forked from TrueCloudLab/certificates
parent
f938ab113b
commit
1c1ac1b3fb
2 changed files with 14 additions and 4 deletions
|
@ -79,6 +79,15 @@ func (a *Authority) Authorize(ott string) ([]api.Claim, error) {
|
|||
http.StatusUnauthorized, errContext}
|
||||
}
|
||||
|
||||
// Do not accept tokens issued before the start of the ca.
|
||||
// This check is meant as a stopgap solution to the current lack of a persistence layer.
|
||||
if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
|
||||
if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
|
||||
return nil, &apiError{errors.New("token issued before the bootstrap of certificate authority"),
|
||||
http.StatusUnauthorized, errContext}
|
||||
}
|
||||
}
|
||||
|
||||
if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
|
||||
return nil, &apiError{errors.New("invalid audience"), http.StatusUnauthorized,
|
||||
errContext}
|
||||
|
|
|
@ -67,10 +67,11 @@ type Config struct {
|
|||
|
||||
// AuthConfig represents the configuration options for the authority.
|
||||
type AuthConfig struct {
|
||||
Provisioners []*provisioner.Provisioner `json:"provisioners,omitempty"`
|
||||
Template *x509util.ASN1DN `json:"template,omitempty"`
|
||||
MinCertDuration *duration `json:"minCertDuration,omitempty"`
|
||||
MaxCertDuration *duration `json:"maxCertDuration,omitempty"`
|
||||
Provisioners []*provisioner.Provisioner `json:"provisioners,omitempty"`
|
||||
Template *x509util.ASN1DN `json:"template,omitempty"`
|
||||
MinCertDuration *duration `json:"minCertDuration,omitempty"`
|
||||
MaxCertDuration *duration `json:"maxCertDuration,omitempty"`
|
||||
DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
|
||||
}
|
||||
|
||||
// Validate validates the authority configuration.
|
||||
|
|
Loading…
Reference in a new issue