Set full token payload instead of only the known properties.
This commit is contained in:
parent
0c8376a7f6
commit
02c4f9817d
10 changed files with 50 additions and 11 deletions
|
@ -281,8 +281,10 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
|
|
||||||
// Template options
|
// Template options
|
||||||
data := x509util.NewTemplateData()
|
data := x509util.NewTemplateData()
|
||||||
data.SetToken(payload)
|
|
||||||
data.SetCommonName(payload.Claims.Subject)
|
data.SetCommonName(payload.Claims.Subject)
|
||||||
|
if v, err := unsafeParseSigned(token); err == nil {
|
||||||
|
data.SetToken(v)
|
||||||
|
}
|
||||||
|
|
||||||
// Enforce known CN and default DNS and IP if configured.
|
// Enforce known CN and default DNS and IP if configured.
|
||||||
// By default we'll accept the CN and SANs in the CSR.
|
// By default we'll accept the CN and SANs in the CSR.
|
||||||
|
|
|
@ -259,7 +259,7 @@ func (p *Azure) authorizeToken(token string) (*azurePayload, string, string, err
|
||||||
// AuthorizeSign validates the given token and returns the sign options that
|
// AuthorizeSign validates the given token and returns the sign options that
|
||||||
// will be used on certificate creation.
|
// will be used on certificate creation.
|
||||||
func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
||||||
payload, name, group, err := p.authorizeToken(token)
|
_, name, group, err := p.authorizeToken(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSign")
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSign")
|
||||||
}
|
}
|
||||||
|
@ -280,8 +280,10 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
||||||
|
|
||||||
// Template options
|
// Template options
|
||||||
data := x509util.NewTemplateData()
|
data := x509util.NewTemplateData()
|
||||||
data.SetToken(payload)
|
|
||||||
data.SetCommonName(name)
|
data.SetCommonName(name)
|
||||||
|
if v, err := unsafeParseSigned(token); err == nil {
|
||||||
|
data.SetToken(v)
|
||||||
|
}
|
||||||
|
|
||||||
// Enforce known common name and default DNS if configured.
|
// Enforce known common name and default DNS if configured.
|
||||||
// By default we'll accept the CN and SANs in the CSR.
|
// By default we'll accept the CN and SANs in the CSR.
|
||||||
|
|
|
@ -220,8 +220,10 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
|
|
||||||
// Template options
|
// Template options
|
||||||
data := x509util.NewTemplateData()
|
data := x509util.NewTemplateData()
|
||||||
data.SetToken(claims)
|
|
||||||
data.SetCommonName(ce.InstanceName)
|
data.SetCommonName(ce.InstanceName)
|
||||||
|
if v, err := unsafeParseSigned(token); err == nil {
|
||||||
|
data.SetToken(v)
|
||||||
|
}
|
||||||
|
|
||||||
// Enforce known common name and default DNS if configured.
|
// Enforce known common name and default DNS if configured.
|
||||||
// By default we we'll accept the CN and SANs in the CSR.
|
// By default we we'll accept the CN and SANs in the CSR.
|
||||||
|
|
|
@ -155,7 +155,9 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
|
|
||||||
// Certificate templates
|
// Certificate templates
|
||||||
data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
|
data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
|
||||||
data.SetToken(claims)
|
if v, err := unsafeParseSigned(token); err == nil {
|
||||||
|
data.SetToken(v)
|
||||||
|
}
|
||||||
|
|
||||||
templateOptions, err := TemplateOptions(p.Options, data)
|
templateOptions, err := TemplateOptions(p.Options, data)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -213,8 +213,10 @@ func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
||||||
|
|
||||||
// Add some values to use in custom templates.
|
// Add some values to use in custom templates.
|
||||||
data := x509util.NewTemplateData()
|
data := x509util.NewTemplateData()
|
||||||
data.SetToken(claims)
|
|
||||||
data.SetCommonName(claims.ServiceAccountName)
|
data.SetCommonName(claims.ServiceAccountName)
|
||||||
|
if v, err := unsafeParseSigned(token); err == nil {
|
||||||
|
data.SetToken(v)
|
||||||
|
}
|
||||||
|
|
||||||
// Certificate templates: on K8sSA the default template is the certificate
|
// Certificate templates: on K8sSA the default template is the certificate
|
||||||
// request.
|
// request.
|
||||||
|
|
|
@ -318,7 +318,9 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
|
||||||
}
|
}
|
||||||
|
|
||||||
data := x509util.CreateTemplateData(claims.Subject, sans)
|
data := x509util.CreateTemplateData(claims.Subject, sans)
|
||||||
data.SetToken(claims)
|
if v, err := unsafeParseSigned(token); err == nil {
|
||||||
|
data.SetToken(v)
|
||||||
|
}
|
||||||
|
|
||||||
// Use the default template unless no-templates are configured and email is
|
// Use the default template unless no-templates are configured and email is
|
||||||
// an admin, in that case we will use the CR template.
|
// an admin, in that case we will use the CR template.
|
||||||
|
|
|
@ -6,6 +6,7 @@ import (
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/smallstep/certificates/x509util"
|
"github.com/smallstep/certificates/x509util"
|
||||||
|
"github.com/smallstep/cli/jose"
|
||||||
)
|
)
|
||||||
|
|
||||||
// CertificateOptions is an interface that returns a list of options passed when
|
// CertificateOptions is an interface that returns a list of options passed when
|
||||||
|
@ -106,3 +107,17 @@ func CustomTemplateOptions(o *ProvisionerOptions, data x509util.TemplateData, de
|
||||||
}
|
}
|
||||||
}), nil
|
}), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// unsafeParseSigned parses the given token and returns all the claims without
|
||||||
|
// verifying the signature of the token.
|
||||||
|
func unsafeParseSigned(s string) (map[string]interface{}, error) {
|
||||||
|
token, err := jose.ParseSigned(s)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
claims := make(map[string]interface{})
|
||||||
|
if err = token.UnsafeClaimsWithoutVerification(&claims); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return claims, nil
|
||||||
|
}
|
||||||
|
|
|
@ -197,7 +197,9 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
|
|
||||||
// Certificate templates
|
// Certificate templates
|
||||||
data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
|
data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
|
||||||
data.SetToken(claims)
|
if v, err := unsafeParseSigned(token); err == nil {
|
||||||
|
data.SetToken(v)
|
||||||
|
}
|
||||||
|
|
||||||
templateOptions, err := TemplateOptions(p.Options, data)
|
templateOptions, err := TemplateOptions(p.Options, data)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -147,9 +147,9 @@ func TestNewCertificate(t *testing.T) {
|
||||||
SANsKey: []SubjectAlternativeName{
|
SANsKey: []SubjectAlternativeName{
|
||||||
{Type: "dns", Value: "foo.com"},
|
{Type: "dns", Value: "foo.com"},
|
||||||
},
|
},
|
||||||
TokenKey: map[string]string{
|
TokenKey: map[string]interface{}{
|
||||||
"Issuer": "https://iss",
|
"iss": "https://iss",
|
||||||
"Subject": "sub",
|
"sub": "sub",
|
||||||
},
|
},
|
||||||
})}}, &Certificate{
|
})}}, &Certificate{
|
||||||
Subject: Subject{CommonName: "commonName"},
|
Subject: Subject{CommonName: "commonName"},
|
||||||
|
|
|
@ -44,10 +44,12 @@ func CreateTemplateData(commonName string, sans []string) TemplateData {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Set sets a key-value pair in the template data.
|
||||||
func (t TemplateData) Set(key string, v interface{}) {
|
func (t TemplateData) Set(key string, v interface{}) {
|
||||||
t[key] = v
|
t[key] = v
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetInsecure sets a key-value pair in the insecure template data.
|
||||||
func (t TemplateData) SetInsecure(key string, v interface{}) {
|
func (t TemplateData) SetInsecure(key string, v interface{}) {
|
||||||
if m, ok := t[InsecureKey].(TemplateData); ok {
|
if m, ok := t[InsecureKey].(TemplateData); ok {
|
||||||
m[key] = v
|
m[key] = v
|
||||||
|
@ -56,28 +58,36 @@ func (t TemplateData) SetInsecure(key string, v interface{}) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetSubject sets the given subject in the template data.
|
||||||
func (t TemplateData) SetSubject(v Subject) {
|
func (t TemplateData) SetSubject(v Subject) {
|
||||||
t.Set(SubjectKey, v)
|
t.Set(SubjectKey, v)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetCommonName sets the given common name in the subject in the template data.
|
||||||
func (t TemplateData) SetCommonName(cn string) {
|
func (t TemplateData) SetCommonName(cn string) {
|
||||||
s, _ := t[SubjectKey].(Subject)
|
s, _ := t[SubjectKey].(Subject)
|
||||||
s.CommonName = cn
|
s.CommonName = cn
|
||||||
t[SubjectKey] = s
|
t[SubjectKey] = s
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetSANs sets the given SANs in the template data.
|
||||||
func (t TemplateData) SetSANs(sans []string) {
|
func (t TemplateData) SetSANs(sans []string) {
|
||||||
t.Set(SANsKey, CreateSANs(sans))
|
t.Set(SANsKey, CreateSANs(sans))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetToken sets the given token in the template data.
|
||||||
func (t TemplateData) SetToken(v interface{}) {
|
func (t TemplateData) SetToken(v interface{}) {
|
||||||
t.Set(TokenKey, v)
|
t.Set(TokenKey, v)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetUserData sets the given user provided object in the insecure template
|
||||||
|
// data.
|
||||||
func (t TemplateData) SetUserData(v interface{}) {
|
func (t TemplateData) SetUserData(v interface{}) {
|
||||||
t.SetInsecure(UserKey, v)
|
t.SetInsecure(UserKey, v)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetCertificateRequest sets the given certificate request in the insecure
|
||||||
|
// template data.
|
||||||
func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) {
|
func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) {
|
||||||
t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr))
|
t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr))
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue