Add disableIssuedAt check functionality

Fixes #86
Mariano Cano 2018-10-24 18:59:48 -07:00
parent f938ab113b
commit 1c1ac1b3fb
2 changed files with 14 additions and 4 deletions


@ -79,6 +79,15 @@ func (a *Authority) Authorize(ott string) ([]api.Claim, error) {
http.StatusUnauthorized, errContext} http.StatusUnauthorized, errContext}
} }
// Do not accept tokens issued before the start of the ca.
// This check is meant as a stopgap solution to the current lack of a persistence layer.
if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
return nil, &apiError{errors.New("token issued before the bootstrap of certificate authority"),
http.StatusUnauthorized, errContext}
}
}
if !containsAtLeastOneAudience(claims.Audience, a.audiences) { if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
return nil, &apiError{errors.New("invalid audience"), http.StatusUnauthorized, return nil, &apiError{errors.New("invalid audience"), http.StatusUnauthorized,
errContext} errContext}
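Review bot: The new guard on the `claims.IssuedAt > 0 && ...` line is skipped entirely for a token that carries no `iat` claim, so a token minted before the CA started (the replay case the comment above says this stopgap exists for) is still accepted if the issuer simply omits `iat`. If the intent is to reject anything not provably issued after `a.startTime`, the condition should treat a missing claim as a failure: `if claims.IssuedAt == 0 || claims.IssuedAt.Time().Before(a.startTime) {`, with the error message widened to mention the missing claim. I cannot see from this hunk whether every provisioner that signs these tokens always sets `iat`, so that assumption should be confirmed before tightening it; if some legitimately do not, the check as written documents a bypass and the comment should say so. Clock skew between the token signer and the CA host is also not accounted for, so a small tolerance around `a.startTime` may be needed to avoid rejecting tokens issued moments before restart. The enclosing `Authorize` function starts before and continues after this hunk.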


@ -71,6 +71,7 @@ type AuthConfig struct {
Template *x509util.ASN1DN `json:"template,omitempty"` Template *x509util.ASN1DN `json:"template,omitempty"`
MinCertDuration *duration `json:"minCertDuration,omitempty"` MinCertDuration *duration `json:"minCertDuration,omitempty"`
MaxCertDuration *duration `json:"maxCertDuration,omitempty"` MaxCertDuration *duration `json:"maxCertDuration,omitempty"`
DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
} }
// Validate validates the authority configuration. // Validate validates the authority configuration.
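Review bot: The new `DisableIssuedAtCheck` field has no doc comment, unlike the surrounding exported fields, and it is a security-relevant switch whose effect is only described in a comment in another file. I would document it at the declaration: `// DisableIssuedAtCheck skips the rejection of tokens issued before the CA started. That check is a stopgap against token replay across restarts, so only disable it once used tokens are tracked elsewhere.` The `AuthConfig` struct begins before this hunk, and the `Validate` method that follows may want to log or warn when the flag is set, but its body is outside the view.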