From 69da47a7274e10a9332f9a4d32f811adce771945 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Fri, 19 Oct 2018 18:25:59 -0700 Subject: [PATCH] Set audience using the sign url. --- authority/authority.go | 21 +++++++++++++++++++++ authority/authorize.go | 6 +----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/authority/authority.go b/authority/authority.go index a4e107d8..f9ec6fbf 100644 --- a/authority/authority.go +++ b/authority/authority.go @@ -4,13 +4,18 @@ import ( "crypto/sha256" realx509 "crypto/x509" "encoding/hex" + "fmt" + "net" "sync" "time" + "github.com/pkg/errors" "github.com/smallstep/cli/crypto/pemutil" "github.com/smallstep/cli/crypto/x509util" ) +const legacyAuthority = "step-certificate-authority" + // Authority implements the Certificate Authority internal interface. type Authority struct { config *Config @@ -23,6 +28,7 @@ type Authority struct { provisionerIDIndex *sync.Map encryptedKeyIndex *sync.Map provisionerKeySetIndex *sync.Map + audiences []string // Do not re-initialize initOnce bool } @@ -64,6 +70,21 @@ func (a *Authority) init() error { sum := sha256.Sum256(a.rootX509Crt.Raw) a.certificates.Store(hex.EncodeToString(sum[:]), a.rootX509Crt) + // Define audiences: legacy + possible urls + _, port, err := net.SplitHostPort(a.config.Address) + if err != nil { + return errors.Wrapf(err, "error parsing %s", a.config.Address) + } + audiences := []string{legacyAuthority} + for _, name := range a.config.DNSNames { + if port == "443" { + audiences = append(audiences, fmt.Sprintf("https://%s/sign", name), fmt.Sprintf("https://%s/1.0/sign", name)) + } + audiences = append(audiences, fmt.Sprintf("https://%s:%s/sign", name, port), fmt.Sprintf("https://%s:%s/1.0/sign", name, port)) + + } + a.audiences = audiences + // Decrypt and load intermediate public / private key pair. if len(a.config.Password) > 0 { a.intermediateIdentity, err = x509util.LoadIdentityFromDisk( diff --git a/authority/authorize.go b/authority/authorize.go index ba98e2cb..918a3b9e 100644 --- a/authority/authorize.go +++ b/authority/authorize.go @@ -15,10 +15,6 @@ type idUsed struct { Subject string `json:"sub,omitempty"` } -var ( - validTokenAudience = []string{"https://ca/sign", "step-certificate-authority"} -) - func containsAtLeastOneAudience(claim []string, expected []string) bool { if len(expected) == 0 { return true @@ -83,7 +79,7 @@ func (a *Authority) Authorize(ott string) ([]api.Claim, error) { http.StatusUnauthorized, errContext} } - if !containsAtLeastOneAudience(claims.Audience, validTokenAudience) { + if !containsAtLeastOneAudience(claims.Audience, a.audiences) { return nil, &apiError{errors.New("invalid audience"), http.StatusUnauthorized, errContext} }