lxd/identity: Validate authentication method when getting cache entries.

When `core.trust_ca_certificates` is enabled, we check the identity cache for a certificate with a matching fingerprint anyway. This is in case the certificate does exist in the truststore and was previously restricted. If the caller erroneously uses the new authentication method `auth.AuthenticationMethodPKI` instead of `api.AuthenticationMethodTLS` the identity will not be found in the cache. Returning a Not Found error in this instance tells the authorizer that they should have admin privileges! Adding validation on the authentication method when getting or setting cache entries will surface these errors more transparently. Signed-off-by: Mark Laing <mark.laing@canonical.com>
canonical · Jul 5, 2024 · 365078f · 365078f
1 parent 500b905
commit 365078f
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/lxd/identity/cache.go b/lxd/identity/cache.go
@@ -42,6 +42,11 @@ func (c *Cache) Get(authenticationMethod string, identifier string) (*CacheEntry
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 
+	err := ValidateAuthenticationMethod(authenticationMethod)
+	if err != nil {
+		return nil, err
+	}
+
 	if c.entries == nil {
 		return nil, api.StatusErrorf(http.StatusNotFound, "Identity %q (%s) not found", identifier, authenticationMethod)
 	}
@@ -115,6 +120,11 @@ func (c *Cache) ReplaceAll(entries []CacheEntry, idpGroups map[string][]string)
 
 	c.entries = make(map[string]map[string]*CacheEntry)
 	for _, entry := range entries {
+		err := ValidateAuthenticationMethod(entry.AuthenticationMethod)
+		if err != nil {
+			return err
+		}
+
 		if entry.AuthenticationMethod == api.AuthenticationMethodTLS && entry.Certificate == nil {
 			return fmt.Errorf("Identity cache entries of type %q must have a certificate", api.AuthenticationMethodTLS)
 		}