Fix decoding of certificate.
This commit is contained in:
parent
32390a2964
commit
cb72796a2d
1 changed files with 21 additions and 15 deletions
|
@ -109,7 +109,7 @@ func (p *Nebula) GetEncryptedKey() (kid string, key string, ok bool) {
|
|||
|
||||
// AuthorizeSign returns the list of SignOption for a Sign request.
|
||||
func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
||||
cert, claims, err := p.authorizeToken(token, p.audiences.Sign)
|
||||
crt, claims, err := p.authorizeToken(token, p.audiences.Sign)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -118,7 +118,10 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
|||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
data.Set("Cert", cert)
|
||||
|
||||
// The nebula certificate will be available using the template variable Crt.
|
||||
// For example {{ .Crt.Details.Groups }} can be used to get all the groups.
|
||||
// data.SetCertificate(crt)
|
||||
|
||||
templateOptions, err := TemplateOptions(p.Options, data)
|
||||
if err != nil {
|
||||
|
@ -131,14 +134,14 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
|||
newProvisionerExtensionOption(TypeNebula, p.Name, ""),
|
||||
profileLimitDuration{
|
||||
def: p.claimer.DefaultTLSCertDuration(),
|
||||
notBefore: cert.Details.NotBefore,
|
||||
notAfter: cert.Details.NotAfter,
|
||||
notBefore: crt.Details.NotBefore,
|
||||
notAfter: crt.Details.NotAfter,
|
||||
},
|
||||
// validators
|
||||
commonNameValidator(claims.Subject),
|
||||
nebulaSANsValidator{
|
||||
Name: cert.Details.Name,
|
||||
IPs: cert.Details.Ips,
|
||||
Name: crt.Details.Name,
|
||||
IPs: crt.Details.Ips,
|
||||
},
|
||||
defaultPublicKeyValidator{},
|
||||
newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
|
||||
|
@ -152,16 +155,16 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
|
|||
return nil, errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
|
||||
}
|
||||
|
||||
cert, claims, err := p.authorizeToken(token, p.audiences.SSHSign)
|
||||
crt, claims, err := p.authorizeToken(token, p.audiences.SSHSign)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Default template attributes.
|
||||
keyID := claims.Subject
|
||||
principals := make([]string, len(cert.Details.Ips)+1)
|
||||
principals[0] = cert.Details.Name
|
||||
for i, ipnet := range cert.Details.Ips {
|
||||
principals := make([]string, len(crt.Details.Ips)+1)
|
||||
principals[0] = crt.Details.Name
|
||||
for i, ipnet := range crt.Details.Ips {
|
||||
principals[i+1] = ipnet.IP.String()
|
||||
}
|
||||
|
||||
|
@ -173,8 +176,8 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
|
|||
|
||||
// Check that the token only contains valid principals.
|
||||
v := nebulaPrincipalsValidator{
|
||||
Name: cert.Details.Name,
|
||||
IPs: cert.Details.Ips,
|
||||
Name: crt.Details.Name,
|
||||
IPs: crt.Details.Ips,
|
||||
}
|
||||
if err := v.Valid(*opts); err != nil {
|
||||
return nil, err
|
||||
|
@ -217,7 +220,10 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
|
|||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
data.Set("Cert", cert)
|
||||
|
||||
// The nebula certificate will be available using the template variable Crt.
|
||||
// For example {{ .Crt.Details.Groups }} can be used to get all the groups.
|
||||
// data.SetCertificate(crt)
|
||||
|
||||
templateOptions, err := TemplateSSHOptions(p.Options, data)
|
||||
if err != nil {
|
||||
|
@ -227,7 +233,7 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
|
|||
return append(signOptions,
|
||||
templateOptions,
|
||||
// Checks the validity bounds, and set the validity if has not been set.
|
||||
&sshLimitDuration{p.claimer, cert.Details.NotAfter},
|
||||
&sshLimitDuration{p.claimer, crt.Details.NotAfter},
|
||||
// Validate public key.
|
||||
&sshDefaultPublicKeyValidator{},
|
||||
// Validate the validity period.
|
||||
|
@ -291,7 +297,7 @@ func (p *Nebula) authorizeToken(token string, audiences []string) (*cert.NebulaC
|
|||
if !ok {
|
||||
return nil, nil, errs.Unauthorized("failed to parse token: nbc header is not valid")
|
||||
}
|
||||
b, err := base64.RawURLEncoding.DecodeString(s)
|
||||
b, err := base64.StdEncoding.DecodeString(s)
|
||||
if err != nil {
|
||||
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nbc header is not valid"))
|
||||
}
|
||||
|
|
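Review bot: In the second hunk (AuthorizeSign, around `-118,7 +118,10`) the line `data.Set("Cert", cert)` is removed but its intended replacement is left commented out as `// data.SetCertificate(crt)`, so the template data no longer carries the Nebula certificate at all; the same pattern appears in the AuthorizeSSHSign hunk at `-217,7 +220,10`. The added comment promises that `{{ .Crt.Details.Groups }}` is available, but nothing in the new code sets `Crt`, so any template that reads it (or the old `.Cert`) will render an empty value rather than fail loudly, which matters when templates drive SAN or principal content. Either uncomment `data.SetCertificate(crt)` if that helper accepts the Nebula certificate type, or use the existing setter that the removed line used, `data.Set("Crt", crt)`, in both functions; if the variable name is intentionally changing from Cert to Crt, that is a template compatibility break worth noting in the commit message. Both enclosing functions continue outside their hunks.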