Merge pull request #1689 from smallstep/beltram/wire-acme-extensions

Use two separate Wire identifier types

Author: hslatman

acme/api/order.go

@@ -49,8 +49,13 @@ func (n *NewOrderRequest) Validate() error {
 			if id.Value == "" {
 				return acme.NewError(acme.ErrorMalformedType, "permanent identifier cannot be empty")
 			}
-		case acme.WireID:
-			wireID, err := wire.ParseID([]byte(id.Value))
+		case acme.WireUser:
+			_, err := wire.ParseUserID([]byte(id.Value))
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing Wire ID")
+			}
+		case acme.WireDevice:
+			wireID, err := wire.ParseDeviceID([]byte(id.Value))
 			if err != nil {
 				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing Wire ID")
 			}
@@ -273,10 +278,28 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 		}
 
 		var target string
-		if az.Identifier.Type == acme.WireID {
-			wireID, err := wire.ParseID([]byte(az.Identifier.Value))
+		switch az.Identifier.Type {
+		case acme.WireUser:
+			wireOptions, err := prov.GetOptions().GetWireOptions()
+			if err != nil {
+				return acme.WrapErrorISE(err, "failed getting Wire options")
+			}
+			var targetProvider interface{ EvaluateTarget(string) (string, error) }
+			switch typ {
+			case acme.WIREOIDC01:
+				targetProvider = wireOptions.GetOIDCOptions()
+			default:
+				return acme.NewError(acme.ErrorMalformedType, "unsupported type %q", typ)
+			}
+
+			target, err = targetProvider.EvaluateTarget("")
 			if err != nil {
-				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing WireID")
+				return acme.WrapError(acme.ErrorMalformedType, err, "invalid Go template registered for 'target'")
+			}
+		case acme.WireDevice:
+			wireID, err := wire.ParseDeviceID([]byte(az.Identifier.Value))
+			if err != nil {
+				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing WireUser")
 			}
 			clientID, err := wire.ParseClientID(wireID.ClientID)
 			if err != nil {
@@ -288,8 +311,6 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 			}
 			var targetProvider interface{ EvaluateTarget(string) (string, error) }
 			switch typ {
-			case acme.WIREOIDC01:
-				targetProvider = wireOptions.GetOIDCOptions()
 			case acme.WIREDPOP01:
 				targetProvider = wireOptions.GetDPOPOptions()
 			default:
@@ -440,8 +461,10 @@ func challengeTypes(az *acme.Authorization) []acme.ChallengeType {
 		}
 	case acme.PermanentIdentifier:
 		chTypes = []acme.ChallengeType{acme.DEVICEATTEST01}
-	case acme.WireID:
-		chTypes = []acme.ChallengeType{acme.WIREOIDC01, acme.WIREDPOP01}
+	case acme.WireUser:
+		chTypes = []acme.ChallengeType{acme.WIREOIDC01}
+	case acme.WireDevice:
+		chTypes = []acme.ChallengeType{acme.WIREDPOP01}
 	default:
 		chTypes = []acme.ChallengeType{}
 	}

acme/api/order_test.go

@@ -101,7 +101,7 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 			return test{
 				nor: &NewOrderRequest{
 					Identifiers: []acme.Identifier{
-						{Type: "wireapp-id", Value: "{}"},
+						{Type: "wireapp-device", Value: "{}"},
 					},
 				},
 				err: acme.NewError(acme.ErrorMalformedType, `invalid Wire client ID "": invalid Wire client ID URI "": error parsing : scheme is missing`),
@@ -111,7 +111,7 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 			return test{
 				nor: &NewOrderRequest{
 					Identifiers: []acme.Identifier{
-						{Type: "wireapp-id", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "nowireapp://example.com", "handle": "wireapp://%[email protected]"}`},
+						{Type: "wireapp-device", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "nowireapp://example.com", "handle": "wireapp://%[email protected]"}`},
 					},
 				},
 				err: acme.NewError(acme.ErrorMalformedType, `invalid Wire client ID "nowireapp://example.com": invalid Wire client ID scheme "nowireapp"; expected "wireapp"`),
@@ -121,7 +121,7 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 			return test{
 				nor: &NewOrderRequest{
 					Identifiers: []acme.Identifier{
-						{Type: "wireapp-id", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://[email protected]", "handle": "wireapp://%[email protected]"}`},
+						{Type: "wireapp-device", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://[email protected]", "handle": "wireapp://%[email protected]"}`},
 					},
 				},
 				err: acme.NewError(acme.ErrorMalformedType, `invalid Wire client ID "wireapp://[email protected]": invalid Wire client ID username "user-device"`),
@@ -205,13 +205,28 @@ func TestNewOrderRequest_Validate(t *testing.T) {
 				naf: naf,
 			}
 		},
-		"ok/wireapp-idd": func(t *testing.T) test {
+		"ok/wireapp-user": func(t *testing.T) test {
 			nbf := time.Now().UTC().Add(time.Minute)
 			naf := time.Now().UTC().Add(5 * time.Minute)
 			return test{
 				nor: &NewOrderRequest{
 					Identifiers: []acme.Identifier{
-						{Type: "wireapp-id", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://[email protected]", "handle": "wireapp://%[email protected]"}`},
+						{Type: "wireapp-user", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "handle": "wireapp://%[email protected]"}`},
+					},
+					NotAfter:  naf,
+					NotBefore: nbf,
+				},
+				nbf: nbf,
+				naf: naf,
+			}
+		},
+		"ok/wireapp-device": func(t *testing.T) test {
+			nbf := time.Now().UTC().Add(time.Minute)
+			naf := time.Now().UTC().Add(5 * time.Minute)
+			return test{
+				nor: &NewOrderRequest{
+					Identifiers: []acme.Identifier{
+						{Type: "wireapp-device", Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://[email protected]", "handle": "wireapp://%[email protected]"}`},
 					},
 					NotAfter:  naf,
 					NotBefore: nbf,
@@ -1719,7 +1734,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				},
 			}
 		},
-		"ok/default-naf-nbf-wireapp": func(t *testing.T) test {
+		"ok/default-naf-nbf-wireapp-user": func(t *testing.T) test {
 			acmeWireProv := newWireProvisionerWithOptions(t, &provisioner.Options{
 				Wire: &wire.Options{
 					OIDC: &wire.OIDCOptions{
@@ -1749,7 +1764,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 			acc := &acme.Account{ID: "accID"}
 			nor := &NewOrderRequest{
 				Identifiers: []acme.Identifier{
-					{Type: "wireapp-id", Value: `{"client-id": "wireapp://user!client@domain"}`},
+					{Type: "wireapp-user", Value: `{"name": "Alice Smith", "handle": "wireapp://%[email protected]"}`},
 				},
 			}
 			b, err := json.Marshal(nor)
@@ -1758,9 +1773,8 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 			ctx = context.WithValue(ctx, accContextKey, acc)
 			ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: b})
 			var (
-				ch1, ch2 **acme.Challenge
-				az1ID    *string
-				count    = 0
+				ch1   **acme.Challenge
+				az1ID *string
 			)
 			return test{
 				ctx:        ctx,
@@ -1769,20 +1783,113 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 				ca:         &mockCA{},
 				db: &acme.MockDB{
 					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
-						switch count {
-						case 0:
-							ch.ID = "wireapp-oidc"
-							assert.Equals(t, ch.Type, acme.WIREOIDC01)
-							ch1 = &ch
-						case 1:
-							ch.ID = "wireapp-dpop"
-							assert.Equals(t, ch.Type, acme.WIREDPOP01)
-							ch2 = &ch
-						default:
-							assert.FatalError(t, errors.New("test logic error"))
-							return errors.New("force")
-						}
-						count++
+						ch.ID = "wireapp-oidc"
+						assert.Equals(t, ch.Type, acme.WIREOIDC01)
+						ch1 = &ch
+						assert.Equals(t, ch.AccountID, "accID")
+						assert.NotEquals(t, ch.Token, "")
+						assert.Equals(t, ch.Status, acme.StatusPending)
+						assert.Equals(t, ch.Value, `{"name": "Alice Smith", "handle": "wireapp://%[email protected]"}`)
+						return nil
+					},
+					MockCreateAuthorization: func(ctx context.Context, az *acme.Authorization) error {
+						az.ID = "az1ID"
+						az1ID = &az.ID
+						assert.Equals(t, az.AccountID, "accID")
+						assert.NotEquals(t, az.Token, "")
+						assert.Equals(t, az.Status, acme.StatusPending)
+						assert.Equals(t, az.Identifier, nor.Identifiers[0])
+						assert.Equals(t, az.Challenges, []*acme.Challenge{*ch1})
+						assert.Equals(t, az.Wildcard, false)
+						return nil
+					},
+					MockCreateOrder: func(ctx context.Context, o *acme.Order) error {
+						o.ID = "ordID"
+						assert.Equals(t, o.AccountID, "accID")
+						assert.Equals(t, o.ProvisionerID, prov.GetID())
+						assert.Equals(t, o.Status, acme.StatusPending)
+						assert.Equals(t, o.Identifiers, nor.Identifiers)
+						assert.Equals(t, o.AuthorizationIDs, []string{*az1ID})
+						return nil
+					},
+					MockGetExternalAccountKeyByAccountID: func(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
+						assert.Equals(t, prov.GetID(), provisionerID)
+						assert.Equals(t, "accID", accountID)
+						return nil, nil
+					},
+				},
+				vr: func(t *testing.T, o *acme.Order) {
+					now := clock.Now()
+					testBufferDur := 5 * time.Second
+					orderExpiry := now.Add(defaultOrderExpiry)
+					expNbf := now.Add(-defaultOrderBackdate)
+					expNaf := now.Add(prov.DefaultTLSCertDuration())
+
+					assert.Equals(t, o.ID, "ordID")
+					assert.Equals(t, o.Status, acme.StatusPending)
+					assert.Equals(t, o.Identifiers, nor.Identifiers)
+					assert.Equals(t, o.AuthorizationURLs, []string{fmt.Sprintf("%s/acme/%s/authz/az1ID", baseURL.String(), escProvName)})
+					assert.True(t, o.NotBefore.Add(-testBufferDur).Before(expNbf))
+					assert.True(t, o.NotBefore.Add(testBufferDur).After(expNbf))
+					assert.True(t, o.NotAfter.Add(-testBufferDur).Before(expNaf))
+					assert.True(t, o.NotAfter.Add(testBufferDur).After(expNaf))
+					assert.True(t, o.ExpiresAt.Add(-testBufferDur).Before(orderExpiry))
+					assert.True(t, o.ExpiresAt.Add(testBufferDur).After(orderExpiry))
+				},
+			}
+		},
+		"ok/default-naf-nbf-wireapp-device": func(t *testing.T) test {
+			acmeWireProv := newWireProvisionerWithOptions(t, &provisioner.Options{
+				Wire: &wire.Options{
+					OIDC: &wire.OIDCOptions{
+						Provider: &wire.Provider{
+							IssuerURL:   "https://issuer.example.com",
+							AuthURL:     "",
+							TokenURL:    "",
+							JWKSURL:     "",
+							UserInfoURL: "",
+							Algorithms:  []string{"ES256"},
+						},
+						Config: &wire.Config{
+							ClientID:                   "integration test",
+							SignatureAlgorithms:        []string{"ES256"},
+							SkipClientIDCheck:          true,
+							SkipExpiryCheck:            true,
+							SkipIssuerCheck:            true,
+							InsecureSkipSignatureCheck: true,
+							Now:                        time.Now,
+						},
+					},
+					DPOP: &wire.DPOPOptions{
+						SigningKey: []byte(fakeWireSigningKey),
+					},
+				},
+			})
+			acc := &acme.Account{ID: "accID"}
+			nor := &NewOrderRequest{
+				Identifiers: []acme.Identifier{
+					{Type: "wireapp-device", Value: `{"client-id": "wireapp://user!client@domain"}`},
+				},
+			}
+			b, err := json.Marshal(nor)
+			assert.FatalError(t, err)
+			ctx := acme.NewProvisionerContext(context.Background(), acmeWireProv)
+			ctx = context.WithValue(ctx, accContextKey, acc)
+			ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: b})
+			var (
+				ch1   **acme.Challenge
+				az1ID *string
+			)
+			return test{
+				ctx:        ctx,
+				statusCode: 201,
+				nor:        nor,
+				ca:         &mockCA{},
+				db: &acme.MockDB{
+					MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
+						ch.ID = "wireapp-dpop"
+						assert.Equals(t, ch.Type, acme.WIREDPOP01)
+						ch1 = &ch
 						assert.Equals(t, ch.AccountID, "accID")
 						assert.NotEquals(t, ch.Token, "")
 						assert.Equals(t, ch.Status, acme.StatusPending)
@@ -1796,7 +1903,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 						assert.NotEquals(t, az.Token, "")
 						assert.Equals(t, az.Status, acme.StatusPending)
 						assert.Equals(t, az.Identifier, nor.Identifiers[0])
-						assert.Equals(t, az.Challenges, []*acme.Challenge{*ch1, *ch2})
+						assert.Equals(t, az.Challenges, []*acme.Challenge{*ch1})
 						assert.Equals(t, az.Wildcard, false)
 						return nil
 					},

acme/api/wire_integration_test.go

@@ -234,7 +234,11 @@ func TestWireIntegration(t *testing.T) {
 		nor := &NewOrderRequest{
 			Identifiers: []acme.Identifier{
 				{
-					Type:  "wireapp-id",
+					Type:  "wireapp-user",
+					Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "handle": "wireapp://%[email protected]"}`,
+				},
+				{
+					Type:  "wireapp-device",
 					Value: `{"name": "Smith, Alice M (QA)", "domain": "example.com", "client-id": "wireapp://[email protected]", "handle": "wireapp://%[email protected]"}`,
 				},
 			},

acme/challenge.go

@@ -373,7 +373,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 		return WrapError(ErrorMalformedType, err, "error unmarshalling Wire OIDC challenge payload")
 	}
 
-	wireID, err := wire.ParseID([]byte(ch.Value))
+	wireID, err := wire.ParseUserID([]byte(ch.Value))
 	if err != nil {
 		return WrapErrorISE(err, "error unmarshalling challenge data")
 	}
@@ -451,7 +451,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 	return nil
 }
 
-func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.ID) (map[string]any, error) {
+func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.UserID) (map[string]any, error) {
 	var m map[string]any
 	if err := token.Claims(&m); err != nil {
 		return nil, fmt.Errorf("failed extracting OIDC ID token claims: %w", err)
@@ -500,7 +500,7 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, accountJWK *j
 		return WrapError(ErrorMalformedType, err, "error unmarshalling Wire DPoP challenge payload")
 	}
 
-	wireID, err := wire.ParseID([]byte(ch.Value))
+	wireID, err := wire.ParseDeviceID([]byte(ch.Value))
 	if err != nil {
 		return WrapErrorISE(err, "error unmarshalling challenge data")
 	}
@@ -598,7 +598,7 @@ type wireVerifyParams struct {
 	dpopKeyID string
 	issuer    string
 	audience  string
-	wireID    wire.ID
+	wireID    wire.DeviceID
 	chToken   string
 	t         time.Time
 }

acme/challenge_wire_test.go

@@ -100,7 +100,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 					Type:   "urn:ietf:params:acme:error:serverInternal",
 					Detail: "The server experienced an internal error",
 					Status: 500,
-					Err:    errors.New(`error unmarshalling challenge data: json: cannot unmarshal number into Go value of type wire.ID`),
+					Err:    errors.New(`error unmarshalling challenge data: json: cannot unmarshal number into Go value of type wire.DeviceID`),
 				},
 			}
 		},
@@ -1096,7 +1096,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 					Type:   "urn:ietf:params:acme:error:serverInternal",
 					Detail: "The server experienced an internal error",
 					Status: 500,
-					Err:    errors.New(`error unmarshalling challenge data: json: cannot unmarshal number into Go value of type wire.ID`),
+					Err:    errors.New(`error unmarshalling challenge data: json: cannot unmarshal number into Go value of type wire.UserID`),
 				},
 			}
 		},
@@ -2030,7 +2030,7 @@ MCowBQYDK2VwAyEAB2IYqBWXAouDt3WcCZgCM3t9gumMEKMlgMsGenSu+fA=
 	require.True(t, ok)
 
 	issuer := "http://wire.com:19983/clients/7a41cf5b79683410/access-token"
-	wireID := wire.ID{
+	wireID := wire.DeviceID{
 		ClientID: "wireapp://[email protected]",
 		Handle:   "wireapp://%[email protected]",
 	}
@@ -2127,7 +2127,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 	idToken, err := verifier.Verify(ctx, idTokenString)
 	require.NoError(t, err)
 
-	wireID := wire.ID{
+	wireID := wire.UserID{
 		Name:   "Alice Smith",
 		Handle: "wireapp://%[email protected]",
 	}