
lxc: Prevent accept-certificate flag when using trust token #14149

Merged 12 commits on Oct 15, 2024

Commits on Oct 14, 2024

  1. lxc/remote: Fix interactive question about remote fingerprint

    Do not exit if incorrect input is provided when asking to accept remote certificate.
    Instead, ask the question again.
    
    Exit only if user entered 'n' (answered with no) or has provided the incorrect fingerprint
    to prevent scripts from hanging in such case.
    
    This issue was found because previously returned error ended with colon (':'),
    indicating the error was not meant to terminate interaction, but rather ask
    user again for valid answer.
    
    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    4c85e35
  2. lxc/remote: Add validation for mutually exclusive flags

    Prevents usage of flag --token with flags --oidc and --public.
    
    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    30c9f50
  3. lxc/remote: Prevent accept-certificate flag when using trust token

    When trust token is provided, certificate cannot be blindly accepted. Trust token contains
    certificate fingerprint, which has to be compared with the remote certificate fingerprint.
    If those do not match, we should never accept the remote certificate.
    
    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    d83ac8f
  4. lxd/certificates: Invalidate trust token when adding client certificate

    If certificate add request is sent from a trusted client and the trust token is provided,
    first ensure the provided token is valid, then invalidate it by canceling the corresponding
    token operation, and finally return the conflict error because the client certificate is
    already present in the trust store.
    
    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    693409b
  5. lxc/remote: Always send token to remote to invalidate it

    Even if the remote already trusts us, send the token to the remote to invalidate it.
    Ignore conflict error, which indicates that the remote already trusts us.
    
    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    99b40da
  6. test: Remove accept-certificate flag where token is used

    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    5577379
  7. test/pki: Do not use invalid token as it will always fail

    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    82d0683
  8. test/clustering: Remove unused token

    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    1521aa2
  9. test/clustering: Do not use token when adding public remote

    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    db59e89
  10. test: Ensure token cannot be used with --accept-certificate flag

    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    0098b7f
  11. i18n: Update translation templates.

    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    b77e4a3
  12. i18n: Update translations.

    Signed-off-by: Din Music <din.music@canonical.com>
    MusicDin committed Oct 14, 2024
    88f5b75
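
The client-side rule described in commits 2 and 3 above, as an added Go example that is not part of this pull request or of LXD's code: a token excludes `--oidc`, `--public` and `--accept-certificate`, and the remote certificate is trusted only if its fingerprint equals the one carried in the token. The `trustToken` and `remoteAddOpts` types, the function names, and the hex SHA-256-over-DER fingerprint format are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// trustToken and remoteAddOpts are hypothetical stand-ins, not LXD's types.
type trustToken struct{ Fingerprint string }

type remoteAddOpts struct {
	Token                           *trustToken // decoded --token, nil if absent
	AcceptCertificate, OIDC, Public bool        // the CLI flags named in the commits
}

var errMismatch = errors.New("remote certificate does not match token fingerprint")

// certFingerprint assumes a fingerprint is hex SHA-256 over the DER certificate.
func certFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// checkRemoteCert reports whether the certificate may be trusted without prompting.
func checkRemoteCert(o remoteAddOpts, der []byte) (bool, error) {
	if o.Token == nil {
		return o.AcceptCertificate, nil // no token: false means ask the user
	}
	if o.OIDC || o.Public || o.AcceptCertificate {
		return false, errors.New("--token excludes --oidc, --public and --accept-certificate")
	}
	got := []byte(certFingerprint(der))
	if subtle.ConstantTimeCompare(got, []byte(o.Token.Fingerprint)) != 1 {
		return false, errMismatch // a mismatch is final: never accept
	}
	return true, nil
}

func main() {
	der := []byte("constructed certificate bytes") // constructed sample, not a real cert
	tok := &trustToken{Fingerprint: certFingerprint(der)}
	fmt.Println(checkRemoteCert(remoteAddOpts{Token: tok}, der))
	fmt.Println(checkRemoteCert(remoteAddOpts{Token: tok}, []byte("other")))
	fmt.Println(checkRemoteCert(remoteAddOpts{Token: tok, AcceptCertificate: true}, der))
}
```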