Merge pull request #1844 from smallstep/mariano/account-provisioner

Verify provisioner with id if available
3 weeks ago · ad0ac55b41
parent 14959dbb2e 192e90eea7
commit ad0ac55b41
3 changed files with 80 additions and 8 deletions
--- a/acme/api/account_test.go
+++ b/acme/api/account_test.go
@ -14,6 +14,7 @@ import (
 	"time"

 	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
 	"github.com/pkg/errors"

 	"go.step.sm/crypto/jose"
@ -66,6 +67,19 @@ func newProv() acme.Provisioner {
 	return p
 }

+func newProvWithID() acme.Provisioner {
+	// Initialize provisioners
+	p := &provisioner.ACME{
+		ID:   uuid.NewString(),
+		Type: "ACME",
+		Name: "test@acme-<test>provisioner.com",
+	}
+	if err := p.Init(provisioner.Config{Claims: globalProvisionerClaims}); err != nil {
+		fmt.Printf("%v", err)
+	}
+	return p
+}
+
 func newProvWithOptions(options *provisioner.Options) acme.Provisioner {
 	// Initialize provisioners
 	p := &provisioner.ACME{
--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@ -334,14 +334,16 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				// Verify that the provisioner with which the account was created
 				// matches the provisioner in the request URL.
 				reqProv := acme.MustProvisionerFromContext(ctx)
-				reqProvName := reqProv.GetName()
-				accProvName := acc.ProvisionerName
-				if reqProvName != accProvName {
-					// Provisioner in the URL must match the provisioner with
-					// which the account was created.
+				switch {
+				case acc.ProvisionerID == "" && acc.ProvisionerName != reqProv.GetName():
 					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
 						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-						accProvName, reqProvName))
+						acc.ProvisionerName, reqProv.GetName()))
+					return
+				case acc.ProvisionerID != "" && acc.ProvisionerID != reqProv.GetID():
+					render.Error(w, r, acme.NewError(acme.ErrorUnauthorizedType,
+						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
+						acc.ProvisionerID, reqProv.GetID()))
 					return
 				}
 			} else {
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@ -15,6 +15,7 @@ import (
 	"strings"
 	"testing"

+	"github.com/google/uuid"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	tassert "github.com/stretchr/testify/assert"
@ -831,8 +832,37 @@ func TestHandler_lookupJWK(t *testing.T) {
 				},
 				statusCode: http.StatusUnauthorized,
 				err: acme.NewError(acme.ErrorUnauthorizedType,
-					"account provisioner does not match requested provisioner; account provisioner = %s, reqested provisioner = %s",
-					prov.GetName(), "other"),
+					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
+					"other", prov.GetName()),
+			}
+		},
+		"fail/account-with-location-prefix/bad-provisioner-id": func(t *testing.T) test {
+			p := newProvWithID()
+			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: uuid.NewString()}
+			ctx := acme.NewProvisionerContext(context.Background(), p)
+			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
+			return test{
+				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
+				db: &acme.MockDB{
+					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
+						assert.Equals(t, id, accID)
+						return acc, nil
+					},
+				},
+				ctx: ctx,
+				next: func(w http.ResponseWriter, r *http.Request) {
+					_acc, err := accountFromContext(r.Context())
+					assert.FatalError(t, err)
+					assert.Equals(t, _acc, acc)
+					_jwk, err := jwkFromContext(r.Context())
+					assert.FatalError(t, err)
+					assert.Equals(t, _jwk, jwk)
+					w.Write(testBody)
+				},
+				statusCode: http.StatusUnauthorized,
+				err: acme.NewError(acme.ErrorUnauthorizedType,
+					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
+					acc.ProvisionerID, p.GetID()),
 			}
 		},
 		"ok/account-with-location-prefix": func(t *testing.T) test {
@ -885,6 +915,32 @@ func TestHandler_lookupJWK(t *testing.T) {
 				statusCode: 200,
 			}
 		},
+		"ok/account-with-provisioner-id": func(t *testing.T) test {
+			p := newProvWithID()
+			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: p.GetID()}
+			ctx := acme.NewProvisionerContext(context.Background(), p)
+			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
+			return test{
+				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
+				db: &acme.MockDB{
+					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
+						assert.Equals(t, id, accID)
+						return acc, nil
+					},
+				},
+				ctx: ctx,
+				next: func(w http.ResponseWriter, r *http.Request) {
+					_acc, err := accountFromContext(r.Context())
+					assert.FatalError(t, err)
+					assert.Equals(t, _acc, acc)
+					_jwk, err := jwkFromContext(r.Context())
+					assert.FatalError(t, err)
+					assert.Equals(t, _jwk, jwk)
+					w.Write(testBody)
+				},
+				statusCode: 200,
+			}
+		},
 	}
 	for name, run := range tests {
 		tc := run(t)