feat(protocol): implement kwargs updater to handle acme posts

piraz · piraz · commit 2d8201a09eff · 2025-02-22T15:06:42.000-05:00
Also handle acme post_as_get requests. Refs: #141
diff --git a/automatoes/crypto.py b/automatoes/crypto.py
@@ -91,6 +91,27 @@ def generate_ari_data(cert):
     return f"{aki_b64}.{serial_b64}"
 
 
+# TODO: accept new kinds of encryption
+def generate_protected_header(account_key):
+    """
+    Creates a new request header for the specified account key.
+    """
+    numbers = account_key.public_key().public_numbers()
+    e = numbers.e.to_bytes((numbers.e.bit_length() // 8 + 1), byteorder='big')
+    n = numbers.n.to_bytes((numbers.n.bit_length() // 8 + 1), byteorder='big')
+    if n[0] == 0:  # for strict JWK
+        n = n[1:]
+    return {
+        'alg': 'RS256',
+        'jwk': {
+            'kty': 'RSA',
+            'e': jose_b64(e),
+            'n': jose_b64(n),
+        },
+    }
+
+
+# TODO: Remove this function after acme to peasant migration
 def generate_header(account_key):
     """
     Creates a new request header for the specified account key.
@@ -141,6 +162,7 @@ def sign_request(key, header, protected_header, payload):
     })
 
 
+# TODO: we need to accept other forms of encryption over here!!!
 def sign_request_v2(key, protected_header, payload):
     """
     Creates a JSON Web Signature for the request header and payload using the
diff --git a/automatoes/protocol.py b/automatoes/protocol.py
@@ -66,13 +66,58 @@ def __init__(self, bastion_address):
         self.basic_headers = {
             'User-Agent': self.user_agent
         }
-        self.kwargs_updater = self.update_kwargs
-
-    def update_kwargs(self, method, **kwargs):
+        self.kwargs_updater = self.__kwargs_updater
+
+    def __kwargs_updater(self, method, **kwargs):
+        if method == METHOD_POST:
+            kid = None
+            if "kid" in kwargs:
+                kid = kwargs.pop("kid")
+            key = None
+            if "key" in kwargs:
+                key = kwargs.pop("key")
+            uri = None
+            if "uri" in kwargs:
+                uri = kwargs.pop("uri")
+            protected = self.get_protected_headers(key, uri=uri)
+            if kid:
+                protected['kid'] = kid
+                protected.pop("jwk")
+            data = kwargs.get("data")
+            if data:
+                kwargs['data'] = sign_request_v2(key, protected, data)
         if self.peasant.verify:
             kwargs['verify'] = self.peasant.verify
         return kwargs
 
+    def get_protected_headers(self, key, uri=None):
+        """
+        Builds a new pair of headers for signed requests.
+        """
+        header = generate_protected_header(key)
+        protected_header = copy.deepcopy(header)
+        protected_header['nonce'] = self.new_nonce()
+        if uri is not None:
+            protected_header['url'] = uri
+        return protected_header
+
+    def post_as_get(self, path, **kwargs):
+        """Send a POST request.
+
+        :param path: absolute or relative URL for the new
+        :class:`requests.Request` object.
+        :param **kwargs: Optional arguments that ``request`` takes.
+        :return: :class:`requests.Response <Response>` object
+        :rtype: requests.Response
+        """
+        url = self.get_url(path, **kwargs)
+        headers = self.get_headers(**kwargs)
+        kwargs['headers'] = headers
+        kwargs = self.update_kwargs(METHOD_POST, **kwargs)
+        with requests.post(url, **kwargs) as result:
+            result.raise_for_status()
+        return result
+
     def set_directory(self):
         response = self.get("/%s" % self.peasant.directory_path)
         if response.status_code == 200:
