sshpop provisioner + ssh renew | revoke | rekey first pass

api/revoke.go

@@ -1,10 +1,12 @@
 package api
 
 import (
+	"context"
 	"net/http"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/logging"
 	"golang.org/x/crypto/ocsp"
 )
@@ -63,10 +65,15 @@ func (h *caHandler) Revoke(w http.ResponseWriter, r *http.Request) {
 		PassiveOnly: body.Passive,
 	}
 
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RevokeMethod)
 	// A token indicates that we are using the api via a provisioner token,
 	// otherwise it is assumed that the certificate is revoking itself over mTLS.
 	if len(body.OTT) > 0 {
 		logOtt(w, body.OTT)
+		if _, err := h.Authority.Authorize(ctx, body.OTT); err != nil {
+			WriteError(w, Unauthorized(err))
+			return
+		}
 		opts.OTT = body.OTT
 	} else {
 		// If no token is present, then the request must be made over mTLS and
@@ -77,11 +84,18 @@ func (h *caHandler) Revoke(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		opts.Crt = r.TLS.PeerCertificates[0]
+		if opts.Crt.SerialNumber.String() != opts.Serial {
+			WriteError(w, BadRequest(errors.New("revoke: serial number in mtls certificate different than body")))
+			return
+		}
+		// TODO: should probably be checking if the certificate was revoked here.
+		// Will need to thread that request down to the authority, so will need
+		// to add API for that.
 		logCertificate(w, opts.Crt)
 		opts.MTLS = true
 	}
 
-	if err := h.Authority.Revoke(opts); err != nil {
+	if err := h.Authority.Revoke(ctx, opts); err != nil {
 		WriteError(w, Forbidden(err))
 		return
 	}