Create a hash of a token if a token id is empty.
This commit is contained in:
parent
656315bd61
commit
d79b4e709e
2 changed files with 42 additions and 0 deletions
@ -2,7 +2,9 @@ package authority
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"crypto/sha256"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
|
"encoding/hex"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
@ -69,8 +71,13 @@ func (a *Authority) authorizeToken(ctx context.Context, token string) (provision
}
|
}
|
||||||
|
|
||||||
// Store the token to protect against reuse unless it's skipped.
|
// Store the token to protect against reuse unless it's skipped.
|
||||||
|
// If we cannot get a token id from the provisioner, just hash the token.
|
||||||
if !SkipTokenReuseFromContext(ctx) {
|
if !SkipTokenReuseFromContext(ctx) {
|
||||||
if reuseKey, err := p.GetTokenID(token); err == nil {
|
if reuseKey, err := p.GetTokenID(token); err == nil {
|
||||||
|
if reuseKey == "" {
|
||||||
|
sum := sha256.Sum256([]byte(token))
|
||||||
|
reuseKey = strings.ToLower(hex.EncodeToString(sum[:]))
|
||||||
|
}
|
||||||
ok, err := a.db.UseToken(reuseKey, token)
|
ok, err := a.db.UseToken(reuseKey, token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err,
|
return nil, errs.Wrap(http.StatusInternalServerError, err,
|
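Review bot: The comment added above the reuse check, `// If we cannot get a token id from the provisioner, just hash the token.`, overstates what the fallback covers: the SHA-256 branch runs only when `GetTokenID` returns an empty id with a nil error, while an error from `GetTokenID` skips the whole `err == nil` block, so no reuse key is stored and the token stays replayable unless an else branch outside the hunk handles that case. If skipping on error is intended, narrow the comment to `// If the provisioner returns an empty token id, fall back to the SHA-256 of the token.`; if not, the same fallback should be applied when `err != nil` as well. Separately, `hex.EncodeToString` already emits lowercase hex, so the `strings.ToLower` wrapper in `reuseKey = strings.ToLower(hex.EncodeToString(sum[:]))` is a no-op and can be dropped. authorizeToken begins and ends outside the hunk.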
@ -188,6 +188,41 @@ func TestAuthority_authorizeToken(t *testing.T) {
code: http.StatusUnauthorized,
|
code: http.StatusUnauthorized,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"ok/sha256": func(t *testing.T) *authorizeTest {
|
||||||
|
cl := jose.Claims{
|
||||||
|
Subject: "test.smallstep.com",
|
||||||
|
Issuer: validIssuer,
|
||||||
|
NotBefore: jose.NewNumericDate(now),
|
||||||
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
||||||
|
Audience: validAudience,
|
||||||
|
}
|
||||||
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
return &authorizeTest{
|
||||||
|
auth: a,
|
||||||
|
token: raw,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"fail/sha256/token-already-used": func(t *testing.T) *authorizeTest {
|
||||||
|
_a := testAuthority(t)
|
||||||
|
cl := jose.Claims{
|
||||||
|
Subject: "test.smallstep.com",
|
||||||
|
Issuer: validIssuer,
|
||||||
|
NotBefore: jose.NewNumericDate(now),
|
||||||
|
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
|
||||||
|
Audience: validAudience,
|
||||||
|
}
|
||||||
|
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
_, err = _a.authorizeToken(context.Background(), raw)
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
return &authorizeTest{
|
||||||
|
auth: _a,
|
||||||
|
token: raw,
|
||||||
|
err: errors.New("authority.authorizeToken: token already used"),
|
||||||
|
code: http.StatusUnauthorized,
|
||||||
|
}
|
||||||
|
},
|
||||||
"ok/mockNoSQLDB": func(t *testing.T) *authorizeTest {
|
"ok/mockNoSQLDB": func(t *testing.T) *authorizeTest {
|
||||||
_a := testAuthority(t)
|
_a := testAuthority(t)
|
||||||
_a.db = &db.MockAuthDB{
|
_a.db = &db.MockAuthDB{
|
||||||
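Review bot: Neither new case checks that the fallback reuse key is actually the SHA-256 of the token: `ok/sha256` only asserts success, and `fail/sha256/token-already-used` only asserts that the second use fails, which could also pass if the authority stored an empty id or some other derived key. Capturing the key passed to UseToken through a `db.MockAuthDB` hook, as the `ok/mockNoSQLDB` case below already does for the database, and comparing it with `hex.EncodeToString` of `sha256.Sum256([]byte(raw))` would pin the behaviour the commit title describes. Both cases also depend on the claims literal omitting an ID so that GetTokenID presumably returns an empty string; a one-line comment such as `// No ID claim: exercises the SHA-256 fallback reuse key.` above each `cl := jose.Claims{` would make that intent explicit. TestAuthority_authorizeToken begins and ends outside the hunk.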