Merge pull request #2097 from smallstep/dependabot/go_modules/github.com/slackhq/nebula-1.9.5

step-ci · web-flow · commit 51e253be7198 · 2024-12-10T07:03:55.000-08:00
Bump github.com/slackhq/nebula from 1.9.4 to 1.9.5
diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
@@ -62,9 +62,13 @@ func (p *Nebula) Init(config Config) (err error) {
 		return errors.New("provisioner root(s) cannot be empty")
 	}
 
-	p.caPool, err = nebula.NewCAPoolFromBytes(p.Roots)
+	var certErrors []error
+	p.caPool, certErrors, err = nebula.NewCAPoolFromBytes(p.Roots)
 	if err != nil {
-		return errs.InternalServer("failed to create ca pool: %v", err)
+		return errs.InternalServer("failed to create CA pool: %v", err)
+	}
+	if len(certErrors) > 0 {
+		return errs.InternalServer("failed to create CA pool: %v", certErrors)
 	}
 
 	config.Audiences = config.Audiences.WithFragment(p.GetIDForToken())
diff --git a/authority/provisioner/nebula_test.go b/authority/provisioner/nebula_test.go
@@ -62,6 +62,31 @@ func mustNebulaCA(t *testing.T) (*cert.NebulaCertificate, ed25519.PrivateKey) {
 	return nc, priv
 }
 
+func mustExpiredNebulaCA(t *testing.T) (*cert.NebulaCertificate, ed25519.PrivateKey) {
+	t.Helper()
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	require.NoError(t, err)
+	nc := &cert.NebulaCertificate{
+		Details: cert.NebulaCertificateDetails{
+			Name:   "ExpiredTestCA",
+			Groups: []string{"expired"},
+			Ips: []*net.IPNet{
+				mustNebulaIPNet(t, "10.2.0.0/16"),
+			},
+			Subnets:   []*net.IPNet{},
+			NotBefore: time.Now().Add(-2 * time.Hour),
+			NotAfter:  time.Now().Add(-1 * time.Hour),
+			PublicKey: pub,
+			IsCA:      true,
+			Curve:     cert.Curve_CURVE25519,
+		},
+	}
+	err = nc.Sign(cert.Curve_CURVE25519, priv)
+	require.NoError(t, err)
+
+	return nc, priv
+}
+
 func mustNebulaP256CA(t *testing.T) (*cert.NebulaCertificate, *ecdsa.PrivateKey) {
 	t.Helper()
 
@@ -298,6 +323,10 @@ func TestNebula_Init(t *testing.T) {
 	nc, _ := mustNebulaCA(t)
 	ncPem, err := nc.MarshalToPEM()
 	require.NoError(t, err)
+	expiredNC, _ := mustExpiredNebulaCA(t)
+	expiredPEM, err := expiredNC.MarshalToPEM()
+	require.NoError(t, err)
+	expiredPEM = append(expiredPEM, ncPem...) // needed so that regular error isn't triggered
 
 	cfg := Config{
 		Claims:    globalProvisionerClaims,
@@ -326,6 +355,7 @@ func TestNebula_Init(t *testing.T) {
 		{"fail type", fields{"", "Nebulous", ncPem, nil, nil}, args{cfg}, true},
 		{"fail name", fields{"Nebula", "", ncPem, nil, nil}, args{cfg}, true},
 		{"fail root", fields{"Nebula", "Nebulous", nil, nil, nil}, args{cfg}, true},
+		{"fail expired root", fields{"Nebula", "Nebulous", expiredPEM, nil, nil}, args{cfg}, true},
 		{"fail bad root", fields{"Nebula", "Nebulous", ncPem[:16], nil, nil}, args{cfg}, true},
 		{"fail bad claims", fields{"Nebula", "Nebulous", ncPem, &Claims{
 			MinTLSDur: &Duration{Duration: 0},
diff --git a/go.mod b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/prometheus/client_golang v1.20.5
 	github.com/rs/xid v1.6.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/slackhq/nebula v1.9.4
+	github.com/slackhq/nebula v1.9.5
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 	github.com/smallstep/cli-utils v0.10.0
 	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935
diff --git a/go.sum b/go.sum
@@ -377,8 +377,8 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5I
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/slackhq/nebula v1.9.4 h1:p06JxtXT/OBMWt2OQkY7F0phOBb42X93YWNsS1yqC9o=
-github.com/slackhq/nebula v1.9.4/go.mod h1:1+4q4wd3dDAjO8rKCttSb9JIVbklQhuJiBp5I0lbIsQ=
+github.com/slackhq/nebula v1.9.5 h1:ZrxcvP/lxwFglaijmiwXLuCSkybZMJnqSYI1S8DtGnY=
+github.com/slackhq/nebula v1.9.5/go.mod h1:1+4q4wd3dDAjO8rKCttSb9JIVbklQhuJiBp5I0lbIsQ=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
 github.com/smallstep/cli-utils v0.10.0 h1:CfXNvHtIN5pAzGvGP0NEUZoGFcj5epNEB6RSpSfduek=

Original file line number	Diff line number	Diff line change
`@@ -62,9 +62,13 @@ func (p *Nebula) Init(config Config) (err error) {`
`62`	`62`	`return errors.New("provisioner root(s) cannot be empty")`
`63`	`63`	`}`
`64`	`64`
`65`		`- p.caPool, err = nebula.NewCAPoolFromBytes(p.Roots)`
	`65`	`+ var certErrors []error`
	`66`	`+ p.caPool, certErrors, err = nebula.NewCAPoolFromBytes(p.Roots)`
`66`	`67`	`if err != nil {`
`67`		`- return errs.InternalServer("failed to create ca pool: %v", err)`
	`68`	`+ return errs.InternalServer("failed to create CA pool: %v", err)`
	`69`	`+ }`
	`70`	`+ if len(certErrors) > 0 {`
	`71`	`+ return errs.InternalServer("failed to create CA pool: %v", certErrors)`
`68`	`72`	`}`
`69`	`73`
`70`	`74`	`config.Audiences = config.Audiences.WithFragment(p.GetIDForToken())`