Do not fail if a provisioner cannot be initialized

This commit will mark a provisioner as disabled if it fails to initialize. The provisioner will be visible, but authorizing a token with a disabled provisioner will always fail. Fixes: #589, #1757
smallstep · Mar 13, 2024 · 976bf0c · 976bf0c
1 parent fe364d5
commit 976bf0c
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/authority/authority.go b/authority/authority.go
@@ -255,7 +255,10 @@ func (a *Authority) ReloadAdminResources(ctx context.Context) error {
  provClxn := provisioner.NewCollection(provisionerConfig.Audiences)
  for _, p := range provList {
  if err := p.Init(provisionerConfig); err != nil {
- return err
+ log.Printf("failed to initialize %s provisioner %q: %v\n", p.GetType(), p.GetName(), err)
+ p = provisioner.Disabled{
+ Interface: p, Reason: err,
+ }
  }
  if err := provClxn.Store(p); err != nil {
  return err

diff --git a/authority/authorize.go b/authority/authorize.go
@@ -64,6 +64,10 @@ func (a *Authority) getProvisionerFromToken(token string) (provisioner.Interface
  if !ok {
  return nil, nil, fmt.Errorf("provisioner not found or invalid audience (%s)", strings.Join(claims.Audience, ", "))
  }
+ // If the provisioner is disabled, send an appropriate message to the client
+ if _, ok := p.(provisioner.Disabled); ok {
+ return nil, nil, errs.New(http.StatusUnauthorized, "provisioner %q is disabled due to an initialization error", p.GetName())
+ }
 
  return p, &claims, nil
 }

diff --git a/authority/provisioner/provisioner.go b/authority/provisioner/provisioner.go
@@ -33,6 +33,31 @@ type Interface interface {
  AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error)
 }
 
+// Disabled represents a disabled provisioner. Disabled provisioners are created
+// when the Init methods fails.
+type Disabled struct {
+ Interface
+ Reason error
+}
+
+// MarshalJSON returns the JSON encoding of the provisioner with the disabled
+// reason.
+func (p Disabled) MarshalJSON() ([]byte, error) {
+ provisionerJSON, err := json.Marshal(p.Interface)
+ if err != nil {
+ return nil, err
+ }
+ reasonJSON, err := json.Marshal(struct {
+ Disabled bool `json:"disabled"`
+ DisabledReason string `json:"disabledReason"`
+ }{true, p.Reason.Error()})
+ if err != nil {
+ return nil, err
+ }
+ reasonJSON[0] = ','
+ return append(provisionerJSON[:len(provisionerJSON)-1], reasonJSON...), nil
+}
+
 // ErrAllowTokenReuse is an error that is returned by provisioners that allows
 // the reuse of tokens.
 //