Merge pull request #68 from synadia-io/fix-67

Add SetIssuer method for account operator key selection

Author: aricart

accounts.go

@@ -61,6 +61,31 @@ func (a *AccountData) Issuer() string {
 	return a.Claim.Issuer
 }
 
+func (a *AccountData) SetIssuer(issuer string) error {
+	if issuer != "" {
+		_, err := KeyFrom(issuer, nkeys.PrefixByteOperator)
+		if err != nil {
+			return err
+		}
+	}
+
+	found := issuer == "" || a.Operator.Key.Public == issuer
+	if !found {
+		for i := 0; i < len(a.Operator.OperatorSigningKeys); i++ {
+			if a.Operator.OperatorSigningKeys[i].Public == issuer {
+				found = true
+				break
+			}
+		}
+	}
+
+	if !found {
+		return fmt.Errorf("issuer is not a registered operator key")
+	}
+	a.Claim.Issuer = issuer
+	return a.update()
+}
+
 func (a *AccountData) update() error {
 	if a.BaseData.readOnly {
 		return fmt.Errorf("account is read-only")
@@ -71,12 +96,19 @@ func (a *AccountData) update() error {
 	if vr.IsBlocking(true) {
 		return vr.Errors()[0]
 	}
-	// FIXME: the account possibly needs a way to select the key...
-	key := a.Operator.Key
-	if len(a.Operator.OperatorSigningKeys) > 0 {
-		key = a.Operator.OperatorSigningKeys[0]
+	if a.Claim.Issuer == "" {
+		a.Claim.Issuer = a.Operator.Key.Public
+	}
+
+	if a.Claim.Issuer == a.Operator.Key.Public {
+		return a.issue(a.Operator.Key)
+	}
+	for i := 0; i < len(a.Operator.OperatorSigningKeys); i++ {
+		if a.Claim.Issuer == a.Operator.OperatorSigningKeys[0].Public {
+			return a.issue(a.Operator.OperatorSigningKeys[i])
+		}
 	}
-	return a.issue(key)
+	return fmt.Errorf("operator signing key %q is was not found", a.Claim.Issuer)
 }
 
 func (a *AccountData) getRevocations() jwt.RevocationList {

tests/accounts_test.go

@@ -1070,3 +1070,42 @@ func (t *ProviderSuite) Test_SubjectMapping() {
 	t.NoError(sm.Delete("foo"))
 	t.NoError(sm.Delete("foo"))
 }
+
+func (t *ProviderSuite) Test_AccountIssuer() {
+	auth, err := authb.NewAuth(t.Provider)
+	t.NoError(err)
+
+	operators := auth.Operators()
+	t.Empty(operators.List())
+
+	o, err := operators.Add("O")
+	t.NoError(err)
+	t.NotNil(o)
+
+	a, err := o.Accounts().Add("A")
+	t.NoError(err)
+	t.NotNil(a)
+
+	t.Equal(a.Issuer(), o.Subject())
+
+	bad, err := authb.KeyFor(nkeys.PrefixByteAccount)
+	t.NoError(err)
+	err = a.SetIssuer(bad.Public)
+	t.Error(err)
+	t.Equal(err.Error(), "nkeys: incompatible key")
+
+	unknown, err := authb.KeyFor(nkeys.PrefixByteOperator)
+	t.NoError(err)
+	err = a.SetIssuer(unknown.Public)
+	t.Error(err)
+	t.Equal(err.Error(), "issuer is not a registered operator key")
+
+	sk, err := o.SigningKeys().Add()
+	t.NoError(err)
+	t.NotEmpty(sk)
+	t.NoError(a.SetIssuer(sk))
+	t.Equal(a.Issuer(), sk)
+
+	t.NoError(a.SetIssuer(""))
+	t.Equal(a.Issuer(), o.Subject())
+}

tests/operator_test.go

@@ -184,23 +184,6 @@ func (t *ProviderSuite) Test_OperatorUsesMainKeyToSignAccount() {
 	t.NoError(auth.Commit())
 }
 
-func (t *ProviderSuite) Test_OperatorUsesSigningKeyToSignAccount() {
-	auth, err := authb.NewAuth(t.Provider)
-	t.NoError(err)
-	o, err := auth.Operators().Add("O")
-	t.NoError(err)
-	sk, err := o.SigningKeys().Add()
-	t.NoError(err)
-	t.NotEmpty(sk)
-	a, err := o.Accounts().Add("A")
-	t.NoError(err)
-	t.NotNil(sk, a.Issuer())
-	t.NoError(auth.Commit())
-
-	ac := t.Store.GetAccount("O", "A")
-	t.Equal(sk, ac.ClaimsData.Issuer)
-}
-
 func (t *ProviderSuite) Test_OperatorRotate() {
 	auth, err := authb.NewAuth(t.Provider)
 	t.NoError(err)
@@ -211,6 +194,9 @@ func (t *ProviderSuite) Test_OperatorRotate() {
 	t.NotEmpty(sk)
 	a, err := o.Accounts().Add("A")
 	t.NoError(err)
+	t.Equal(o.Subject(), a.Issuer())
+
+	t.NoError(a.SetIssuer(sk))
 	t.Equal(sk, a.Issuer())
 	t.NoError(auth.Commit())
 

types.go

@@ -312,6 +312,9 @@ type Account interface {
 	// SetExpiry sets the expiry for the account in Unix Time Seconds.
 	// 0 never expires.
 	SetExpiry(exp int64) error
+	// SetIssuer sets the operator key to use (default is operator). If
+	// set to empty string, it will use the operator identity key
+	SetIssuer(issuer string) error
 	// Expiry returns the expiry for the account in Unix Time Seconds.
 	// 0 never expires
 	Expiry() int64