alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Recalculate token id instead of validating it.

Browse source
This commit is contained in:
Mariano Cano 2020-12-17 14:52:34 -08:00
parent 86c947babc
commit 5017b7d21f
2 changed files with 5 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
authority/provisioner/aws.go
View file

@ -284,7 +284,11 @@ func (p *AWS) GetTokenID(token string) (string, error) {
sum := sha256.Sum256([]byte(token)) sum := sha256.Sum256([]byte(token))
return strings.ToLower(hex.EncodeToString(sum[:])), nil return strings.ToLower(hex.EncodeToString(sum[:])), nil
} }
return payload.ID, nil
// Use provisioner + instance-id as the identifier.
unique := fmt.Sprintf("%s.%s", p.GetID(), payload.document.InstanceID)
sum := sha256.Sum256([]byte(unique))
return strings.ToLower(hex.EncodeToString(sum[:])), nil
} }
// GetName returns the name of the provisioner. // GetName returns the name of the provisioner.
@ -631,13 +635,6 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
return nil, errs.Unauthorized("aws.authorizeToken; aws identity document region cannot be empty") return nil, errs.Unauthorized("aws.authorizeToken; aws identity document region cannot be empty")
} }
// Recalculate and validate payload.ID
unique := fmt.Sprintf("%s.%s", p.GetID(), doc.InstanceID)
sum := sha256.Sum256([]byte(unique))
if payload.ID != strings.ToLower(hex.EncodeToString(sum[:])) {
return nil, errs.Unauthorized("aws.authorizeToken; invalid token id")
}
// According to "rfc7519 JSON Web Token" acceptable skew should be no // According to "rfc7519 JSON Web Token" acceptable skew should be no
// more than a few minutes. // more than a few minutes.
now := time.Now().UTC() now := time.Now().UTC()

16
authority/provisioner/aws_test.go
View file

@ -470,22 +470,6 @@ func TestAWS_authorizeToken(t *testing.T) {
err: errors.New("aws.authorizeToken; aws identity document pendingTime is too old"), err: errors.New("aws.authorizeToken; aws identity document pendingTime is too old"),
} }
}, },
"fail/payloadId": func(t *testing.T) test {
p, err := generateAWS()
assert.FatalError(t, err)
p2, err := generateAWS()
assert.FatalError(t, err)
tok, err := generateAWSToken(
p2, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
"127.0.0.1", "us-west-1", time.Now(), key)
assert.FatalError(t, err)
return test{
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("aws.authorizeToken; invalid token id"),
}
},
"ok": func(t *testing.T) test { "ok": func(t *testing.T) test {
p, err := generateAWS() p, err := generateAWS()
assert.FatalError(t, err) assert.FatalError(t, err)