Refactor the Wire option configuration

2026-01-27 10:18:34 +00:00 · 2024-01-11 15:08:44 +01:00
parent b6fc0005d5
commit 6ef64b6ed6
6 changed files with 34 additions and 26 deletions
--- a/acme/api/order.go
+++ b/acme/api/order.go
@@ -283,7 +283,7 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 				return acme.WrapError(acme.ErrorMalformedType, err, "failed parsing ClientID")
 			}

-			var targetProvider interface{ GetTarget(string) (string, error) }
+			var targetProvider interface{ EvaluateTarget(string) (string, error) }
 			switch typ {
 			case acme.WIREOIDC01:
 				targetProvider = prov.GetOptions().GetWireOptions().GetOIDCOptions()
@@ -293,7 +293,7 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 				return acme.NewError(acme.ErrorMalformedType, "unsupported type %q", typ)
 			}

-			target, err = targetProvider.GetTarget(clientID.DeviceID)
+			target, err = targetProvider.EvaluateTarget(clientID.DeviceID)
 			if err != nil {
 				return acme.WrapError(acme.ErrorMalformedType, err, "invalid Go template registered for 'target'")
 			}
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@@ -1719,7 +1719,7 @@ func TestHandler_NewOrder(t *testing.T) {
 			acmeWireProv := newWireProvisionerWithOptions(t, &provisioner.Options{
 				Wire: &wire.Options{
 					OIDC: &wire.OIDCOptions{
-						Provider: wire.ProviderJSON{
+						Provider: &wire.Provider{
 							IssuerURL:   "",
 							AuthURL:     "",
 							TokenURL:    "",
@@ -1727,7 +1727,7 @@ func TestHandler_NewOrder(t *testing.T) {
 							UserInfoURL: "",
 							Algorithms:  []string{},
 						},
-						Config: wire.ConfigJSON{
+						Config: &wire.Config{
 							ClientID:                   "integration test",
 							SupportedSigningAlgs:       []string{},
 							SkipClientIDCheck:          true,
--- a/acme/api/wire_integration_test.go
+++ b/acme/api/wire_integration_test.go
@@ -54,7 +54,7 @@ func TestWireIntegration(t *testing.T) {
 	prov := newWireProvisionerWithOptions(t, &provisioner.Options{
 		Wire: &wire.Options{
 			OIDC: &wire.OIDCOptions{
-				Provider: wire.ProviderJSON{
+				Provider: &wire.Provider{
 					IssuerURL:   "",
 					AuthURL:     "",
 					TokenURL:    "",
@@ -62,7 +62,7 @@ func TestWireIntegration(t *testing.T) {
 					UserInfoURL: "",
 					Algorithms:  []string{},
 				},
-				Config: wire.ConfigJSON{
+				Config: &wire.Config{
 					ClientID:                   "integration test",
 					SupportedSigningAlgs:       []string{},
 					SkipClientIDCheck:          true,
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -476,7 +476,7 @@ func wireDPOP01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO

 	dpopOptions := prov.GetOptions().GetWireOptions().GetDPOPOptions()

-	issuer, err := dpopOptions.GetTarget(clientID.DeviceID)
+	issuer, err := dpopOptions.EvaluateTarget(clientID.DeviceID)
 	if err != nil {
 		return WrapErrorISE(err, "invalid Go template registered for 'target'")
 	}
--- a/authority/provisioner/wire/dpop_options.go
+++ b/authority/provisioner/wire/dpop_options.go
@@ -8,10 +8,10 @@ import (
 )

 type DPOPOptions struct {
-	// Backend signing key for DPoP access token
+	// Public part of the  signing key for DPoP access token
 	SigningKey string `json:"key"`
 	// URI template acme client must call to fetch the DPoP challenge proof (an access token from wire-server)
-	DpopTarget string `json:"dpop-target"`
+	Target string `json:"target"`
 }

 func (o *DPOPOptions) GetSigningKey() string {
@@ -21,18 +21,18 @@ func (o *DPOPOptions) GetSigningKey() string {
 	return o.SigningKey
 }

-func (o *DPOPOptions) GetDPOPTarget() string {
+func (o *DPOPOptions) GetTarget() string {
 	if o == nil {
 		return ""
 	}
-	return o.DpopTarget
+	return o.Target
 }

-func (o *DPOPOptions) GetTarget(deviceID string) (string, error) {
+func (o *DPOPOptions) EvaluateTarget(deviceID string) (string, error) {
 	if o == nil {
 		return "", errors.New("misconfigured target template configuration")
 	}
-	targetTemplate := o.GetDPOPTarget()
+	targetTemplate := o.GetTarget()
 	tmpl, err := template.New("DeviceId").Parse(targetTemplate)
 	if err != nil {
 		return "", fmt.Errorf("failed parsing dpop template: %w", err)
--- a/authority/provisioner/wire/oidc_options.go
+++ b/authority/provisioner/wire/oidc_options.go
@@ -12,7 +12,7 @@ import (
 	"github.com/coreos/go-oidc/v3/oidc"
 )

-type ProviderJSON struct {
+type Provider struct {
 	IssuerURL   string   `json:"issuer,omitempty"`
 	AuthURL     string   `json:"authorization_endpoint,omitempty"`
 	TokenURL    string   `json:"token_endpoint,omitempty"`
@@ -21,9 +21,9 @@ type ProviderJSON struct {
 	Algorithms  []string `json:"id_token_signing_alg_values_supported,omitempty"`
 }

-type ConfigJSON struct {
-	ClientID                   string           `json:"client-id,omitempty"`
-	SupportedSigningAlgs       []string         `json:"support-signing-algs,omitempty"`
+type Config struct {
+	ClientID                   string           `json:"client_id,omitempty"`
+	SupportedSigningAlgs       []string         `json:"supported_signing_algs,omitempty"`
 	SkipClientIDCheck          bool             `json:"-"`
 	SkipExpiryCheck            bool             `json:"-"`
 	SkipIssuerCheck            bool             `json:"-"`
@@ -32,26 +32,34 @@ type ConfigJSON struct {
 }

 type OIDCOptions struct {
-	Provider ProviderJSON `json:"provider,omitempty"`
-	Config   ConfigJSON   `json:"config,omitempty"`
+	Provider *Provider `json:"provider,omitempty"`
+	Config   *Config   `json:"config,omitempty"`
 }

 func (o *OIDCOptions) GetProvider(ctx context.Context) *oidc.Provider {
-	if o == nil {
+	if o == nil || o.Provider == nil {
 		return nil
 	}
-	return toProviderConfig(o.Provider).NewProvider(ctx)
+	return toOIDCProviderConfig(o.Provider).NewProvider(ctx)
 }

 func (o *OIDCOptions) GetConfig() *oidc.Config {
-	if o == nil {
+	if o == nil || o.Config == nil {
 		return &oidc.Config{}
 	}
-	config := oidc.Config(o.Config)
-	return &config
+
+	return &oidc.Config{
+		ClientID:                   o.Config.ClientID,
+		SupportedSigningAlgs:       o.Config.SupportedSigningAlgs,
+		SkipClientIDCheck:          o.Config.SkipClientIDCheck,
+		SkipExpiryCheck:            o.Config.SkipExpiryCheck,
+		SkipIssuerCheck:            o.Config.SkipIssuerCheck,
+		Now:                        o.Config.Now,
+		InsecureSkipSignatureCheck: o.Config.InsecureSkipSignatureCheck,
+	}
 }

-func (o *OIDCOptions) GetTarget(deviceID string) (string, error) {
+func (o *OIDCOptions) EvaluateTarget(deviceID string) (string, error) {
 	if o == nil {
 		return "", errors.New("misconfigured target template configuration")
 	}
@@ -67,7 +75,7 @@ func (o *OIDCOptions) GetTarget(deviceID string) (string, error) {
 	return buf.String(), nil
 }

-func toProviderConfig(in ProviderJSON) *oidc.ProviderConfig {
+func toOIDCProviderConfig(in *Provider) *oidc.ProviderConfig {
 	issuerURL, err := url.Parse(in.IssuerURL)
 	if err != nil {
 		panic(err) // config error, it's ok to panic here