forked from TrueCloudLab/certificates
commit
bcc6ed9a8c
2 changed files with 17 additions and 3 deletions
|
@ -11,6 +11,7 @@ import (
|
|||
"net"
|
||||
"reflect"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/assert"
|
||||
|
@ -82,6 +83,10 @@ func testAuthority(t *testing.T, opts ...Option) *Authority {
|
|||
}
|
||||
a, err := New(c, opts...)
|
||||
assert.FatalError(t, err)
|
||||
// Avoid errors when test tokens are created before the test authority. This
|
||||
// happens in some tests where we re-create the same authority to test
|
||||
// special cases without re-creating the token.
|
||||
a.startTime = a.startTime.Add(-1 * time.Minute)
|
||||
return a
|
||||
}
|
||||
|
||||
|
|
|
@ -37,8 +37,9 @@ func (p provisionerSlice) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
|
|||
// provisioner.
|
||||
type loadByTokenPayload struct {
|
||||
jose.Claims
|
||||
AuthorizedParty string `json:"azp"` // OIDC client id
|
||||
TenantID string `json:"tid"` // Microsoft Azure tenant id
|
||||
Email string `json:"email"` // OIDC email
|
||||
AuthorizedParty string `json:"azp"` // OIDC client id
|
||||
TenantID string `json:"tid"` // Microsoft Azure tenant id
|
||||
}
|
||||
|
||||
// Collection is a memory map of provisioners.
|
||||
|
@ -129,12 +130,20 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
|
|||
return p, ok
|
||||
}
|
||||
}
|
||||
// Try with tid (Azure)
|
||||
// Try with tid (Azure, Azure OIDC)
|
||||
if payload.TenantID != "" {
|
||||
// Try to load an OIDC provisioner first.
|
||||
if payload.Email != "" {
|
||||
if p, ok := c.LoadByTokenID(payload.Audience[0]); ok {
|
||||
return p, ok
|
||||
}
|
||||
}
|
||||
// Try to load an Azure provisioner.
|
||||
if p, ok := c.LoadByTokenID(payload.TenantID); ok {
|
||||
return p, ok
|
||||
}
|
||||
}
|
||||
|
||||
// Fallback to aud
|
||||
return c.LoadByTokenID(payload.Audience[0])
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue