From 0b8528ce6b47b53ce0f08f5edde447fd2ec95ec2 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 22 Mar 2021 13:37:31 -0700
Subject: [PATCH] Allow mTLS revocation without provisioner.

---
 authority/tls.go | 11 +++++------
 authority/tls_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/authority/tls.go b/authority/tls.go
index 6b46ac54..c848d188 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -334,22 +334,21 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
 if !ok {
 return errs.InternalServer("authority.Revoke; provisioner not found", opts...)
 }
+ rci.ProvisionerID = p.GetID()
 rci.TokenID, err = p.GetTokenID(revokeOpts.OTT)
 if err != nil {
 return errs.Wrap(http.StatusInternalServerError, err,
 "authority.Revoke; could not get ID for token")
 }
+ opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
 opts = append(opts, errs.WithKeyVal("tokenID", rci.TokenID))
 } else {
 // Load the Certificate provisioner if one exists.
- p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt)
- if err != nil {
- return errs.Wrap(http.StatusUnauthorized, err,
- "authority.Revoke: unable to load certificate provisioner", opts...)
+ if p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt); err == nil {
+ rci.ProvisionerID = p.GetID()
+ opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
 }
 }
- rci.ProvisionerID = p.GetID()
- opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
 
 if provisioner.MethodFromContext(ctx) == provisioner.SSHRevokeMethod {
 err = a.db.RevokeSSH(rci)
diff --git a/authority/tls_test.go b/authority/tls_test.go
index bf629a0d..4c936f0c 100644
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
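Review bot: The rewritten else branch in Revoke discards every error from `LoadProvisionerByCertificate`, so a certificate that does carry a provisioner extension but fails the lookup (a provisioner since removed, a malformed extension) is now treated exactly like the no-extension case the commit targets, and `rci` reaches `a.db.RevokeSSH(rci)` with ProvisionerID left at its zero value in both cases. What was a 401 is now a success with no trace of why the binding was lost, which weakens the audit trail for mTLS revocations, where, as far as this hunk shows, the provisioner ID was the only issuer attribution attached to the record. I would at least keep the dropped error in the error context, `} else { opts = append(opts, errs.WithKeyVal("provisionerError", err.Error())) }`, and tolerate only the specific no-extension outcome if the loader can distinguish it from other failures. The ignored error is also left in the function-wide `err`, which the visible SSH branch immediately overwrites but any code added between would not; scoping it, `if cp, lerr := a.LoadProvisionerByCertificate(revokeOpts.Crt); lerr == nil {`, removes the stale non-nil value. Revoke begins and ends outside the hunk, so whether revokeOpts.Crt is checked against revokeOpts.Serial is not visible here; that check now carries the whole authorization for this path, since the provisioner binding no longer does.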
@@ -1231,6 +1231,30 @@ func TestAuthority_Revoke(t *testing.T) {
 crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt")
 assert.FatalError(t, err)
+ return test{
+ auth: _a,
+ opts: &RevokeOptions{
+ Crt: crt,
+ Serial: "102012593071130646873265215610956555026",
+ ReasonCode: reasonCode,
+ Reason: reason,
+ MTLS: true,
+ },
+ }
+ },
+ "ok/mTLS-no-provisioner": func() test {
+ _a := testAuthority(t, WithDatabase(&db.MockAuthDB{}))
+ crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt")
+ assert.FatalError(t, err)
+ // Filter out provisioner extension.
+ for i, ext := range crt.Extensions {
+ if ext.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1}) {
+ crt.Extensions = append(crt.Extensions[:i], crt.Extensions[i+1:]...)
+ break
+ }
+ }
 return test{
 auth: _a,
 opts: &RevokeOptions{
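Review bot: The new `ok/mTLS-no-provisioner` case strips the provisioner extension and expects Revoke to succeed, but nothing in the hunk pins what gets recorded, so the expected empty ProvisionerID on the stored record is never asserted and the case cannot distinguish a correct no-provisioner entry from one that silently bound the wrong provisioner. Since the tls.go change also accepts a certificate whose extension names a provisioner the authority cannot load, a companion case that keeps the extension but points it at an unknown provisioner would document whether that outcome is intended. Both could assert through the `db.MockAuthDB` revoke hook, if it exposes one, by checking `rci.ProvisionerID == ""` inside the mock; the `test` struct fields and the loop that runs the cases lie outside the hunk, so if an existing expectation already covers this, disregard.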