Wire ACME extensions #1666
Wire ACME extensions #1666
Conversation
…o craft from client side
…_token. Also have a different mapping for id_token claims name
|
@maraino about the DB interface: I tried it before, but without changing a lot more, you'll end up with This would've been a nice solution that I think can work, but isn't allowed in Go (today, at least; ref): type DB interface {
// DB methods
}
type WireDB interface {
DB
// Wire methods
}
type NewDB interface {
DB | WireDB
}Alternatives would be:
It's not the cleanest solution, but implementers could always return some "not implemented" error. It's not as strong of a guarantee as having an interface, but it works. So, time for the build tag? |
…tes into wire-acme-extensions
…tes into wire-acme-extensions
| Name string `json:"preferred_username,omitempty"` | ||
| Handle string `json:"name"` | ||
| Issuer string `json:"iss,omitempty"` | ||
| GivenName string `json:"given_name,omitempty"` | ||
| KeyAuth string `json:"keyauth"` | ||
| ACMEAudience string `json:"acme_aud,omitempty"` |
There was a problem hiding this comment.
omitempty tags are not used on unmarshaling.
| orders, err := db.GetAllOrdersByAccountID(ctx, ch.AccountID) | ||
| if err != nil { | ||
| return WrapErrorISE(err, "could not retrieve current order by account id") | ||
| } | ||
| if len(orders) == 0 { | ||
| return NewErrorISE("there are not enough orders for this account for this custom OIDC challenge") | ||
| } | ||
|
|
||
| order := orders[len(orders)-1] | ||
| if err := db.CreateOidcToken(ctx, order, transformedIDToken); err != nil { | ||
| return WrapErrorISE(err, "failed storing OIDC id token") | ||
| } |
There was a problem hiding this comment.
Although we already discussed this, these methods are problematic. Without implementing them, we won't be able to upgrade the certificates' version.
We should split this into a different interface and return an error if the database doesn't implement it.
We can change this later, but not too late. This should not be hard to change as this method is probably called from Challenge.Validate
| } | ||
|
|
||
| order := orders[len(orders)-1] | ||
| if err := db.CreateDpopToken(ctx, order, map[string]any(*dpop)); err != nil { |
| type UserID struct { | ||
| Name string `json:"name,omitempty"` | ||
| Domain string `json:"domain,omitempty"` | ||
| Handle string `json:"handle,omitempty"` | ||
| } | ||
|
|
||
| type DeviceID struct { | ||
| Name string `json:"name,omitempty"` | ||
| Domain string `json:"domain,omitempty"` | ||
| ClientID string `json:"client-id,omitempty"` | ||
| Handle string `json:"handle,omitempty"` | ||
| } |
There was a problem hiding this comment.
It's weird having omitempty tags when most of those values are required later.
| @@ -6,6 +6,7 @@ require ( | |||
| cloud.google.com/go/longrunning v0.5.11 | |||
| cloud.google.com/go/security v1.17.4 | |||
| github.com/Masterminds/sprig/v3 v3.2.3 | |||
| github.com/coreos/go-oidc/v3 v3.4.0 | |||
There was a problem hiding this comment.
It is not the latest version, but I guess ok.
No description provided.