Add disableIssuedAt check functionality

Fixes #86
This commit is contained in:
Mariano Cano 2018-10-24 18:59:48 -07:00
parent f938ab113b
commit 1c1ac1b3fb
2 changed files with 14 additions and 4 deletions

View file

@ -79,6 +79,15 @@ func (a *Authority) Authorize(ott string) ([]api.Claim, error) {
http.StatusUnauthorized, errContext}
}
// Do not accept tokens issued before the start of the ca.
// This check is meant as a stopgap solution to the current lack of a persistence layer.
if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
return nil, &apiError{errors.New("token issued before the bootstrap of certificate authority"),
http.StatusUnauthorized, errContext}
}
}
if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
return nil, &apiError{errors.New("invalid audience"), http.StatusUnauthorized,
errContext}

View file

@ -67,10 +67,11 @@ type Config struct {
// AuthConfig represents the configuration options for the authority.
type AuthConfig struct {
Provisioners []*provisioner.Provisioner `json:"provisioners,omitempty"`
Template *x509util.ASN1DN `json:"template,omitempty"`
MinCertDuration *duration `json:"minCertDuration,omitempty"`
MaxCertDuration *duration `json:"maxCertDuration,omitempty"`
Provisioners []*provisioner.Provisioner `json:"provisioners,omitempty"`
Template *x509util.ASN1DN `json:"template,omitempty"`
MinCertDuration *duration `json:"minCertDuration,omitempty"`
MaxCertDuration *duration `json:"maxCertDuration,omitempty"`
DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
}
// Validate validates the authority configuration.