mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:01:30 +00:00
acme-server: account resource + JWS verifier (Phase 1b/7)
Layers JWS-authenticated POST machinery onto the Phase 1a foundation
(commit ec88a61). After this commit, an ACME client can run
POST /acme/profile/<id>/new-account
against certctl and successfully register an account. Account update
+ deactivation via POST /acme/profile/<id>/account/<acc-id> work.
Orders + challenges remain Phase 2 / 3.
Background:
Two prior dispatch attempts at the original Phase 1 ("skeleton +
directory + new-nonce + new-account" as a single commit) failed on
go-jose v4 API speculation (jws.GetPayload, sig.Algorithm,
jose.SHA256, etc. — none of those exist in v4). Splitting Phase 1
into 1a (foundation, no go-jose) and 1b (this commit, all go-jose
in one place) concentrated the JWS work where attention pays off.
The verifier reads the actual go-jose v4 surface — ParseSigned with
closed alg allow-list, Header struct fields (Algorithm, KeyID,
JSONWebKey, Nonce, ExtraHeaders[HeaderKey]), JWK.Thumbprint with
stdlib crypto.SHA256.
What ships:
- internal/api/acme/jws.go: 487-line verifier + sentinel error
family. Enforces RFC 8555 §6.2 + §6.4 + §6.5 invariants:
- alg in {RS256, ES256, EdDSA} (closed allow-list passed to
jose.ParseSigned — HS256 / none / etc. rejected at parse time)
- exactly one of `kid` / `jwk` in protected header (per
endpoint policy — new-account demands jwk, others demand kid)
- protected `url` matches request URL exactly
- protected `nonce` consumed against acme_nonces (badNonce on
miss/replay/expiry per RFC 8555 §6.5.1)
- kid round-trips against canonical AccountKID(accountID) URL
(catches cross-profile / cross-host replay)
- kid path: account exists + status=valid (deactivated /
revoked accounts cannot authenticate)
- signature verifies; post-Verify payload bytes equal
UnsafePayloadWithoutVerification (defense in depth)
+ JWK persistence helpers (JWKToPEM / ParseJWKFromPEM round-
trip a public-only JWK as a PEM-wrapped JSON envelope; stored
as TEXT in acme_accounts.jwk_pem for diff-friendliness) +
JWKThumbprint per RFC 7638.
- internal/api/acme/jws_test.go: 16 cases covering happy paths
(RS256 kid, ES256 jwk, EdDSA kid) + every named failure mode
(alg-not-allowed, bad-sig, missing-nonce, unknown-nonce,
replay, url-mismatch, mixed kid+jwk, deactivated-account,
cross-host kid). Uses real keypairs + real go-jose Signer to
build JWS objects.
- internal/api/acme/account.go: NewAccountRequest /
AccountUpdateRequest payload shapes (RFC 8555 §7.3 + §7.3.2 +
§7.3.6) + AccountResponseJSON wire shape + MarshalAccount
helper.
- internal/domain/acme.go: ACMEAccount struct + ACMEAccountStatus
closed enum (valid / deactivated / revoked).
- internal/repository/postgres/acme.go: full account CRUD path
(CreateAccountWithTx with 23505-unique-violation sentinel
translation, GetAccountByID, GetAccountByThumbprint,
UpdateAccountContactWithTx, UpdateAccountStatusWithTx) +
sql.ErrNoRows-wrapped repository.ErrNotFound on lookup misses.
- internal/service/acme.go: ACMERepo interface extended;
SetTransactor + SetAuditService wires; NewAccount (idempotent
re-registration per RFC 8555 §7.3.1 — same JWK returns existing
row without an update or new audit event); LookupAccount;
UpdateAccount; DeactivateAccount; VerifyJWS adapter that bridges
api/acme.VerifierConfig to the service-layer ACMERepo; per-op
metrics extended (new_account_total + _failures_total +
_idempotent_total + update_account_total + _failures_total +
deactivate_account_total).
- internal/service/acme_test.go: 8 new tests covering
new-account happy path / idempotent re-registration / only-
return-existing match + no-match / contact update / deactivate
/ lookup-not-found / requires-transactor.
- internal/api/handler/acme.go: NewAccount + Account handlers.
Account dispatches POST-as-GET (RFC 8555 §6.3 — empty body or
{} payload returns the account row), contact update, and
deactivation from the same endpoint. Defense-in-depth check
that the kid path-segment matches the URL path-segment (the
verifier already round-tripped the kid against canonical URL,
but the handler re-asserts to catch any future verifier
refactor).
- internal/api/handler/acme_handler_test.go: 7 new cases
covering happy-create, idempotent-200, only-return-existing-
no-match-400, malformed-JWS-400, kid-URL-mismatch-401,
deactivate, contact-update, POST-as-GET.
- internal/api/router/router.go: 4 new Register calls (per-
profile + shorthand for new-account and account/{acc_id}).
- internal/api/router/openapi_parity_test.go: SpecParityExceptions
extended with the 4 new routes (RFC 8555 wire-protocol surface,
not OpenAPI-shaped — same precedent as Phase 1a).
- cmd/server/main.go: SetTransactor + SetAuditService on
acmeService at startup so the WithinTx-based new-account /
update / deactivate paths run with the same transactor instance
shared across CertificateService / RevocationSvc / RenewalService.
- docs/acme-server.md: Phase status updated; endpoints table grows
new-account + account/<acc_id> rows; new "JWS verification
(Phase 1b)" section enumerates the 7 invariants the verifier
enforces; phases-cross-reference table marks 1b live.
- go.mod / go.sum: github.com/go-jose/go-jose/v4 v4.0.4 added.
Atomicity: every account-state mutation writes its acme_accounts row
+ its audit_events row inside one repository.Transactor.WithinTx
call — the canonical certctl atomicity contract (matches
CertificateService.Create at internal/service/certificate.go:131).
Idempotent re-registration explicitly does NOT write an audit row
(RFC 8555 §7.3.1 returns the existing row unmodified).
Tests: 16 jws_test.go cases + 11 service tests + 11 handler tests
all pass under -short. Bad-signature test uses a real registered
account whose stored JWK is a different keypair from the signer's,
so the JWS parses cleanly but jose.Verify rejects — exercises the
ErrJWSSignatureInvalid path directly.
Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-1b".
This commit is contained in:
shankar0123
@@ -6,8 +6,13 @@ package postgres
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/lib/pq"
|
||||
"github.com/shankar0123/certctl/internal/domain"
|
||||
"github.com/shankar0123/certctl/internal/repository"
|
||||
)
|
||||
|
||||
// ACMERepository implements the ACME server's persistence layer
|
||||
@@ -84,3 +89,170 @@ func (r *ACMERepository) ConsumeNonce(ctx context.Context, nonce string) error {
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// ErrACMEAccountDuplicateThumbprint is the sentinel returned by
|
||||
// CreateAccount[WithTx] when the (profile_id, jwk_thumbprint) UNIQUE
|
||||
// constraint fires. Callers (the new-account flow) translate this
|
||||
// into "an account already exists for this JWK" — RFC 8555 §7.3.1
|
||||
// idempotent-semantics path.
|
||||
var ErrACMEAccountDuplicateThumbprint = errors.New("acme: account already exists for this profile + JWK thumbprint")
|
||||
|
||||
// CreateAccount inserts a new acme_accounts row. Use CreateAccountWithTx
|
||||
// when the insert must be atomic with an audit row.
|
||||
func (r *ACMERepository) CreateAccount(ctx context.Context, acct *domain.ACMEAccount) error {
|
||||
return r.CreateAccountWithTx(ctx, r.db, acct)
|
||||
}
|
||||
|
||||
// CreateAccountWithTx inserts using the supplied Querier (typically
|
||||
// *sql.Tx from postgres.WithinTx). Returns
|
||||
// ErrACMEAccountDuplicateThumbprint on the (profile_id, jwk_thumbprint)
|
||||
// UNIQUE collision per migration 000025.
|
||||
func (r *ACMERepository) CreateAccountWithTx(ctx context.Context, q repository.Querier, acct *domain.ACMEAccount) error {
|
||||
if acct.AccountID == "" || acct.JWKThumbprint == "" || acct.JWKPEM == "" || acct.ProfileID == "" {
|
||||
return fmt.Errorf("acme: create account: missing required field")
|
||||
}
|
||||
if acct.Status == "" {
|
||||
acct.Status = domain.ACMEAccountStatusValid
|
||||
}
|
||||
now := time.Now().UTC()
|
||||
if acct.CreatedAt.IsZero() {
|
||||
acct.CreatedAt = now
|
||||
}
|
||||
acct.UpdatedAt = now
|
||||
|
||||
contact := pq.Array(acct.Contact)
|
||||
var ownerID interface{}
|
||||
if acct.OwnerID != "" {
|
||||
ownerID = acct.OwnerID
|
||||
}
|
||||
_, err := q.ExecContext(ctx, `
|
||||
INSERT INTO acme_accounts (
|
||||
account_id, jwk_thumbprint, jwk_pem, contact, status,
|
||||
profile_id, owner_id, created_at, updated_at
|
||||
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
|
||||
`,
|
||||
acct.AccountID, acct.JWKThumbprint, acct.JWKPEM, contact,
|
||||
string(acct.Status), acct.ProfileID, ownerID,
|
||||
acct.CreatedAt, acct.UpdatedAt,
|
||||
)
|
||||
if err != nil {
|
||||
// Postgres SQLSTATE 23505 = unique_violation. lib/pq wraps the
|
||||
// raw error in *pq.Error; decode and translate to the
|
||||
// repository sentinel.
|
||||
var pqErr *pq.Error
|
||||
if errors.As(err, &pqErr) && pqErr.Code == "23505" {
|
||||
return ErrACMEAccountDuplicateThumbprint
|
||||
}
|
||||
return fmt.Errorf("acme: insert account: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetAccountByID returns the account row for an account ID.
|
||||
// Returns sql.ErrNoRows wrapped via repository.ErrNotFound when
|
||||
// no row matches (callers branch on errors.Is(err, repository.ErrNotFound)).
|
||||
func (r *ACMERepository) GetAccountByID(ctx context.Context, accountID string) (*domain.ACMEAccount, error) {
|
||||
row := r.db.QueryRowContext(ctx, `
|
||||
SELECT account_id, jwk_thumbprint, jwk_pem, contact, status,
|
||||
profile_id, COALESCE(owner_id, ''), created_at, updated_at
|
||||
FROM acme_accounts
|
||||
WHERE account_id = $1
|
||||
`, accountID)
|
||||
return scanACMEAccount(row)
|
||||
}
|
||||
|
||||
// GetAccountByThumbprint returns the account row for a (profile_id,
|
||||
// jwk_thumbprint) pair. Same sentinel semantics as GetAccountByID.
|
||||
// The new-account idempotency path queries by thumbprint to detect a
|
||||
// re-registration of an existing JWK (RFC 8555 §7.3.1).
|
||||
func (r *ACMERepository) GetAccountByThumbprint(ctx context.Context, profileID, thumbprint string) (*domain.ACMEAccount, error) {
|
||||
row := r.db.QueryRowContext(ctx, `
|
||||
SELECT account_id, jwk_thumbprint, jwk_pem, contact, status,
|
||||
profile_id, COALESCE(owner_id, ''), created_at, updated_at
|
||||
FROM acme_accounts
|
||||
WHERE profile_id = $1 AND jwk_thumbprint = $2
|
||||
`, profileID, thumbprint)
|
||||
return scanACMEAccount(row)
|
||||
}
|
||||
|
||||
// UpdateAccountContact replaces the account's contact list. Use the
|
||||
// WithTx variant when the update must be atomic with an audit row.
|
||||
func (r *ACMERepository) UpdateAccountContact(ctx context.Context, accountID string, contact []string) error {
|
||||
return r.UpdateAccountContactWithTx(ctx, r.db, accountID, contact)
|
||||
}
|
||||
|
||||
// UpdateAccountContactWithTx writes the new contact list using the
|
||||
// supplied Querier. Returns sql.ErrNoRows-wrapped repository.ErrNotFound
|
||||
// on missing account.
|
||||
func (r *ACMERepository) UpdateAccountContactWithTx(ctx context.Context, q repository.Querier, accountID string, contact []string) error {
|
||||
res, err := q.ExecContext(ctx, `
|
||||
UPDATE acme_accounts
|
||||
SET contact = $2, updated_at = NOW()
|
||||
WHERE account_id = $1
|
||||
`, accountID, pq.Array(contact))
|
||||
if err != nil {
|
||||
return fmt.Errorf("acme: update account contact: %w", err)
|
||||
}
|
||||
n, err := res.RowsAffected()
|
||||
if err != nil {
|
||||
return fmt.Errorf("acme: update account contact rows affected: %w", err)
|
||||
}
|
||||
if n == 0 {
|
||||
return fmt.Errorf("account not found: %w", repository.ErrNotFound)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// UpdateAccountStatus is the persistence path for account
|
||||
// deactivation. Phase 1b accepts only the "valid" → "deactivated"
|
||||
// transition (RFC 8555 §7.3.6); operator-initiated revocation is a
|
||||
// future phase.
|
||||
func (r *ACMERepository) UpdateAccountStatus(ctx context.Context, accountID string, status domain.ACMEAccountStatus) error {
|
||||
return r.UpdateAccountStatusWithTx(ctx, r.db, accountID, status)
|
||||
}
|
||||
|
||||
// UpdateAccountStatusWithTx writes the status transition using the
|
||||
// supplied Querier. Same sentinel semantics as UpdateAccountContactWithTx.
|
||||
func (r *ACMERepository) UpdateAccountStatusWithTx(ctx context.Context, q repository.Querier, accountID string, status domain.ACMEAccountStatus) error {
|
||||
res, err := q.ExecContext(ctx, `
|
||||
UPDATE acme_accounts
|
||||
SET status = $2, updated_at = NOW()
|
||||
WHERE account_id = $1
|
||||
`, accountID, string(status))
|
||||
if err != nil {
|
||||
return fmt.Errorf("acme: update account status: %w", err)
|
||||
}
|
||||
n, err := res.RowsAffected()
|
||||
if err != nil {
|
||||
return fmt.Errorf("acme: update account status rows affected: %w", err)
|
||||
}
|
||||
if n == 0 {
|
||||
return fmt.Errorf("account not found: %w", repository.ErrNotFound)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// scanACMEAccount is the shared shape for the SELECT-by-X account
|
||||
// queries above. Returns sql.ErrNoRows-wrapped repository.ErrNotFound
|
||||
// on miss; any other scan failure surfaces verbatim.
|
||||
func scanACMEAccount(row interface{ Scan(...interface{}) error }) (*domain.ACMEAccount, error) {
|
||||
var (
|
||||
acct domain.ACMEAccount
|
||||
contact pq.StringArray
|
||||
statusStr string
|
||||
)
|
||||
err := row.Scan(
|
||||
&acct.AccountID, &acct.JWKThumbprint, &acct.JWKPEM, &contact,
|
||||
&statusStr, &acct.ProfileID, &acct.OwnerID,
|
||||
&acct.CreatedAt, &acct.UpdatedAt,
|
||||
)
|
||||
if err != nil {
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return nil, fmt.Errorf("account not found: %w", repository.ErrNotFound)
|
||||
}
|
||||
return nil, fmt.Errorf("acme: scan account: %w", err)
|
||||
}
|
||||
acct.Contact = []string(contact)
|
||||
acct.Status = domain.ACMEAccountStatus(statusStr)
|
||||
return &acct, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user