Use default SANs without sans in the token.

Fix step claim condition in SSH
Mariano Cano 2022-01-04 12:05:58 -08:00
parent 9ec0276887
commit 76794ce613


@ -114,7 +114,16 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
return nil, err
}
data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
sans := claims.SANs
if len(sans) == 0 {
sans = make([]string, len(crt.Details.Ips)+1)
sans[0] = crt.Details.Name
for i, ipnet := range crt.Details.Ips {
sans[i+1] = ipnet.IP.String()
}
}
data := x509util.CreateTemplateData(claims.Subject, sans)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
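Review bot: The default SAN list built under `if len(sans) == 0` is derived only from the Nebula certificate (`crt.Details.Name` and each entry of `crt.Details.Ips`), i.e. from the identity the provisioner already authenticated rather than from token content, and that is the right source — but the block carries no comment saying so; I would add `// No SANs requested in the token: fall back to the identity the Nebula cert already attests (its name and IPs).` above the `if`. The loop calls `ipnet.IP.String()` on every element without a nil check; if `crt.Details.Ips` can contain nil entries (not visible here) this panics instead of rejecting the request, so confirm the cert parser guarantees non-nil entries. An `append`-based build, `sans = append([]string{crt.Details.Name}, ...)` with one `append` per IP, would read more naturally than the pre-sized slice with index writes. AuthorizeSign begins before and continues after this hunk, so the handling of a token that does carry SANs is not visible here.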
@ -171,7 +180,7 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
var signOptions []SignOption
// If step ssh options are given, validate them and set key id, principals
// and validity.
if claims.Step != nil || claims.Step.SSH != nil {
if claims.Step != nil && claims.Step.SSH != nil {
opts := claims.Step.SSH
// Check that the token only contains valid principals.
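Review bot: The corrected condition `claims.Step != nil && claims.Step.SSH != nil` is the right fix, but nothing in the commit adds a regression test for the case that exposed it; a token with no `step` claim, and one with `step` but no `step.ssh`, should both be covered so the nil dereference cannot come back. What the function does when the options are absent is outside this hunk, so confirm that the fallback still derives key ID and principals from the Nebula certificate rather than leaving them empty or unbounded. AuthorizeSSHSign continues past the end of this hunk.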
@ -261,7 +270,7 @@ func (p *Nebula) AuthorizeSSHRevoke(ctx context.Context, token string) error {
if !p.claimer.IsSSHCAEnabled() {
return errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
}
if _, _, err := p.authorizeToken(token, p.audiences.Revoke); err != nil {
if _, _, err := p.authorizeToken(token, p.audiences.SSHRevoke); err != nil {
return err
}
return nil
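Review bot: Switching to `p.audiences.SSHRevoke` closes an audience-confusion gap (an X.509 revoke token was previously accepted for SSH revocation), and that deserves a test asserting that a token minted with the X.509 revoke audience is now rejected by AuthorizeSSHRevoke. Both values returned by `authorizeToken` are discarded, so this function authorizes purely on token validity and audience; whether the caller ties the certificate being revoked to the token's identity is not visible here and should be confirmed. A one-line comment such as `// SSH revocation uses its own audience so X.509 revoke tokens cannot be replayed here.` would record the intent for the next reader.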