Add initial support for templates in the OIDC provisioner.

2020-07-08 19:01:59 -07:00 · 2020-07-08 19:01:59 -07:00 · 206bc6757a
commit 206bc6757a
parent 534a6b6c4c
1 changed files with 22 additions and 11 deletions
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@ -13,6 +13,7 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/x509util"
 	"github.com/smallstep/cli/jose"
 )

@ -52,17 +53,18 @@ type openIDPayload struct {
 // ClientSecret is mandatory, but it can be an empty string.
 type OIDC struct {
 	*base
-	Type                  string   `json:"type"`
-	Name                  string   `json:"name"`
-	ClientID              string   `json:"clientID"`
-	ClientSecret          string   `json:"clientSecret"`
-	ConfigurationEndpoint string   `json:"configurationEndpoint"`
-	TenantID              string   `json:"tenantID,omitempty"`
-	Admins                []string `json:"admins,omitempty"`
-	Domains               []string `json:"domains,omitempty"`
-	Groups                []string `json:"groups,omitempty"`
-	ListenAddress         string   `json:"listenAddress,omitempty"`
-	Claims                *Claims  `json:"claims,omitempty"`
+	Type                  string              `json:"type"`
+	Name                  string              `json:"name"`
+	ClientID              string              `json:"clientID"`
+	ClientSecret          string              `json:"clientSecret"`
+	ConfigurationEndpoint string              `json:"configurationEndpoint"`
+	TenantID              string              `json:"tenantID,omitempty"`
+	Admins                []string            `json:"admins,omitempty"`
+	Domains               []string            `json:"domains,omitempty"`
+	Groups                []string            `json:"groups,omitempty"`
+	ListenAddress         string              `json:"listenAddress,omitempty"`
+	Claims                *Claims             `json:"claims,omitempty"`
+	Options               *ProvisionerOptions `json:"options,omitempty"`
 	configuration         openIDConfiguration
 	keyStore              *keyStore
 	claimer               *Claimer
@ -301,7 +303,16 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSign")
 	}

+	data := x509util.CreateTemplateData(claims.Subject, []string{claims.Email})
+	data.SetToken(claims)
+
+	templateOptions, err := TemplateOptions(o.Options, data)
+	if err != nil {
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSign")
+	}
+
 	so := []SignOption{
+		templateOptions,
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID),
 		profileDefaultDuration(o.claimer.DefaultTLSCertDuration()),