From c8c59d68f5988d3fefe4616c45f8f924165f4627 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 11 Apr 2022 12:19:42 -0700
Subject: [PATCH] Allow mTLS renewals if the provisioner extension does not exists.

This fixes a backward compatibility issue with with the new LoadProvisionerByCertificate.
---
 authority/authorize.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/authority/authorize.go b/authority/authorize.go
index 95698b49..6162fc0e 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -284,7 +284,13 @@ func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
 	}
 	p, err := a.LoadProvisionerByCertificate(cert)
 	if err != nil {
-		return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+		var ok bool
+		// For backward compatibility this method will also succeed if the
+		// provisioner does not have an extension. LoadByCertificate returns the
+		// noop provisioner if this happens, and it allow certificate renewals.
+		if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
+			return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+		}
 	}
 	if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
 		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
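Review bot: The fallback at `if p, ok = a.provisioners.LoadByCertificate(cert); !ok` discards the `err` from LoadProvisionerByCertificate, so every failure of that call, not only the missing-extension case the comment describes, falls through to the collection lookup and, per the comment, to the noop provisioner that permits renewal. If LoadProvisionerByCertificate can fail for other reasons (its body is not visible here), this widens the set of certificates that renew without a provisioner-specific check; narrowing the fallback to the no-extension condition would keep the compatibility fix without that side effect. At minimum keep the original error visible to operators, e.g. `return errs.Wrap(http.StatusUnauthorized, err, "authority.authorizeRenew: provisioner not found", opts...)`, so a certificate whose provisioner was removed from the configuration and a legacy certificate with no extension are distinguishable in logs. The new comment also has a grammar slip; it should read `// noop provisioner if this happens, and it allows certificate renewals.`. authorizeRenew starts and ends outside the hunk.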