google · google-oss-robot · Nov 6, 2020 · Nov 6, 2020
@@ -68,10 +68,21 @@
                 <ol>
                   <li>Creating a new key.</li>
                   <li>Communicating that key version and public key to your <em>exposure notifications key server</em> operator.</li>
-                  <li>Activiating the new key in this system.</li>
+                  <li>Activating the new key in this system.</li>
                 </ol>
               </span>
-              <button type="submit" class="btn btn-primary btn-block">Create new signing key version</button>
+
+              {{if ge (len .realmKeys) .maximumKeyVersions }}
+                <div class="alert alert-warning">
+                  <span class="oi oi-warning" aria-hidden="true"></span>
+                  There is a limit of {{.maximumKeyVersions}} available key versions.
+                </div>
+                <button class="btn btn-primary btn-block disabled" disabled>
+                  Create new signing key version
+                </button>
+              {{else}}
+                <button type="submit" class="btn btn-primary btn-block">Create new signing key version</button>
+              {{end}}
             </div>
           </div>
         </form>

@@ -42,6 +42,9 @@ func (c *Controller) renderShow(ctx context.Context, w http.ResponseWriter, r *h
 
 		m["realmKeys"] = keys
 
+		maximumKeyVersions := c.db.MaxCertificateSigningKeyVersions()
+		m["maximumKeyVersions"] = maximumKeyVersions
+
 		publicKeys := make(map[string]string)
 		// Go through and load / parse all of the public keys for the realm.
 		for _, k := range keys {

@@ -24,7 +24,7 @@ func (c *Controller) HandleSave() http.Handler {
 	type FormData struct {
 		Issuer         string `form:"certificateIssuer"`
 		Audience       string `form:"certificateAudience"`
-		DuratingString string `form:"certificateDuration"`
+		DurationString string `form:"certificateDuration"`
 	}
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -60,7 +60,7 @@ func (c *Controller) HandleSave() http.Handler {
 		realm.CertificateIssuer = form.Issuer
 		realm.CertificateAudience = form.Audience
 		// AsString delgates the duration parsing and validation to the model.
-		realm.CertificateDuration.AsString = form.DuratingString
+		realm.CertificateDuration.AsString = form.DurationString
 
 		if err := c.db.SaveRealm(realm, currentUser); err != nil {
 			flash.Error("Failed to update realm: %v", err)

@@ -55,6 +55,11 @@ type Config struct {
 	// created on.
 	CertificateSigningKeyRing string `env:"CERTIFICATE_SIGNING_KEYRING"`
 
+	// MaxCertificateSigningKeyVersions is the maximum number of certificate
+	// signing key versions per realm. This is enforced at the database layer, not
+	// the upstream KMS.
+	MaxCertificateSigningKeyVersions int64 `env:"MAX_CERTIFICATE_SIGNING_KEY_VERSIONS, default=5"`
+
 	// EncryptionKey is the reference to an encryption/decryption key to use when
 	// for application-layer encryption before values are persisted to the
 	// database.

@@ -91,6 +91,11 @@ func (db *Database) SupportsPerRealmSigning() bool {
 	return db.signingKeyManager != nil
 }
 
+// MaxCertificateSigningKeyVersions returns the configured maximum.
+func (db *Database) MaxCertificateSigningKeyVersions() int64 {
+	return db.config.MaxCertificateSigningKeyVersions
+}
+
 func (db *Database) KeyManager() keys.KeyManager {
 	return db.keyManager
 }

@@ -1162,6 +1162,24 @@ func (r *Realm) CreateSigningKeyVersion(ctx context.Context, db *Database) (stri
 		return "", fmt.Errorf("missing key name")
 	}
 
+	// Check how many non-deleted signing keys currently exist. There's a limit on
+	// the number of "active" signing keys to help protect realms against
+	// excessive costs.
+	var count int64
+	if err := db.db.
+		Table("signing_keys").
+		Where("realm_id = ?", r.ID).
+		Where("deleted_at IS NULL").
+		Count(&count).
+		Error; err != nil {
+		if !IsNotFound(err) {
+			return "", fmt.Errorf("failed to count existing signing keys: %w", err)
+		}
+	}
+	if max := db.config.MaxCertificateSigningKeyVersions; count >= max {
+		return "", fmt.Errorf("too many available signing keys (maximum: %d)", max)
+	}
+
 	// Create the parent key - this interface does not return an error if the key
 	// already exists, so this is safe to run each time.
 	keyName, err := manager.CreateSigningKey(ctx, parent, name)

@@ -15,10 +15,14 @@
 package database
 
 import (
+	"context"
+	"path/filepath"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/google/exposure-notifications-server/pkg/timeutils"
+	"github.com/google/exposure-notifications-verification-server/internal/project"
 )
 
 func TestSMS(t *testing.T) {
@@ -164,3 +168,54 @@ func TestRealm_FindMobileApp(t *testing.T) {
 		}
 	})
 }
+
+func TestRealm_CreateSigningKeyVersion(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	db := NewTestDatabase(t)
+
+	db.config.CertificateSigningKeyRing = filepath.Join(project.Root(), "local", "test", "realm")
+	db.config.MaxCertificateSigningKeyVersions = 2
+
+	realm1 := NewRealmWithDefaults("realm1")
+	if err := db.SaveRealm(realm1, System); err != nil {
+		t.Fatal(err)
+	}
+
+	// First creates ok
+	if _, err := realm1.CreateSigningKeyVersion(ctx, db); err != nil {
+		t.Fatal(err)
+	}
+
+	// Second creates ok
+	if _, err := realm1.CreateSigningKeyVersion(ctx, db); err != nil {
+		t.Fatal(err)
+	}
+
+	// Third fails over quota
+	_, err := realm1.CreateSigningKeyVersion(ctx, db)
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if got, want := err.Error(), "too many available signing keys"; !strings.Contains(got, want) {
+		t.Errorf("expected %q to contain %q", got, want)
+	}
+
+	// Delete one
+	list, err := realm1.ListSigningKeys(db)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(list) < 1 {
+		t.Fatal("empty list")
+	}
+	if err := realm1.DestroySigningKeyVersion(ctx, db, list[0].ID); err != nil {
+		t.Fatal(err)
+	}
+
+	// Third should succeed now
+	if _, err := realm1.CreateSigningKeyVersion(ctx, db); err != nil {
+		t.Fatal(err)
+	}
+}