Fix ACME order tests with mock ACME CA

2 years ago · b49307f326
parent cf34b32e61
commit b49307f326
6 changed files with 17 additions and 26 deletions
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@ -667,6 +667,7 @@ func TestHandler_NewOrder(t *testing.T) {
 		baseURL.String(), escProvName)

 	type test struct {
+		ca         acme.CertificateAuthority
 		db         acme.DB
 		ctx        context.Context
 		nor        *NewOrderRequest
@ -771,6 +772,7 @@ func TestHandler_NewOrder(t *testing.T) {
 			return test{
 				ctx:        ctx,
 				statusCode: 500,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						assert.Equals(t, ch.AccountID, "accID")
@ -804,6 +806,7 @@ func TestHandler_NewOrder(t *testing.T) {
 			return test{
 				ctx:        ctx,
 				statusCode: 500,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@ -876,6 +879,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch chCount {
@ -991,6 +995,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@ -1083,6 +1088,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@ -1174,6 +1180,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@ -1266,6 +1273,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				ctx:        ctx,
 				statusCode: 201,
 				nor:        nor,
+				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
 						switch count {
@ -1334,7 +1342,7 @@ func TestHandler_NewOrder(t *testing.T) {
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
-			h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db}
+			h := &Handler{linker: NewLinker("dns", "acme"), db: tc.db, ca: tc.ca}
 			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(tc.ctx)
 			w := httptest.NewRecorder()
--- a/authority/admin/api/acme.go
+++ b/authority/admin/api/acme.go
@ -6,15 +6,12 @@ import (
 	"net/http"

 	"github.com/go-chi/chi"
+
+	"go.step.sm/linkedca"
+
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"go.step.sm/linkedca"
-)
-
-const (
-	// provisionerContextKey provisioner key
-	provisionerContextKey = admin.ContextKey("provisioner")
 )

 // CreateExternalAccountKeyRequest is the type for POST /admin/acme/eab requests
@ -51,7 +48,7 @@ func (h *Handler) requireEABEnabled(next nextHTTP) nextHTTP {
 			api.WriteError(w, admin.NewError(admin.ErrorBadRequestType, "ACME EAB not enabled for provisioner %s", prov.GetName()))
 			return
 		}
-		ctx = context.WithValue(ctx, provisionerContextKey, prov)
+		ctx = linkedca.NewContextWithProvisioner(ctx, prov)
 		next(w, r.WithContext(ctx))
 	}
 }
--- a/authority/admin/api/middleware.go
+++ b/authority/admin/api/middleware.go
@ -42,7 +42,7 @@ func (h *Handler) extractAuthorizeTokenAdmin(next nextHTTP) nextHTTP {
 			return
 		}

-		ctx := linkedca.WithAdmin(r.Context(), adm)
+		ctx := linkedca.NewContextWithAdmin(r.Context(), adm)
 		next(w, r.WithContext(ctx))
 	}
 }
@ -57,8 +57,8 @@ func (h *Handler) checkAction(next nextHTTP, supportedInStandalone bool) nextHTT
 			return
 		}

-		// when not in standalone mode and using a nosql.DB backend,
-		// actions are not supported
+		// when an action is not supported in standalone mode and when
+		// using a nosql.DB backend, actions are not supported
 		if _, ok := h.adminDB.(*nosql.DB); ok {
 			api.WriteError(w, admin.NewError(admin.ErrorNotImplementedType,
 				"operation not supported in standalone mode"))
--- a/authority/admin/context.go
+++ b/authority/admin/context.go
@ -1,10 +0,0 @@
-package admin
-
-// ContextKey is the key type for storing and searching for
-// Admin API objects in request contexts.
-type ContextKey string
-
-const (
-	// AdminContextKey account key
-	AdminContextKey = ContextKey("admin")
-)
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@ -34,9 +34,9 @@ type SCEP struct {
 	Options                       *Options `json:"options,omitempty"`
 	Claims                        *Claims  `json:"claims,omitempty"`
 	ctl                           *Controller
-	x509Policy                    policy.X509Policy
 	secretChallengePassword       string
 	encryptionAlgorithm           int
+	x509Policy                    policy.X509Policy
 }

 // GetID returns the provisioner unique identifier.
--- a/authority/tls.go
+++ b/authority/tls.go
@ -231,10 +231,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 }

 // isAllowedToSign checks if the Authority is allowed to sign the X.509 certificate.
-// It first checks if the certificate contains an admin subject that exists in the
-// collection of admins. The CA is always allowed to sign those. If the cert contains
-// different names and a policy is configured, the policy will be executed against
-// the cert to see if the CA is allowed to sign it.
 func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {

 	// if no policy is configured, the cert is implicitly allowed