forked from TrueCloudLab/certificates
Allow mTLS revocation without provisioner.
This commit is contained in:
parent
96de4e6ec8
commit
0b8528ce6b
2 changed files with 29 additions and 6 deletions
|
@ -334,22 +334,21 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
|
|||
if !ok {
|
||||
return errs.InternalServer("authority.Revoke; provisioner not found", opts...)
|
||||
}
|
||||
rci.ProvisionerID = p.GetID()
|
||||
rci.TokenID, err = p.GetTokenID(revokeOpts.OTT)
|
||||
if err != nil {
|
||||
return errs.Wrap(http.StatusInternalServerError, err,
|
||||
"authority.Revoke; could not get ID for token")
|
||||
}
|
||||
opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
|
||||
opts = append(opts, errs.WithKeyVal("tokenID", rci.TokenID))
|
||||
} else {
|
||||
// Load the Certificate provisioner if one exists.
|
||||
p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt)
|
||||
if err != nil {
|
||||
return errs.Wrap(http.StatusUnauthorized, err,
|
||||
"authority.Revoke: unable to load certificate provisioner", opts...)
|
||||
if p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt); err == nil {
|
||||
rci.ProvisionerID = p.GetID()
|
||||
opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
|
||||
}
|
||||
}
|
||||
rci.ProvisionerID = p.GetID()
|
||||
opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
|
||||
|
||||
if provisioner.MethodFromContext(ctx) == provisioner.SSHRevokeMethod {
|
||||
err = a.db.RevokeSSH(rci)
|
||||
|
|
|
@ -1231,6 +1231,30 @@ func TestAuthority_Revoke(t *testing.T) {
|
|||
crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt")
|
||||
assert.FatalError(t, err)
|
||||
|
||||
return test{
|
||||
auth: _a,
|
||||
opts: &RevokeOptions{
|
||||
Crt: crt,
|
||||
Serial: "102012593071130646873265215610956555026",
|
||||
ReasonCode: reasonCode,
|
||||
Reason: reason,
|
||||
MTLS: true,
|
||||
},
|
||||
}
|
||||
},
|
||||
"ok/mTLS-no-provisioner": func() test {
|
||||
_a := testAuthority(t, WithDatabase(&db.MockAuthDB{}))
|
||||
|
||||
crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt")
|
||||
assert.FatalError(t, err)
|
||||
// Filter out provisioner extension.
|
||||
for i, ext := range crt.Extensions {
|
||||
if ext.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1}) {
|
||||
crt.Extensions = append(crt.Extensions[:i], crt.Extensions[i+1:]...)
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
return test{
|
||||
auth: _a,
|
||||
opts: &RevokeOptions{
|
||||
|
|
Loading…
Reference in a new issue