Verify provisioner with id if available

This commit allows verifying the account provisioner with the request provisioner using the ID instead of the name. When the provisioner are stored in the DB, the provisioner ID is not mutable but the name is.
3 weeks ago · 5fa5a63de8
parent e3ba702811
commit 5fa5a63de8
3 changed files with 88 additions and 11 deletions
--- a/acme/api/account_test.go
+++ b/acme/api/account_test.go
@ -14,6 +14,7 @@ import (
 	"time"

 	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
 	"github.com/pkg/errors"

 	"go.step.sm/crypto/jose"
@ -66,6 +67,19 @@ func newProv() acme.Provisioner {
 	return p
 }

+func newProvWithID() acme.Provisioner {
+	// Initialize provisioners
+	p := &provisioner.ACME{
+		ID:   uuid.NewString(),
+		Type: "ACME",
+		Name: "test@acme-<test>provisioner.com",
+	}
+	if err := p.Init(provisioner.Config{Claims: globalProvisionerClaims}); err != nil {
+		fmt.Printf("%v", err)
+	}
+	return p
+}
+
 func newProvWithOptions(options *provisioner.Options) acme.Provisioner {
 	// Initialize provisioners
 	p := &provisioner.ACME{
--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@ -334,15 +334,22 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				// Verify that the provisioner with which the account was created
 				// matches the provisioner in the request URL.
 				reqProv := acme.MustProvisionerFromContext(ctx)
-				reqProvName := reqProv.GetName()
-				accProvName := acc.ProvisionerName
-				if reqProvName != accProvName {
-					// Provisioner in the URL must match the provisioner with
-					// which the account was created.
-					render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
-						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
-						accProvName, reqProvName))
-					return
+				if acc.ProvisionerID == "" || reqProv.GetID() != acc.ProvisionerID {
+					reqProvisioner := reqProv.GetName()
+					accProvisioner := acc.ProvisionerName
+					if reqProvisioner != accProvisioner {
+						// Show IDs if names are not available
+						if accProvisioner == "" && acc.ProvisionerID != "" {
+							reqProvisioner = reqProv.GetID()
+							accProvisioner = acc.ProvisionerID
+						}
+						// Provisioner in the URL must match the provisioner with
+						// which the account was created.
+						render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
+							"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
+							accProvisioner, reqProvisioner))
+						return
+					}
 				}
 			} else {
 				// This code will only execute for old ACME accounts that do
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@ -15,6 +15,7 @@ import (
 	"strings"
 	"testing"

+	"github.com/google/uuid"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	tassert "github.com/stretchr/testify/assert"
@ -831,8 +832,37 @@ func TestHandler_lookupJWK(t *testing.T) {
 				},
 				statusCode: http.StatusUnauthorized,
 				err: acme.NewError(acme.ErrorUnauthorizedType,
-					"account provisioner does not match requested provisioner; account provisioner = %s, reqested provisioner = %s",
-					prov.GetName(), "other"),
+					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
+					"other", prov.GetName()),
+			}
+		},
+		"fail/account-with-location-prefix/bad-provisioner-id": func(t *testing.T) test {
+			p := newProvWithID()
+			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: uuid.NewString()}
+			ctx := acme.NewProvisionerContext(context.Background(), p)
+			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
+			return test{
+				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
+				db: &acme.MockDB{
+					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
+						assert.Equals(t, id, accID)
+						return acc, nil
+					},
+				},
+				ctx: ctx,
+				next: func(w http.ResponseWriter, r *http.Request) {
+					_acc, err := accountFromContext(r.Context())
+					assert.FatalError(t, err)
+					assert.Equals(t, _acc, acc)
+					_jwk, err := jwkFromContext(r.Context())
+					assert.FatalError(t, err)
+					assert.Equals(t, _jwk, jwk)
+					w.Write(testBody)
+				},
+				statusCode: http.StatusUnauthorized,
+				err: acme.NewError(acme.ErrorUnauthorizedType,
+					"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
+					acc.ProvisionerID, p.GetID()),
 			}
 		},
 		"ok/account-with-location-prefix": func(t *testing.T) test {
@ -885,6 +915,32 @@ func TestHandler_lookupJWK(t *testing.T) {
 				statusCode: 200,
 			}
 		},
+		"ok/account-with-provisioner-id": func(t *testing.T) test {
+			p := newProvWithID()
+			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerID: p.GetID()}
+			ctx := acme.NewProvisionerContext(context.Background(), p)
+			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
+			return test{
+				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
+				db: &acme.MockDB{
+					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
+						assert.Equals(t, id, accID)
+						return acc, nil
+					},
+				},
+				ctx: ctx,
+				next: func(w http.ResponseWriter, r *http.Request) {
+					_acc, err := accountFromContext(r.Context())
+					assert.FatalError(t, err)
+					assert.Equals(t, _acc, acc)
+					_jwk, err := jwkFromContext(r.Context())
+					assert.FatalError(t, err)
+					assert.Equals(t, _jwk, jwk)
+					w.Write(testBody)
+				},
+				statusCode: 200,
+			}
+		},
 	}
 	for name, run := range tests {
 		tc := run(t)