Merge pull request #652 from kjaskiewiczz/men-6504-3.3.x

fix: do not accept device which is being decommissioned

LICENSE

@@ -1,4 +1,4 @@
-Copyright 2022 Northern.tech AS
+Copyright 2023 Northern.tech AS
 
 All content in this project is licensed under the Apache License v2, unless
 indicated otherwise.

LIC_FILES_CHKSUM.sha256

@@ -1,6 +1,6 @@
 #
 # Apache-2.0
-1033348db7606a7e61b6484f293847cf8d7a35766efebb97e304d4bd5d7f3f6b  LICENSE
+52b2497ce07650b825015e80ca7a5d40c360c04c530234ca6d950b0f98bca23a  LICENSE
 0d542e0c8804e39aa7f37eb00da5a762149dc682d7829451287e11b938e94594  vendor/github.com/gomodule/redigo/LICENSE
 a4e99d13c6cd0e4faf3867ae5c9815ff88cab3cefdefe0dc1ec9ac28b1152944  vendor/github.com/mendersoftware/go-lib-micro/LICENSE
 c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4  vendor/github.com/modern-go/concurrent/LICENSE

devauth/devauth.go

@@ -1,16 +1,16 @@
-// Copyright 2022 Northern.tech AS
+// Copyright 2023 Northern.tech AS
 //
-//    Licensed under the Apache License, Version 2.0 (the "License");
-//    you may not use this file except in compliance with the License.
-//    You may obtain a copy of the License at
+//	Licensed under the Apache License, Version 2.0 (the "License");
+//	you may not use this file except in compliance with the License.
+//	You may obtain a copy of the License at
 //
-//        http://www.apache.org/licenses/LICENSE-2.0
+//	    http://www.apache.org/licenses/LICENSE-2.0
 //
-//    Unless required by applicable law or agreed to in writing, software
-//    distributed under the License is distributed on an "AS IS" BASIS,
-//    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//    See the License for the specific language governing permissions and
-//    limitations under the License.
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS,
+//	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//	See the License for the specific language governing permissions and
+//	limitations under the License.
 package devauth
 
 import (
@@ -510,6 +510,13 @@ func (d *DevAuth) processPreAuthRequest(
 		return nil, err
 	}
 
+	// check if the device is in the decommissioning state
+	if dev.Decommissioning {
+		l := log.FromContext(ctx)
+		l.Warnf("Device %s in the decommissioning state.", dev.Id)
+		return nil, ErrDevAuthUnauthorized
+	}
+
 	currentStatus := dev.Status
 	if dev.Status == model.DevStatusAccepted {
 		deviceAlreadyAccepted = true

devauth/devauth_test.go

@@ -1,4 +1,4 @@
-// Copyright 2022 Northern.tech AS
+// Copyright 2023 Northern.tech AS
 //
 //    Licensed under the Apache License, Version 2.0 (the "License");
 //    you may not use this file except in compliance with the License.
@@ -747,6 +747,26 @@ func TestDevAuthSubmitAuthRequestPreauth(t *testing.T) {
 			},
 			res: dummyToken,
 		},
+		{
+			desc: "ok: device during decommissioning",
+			dbGetAuthSetByDataKeyRes: &model.AuthSet{
+				Id:           dummyAuthID,
+				IdDataSha256: idDataSha256,
+				DeviceId:     dummyDevId,
+				PubKey:       inReq.PubKey,
+				Status:       model.DevStatusPreauth,
+			},
+			dbGetLimitRes: &model.Limit{
+				Value: 5,
+			},
+			dbGetDevCountByStatusRes: 0,
+			dev: &model.Device{
+				Id:              dummyDevId,
+				Status:          model.DevStatusPending,
+				Decommissioning: true,
+			},
+			err: ErrDevAuthUnauthorized,
+		},
 		{
 			desc:                     "error: can't get an existing authset",
 			dbGetAuthSetByDataKeyErr: errors.New("db error"),

tests/docker-compose-acceptance-enterprise.yml

@@ -33,3 +33,4 @@ services:
             DEVICEAUTH_DEVADM_ADDR: "http://acceptance:9997/"
             DEVICEAUTH_HAVE_ADDONS: "1"
             TESTING_LOGS: "1"
+            DEVICEAUTH_ENABLE_REPORTING: "0"

tests/docker-compose-acceptance.yml

@@ -26,3 +26,4 @@ services:
                 DEVICEAUTH_ORCHESTRATOR_ADDR: "http://acceptance:9998/"
                 DEVICEAUTH_DEVADM_ADDR: "http://acceptance:9997/"
                 TESTING_LOGS: "1"
+                DEVICEAUTH_ENABLE_REPORTING: "0"