Add upstreamauthority commands and leverage the `UpstreamAuthorityS…

…ubjectKeyId` field in `AuthorityState` messages (#5518) - Add `upstreamauthority revoke` and `upstreamauthority taint` commands - Leverage the `UpstreamAuthoritySubjectKeyId` field in `AuthorityState` messages Signed-off-by: Agustín Martínez Fayó <[email protected]>
spiffe · Sep 27, 2024 · cfb994a · cfb994a
1 parent e9179be
commit cfb994a
Show file tree

Hide file tree

Showing 35 changed files with 765 additions and 322 deletions.
diff --git a/cmd/spire-server/cli/authoritycommon/authoritycommon.go b/cmd/spire-server/cli/authoritycommon/authoritycommon.go
@@ -1,170 +1,31 @@
-package authoritycommon_test
+package authoritycommon
 
 import (
-	"bytes"
-	"context"
-	"testing"
+	"time"
 
-	"github.com/mitchellh/cli"
 	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
-	"github.com/spiffe/spire/cmd/spire-server/cli/common"
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
-	"github.com/spiffe/spire/test/spiretest"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
 )
 
-var (
-	AvailableFormats = []string{"pretty", "json"}
-)
-
-type localAuthorityTest struct {
-	Stdin  *bytes.Buffer
-	Stdout *bytes.Buffer
-	Stderr *bytes.Buffer
-	Args   []string
-	Server *fakeLocalAuthorityServer
-	Client cli.Command
+func PrettyPrintJWTAuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState) {
+	prettyPrintAuthorityState(env, authorityState, false)
 }
 
-func (s *localAuthorityTest) afterTest(t *testing.T) {
-	t.Logf("TEST:%s", t.Name())
-	t.Logf("STDOUT:\n%s", s.Stdout.String())
-	t.Logf("STDIN:\n%s", s.Stdin.String())
-	t.Logf("STDERR:\n%s", s.Stderr.String())
+func PrettyPrintX509AuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState) {
+	prettyPrintAuthorityState(env, authorityState, true)
 }
 
-func SetupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *localAuthorityTest {
-	server := &fakeLocalAuthorityServer{}
-
-	addr := spiretest.StartGRPCServer(t, func(s *grpc.Server) {
-		localauthorityv1.RegisterLocalAuthorityServer(s, server)
-	})
-
-	stdin := new(bytes.Buffer)
-	stdout := new(bytes.Buffer)
-	stderr := new(bytes.Buffer)
-
-	client := newClient(&commoncli.Env{
-		Stdin:  stdin,
-		Stdout: stdout,
-		Stderr: stderr,
-	})
-
-	test := &localAuthorityTest{
-		Stdin:  stdin,
-		Stdout: stdout,
-		Stderr: stderr,
-		Args:   []string{common.AddrArg, common.GetAddr(addr)},
-		Server: server,
-		Client: client,
+func prettyPrintAuthorityState(env *commoncli.Env, authorityState *localauthorityv1.AuthorityState, includeUpstreamAuthority bool) {
+	env.Printf("  Authority ID: %s\n", authorityState.AuthorityId)
+	env.Printf("  Expires at: %s\n", time.Unix(authorityState.ExpiresAt, 0).UTC())
+	if !includeUpstreamAuthority {
+		return
 	}
 
-	t.Cleanup(func() {
-		test.afterTest(t)
-	})
-
-	return test
-}
-
-type fakeLocalAuthorityServer struct {
-	localauthorityv1.UnsafeLocalAuthorityServer
-
-	ActiveJWT,
-	PreparedJWT,
-	OldJWT,
-	ActiveX509,
-	PreparedX509,
-	OldX509,
-	TaintedX509,
-	RevokedX509,
-	TaintedJWT,
-	RevokedJWT *localauthorityv1.AuthorityState
-
-	Err error
-}
-
-func (s *fakeLocalAuthorityServer) GetJWTAuthorityState(context.Context, *localauthorityv1.GetJWTAuthorityStateRequest) (*localauthorityv1.GetJWTAuthorityStateResponse, error) {
-	return &localauthorityv1.GetJWTAuthorityStateResponse{
-		Active:   s.ActiveJWT,
-		Prepared: s.PreparedJWT,
-		Old:      s.OldJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) PrepareJWTAuthority(context.Context, *localauthorityv1.PrepareJWTAuthorityRequest) (*localauthorityv1.PrepareJWTAuthorityResponse, error) {
-	return &localauthorityv1.PrepareJWTAuthorityResponse{
-		PreparedAuthority: s.PreparedJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) ActivateJWTAuthority(context.Context, *localauthorityv1.ActivateJWTAuthorityRequest) (*localauthorityv1.ActivateJWTAuthorityResponse, error) {
-	return &localauthorityv1.ActivateJWTAuthorityResponse{
-		ActivatedAuthority: s.ActiveJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) TaintJWTAuthority(context.Context, *localauthorityv1.TaintJWTAuthorityRequest) (*localauthorityv1.TaintJWTAuthorityResponse, error) {
-	return &localauthorityv1.TaintJWTAuthorityResponse{
-		TaintedAuthority: s.TaintedJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) RevokeJWTAuthority(context.Context, *localauthorityv1.RevokeJWTAuthorityRequest) (*localauthorityv1.RevokeJWTAuthorityResponse, error) {
-	return &localauthorityv1.RevokeJWTAuthorityResponse{
-		RevokedAuthority: s.RevokedJWT,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) GetX509AuthorityState(context.Context, *localauthorityv1.GetX509AuthorityStateRequest) (*localauthorityv1.GetX509AuthorityStateResponse, error) {
-	return &localauthorityv1.GetX509AuthorityStateResponse{
-		Active:   s.ActiveX509,
-		Prepared: s.PreparedX509,
-		Old:      s.OldX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) PrepareX509Authority(context.Context, *localauthorityv1.PrepareX509AuthorityRequest) (*localauthorityv1.PrepareX509AuthorityResponse, error) {
-	return &localauthorityv1.PrepareX509AuthorityResponse{
-		PreparedAuthority: s.PreparedX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) ActivateX509Authority(context.Context, *localauthorityv1.ActivateX509AuthorityRequest) (*localauthorityv1.ActivateX509AuthorityResponse, error) {
-	return &localauthorityv1.ActivateX509AuthorityResponse{
-		ActivatedAuthority: s.ActiveX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) TaintX509Authority(context.Context, *localauthorityv1.TaintX509AuthorityRequest) (*localauthorityv1.TaintX509AuthorityResponse, error) {
-	return &localauthorityv1.TaintX509AuthorityResponse{
-		TaintedAuthority: s.TaintedX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) TaintX509UpstreamAuthority(context.Context, *localauthorityv1.TaintX509UpstreamAuthorityRequest) (*localauthorityv1.TaintX509UpstreamAuthorityResponse, error) {
-	return &localauthorityv1.TaintX509UpstreamAuthorityResponse{}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) RevokeX509Authority(context.Context, *localauthorityv1.RevokeX509AuthorityRequest) (*localauthorityv1.RevokeX509AuthorityResponse, error) {
-	return &localauthorityv1.RevokeX509AuthorityResponse{
-		RevokedAuthority: s.RevokedX509,
-	}, s.Err
-}
-
-func (s *fakeLocalAuthorityServer) RevokeX509UpstreamAuthority(context.Context, *localauthorityv1.RevokeX509UpstreamAuthorityRequest) (*localauthorityv1.RevokeX509UpstreamAuthorityResponse, error) {
-	return &localauthorityv1.RevokeX509UpstreamAuthorityResponse{}, s.Err
-}
-
-func RequireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) {
-	switch format {
-	case "pretty":
-		require.Contains(t, stdoutString, expectedStdoutPretty)
-	case "json":
-		if expectedStdoutJSON != "" {
-			require.JSONEq(t, expectedStdoutJSON, stdoutString)
-		} else {
-			require.Empty(t, stdoutString)
-		}
+	if authorityState.UpstreamAuthoritySubjectKeyId != "" {
+		env.Printf("  Upstream authority Subject Key ID: %s\n", authorityState.UpstreamAuthoritySubjectKeyId)
+		return
 	}
+
+	env.Println("  Upstream authority ID: No upstream authority")
 }
diff --git a/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go b/cmd/spire-server/cli/authoritycommon/test/authoritycommontest.go
@@ -0,0 +1,176 @@
+package authoritycommontest
+
+import (
+	"bytes"
+	"context"
+	"testing"
+
+	"github.com/mitchellh/cli"
+	localauthorityv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1"
+	"github.com/spiffe/spire/cmd/spire-server/cli/common"
+	commoncli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/test/spiretest"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+)
+
+var (
+	AvailableFormats = []string{"pretty", "json"}
+)
+
+type localAuthorityTest struct {
+	Stdin  *bytes.Buffer
+	Stdout *bytes.Buffer
+	Stderr *bytes.Buffer
+	Args   []string
+	Server *fakeLocalAuthorityServer
+	Client cli.Command
+}
+
+func (s *localAuthorityTest) afterTest(t *testing.T) {
+	t.Logf("TEST:%s", t.Name())
+	t.Logf("STDOUT:\n%s", s.Stdout.String())
+	t.Logf("STDIN:\n%s", s.Stdin.String())
+	t.Logf("STDERR:\n%s", s.Stderr.String())
+}
+
+func SetupTest(t *testing.T, newClient func(*commoncli.Env) cli.Command) *localAuthorityTest {
+	server := &fakeLocalAuthorityServer{}
+
+	addr := spiretest.StartGRPCServer(t, func(s *grpc.Server) {
+		localauthorityv1.RegisterLocalAuthorityServer(s, server)
+	})
+
+	stdin := new(bytes.Buffer)
+	stdout := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+
+	client := newClient(&commoncli.Env{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+	})
+
+	test := &localAuthorityTest{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+		Args:   []string{common.AddrArg, common.GetAddr(addr)},
+		Server: server,
+		Client: client,
+	}
+
+	t.Cleanup(func() {
+		test.afterTest(t)
+	})
+
+	return test
+}
+
+type fakeLocalAuthorityServer struct {
+	localauthorityv1.UnsafeLocalAuthorityServer
+
+	ActiveJWT,
+	PreparedJWT,
+	OldJWT,
+	ActiveX509,
+	PreparedX509,
+	OldX509,
+	TaintedX509,
+	RevokedX509,
+	TaintedJWT,
+	RevokedJWT *localauthorityv1.AuthorityState
+
+	TaintedUpstreamAuthoritySubjectKeyId,
+	RevokedUpstreamAuthoritySubjectKeyId string
+	Err error
+}
+
+func (s *fakeLocalAuthorityServer) GetJWTAuthorityState(context.Context, *localauthorityv1.GetJWTAuthorityStateRequest) (*localauthorityv1.GetJWTAuthorityStateResponse, error) {
+	return &localauthorityv1.GetJWTAuthorityStateResponse{
+		Active:   s.ActiveJWT,
+		Prepared: s.PreparedJWT,
+		Old:      s.OldJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) PrepareJWTAuthority(context.Context, *localauthorityv1.PrepareJWTAuthorityRequest) (*localauthorityv1.PrepareJWTAuthorityResponse, error) {
+	return &localauthorityv1.PrepareJWTAuthorityResponse{
+		PreparedAuthority: s.PreparedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) ActivateJWTAuthority(context.Context, *localauthorityv1.ActivateJWTAuthorityRequest) (*localauthorityv1.ActivateJWTAuthorityResponse, error) {
+	return &localauthorityv1.ActivateJWTAuthorityResponse{
+		ActivatedAuthority: s.ActiveJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintJWTAuthority(context.Context, *localauthorityv1.TaintJWTAuthorityRequest) (*localauthorityv1.TaintJWTAuthorityResponse, error) {
+	return &localauthorityv1.TaintJWTAuthorityResponse{
+		TaintedAuthority: s.TaintedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeJWTAuthority(context.Context, *localauthorityv1.RevokeJWTAuthorityRequest) (*localauthorityv1.RevokeJWTAuthorityResponse, error) {
+	return &localauthorityv1.RevokeJWTAuthorityResponse{
+		RevokedAuthority: s.RevokedJWT,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) GetX509AuthorityState(context.Context, *localauthorityv1.GetX509AuthorityStateRequest) (*localauthorityv1.GetX509AuthorityStateResponse, error) {
+	return &localauthorityv1.GetX509AuthorityStateResponse{
+		Active:   s.ActiveX509,
+		Prepared: s.PreparedX509,
+		Old:      s.OldX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) PrepareX509Authority(context.Context, *localauthorityv1.PrepareX509AuthorityRequest) (*localauthorityv1.PrepareX509AuthorityResponse, error) {
+	return &localauthorityv1.PrepareX509AuthorityResponse{
+		PreparedAuthority: s.PreparedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) ActivateX509Authority(context.Context, *localauthorityv1.ActivateX509AuthorityRequest) (*localauthorityv1.ActivateX509AuthorityResponse, error) {
+	return &localauthorityv1.ActivateX509AuthorityResponse{
+		ActivatedAuthority: s.ActiveX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintX509Authority(context.Context, *localauthorityv1.TaintX509AuthorityRequest) (*localauthorityv1.TaintX509AuthorityResponse, error) {
+	return &localauthorityv1.TaintX509AuthorityResponse{
+		TaintedAuthority: s.TaintedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) TaintX509UpstreamAuthority(context.Context, *localauthorityv1.TaintX509UpstreamAuthorityRequest) (*localauthorityv1.TaintX509UpstreamAuthorityResponse, error) {
+	return &localauthorityv1.TaintX509UpstreamAuthorityResponse{
+		UpstreamAuthoritySubjectKeyId: s.TaintedUpstreamAuthoritySubjectKeyId,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeX509Authority(context.Context, *localauthorityv1.RevokeX509AuthorityRequest) (*localauthorityv1.RevokeX509AuthorityResponse, error) {
+	return &localauthorityv1.RevokeX509AuthorityResponse{
+		RevokedAuthority: s.RevokedX509,
+	}, s.Err
+}
+
+func (s *fakeLocalAuthorityServer) RevokeX509UpstreamAuthority(context.Context, *localauthorityv1.RevokeX509UpstreamAuthorityRequest) (*localauthorityv1.RevokeX509UpstreamAuthorityResponse, error) {
+	return &localauthorityv1.RevokeX509UpstreamAuthorityResponse{
+		UpstreamAuthoritySubjectKeyId: s.RevokedUpstreamAuthoritySubjectKeyId,
+	}, s.Err
+}
+
+func RequireOutputBasedOnFormat(t *testing.T, format, stdoutString string, expectedStdoutPretty, expectedStdoutJSON string) {
+	switch format {
+	case "pretty":
+		require.Contains(t, stdoutString, expectedStdoutPretty)
+	case "json":
+		if expectedStdoutJSON != "" {
+			require.JSONEq(t, expectedStdoutJSON, stdoutString)
+		} else {
+			require.Empty(t, stdoutString)
+		}
+	}
+}
diff --git a/cmd/spire-server/cli/cli.go b/cmd/spire-server/cli/cli.go
@@ -18,6 +18,7 @@ import (
 	"github.com/spiffe/spire/cmd/spire-server/cli/logger"
 	"github.com/spiffe/spire/cmd/spire-server/cli/run"
 	"github.com/spiffe/spire/cmd/spire-server/cli/token"
+	"github.com/spiffe/spire/cmd/spire-server/cli/upstreamauthority"
 	"github.com/spiffe/spire/cmd/spire-server/cli/validate"
 	"github.com/spiffe/spire/cmd/spire-server/cli/x509"
 	"github.com/spiffe/spire/pkg/common/fflag"
@@ -193,5 +194,11 @@ func addCommandsEnabledByFFlags(commands map[string]cli.CommandFactory) {
 		commands["localauthority jwt revoke"] = func() (cli.Command, error) {
 			return localauthority_jwt.NewJWTRevokeCommand(), nil
 		}
+		commands["upstreamauthority taint"] = func() (cli.Command, error) {
+			return upstreamauthority.NewTaintCommand(), nil
+		}
+		commands["upstreamauthority revoke"] = func() (cli.Command, error) {
+			return upstreamauthority.NewRevokeCommand(), nil
+		}
 	}
 }