Rename interface to CertificateEnforcer and add tests.
This commit is contained in:
parent
64f26c0f40
commit
bfe1f4952d
4 changed files with 53 additions and 15 deletions
|
@ -489,7 +489,7 @@ type identityModifier struct {
|
|||
NotAfter time.Time
|
||||
}
|
||||
|
||||
func (m *identityModifier) Constrain(cert *x509.Certificate) error {
|
||||
func (m *identityModifier) Enforce(cert *x509.Certificate) error {
|
||||
cert.NotBefore = m.NotBefore
|
||||
cert.NotAfter = m.NotAfter
|
||||
return nil
|
||||
|
|
|
@ -47,11 +47,11 @@ type ProfileModifier interface {
|
|||
Option(o Options) x509util.WithOption
|
||||
}
|
||||
|
||||
// CertificateConstrainModifier is the interface used to modify a certificate
|
||||
// after validation.
|
||||
type CertificateConstrainModifier interface {
|
||||
// CertificateEnforcer is the interface used to modify a certificate after
|
||||
// validation.
|
||||
type CertificateEnforcer interface {
|
||||
SignOption
|
||||
Constrain(cert *x509.Certificate) error
|
||||
Enforce(cert *x509.Certificate) error
|
||||
}
|
||||
|
||||
// profileWithOption is a wrapper against x509util.WithOption to conform the
|
||||
|
|
|
@ -61,10 +61,10 @@ func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
|
|||
// Sign creates a signed certificate from a certificate signing request.
|
||||
func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Options, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
||||
var (
|
||||
opts = []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)}
|
||||
mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
|
||||
certValidators = []provisioner.CertificateValidator{}
|
||||
constrainModifiers = []provisioner.CertificateConstrainModifier{}
|
||||
opts = []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)}
|
||||
mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
|
||||
certValidators = []provisioner.CertificateValidator{}
|
||||
forcedModifiers = []provisioner.CertificateEnforcer{}
|
||||
)
|
||||
|
||||
// Set backdate with the configured value
|
||||
|
@ -80,8 +80,8 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
|
|||
}
|
||||
case provisioner.ProfileModifier:
|
||||
mods = append(mods, k.Option(signOpts))
|
||||
case provisioner.CertificateConstrainModifier:
|
||||
constrainModifiers = append(constrainModifiers, k)
|
||||
case provisioner.CertificateEnforcer:
|
||||
forcedModifiers = append(forcedModifiers, k)
|
||||
default:
|
||||
return nil, errs.InternalServer("authority.Sign; invalid extra option type %T", append([]interface{}{k}, opts...)...)
|
||||
}
|
||||
|
@ -104,8 +104,8 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
|
|||
}
|
||||
|
||||
// Certificate modifier after validation
|
||||
for _, m := range constrainModifiers {
|
||||
if err := m.Constrain(leaf.Subject()); err != nil {
|
||||
for _, m := range forcedModifiers {
|
||||
if err := m.Enforce(leaf.Subject()); err != nil {
|
||||
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
||||
}
|
||||
}
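Review bot: The new local `forcedModifiers` no longer matches the type it holds — the interface is now `CertificateEnforcer` with an `Enforce` method — so the name is the only place the "forced" vocabulary survives and tells a reader nothing the type does not; `enforcers = []provisioner.CertificateEnforcer{}` (plus the two uses in the type switch and the loop) would keep the naming consistent. The comment above the loop, `// Certificate modifier after validation`, is worth sharpening now that the loop is the enforcer pass: it presumably runs only after every `CertificateValidator` has accepted the certificate, so whatever an enforcer writes (NotBefore/NotAfter in the enforcer shown in this commit) is not checked again; suggest `// Enforcers run after validation; fields they set are not re-validated.`. The existing wrap returns an enforcer error as 401 Unauthorized, which can mislead when an enforcer fails for a reason other than authorization — a one-line comment stating that this is intentional would help. Sign starts before the first hunk and ends after the last one.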
|
||||
|
|
|
@ -41,6 +41,17 @@ type stepProvisionerASN1 struct {
|
|||
CredentialID []byte
|
||||
}
|
||||
|
||||
type certificateDurationEnforcer struct {
|
||||
NotBefore time.Time
|
||||
NotAfter time.Time
|
||||
}
|
||||
|
||||
func (m *certificateDurationEnforcer) Enforce(cert *x509.Certificate) error {
|
||||
cert.NotBefore = m.NotBefore
|
||||
cert.NotAfter = m.NotAfter
|
||||
return nil
|
||||
}
|
||||
|
||||
func withProvisionerOID(name, kid string) x509util.WithOption {
|
||||
return func(p x509util.Profile) error {
|
||||
crt := p.Subject()
|
||||
|
@ -114,6 +125,8 @@ func TestAuthority_Sign(t *testing.T) {
|
|||
csr *x509.CertificateRequest
|
||||
signOpts provisioner.Options
|
||||
extraOpts []provisioner.SignOption
|
||||
notBefore time.Time
|
||||
notAfter time.Time
|
||||
err error
|
||||
code int
|
||||
}
|
||||
|
@ -253,6 +266,31 @@ ZYtQ9Ot36qc=
|
|||
csr: csr,
|
||||
extraOpts: extraOpts,
|
||||
signOpts: signOpts,
|
||||
notBefore: signOpts.NotBefore.Time().Truncate(time.Second),
|
||||
notAfter: signOpts.NotAfter.Time().Truncate(time.Second),
|
||||
}
|
||||
},
|
||||
"ok with enforced modifier": func(t *testing.T) *signTest {
|
||||
csr := getCSR(t, priv)
|
||||
now := time.Now().UTC()
|
||||
enforcedExtraOptions := append(extraOpts, &certificateDurationEnforcer{
|
||||
NotBefore: now,
|
||||
NotAfter: now.Add(365 * 24 * time.Hour),
|
||||
})
|
||||
_a := testAuthority(t)
|
||||
_a.db = &db.MockAuthDB{
|
||||
MStoreCertificate: func(crt *x509.Certificate) error {
|
||||
assert.Equals(t, crt.Subject.CommonName, "smallstep test")
|
||||
return nil
|
||||
},
|
||||
}
|
||||
return &signTest{
|
||||
auth: a,
|
||||
csr: csr,
|
||||
extraOpts: enforcedExtraOptions,
|
||||
signOpts: signOpts,
|
||||
notBefore: now.Truncate(time.Second),
|
||||
notAfter: now.Add(365 * 24 * time.Hour).Truncate(time.Second),
|
||||
}
|
||||
},
|
||||
}
|
||||
|
@ -279,8 +317,8 @@ ZYtQ9Ot36qc=
|
|||
leaf := certChain[0]
|
||||
intermediate := certChain[1]
|
||||
if assert.Nil(t, tc.err) {
|
||||
assert.Equals(t, leaf.NotBefore, signOpts.NotBefore.Time().Truncate(time.Second))
|
||||
assert.Equals(t, leaf.NotAfter, signOpts.NotAfter.Time().Truncate(time.Second))
|
||||
assert.Equals(t, leaf.NotBefore, tc.notBefore)
|
||||
assert.Equals(t, leaf.NotAfter, tc.notAfter)
|
||||
tmplt := a.config.AuthorityConfig.Template
|
||||
assert.Equals(t, fmt.Sprintf("%v", leaf.Subject),
|
||||
fmt.Sprintf("%v", &pkix.Name{
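Review bot: In the new "ok with enforced modifier" case the mock database is attached to `_a` (`_a := testAuthority(t)`, `_a.db = &db.MockAuthDB{...}`) but the returned signTest uses `auth: a`, so the mocked `MStoreCertificate` and its `assert.Equals` on the CommonName never execute and the case signs through whatever `a` (declared outside the hunk) is configured with; change the literal to `auth: _a,`. The `_a` prefix on a live variable also reads as "unused" — `enforcedAuth := testAuthority(t)` would be clearer. `enforcedExtraOptions := append(extraOpts, &certificateDurationEnforcer{...})` appends onto a slice shared with the other cases; if `extraOpts` has spare capacity this writes into its backing array, so building it from a copy first (`append([]provisioner.SignOption(nil), extraOpts...)`) rules out cross-case aliasing. TestAuthority_Sign starts and ends outside these hunks.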
|
||||
|
|