Fix decoding of certificate.

This commit is contained in:
Mariano Cano 2021-12-29 16:07:05 -08:00
parent 32390a2964
commit cb72796a2d


@ -109,7 +109,7 @@ func (p *Nebula) GetEncryptedKey() (kid string, key string, ok bool) {
// AuthorizeSign returns the list of SignOption for a Sign request. // AuthorizeSign returns the list of SignOption for a Sign request.
func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
cert, claims, err := p.authorizeToken(token, p.audiences.Sign) crt, claims, err := p.authorizeToken(token, p.audiences.Sign)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -118,7 +118,10 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
if v, err := unsafeParseSigned(token); err == nil { if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v) data.SetToken(v)
} }
data.Set("Cert", cert)
// The nebula certificate will be available using the template variable Crt.
// For example {{ .Crt.Details.Groups }} can be used to get all the groups.
// data.SetCertificate(crt)
templateOptions, err := TemplateOptions(p.Options, data) templateOptions, err := TemplateOptions(p.Options, data)
if err != nil { if err != nil {
@ -131,14 +134,14 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
newProvisionerExtensionOption(TypeNebula, p.Name, ""), newProvisionerExtensionOption(TypeNebula, p.Name, ""),
profileLimitDuration{ profileLimitDuration{
def: p.claimer.DefaultTLSCertDuration(), def: p.claimer.DefaultTLSCertDuration(),
notBefore: cert.Details.NotBefore, notBefore: crt.Details.NotBefore,
notAfter: cert.Details.NotAfter, notAfter: crt.Details.NotAfter,
}, },
// validators // validators
commonNameValidator(claims.Subject), commonNameValidator(claims.Subject),
nebulaSANsValidator{ nebulaSANsValidator{
Name: cert.Details.Name, Name: crt.Details.Name,
IPs: cert.Details.Ips, IPs: crt.Details.Ips,
}, },
defaultPublicKeyValidator{}, defaultPublicKeyValidator{},
newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()), newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
@ -152,16 +155,16 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
return nil, errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name) return nil, errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
} }
cert, claims, err := p.authorizeToken(token, p.audiences.SSHSign) crt, claims, err := p.authorizeToken(token, p.audiences.SSHSign)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Default template attributes. // Default template attributes.
keyID := claims.Subject keyID := claims.Subject
principals := make([]string, len(cert.Details.Ips)+1) principals := make([]string, len(crt.Details.Ips)+1)
principals[0] = cert.Details.Name principals[0] = crt.Details.Name
for i, ipnet := range cert.Details.Ips { for i, ipnet := range crt.Details.Ips {
principals[i+1] = ipnet.IP.String() principals[i+1] = ipnet.IP.String()
} }
@ -173,8 +176,8 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
// Check that the token only contains valid principals. // Check that the token only contains valid principals.
v := nebulaPrincipalsValidator{ v := nebulaPrincipalsValidator{
Name: cert.Details.Name, Name: crt.Details.Name,
IPs: cert.Details.Ips, IPs: crt.Details.Ips,
} }
if err := v.Valid(*opts); err != nil { if err := v.Valid(*opts); err != nil {
return nil, err return nil, err
@ -217,7 +220,10 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
if v, err := unsafeParseSigned(token); err == nil { if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v) data.SetToken(v)
} }
data.Set("Cert", cert)
// The nebula certificate will be available using the template variable Crt.
// For example {{ .Crt.Details.Groups }} can be used to get all the groups.
// data.SetCertificate(crt)
templateOptions, err := TemplateSSHOptions(p.Options, data) templateOptions, err := TemplateSSHOptions(p.Options, data)
if err != nil { if err != nil {
@ -227,7 +233,7 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
return append(signOptions, return append(signOptions,
templateOptions, templateOptions,
// Checks the validity bounds, and set the validity if has not been set. // Checks the validity bounds, and set the validity if has not been set.
&sshLimitDuration{p.claimer, cert.Details.NotAfter}, &sshLimitDuration{p.claimer, crt.Details.NotAfter},
// Validate public key. // Validate public key.
&sshDefaultPublicKeyValidator{}, &sshDefaultPublicKeyValidator{},
// Validate the validity period. // Validate the validity period.
@ -291,7 +297,7 @@ func (p *Nebula) authorizeToken(token string, audiences []string) (*cert.NebulaC
if !ok { if !ok {
return nil, nil, errs.Unauthorized("failed to parse token: nbc header is not valid") return nil, nil, errs.Unauthorized("failed to parse token: nbc header is not valid")
} }
b, err := base64.RawURLEncoding.DecodeString(s) b, err := base64.StdEncoding.DecodeString(s)
if err != nil { if err != nil {
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nbc header is not valid")) return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nbc header is not valid"))
} }
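Review bot: The comment added in AuthorizeSign where `data.Set("Cert", cert)` used to be (and the identical block in the AuthorizeSSHSign hunk at @ -217) tells template authors the certificate is reachable as `.Crt`, yet the only line that would provide it, `data.SetCertificate(crt)`, is commented out, so after this commit templates get neither `.Cert` (removed) nor `.Crt` and a template such as `{{ .Crt.Details.Groups }}` would presumably render empty or error rather than expose the groups. Either uncomment the call, if `SetCertificate` exists on the template data type, or make the comment match the code, e.g. `// NOTE: the nebula certificate is not currently exposed to templates; the former .Cert variable was removed.`. In authorizeToken the switch from `base64.RawURLEncoding` to `base64.StdEncoding` is strict: padding and the `+`/`/` alphabet are now required, so any nbc header still produced with the previous unpadded URL-safe alphabet fails with the same generic "nbc header is not valid" message, which is worth confirming against how the client builds the header and recording on that line, e.g. `// nbc header is standard (padded) base64, not base64url`. AuthorizeSign, AuthorizeSSHSign and authorizeToken all start and end outside the shown hunks.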