Allow mTLS revocation without provisioner.

3 years ago · 0b8528ce6b
parent 96de4e6ec8
commit 0b8528ce6b
2 changed files with 29 additions and 6 deletions
--- a/authority/tls.go
+++ b/authority/tls.go
@ -334,22 +334,21 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
 		if !ok {
 			return errs.InternalServer("authority.Revoke; provisioner not found", opts...)
 		}
+		rci.ProvisionerID = p.GetID()
 		rci.TokenID, err = p.GetTokenID(revokeOpts.OTT)
 		if err != nil {
 			return errs.Wrap(http.StatusInternalServerError, err,
 				"authority.Revoke; could not get ID for token")
 		}
+		opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
 		opts = append(opts, errs.WithKeyVal("tokenID", rci.TokenID))
 	} else {
 		// Load the Certificate provisioner if one exists.
-		p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt)
-		if err != nil {
-			return errs.Wrap(http.StatusUnauthorized, err,
-				"authority.Revoke: unable to load certificate provisioner", opts...)
+		if p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt); err == nil {
+			rci.ProvisionerID = p.GetID()
+			opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
 		}
 	}
-	rci.ProvisionerID = p.GetID()
-	opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))

 	if provisioner.MethodFromContext(ctx) == provisioner.SSHRevokeMethod {
 		err = a.db.RevokeSSH(rci)
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@ -1231,6 +1231,30 @@ func TestAuthority_Revoke(t *testing.T) {
 			crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt")
 			assert.FatalError(t, err)

+			return test{
+				auth: _a,
+				opts: &RevokeOptions{
+					Crt:        crt,
+					Serial:     "102012593071130646873265215610956555026",
+					ReasonCode: reasonCode,
+					Reason:     reason,
+					MTLS:       true,
+				},
+			}
+		},
+		"ok/mTLS-no-provisioner": func() test {
+			_a := testAuthority(t, WithDatabase(&db.MockAuthDB{}))
+
+			crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt")
+			assert.FatalError(t, err)
+			// Filter out provisioner extension.
+			for i, ext := range crt.Extensions {
+				if ext.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1}) {
+					crt.Extensions = append(crt.Extensions[:i], crt.Extensions[i+1:]...)
+					break
+				}
+			}
+
 			return test{
 				auth: _a,
 				opts: &RevokeOptions{