Make CA explicit dependency of API handler (#354)

Signed-off-by: Nathan Smith <nathan@nfsmith.ca>
sigstore · Jan 28, 2022 · 4d0f539 · 4d0f539
1 parent a165f5c
commit 4d0f539
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 30 deletions.
diff --git a/cmd/app/serve.go b/cmd/app/serve.go
@@ -178,7 +178,7 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 
 	var handler http.Handler
 	{
-		handler = api.New(ctClient)
+		handler = api.New(ctClient, baseca)
 
 		// Inject dependencies
 		withDependencies := func(inner http.Handler) http.Handler {
@@ -190,7 +190,6 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 				// from disk, so that we don't need to cycle pods to pick up config updates.
 				// Alternately we could take advantage of Knative's configmap watcher.
 				ctx = config.With(ctx, cfg)
-				ctx = api.WithCA(ctx, baseca)
 
 				inner.ServeHTTP(rw, r.WithContext(ctx))
 			})

diff --git a/pkg/api/api_test.go b/pkg/api/api_test.go
@@ -87,15 +87,12 @@ func TestAPI(t *testing.T) {
 	}
 
 	// Create a test HTTP server to host our API.
-	h := New(ctl.New(ctlogServer.URL))
+	h := New(ctl.New(ctlogServer.URL), eca)
 	server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		// For each request, infuse context with our snapshot of the FulcioConfig.
 		ctx = config.With(ctx, cfg)
 
-		// Decorate the context with our CA for testing.
-		ctx = WithCA(ctx, eca)
-
 		h.ServeHTTP(rw, r.WithContext(ctx))
 	}))
 	t.Cleanup(server.Close)

diff --git a/pkg/api/ca.go b/pkg/api/ca.go
@@ -55,16 +55,19 @@ const (
 
 type api struct {
 	ct *ctl.Client
+	ca certauth.CertificateAuthority
+
 	*http.ServeMux
 }
 
 // New creates a new http.Handler for serving the Fulcio API.
-func New(c *ctl.Client) http.Handler {
+func New(ct *ctl.Client, ca certauth.CertificateAuthority) http.Handler {
 	var a api
 	a.ServeMux = http.NewServeMux()
 	a.HandleFunc(signingCertPath, a.signingCert)
 	a.HandleFunc(rootCertPath, a.rootCert)
-	a.ct = c
+	a.ct = ct
+	a.ca = ca
 	return &a
 }
 
@@ -153,14 +156,12 @@ func (a *api) signingCert(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	ca := GetCA(ctx)
-
 	var csc *certauth.CodeSigningCertificate
 	var sctBytes []byte
 	// TODO: prefer embedding SCT if possible
-	if _, ok := ca.(certauth.EmbeddedSCTCA); !ok {
+	if _, ok := a.ca.(certauth.EmbeddedSCTCA); !ok {
 		// currently configured CA doesn't support pre-certificate flow required to embed SCT in final certificate
-		csc, err = ca.CreateCertificate(ctx, subject)
+		csc, err = a.ca.CreateCertificate(ctx, subject)
 		if err != nil {
 			// if the error was due to invalid input in the request, return HTTP 400
 			if _, ok := err.(certauth.ValidationError); ok {
@@ -231,8 +232,7 @@ func (a *api) rootCert(w http.ResponseWriter, req *http.Request) {
 	ctx := req.Context()
 	logger := log.ContextLogger(ctx)
 
-	ca := GetCA(ctx)
-	root, err := ca.Root(ctx)
+	root, err := a.ca.Root(ctx)
 	if err != nil {
 		logger.Error("Error retrieving root cert: ", err)
 	}
@@ -260,19 +260,3 @@ func ExtractSubject(ctx context.Context, tok *oidc.IDToken, publicKey crypto.Pub
 		return nil, fmt.Errorf("unsupported issuer: %s", iss.Type)
 	}
 }
-
-type caKey struct{}
-
-// WithCA associates the provided certificate authority with the provided context.
-func WithCA(ctx context.Context, ca certauth.CertificateAuthority) context.Context {
-	return context.WithValue(ctx, caKey{}, ca)
-}
-
-// GetCA accesses the certificate authority associated with the provided context.
-func GetCA(ctx context.Context) certauth.CertificateAuthority {
-	untyped := ctx.Value(caKey{})
-	if untyped == nil {
-		return nil
-	}
-	return untyped.(certauth.CertificateAuthority)
-}