alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Allow mTLS revocation without provisioner.

Browse source
This commit is contained in:
Mariano Cano 2021-03-22 13:37:31 -07:00
parent 96de4e6ec8
commit 0b8528ce6b
2 changed files with 29 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
authority/tls.go
View file

@ -334,22 +334,21 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
if !ok { if !ok {
return errs.InternalServer("authority.Revoke; provisioner not found", opts...) return errs.InternalServer("authority.Revoke; provisioner not found", opts...)
} }
rci.ProvisionerID = p.GetID()
rci.TokenID, err = p.GetTokenID(revokeOpts.OTT) rci.TokenID, err = p.GetTokenID(revokeOpts.OTT)
if err != nil { if err != nil {
return errs.Wrap(http.StatusInternalServerError, err, return errs.Wrap(http.StatusInternalServerError, err,
"authority.Revoke; could not get ID for token") "authority.Revoke; could not get ID for token")
} }
opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
opts = append(opts, errs.WithKeyVal("tokenID", rci.TokenID)) opts = append(opts, errs.WithKeyVal("tokenID", rci.TokenID))
} else { } else {
// Load the Certificate provisioner if one exists. // Load the Certificate provisioner if one exists.
p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt) if p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt); err == nil {
if err != nil {
return errs.Wrap(http.StatusUnauthorized, err,
"authority.Revoke: unable to load certificate provisioner", opts...)
}
}
rci.ProvisionerID = p.GetID() rci.ProvisionerID = p.GetID()
opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID)) opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
}
}
if provisioner.MethodFromContext(ctx) == provisioner.SSHRevokeMethod { if provisioner.MethodFromContext(ctx) == provisioner.SSHRevokeMethod {
err = a.db.RevokeSSH(rci) err = a.db.RevokeSSH(rci)

24
authority/tls_test.go
View file

@ -1231,6 +1231,30 @@ func TestAuthority_Revoke(t *testing.T) {
crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt") crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt")
assert.FatalError(t, err) assert.FatalError(t, err)
return test{
auth: _a,
opts: &RevokeOptions{
Crt: crt,
Serial: "102012593071130646873265215610956555026",
ReasonCode: reasonCode,
Reason: reason,
MTLS: true,
},
}
},
"ok/mTLS-no-provisioner": func() test {
_a := testAuthority(t, WithDatabase(&db.MockAuthDB{}))
crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt")
assert.FatalError(t, err)
// Filter out provisioner extension.
for i, ext := range crt.Extensions {
if ext.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1}) {
crt.Extensions = append(crt.Extensions[:i], crt.Extensions[i+1:]...)
break
}
}
return test{ return test{
auth: _a, auth: _a,
opts: &RevokeOptions{ opts: &RevokeOptions{