Create a hash of a token if a token id is empty.

This commit is contained in:
Mariano Cano 2020-09-18 16:25:08 -07:00
parent 656315bd61
commit d79b4e709e
2 changed files with 42 additions and 0 deletions

View file

@ -2,7 +2,9 @@ package authority
import ( import (
"context" "context"
"crypto/sha256"
"crypto/x509" "crypto/x509"
"encoding/hex"
"net/http" "net/http"
"strings" "strings"
@ -69,8 +71,13 @@ func (a *Authority) authorizeToken(ctx context.Context, token string) (provision
} }
// Store the token to protect against reuse unless it's skipped. // Store the token to protect against reuse unless it's skipped.
// If we cannot get a token id from the provisioner, just hash the token.
if !SkipTokenReuseFromContext(ctx) { if !SkipTokenReuseFromContext(ctx) {
if reuseKey, err := p.GetTokenID(token); err == nil { if reuseKey, err := p.GetTokenID(token); err == nil {
if reuseKey == "" {
sum := sha256.Sum256([]byte(token))
reuseKey = strings.ToLower(hex.EncodeToString(sum[:]))
}
ok, err := a.db.UseToken(reuseKey, token) ok, err := a.db.UseToken(reuseKey, token)
if err != nil { if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, return nil, errs.Wrap(http.StatusInternalServerError, err,

View file

@ -188,6 +188,41 @@ func TestAuthority_authorizeToken(t *testing.T) {
code: http.StatusUnauthorized, code: http.StatusUnauthorized,
} }
}, },
"ok/sha256": func(t *testing.T) *authorizeTest {
cl := jose.Claims{
Subject: "test.smallstep.com",
Issuer: validIssuer,
NotBefore: jose.NewNumericDate(now),
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
Audience: validAudience,
}
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
assert.FatalError(t, err)
return &authorizeTest{
auth: a,
token: raw,
}
},
"fail/sha256/token-already-used": func(t *testing.T) *authorizeTest {
_a := testAuthority(t)
cl := jose.Claims{
Subject: "test.smallstep.com",
Issuer: validIssuer,
NotBefore: jose.NewNumericDate(now),
Expiry: jose.NewNumericDate(now.Add(time.Minute)),
Audience: validAudience,
}
raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
assert.FatalError(t, err)
_, err = _a.authorizeToken(context.Background(), raw)
assert.FatalError(t, err)
return &authorizeTest{
auth: _a,
token: raw,
err: errors.New("authority.authorizeToken: token already used"),
code: http.StatusUnauthorized,
}
},
"ok/mockNoSQLDB": func(t *testing.T) *authorizeTest { "ok/mockNoSQLDB": func(t *testing.T) *authorizeTest {
_a := testAuthority(t) _a := testAuthority(t)
_a.db = &db.MockAuthDB{ _a.db = &db.MockAuthDB{