diff --git a/cmd/app/serve.go b/cmd/app/serve.go
index a67238572..0bdabd3ce 100644
--- a/cmd/app/serve.go
+++ b/cmd/app/serve.go
@@ -177,7 +177,7 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 var handler http.Handler
 {
- handler = api.New(ctClient)
+ handler = api.New(ctClient, baseca)
 // Inject dependencies
 withDependencies := func(inner http.Handler) http.Handler {
@@ -189,7 +189,6 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 // from disk, so that we don't need to cycle pods to pick up config updates.
 // Alternately we could take advantage of Knative's configmap watcher.
 ctx = config.With(ctx, cfg)
- ctx = api.WithCA(ctx, baseca)
 inner.ServeHTTP(rw, r.WithContext(ctx))
 })
diff --git a/pkg/api/api_test.go b/pkg/api/api_test.go
index 8ffaa66b8..24359202f 100644
--- a/pkg/api/api_test.go
+++ b/pkg/api/api_test.go
@@ -87,15 +87,12 @@ func TestAPI(t *testing.T) {
 }
 // Create a test HTTP server to host our API.
- h := New(ctl.New(ctlogServer.URL))
+ h := New(ctl.New(ctlogServer.URL), eca)
 server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
 // For each request, infuse context with our snapshot of the FulcioConfig.
 ctx = config.With(ctx, cfg)
- // Decorate the context with our CA for testing.
- ctx = WithCA(ctx, eca)
-
 h.ServeHTTP(rw, r.WithContext(ctx))
 }))
 t.Cleanup(server.Close)
diff --git a/pkg/api/ca.go b/pkg/api/ca.go
index a644f9e2e..c677a1770 100644
--- a/pkg/api/ca.go
+++ b/pkg/api/ca.go
@@ -55,16 +55,19 @@ const (
 type api struct {
 ct *ctl.Client
+ ca certauth.CertificateAuthority
+
 *http.ServeMux
 }
 // New creates a new http.Handler for serving the Fulcio API.
-func New(c *ctl.Client) http.Handler {
+func New(ct *ctl.Client, ca certauth.CertificateAuthority) http.Handler {
 var a api
 a.ServeMux = http.NewServeMux()
 a.HandleFunc(signingCertPath, a.signingCert)
 a.HandleFunc(rootCertPath, a.rootCert)
- a.ct = c
+ a.ct = ct
+ a.ca = ca
 return &a
 }
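Review bot: New accepts a nil ca without checking it, so a misconfigured caller now fails only on the first request, when the handlers in the later hunks call a.ca.CreateCertificate and a.ca.Root through a nil interface and panic; since the CA is fixed at construction, the check belongs here, e.g. `if ca == nil { panic("api.New: nil CertificateAuthority") }` before the struct is filled in, or a constructor that returns an error if the package prefers that. The doc comment on New still describes only the handler and should name the new parameter: `// New creates a new http.Handler for serving the Fulcio API, issuing certificates from ca; ca must be non-nil.` The new ca field in api has no comment either; `// ca issues the certificates served by signingCert and rootCert.` would do. The earlier hunks in cmd/app/serve.go and pkg/api/api_test.go only thread the same value through and need nothing further.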
@@ -153,14 +156,12 @@ func (a *api) signingCert(w http.ResponseWriter, req *http.Request) {
 return
 }
- ca := GetCA(ctx)
-
 var csc *certauth.CodeSigningCertificate
 var sctBytes []byte
 // TODO: prefer embedding SCT if possible
- if _, ok := ca.(certauth.EmbeddedSCTCA); !ok {
+ if _, ok := a.ca.(certauth.EmbeddedSCTCA); !ok {
 // currently configured CA doesn't support pre-certificate flow required to embed SCT in final certificate
- csc, err = ca.CreateCertificate(ctx, subject)
+ csc, err = a.ca.CreateCertificate(ctx, subject)
 if err != nil {
 // if the error was due to invalid input in the request, return HTTP 400
 if _, ok := err.(certauth.ValidationError); ok {
@@ -231,8 +232,7 @@ func (a *api) rootCert(w http.ResponseWriter, req *http.Request) {
 ctx := req.Context()
 logger := log.ContextLogger(ctx)
- ca := GetCA(ctx)
- root, err := ca.Root(ctx)
+ root, err := a.ca.Root(ctx)
 if err != nil {
 logger.Error("Error retrieving root cert: ", err)
 }
@@ -260,19 +260,3 @@ func ExtractSubject(ctx context.Context, tok *oidc.IDToken, publicKey crypto.Pub
 return nil, fmt.Errorf("unsupported issuer: %s", iss.Type)
 }
 }
-
- type caKey struct{}
-
- // WithCA associates the provided certificate authority with the provided context.
- func WithCA(ctx context.Context, ca certauth.CertificateAuthority) context.Context {
- return context.WithValue(ctx, caKey{}, ca)
- }
-
- // GetCA accesses the certificate authority associated with the provided context.
- func GetCA(ctx context.Context) certauth.CertificateAuthority {
- untyped := ctx.Value(caKey{})
- if untyped == nil {
- return nil
- }
- return untyped.(certauth.CertificateAuthority)
-}
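Review bot: In the rootCert hunk, `root, err := a.ca.Root(ctx)` is followed only by `logger.Error("Error retrieving root cert: ", err)` with no return, so on a CA error the handler continues with a zero-value root; unless a return sits just past the hunk (rootCert's body starts and ends outside it), the response should be aborted there, e.g. `http.Error(w, "error retrieving root cert", http.StatusInternalServerError)` followed by `return` inside the `if err != nil` block. The signingCert hunk above separates validation errors from server errors for exactly this purpose and is the pattern to match. The deletion of WithCA/GetCA in the last hunk is self-contained and needs nothing further.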