ACME V2 Integration

2018-03-26 14:12:03 +02:00 · 2018-03-26 14:12:03 +02:00 · 16bb9b6836
commit 16bb9b6836
parent d2766b1b4f
72 changed files with 11401 additions and 403 deletions
--- a/acme/account.go
+++ b/acme/account.go
@ -15,7 +15,7 @@ import (

 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/types"
-	"github.com/xenolf/lego/acme"
+	acme "github.com/xenolf/lego/acmev2"
 )

 // Account is used to store lets encrypt registration info
@ -63,15 +63,14 @@ func (a *Account) Init() error {
 }

 // NewAccount creates an account
-func NewAccount(email string) (*Account, error) {
+func NewAccount(email string, certs []*DomainsCertificate) (*Account, error) {
 	// Create a user. New accounts need an email and private key to start
 	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return nil, err
 	}

-	domainsCerts := DomainsCertificates{Certs: []*DomainsCertificate{}}
-
+	domainsCerts := DomainsCertificates{Certs: certs}
 	err = domainsCerts.Init()
 	if err != nil {
 		return nil, err
@ -211,7 +210,6 @@ func (dc *DomainsCertificates) addCertificateForDomains(acmeCert *Certificate, d

 	cert := DomainsCertificate{Domains: domain, Certificate: acmeCert, tlsCert: &tlsCert}
 	dc.Certs = append(dc.Certs, &cert)
-
 	return &cert, nil
 }

@ -220,10 +218,7 @@ func (dc *DomainsCertificates) getCertificateForDomain(domainToFind string) (*Do
 	defer dc.lock.RUnlock()

 	for _, domainsCertificate := range dc.Certs {
-		domains := []string{domainsCertificate.Domains.Main}
-		domains = append(domains, domainsCertificate.Domains.SANs...)
-
-		for _, domain := range domains {
+		for _, domain := range domainsCertificate.Domains.ToStrArray() {
 			if domain == domainToFind {
 				return domainsCertificate, true
 			}
--- a/acme/acme.go
+++ b/acme/acme.go
@ -10,6 +10,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"reflect"
 	"regexp"
 	"strings"
 	"time"
@ -26,7 +27,7 @@ import (
 	"github.com/containous/traefik/tls/generate"
 	"github.com/containous/traefik/types"
 	"github.com/eapache/channels"
-	"github.com/xenolf/lego/acme"
+	acme "github.com/xenolf/lego/acmev2"
 	"github.com/xenolf/lego/providers/dns"
 )

@ -184,20 +185,30 @@ func (a *ACME) leadershipListener(elected bool) error {
 		if err != nil {
 			return err
 		}
+
 		transaction, object, err := a.store.Begin()
 		if err != nil {
 			return err
 		}
+
 		account := object.(*Account)
 		account.Init()
+
 		var needRegister bool
 		if account == nil || len(account.Email) == 0 {
-			account, err = NewAccount(a.Email)
+			domainsCerts := DomainsCertificates{Certs: []*DomainsCertificate{}}
+			if account != nil {
+				domainsCerts = account.DomainsCertificate
+			}
+
+			account, err = NewAccount(a.Email, domainsCerts.Certs)
 			if err != nil {
 				return err
 			}
+
 			needRegister = true
 		}
+
 		a.client, err = a.buildACMEClient(account)
 		if err != nil {
 			return err
@ -205,29 +216,15 @@ func (a *ACME) leadershipListener(elected bool) error {
 		if needRegister {
 			// New users will need to register; be sure to save it
 			log.Debug("Register...")
-			reg, err := a.client.Register()
+
+			reg, err := a.client.Register(true)
 			if err != nil {
 				return err
 			}
+
 			account.Registration = reg
 		}
-		// The client has a URL to the current Let's Encrypt Subscriber
-		// Agreement. The user will need to agree to it.
-		log.Debug("AgreeToTOS...")
-		err = a.client.AgreeToTOS()
-		if err != nil {
-			log.Debug(err)
-			// Let's Encrypt Subscriber Agreement renew ?
-			reg, err := a.client.QueryRegistration()
-			if err != nil {
-				return err
-			}
-			account.Registration = reg
-			err = a.client.AgreeToTOS()
-			if err != nil {
-				log.Errorf("Error sending ACME agreement to TOS: %+v: %s", account, err.Error())
-			}
-		}
+
 		err = transaction.Commit(account)
 		if err != nil {
 			return err
@ -265,36 +262,50 @@ func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificat
 func (a *ACME) retrieveCertificates() {
 	a.jobs.In() <- func() {
 		log.Info("Retrieving ACME certificates...")
-		for _, domain := range a.Domains {
+
+		a.deleteUnnecessaryDomains()
+
+		for i := 0; i < len(a.Domains); i++ {
+			domain := a.Domains[i]
+
 			// check if cert isn't already loaded
 			account := a.store.Get().(*Account)
 			if _, exists := account.DomainsCertificate.exists(domain); !exists {
-				domains := []string{}
+				var domains []string
 				domains = append(domains, domain.Main)
 				domains = append(domains, domain.SANs...)
+				domains, err := a.getValidDomains(domains, true)
+				if err != nil {
+					log.Errorf("Error validating ACME certificate for domain %q: %s", domains, err)
+					continue
+				}
+
 				certificateResource, err := a.getDomainsCertificates(domains)
 				if err != nil {
-					log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
+					log.Errorf("Error getting ACME certificate for domain %q: %s", domains, err)
 					continue
 				}
+
 				transaction, object, err := a.store.Begin()
 				if err != nil {
-					log.Errorf("Error creating ACME store transaction from domain %s: %s", domain, err.Error())
+					log.Errorf("Error creating ACME store transaction from domain %q: %s", domain, err)
 					continue
 				}
+
 				account = object.(*Account)
 				_, err = account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
 				if err != nil {
-					log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
+					log.Errorf("Error adding ACME certificate for domain %q: %s", domains, err)
 					continue
 				}

 				if err = transaction.Commit(account); err != nil {
-					log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
+					log.Errorf("Error Saving ACME account %+v: %s", account, err)
 					continue
 				}
 			}
 		}
+
 		log.Info("Retrieved ACME certificates")
 	}
 }
@ -395,7 +406,7 @@ func dnsOverrideDelay(delay flaeg.Duration) error {

 func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
 	log.Debug("Building ACME client...")
-	caServer := "https://acme-v01.api.letsencrypt.org/directory"
+	caServer := "https://acme-v02.api.letsencrypt.org/directory"
 	if len(a.CAServer) > 0 {
 		caServer = a.CAServer
 	}
@ -418,11 +429,11 @@ func (a *ACME) buildACMEClient(account *Account) (*acme.Client, error) {
 			return nil, err
 		}

-		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSSNI01})
+		client.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
 		err = client.SetChallengeProvider(acme.DNS01, provider)
 	} else if a.HTTPChallenge != nil && len(a.HTTPChallenge.EntryPoint) > 0 {
 		log.Debug("Using HTTP Challenge provider.")
-		client.ExcludeChallenges([]acme.Challenge{acme.DNS01, acme.TLSSNI01})
+		client.ExcludeChallenges([]acme.Challenge{acme.DNS01})
 		a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store}
 		err = client.SetChallengeProvider(acme.HTTP01, a.challengeHTTPProvider)
 	} else {
@ -467,13 +478,12 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 	a.jobs.In() <- func() {
 		log.Debugf("LoadCertificateForDomains %v...", domains)

-		if len(domains) == 0 {
-			// no domain
+		domains, err := a.getValidDomains(domains, false)
+		if err != nil {
+			log.Errorf("Error getting valid domain: %v", err)
 			return
 		}

-		domains = fun.Map(types.CanonicalDomain, domains).([]string)
-
 		operation := func() error {
 			if a.client == nil {
 				return errors.New("ACME client still not built")
@ -485,7 +495,7 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 		}
 		ebo := backoff.NewExponentialBackOff()
 		ebo.MaxElapsedTime = 30 * time.Second
-		err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
+		err = backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
 		if err != nil {
 			log.Errorf("Error getting ACME client: %v", err)
 			return
@ -547,7 +557,7 @@ func searchProvidedCertificateForDomains(domain string, certs map[string]*tls.Ce
 	for certDomains := range certs {
 		domainCheck := false
 		for _, certDomain := range strings.Split(certDomains, ",") {
-			selector := "^" + strings.Replace(certDomain, "*.", "[^\\.]*\\.?", -1) + "$"
+			selector := "^" + strings.Replace(certDomain, "*.", "[^\\.]*\\.", -1) + "$"
 			domainCheck, _ = regexp.MatchString(selector, domain)
 			if domainCheck {
 				break
@ -586,31 +596,25 @@ func (a *ACME) getUncheckedDomains(domains []string, account *Account) []string
 		}
 	}

+	// Get Configuration Domains
+	for i := 0; i < len(a.Domains); i++ {
+		allCerts[a.Domains[i].Main] = &tls.Certificate{}
+		for _, san := range a.Domains[i].SANs {
+			allCerts[san] = &tls.Certificate{}
+		}
+	}
+
 	return searchUncheckedDomains(domains, allCerts)
 }

 func searchUncheckedDomains(domains []string, certs map[string]*tls.Certificate) []string {
-	uncheckedDomains := []string{}
+	var uncheckedDomains []string
 	for _, domainToCheck := range domains {
-		domainCheck := false
-		for certDomains := range certs {
-			domainCheck = false
-			for _, certDomain := range strings.Split(certDomains, ",") {
-				// Use regex to test for provided certs that might have been added into TLSConfig
-				selector := "^" + strings.Replace(certDomain, "*.", "[^\\.]*\\.?", -1) + "$"
-				domainCheck, _ = regexp.MatchString(selector, domainToCheck)
-				if domainCheck {
-					break
-				}
-			}
-			if domainCheck {
-				break
-			}
-		}
-		if !domainCheck {
+		if !isDomainAlreadyChecked(domainToCheck, certs) {
 			uncheckedDomains = append(uncheckedDomains, domainToCheck)
 		}
 	}
+
 	if len(uncheckedDomains) == 0 {
 		log.Debugf("No ACME certificate to generate for domains %q.", domains)
 	} else {
@ -646,3 +650,107 @@ func (a *ACME) runJobs() {
 		}
 	})
 }
+
+// getValidDomains checks if given domain is allowed to generate a ACME certificate and return it
+func (a *ACME) getValidDomains(domains []string, wildcardAllowed bool) ([]string, error) {
+	if len(domains) == 0 || (len(domains) == 1 && len(domains[0]) == 0) {
+		return nil, errors.New("unable to generate a certificate when no domain is given")
+	}
+
+	if strings.HasPrefix(domains[0], "*") {
+		if !wildcardAllowed {
+			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q from a 'Host' rule", strings.Join(domains, ","))
+		}
+
+		if a.DNSChallenge == nil && len(a.DNSProvider) == 0 {
+			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : ACME needs a DNSChallenge", strings.Join(domains, ","))
+		}
+
+		if len(domains) > 1 {
+			return nil, fmt.Errorf("unable to generate a wildcard certificate for domain %q : SANs are not allowed", strings.Join(domains, ","))
+		}
+	} else {
+		for _, san := range domains[1:] {
+			if strings.HasPrefix(san, "*") {
+				return nil, fmt.Errorf("unable to generate a certificate in ACME provider for domains %q: SANs can not be a wildcard domain", strings.Join(domains, ","))
+			}
+		}
+	}
+
+	domains = fun.Map(types.CanonicalDomain, domains).([]string)
+	return domains, nil
+}
+
+func isDomainAlreadyChecked(domainToCheck string, existentDomains map[string]*tls.Certificate) bool {
+	for certDomains := range existentDomains {
+		for _, certDomain := range strings.Split(certDomains, ",") {
+			// Use regex to test for provided existentDomains that might have been added into TLSConfig
+			selector := "^" + strings.Replace(certDomain, "*.", "[^\\.]*\\.", -1) + "$"
+			domainCheck, err := regexp.MatchString(selector, domainToCheck)
+			if err != nil {
+				log.Errorf("Unable to compare %q and %q : %s", domainToCheck, certDomain, err)
+				continue
+			}
+
+			if domainCheck {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// deleteUnnecessaryDomains deletes from the configuration :
+// - Duplicated domains
+// - Domains which are checked by wildcard domain
+func (a *ACME) deleteUnnecessaryDomains() {
+	var newDomains []types.Domain
+
+	for idxDomainToCheck, domainToCheck := range a.Domains {
+		keepDomain := true
+
+		for idxDomain, domain := range a.Domains {
+			if idxDomainToCheck == idxDomain {
+				continue
+			}
+
+			if reflect.DeepEqual(domain, domainToCheck) {
+				if idxDomainToCheck > idxDomain {
+					log.Warnf("The domain %v is duplicated in the configuration but will be process by ACME only once.", domainToCheck)
+					keepDomain = false
+				}
+				break
+			} else if strings.HasPrefix(domain.Main, "*") && domain.SANs == nil {
+				// Check if domains can be validated by the wildcard domain
+
+				var newDomainsToCheck []string
+
+				// Check if domains can be validated by the wildcard domain
+				domainsMap := make(map[string]*tls.Certificate)
+				domainsMap[domain.Main] = &tls.Certificate{}
+
+				for _, domainProcessed := range domainToCheck.ToStrArray() {
+					if isDomainAlreadyChecked(domainProcessed, domainsMap) {
+						log.Warnf("Domain %q will not be processed by ACME because it is validated by the wildcard %q", domainProcessed, domain.Main)
+						continue
+					}
+					newDomainsToCheck = append(newDomainsToCheck, domainProcessed)
+				}
+
+				// Delete the domain if both Main and SANs can be validated by the wildcard domain
+				// otherwise keep the unchecked values
+				if newDomainsToCheck == nil {
+					keepDomain = false
+					break
+				}
+				domainToCheck.Set(newDomainsToCheck)
+			}
+		}
+
+		if keepDomain {
+			newDomains = append(newDomains, domainToCheck)
+		}
+	}
+
+	a.Domains = newDomains
+}
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@ -14,7 +14,7 @@ import (
 	"github.com/containous/traefik/tls/generate"
 	"github.com/containous/traefik/types"
 	"github.com/stretchr/testify/assert"
-	"github.com/xenolf/lego/acme"
+	acme "github.com/xenolf/lego/acmev2"
 )

 func TestDomainsSet(t *testing.T) {
@ -299,10 +299,15 @@ llJh9MC0svjevGtNlxJoE3lmEQIhAKXy1wfZ32/XtcrnENPvi6lzxI0T94X7s5pP3aCoPPoJAiEAl
 cijFkALeQp/qyeXdFld2v9gUN3eCgljgcl0QweRoIc=---`)
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Write([]byte(`{
-"new-authz": "https://foo/acme/new-authz",
-"new-cert": "https://foo/acme/new-cert",
-"new-reg": "https://foo/acme/new-reg",
-"revoke-cert": "https://foo/acme/revoke-cert"
+  "GPHhmRVEDas": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
+  "keyChange": "https://foo/acme/key-change",
+  "meta": {
+    "termsOfService": "https://boulder:4431/terms/v7"
+  },
+  "newAccount": "https://foo/acme/new-acct",
+  "newNonce": "https://foo/acme/new-nonce",
+  "newOrder": "https://foo/acme/new-order",
+  "revokeCert": "https://foo/acme/revoke-cert"
 }`))
 	}))
 	defer ts.Close()
@ -361,3 +366,81 @@ func TestAcme_getProvidedCertificate(t *testing.T) {
 	certificate = a.getProvidedCertificate(domain)
 	assert.Nil(t, certificate)
 }
+
+func TestAcme_getValidDomain(t *testing.T) {
+	testCases := []struct {
+		desc            string
+		domains         []string
+		wildcardAllowed bool
+		dnsChallenge    *acmeprovider.DNSChallenge
+		expectedErr     string
+		expectedDomains []string
+	}{
+		{
+			desc:            "valid wildcard",
+			domains:         []string{"*.traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: true,
+			expectedErr:     "",
+			expectedDomains: []string{"*.traefik.wtf"},
+		},
+		{
+			desc:            "no wildcard",
+			domains:         []string{"traefik.wtf", "foo.traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			expectedErr:     "",
+			wildcardAllowed: true,
+			expectedDomains: []string{"traefik.wtf", "foo.traefik.wtf"},
+		},
+		{
+			desc:            "unauthorized wildcard",
+			domains:         []string{"*.traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: false,
+			expectedErr:     "unable to generate a wildcard certificate for domain \"*.traefik.wtf\" from a 'Host' rule",
+			expectedDomains: nil,
+		},
+		{
+			desc:            "no domain",
+			domains:         []string{},
+			dnsChallenge:    nil,
+			wildcardAllowed: true,
+			expectedErr:     "unable to generate a certificate when no domain is given",
+			expectedDomains: nil,
+		},
+		{
+			desc:            "no DNSChallenge",
+			domains:         []string{"*.traefik.wtf", "foo.traefik.wtf"},
+			dnsChallenge:    nil,
+			wildcardAllowed: true,
+			expectedErr:     "unable to generate a wildcard certificate for domain \"*.traefik.wtf,foo.traefik.wtf\" : ACME needs a DNSChallenge",
+			expectedDomains: nil,
+		},
+		{
+			desc:            "unexpected SANs",
+			domains:         []string{"*.traefik.wtf", "foo.traefik.wtf"},
+			dnsChallenge:    &acmeprovider.DNSChallenge{},
+			wildcardAllowed: true,
+			expectedErr:     "unable to generate a wildcard certificate for domain \"*.traefik.wtf,foo.traefik.wtf\" : SANs are not allowed",
+			expectedDomains: nil,
+		},
+	}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			a := ACME{}
+			if test.dnsChallenge != nil {
+				a.DNSChallenge = test.dnsChallenge
+			}
+			domains, err := a.getValidDomains(test.domains, test.wildcardAllowed)
+
+			if len(test.expectedErr) > 0 {
+				assert.EqualError(t, err, test.expectedErr, "Unexpected error.")
+			} else {
+				assert.Equal(t, len(test.expectedDomains), len(domains), "Unexpected domains.")
+			}
+		})
+	}
+}
--- a/acme/challenge_http_provider.go
+++ b/acme/challenge_http_provider.go
@ -9,7 +9,7 @@ import (
 	"github.com/containous/traefik/cluster"
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/safe"
-	"github.com/xenolf/lego/acme"
+	acme "github.com/xenolf/lego/acmev2"
 )

 var _ acme.ChallengeProviderTimeout = (*challengeHTTPProvider)(nil)
--- a/acme/localStore.go
+++ b/acme/localStore.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"os"
+	"regexp"

 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/provider/acme"
@ -45,19 +46,41 @@ func (s *LocalStore) Get() (*Account, error) {
 		if err := json.Unmarshal(file, &account); err != nil {
 			return nil, err
 		}
+
+		// Check if ACME Account is in ACME V1 format
+		if account != nil && account.Registration != nil {
+			isOldRegistration, err := regexp.MatchString(acme.RegistrationURLPathV1Regexp, account.Registration.URI)
+			if err != nil {
+				return nil, err
+			}
+
+			if isOldRegistration {
+				account.Email = ""
+				account.Registration = nil
+				account.PrivateKey = nil
+			}
+		}
 	}
+
 	return account, nil
 }

 // ConvertToNewFormat converts old acme.json format to the new one and store the result into the file (used for the backward compatibility)
 func ConvertToNewFormat(fileName string) {
 	localStore := acme.NewLocalStore(fileName)
+
 	storeAccount, err := localStore.GetAccount()
 	if err != nil {
 		log.Warnf("Failed to read new account, ACME data conversion is not available : %v", err)
 		return
 	}

+	storeCertificates, err := localStore.GetCertificates()
+	if err != nil {
+		log.Warnf("Failed to read new certificates, ACME data conversion is not available : %v", err)
+		return
+	}
+
 	if storeAccount == nil {
 		localStore := NewLocalStore(fileName)

@ -67,8 +90,10 @@ func ConvertToNewFormat(fileName string) {
 			return
 		}

-		if account != nil {
-			newAccount := &acme.Account{
+		// Convert ACME data from old to new format
+		newAccount := &acme.Account{}
+		if account != nil && len(account.Email) > 0 {
+			newAccount = &acme.Account{
 				PrivateKey:   account.PrivateKey,
 				Registration: account.Registration,
 				Email:        account.Email,
@ -82,9 +107,15 @@ func ConvertToNewFormat(fileName string) {
 					Domain:      cert.Domains,
 				})
 			}
-			newLocalStore := acme.NewLocalStore(fileName)
-			newLocalStore.SaveDataChan <- &acme.StoredData{Account: newAccount, Certificates: newCertificates}
+			// If account is in the old format, storeCertificates is nil or empty
+			// and has to be initialized
+			storeCertificates = newCertificates
 		}
+
+		// Store the data in new format into the file even if account is nil
+		// to delete Account in ACME v1 format and keeping the certificates
+		newLocalStore := acme.NewLocalStore(fileName)
+		newLocalStore.SaveDataChan <- &acme.StoredData{Account: newAccount, Certificates: storeCertificates}
 	}
 }

@ -102,15 +133,28 @@ func FromNewToOldFormat(fileName string) (*Account, error) {
 		return nil, err
 	}

+	// Convert ACME Account from new to old format
+	// (Needed by the KV stores)
+	var account *Account
 	if storeAccount != nil {
-		account := &Account{}
-		account.Email = storeAccount.Email
-		account.PrivateKey = storeAccount.PrivateKey
-		account.Registration = storeAccount.Registration
-		account.DomainsCertificate = DomainsCertificates{}
+		account = &Account{
+			Email:              storeAccount.Email,
+			PrivateKey:         storeAccount.PrivateKey,
+			Registration:       storeAccount.Registration,
+			DomainsCertificate: DomainsCertificates{},
+		}
+	}

+	// Convert ACME Certificates from new to old format
+	// (Needed by the KV stores)
+	if len(storeCertificates) > 0 {
+		// Account can be nil if data are migrated from new format
+		// with a ACME V1 Account
+		if account == nil {
+			account = &Account{}
+		}
 		for _, cert := range storeCertificates {
-			_, err = account.DomainsCertificate.addCertificateForDomains(&Certificate{
+			_, err := account.DomainsCertificate.addCertificateForDomains(&Certificate{
 				Domain:      cert.Domain.Main,
 				Certificate: cert.Certificate,
 				PrivateKey:  cert.Key,
@ -119,7 +163,7 @@ func FromNewToOldFormat(fileName string) (*Account, error) {
 				return nil, err
 			}
 		}
-		return account, nil
 	}
-	return nil, nil
+
+	return account, nil
 }