From a0cf8083938cd054e3d6fbaff6d0c44059e1dcad Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 17 Feb 2022 17:53:44 -0800
Subject: [PATCH 1/2] Make the X5C leaf certificate available to the templates.
X509 and SSH templates of the X5C provisioner will have now access to the leaf certificate used to sign the token using the template variable .AuthorizationCrt
Fixes #433
---
 authority/provisioner/nebula.go | 3 ++-
 authority/provisioner/x5c.go | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index a77f4281..71c57590 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -140,7 +140,8 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 }
 // The Nebula certificate will be available using the template variable Crt.
- // For example {{ .Crt.Details.Groups }} can be used to get all the groups.
+ // For example {{ .AuthorizationCrt.Details.Groups }} can be used to get all
+ // the groups.
 data.SetAuthorizationCertificate(crt)
 templateOptions, err := TemplateOptions(p.Options, data)
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 8710acb5..342ccd73 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -213,6 +213,11 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 data.SetToken(v)
 }
+ // The X509 certificate will be available using the template variable Crt.
+ // For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
+ // domains.
+ data.SetAuthorizationCertificate(claims.chains[0][0])
+
 templateOptions, err := TemplateOptions(p.Options, data)
 if err != nil {
 return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
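Review bot: `data.SetAuthorizationCertificate(claims.chains[0][0])` indexes the verified chains without a guard, so the new line relies on `claims.chains` holding at least one non-empty chain by the time AuthorizeSign reaches it; that invariant is established outside this hunk (presumably by the token-verification step that fills `claims.chains`), and the added comment does not record it. Since the leaf is now exposed to the X509 and SSH templates, the comment should say what the value is, e.g. `// claims.chains[0][0] is the leaf of the first chain verified against the provisioner roots, i.e. the certificate whose key signed the token.`, and if the verification step does not already guarantee a chain, a fail-closed guard `if len(claims.chains) == 0 || len(claims.chains[0]) == 0 { return nil, errs.Unauthorized("x5c.AuthorizeSign; no verified certificate chain") }` keeps a malformed token from panicking inside the handler. The same applies to the AuthorizeSSHSign hunk that follows, which adds the identical line. The enclosing AuthorizeSign body begins and ends outside the hunk; the context line wrapping the TemplateOptions error with the label `"jwk.AuthorizeSign"` is a pre-existing copy-paste label in the X5C provisioner that this commit leaves alone.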
@@ -287,6 +292,11 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 data.SetToken(v)
 }
+ // The X509 certificate will be available using the template variable Crt.
+ // For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
+ // domains.
+ data.SetAuthorizationCertificate(claims.chains[0][0])
+
 templateOptions, err := TemplateSSHOptions(p.Options, data)
 if err != nil {
 return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSSHSign")
From abe951d4169eee44eb80536535caf4c270010dcf Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 17 Feb 2022 17:59:17 -0800
Subject: [PATCH 2/2] Fix name of the variable in comment.
---
 authority/provisioner/nebula.go | 6 +++---
 authority/provisioner/x5c.go | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index 71c57590..72a275ff 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -139,9 +139,9 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 data.SetToken(v)
 }
- // The Nebula certificate will be available using the template variable Crt.
- // For example {{ .AuthorizationCrt.Details.Groups }} can be used to get all
- // the groups.
+ // The Nebula certificate will be available using the template variable
+ // AuthorizationCrt. For example {{ .AuthorizationCrt.Details.Groups }} can
+ // be used to get all the groups.
 data.SetAuthorizationCertificate(crt)
 templateOptions, err := TemplateOptions(p.Options, data)
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 342ccd73..aa44245d 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -213,9 +213,9 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 data.SetToken(v)
 }
- // The X509 certificate will be available using the template variable Crt.
- // For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
- // domains.
+ // The X509 certificate will be available using the template variable
+ // AuthorizationCrt. For example {{ .AuthorizationCrt.DNSNames }} can be
+ // used to get all the domains.
 data.SetAuthorizationCertificate(claims.chains[0][0])
 templateOptions, err := TemplateOptions(p.Options, data)
@@ -292,9 +292,9 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 data.SetToken(v)
 }
- // The X509 certificate will be available using the template variable Crt.
- // For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
- // domains.
+ // The X509 certificate will be available using the template variable
+ // AuthorizationCrt. For example {{ .AuthorizationCrt.DNSNames }} can be
+ // used to get all the domains.
 data.SetAuthorizationCertificate(claims.chains[0][0])
 templateOptions, err := TemplateSSHOptions(p.Options, data)