func dispatchRequest(w http.ResponseWriter, req *http.Request) {
incRequests()
if req.Method != "POST" {
fail(w, req, http.StatusMethodNotAllowed, 1, "only POST is permitted", "")
return
}
body, err := ioutil.ReadAll(req.Body)
if err != nil {
fail(w, req, http.StatusInternalServerError, 1, err.Error(), "while reading request body")
return
}
defer req.Body.Close()
var authReq auth.AuthenticatedRequest
err = json.Unmarshal(body, &authReq)
if err != nil {
fail(w, req, http.StatusBadRequest, 1, err.Error(), "while unmarshaling request body")
return
}
var sigRequest signer.SignRequest
err = json.Unmarshal(authReq.Request, &sigRequest)
if err != nil {
fail(w, req, http.StatusBadRequest, 1, err.Error(), "while unmarshalling authenticated request")
return
}
if sigRequest.Label == "" {
sigRequest.Label = defaultLabel
}
s, ok := signers[sigRequest.Label]
if !ok {
fail(w, req, http.StatusBadRequest, 1, "bad request", "request is for non-existent label "+sigRequest.Label)
return
}
stats.Requests[sigRequest.Label].Counter.Inc(1)
stats.Requests[sigRequest.Label].Rate.Mark(1)
// Sanity checks to ensure that we have a valid policy. This
// should have been checked in NewAuthSignHandler.
policy := s.Policy()
if policy == nil {
fail(w, req, http.StatusInternalServerError, 1, "invalid policy", "signer was initialised without a signing policy")
return
}
profile := policy.Default
if policy.Profiles != nil && sigRequest.Profile != "" {
profile = policy.Profiles[sigRequest.Profile]
if profile == nil {
fail(w, req, http.StatusBadRequest, 1, "invalid profile", "failed to look up profile with name: "+sigRequest.Profile)
return
}
}
if profile == nil {
fail(w, req, http.StatusInternalServerError, 1, "invalid profile", "signer was initialised without any valid profiles")
return
}
if profile.Provider == nil {
fail(w, req, http.StatusUnauthorized, 1, "authorisation required", "received unauthenticated request")
return
}
if !profile.Provider.Verify(&authReq) {
fail(w, req, http.StatusBadRequest, 1, "invalid token", "received authenticated request with invalid token")
return
}
if sigRequest.Request == "" {
fail(w, req, http.StatusBadRequest, 1, "invalid request", "empty request")
return
}
cert, err := s.Sign(sigRequest)
if err != nil {
fail(w, req, http.StatusBadRequest, 1, "bad request", "signature failed: "+err.Error())
return
}
x509Cert, err := helpers.ParseCertificatePEM(cert)
if err != nil {
fail(w, req, http.StatusInternalServerError, 1, "bad certificate", err.Error())
}
log.Infof("signature: requester=%s, label=%s, profile=%s, serialno=%s",
req.RemoteAddr, sigRequest.Label, sigRequest.Profile, x509Cert.SerialNumber)
res := api.NewSuccessResponse(&SignatureResponse{Certificate: string(cert)})
jenc := json.NewEncoder(w)
err = jenc.Encode(res)
if err != nil {
log.Errorf("error writing response: %v", err)
}
}
