Allow mTLS renewals if the provisioner extension does not exists.
This fixes a backward compatibility issue with the new LoadProvisionerByCertificate.
parent
2fbff47acf
commit
c8c59d68f5
1 changed files with 7 additions and 1 deletions
|
@ -284,7 +284,13 @@ func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
|
||||||
}
|
}
|
||||||
p, err := a.LoadProvisionerByCertificate(cert)
|
p, err := a.LoadProvisionerByCertificate(cert)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
|
var ok bool
|
||||||
|
// For backward compatibility this method will also succeed if the
|
||||||
|
// provisioner does not have an extension. LoadByCertificate returns the
|
||||||
|
// noop provisioner if this happens, and it allow certificate renewals.
|
||||||
|
if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
|
||||||
|
return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
|
if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
|
||||||
return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
|
return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
|
||||||
|
|
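Review bot: The fallback inside `if err != nil` runs for every error returned by `a.LoadProvisionerByCertificate(cert)` and then drops that error, so it is not limited to the missing-extension case the comment describes. If that call can also fail for other reasons (its body is not visible here), those failures are silently retried through `a.provisioners.LoadByCertificate(cert)` and the original cause is lost. Per the comment, a certificate without the extension is renewed under the noop provisioner, which presumably means no provisioner-level renewal policy is applied to it. The comment should state that consequence, e.g. `// NOTE: certificates without the provisioner extension are renewed without any provisioner policy check.`, and a test should pin that a certificate whose extension names an unknown provisioner is still rejected. `authorizeRenew` begins and ends outside the hunk.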