forked from TrueCloudLab/certificates
Set full token payload instead of only the known properties.
This commit is contained in:
parent
0c8376a7f6
commit
02c4f9817d
10 changed files with 50 additions and 11 deletions
|
@ -281,8 +281,10 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
|||
|
||||
// Template options
|
||||
data := x509util.NewTemplateData()
|
||||
data.SetToken(payload)
|
||||
data.SetCommonName(payload.Claims.Subject)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
// Enforce known CN and default DNS and IP if configured.
|
||||
// By default we'll accept the CN and SANs in the CSR.
|
||||
|
|
|
@ -259,7 +259,7 @@ func (p *Azure) authorizeToken(token string) (*azurePayload, string, string, err
|
|||
// AuthorizeSign validates the given token and returns the sign options that
|
||||
// will be used on certificate creation.
|
||||
func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
||||
payload, name, group, err := p.authorizeToken(token)
|
||||
_, name, group, err := p.authorizeToken(token)
|
||||
if err != nil {
|
||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSign")
|
||||
}
|
||||
|
@ -280,8 +280,10 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
|||
|
||||
// Template options
|
||||
data := x509util.NewTemplateData()
|
||||
data.SetToken(payload)
|
||||
data.SetCommonName(name)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
// Enforce known common name and default DNS if configured.
|
||||
// By default we'll accept the CN and SANs in the CSR.
|
||||
|
|
|
@ -220,8 +220,10 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
|||
|
||||
// Template options
|
||||
data := x509util.NewTemplateData()
|
||||
data.SetToken(claims)
|
||||
data.SetCommonName(ce.InstanceName)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
// Enforce known common name and default DNS if configured.
|
||||
// By default we we'll accept the CN and SANs in the CSR.
|
||||
|
|
|
@ -155,7 +155,9 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
|||
|
||||
// Certificate templates
|
||||
data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
|
||||
data.SetToken(claims)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
templateOptions, err := TemplateOptions(p.Options, data)
|
||||
if err != nil {
|
||||
|
|
|
@ -213,8 +213,10 @@ func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
|||
|
||||
// Add some values to use in custom templates.
|
||||
data := x509util.NewTemplateData()
|
||||
data.SetToken(claims)
|
||||
data.SetCommonName(claims.ServiceAccountName)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
// Certificate templates: on K8sSA the default template is the certificate
|
||||
// request.
|
||||
|
|
|
@ -318,7 +318,9 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
|
|||
}
|
||||
|
||||
data := x509util.CreateTemplateData(claims.Subject, sans)
|
||||
data.SetToken(claims)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
// Use the default template unless no-templates are configured and email is
|
||||
// an admin, in that case we will use the CR template.
|
||||
|
|
|
@ -6,6 +6,7 @@ import (
|
|||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/certificates/x509util"
|
||||
"github.com/smallstep/cli/jose"
|
||||
)
|
||||
|
||||
// CertificateOptions is an interface that returns a list of options passed when
|
||||
|
@ -106,3 +107,17 @@ func CustomTemplateOptions(o *ProvisionerOptions, data x509util.TemplateData, de
|
|||
}
|
||||
}), nil
|
||||
}
|
||||
|
||||
// unsafeParseSigned parses the given token and returns all the claims without
|
||||
// verifying the signature of the token.
|
||||
func unsafeParseSigned(s string) (map[string]interface{}, error) {
|
||||
token, err := jose.ParseSigned(s)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
claims := make(map[string]interface{})
|
||||
if err = token.UnsafeClaimsWithoutVerification(&claims); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return claims, nil
|
||||
}
|
||||
|
|
|
@ -197,7 +197,9 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
|||
|
||||
// Certificate templates
|
||||
data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
|
||||
data.SetToken(claims)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
templateOptions, err := TemplateOptions(p.Options, data)
|
||||
if err != nil {
|
||||
|
|
|
@ -147,9 +147,9 @@ func TestNewCertificate(t *testing.T) {
|
|||
SANsKey: []SubjectAlternativeName{
|
||||
{Type: "dns", Value: "foo.com"},
|
||||
},
|
||||
TokenKey: map[string]string{
|
||||
"Issuer": "https://iss",
|
||||
"Subject": "sub",
|
||||
TokenKey: map[string]interface{}{
|
||||
"iss": "https://iss",
|
||||
"sub": "sub",
|
||||
},
|
||||
})}}, &Certificate{
|
||||
Subject: Subject{CommonName: "commonName"},
|
||||
|
|
|
@ -44,10 +44,12 @@ func CreateTemplateData(commonName string, sans []string) TemplateData {
|
|||
}
|
||||
}
|
||||
|
||||
// Set sets a key-value pair in the template data.
|
||||
func (t TemplateData) Set(key string, v interface{}) {
|
||||
t[key] = v
|
||||
}
|
||||
|
||||
// SetInsecure sets a key-value pair in the insecure template data.
|
||||
func (t TemplateData) SetInsecure(key string, v interface{}) {
|
||||
if m, ok := t[InsecureKey].(TemplateData); ok {
|
||||
m[key] = v
|
||||
|
@ -56,28 +58,36 @@ func (t TemplateData) SetInsecure(key string, v interface{}) {
|
|||
}
|
||||
}
|
||||
|
||||
// SetSubject sets the given subject in the template data.
|
||||
func (t TemplateData) SetSubject(v Subject) {
|
||||
t.Set(SubjectKey, v)
|
||||
}
|
||||
|
||||
// SetCommonName sets the given common name in the subject in the template data.
|
||||
func (t TemplateData) SetCommonName(cn string) {
|
||||
s, _ := t[SubjectKey].(Subject)
|
||||
s.CommonName = cn
|
||||
t[SubjectKey] = s
|
||||
}
|
||||
|
||||
// SetSANs sets the given SANs in the template data.
|
||||
func (t TemplateData) SetSANs(sans []string) {
|
||||
t.Set(SANsKey, CreateSANs(sans))
|
||||
}
|
||||
|
||||
// SetToken sets the given token in the template data.
|
||||
func (t TemplateData) SetToken(v interface{}) {
|
||||
t.Set(TokenKey, v)
|
||||
}
|
||||
|
||||
// SetUserData sets the given user provided object in the insecure template
|
||||
// data.
|
||||
func (t TemplateData) SetUserData(v interface{}) {
|
||||
t.SetInsecure(UserKey, v)
|
||||
}
|
||||
|
||||
// SetCertificateRequest sets the given certificate request in the insecure
|
||||
// template data.
|
||||
func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest) {
|
||||
t.SetInsecure(CertificateRequestKey, newCertificateRequest(cr))
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue