Set full token payload instead of only the known properties.

This commit is contained in:
Mariano Cano 2020-07-21 11:41:36 -07:00
parent 0c8376a7f6
commit 02c4f9817d
10 changed files with 50 additions and 11 deletions

View file

@ -281,8 +281,10 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
// Template options // Template options
data := x509util.NewTemplateData() data := x509util.NewTemplateData()
data.SetToken(payload)
data.SetCommonName(payload.Claims.Subject) data.SetCommonName(payload.Claims.Subject)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
// Enforce known CN and default DNS and IP if configured. // Enforce known CN and default DNS and IP if configured.
// By default we'll accept the CN and SANs in the CSR. // By default we'll accept the CN and SANs in the CSR.

View file

@ -259,7 +259,7 @@ func (p *Azure) authorizeToken(token string) (*azurePayload, string, string, err
// AuthorizeSign validates the given token and returns the sign options that // AuthorizeSign validates the given token and returns the sign options that
// will be used on certificate creation. // will be used on certificate creation.
func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
payload, name, group, err := p.authorizeToken(token) _, name, group, err := p.authorizeToken(token)
if err != nil { if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSign") return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSign")
} }
@ -280,8 +280,10 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
// Template options // Template options
data := x509util.NewTemplateData() data := x509util.NewTemplateData()
data.SetToken(payload)
data.SetCommonName(name) data.SetCommonName(name)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
// Enforce known common name and default DNS if configured. // Enforce known common name and default DNS if configured.
// By default we'll accept the CN and SANs in the CSR. // By default we'll accept the CN and SANs in the CSR.

View file

@ -220,8 +220,10 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
// Template options // Template options
data := x509util.NewTemplateData() data := x509util.NewTemplateData()
data.SetToken(claims)
data.SetCommonName(ce.InstanceName) data.SetCommonName(ce.InstanceName)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
// Enforce known common name and default DNS if configured. // Enforce known common name and default DNS if configured.
// By default we we'll accept the CN and SANs in the CSR. // By default we we'll accept the CN and SANs in the CSR.

View file

@ -155,7 +155,9 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
// Certificate templates // Certificate templates
data := x509util.CreateTemplateData(claims.Subject, claims.SANs) data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
data.SetToken(claims) if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
templateOptions, err := TemplateOptions(p.Options, data) templateOptions, err := TemplateOptions(p.Options, data)
if err != nil { if err != nil {

View file

@ -213,8 +213,10 @@ func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
// Add some values to use in custom templates. // Add some values to use in custom templates.
data := x509util.NewTemplateData() data := x509util.NewTemplateData()
data.SetToken(claims)
data.SetCommonName(claims.ServiceAccountName) data.SetCommonName(claims.ServiceAccountName)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
// Certificate templates: on K8sSA the default template is the certificate // Certificate templates: on K8sSA the default template is the certificate
// request. // request.

View file

@ -318,7 +318,9 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
} }
data := x509util.CreateTemplateData(claims.Subject, sans) data := x509util.CreateTemplateData(claims.Subject, sans)
data.SetToken(claims) if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
// Use the default template unless no-templates are configured and email is // Use the default template unless no-templates are configured and email is
// an admin, in that case we will use the CR template. // an admin, in that case we will use the CR template.

View file

@ -6,6 +6,7 @@ import (
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/x509util" "github.com/smallstep/certificates/x509util"
"github.com/smallstep/cli/jose"
) )
// CertificateOptions is an interface that returns a list of options passed when // CertificateOptions is an interface that returns a list of options passed when
@ -106,3 +107,17 @@ func CustomTemplateOptions(o *ProvisionerOptions, data x509util.TemplateData, de
} }
}), nil }), nil
} }
// unsafeParseSigned parses the given token and returns all the claims without
// verifying the signature of the token.
func unsafeParseSigned(s string) (map[string]interface{}, error) {
token, err := jose.ParseSigned(s)
if err != nil {
return nil, err
}
claims := make(map[string]interface{})
if err = token.UnsafeClaimsWithoutVerification(&claims); err != nil {
return nil, err
}
return claims, nil
}

View file

@ -197,7 +197,9 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
// Certificate templates // Certificate templates
data := x509util.CreateTemplateData(claims.Subject, claims.SANs) data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
data.SetToken(claims) if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
templateOptions, err := TemplateOptions(p.Options, data) templateOptions, err := TemplateOptions(p.Options, data)
if err != nil { if err != nil {

View file

@ -147,9 +147,9 @@ func TestNewCertificate(t *testing.T) {
SANsKey: []SubjectAlternativeName{ SANsKey: []SubjectAlternativeName{
{Type: "dns", Value: "foo.com"}, {Type: "dns", Value: "foo.com"},
}, },
TokenKey: map[string]string{ TokenKey: map[string]interface{}{
"Issuer": "https://iss", "iss": "https://iss",
"Subject": "sub", "sub": "sub",
}, },
})}}, &Certificate{ })}}, &Certificate{
Subject: Subject{CommonName: "commonName"}, Subject: Subject{CommonName: "commonName"},

View file

@ -44,10 +44,12 @@ func CreateTemplateData(commonName string, sans []string) TemplateData {
} }
} }
// Set sets a key-value pair in the template data.
func (t TemplateData) Set(key string, v interface{}) { func (t TemplateData) Set(key string, v interface{}) {
t[key] = v t[key] = v
} }
// SetInsecure sets a key-value pair in the insecure template data.
func (t TemplateData) SetInsecure(key string, v interface{}) { func (t TemplateData) SetInsecure(key string, v interface{}) {
if m, ok := t[InsecureKey].(TemplateData); ok { if m, ok := t[InsecureKey].(TemplateData); ok {
m[key] = v m[key] = v
@ -56,28 +58,36 @@ func (t TemplateData) SetInsecure(key string, v interface{}) {
} }
} }
// SetSubject sets the given subject in the template data.
func (t TemplateData) SetSubject(v Subject) { func (t TemplateData) SetSubject(v Subject) {
t.Set(SubjectKey, v) t.Set(SubjectKey, v)
} }
// SetCommonName sets the given common name in the subject in the template data.
func (t TemplateData) SetCommonName(cn string) { func (t TemplateData) SetCommonName(cn string) {
s, _ := t[SubjectKey].(Subject) s, _ := t[SubjectKey].(Subject)
s.CommonName = cn s.CommonName = cn
t[SubjectKey] = s t[SubjectKey] = s
} }
// SetSANs sets the given SANs in the template data.
func (t TemplateData) SetSANs(sans []string) { func (t TemplateData) SetSANs(sans []string) {
t.Set(SANsKey, CreateSANs(sans)) t.Set(SANsKey, CreateSANs(sans))
} }
// SetToken sets the given token in the template data.
func (t TemplateData) SetToken(v interface{}) { func (t TemplateData) SetToken(v interface{}) {
t.Set(TokenKey, v) t.Set(TokenKey, v)
} }
// SetUserData sets the given user provided object in the insecure template
// data.
func (t TemplateData) SetUserData(v interface{}) { func (t TemplateData) SetUserData(v interface{}) {
t.SetInsecure(UserKey, v) t.SetInsecure(UserKey, v)
} }
// SetCertificateRequest sets the given certificate request in the insecure
// template data.
func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) { func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) {
t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr)) t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr))
} }