Allow mTLS renewals if the provisioner extension does not exists.

This fixes a backward compatibility issue with with the new
LoadProvisionerByCertificate.
This commit is contained in:
Mariano Cano 2022-04-11 12:19:42 -07:00
parent 2fbff47acf
commit c8c59d68f5

View file

@ -284,8 +284,14 @@ func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
} }
p, err := a.LoadProvisionerByCertificate(cert) p, err := a.LoadProvisionerByCertificate(cert)
if err != nil { if err != nil {
var ok bool
// For backward compatibility this method will also succeed if the
// provisioner does not have an extension. LoadByCertificate returns the
// noop provisioner if this happens, and it allow certificate renewals.
if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...) return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
} }
}
if err := p.AuthorizeRenew(context.Background(), cert); err != nil { if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...) return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
} }