Recalculate token id instead of validating it.
This commit is contained in:
parent
86c947babc
commit
5017b7d21f
2 changed files with 5 additions and 24 deletions
|
@ -284,7 +284,11 @@ func (p *AWS) GetTokenID(token string) (string, error) {
|
|||
sum := sha256.Sum256([]byte(token))
|
||||
return strings.ToLower(hex.EncodeToString(sum[:])), nil
|
||||
}
|
||||
return payload.ID, nil
|
||||
|
||||
// Use provisioner + instance-id as the identifier.
|
||||
unique := fmt.Sprintf("%s.%s", p.GetID(), payload.document.InstanceID)
|
||||
sum := sha256.Sum256([]byte(unique))
|
||||
return strings.ToLower(hex.EncodeToString(sum[:])), nil
|
||||
}
|
||||
|
||||
// GetName returns the name of the provisioner.
|
||||
|
@ -631,13 +635,6 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
|
|||
return nil, errs.Unauthorized("aws.authorizeToken; aws identity document region cannot be empty")
|
||||
}
|
||||
|
||||
// Recalculate and validate payload.ID
|
||||
unique := fmt.Sprintf("%s.%s", p.GetID(), doc.InstanceID)
|
||||
sum := sha256.Sum256([]byte(unique))
|
||||
if payload.ID != strings.ToLower(hex.EncodeToString(sum[:])) {
|
||||
return nil, errs.Unauthorized("aws.authorizeToken; invalid token id")
|
||||
}
|
||||
|
||||
// According to "rfc7519 JSON Web Token" acceptable skew should be no
|
||||
// more than a few minutes.
|
||||
now := time.Now().UTC()
|
||||
|
|
|
@ -470,22 +470,6 @@ func TestAWS_authorizeToken(t *testing.T) {
|
|||
err: errors.New("aws.authorizeToken; aws identity document pendingTime is too old"),
|
||||
}
|
||||
},
|
||||
"fail/payloadId": func(t *testing.T) test {
|
||||
p, err := generateAWS()
|
||||
assert.FatalError(t, err)
|
||||
p2, err := generateAWS()
|
||||
assert.FatalError(t, err)
|
||||
tok, err := generateAWSToken(
|
||||
p2, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
|
||||
"127.0.0.1", "us-west-1", time.Now(), key)
|
||||
assert.FatalError(t, err)
|
||||
return test{
|
||||
p: p,
|
||||
token: tok,
|
||||
code: http.StatusUnauthorized,
|
||||
err: errors.New("aws.authorizeToken; invalid token id"),
|
||||
}
|
||||
},
|
||||
"ok": func(t *testing.T) test {
|
||||
p, err := generateAWS()
|
||||
assert.FatalError(t, err)
|
||||
|
|
Loading…
Reference in a new issue