Allow mTLS renewals if the provisioner extension does not exists.
This fixes a backward compatibility issue with the new LoadProvisionerByCertificate.
parent
2fbff47acf
commit
c8c59d68f5
1 changed files with 7 additions and 1 deletions
@ -284,8 +284,14 @@ func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
|
|||
}
|
||||
p, err := a.LoadProvisionerByCertificate(cert)
|
||||
if err != nil {
|
||||
var ok bool
|
||||
// For backward compatibility this method will also succeed if the
|
||||
// provisioner does not have an extension. LoadByCertificate returns the
|
||||
// noop provisioner if this happens, and it allow certificate renewals.
|
||||
if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
|
||||
return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
|
||||
}
|
||||
}
|
||||
if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
|
||||
return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
|
||||
}
|
||||
|
|
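Review bot: The fallback under `if err != nil {` discards `err` entirely, so every failure of LoadProvisionerByCertificate — not only the missing-extension case the comment describes — is retried through `a.provisioners.LoadByCertificate(cert)`, and the original cause is lost when that fallback also rejects the certificate. If the intent is backward compatibility only for certificates without the provisioner extension, consider narrowing the fallback to that condition where the returned error lets you distinguish it, and in any case carry the original error into the rejection so operators can tell the two cases apart in logs: `return errs.Wrap(http.StatusUnauthorized, err, "authority.authorizeRenew: provisioner not found", opts...)`. The comment line `// noop provisioner if this happens, and it allow certificate renewals.` should read `it allows certificate renewals`. The enclosing authorizeRenew begins before this hunk.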