Add nebula header and use der version of certificate.
parent
f49a4b326f
commit
b424aa3dc1
2 changed files with 12 additions and 12 deletions
@ -20,7 +20,7 @@ import (
const (
|
const (
|
||||||
// NebulaCertHeader is the token header that contains a nebula certificate.
|
// NebulaCertHeader is the token header that contains a nebula certificate.
|
||||||
NebulaCertHeader jose.HeaderKey = "nbc"
|
NebulaCertHeader jose.HeaderKey = "nebula"
|
||||||
)
|
)
|
||||||
// Nebula is a provisioner that verifies tokens signed using nebula private
|
// Nebula is a provisioner that verifies tokens signed using nebula private
|
||||||
@ -308,21 +308,21 @@ func (p *Nebula) authorizeToken(token string, audiences []string) (*cert.NebulaC
}
|
}
|
||||||
// Extract nebula certificate
|
// Extract nebula certificate
|
||||||
nbc, ok := jwt.Headers[0].ExtraHeaders[NebulaCertHeader]
|
h, ok := jwt.Headers[0].ExtraHeaders[NebulaCertHeader]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, nil, errs.Unauthorized("failed to parse token: nbc header is missing")
|
return nil, nil, errs.Unauthorized("failed to parse token: nebula header is missing")
|
||||||
}
|
}
|
||||||
s, ok := nbc.(string)
|
s, ok := h.(string)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, nil, errs.Unauthorized("failed to parse token: nbc header is not valid")
|
return nil, nil, errs.Unauthorized("failed to parse token: nebula header is not valid")
|
||||||
}
|
}
|
||||||
b, err := base64.StdEncoding.DecodeString(s)
|
b, err := base64.StdEncoding.DecodeString(s)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nbc header is not valid"))
|
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nebula header is not valid"))
|
||||||
}
|
}
|
||||||
c, _, err := cert.UnmarshalNebulaCertificateFromPEM(b)
|
c, err := cert.UnmarshalNebulaCertificate(b)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula certificate: nbc header is not valid"))
|
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula certificate: nebula header is not valid"))
|
||||||
}
|
}
|
||||||
// Validate nebula certificate against CA
|
// Validate nebula certificate against CA
|
||||||
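Review bot: The `NebulaCertHeader` doc comment in the first hunk still says only that the header "contains a nebula certificate", while authorizeToken now expects a specific encoding: a JSON string holding the standard base64 of the certificate's marshaled binary form, which is decoded with `base64.StdEncoding.DecodeString` and parsed with `cert.UnmarshalNebulaCertificate` rather than the PEM path. Suggest `// NebulaCertHeader is the token header that contains a nebula certificate, encoded as the standard base64 of its marshaled (non-PEM) form.` so issuers know what to put in the header. Renaming the key from "nbc" to "nebula" also means any token carrying the old key now fails with "nebula header is missing"; that is fine if no such tokens were ever issued, which cannot be confirmed from here. authorizeToken starts and ends outside the hunk, and the parsed certificate is still unverified at the end of it, so it must not be treated as trusted until the CA check that follows.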
@ -131,14 +131,14 @@ func mustNebulaProvisioner(t *testing.T) (*Nebula, *cert.NebulaCertificate, ed25
func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []string, nc *cert.NebulaCertificate, key crypto.Signer) string {
|
func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []string, nc *cert.NebulaCertificate, key crypto.Signer) string {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
ncPEM, err := nc.MarshalToPEM()
|
ncDer, err := nc.Marshal()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
so := new(jose.SignerOptions)
|
so := new(jose.SignerOptions)
|
||||||
so.WithType("JWT")
|
so.WithType("JWT")
|
||||||
so.WithHeader(NebulaCertHeader, ncPEM)
|
so.WithHeader(NebulaCertHeader, ncDer)
|
||||||
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -174,14 +174,14 @@ func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []s
func mustNebulaSSHToken(t *testing.T, sub, iss, aud string, iat time.Time, opts *SignSSHOptions, nc *cert.NebulaCertificate, key crypto.Signer) string {
|
func mustNebulaSSHToken(t *testing.T, sub, iss, aud string, iat time.Time, opts *SignSSHOptions, nc *cert.NebulaCertificate, key crypto.Signer) string {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
ncPEM, err := nc.MarshalToPEM()
|
ncDer, err := nc.Marshal()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
so := new(jose.SignerOptions)
|
so := new(jose.SignerOptions)
|
||||||
so.WithType("JWT")
|
so.WithType("JWT")
|
||||||
so.WithHeader(NebulaCertHeader, ncPEM)
|
so.WithHeader(NebulaCertHeader, ncDer)
|
||||||
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
|
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
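Review bot: The new local `ncDer` in mustNebulaToken (and the same line in mustNebulaSSHToken in the next hunk) mixes cases in an initialism; Go convention keeps initialisms uniform, so `ncDER, err := nc.Marshal()` and `so.WithHeader(NebulaCertHeader, ncDER)` would match names like `rawURL` elsewhere in the ecosystem. Both helpers now marshal the certificate and build the signer options with identical lines; since the two functions differ only in their options parameter, the marshal-plus-header setup could be a shared helper, though that is pre-existing duplication rather than something this commit introduces. Both mustNebulaToken and mustNebulaSSHToken continue past the end of their hunks.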