revoke access command

banyancomputer · Jun 5, 2024 · 627c777 · 627c777
1 parent 2fc0d61
commit 627c777
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 35 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/cli/commands/drives/access.rs b/src/cli/commands/drives/access.rs
@@ -87,32 +87,9 @@ impl RunnableCommand<NativeError> for DriveKeyCommand {
                 // You need to already have access locally to do this
                 let bfs = LocalBanyanFS::decode(&payload.id).await?;
 
-                // Grab the verifying key and fingerprint, either from disk or Platform
                 let (public_key, fingerprint) =
-                    if let Ok(user_key) = SigningKey::decode(&name).await {
-                        let public_key = user_key.verifying_key();
-                        let fingerprint = api_fingerprint_key(&public_key);
-                        (public_key, fingerprint)
-                    } else {
-                        match helpers::platform_user_keys(&payload.global)
-                            .await
-                            .into_iter()
-                            .find(|key| *key.name() == name)
-                        {
-                            Some(api_key) => {
-                                let fingerprint = api_key.fingerprint().to_string();
-                                let public_key_pem = api_key.public_key();
-                                let public_key = VerifyingKey::from_spki(&public_key_pem)
-                                    .map_err(|_| NativeError::Custom("Decode SPKI".into()))?;
-                                (public_key, fingerprint)
-                            }
-                            None => {
-                                error!("No known user key with that name locally or remotely.");
-                                return Ok(());
-                            }
-                        }
-                    };
-
+                    helpers::public_key_and_fingerprint(&payload.global, &name).await?;
+                // Grab the verifying key and fingerprint, either from disk or Platform
                 let access_mask = AccessMaskBuilder::full_access().build()?;
                 if let Some((_, _mask)) =
                     bfs.drive.verifying_keys().await.iter().find(|(key, mask)| {
@@ -133,12 +110,9 @@ impl RunnableCommand<NativeError> for DriveKeyCommand {
                 Ok(())
             }
             DriveKeyCommand::Revoke { name } => {
-                let user_key = SigningKey::decode(&name).await?;
-                let public_user_key = user_key.verifying_key();
-                let fingerprint = api_fingerprint_key(&public_user_key);
                 let bfs = LocalBanyanFS::decode(&payload.id).await?;
-                let access_mask = AccessMaskBuilder::full_access().historical().build()?;
-
+                let (public_key, fingerprint) =
+                    helpers::public_key_and_fingerprint(&payload.global, &name).await?;
                 if let Some((_, mask)) = bfs
                     .drive
                     .verifying_keys()
@@ -151,8 +125,9 @@ impl RunnableCommand<NativeError> for DriveKeyCommand {
                             "This is a protected user key and can not be revoked from the Drive."
                         );
                     } else {
+                        let current_key = SigningKey::decode(&payload.id.user_key_id).await?;
                         bfs.drive
-                            .authorize_key(&mut crypto_rng(), public_user_key, access_mask)
+                            .remove_key(&current_key, &public_key.actor_id())
                             .await?;
                         bfs.encode(&payload.id).await?;
                         info!("<< REVOKED LOCAL ACCESS FOR USER KEY >>");

diff --git a/src/cli/helpers.rs b/src/cli/helpers.rs
@@ -1,7 +1,16 @@
-use banyanfs::api::platform::{self, ApiDrive, ApiUserKey};
-use tracing::warn;
+use banyanfs::{
+    api::{
+        api_fingerprint_key,
+        platform::{self, ApiDrive, ApiUserKey},
+    },
+    codec::crypto::{SigningKey, VerifyingKey},
+};
+use tracing::{error, warn};
 
-use crate::on_disk::config::GlobalConfig;
+use crate::{
+    on_disk::{config::GlobalConfig, OnDisk},
+    ConfigStateError, NativeError,
+};
 
 pub async fn platform_drive_with_name(global: &GlobalConfig, name: &str) -> Option<ApiDrive> {
     platform_drives(global)
@@ -41,3 +50,32 @@ pub async fn platform_user_keys(global: &GlobalConfig) -> Vec<ApiUserKey> {
         }
     }
 }
+
+pub async fn public_key_and_fingerprint(
+    global: &GlobalConfig,
+    name: &String,
+) -> Result<(VerifyingKey, String), NativeError> {
+    if let Ok(user_key) = SigningKey::decode(name).await {
+        let public_key = user_key.verifying_key();
+        let fingerprint = api_fingerprint_key(&public_key);
+        Ok((public_key, fingerprint))
+    } else {
+        match self::platform_user_keys(&global)
+            .await
+            .into_iter()
+            .find(|key| key.name() == name)
+        {
+            Some(api_key) => {
+                let fingerprint = api_key.fingerprint().to_string();
+                let public_key_pem = api_key.public_key();
+                let public_key = VerifyingKey::from_spki(&public_key_pem)
+                    .map_err(|_| NativeError::Custom("Decode SPKI".into()))?;
+                Ok((public_key, fingerprint))
+            }
+            None => {
+                error!("No known user key with that name locally or remotely.");
+                Err(NativeError::Custom("missing usrkey".into()).into())
+            }
+        }
+    }
+}