Merge pull request #947 from smallstep/fix-ssh-revocation

Fix SSH certificate revocation

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Deprecated
 ### Removed
 ### Fixed
+- Fixed SSH revocation.
 ### Security
 
 ## [0.19.0] - 2022-04-19

authority/tls.go

@@ -560,7 +560,7 @@ func (a *Authority) revokeSSH(crt *ssh.Certificate, rci *db.RevokedCertificateIn
 	}); ok {
 		return lca.RevokeSSH(crt, rci)
 	}
-	return a.db.Revoke(rci)
+	return a.db.RevokeSSH(rci)
 }
 
 // GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.

authority/tls_test.go

@@ -1301,8 +1301,11 @@ func TestAuthority_Revoke(t *testing.T) {
 
 	a := testAuthority(t)
 
+	tlsRevokeCtx := provisioner.NewContextWithMethod(context.Background(), provisioner.RevokeMethod)
+
 	type test struct {
 		auth            *Authority
+		ctx             context.Context
 		opts            *RevokeOptions
 		err             error
 		code            int
@@ -1312,6 +1315,7 @@ func TestAuthority_Revoke(t *testing.T) {
 		"fail/token/authorizeRevoke error": func() test {
 			return test{
 				auth: a,
+				ctx:  tlsRevokeCtx,
 				opts: &RevokeOptions{
 					OTT:        "foo",
 					Serial:     "sn",
@@ -1336,6 +1340,7 @@ func TestAuthority_Revoke(t *testing.T) {
 
 			return test{
 				auth: a,
+				ctx:  tlsRevokeCtx,
 				opts: &RevokeOptions{
 					Serial:     "sn",
 					ReasonCode: reasonCode,
@@ -1375,6 +1380,7 @@ func TestAuthority_Revoke(t *testing.T) {
 
 			return test{
 				auth: _a,
+				ctx:  tlsRevokeCtx,
 				opts: &RevokeOptions{
 					Serial:     "sn",
 					ReasonCode: reasonCode,
@@ -1414,6 +1420,7 @@ func TestAuthority_Revoke(t *testing.T) {
 
 			return test{
 				auth: _a,
+				ctx:  tlsRevokeCtx,
 				opts: &RevokeOptions{
 					Serial:     "sn",
 					ReasonCode: reasonCode,
@@ -1451,6 +1458,7 @@ func TestAuthority_Revoke(t *testing.T) {
 			assert.FatalError(t, err)
 			return test{
 				auth: _a,
+				ctx:  tlsRevokeCtx,
 				opts: &RevokeOptions{
 					Serial:     "sn",
 					ReasonCode: reasonCode,
@@ -1467,6 +1475,7 @@ func TestAuthority_Revoke(t *testing.T) {
 
 			return test{
 				auth: _a,
+				ctx:  tlsRevokeCtx,
 				opts: &RevokeOptions{
 					Crt:        crt,
 					Serial:     "102012593071130646873265215610956555026",
@@ -1491,6 +1500,7 @@ func TestAuthority_Revoke(t *testing.T) {
 
 			return test{
 				auth: _a,
+				ctx:  tlsRevokeCtx,
 				opts: &RevokeOptions{
 					Crt:        crt,
 					Serial:     "102012593071130646873265215610956555026",
@@ -1508,6 +1518,7 @@ func TestAuthority_Revoke(t *testing.T) {
 
 			return test{
 				auth: _a,
+				ctx:  tlsRevokeCtx,
 				opts: &RevokeOptions{
 					Crt:        crt,
 					Serial:     "102012593071130646873265215610956555026",
@@ -1517,12 +1528,42 @@ func TestAuthority_Revoke(t *testing.T) {
 				},
 			}
 		},
+		"ok/ssh": func() test {
+			a := testAuthority(t, WithDatabase(&db.MockAuthDB{
+				MRevoke: func(rci *db.RevokedCertificateInfo) error {
+					return errors.New("Revoke was called")
+				},
+				MRevokeSSH: func(rci *db.RevokedCertificateInfo) error {
+					return nil
+				},
+			}))
+
+			cl := jwt.Claims{
+				Subject:   "sn",
+				Issuer:    validIssuer,
+				NotBefore: jwt.NewNumericDate(now),
+				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Audience:  validAudience,
+				ID:        "44",
+			}
+			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			assert.FatalError(t, err)
+			return test{
+				auth: a,
+				ctx:  provisioner.NewContextWithMethod(context.Background(), provisioner.SSHRevokeMethod),
+				opts: &RevokeOptions{
+					Serial:     "sn",
+					ReasonCode: reasonCode,
+					Reason:     reason,
+					OTT:        raw,
+				},
+			}
+		},
 	}
 	for name, f := range tests {
 		tc := f()
 		t.Run(name, func(t *testing.T) {
-			ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RevokeMethod)
+			if err := tc.auth.Revoke(tc.ctx, tc.opts); err != nil {
-			if err := tc.auth.Revoke(ctx, tc.opts); err != nil {
 				if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) {
 					sc, ok := err.(render.StatusCodedError)
 					assert.Fatal(t, ok, "error does not implement StatusCodedError interface")

go.mod

@@ -58,7 +58,7 @@ require (
 	google.golang.org/grpc v1.45.0
 	google.golang.org/protobuf v1.28.0
 	gopkg.in/square/go-jose.v2 v2.6.0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	gopkg.in/yaml.v3 v3.0.0 // indirect
 )
 
 // replace github.com/smallstep/nosql => ../nosql

go.sum

@@ -1347,8 +1347,8 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=