From ce9a23a0f7d6f4586b498e4a18c666577e712d81 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 25 May 2022 16:55:22 -0700 Subject: [PATCH 1/3] Fix SSH certificate revocation --- CHANGELOG.md | 1 + authority/tls.go | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fdd504e2..cab6e7e3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Deprecated ### Removed ### Fixed +- Fixed SSH revocation. ### Security ## [0.19.0] - 2022-04-19 diff --git a/authority/tls.go b/authority/tls.go index fd21ae98..4c29ca15 100644 --- a/authority/tls.go +++ b/authority/tls.go @@ -560,7 +560,7 @@ func (a *Authority) revokeSSH(crt *ssh.Certificate, rci *db.RevokedCertificateIn }); ok { return lca.RevokeSSH(crt, rci) } - return a.db.Revoke(rci) + return a.db.RevokeSSH(rci) } // GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server. From 9c049eec5a4641215b0d35bdb28ca789b2944b4e Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 25 May 2022 17:10:07 -0700 Subject: [PATCH 2/3] Add revoke ssh unit test --- authority/tls_test.go | 45 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/authority/tls_test.go b/authority/tls_test.go index 9330f0a3..23d2f8fa 100644 --- a/authority/tls_test.go +++ b/authority/tls_test.go @@ -1301,8 +1301,11 @@ func TestAuthority_Revoke(t *testing.T) { a := testAuthority(t) + tlsRevokeCtx := provisioner.NewContextWithMethod(context.Background(), provisioner.RevokeMethod) + type test struct { auth *Authority + ctx context.Context opts *RevokeOptions err error code int @@ -1312,6 +1315,7 @@ func TestAuthority_Revoke(t *testing.T) { "fail/token/authorizeRevoke error": func() test { return test{ auth: a, + ctx: tlsRevokeCtx, opts: &RevokeOptions{ OTT: "foo", Serial: "sn", 
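Review bot: The re-routed return is the right fix, but nothing in `revokeSSH` now records why the two stores must not be mixed, which is exactly how `a.db.Revoke` slipped in; a comment on the final return would carry that: `// SSH revocations have their own table: db.Revoke records X.509 serials, and an SSH cert written there is never consulted by the SSH revocation check.` That last clause is inferred from the separate Revoke/RevokeSSH methods and from the mock in the following patch, not from code visible here, so confirm it against the db package before committing the wording. If it holds, deployments that ran the old code presumably hold their SSH revocations under the X.509 store and those certificates would need to be revoked again, which is worth stating in the CHANGELOG under Security rather than as a plain "Fixed SSH revocation." `revokeSSH` begins before this hunk.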
@@ -1336,6 +1340,7 @@ func TestAuthority_Revoke(t *testing.T) { return test{ auth: a, + ctx: tlsRevokeCtx, opts: &RevokeOptions{ Serial: "sn", ReasonCode: reasonCode, @@ -1375,6 +1380,7 @@ func TestAuthority_Revoke(t *testing.T) { return test{ auth: _a, + ctx: tlsRevokeCtx, opts: &RevokeOptions{ Serial: "sn", ReasonCode: reasonCode, @@ -1414,6 +1420,7 @@ func TestAuthority_Revoke(t *testing.T) { return test{ auth: _a, + ctx: tlsRevokeCtx, opts: &RevokeOptions{ Serial: "sn", ReasonCode: reasonCode, @@ -1451,6 +1458,7 @@ func TestAuthority_Revoke(t *testing.T) { assert.FatalError(t, err) return test{ auth: _a, + ctx: tlsRevokeCtx, opts: &RevokeOptions{ Serial: "sn", ReasonCode: reasonCode, @@ -1467,6 +1475,7 @@ func TestAuthority_Revoke(t *testing.T) { return test{ auth: _a, + ctx: tlsRevokeCtx, opts: &RevokeOptions{ Crt: crt, Serial: "102012593071130646873265215610956555026", @@ -1491,6 +1500,7 @@ func TestAuthority_Revoke(t *testing.T) { return test{ auth: _a, + ctx: tlsRevokeCtx, opts: &RevokeOptions{ Crt: crt, Serial: "102012593071130646873265215610956555026", @@ -1508,6 +1518,7 @@ func TestAuthority_Revoke(t *testing.T) { return test{ auth: _a, + ctx: tlsRevokeCtx, opts: &RevokeOptions{ Crt: crt, Serial: "102012593071130646873265215610956555026", 
@@ -1517,12 +1528,42 @@ func TestAuthority_Revoke(t *testing.T) { }, } }, + "ok/ssh": func() test { + a := testAuthority(t, WithDatabase(&db.MockAuthDB{ + MRevoke: func(rci *db.RevokedCertificateInfo) error { + return errors.New("Revoke was called") + }, + MRevokeSSH: func(rci *db.RevokedCertificateInfo) error { + return nil + }, + })) + + cl := jwt.Claims{ + Subject: "sn", + Issuer: validIssuer, + NotBefore: jwt.NewNumericDate(now), + Expiry: jwt.NewNumericDate(now.Add(time.Minute)), + Audience: validAudience, + ID: "44", + } + raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize() + assert.FatalError(t, err) + return test{ + auth: a, + ctx: provisioner.NewContextWithMethod(context.Background(), provisioner.SSHRevokeMethod), + opts: &RevokeOptions{ + Serial: "sn", + ReasonCode: reasonCode, + Reason: reason, + OTT: raw, + }, + } + }, } for name, f := range tests { tc := f() t.Run(name, func(t *testing.T) { - ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RevokeMethod) - if err := tc.auth.Revoke(ctx, tc.opts); err != nil { + if err := tc.auth.Revoke(tc.ctx, tc.opts); err != nil { if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) { sc, ok := err.(render.StatusCodedError) assert.Fatal(t, ok, "error does not implement StatusCodedError interface") From 2adf8caac7f986d93d2fc1daaaa1d9dcf14d36a9 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 25 May 2022 17:11:45 -0700 Subject: [PATCH 3/3] Fix Dependabot warning on an indirect dependency --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 0b772018..546ec53d 100644 --- a/go.mod +++ b/go.mod @@ -58,7 +58,7 @@ require ( google.golang.org/grpc v1.45.0 google.golang.org/protobuf v1.28.0 gopkg.in/square/go-jose.v2 v2.6.0 - gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect + gopkg.in/yaml.v3 v3.0.0 // indirect ) // replace github.com/smallstep/nosql => ../nosql 
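Review bot: The loop now hands `tc.ctx` straight to `Revoke`, so any table entry that does not set `ctx` passes a nil context where the old loop always supplied the TLS revoke method; the hunks update every case visible here, but `TestAuthority_Revoke` starts before this hunk and may hold entries outside this view, so a nil fallback keeps them on the old path. The `ok/ssh` case also passes whenever `MRevokeSSH` is reached, without looking at `rci`; checking `rci.Serial == "sn"` inside the stub would pin that the SSH path forwards the request data and not only that it is selected (this assumes `Revoke` copies `opts.Serial` into the record, which the visible lines do not show).
```go
	t.Run(name, func(t *testing.T) {
		ctx := tc.ctx
		if ctx == nil {
			ctx = tlsRevokeCtx // entries that predate the ctx field keep the TLS revoke method
		}
		if err := tc.auth.Revoke(ctx, tc.opts); err != nil {
			// … unchanged: error and status-code assertions …
```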
diff --git a/go.sum b/go.sum
index d76648c2..32a27e27 100644
--- a/go.sum
+++ b/go.sum
@@ -1347,8 +1347,8 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=