Merge branch 'main' into fix-647
aricart authored May 31, 2024
2 parents 9c922c0 + f3aaabc commit 2a90ce0
Showing 4 changed files with 70 additions and 6 deletions.
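--- a/cmd/adduser.go
+++ b/cmd/adduser.go
@@ -222,6 +222,20 @@ func (p *AddUserParams) Validate(ctx ActionCtx) error {
 p.userName = GetRandomName(0)
 }
 
+s := ctx.StoreCtx().Store
+claim, err := s.ReadAccountClaim(p.AccountContextParams.Name)
+if err != nil {
+return fmt.Errorf("reading account %q failed: %v", p.AccountContextParams.Name, err)
+}
+
+o, err := s.ReadOperatorClaim()
+if err != nil {
+return err
+}
+if o.StrictSigningKeyUsage && len(claim.SigningKeys) == 0 {
+return errors.New("unable to issue users when operator requires signing keys and the account has none")
+}
+
 if err = p.AccountContextParams.Validate(ctx); err != nil {
 return err
 }
@@ -253,12 +267,11 @@ func (p *AddUserParams) Validate(ctx ActionCtx) error {
 }
 }
 
-s := ctx.StoreCtx().Store
-if claim, err := s.ReadAccountClaim(p.AccountContextParams.Name); err != nil {
-return fmt.Errorf("reading account %q failed: %v", p.AccountContextParams.Name, err)
-} else if claim.Limits.DisallowBearer && p.bearer {
+if claim.Limits.DisallowBearer && p.bearer {
 return fmt.Errorf("account %q forbids the use of bearer token", p.AccountContextParams.Name)
-} else if s.Has(store.Accounts, p.AccountContextParams.Name, store.Users, store.JwtName(p.userName)) {
+}
+
+if s.Has(store.Accounts, p.AccountContextParams.Name, store.Users, store.JwtName(p.userName)) {
 return fmt.Errorf("the user %q already exists", p.userName)
 }
 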
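Review bot: In the first hunk the new `s.ReadAccountClaim(p.AccountContextParams.Name)` call and the strict-signing-key check run before `p.AccountContextParams.Validate(ctx)`, so the store is read with an account name that has not been validated yet, and a missing or malformed name would presumably now surface as `reading account ... failed` rather than as the validation error. Moving the added block to just after the `Validate` call restores the old ordering and still rejects the request before any user is issued. The operator read returns the bare error; `return fmt.Errorf("reading operator claim failed: %w", err)` would match the account branch above it. The check only establishes that the account has a signing key; whether the user is then actually signed with one is decided outside these hunks, and Validate's body starts and ends outside them.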
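--- a/cmd/adduser_test.go
+++ b/cmd/adduser_test.go
@@ -601,3 +601,23 @@ func Test_AddUserBadName(t *testing.T) {
 require.Error(t, err)
 require.Contains(t, err.Error(), "name cannot contain '/' or '\\'")
 }
+
+func Test_AddUserRequireSk(t *testing.T) {
+ts := NewTestStore(t, "0")
+defer ts.Done(t)
+
+_, _, err := ExecuteCmd(createEditOperatorCmd(), "--require-signing-keys", "--sk", "generate")
+require.NoError(t, err)
+
+ts.AddAccount(t, "A")
+
+_, _, err = ExecuteCmd(CreateAddUserCmd(), "U")
+require.Error(t, err)
+require.Equal(t, "unable to issue users when operator requires signing keys and the account has none", err.Error())
+
+_, _, err = ExecuteCmd(createEditAccount(), "--sk", "generate")
+require.NoError(t, err)
+
+_, _, err = ExecuteCmd(CreateAddUserCmd(), "U")
+require.NoError(t, err)
+}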
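Review bot: Test_AddUserRequireSk stops at `require.NoError` for the second `CreateAddUserCmd()` call and never checks who signed the resulting user, which is the property `--require-signing-keys` is meant to enforce. After that final assertion, read user U's claim back from the test store and assert that its issuer is the signing key generated for account A rather than A's identity key. As far as the visible assertions go, a regression that falls back to signing with the account identity key would still pass this test.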
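--- a/cmd/editoperator.go
+++ b/cmd/editoperator.go
@@ -16,6 +16,7 @@
 package cmd
 
 import (
+"errors"
 "fmt"
 "strings"
 
@@ -111,7 +112,7 @@ func (p *EditOperatorParams) Load(ctx ActionCtx) error {
 p.sysAcc = oc.SystemAccount
 }
 
-if !p.reqSk {
+if !ctx.CurrentCmd().Flags().Changed("require-signing-keys") {
 p.reqSk = oc.StrictSigningKeyUsage
 }
 
@@ -254,6 +255,7 @@ func (p *EditOperatorParams) Validate(ctx ActionCtx) error {
 }
 }
 }
+
 if err = p.signingKeys.Valid(); err != nil {
 return err
 }
@@ -287,6 +289,12 @@ func (p *EditOperatorParams) Run(ctx ActionCtx) (store.Status, error) {
 p.claim.StrictSigningKeyUsage = p.reqSk
 r.AddOK("strict signing key usage set to: %t", p.reqSk)
 }
+
+if p.claim.StrictSigningKeyUsage && len(p.claim.SigningKeys) == 0 {
+fmt.Printf("%t\n", p.reqSk)
+return nil, errors.New("operator requires at least one signing key")
+}
+
 flags := ctx.CurrentCmd().Flags()
 p.claim.AccountServerURL = p.asu
 if flags.Changed("account-jwt-server-url") {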
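Review bot: The `fmt.Printf("%t\n", p.reqSk)` inside the new guard in Run looks like leftover debug output: it writes a bare boolean to stdout just before the error is returned, bypassing the report `r` that the surrounding lines use. Drop it so the branch is only `return nil, errors.New("operator requires at least one signing key")`. The guard also sits after `r.AddOK("strict signing key usage set to: %t", p.reqSk)`, and the hunk does not show where `--sk`/`--rm-sk` are applied to `p.claim.SigningKeys`; confirm those edits happen before this check, otherwise the invariant is evaluated against stale keys. Run's body starts and ends outside the hunk.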
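--- a/cmd/editoperator_test.go
+++ b/cmd/editoperator_test.go
@@ -397,3 +397,26 @@ func Test_ExpireShouldNotBeUnset(t *testing.T) {
 require.NoError(t, err)
 require.Equal(t, expires, oc.Expires)
 }
+
+func Test_CannotSetRequireSKWithoutSK(t *testing.T) {
+ts := NewTestStore(t, "0")
+defer ts.Done(t)
+
+_, _, err := ExecuteCmd(createEditOperatorCmd(), "--require-signing-keys")
+require.Error(t, err)
+require.Equal(t, "operator requires at least one signing key", err.Error())
+
+_, _, err = ExecuteCmd(createEditOperatorCmd(), "--require-signing-keys", "--sk", "generate")
+require.NoError(t, err)
+
+oc, err := ts.Store.ReadOperatorClaim()
+require.NoError(t, err)
+
+_, _, err = ExecuteCmd(createEditOperatorCmd(), "--require-signing-keys=false", "--rm-sk", oc.SigningKeys[0])
+require.NoError(t, err)
+
+oc, err = ts.Store.ReadOperatorClaim()
+require.NoError(t, err)
+require.False(t, oc.StrictSigningKeyUsage)
+require.Empty(t, oc.SigningKeys)
+}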
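Review bot: Test_CannotSetRequireSKWithoutSK never exercises removing the last signing key while strict usage stays on, which is the case the new guard in Run most needs to hold; it only covers enabling the flag without a key and disabling it together with `--rm-sk`. After the operator claim is first read back, add a step that runs `createEditOperatorCmd()` with only `--rm-sk` and `oc.SigningKeys[0]` and expects the error `operator requires at least one signing key`. `oc.SigningKeys[0]` is also indexed without a length check, so a store that ended up with no key panics instead of failing the test; `require.Len(t, oc.SigningKeys, 1)` before it gives a clean failure.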
