New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wire ACME extensions #1666
base: master
Are you sure you want to change the base?
Wire ACME extensions #1666
Conversation
…o craft from client side
…_token. Also have a different mapping for id_token claims name
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good, but I added a few comments about:
- One related to error messages
- Using
net/url
instead of kms/uri - Split the db interface on two
I think it would be nice to fix 2 and 3 soon.
acme/challenge.go
Outdated
if accessToken.Cnf.Kid == "" || accessToken.Cnf.Kid != v.dpopKeyID { | ||
return nil, nil, fmt.Errorf("expected kid %q; got %q", v.dpopKeyID, accessToken.Cnf.Kid) | ||
} | ||
if accessToken.ClientID != v.wireID.ClientID { | ||
return nil, nil, fmt.Errorf("invalid Wire client ID %q", accessToken.ClientID) | ||
} | ||
if accessToken.Expiry.Time().After(v.t.Add(time.Hour)) { | ||
return nil, nil, fmt.Errorf("'exp' %s is too far into the future", accessToken.Expiry.Time().String()) | ||
} | ||
if accessToken.Scope != "wire_client_id" { | ||
return nil, nil, fmt.Errorf("invalid Wire scope %q", accessToken.Scope) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice if the errors will follow the same format, all this a things in the token, and you have things like 'exp'
, kid
, Wire scope
acme/challenge.go
Outdated
if wireDpop.HTU == "" || wireDpop.HTU != v.issuer { // DPoP doesn't contains "iss" claim, but has it in the "htu" claim | ||
return nil, nil, fmt.Errorf("DPoP contains invalid issuer (htu) %q", wireDpop.HTU) | ||
} | ||
if wireDpop.Expiry.Time().After(v.t.Add(time.Hour)) { | ||
return nil, nil, fmt.Errorf("'exp' %s is too far into the future", wireDpop.Expiry.Time().String()) | ||
} | ||
if wireDpop.Subject != v.wireID.ClientID { | ||
return nil, nil, fmt.Errorf("DPoP contains invalid Wire client ID %q", wireDpop.ClientID) | ||
} | ||
if wireDpop.Nonce == "" || wireDpop.Nonce != accessToken.Nonce { | ||
return nil, nil, fmt.Errorf("DPoP contains invalid nonce %q", wireDpop.Nonce) | ||
} | ||
if wireDpop.Challenge == "" || wireDpop.Challenge != accessToken.Challenge { | ||
return nil, nil, fmt.Errorf("DPoP contains invalid challenge %q", wireDpop.Challenge) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same thing here, (htu
, 'exp'
, ...). One option can be Dpop contains invalid xxx ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And similar errors later.
CreateDpopToken(ctx context.Context, orderID string, dpop map[string]interface{}) error | ||
GetDpopToken(ctx context.Context, orderID string) (map[string]interface{}, error) | ||
CreateOidcToken(ctx context.Context, orderID string, idToken map[string]interface{}) error | ||
GetOidcToken(ctx context.Context, orderID string) (map[string]interface{}, error) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It can be in a TODO, but it should be fixed fast. We don't want different implementations of this DB to implement these methods unless is necessary. One simple solution would be something like:
type WireDB. interface{
DB
GetAllOrdersByAccountID(ctx context.Context, accountID string) ([]string, error)
// ...
}
@maraino about the DB interface: I tried it before, but without changing a lot more, you'll end up with This would've been a nice solution that I think can work, but isn't allowed in Go (today, at least; ref): type DB interface {
// DB methods
}
type WireDB interface {
DB
// Wire methods
}
type NewDB interface {
DB | WireDB
} Alternatives would be:
It's not the cleanest solution, but implementers could always return some "not implemented" error. It's not as strong of a guarantee as having an interface, but it works. So, time for the build tag? |
…tes into wire-acme-extensions
…tes into wire-acme-extensions
No description provided.