoteAddr)
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{
|
|
"state": s.seal.State().String(),
|
|
})
|
|
}
|
|
|
|
func (s *Server) handleSeal(w http.ResponseWriter, r *http.Request) {
|
|
if err := s.engines.SealAll(); err != nil {
|
|
s.logger.Error("seal engines failed", "error", err)
|
|
}
|
|
|
|
if err := s.seal.Seal(); err != nil {
|
|
s.logger.Error("seal failed", "error", err)
|
|
http.Error(w, `{"error":"seal failed"}`, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
s.auth.ClearCache()
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{
|
|
"state": s.seal.State().String(),
|
|
})
|
|
}
|
|
|
|
func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
|
|
if s.seal.State() != seal.StateUnsealed {
|
|
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
|
|
var req struct {
|
|
Username string `json:"username"`
|
|
Password string `json:"password"`
|
|
TOTPCode string `json:"totp_code"`
|
|
}
|
|
if err := readJSON(r, &req); err != nil {
|
|
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
token, expiresAt, err := s.auth.Login(req.Username, req.Password, req.TOTPCode)
|
|
if err != nil {
|
|
http.Error(w, `{"error":"invalid credentials"}`, http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{
|
|
"token": token,
|
|
"expires_at": expiresAt,
|
|
})
|
|
}
|
|
|
|
func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
|
|
token := extractToken(r)
|
|
client, err := mcias.New(s.cfg.MCIAS.ServerURL, mcias.Options{
|
|
CACertPath: s.cfg.MCIAS.CACert,
|
|
Token: token,
|
|
})
|
|
if err == nil {
|
|
_ = s.auth.Logout(client)
|
|
}
|
|
|
|
// Clear cookie.
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "metacrypt_token",
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
HttpOnly: true,
|
|
Secure: true,
|
|
SameSite: http.SameSiteStrictMode,
|
|
})
|
|
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
|
|
}
|
|
|
|
func (s *Server) handleTokenInfo(w http.ResponseWriter, r *http.Request) {
|
|
info := TokenInfoFromContext(r.Context())
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{
|
|
"username": info.Username,
|
|
"roles": info.Roles,
|
|
"is_admin": info.IsAdmin,
|
|
})
|
|
}
|
|
|
|
func (s *Server) handleEngineMounts(w http.ResponseWriter, r *http.Request) {
|
|
mounts := s.engines.ListMounts()
|
|
writeJSON(w, http.StatusOK, mounts)
|
|
}
|
|
|
|
func (s *Server) handleEngineMount(w http.ResponseWriter, r *http.Request) {
|
|
var req struct {
|
|
Config map[string]interface{} `json:"config"`
|
|
Name string `json:"name"`
|
|
Type string `json:"type"`
|
|
}
|
|
if err := readJSON(r, &req); err != nil {
|
|
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
if req.Name == "" || req.Type == "" {
|
|
http.Error(w, `{"error":"name and type are required"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if err := s.engines.Mount(r.Context(), req.Name, engine.EngineType(req.Type), req.Config); err != nil {
|
|
s.logger.Error("mount engine", "name", req.Name, "type", req.Type, "error", err)
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
|
|
}
|
|
|
|
func (s *Server) handleEngineUnmount(w http.ResponseWriter, r *http.Request) {
|
|
var req struct {
|
|
Name string `json:"name"`
|
|
}
|
|
if err := readJSON(r, &req); err != nil {
|
|
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
if err := s.engines.Unmount(r.Context(), req.Name); err != nil {
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
|
|
}
|
|
|
|
func (s *Server) handleEngineRequest(w http.ResponseWriter, r *http.Request) {
|
|
var req struct {
|
|
Data map[string]interface{} `json:"data"`
|
|
Mount string `json:"mount"`
|
|
Operation string `json:"operation"`
|
|
Path string `json:"path"`
|
|
}
|
|
if err := readJSON(r, &req); err != nil {
|
|
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
if req.Mount == "" || req.Operation == "" {
|
|
http.Error(w, `{"error":"mount and operation are required"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
info := TokenInfoFromContext(r.Context())
|
|
|
|
// Evaluate policy before dispatching to the engine.
|
|
policyReq := &policy.Request{
|
|
Username: info.Username,
|
|
Roles: info.Roles,
|
|
Resource: "engine/" + req.Mount + "/" + req.Operation,
|
|
Action: operationAction(req.Operation),
|
|
}
|
|
effect, err := s.policy.Evaluate(r.Context(), policyReq)
|
|
if err != nil {
|
|
s.logger.Error("policy evaluation failed", "error", err)
|
|
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if effect != policy.EffectAllow {
|
|
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
policyChecker := func(resource, action string) (string, bool) {
|
|
pReq := &policy.Request{
|
|
Username: info.Username,
|
|
Roles: info.Roles,
|
|
Resource: resource,
|
|
Action: action,
|
|
}
|
|
eff, matched, pErr := s.policy.Match(r.Context(), pReq)
|
|
if pErr != nil {
|
|
return string(policy.EffectDeny), false
|
|
}
|
|
return string(eff), matched
|
|
}
|
|
|
|
engReq := &engine.Request{
|
|
Operation: req.Operation,
|
|
Path: req.Path,
|
|
Data: req.Data,
|
|
CallerInfo: &engine.CallerInfo{
|
|
Username: info.Username,
|
|
Roles: info.Roles,
|
|
IsAdmin: info.IsAdmin,
|
|
},
|
|
CheckPolicy: policyChecker,
|
|
}
|
|
|
|
resp, err := s.engines.HandleRequest(r.Context(), req.Mount, engReq)
|
|
if err != nil {
|
|
status := http.StatusInternalServerError
|
|
switch {
|
|
case errors.Is(err, engine.ErrMountNotFound):
|
|
status = http.StatusNotFound
|
|
case errors.Is(err, ca.ErrIdentifierInUse):
|
|
status = http.StatusConflict
|
|
case strings.Contains(err.Error(), "forbidden"):
|
|
status = http.StatusForbidden
|
|
case strings.Contains(err.Error(), "authentication required"):
|
|
status = http.StatusUnauthorized
|
|
case strings.Contains(err.Error(), "not found"):
|
|
status = http.StatusNotFound
|
|
}
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, status)
|
|
return
|
|
}
|
|
|
|
writeJSON(w, http.StatusOK, resp.Data)
|
|
}
|
|
|
|
func (s *Server) handlePolicyRules(w http.ResponseWriter, r *http.Request) {
|
|
info := TokenInfoFromContext(r.Context())
|
|
switch r.Method {
|
|
case http.MethodGet:
|
|
if !info.IsAdmin {
|
|
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
rules, err := s.policy.ListRules(r.Context())
|
|
if err != nil {
|
|
s.logger.Error("list policies", "error", err)
|
|
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if rules == nil {
|
|
rules = []policy.Rule{}
|
|
}
|
|
writeJSON(w, http.StatusOK, rules)
|
|
case http.MethodPost:
|
|
if !info.IsAdmin {
|
|
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
var rule policy.Rule
|
|
if err := readJSON(r, &rule); err != nil {
|
|
http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
if rule.ID == "" {
|
|
http.Error(w, `{"error":"id is required"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
if err := s.policy.CreateRule(r.Context(), &rule); err != nil {
|
|
s.logger.Error("create policy", "error", err)
|
|
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusCreated, rule)
|
|
default:
|
|
http.Error(w, `{"error":"method not allowed"}`, http.StatusMethodNotAllowed)
|
|
}
|
|
}
|
|
|
|
func (s *Server) handlePolicyRule(w http.ResponseWriter, r *http.Request) {
|
|
info := TokenInfoFromContext(r.Context())
|
|
if !info.IsAdmin {
|
|
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
id := r.URL.Query().Get("id")
|
|
if id == "" {
|
|
http.Error(w, `{"error":"id parameter required"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
switch r.Method {
|
|
case http.MethodGet:
|
|
rule, err := s.policy.GetRule(r.Context(), id)
|
|
if err != nil {
|
|
http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, rule)
|
|
case http.MethodDelete:
|
|
if err := s.policy.DeleteRule(r.Context(), id); err != nil {
|
|
http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
|
|
default:
|
|
http.Error(w, `{"error":"method not allowed"}`, http.StatusMethodNotAllowed)
|
|
}
|
|
}
|
|
|
|
// --- CA Certificate Handlers ---
|
|
|
|
func (s *Server) handleGetCert(w http.ResponseWriter, r *http.Request) {
|
|
mountName := chi.URLParam(r, "mount")
|
|
serial := chi.URLParam(r, "serial")
|
|
|
|
info := TokenInfoFromContext(r.Context())
|
|
resp, err := s.engines.HandleRequest(r.Context(), mountName, &engine.Request{
|
|
Operation: "get-cert",
|
|
Data: map[string]interface{}{"serial": serial},
|
|
CallerInfo: &engine.CallerInfo{
|
|
Username: info.Username,
|
|
Roles: info.Roles,
|
|
IsAdmin: info.IsAdmin,
|
|
},
|
|
})
|
|
if err != nil {
|
|
if errors.Is(err, ca.ErrCertNotFound) {
|
|
http.Error(w, `{"error":"certificate not found"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, resp.Data)
|
|
}
|
|
|
|
func (s *Server) handleRevokeCert(w http.ResponseWriter, r *http.Request) {
|
|
mountName := chi.URLParam(r, "mount")
|
|
serial := chi.URLParam(r, "serial")
|
|
|
|
info := TokenInfoFromContext(r.Context())
|
|
resp, err := s.engines.HandleRequest(r.Context(), mountName, &engine.Request{
|
|
Operation: "revoke-cert",
|
|
Data: map[string]interface{}{"serial": serial},
|
|
CallerInfo: &engine.CallerInfo{
|
|
Username: info.Username,
|
|
Roles: info.Roles,
|
|
IsAdmin: info.IsAdmin,
|
|
},
|
|
})
|
|
if err != nil {
|
|
if errors.Is(err, ca.ErrCertNotFound) {
|
|
http.Error(w, `{"error":"certificate not found"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
if errors.Is(err, ca.ErrForbidden) {
|
|
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, resp.Data)
|
|
}
|
|
|
|
func (s *Server) handleDeleteCert(w http.ResponseWriter, r *http.Request) {
|
|
mountName := chi.URLParam(r, "mount")
|
|
serial := chi.URLParam(r, "serial")
|
|
|
|
info := TokenInfoFromContext(r.Context())
|
|
_, err := s.engines.HandleRequest(r.Context(), mountName, &engine.Request{
|
|
Operation: "delete-cert",
|
|
Data: map[string]interface{}{"serial": serial},
|
|
CallerInfo: &engine.CallerInfo{
|
|
Username: info.Username,
|
|
Roles: info.Roles,
|
|
IsAdmin: info.IsAdmin,
|
|
},
|
|
})
|
|
if err != nil {
|
|
if errors.Is(err, ca.ErrCertNotFound) {
|
|
http.Error(w, `{"error":"certificate not found"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
if errors.Is(err, ca.ErrForbidden) {
|
|
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
|
|
return
|
|
}
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusNoContent, nil)
|
|
}
|
|
|
|
// --- Public PKI Handlers ---
|
|
|
|
func (s *Server) handlePKIRoot(w http.ResponseWriter, r *http.Request) {
|
|
mountName := chi.URLParam(r, "mount")
|
|
caEng, err := s.getCAEngine(mountName)
|
|
if err != nil {
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
certPEM, err := caEng.GetRootCertPEM()
|
|
if err != nil {
|
|
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/x-pem-file")
|
|
_, _ = w.Write(certPEM) //nolint:gosec
|
|
}
|
|
|
|
func (s *Server) handlePKIChain(w http.ResponseWriter, r *http.Request) {
|
|
mountName := chi.URLParam(r, "mount")
|
|
issuerName := r.URL.Query().Get("issuer")
|
|
if issuerName == "" {
|
|
http.Error(w, `{"error":"issuer query parameter required"}`, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
caEng, err := s.getCAEngine(mountName)
|
|
if err != nil {
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
chainPEM, err := caEng.GetChainPEM(issuerName)
|
|
if err != nil {
|
|
if errors.Is(err, ca.ErrIssuerNotFound) {
|
|
http.Error(w, `{"error":"issuer not found"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/x-pem-file")
|
|
_, _ = w.Write(chainPEM) //nolint:gosec
|
|
}
|
|
|
|
func (s *Server) handlePKIIssuer(w http.ResponseWriter, r *http.Request) {
|
|
mountName := chi.URLParam(r, "mount")
|
|
issuerName := chi.URLParam(r, "name")
|
|
|
|
caEng, err := s.getCAEngine(mountName)
|
|
if err != nil {
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
certPEM, err := caEng.GetIssuerCertPEM(issuerName)
|
|
if err != nil {
|
|
if errors.Is(err, ca.ErrIssuerNotFound) {
|
|
http.Error(w, `{"error":"issuer not found"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/x-pem-file")
|
|
_, _ = w.Write(certPEM) //nolint:gosec
|
|
}
|
|
|
|
func (s *Server) handlePKICRL(w http.ResponseWriter, r *http.Request) {
|
|
mountName := chi.URLParam(r, "mount")
|
|
issuerName := chi.URLParam(r, "name")
|
|
|
|
caEng, err := s.getCAEngine(mountName)
|
|
if err != nil {
|
|
http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
crlDER, err := caEng.GetCRLDER(r.Context(), issuerName)
|
|
if err != nil {
|
|
if errors.Is(err, ca.ErrIssuerNotFound) {
|
|
http.Error(w, `{"error":"issuer not found"}`, http.StatusNotFound)
|
|
return
|
|
}
|
|
http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/pkix-crl")
|
|
_, _ = w.Write(crlDER) //nolint:gosec
|
|
}
|
|
|
|
func (s *Server) getCAEngine(mountName string) (*ca.CAEngine, error) {
|
|
mount, err := s.engines.GetMount(mountName)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if mount.Type != engine.EngineTypeCA {
|
|
return nil, errors.New("mount is not a CA engine")
|
|
}
|
|
caEng, ok := mount.Engine.(*ca.CAEngine)
|
|
if !ok {
|
|
return nil, errors.New("mount is not a CA engine")
|
|
}
|
|
return caEng, nil
|
|
}
|
|
|
|
// operationAction maps an engine operation name to a policy action ("read" or "write").
|
|
func operationAction(op string) string {
|
|
switch op {
|
|
case "list-issuers", "list-certs", "get-cert", "get-root", "get-chain", "get-issuer":
|
|
return "read"
|
|
default:
|
|
return "write"
|
|
}
|
|
}
|
|
|
|
func writeJSON(w http.ResponseWriter, status int, v interface{}) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(status)
|
|
_ = json.NewEncoder(w).Encode(v)
|
|
}
|
|
|
|
func readJSON(r *http.Request, v interface{}) error {
|
|
defer func() { _ = r.Body.Close() }()
|
|
body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // 1MB limit
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return json.Unmarshal(body, v)
|
|
}
|