chore(deps): bump google.golang.org/api from 0.160.0 to 0.165.0 #294

20 changes: 10 additions & 10 deletions .github/workflows/docker.yml
Expand Up @@ -18,20 +18,20 @@ jobs:
contents: read
packages: write
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v3
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@v1
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v3
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
Expand All @@ -41,7 +41,7 @@ jobs:
type=ref,event=pr
type=raw,value={{branch}}-{{sha}}-{{date 'X'}},enable=${{ github.event_name != 'pull_request' }}
- name: Build and push
uses: docker/build-push-action@v2
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
Expand All @@ -59,20 +59,20 @@ jobs:
contents: read
packages: write
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v3
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@v1
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v3
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-agent
tags: |
Expand All @@ -82,7 +82,7 @@ jobs:
type=ref,event=pr
type=raw,value={{branch}}-{{sha}}-{{date 'X'}},enable=${{ github.event_name != 'pull_request' }}
- name: Build and push
uses: docker/build-push-action@v2
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
10 changes: 5 additions & 5 deletions acme/api/eab.go
Expand Up @@ -57,21 +57,21 @@ func validateExternalAccountBinding(ctx context.Context, nar *NewAccountRequest)
if errors.As(err, &ae) {
return nil, acme.WrapError(acme.ErrorUnauthorizedType, err, "the field 'kid' references an unknown key")
}
return nil, acme.WrapErrorISE(err, "error retrieving external account key")
return nil, acme.NewError(acme.ErrorEabDoesNotExistType, "error retrieving external account key")
}

if externalAccountKey == nil {
return nil, acme.NewError(acme.ErrorUnauthorizedType, "the field 'kid' references an unknown key")
}

if len(externalAccountKey.HmacKey) == 0 {
return nil, acme.NewError(acme.ErrorServerInternalType, "external account binding key with id '%s' does not have secret bytes", keyID)
}

if externalAccountKey.AlreadyBound() {
return nil, acme.NewError(acme.ErrorUnauthorizedType, "external account binding key with id '%s' was already bound to account '%s' on %s", keyID, externalAccountKey.AccountID, externalAccountKey.BoundAt)
}

if len(externalAccountKey.HmacKey) == 0 {
return nil, acme.NewError(acme.ErrorEabAlreadyUsedType, "external account binding key with id '%s' does not have secret bytes", keyID)
}

payload, err := eabJWS.Verify(externalAccountKey.HmacKey)
if err != nil {
return nil, acme.WrapErrorISE(err, "error verifying externalAccountBinding signature")
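Review bot: The two error types swapped in here misclassify server-side conditions as client errors. The `return nil, acme.NewError(acme.ErrorEabDoesNotExistType, "error retrieving external account key")` line runs only after the `errors.As(err, &ae)` branch has already handled the not-found case, so every other lookup failure (store outage, timeout) is now reported as a missing key with a 400 and the underlying `err` is dropped; and the relocated `len(externalAccountKey.HmacKey) == 0` check, which describes a key provisioned on the CA side without secret bytes, now returns `ErrorEabAlreadyUsedType`, whose mapped details text tells the client the binding was already used. The `AlreadyBound()` branch just above it, which is the condition the new type actually names, still returns `ErrorUnauthorizedType`. I would keep `acme.WrapErrorISE(err, "error retrieving external account key")` and `ErrorServerInternalType` where they were and move the new type to the already-bound branch: `return nil, acme.NewError(acme.ErrorEabAlreadyUsedType, "external account binding key with id '%s' was already bound to account '%s' on %s", keyID, externalAccountKey.AccountID, externalAccountKey.BoundAt)`; the updated expectations in acme/api/eab_test.go encode the same mapping and would move with it. validateExternalAccountBinding starts and ends outside the hunk.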
8 changes: 4 additions & 4 deletions acme/api/eab_test.go
Expand Up @@ -312,7 +312,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ExternalAccountBinding: eab,
},
eak: nil,
err: acme.NewErrorISE("error retrieving external account key"),
err: acme.NewError(acme.ErrorEabDoesNotExistType, "error retrieving external account key"),
}
},
"fail/db.GetExternalAccountKey-not-found": func(t *testing.T) test {
Expand Down Expand Up @@ -361,7 +361,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ExternalAccountBinding: eab,
},
eak: nil,
err: acme.NewErrorISE("error retrieving external account key"),
err: acme.NewError(acme.ErrorEabDoesNotExistType, "error retrieving external account key"),
}
},
"fail/db.GetExternalAccountKey-error": func(t *testing.T) test {
Expand Down Expand Up @@ -410,7 +410,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ExternalAccountBinding: eab,
},
eak: nil,
err: acme.NewErrorISE("error retrieving external account key"),
err: acme.NewError(acme.ErrorEabDoesNotExistType, "error retrieving external account key"),
}
},
"fail/db.GetExternalAccountKey-nil": func(t *testing.T) test {
Expand Down Expand Up @@ -516,7 +516,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
ExternalAccountBinding: eab,
},
eak: nil,
err: acme.NewError(acme.ErrorServerInternalType, "external account binding key with id 'eakID' does not have secret bytes"),
err: acme.NewError(acme.ErrorEabAlreadyUsedType, "external account binding key with id 'eakID' does not have secret bytes"),
}
},
"fail/db.GetExternalAccountKey-wrong-provisioner": func(t *testing.T) test {
2 changes: 1 addition & 1 deletion acme/api/order.go
Expand Up @@ -137,7 +137,7 @@ func NewOrder(w http.ResponseWriter, r *http.Request) {
var eak *acme.ExternalAccountKey
if acmeProv.RequireEAB {
if eak, err = db.GetExternalAccountKeyByAccountID(ctx, prov.GetID(), acc.ID); err != nil {
render.Error(w, acme.WrapErrorISE(err, "error retrieving external account binding key"))
render.Error(w, acme.NewError(acme.ErrorEabAccountBindingDoesNotExistType, "error retrieving external account binding key"))
return
}
}
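Review bot: The new `render.Error` call discards `err`: any failure of `GetExternalAccountKeyByAccountID` is replaced by a fixed 400 `ErrorEabAccountBindingDoesNotExistType` whose mapped details say the binding seems to be deleted, so a store outage or timeout is presented to the ACME client as a missing binding and the cause is logged nowhere. acme/api/eab.go already separates the two cases with `errors.As(err, &ae)` before falling back to an internal error, and the same shape fits here; in the not-found branch `render.Error(w, acme.WrapError(acme.ErrorEabAccountBindingDoesNotExistType, err, "error retrieving external account binding key"))` keeps the cause attached, while other errors keep the `WrapErrorISE` path. The changed expectation in acme/api/order_test.go (status 400 for a mock returning `errors.New("force")`) pins the conflated behaviour and would change with it. NewOrder starts and ends outside the hunk.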
7 changes: 4 additions & 3 deletions acme/api/order_test.go
Expand Up @@ -7,7 +7,6 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
"github.com/smallstep/certificates/cas/sectigocas/eab"
"io"
"net/http"
"net/http/httptest"
Expand All @@ -16,6 +15,8 @@ import (
"testing"
"time"

"github.com/smallstep/certificates/cas/sectigocas/eab"

"github.com/go-chi/chi/v5"
"github.com/pkg/errors"

Expand Down Expand Up @@ -936,7 +937,7 @@ func TestHandler_NewOrder(t *testing.T) {
ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: b})
return test{
ctx: ctx,
statusCode: 500,
statusCode: 400,
ca: &mockCA{},
db: &acme.MockDB{
MockGetExternalAccountKeyByAccountID: func(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
Expand All @@ -945,7 +946,7 @@ func TestHandler_NewOrder(t *testing.T) {
return nil, errors.New("force")
},
},
err: acme.NewErrorISE("error retrieving external account binding key: force"),
err: acme.NewError(acme.ErrorEabAccountBindingDoesNotExistType, "The used external account binding seems to be deleted"),
}
},
"fail/newACMEPolicyEngine-error": func(t *testing.T) test {
16 changes: 13 additions & 3 deletions acme/challenge.go
Expand Up @@ -131,14 +131,16 @@
}
data, err := json.Marshal(req)
if err != nil {
logrus.Warn(err)
return
}
if token := mqtt.GetClient().Publish(fmt.Sprintf("%s/jobs", mqtt.GetOrganization()), 1, false, data); token.Wait() && token.Error() != nil {
logrus.Warn(token.Error())
}
logrus.Info("published validation request")
}()
vc := MustClientFromContext(ctx)
resp, errHttp := vc.Get(u.String())

Check warning on line 143 in acme/challenge.go

var-naming: var errHttp should be errHTTP (revive)
// get challenge again and check if it was already validated
chDb, errDb := db.GetChallenge(ctx, ch.ID, ch.AuthorizationID)
if errDb == nil {
Expand Down Expand Up @@ -179,9 +181,17 @@
ch.Status = StatusValid
ch.Error = nil
ch.ValidatedAt = clock.Now().Format(time.RFC3339)

if err = db.UpdateChallenge(ctx, ch); err != nil {
return WrapErrorISE(err, "error updating challenge")
for {
if err = db.UpdateChallenge(ctx, ch); err != nil {
if strings.Contains(err.Error(), "changed since last read") {
// If the challenge has changed since we read it, then we
// don't want to overwrite the error.
logrus.Warn("challenge changed since last read -> retry saving")
continue
}
return WrapErrorISE(err, "error updating challenge")
}
break
}
return nil
}
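Review bot: The retry loop added around `db.UpdateChallenge` re-issues the identical write with the same `ch` on every iteration: if "changed since last read" signals an optimistic-concurrency conflict, the stored record is never re-read, so the loop cannot make progress and spins with no attempt bound, no backoff and no `ctx.Done()` check, emitting a warning per iteration. The comment says the intent is not to overwrite newer state, but the code does not inspect that state either way. Matching on `err.Error()` text is also brittle; if the store exposes a sentinel error, `errors.Is` would be safer, though I cannot see its API from here. The same loop is duplicated in acme/mqtt/client.go and has the same problem. A bounded retry that re-reads the challenge and re-checks its status is sketched below (assuming `ch` is reassignable and `db.GetChallenge` takes the arguments used earlier in this function); the enclosing function starts outside the hunk.
```go
ch.Status = StatusValid
ch.Error = nil
ch.ValidatedAt = clock.Now().Format(time.RFC3339)
// Bounded so a persistent conflict cannot spin this request forever.
const maxUpdateAttempts = 5 // constructed value; tune for the store's contention
for attempt := 1; ; attempt++ {
	if err = db.UpdateChallenge(ctx, ch); err == nil {
		return nil
	}
	if !strings.Contains(err.Error(), "changed since last read") || attempt >= maxUpdateAttempts {
		return WrapErrorISE(err, "error updating challenge")
	}
	if ctx.Err() != nil {
		return WrapErrorISE(ctx.Err(), "error updating challenge")
	}
	// The stored challenge moved under us: re-read it so the retry is not a
	// replay of the stale copy, and leave it alone if it has since left the
	// pending/valid states (e.g. another path already recorded an error).
	logrus.Warnf("challenge %s changed since last read, re-reading (attempt %d)", ch.ID, attempt)
	fresh, rerr := db.GetChallenge(ctx, ch.ID, ch.AuthorizationID)
	if rerr != nil {
		return WrapErrorISE(rerr, "error re-reading challenge")
	}
	if fresh.Status != StatusPending && fresh.Status != StatusValid {
		return nil
	}
	fresh.Status = StatusValid
	fresh.Error = nil
	fresh.ValidatedAt = ch.ValidatedAt
	ch = fresh
}
```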
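--- a/acme/errors.go
+++ b/acme/errors.go
@@ -65,6 +65,12 @@ const (
 ErrorUserActionRequiredType
 // ErrorNotImplementedType operation is not implemented
 ErrorNotImplementedType
+// ErrorEabAlreadyUsedType the external account binding has already been used
+ErrorEabAlreadyUsedType
+// ErrorEabDoesNotExistType the external account binding does not exist
+ErrorEabDoesNotExistType
+// ErrorEabAccountBindingDoesNotExistType the external account binding does not exist
+ErrorEabAccountBindingDoesNotExistType
 )
 
 // String returns the string representation of the acme problem type,
@@ -121,6 +127,12 @@ func (ap ProblemType) String() string {
 return "userActionRequired"
 case ErrorNotImplementedType:
 return "notImplemented"
+case ErrorEabAlreadyUsedType:
+return "eabAlreadyUsed"
+case ErrorEabDoesNotExistType:
+return "eabDoesNotExist"
+case ErrorEabAccountBindingDoesNotExistType:
+return "eabAccountBindingDoesNotExist"
 default:
 return fmt.Sprintf("unsupported type ACME error type '%d'", int(ap))
 }
@@ -141,6 +153,21 @@ var (
 status: 500,
 }
 errorMap = map[ProblemType]errorMetadata{
+ErrorEabAlreadyUsedType: {
+typ: officialACMEPrefix + ErrorExternalAccountRequiredType.String(),
+details: "The external account binding has already been used",
+status: 400,
+},
+ErrorEabDoesNotExistType: {
+typ: officialACMEPrefix + ErrorExternalAccountRequiredType.String(),
+details: "The used external account binding key id does not exist",
+status: 400,
+},
+ErrorEabAccountBindingDoesNotExistType: {
+typ: officialACMEPrefix + ErrorExternalAccountRequiredType.String(),
+details: "The used external account binding seems to be deleted",
+status: 400,
+},
 ErrorAccountDoesNotExistType: {
 typ: officialACMEPrefix + ErrorAccountDoesNotExistType.String(),
 details: "Account does not exist",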
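Review bot: All three new `errorMap` entries set `typ` to `officialACMEPrefix + ErrorExternalAccountRequiredType.String()`, so a client presumably receives the RFC 8555 `externalAccountRequired` problem type for "already used", "key id does not exist" and "binding deleted" alike, and the new `String()` values (`eabAlreadyUsed` and friends) are never what goes on the wire; the sibling `ErrorAccountDoesNotExistType` entry below uses its own `String()`. If the intent is to stay within the RFC's registered types, `unauthorized` (already used by `ErrorUnauthorizedType` for the same conditions in acme/api/eab.go) is the closer fit; if custom types are acceptable, each entry should use its own constant's `String()` as the existing entries do. The doc comment on `ErrorEabAccountBindingDoesNotExistType` repeats the one on `ErrorEabDoesNotExistType` verbatim; from the `details` texts the distinction appears to be key id not found versus the account's binding record missing, so something like `// ErrorEabAccountBindingDoesNotExistType the account's external account binding record no longer exists` would tell them apart. Appending the constants at the end of the iota block keeps the existing `ProblemType` values stable, which is the right place for them.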
106 changes: 57 additions & 49 deletions acme/mqtt/client.go
Expand Up @@ -5,6 +5,7 @@
"encoding/json"
"fmt"
"net/url"
"strings"
"time"

mqtt "github.com/eclipse/paho.mqtt.golang"
Expand Down Expand Up @@ -33,8 +34,63 @@
opts.OnConnectionLost = func(cl mqtt.Client, err error) {
logrus.Println("mqtt connection lost")
}
opts.OnConnect = func(mqtt.Client) {
opts.OnConnect = func(cl mqtt.Client) {
logrus.Println("mqtt connection established")
go func() {
cl.Subscribe(fmt.Sprintf("%s/data", organization), 1, func(client mqtt.Client, msg mqtt.Message) {
logrus.Printf("Received message on topic: %s\nMessage: %s\n", msg.Topic(), msg.Payload())
ctx := context.Background()
data := msg.Payload()
var payload validation.ValidationResponse
err := json.Unmarshal(data, &payload)
if err != nil {
logrus.Errorf("error unmarshalling payload: %v", err)
return
}

ch, err := acmeDB.GetChallenge(ctx, payload.Challenge, payload.Authz)
if err != nil {
logrus.Errorf("error getting challenge: %v", err)
return
}

acc, err := acmeDB.GetAccount(ctx, ch.AccountID)
if err != nil {
logrus.Errorf("error getting account: %v", err)
return
}
expected, err := acme.KeyAuthorization(ch.Token, acc.Key)

if payload.Content != expected || err != nil {
logrus.Errorf("invalid key authorization: %v", err)
return
}
u := &url.URL{Scheme: "http", Host: ch.Value, Path: fmt.Sprintf("/.well-known/acme-challenge/%s", ch.Token)}
logrus.Infof("challenge %s validated using mqtt", u.String())

if ch.Status != acme.StatusPending && ch.Status != acme.StatusValid {
return
}

ch.Status = acme.StatusValid
ch.Error = nil
ch.ValidatedAt = clock.Now().Format(time.RFC3339)
for {
if err = acmeDB.UpdateChallenge(ctx, ch); err != nil {
if strings.Contains(err.Error(), "changed since last read") {
// If the challenge has changed since we read it, then we
// don't want to overwrite the error.
logrus.Warn("challenge changed since last read -> retry saving")
continue
}
logrus.Errorf("error updating challenge: %v", err)
}
logrus.Infof("challenge %s updated to valid", u.String())
break
}

Check failure on line 91 in acme/mqtt/client.go

unnecessary trailing newline (whitespace)
})
}()
}
opts.OnReconnecting = func(mqtt.Client, *mqtt.ClientOptions) {
logrus.Println("mqtt attempting to reconnect")
Expand All @@ -47,54 +103,6 @@
return nil, token.Error()
}

go func() {
client.Subscribe(fmt.Sprintf("%s/data", organization), 1, func(client mqtt.Client, msg mqtt.Message) {
logrus.Printf("Received message on topic: %s\nMessage: %s\n", msg.Topic(), msg.Payload())
ctx := context.Background()
data := msg.Payload()
var payload validation.ValidationResponse
err := json.Unmarshal(data, &payload)
if err != nil {
logrus.Errorf("error unmarshalling payload: %v", err)
return
}

ch, err := acmeDB.GetChallenge(ctx, payload.Challenge, payload.Authz)
if err != nil {
logrus.Errorf("error getting challenge: %v", err)
return
}

acc, err := acmeDB.GetAccount(ctx, ch.AccountID)
if err != nil {
logrus.Errorf("error getting account: %v", err)
return
}
expected, err := acme.KeyAuthorization(ch.Token, acc.Key)

if payload.Content != expected || err != nil {
logrus.Errorf("invalid key authorization: %v", err)
return
}
u := &url.URL{Scheme: "http", Host: ch.Value, Path: fmt.Sprintf("/.well-known/acme-challenge/%s", ch.Token)}
logrus.Infof("challenge %s validated using mqtt", u.String())

if ch.Status != acme.StatusPending && ch.Status != acme.StatusValid {
return
}

ch.Status = acme.StatusValid
ch.Error = nil
ch.ValidatedAt = clock.Now().Format(time.RFC3339)

if err = acmeDB.UpdateChallenge(ctx, ch); err != nil {
logrus.Errorf("error updating challenge: %v", err)
} else {
logrus.Infof("challenge %s updated to valid", u.String())
}

})
}()
connection := validation.BrokerConnection{Client: client, Organization: organization}
return connection, nil
}
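Review bot: In the new `OnConnect` handler the token returned by `cl.Subscribe(...)` is discarded, so a rejected or failed subscription (broker ACL, disconnect mid-subscribe) leaves the process silently never receiving validation results, and since this now runs on every reconnect the failure can recur without trace; the publish in acme/challenge.go already uses the `token.Wait() && token.Error() != nil` pattern, so the same check belongs here, e.g. `token := cl.Subscribe(…)` followed by `if token.Wait() && token.Error() != nil { logrus.Errorf("mqtt subscribe: %v", token.Error()) }`. Inside the callback the update loop logs `"challenge %s updated to valid"` and breaks even when `UpdateChallenge` returned a non-conflict error, so a failed write is logged as success; the `Infof` should follow a successful update only, and the conflict loop has the same unbounded-replay problem raised on acme/challenge.go. This callback is also the point where a broker message marks a challenge valid: the `KeyAuthorization` comparison shows the sender knows the token and the account's public key, not that a validation actually took place, so the deployment presumably relies on broker authentication and topic ACLs restricting who may publish to `<organization>/data`, and that assumption deserves a comment at the `Subscribe` call. The handler is complete within the hunk; the enclosing constructor starts outside it.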