Add tests for local authority service

Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
MarcosDY · Aug 9, 2024 · f70b8c8 · f70b8c8
1 parent a429675
commit f70b8c8
Show file tree

Hide file tree

Showing 9 changed files with 812 additions and 168 deletions.
diff --git a/pkg/common/telemetry/names.go b/pkg/common/telemetry/names.go
@@ -372,9 +372,6 @@ const (
 	// LocalAuthorityID tags a local authority ID
 	LocalAuthorityID = "local_authority_id"
 
-	// SigningAuthorityID tags a signing authority ID
-	SigningAuthorityID = "signing_authority_id"
-
 	// Mode tags a bundle deletion mode
 	Mode = "mode"
 
@@ -605,6 +602,9 @@ const (
 	// with other tags to add clarity
 	Updated = "updated"
 
+	// UpstreamAuthorityID tags a signing authority ID
+	UpstreamAuthorityID = "upstream_authority_id"
+
 	// StoreSvid tags if entry is storable
 	StoreSvid = "store_svid"
 

diff --git a/pkg/server/api/localauthority/v1/service.go b/pkg/server/api/localauthority/v1/service.go
@@ -331,13 +331,12 @@ func (s *Service) ActivateX509Authority(ctx context.Context, req *localauthority
 func (s *Service) TaintX509Authority(ctx context.Context, req *localauthorityv1.TaintX509AuthorityRequest) (*localauthorityv1.TaintX509AuthorityResponse, error) {
 	rpccontext.AddRPCAuditFields(ctx, buildAuditLogFields(req.AuthorityId))
 	log := rpccontext.Logger(ctx)
-
 	if req.AuthorityId != "" {
 		log = log.WithField(telemetry.LocalAuthorityID, req.AuthorityId)
 	}
 
 	if s.ca.IsUpstreamAuthority() {
-		return nil, api.MakeErr(log, codes.FailedPrecondition, "local authority can't be tainted if there is an upstream authorit", nil)
+		return nil, api.MakeErr(log, codes.FailedPrecondition, "local authority can't be tainted if there is an upstream authority", nil)
 	}
 
 	nextSlot := s.ca.GetNextX509CASlot()
@@ -377,17 +376,17 @@ func (s *Service) TaintX509Authority(ctx context.Context, req *localauthorityv1.
 }
 
 func (s *Service) TaintX509UpstreamAuthority(ctx context.Context, req *localauthorityv1.TaintX509UpstreamAuthorityRequest) (*localauthorityv1.TaintX509UpstreamAuthorityResponse, error) {
-	rpccontext.AddRPCAuditFields(ctx, buildAuditLogFields(req.SubjectKeyId))
+	rpccontext.AddRPCAuditFields(ctx, buildAuditUpstreamLogFields(req.SubjectKeyId))
 	log := rpccontext.Logger(ctx)
 
-	if !s.ca.IsUpstreamAuthority() {
-		return nil, api.MakeErr(log, codes.FailedPrecondition, "upstream authority is not configured", nil)
-	}
-
 	if req.SubjectKeyId != "" {
 		log = log.WithField(telemetry.SubjectKeyId, req.SubjectKeyId)
 	}
 
+	if !s.ca.IsUpstreamAuthority() {
+		return nil, api.MakeErr(log, codes.FailedPrecondition, "upstream authority is not configured", nil)
+	}
+
 	// TODO: may we request in lower case?
 	// Normalize SKID
 	subjectKeyIDRequest := strings.ToLower(req.SubjectKeyId)
@@ -400,6 +399,9 @@ func (s *Service) TaintX509UpstreamAuthority(ctx context.Context, req *localauth
 
 	}
 
+	rpccontext.AuditRPC(ctx)
+	log.Info("X.509 upstream authority tainted successfully")
+
 	return &localauthorityv1.TaintX509UpstreamAuthorityResponse{}, nil
 }
 
@@ -437,17 +439,17 @@ func (s *Service) RevokeX509Authority(ctx context.Context, req *localauthorityv1
 }
 
 func (s *Service) RevokeX509UpstreamAuthority(ctx context.Context, req *localauthorityv1.RevokeX509UpstreamAuthorityRequest) (*localauthorityv1.RevokeX509UpstreamAuthorityResponse, error) {
-	rpccontext.AddRPCAuditFields(ctx, buildAuditLogFields(req.SubjectKeyId))
+	rpccontext.AddRPCAuditFields(ctx, buildAuditUpstreamLogFields(req.SubjectKeyId))
 	log := rpccontext.Logger(ctx)
 
-	if !s.ca.IsUpstreamAuthority() {
-		return nil, api.MakeErr(log, codes.FailedPrecondition, "upstream authority is not configured", nil)
-	}
-
 	if req.SubjectKeyId != "" {
 		log = log.WithField(telemetry.SubjectKeyId, req.SubjectKeyId)
 	}
 
+	if !s.ca.IsUpstreamAuthority() {
+		return nil, api.MakeErr(log, codes.FailedPrecondition, "upstream authority is not configured", nil)
+	}
+
 	// TODO: may we request in lower case?
 	// Normalize SKID
 	subjectKeyIDRequest := strings.ToLower(req.SubjectKeyId)
@@ -488,15 +490,17 @@ func (s *Service) validateUpstreamAuthoritySubjectKey(subjectKeyIDRequest string
 	}
 
 	currentSlot := s.ca.GetCurrentX509CASlot()
-	if subjectKeyIDRequest == currentSlot.SigningAuthorityID() {
+	if subjectKeyIDRequest == currentSlot.UpstreamAuthorityID() {
 		return errors.New("unable to use upstream authority singing current authority")
 	}
 
 	nextSlot := s.ca.GetNextX509CASlot()
-	if subjectKeyIDRequest == nextSlot.SigningAuthorityID() {
-		if nextSlot.Status() == journal.Status_PREPARED {
-			return errors.New("unable to use upstream authority singing prepared key")
-		}
+	if subjectKeyIDRequest != nextSlot.UpstreamAuthorityID() {
+		return errors.New("upstream authority is not signing Old local authority")
+	}
+
+	if nextSlot.Status() == journal.Status_PREPARED {
+		return errors.New("only upstream authorities signing an old authority can be used")
 	}
 
 	return nil
@@ -544,6 +548,14 @@ func buildAuditLogFields(authorityID string) logrus.Fields {
 	return fields
 }
 
+func buildAuditUpstreamLogFields(authorityID string) logrus.Fields {
+	fields := logrus.Fields{}
+	if authorityID != "" {
+		fields[telemetry.SubjectKeyId] = authorityID
+	}
+	return fields
+}
+
 func stateFromSlot(s manager.Slot) *localauthorityv1.AuthorityState {
 	return &localauthorityv1.AuthorityState{
 		AuthorityId: s.AuthorityID(),