Merge pull request #672 from smallstep/azure-tofu

Allow the reuse of azure tokens if DisableTrustOnFirstUse is true

authority/authorize.go

@@ -173,6 +173,9 @@ func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedc
 }
 
 // UseToken stores the token to protect against reuse.
+//
+// This method currently ignores any error coming from the GetTokenID, but it
+// should specifically ignore the error provisioner.ErrAllowTokenReuse.
 func (a *Authority) UseToken(token string, prov provisioner.Interface) error {
 	if reuseKey, err := prov.GetTokenID(token); err == nil {
 		if reuseKey == "" {

authority/provisioner/azure.go

@@ -131,9 +131,10 @@ func (p *Azure) GetTokenID(token string) (string, error) {
 		return "", errors.Wrap(err, "error verifying claims")
 	}
 
-	// If TOFU is disabled create return the token kid
+	// If TOFU is disabled then allow token re-use. Azure caches the token for
+	// 24h and without allowing the re-use we cannot use it twice.
 	if p.DisableTrustOnFirstUse {
-		return claims.ID, nil
+		return "", ErrAllowTokenReuse
 	}
 
 	sum := sha256.Sum256([]byte(claims.XMSMirID))

authority/provisioner/azure_test.go

@@ -72,7 +72,7 @@ func TestAzure_GetTokenID(t *testing.T) {
 		wantErr bool
 	}{
 		{"ok", p1, args{t1}, w1, false},
-		{"ok no TOFU", p2, args{t2}, "the-jti", false},
+		{"ok no TOFU", p2, args{t2}, "", true},
 		{"fail token", p1, args{"bad-token"}, "", true},
 		{"fail claims", p1, args{"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey.fooo"}, "", true},
 	}

authority/provisioner/provisioner.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/x509"
 	"encoding/json"
+	stderrors "errors"
 	"net/url"
 	"regexp"
 	"strings"
@@ -32,6 +33,17 @@ type Interface interface {
 	AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)
 }
 
+// ErrAllowTokenReuse is an error that is returned by provisioners that allows
+// the reuse of tokens.
+//
+// This is, for example, returned by the Azure provisioner when
+// DisableTrustOnFirstUse is set to true. Azure caches tokens for up to 24hr and
+// has no mechanism for getting a different token - this can be an issue when
+// rebooting a VM. In contrast, AWS and GCP have facilities for requesting a new
+// token. Therefore, for the Azure provisioner we are enabling token reuse, with
+// the understanding that we are not following security best practices
+var ErrAllowTokenReuse = stderrors.New("allow token reuse")
+
 // Audiences stores all supported audiences by request type.
 type Audiences struct {
 	Sign      []string

authority/tls.go

@@ -366,7 +366,7 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
 		}
 		rci.ProvisionerID = p.GetID()
 		rci.TokenID, err = p.GetTokenID(revokeOpts.OTT)
-		if err != nil {
+		if err != nil && !errors.Is(err, provisioner.ErrAllowTokenReuse) {
 			return errs.Wrap(http.StatusInternalServerError, err,
 				"authority.Revoke; could not get ID for token")
 		}