smallstep-certificates/api/sshRevoke.go

package api

import (
	"net/http"

	"golang.org/x/crypto/ocsp"

	"github.com/smallstep/certificates/api/read"
	"github.com/smallstep/certificates/api/render"
	"github.com/smallstep/certificates/authority"
	"github.com/smallstep/certificates/authority/provisioner"
	"github.com/smallstep/certificates/errs"
	"github.com/smallstep/certificates/logging"
)

// SSHRevokeResponse is the response object that returns the health of the server.
type SSHRevokeResponse struct {
	Status string `json:"status"`
}

// SSHRevokeRequest is the request body for a revocation request.
type SSHRevokeRequest struct {
	Serial     string `json:"serial"`
	OTT        string `json:"ott"`
	ReasonCode int    `json:"reasonCode"`
	Reason     string `json:"reason"`
	Passive    bool   `json:"passive"`
}

// Validate checks the fields of the RevokeRequest and returns nil if they are ok
// or an error if something is wrong.
func (r *SSHRevokeRequest) Validate() (err error) {
	if r.Serial == "" {
		return errs.BadRequest("missing serial")
	}
	if r.ReasonCode < ocsp.Unspecified || r.ReasonCode > ocsp.AACompromise {
		return errs.BadRequest("reasonCode out of bounds")
	}
	if !r.Passive {
		return errs.NotImplemented("non-passive revocation not implemented")
	}
	if r.OTT == "" {
		return errs.BadRequest("missing ott")
	}
	return
}

// Revoke supports handful of different methods that revoke a Certificate.
//
// NOTE: currently only Passive revocation is supported.
func SSHRevoke(w http.ResponseWriter, r *http.Request) {
	var body SSHRevokeRequest
	if err := read.JSON(r.Body, &body); err != nil {
		render.Error(w, errs.BadRequestErr(err, "error reading request body"))
		return
	}

	if err := body.Validate(); err != nil {
		render.Error(w, err)
		return
	}

	opts := &authority.RevokeOptions{
		Serial:      body.Serial,
		Reason:      body.Reason,
		ReasonCode:  body.ReasonCode,
		PassiveOnly: body.Passive,
	}

	ctx := provisioner.NewContextWithMethod(r.Context(), provisioner.SSHRevokeMethod)
	a := mustAuthority(ctx)

	// A token indicates that we are using the api via a provisioner token,
	// otherwise it is assumed that the certificate is revoking itself over mTLS.
	logOtt(w, body.OTT)

	if _, err := a.Authorize(ctx, body.OTT); err != nil {
		render.Error(w, errs.UnauthorizedErr(err))
		return
	}
	opts.OTT = body.OTT

	if err := a.Revoke(ctx, opts); err != nil {
		render.Error(w, errs.ForbiddenErr(err, "error revoking ssh certificate"))
		return
	}

	logSSHRevoke(w, opts)
	render.JSON(w, &SSHRevokeResponse{Status: "ok"})
}

func logSSHRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {
	if rl, ok := w.(logging.ResponseLogger); ok {
		rl.WithFields(map[string]interface{}{
			"serial":      ri.Serial,
			"reasonCode":  ri.ReasonCode,
			"reason":      ri.Reason,
			"passiveOnly": ri.PassiveOnly,
			"mTLS":        ri.MTLS,
			"ssh":         true,
		})
	}
}
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`package api`

			`import (`
			`"net/http"`

api: refactored to use the read package 2022-03-18 13:25:34 +00:00			`"golang.org/x/crypto/ocsp"`

			`"github.com/smallstep/certificates/api/read"`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`"github.com/smallstep/certificates/api/render"`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`"github.com/smallstep/certificates/authority"`
			`"github.com/smallstep/certificates/authority/provisioner"`
Move api errors to their own package and modify the typedef 2019-12-16 07:54:25 +00:00			`"github.com/smallstep/certificates/errs"`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`"github.com/smallstep/certificates/logging"`
			`)`

			`// SSHRevokeResponse is the response object that returns the health of the server.`
			`type SSHRevokeResponse struct {`
			Status string `json:"status"`
			`}`

			`// SSHRevokeRequest is the request body for a revocation request.`
			`type SSHRevokeRequest struct {`
			Serial string `json:"serial"`
			OTT string `json:"ott"`
			ReasonCode int `json:"reasonCode"`
			Reason string `json:"reason"`
			Passive bool `json:"passive"`
			`}`

			`// Validate checks the fields of the RevokeRequest and returns nil if they are ok`
			`// or an error if something is wrong.`
			`func (r *SSHRevokeRequest) Validate() (err error) {`
			`if r.Serial == "" {`
Simplify statuscoder error generators. 2020-01-24 06:04:34 +00:00			`return errs.BadRequest("missing serial")`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`}`
			`if r.ReasonCode < ocsp.Unspecified \|\| r.ReasonCode > ocsp.AACompromise {`
Simplify statuscoder error generators. 2020-01-24 06:04:34 +00:00			`return errs.BadRequest("reasonCode out of bounds")`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`}`
			`if !r.Passive {`
Simplify statuscoder error generators. 2020-01-24 06:04:34 +00:00			`return errs.NotImplemented("non-passive revocation not implemented")`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`}`
Introduce gocritic linter and address warnings 2021-10-08 18:59:57 +00:00			`if r.OTT == "" {`
Simplify statuscoder error generators. 2020-01-24 06:04:34 +00:00			`return errs.BadRequest("missing ott")`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`}`
			`return`
			`}`

			`// Revoke supports handful of different methods that revoke a Certificate.`
			`//`
			`// NOTE: currently only Passive revocation is supported.`
Retrieve the authority from the context in api methods. 2022-04-26 19:58:40 +00:00			`func SSHRevoke(w http.ResponseWriter, r *http.Request) {`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`var body SSHRevokeRequest`
api: refactored to use the read package 2022-03-18 13:25:34 +00:00			`if err := read.JSON(r.Body, &body); err != nil {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, errs.BadRequestErr(err, "error reading request body"))`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`return`
			`}`

			`if err := body.Validate(); err != nil {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, err)`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`return`
			`}`

			`opts := &authority.RevokeOptions{`
			`Serial: body.Serial,`
			`Reason: body.Reason,`
			`ReasonCode: body.ReasonCode,`
			`PassiveOnly: body.Passive,`
			`}`

Add context parameter to all SSH methods. 2020-03-11 02:01:45 +00:00			`ctx := provisioner.NewContextWithMethod(r.Context(), provisioner.SSHRevokeMethod)`
Retrieve the authority from the context in api methods. 2022-04-26 19:58:40 +00:00			`a := mustAuthority(ctx)`

sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`// A token indicates that we are using the api via a provisioner token,`
			`// otherwise it is assumed that the certificate is revoking itself over mTLS.`
			`logOtt(w, body.OTT)`
Retrieve the authority from the context in api methods. 2022-04-26 19:58:40 +00:00
			`if _, err := a.Authorize(ctx, body.OTT); err != nil {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, errs.UnauthorizedErr(err))`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`return`
			`}`
			`opts.OTT = body.OTT`

Retrieve the authority from the context in api methods. 2022-04-26 19:58:40 +00:00			`if err := a.Revoke(ctx, opts); err != nil {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, errs.ForbiddenErr(err, "error revoking ssh certificate"))`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`return`
			`}`

			`logSSHRevoke(w, opts)`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.JSON(w, &SSHRevokeResponse{Status: "ok"})`
sshpop provisioner + ssh renew \| revoke \| rekey first pass 2019-10-28 18:50:43 +00:00			`}`

			`func logSSHRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {`
			`if rl, ok := w.(logging.ResponseLogger); ok {`
			`rl.WithFields(map[string]interface{}{`
			`"serial": ri.Serial,`
			`"reasonCode": ri.ReasonCode,`
			`"reason": ri.Reason,`
			`"passiveOnly": ri.PassiveOnly,`
			`"mTLS": ri.MTLS,`
			`"ssh": true,`
			`})`
			`}`
			`}`