Use default SANs when the token carries no SANs.
Fix step claim condition in SSH
This commit is contained in:
parent
9ec0276887
commit
76794ce613
1 changed files with 12 additions and 3 deletions
|
@ -114,7 +114,16 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
|
sans := claims.SANs
|
||||||
|
if len(sans) == 0 {
|
||||||
|
sans = make([]string, len(crt.Details.Ips)+1)
|
||||||
|
sans[0] = crt.Details.Name
|
||||||
|
for i, ipnet := range crt.Details.Ips {
|
||||||
|
sans[i+1] = ipnet.IP.String()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
data := x509util.CreateTemplateData(claims.Subject, sans)
|
||||||
if v, err := unsafeParseSigned(token); err == nil {
|
if v, err := unsafeParseSigned(token); err == nil {
|
||||||
data.SetToken(v)
|
data.SetToken(v)
|
||||||
}
|
}
|
||||||
|
@ -171,7 +180,7 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
|
||||||
var signOptions []SignOption
|
var signOptions []SignOption
|
||||||
// If step ssh options are given, validate them and set key id, principals
|
// If step ssh options are given, validate them and set key id, principals
|
||||||
// and validity.
|
// and validity.
|
||||||
if claims.Step != nil || claims.Step.SSH != nil {
|
if claims.Step != nil && claims.Step.SSH != nil {
|
||||||
opts := claims.Step.SSH
|
opts := claims.Step.SSH
|
||||||
|
|
||||||
// Check that the token only contains valid principals.
|
// Check that the token only contains valid principals.
|
||||||
|
@ -261,7 +270,7 @@ func (p *Nebula) AuthorizeSSHRevoke(ctx context.Context, token string) error {
|
||||||
if !p.claimer.IsSSHCAEnabled() {
|
if !p.claimer.IsSSHCAEnabled() {
|
||||||
return errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
|
return errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
|
||||||
}
|
}
|
||||||
if _, _, err := p.authorizeToken(token, p.audiences.Revoke); err != nil {
|
if _, _, err := p.authorizeToken(token, p.audiences.SSHRevoke); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
|
|
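Review bot: In the first hunk, `sans[0] = crt.Details.Name` places an empty string into the SAN list when the Nebula certificate carries no name, and `ipnet.IP.String()` yields `"<nil>"` for a zero-length IP (a nil entry in `Ips` would panic on `.IP`); unless Nebula guarantees those fields (not visible here), guarding with `if crt.Details.Name != ""` and building the list with `append` would be safer than the pre-sized slice. The defaulting branch also deserves a why-comment, since it changes what identities a token without SANs can obtain, e.g. `// No SANs in the token: fall back to the name and IPs attested by the Nebula certificate.` AuthorizeSign starts and ends outside the hunk.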