From b401376829199e2196181c84781a4f72e0acd9dc Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 21 Mar 2022 19:21:40 -0700
Subject: [PATCH] Add current provisioner to AuthorizeSign SignOptions.

The original provisioner cannot be retrieved from a certificate if a linked ra is used.
---
 authority/provisioner/acme.go | 1 +
 authority/provisioner/aws.go | 1 +
 authority/provisioner/azure.go | 1 +
 authority/provisioner/gcp.go | 1 +
 authority/provisioner/jwk.go | 1 +
 authority/provisioner/k8sSA.go | 1 +
 authority/provisioner/nebula.go | 1 +
 authority/provisioner/noop.go | 2 +-
 authority/provisioner/oidc.go | 1 +
 authority/provisioner/scep.go | 1 +
 authority/provisioner/x5c.go | 1 +
 11 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go
index 913d0ace..b5d806ab 100644
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@@ -89,6 +89,7 @@ func (p *ACME) Init(config Config) (err error) {
 // on the resulting certificate.
 func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 return []SignOption{
+ p,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeACME, p.Name, ""),
 newForceCNOption(p.ForceCN),
diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index 5f79d7d0..9d27e016 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -467,6 +467,7 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 }
 return append(so,
+ p,
 templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID),
diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go
index d9654566..58ce47b3 100644
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
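Review bot: In the acme.go hunk the provisioner is inserted above the `// modifiers / withOptions` comment with nothing saying why it is there, and the AuthorizeSign doc comment (only its last line, `// on the resulting certificate.`, is in the hunk) does not mention the new first element. A comment on the added line would keep the intent with the code, `p, // the provisioner itself, so the CA can recover it when a linked RA signed the request`, and the function comment should state that the first returned option is the provisioner. Nothing in this patch shows how the signing side picks the provisioner out of the options; if it does so with a type switch on an interface the provisioner types satisfy, any other option interface a provisioner type happens to implement would be matched as well, which is worth confirming on the consumer side. The same documentation point applies to the other ten hunks in this patch.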
@@ -349,6 +349,7 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 }
 return append(so,
+ p,
 templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID),
diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go
index 6070b640..69d909a2 100644
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@@ -262,6 +262,7 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 }
 return append(so,
+ p,
 templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName),
diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index c014bec0..3c5032fb 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -170,6 +170,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 }
 return []SignOption{
+ p,
 templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),
diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go
index 557d571a..083773e0 100644
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@@ -231,6 +231,7 @@ func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 }
 return []SignOption{
+ p,
 templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeK8sSA, p.Name, ""),
diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index 1a6eee3e..4216e997 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -144,6 +144,7 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 }
 return []SignOption{
+ p,
 templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeNebula, p.Name, ""),
diff --git a/authority/provisioner/noop.go b/authority/provisioner/noop.go
index 1709fbca..39661e54 100644
--- a/authority/provisioner/noop.go
+++ b/authority/provisioner/noop.go
@@ -38,7 +38,7 @@ func (p *noop) Init(config Config) error {
 }
 func (p *noop) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
- return []SignOption{}, nil
+ return []SignOption{p}, nil
 }
 func (p *noop) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index 1fc9bb4b..3a9398a2 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -345,6 +345,7 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
 }
 return []SignOption{
+ o,
 templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID),
diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go
index f4cffd78..9dc1edd8 100644
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -121,6 +121,7 @@ func (s *SCEP) Init(config Config) (err error) {
 // on the resulting certificate.
 func (s *SCEP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 return []SignOption{
+ s,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeSCEP, s.Name, ""),
 newForceCNOption(s.ForceCN),
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 6f534c76..4f3e5899 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -218,6 +218,7 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 }
 return []SignOption{
+ p,
 templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeX5C, p.Name, ""),
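Review bot: The noop.go hunk makes the placeholder provisioner return itself as a sign option, so a consumer that reads the provisioner out of the options now sees a noop value where it previously saw none; if that value feeds the provisioner extension, audit output, or a policy decision, the noop case should be handled deliberately rather than pass as a configured provisioner. The patch also edits eleven AuthorizeSign implementations by hand with no test covering the new element; a table-driven test that asserts `if so[0] != p { t.Fatalf("first option is %T, want the provisioner", so[0]) }` for every provisioner type (and `len(so) == 1` for noop) would catch one missed now or added later without it. The AuthorizeRenew context line that closes this hunk belongs to a function that continues outside the hunk.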