-
-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement Certificate Revocation List #1379
base: main
Are you sure you want to change the base?
Conversation
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
5ab9db9
to
68ca5a5
Compare
165ae68
to
549b38e
Compare
549b38e
to
2c958e9
Compare
if err != nil { | ||
// TODO: what to do here? remove the new signing record? restore the original? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At first you need to add cerficate to CRL list. And when it success then you try to replace with a new certificate . It can fails when someone make parallel update. In this case you will return error. And when all steps are succeed than you return ok. You don't touch CRL even replace fails. But if you insert serial number to CRL slice it must not exist there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need an additional request to mongo that way though, which I wanted to avoid, but I guess there is no way around it.
9745c8b
to
d99d010
Compare
d99d010
to
2f351e9
Compare
f4042a5
to
7cb304c
Compare
Quality Gate passedIssues Measures |
3909233
to
1be10f8
Compare
} | ||
|
||
var rl store.RevocationList | ||
err := s.Collection(revocationListCol).FindOne(ctx, filter, opts...).Decode(&rl) |
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 4 hours ago
To fix the problem, we need to ensure that the issuerID
is safely embedded into the MongoDB query using parameterized queries. The MongoDB Go driver supports this by using BSON documents for query parameters. We will modify the GetRevocationList
function to ensure that the issuerID
is properly validated and embedded into the query.
- Ensure that the
issuerID
is validated as a UUID before being used in the query. - Use the validated
issuerID
directly in the BSON query filter.
-
Copy modified lines R159-R161
@@ -158,2 +158,5 @@ | ||
func (s *Store) GetRevocationList(ctx context.Context, issuerID string, includeExpired bool) (*store.RevocationList, error) { | ||
if _, err := uuid.Parse(issuerID); err != nil { | ||
return nil, errors.New("invalid issuerID") | ||
} | ||
now := time.Now().UnixNano() |
}, | ||
}}}) | ||
} | ||
cur, err := s.Collection(revocationListCol).Aggregate(ctx, pl) |
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 4 hours ago
To fix the problem, we need to use parameterized queries instead of directly embedding user input into the query. This can be achieved by using MongoDB's parameterized query capabilities. Specifically, we will replace the direct embedding of query.IssuerID
with a parameterized approach.
- Modify the MongoDB query construction to use parameterized queries.
- Ensure that the
issuerID
is passed as a parameter to the query.
-
Copy modified lines R53-R54
@@ -52,5 +52,4 @@ | ||
} | ||
pl := mongo.Pipeline{ | ||
bson.D{{Key: mongodb.Match, Value: bson.D{{Key: "_id", Value: query.IssuerID}}}}, | ||
} | ||
matchStage := bson.D{{Key: mongodb.Match, Value: bson.D{{Key: "_id", Value: query.IssuerID}}}} | ||
pl := mongo.Pipeline{matchStage} | ||
if len(cmap) > 0 { |
} | ||
opts := options.FindOneAndUpdate().SetReturnDocument(options.After) | ||
var updatedRL store.RevocationList | ||
if err = s.Collection(revocationListCol).FindOneAndUpdate(ctx, filter, update, opts).Decode(&updatedRL); err != nil { |
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 4 hours ago
To fix the problem, we should use parameterized queries or ensure that the user input is properly sanitized before being used in the MongoDB query. In this case, since MongoDB queries are constructed using BSON, we can ensure that the issuerID
is safely embedded by using a parameterized approach.
- Modify the
UpdateRevocationList
function to use a parameterized query for theissuerID
. - Ensure that the
issuerID
is properly validated and sanitized before being used in the query.
-
Copy modified line R134
@@ -133,3 +133,3 @@ | ||
filter := bson.M{ | ||
"_id": query.IssuerID, | ||
"_id": bson.D{{Key: "$eq", Value: query.IssuerID}}, | ||
store.NumberKey: number.String(), |
This pull request includes several changes to the certificate authority's codebase, focusing on improving the handling of signing records and enhancing documentation. The most important changes include adding validation for
CredentialStatus
, updating documentation to reflect the new functionality, and correcting typographical errors.Code Enhancements:
certificate-authority/pb/signingRecords.go
: Added aValidate
method toCredentialStatus
to ensure all necessary fields are populated and correctly formatted.certificate-authority/pb/signingRecords.go
: RefactoredValidate
method inSigningRecord
to use the newCredentialStatus
validation.Documentation Updates:
certificate-authority/pb/README.md
: Updated descriptions forGetSigningRecords
andDeleteSigningRecords
to reflect the new functionality of revoking certificates. Added fieldsserial
andissuer_id
to the documentation. [1] [2] [3]certificate-authority/pb/doc.html
: Updated HTML documentation to include new fields and corrected descriptions forGetSigningRecords
andDeleteSigningRecords
. [1] [2] [3]Typographical Corrections:
certificate-authority/pb/service.proto
: Corrected typos in comments forGetSigningRecords
andDeleteSigningRecords
. [1] [2]certificate-authority/pb/service.swagger.json
: Corrected typos in the Swagger documentation forGetSigningRecords
andDeleteSigningRecords
. [1] [2]Minor Changes:
.dockerignore
: Addedtest-local
to the ignore list.certificate-authority/config.yaml
: Removed bulk write configuration settings.These changes collectively enhance the robustness of the certificate authority's functionality and improve the clarity of its documentation.