gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 00:18:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

acme-server: account resource + JWS verifier (Phase 1b/7)

Browse Source 
Layers JWS-authenticated POST machinery onto the Phase 1a foundation
(commit ec88a61). After this commit, an ACME client can run

  POST /acme/profile/<id>/new-account

against certctl and successfully register an account. Account update
+ deactivation via POST /acme/profile/<id>/account/<acc-id> work.
Orders + challenges remain Phase 2 / 3.

Background:
  Two prior dispatch attempts at the original Phase 1 ("skeleton +
  directory + new-nonce + new-account" as a single commit) failed on
  go-jose v4 API speculation (jws.GetPayload, sig.Algorithm,
  jose.SHA256, etc. — none of those exist in v4). Splitting Phase 1
  into 1a (foundation, no go-jose) and 1b (this commit, all go-jose
  in one place) concentrated the JWS work where attention pays off.
  The verifier reads the actual go-jose v4 surface — ParseSigned with
  closed alg allow-list, Header struct fields (Algorithm, KeyID,
  JSONWebKey, Nonce, ExtraHeaders[HeaderKey]), JWK.Thumbprint with
  stdlib crypto.SHA256.

What ships:
  - internal/api/acme/jws.go: 487-line verifier + sentinel error
    family. Enforces RFC 8555 §6.2 + §6.4 + §6.5 invariants:
      - alg in {RS256, ES256, EdDSA} (closed allow-list passed to
        jose.ParseSigned — HS256 / none / etc. rejected at parse time)
      - exactly one of `kid` / `jwk` in protected header (per
        endpoint policy — new-account demands jwk, others demand kid)
      - protected `url` matches request URL exactly
      - protected `nonce` consumed against acme_nonces (badNonce on
        miss/replay/expiry per RFC 8555 §6.5.1)
      - kid round-trips against canonical AccountKID(accountID) URL
        (catches cross-profile / cross-host replay)
      - kid path: account exists + status=valid (deactivated /
        revoked accounts cannot authenticate)
      - signature verifies; post-Verify payload bytes equal
        UnsafePayloadWithoutVerification (defense in depth)
    + JWK persistence helpers (JWKToPEM / ParseJWKFromPEM round-
    trip a public-only JWK as a PEM-wrapped JSON envelope; stored
    as TEXT in acme_accounts.jwk_pem for diff-friendliness) +
    JWKThumbprint per RFC 7638.
  - internal/api/acme/jws_test.go: 16 cases covering happy paths
    (RS256 kid, ES256 jwk, EdDSA kid) + every named failure mode
    (alg-not-allowed, bad-sig, missing-nonce, unknown-nonce,
    replay, url-mismatch, mixed kid+jwk, deactivated-account,
    cross-host kid). Uses real keypairs + real go-jose Signer to
    build JWS objects.
  - internal/api/acme/account.go: NewAccountRequest /
    AccountUpdateRequest payload shapes (RFC 8555 §7.3 + §7.3.2 +
    §7.3.6) + AccountResponseJSON wire shape + MarshalAccount
    helper.
  - internal/domain/acme.go: ACMEAccount struct + ACMEAccountStatus
    closed enum (valid / deactivated / revoked).
  - internal/repository/postgres/acme.go: full account CRUD path
    (CreateAccountWithTx with 23505-unique-violation sentinel
    translation, GetAccountByID, GetAccountByThumbprint,
    UpdateAccountContactWithTx, UpdateAccountStatusWithTx) +
    sql.ErrNoRows-wrapped repository.ErrNotFound on lookup misses.
  - internal/service/acme.go: ACMERepo interface extended;
    SetTransactor + SetAuditService wires; NewAccount (idempotent
    re-registration per RFC 8555 §7.3.1 — same JWK returns existing
    row without an update or new audit event); LookupAccount;
    UpdateAccount; DeactivateAccount; VerifyJWS adapter that bridges
    api/acme.VerifierConfig to the service-layer ACMERepo; per-op
    metrics extended (new_account_total + _failures_total +
    _idempotent_total + update_account_total + _failures_total +
    deactivate_account_total).
  - internal/service/acme_test.go: 8 new tests covering
    new-account happy path / idempotent re-registration / only-
    return-existing match + no-match / contact update / deactivate
    / lookup-not-found / requires-transactor.
  - internal/api/handler/acme.go: NewAccount + Account handlers.
    Account dispatches POST-as-GET (RFC 8555 §6.3 — empty body or
    {} payload returns the account row), contact update, and
    deactivation from the same endpoint. Defense-in-depth check
    that the kid path-segment matches the URL path-segment (the
    verifier already round-tripped the kid against canonical URL,
    but the handler re-asserts to catch any future verifier
    refactor).
  - internal/api/handler/acme_handler_test.go: 7 new cases
    covering happy-create, idempotent-200, only-return-existing-
    no-match-400, malformed-JWS-400, kid-URL-mismatch-401,
    deactivate, contact-update, POST-as-GET.
  - internal/api/router/router.go: 4 new Register calls (per-
    profile + shorthand for new-account and account/{acc_id}).
  - internal/api/router/openapi_parity_test.go: SpecParityExceptions
    extended with the 4 new routes (RFC 8555 wire-protocol surface,
    not OpenAPI-shaped — same precedent as Phase 1a).
  - cmd/server/main.go: SetTransactor + SetAuditService on
    acmeService at startup so the WithinTx-based new-account /
    update / deactivate paths run with the same transactor instance
    shared across CertificateService / RevocationSvc / RenewalService.
  - docs/acme-server.md: Phase status updated; endpoints table grows
    new-account + account/<acc_id> rows; new "JWS verification
    (Phase 1b)" section enumerates the 7 invariants the verifier
    enforces; phases-cross-reference table marks 1b live.
  - go.mod / go.sum: github.com/go-jose/go-jose/v4 v4.0.4 added.

Atomicity: every account-state mutation writes its acme_accounts row
+ its audit_events row inside one repository.Transactor.WithinTx
call — the canonical certctl atomicity contract (matches
CertificateService.Create at internal/service/certificate.go:131).
Idempotent re-registration explicitly does NOT write an audit row
(RFC 8555 §7.3.1 returns the existing row unmodified).

Tests: 16 jws_test.go cases + 11 service tests + 11 handler tests
all pass under -short. Bad-signature test uses a real registered
account whose stored JWK is a different keypair from the signer's,
so the JWS parses cleanly but jose.Verify rejects — exercises the
ErrJWSSignatureInvalid path directly.

Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-1b".
This commit is contained in:
shankar0123
2026-05-03 13:21:56 +00:00
parent ec88a61274
commit 44a85d6f85
15 changed files with 2621 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/service/acme.go
+328 -31
View File
@@ -10,6 +10,8 @@ import (
"sync/atomic"
"time"
jose "github.com/go-jose/go-jose/v4"
"github.com/shankar0123/certctl/internal/api/acme"
"github.com/shankar0123/certctl/internal/config"
"github.com/shankar0123/certctl/internal/domain"
@@ -17,20 +19,25 @@ import (
)
// ACMERepo is the persistence-layer surface ACMEService consumes for
// nonce + (later phases) account / order / authz / challenge state.
// Phase 1a wires only the nonce path; the interface is tightened in
// Phase 1b along with the AccountService.
// nonce + account state. Phase 1b extends the Phase 1a interface with
// the account CRUD path; Phases 2-4 will further extend with order /
// authz / challenge state.
//
// Defining the interface in the service package (rather than
// internal/repository/interfaces.go) keeps the cross-phase blast
// radius small: when Phase 1b adds CreateAccountWithTx /
// GetAccountByThumbprint / etc., only this file's interface and the
// concrete postgres ACMERepository move together. Mock implementations
// in tests satisfy this interface without depending on the postgres
// package.
// radius small: only this file and the concrete postgres
// ACMERepository move together. Mock implementations in tests satisfy
// this interface without depending on the postgres package.
type ACMERepo interface {
// Phase 1a — nonce.
IssueNonce(ctx context.Context, nonce string, ttl time.Duration) error
ConsumeNonce(ctx context.Context, nonce string) error
// Phase 1b — account CRUD.
CreateAccountWithTx(ctx context.Context, q repository.Querier, acct *domain.ACMEAccount) error
GetAccountByID(ctx context.Context, accountID string) (*domain.ACMEAccount, error)
GetAccountByThumbprint(ctx context.Context, profileID, thumbprint string) (*domain.ACMEAccount, error)
UpdateAccountContactWithTx(ctx context.Context, q repository.Querier, accountID string, contact []string) error
UpdateAccountStatusWithTx(ctx context.Context, q repository.Querier, accountID string, status domain.ACMEAccountStatus) error
}
// profileLookup is the minimum surface ACMEService needs to resolve a
@@ -41,31 +48,37 @@ type profileLookup interface {
Get(ctx context.Context, id string) (*domain.CertificateProfile, error)
}
// ACMEService orchestrates the ACME server's RFC 8555 surface. Phase 1a
// implements:
// ACMEService orchestrates the ACME server's RFC 8555 surface.
//
// - BuildDirectory: returns the per-profile directory document.
// - IssueNonce: returns a Replay-Nonce, persisted with TTL.
//
// Phase 1b will extend with VerifyJWS, NewAccount, LookupAccount,
// UpdateAccount, DeactivateAccount.
// - Phase 1a (live): BuildDirectory, IssueNonce.
// - Phase 1b (this commit): VerifyJWS, NewAccount, LookupAccount,
// UpdateAccount, DeactivateAccount.
// - Subsequent phases extend with new-order, finalize, challenges,
// key-change, revoke, ARI.
//
// The struct deliberately holds raw config rather than per-field
// extracted values — the directory builder uses 4 of the 11 fields
// and reading them lazily keeps the constructor signature tight.
// extracted values — readers use 4 of the 11 fields and reading them
// lazily keeps the constructor signature tight.
type ACMEService struct {
repo ACMERepo
profiles profileLookup
cfg config.ACMEServerConfig
metrics *ACMEMetrics
// Phase 1b — atomic-audit plumbing for the JWS-authenticated
// POST surface. Both fields are set via SetTransactor +
// SetAuditService (mirrors CertificateService.SetTransactor at
// internal/service/certificate.go:254). When both are nil the
// service falls back to the non-transactional path — kept for
// the legacy directory + new-nonce paths that don't write to
// stateful tables.
tx repository.Transactor
auditService *AuditService
}
// NewACMEService constructs an ACMEService. The constructor matches
// certctl's per-service convention: required dependencies in the
// argument list (repo, profile lookup, config), optional wiring via
// post-construction setters (metrics is wired now to keep the
// Phase-1a-only footprint clean; Phase 1b adds SetTransactor +
// SetAuditService for the JWS-authenticated POST path).
// NewACMEService constructs an ACMEService with the directory + nonce
// surface wired. Account-creating endpoints additionally need the
// transactor + audit service — see SetTransactor / SetAuditService.
func NewACMEService(repo ACMERepo, profiles profileLookup, cfg config.ACMEServerConfig) *ACMEService {
return &ACMEService{
repo: repo,
@@ -75,6 +88,17 @@ func NewACMEService(repo ACMERepo, profiles profileLookup, cfg config.ACMEServer
}
}
// SetTransactor wires the atomic-audit transactor. Mirrors
// CertificateService.SetTransactor; cmd/server/main.go calls this
// at startup with the same *postgres.transactor instance shared
// across CertificateService / RevocationSvc / RenewalService.
func (s *ACMEService) SetTransactor(tx repository.Transactor) { s.tx = tx }
// SetAuditService wires the audit service. cmd/server/main.go
// constructs auditService once and passes the same instance into
// every service that emits audit rows.
func (s *ACMEService) SetAuditService(a *AuditService) { s.auditService = a }
// Metrics returns the per-op counter snapshotter. cmd/server/main.go
// passes this into MetricsHandler so the Prometheus exposer picks up
// the per-op signals.
@@ -92,6 +116,17 @@ var ErrACMEUserActionRequired = errors.New("acme: default profile not configured
// says "something is wrong server-side").
var ErrACMEProfileNotFound = errors.New("acme: profile not found")
// ErrACMEAccountNotFound is returned by LookupAccount when the
// account ID in the URL doesn't match any row. Handler maps to
// 404 + RFC 8555 §6.7 accountDoesNotExist.
var ErrACMEAccountNotFound = errors.New("acme: account not found")
// ErrACMEAccountDoesNotExist is returned by NewAccount when
// onlyReturnExisting=true and no account exists for the supplied
// JWK. RFC 8555 §7.3.1 requires returning 400 +
// urn:ietf:params:acme:error:accountDoesNotExist (NOT 404).
var ErrACMEAccountDoesNotExist = errors.New("acme: account does not exist for this JWK")
// BuildDirectory constructs the per-profile directory document.
//
// profileID resolution:
@@ -176,14 +211,22 @@ func (s *ACMEService) resolveProfile(ctx context.Context, profileID string) (str
// ACMEMetrics is the per-op counter table for the ACME server. Mirrors
// the IssuanceMetrics / DeployCounters pattern (atomic.Uint64 + a
// Snapshot method that emits stable tuples). Phase 1a tracks just
// directory + new-nonce; subsequent phases add new-account / new-order
// / etc.
// Snapshot method that emits stable tuples). Phases 2-4 will extend
// with new-order / finalize / challenge counters.
type ACMEMetrics struct {
// Phase 1a — directory + new-nonce.
DirectoryTotal atomic.Uint64
DirectoryFailureTotal atomic.Uint64
NewNonceTotal atomic.Uint64
NewNonceFailureTotal atomic.Uint64
// Phase 1b — account resource.
NewAccountTotal atomic.Uint64
NewAccountFailureTotal atomic.Uint64
NewAccountIdempotentTotal atomic.Uint64 // re-registration of existing JWK (RFC 8555 §7.3.1)
UpdateAccountTotal atomic.Uint64
UpdateAccountFailureTotal atomic.Uint64
DeactivateAccountTotal atomic.Uint64
}
// NewACMEMetrics returns a zeroed counter table. Concurrent callers
@@ -192,7 +235,7 @@ type ACMEMetrics struct {
func NewACMEMetrics() *ACMEMetrics { return &ACMEMetrics{} }
// bump increments a single atomic counter. Centralized so the call
// sites in BuildDirectory + IssueNonce are uniform.
// sites in BuildDirectory + IssueNonce + NewAccount + etc. are uniform.
func (m *ACMEMetrics) bump(c *atomic.Uint64) { c.Add(1) }
// Snapshot emits the current counter values as a map (op → count).
@@ -201,9 +244,263 @@ func (m *ACMEMetrics) bump(c *atomic.Uint64) { c.Add(1) }
// directly without per-op stringly-typed branching.
func (m *ACMEMetrics) Snapshot() map[string]uint64 {
return map[string]uint64{
"certctl_acme_directory_total": m.DirectoryTotal.Load(),
"certctl_acme_directory_failures_total": m.DirectoryFailureTotal.Load(),
"certctl_acme_new_nonce_total": m.NewNonceTotal.Load(),
"certctl_acme_new_nonce_failures_total": m.NewNonceFailureTotal.Load(),
"certctl_acme_directory_total": m.DirectoryTotal.Load(),
"certctl_acme_directory_failures_total": m.DirectoryFailureTotal.Load(),
"certctl_acme_new_nonce_total": m.NewNonceTotal.Load(),
"certctl_acme_new_nonce_failures_total": m.NewNonceFailureTotal.Load(),
"certctl_acme_new_account_total": m.NewAccountTotal.Load(),
"certctl_acme_new_account_failures_total": m.NewAccountFailureTotal.Load(),
"certctl_acme_new_account_idempotent_total": m.NewAccountIdempotentTotal.Load(),
"certctl_acme_update_account_total": m.UpdateAccountTotal.Load(),
"certctl_acme_update_account_failures_total": m.UpdateAccountFailureTotal.Load(),
"certctl_acme_deactivate_account_total": m.DeactivateAccountTotal.Load(),
}
}
// VerifyJWS adapts the api/acme verifier to the service-layer
// dependency surface. It builds the VerifierConfig from the service's
// repo + the supplied AccountKID-builder closure, then delegates to
// acme.VerifyJWS.
//
// accountKID is the handler-supplied closure that returns the
// canonical kid URL for an account ID (scheme + host + per-profile
// path). VerifyJWS uses it to round-trip-check the inbound `kid`
// against what the server would have emitted on new-account.
func (s *ACMEService) VerifyJWS(
ctx context.Context,
body []byte,
requestURL string,
expectNewAccount bool,
accountKID func(accountID string) string,
) (*acme.VerifiedRequest, error) {
cfg := acme.VerifierConfig{
Accounts: &accountAdapter{ctx: ctx, repo: s.repo},
Nonces: &nonceAdapter{ctx: ctx, repo: s.repo},
AccountKID: accountKID,
}
return acme.VerifyJWS(cfg, body, requestURL, acme.VerifyOptions{
ExpectNewAccount: expectNewAccount,
})
}
// accountAdapter bridges the service-layer ACMERepo to the verifier's
// AccountLookup interface. The verifier doesn't take a context (its
// surface is sync-pure for testability), so the adapter captures the
// per-request context at construction time.
type accountAdapter struct {
ctx context.Context
repo ACMERepo
}
func (a *accountAdapter) LookupAccount(accountID string) (*domain.ACMEAccount, error) {
acct, err := a.repo.GetAccountByID(a.ctx, accountID)
if err != nil {
if errors.Is(err, repository.ErrNotFound) {
return nil, acme.ErrJWSAccountNotFound
}
return nil, fmt.Errorf("acme: lookup account: %w", err)
}
return acct, nil
}
// nonceAdapter bridges the service-layer ACMERepo's ConsumeNonce
// to the verifier's NonceConsumer interface (no-context signature).
type nonceAdapter struct {
ctx context.Context
repo ACMERepo
}
func (n *nonceAdapter) ConsumeNonce(nonce string) error {
return n.repo.ConsumeNonce(n.ctx, nonce)
}
// NewAccount creates (or, on RFC 8555 §7.3.1 idempotent re-registration,
// re-returns the existing) account row for the supplied JWK. Returns
// the persisted ACMEAccount + a bool indicating whether the row was
// newly created (true) or already existed (false).
//
// onlyReturnExisting=true makes the call read-only: when no account
// exists for the JWK, the service returns ErrACMEAccountDoesNotExist
// instead of creating one.
//
// State writes (cert insert + audit row) are atomic via WithinTx +
// RecordEventWithTx — same pattern as CertificateService.Create.
func (s *ACMEService) NewAccount(
ctx context.Context,
profileID string,
jwk *jose.JSONWebKey,
contact []string,
onlyReturnExisting bool,
tosAgreed bool,
) (*domain.ACMEAccount, bool, error) {
if s.tx == nil || s.auditService == nil {
s.metrics.bump(&s.metrics.NewAccountFailureTotal)
return nil, false, fmt.Errorf("acme: new-account requires SetTransactor + SetAuditService")
}
resolvedProfileID, err := s.resolveProfile(ctx, profileID)
if err != nil {
s.metrics.bump(&s.metrics.NewAccountFailureTotal)
return nil, false, err
}
thumb, err := acme.JWKThumbprint(jwk)
if err != nil {
s.metrics.bump(&s.metrics.NewAccountFailureTotal)
return nil, false, fmt.Errorf("acme: thumbprint: %w", err)
}
// RFC 8555 §7.3.1 idempotency: a new-account request for an
// already-registered JWK returns the existing row unmodified.
if existing, err := s.repo.GetAccountByThumbprint(ctx, resolvedProfileID, thumb); err == nil {
s.metrics.bump(&s.metrics.NewAccountIdempotentTotal)
return existing, false, nil
} else if !errors.Is(err, repository.ErrNotFound) {
s.metrics.bump(&s.metrics.NewAccountFailureTotal)
return nil, false, fmt.Errorf("acme: lookup-by-thumbprint: %w", err)
}
if onlyReturnExisting {
s.metrics.bump(&s.metrics.NewAccountFailureTotal)
return nil, false, ErrACMEAccountDoesNotExist
}
jwkPEM, err := acme.JWKToPEM(jwk)
if err != nil {
s.metrics.bump(&s.metrics.NewAccountFailureTotal)
return nil, false, fmt.Errorf("acme: serialize jwk: %w", err)
}
acct := &domain.ACMEAccount{
AccountID: acme.AccountID(thumb),
JWKThumbprint: thumb,
JWKPEM: jwkPEM,
Contact: contact,
Status: domain.ACMEAccountStatusValid,
ProfileID: resolvedProfileID,
}
auditDetails := map[string]interface{}{
"profile_id": resolvedProfileID,
"jwk_thumbprint": thumb,
"contact_count": len(contact),
"tos_agreed": tosAgreed,
}
err = s.tx.WithinTx(ctx, func(q repository.Querier) error {
if err := s.repo.CreateAccountWithTx(ctx, q, acct); err != nil {
return fmt.Errorf("acme: create account: %w", err)
}
return s.auditService.RecordEventWithTx(
ctx, q,
fmt.Sprintf("acme:%s", acct.AccountID),
domain.ActorTypeUser,
"acme_account_created",
"acme_account",
acct.AccountID,
auditDetails,
)
})
if err != nil {
s.metrics.bump(&s.metrics.NewAccountFailureTotal)
return nil, false, err
}
s.metrics.bump(&s.metrics.NewAccountTotal)
return acct, true, nil
}
// LookupAccount returns the account by ID. Returns
// ErrACMEAccountNotFound when the row doesn't exist (handler maps to
// 404 with RFC 7807 + RFC 8555 §6.7 accountDoesNotExist Problem).
func (s *ACMEService) LookupAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error) {
acct, err := s.repo.GetAccountByID(ctx, accountID)
if err != nil {
if errors.Is(err, repository.ErrNotFound) {
return nil, ErrACMEAccountNotFound
}
return nil, fmt.Errorf("acme: lookup account: %w", err)
}
return acct, nil
}
// UpdateAccount replaces the account's contact list. Atomic: the
// repo update + audit row run in one WithinTx.
func (s *ACMEService) UpdateAccount(
ctx context.Context,
accountID string,
contact []string,
) (*domain.ACMEAccount, error) {
if s.tx == nil || s.auditService == nil {
s.metrics.bump(&s.metrics.UpdateAccountFailureTotal)
return nil, fmt.Errorf("acme: update-account requires SetTransactor + SetAuditService")
}
auditDetails := map[string]interface{}{
"account_id": accountID,
"contact_count": len(contact),
}
err := s.tx.WithinTx(ctx, func(q repository.Querier) error {
if err := s.repo.UpdateAccountContactWithTx(ctx, q, accountID, contact); err != nil {
return err
}
return s.auditService.RecordEventWithTx(
ctx, q,
fmt.Sprintf("acme:%s", accountID),
domain.ActorTypeUser,
"acme_account_updated",
"acme_account",
accountID,
auditDetails,
)
})
if err != nil {
s.metrics.bump(&s.metrics.UpdateAccountFailureTotal)
return nil, err
}
// Re-read the row so the response carries the persisted state.
acct, err := s.LookupAccount(ctx, accountID)
if err != nil {
s.metrics.bump(&s.metrics.UpdateAccountFailureTotal)
return nil, err
}
s.metrics.bump(&s.metrics.UpdateAccountTotal)
return acct, nil
}
// DeactivateAccount transitions the account from `valid` to
// `deactivated` (RFC 8555 §7.3.6). Subsequent JWS-authenticated
// requests using this account's kid are rejected by the verifier
// (status check at acme/jws.go).
func (s *ACMEService) DeactivateAccount(ctx context.Context, accountID string) (*domain.ACMEAccount, error) {
if s.tx == nil || s.auditService == nil {
s.metrics.bump(&s.metrics.UpdateAccountFailureTotal)
return nil, fmt.Errorf("acme: deactivate-account requires SetTransactor + SetAuditService")
}
auditDetails := map[string]interface{}{
"account_id": accountID,
"new_status": string(domain.ACMEAccountStatusDeactivated),
}
err := s.tx.WithinTx(ctx, func(q repository.Querier) error {
if err := s.repo.UpdateAccountStatusWithTx(ctx, q, accountID, domain.ACMEAccountStatusDeactivated); err != nil {
return err
}
return s.auditService.RecordEventWithTx(
ctx, q,
fmt.Sprintf("acme:%s", accountID),
domain.ActorTypeUser,
"acme_account_deactivated",
"acme_account",
accountID,
auditDetails,
)
})
if err != nil {
s.metrics.bump(&s.metrics.UpdateAccountFailureTotal)
return nil, err
}
acct, err := s.LookupAccount(ctx, accountID)
if err != nil {
s.metrics.bump(&s.metrics.UpdateAccountFailureTotal)
return nil, err
}
s.metrics.bump(&s.metrics.DeactivateAccountTotal)
return acct, nil
}
internal/service/acme_test.go
+304 -1
View File
@@ -5,10 +5,14 @@ package service
import (
"context"
"crypto/rand"
"crypto/rsa"
"errors"
"testing"
"time"
jose "github.com/go-jose/go-jose/v4"
"github.com/shankar0123/certctl/internal/config"
"github.com/shankar0123/certctl/internal/domain"
"github.com/shankar0123/certctl/internal/repository"
@@ -16,13 +20,23 @@ import (
// fakeACMERepo is an in-memory ACMERepo for tests. It tracks issued
// nonces in a map; Consume removes the entry to model one-shot use.
// Phase 1b extends with account state.
type fakeACMERepo struct {
issued map[string]time.Time // nonce → expires_at
issueErr error
// Phase 1b — account state.
accounts map[string]*domain.ACMEAccount // account_id → row
thumbToAccount map[string]string // (profile|thumbprint) → account_id
createAccountErr error
}
func newFakeACMERepo() *fakeACMERepo {
return &fakeACMERepo{issued: make(map[string]time.Time)}
return &fakeACMERepo{
issued: make(map[string]time.Time),
accounts: make(map[string]*domain.ACMEAccount),
thumbToAccount: make(map[string]string),
}
}
func (f *fakeACMERepo) IssueNonce(ctx context.Context, nonce string, ttl time.Duration) error {
@@ -45,6 +59,88 @@ func (f *fakeACMERepo) ConsumeNonce(ctx context.Context, nonce string) error {
return nil
}
func (f *fakeACMERepo) CreateAccountWithTx(ctx context.Context, q repository.Querier, acct *domain.ACMEAccount) error {
if f.createAccountErr != nil {
return f.createAccountErr
}
key := acct.ProfileID + "|" + acct.JWKThumbprint
if _, exists := f.thumbToAccount[key]; exists {
return errors.New("duplicate")
}
cp := *acct
cp.CreatedAt = time.Now()
cp.UpdatedAt = cp.CreatedAt
f.accounts[acct.AccountID] = &cp
f.thumbToAccount[key] = acct.AccountID
return nil
}
func (f *fakeACMERepo) GetAccountByID(ctx context.Context, accountID string) (*domain.ACMEAccount, error) {
acct, ok := f.accounts[accountID]
if !ok {
return nil, repository.ErrNotFound
}
cp := *acct
return &cp, nil
}
func (f *fakeACMERepo) GetAccountByThumbprint(ctx context.Context, profileID, thumbprint string) (*domain.ACMEAccount, error) {
id, ok := f.thumbToAccount[profileID+"|"+thumbprint]
if !ok {
return nil, repository.ErrNotFound
}
return f.GetAccountByID(ctx, id)
}
func (f *fakeACMERepo) UpdateAccountContactWithTx(ctx context.Context, q repository.Querier, accountID string, contact []string) error {
acct, ok := f.accounts[accountID]
if !ok {
return repository.ErrNotFound
}
acct.Contact = contact
acct.UpdatedAt = time.Now()
return nil
}
func (f *fakeACMERepo) UpdateAccountStatusWithTx(ctx context.Context, q repository.Querier, accountID string, status domain.ACMEAccountStatus) error {
acct, ok := f.accounts[accountID]
if !ok {
return repository.ErrNotFound
}
acct.Status = status
acct.UpdatedAt = time.Now()
return nil
}
// fakeTransactor is the repository.Transactor stand-in: runs fn
// against the supplied querier (we just pass nil — fakes ignore it).
// Mirrors how production transactor works without an actual DB.
type fakeTransactor struct{}
func (f *fakeTransactor) WithinTx(ctx context.Context, fn func(q repository.Querier) error) error {
return fn(nil)
}
// fakeAuditRepo records the audit events fakeAuditService emits so
// tests can assert on the audit row count + shape.
type fakeAuditRepo struct {
events []*domain.AuditEvent
}
func (f *fakeAuditRepo) Create(ctx context.Context, event *domain.AuditEvent) error {
return f.CreateWithTx(ctx, nil, event)
}
func (f *fakeAuditRepo) CreateWithTx(ctx context.Context, q repository.Querier, event *domain.AuditEvent) error {
cp := *event
f.events = append(f.events, &cp)
return nil
}
func (f *fakeAuditRepo) List(ctx context.Context, filter *repository.AuditFilter) ([]*domain.AuditEvent, error) {
return f.events, nil
}
// fakeProfileLookup is an in-memory profileLookup that returns the
// profile by ID. Unknown IDs return repository.ErrNotFound (the
// canonical sentinel ACMEService maps to ErrACMEProfileNotFound).
@@ -67,6 +163,20 @@ func newSvc(t *testing.T, cfg config.ACMEServerConfig, profiles map[string]*doma
return NewACMEService(repo, pl, cfg), repo
}
// newSvcWithAudit returns a service wired with the transactor + audit
// service required by the JWS-authenticated POST endpoints.
func newSvcWithAudit(t *testing.T, cfg config.ACMEServerConfig, profiles map[string]*domain.CertificateProfile) (*ACMEService, *fakeACMERepo, *fakeAuditRepo) {
t.Helper()
repo := newFakeACMERepo()
pl := &fakeProfileLookup{profiles: profiles}
auditRepo := &fakeAuditRepo{}
auditSvc := NewAuditService(auditRepo)
svc := NewACMEService(repo, pl, cfg)
svc.SetTransactor(&fakeTransactor{})
svc.SetAuditService(auditSvc)
return svc, repo, auditRepo
}
func TestBuildDirectory_HappyPath(t *testing.T) {
cfg := config.ACMEServerConfig{
NonceTTL: 5 * time.Minute,
@@ -168,6 +278,8 @@ func TestACMEMetrics_Snapshot(t *testing.T) {
m.DirectoryTotal.Store(7)
m.NewNonceTotal.Store(11)
m.NewNonceFailureTotal.Store(2)
m.NewAccountTotal.Store(3)
m.NewAccountIdempotentTotal.Store(1)
snap := m.Snapshot()
if snap["certctl_acme_directory_total"] != 7 {
t.Errorf("directory_total = %d", snap["certctl_acme_directory_total"])
@@ -178,4 +290,195 @@ func TestACMEMetrics_Snapshot(t *testing.T) {
if snap["certctl_acme_new_nonce_failures_total"] != 2 {
t.Errorf("new_nonce_failures_total = %d", snap["certctl_acme_new_nonce_failures_total"])
}
if snap["certctl_acme_new_account_total"] != 3 {
t.Errorf("new_account_total = %d", snap["certctl_acme_new_account_total"])
}
if snap["certctl_acme_new_account_idempotent_total"] != 1 {
t.Errorf("new_account_idempotent_total = %d", snap["certctl_acme_new_account_idempotent_total"])
}
}
// --- Phase 1b — account management -------------------------------------
func mustGenJWK(t *testing.T) *jose.JSONWebKey {
t.Helper()
k, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("rsa keygen: %v", err)
}
return &jose.JSONWebKey{Key: &k.PublicKey}
}
func TestNewAccount_HappyPath(t *testing.T) {
cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute}
svc, repo, auditRepo := newSvcWithAudit(t, cfg, map[string]*domain.CertificateProfile{
"prof-corp": {ID: "prof-corp", Name: "corp"},
})
jwk := mustGenJWK(t)
acct, isNew, err := svc.NewAccount(context.Background(), "prof-corp", jwk, []string{"mailto:a@example.com"}, false, true)
if err != nil {
t.Fatalf("NewAccount: %v", err)
}
if !isNew {
t.Errorf("isNew = false; want true")
}
if acct == nil || acct.AccountID == "" || acct.JWKThumbprint == "" {
t.Fatalf("account row is malformed: %+v", acct)
}
if got := svc.Metrics().NewAccountTotal.Load(); got != 1 {
t.Errorf("NewAccountTotal = %d, want 1", got)
}
if got := len(auditRepo.events); got != 1 {
t.Errorf("audit events = %d, want 1", got)
}
if got := auditRepo.events[0].Action; got != "acme_account_created" {
t.Errorf("audit action = %q", got)
}
if _, ok := repo.accounts[acct.AccountID]; !ok {
t.Errorf("account row not in repo")
}
}
func TestNewAccount_Idempotent_ExistingJWKReturnsExistingRow(t *testing.T) {
cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute}
svc, _, auditRepo := newSvcWithAudit(t, cfg, map[string]*domain.CertificateProfile{
"prof-corp": {ID: "prof-corp", Name: "corp"},
})
jwk := mustGenJWK(t)
first, _, err := svc.NewAccount(context.Background(), "prof-corp", jwk, []string{"mailto:a@example.com"}, false, true)
if err != nil {
t.Fatalf("first NewAccount: %v", err)
}
second, isNew, err := svc.NewAccount(context.Background(), "prof-corp", jwk, []string{"mailto:b@example.com"}, false, true)
if err != nil {
t.Fatalf("second NewAccount: %v", err)
}
if isNew {
t.Errorf("isNew = true on idempotent re-registration; want false")
}
if second.AccountID != first.AccountID {
t.Errorf("second account ID = %q; want first %q", second.AccountID, first.AccountID)
}
// Idempotent re-registration MUST NOT update contact / write a
// second audit row (RFC 8555 §7.3.1 says return the existing row
// unmodified).
if got := len(auditRepo.events); got != 1 {
t.Errorf("audit events = %d after idempotent call; want 1", got)
}
if got := svc.Metrics().NewAccountIdempotentTotal.Load(); got != 1 {
t.Errorf("NewAccountIdempotentTotal = %d, want 1", got)
}
}
func TestNewAccount_OnlyReturnExisting_NoMatch(t *testing.T) {
cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute}
svc, _, _ := newSvcWithAudit(t, cfg, map[string]*domain.CertificateProfile{
"prof-corp": {ID: "prof-corp", Name: "corp"},
})
jwk := mustGenJWK(t)
_, _, err := svc.NewAccount(context.Background(), "prof-corp", jwk, nil, true /*onlyReturnExisting*/, false)
if !errors.Is(err, ErrACMEAccountDoesNotExist) {
t.Errorf("err = %v; want ErrACMEAccountDoesNotExist", err)
}
}
func TestNewAccount_OnlyReturnExisting_Match(t *testing.T) {
cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute}
svc, _, _ := newSvcWithAudit(t, cfg, map[string]*domain.CertificateProfile{
"prof-corp": {ID: "prof-corp", Name: "corp"},
})
jwk := mustGenJWK(t)
first, _, err := svc.NewAccount(context.Background(), "prof-corp", jwk, nil, false, false)
if err != nil {
t.Fatalf("first: %v", err)
}
second, isNew, err := svc.NewAccount(context.Background(), "prof-corp", jwk, nil, true, false)
if err != nil {
t.Fatalf("second: %v", err)
}
if isNew {
t.Errorf("isNew = true; want false")
}
if second.AccountID != first.AccountID {
t.Errorf("ids differ")
}
}
func TestUpdateAccount_HappyPath(t *testing.T) {
cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute}
svc, _, auditRepo := newSvcWithAudit(t, cfg, map[string]*domain.CertificateProfile{
"prof-corp": {ID: "prof-corp", Name: "corp"},
})
jwk := mustGenJWK(t)
acct, _, err := svc.NewAccount(context.Background(), "prof-corp", jwk, []string{"mailto:old@example.com"}, false, false)
if err != nil {
t.Fatalf("seed: %v", err)
}
updated, err := svc.UpdateAccount(context.Background(), acct.AccountID, []string{"mailto:new@example.com"})
if err != nil {
t.Fatalf("UpdateAccount: %v", err)
}
if len(updated.Contact) != 1 || updated.Contact[0] != "mailto:new@example.com" {
t.Errorf("contact = %v", updated.Contact)
}
// Two audit rows: the create + the update.
if got := len(auditRepo.events); got != 2 {
t.Errorf("audit events = %d, want 2", got)
}
if got := auditRepo.events[1].Action; got != "acme_account_updated" {
t.Errorf("update audit action = %q", got)
}
}
func TestDeactivateAccount_HappyPath(t *testing.T) {
cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute}
svc, _, auditRepo := newSvcWithAudit(t, cfg, map[string]*domain.CertificateProfile{
"prof-corp": {ID: "prof-corp", Name: "corp"},
})
jwk := mustGenJWK(t)
acct, _, err := svc.NewAccount(context.Background(), "prof-corp", jwk, nil, false, false)
if err != nil {
t.Fatalf("seed: %v", err)
}
deactivated, err := svc.DeactivateAccount(context.Background(), acct.AccountID)
if err != nil {
t.Fatalf("DeactivateAccount: %v", err)
}
if deactivated.Status != domain.ACMEAccountStatusDeactivated {
t.Errorf("status = %q, want %q", deactivated.Status, domain.ACMEAccountStatusDeactivated)
}
if got := svc.Metrics().DeactivateAccountTotal.Load(); got != 1 {
t.Errorf("DeactivateAccountTotal = %d, want 1", got)
}
if got := auditRepo.events[len(auditRepo.events)-1].Action; got != "acme_account_deactivated" {
t.Errorf("last audit action = %q", got)
}
}
func TestLookupAccount_NotFound(t *testing.T) {
cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute}
svc, _ := newSvc(t, cfg, nil)
_, err := svc.LookupAccount(context.Background(), "acme-acc-missing")
if !errors.Is(err, ErrACMEAccountNotFound) {
t.Errorf("err = %v; want ErrACMEAccountNotFound", err)
}
}
func TestNewAccount_RequiresTransactor(t *testing.T) {
cfg := config.ACMEServerConfig{NonceTTL: 5 * time.Minute}
// Use newSvc (no transactor wired) — NewAccount should refuse.
svc, _ := newSvc(t, cfg, map[string]*domain.CertificateProfile{
"prof-corp": {ID: "prof-corp", Name: "corp"},
})
jwk := mustGenJWK(t)
_, _, err := svc.NewAccount(context.Background(), "prof-corp", jwk, nil, false, false)
if err == nil {
t.Fatal("expected error when transactor is unset")
}
}