forked from TrueCloudLab/certificates
Set audience using the sign url.
This commit is contained in:
Mariano Cano
parent
828798418c
commit
69da47a727
2 changed files with 22 additions and 5 deletions
|
|
@ -4,13 +4,18 @@ import (
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
realx509 "crypto/x509"
|
realx509 "crypto/x509"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
|
"fmt"
|
||||||
|
"net"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/pkg/errors"
|
||||||
"github.com/smallstep/cli/crypto/pemutil"
|
"github.com/smallstep/cli/crypto/pemutil"
|
||||||
"github.com/smallstep/cli/crypto/x509util"
|
"github.com/smallstep/cli/crypto/x509util"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const legacyAuthority = "step-certificate-authority"
|
||||||
|
|
||||||
// Authority implements the Certificate Authority internal interface.
|
// Authority implements the Certificate Authority internal interface.
|
||||||
type Authority struct {
|
type Authority struct {
|
||||||
config *Config
|
config *Config
|
||||||
|
|
@ -23,6 +28,7 @@ type Authority struct {
|
||||||
provisionerIDIndex *sync.Map
|
provisionerIDIndex *sync.Map
|
||||||
encryptedKeyIndex *sync.Map
|
encryptedKeyIndex *sync.Map
|
||||||
provisionerKeySetIndex *sync.Map
|
provisionerKeySetIndex *sync.Map
|
||||||
|
audiences []string
|
||||||
// Do not re-initialize
|
// Do not re-initialize
|
||||||
initOnce bool
|
initOnce bool
|
||||||
}
|
}
|
||||||
|
|
@ -64,6 +70,21 @@ func (a *Authority) init() error {
|
||||||
sum := sha256.Sum256(a.rootX509Crt.Raw)
|
sum := sha256.Sum256(a.rootX509Crt.Raw)
|
||||||
a.certificates.Store(hex.EncodeToString(sum[:]), a.rootX509Crt)
|
a.certificates.Store(hex.EncodeToString(sum[:]), a.rootX509Crt)
|
||||||
|
|
||||||
|
// Define audiences: legacy + possible urls
|
||||||
|
_, port, err := net.SplitHostPort(a.config.Address)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrapf(err, "error parsing %s", a.config.Address)
|
||||||
|
}
|
||||||
|
audiences := []string{legacyAuthority}
|
||||||
|
for _, name := range a.config.DNSNames {
|
||||||
|
if port == "443" {
|
||||||
|
audiences = append(audiences, fmt.Sprintf("https://%s/sign", name), fmt.Sprintf("https://%s/1.0/sign", name))
|
||||||
|
}
|
||||||
|
audiences = append(audiences, fmt.Sprintf("https://%s:%s/sign", name, port), fmt.Sprintf("https://%s:%s/1.0/sign", name, port))
|
||||||
|
|
||||||
|
}
|
||||||
|
a.audiences = audiences
|
||||||
|
|
||||||
// Decrypt and load intermediate public / private key pair.
|
// Decrypt and load intermediate public / private key pair.
|
||||||
if len(a.config.Password) > 0 {
|
if len(a.config.Password) > 0 {
|
||||||
a.intermediateIdentity, err = x509util.LoadIdentityFromDisk(
|
a.intermediateIdentity, err = x509util.LoadIdentityFromDisk(
|
||||||
|
|
|
||||||
|
|
@ -15,10 +15,6 @@ type idUsed struct {
|
||||||
Subject string `json:"sub,omitempty"`
|
Subject string `json:"sub,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
|
||||||
validTokenAudience = []string{"https://ca/sign", "step-certificate-authority"}
|
|
||||||
)
|
|
||||||
|
|
||||||
func containsAtLeastOneAudience(claim []string, expected []string) bool {
|
func containsAtLeastOneAudience(claim []string, expected []string) bool {
|
||||||
if len(expected) == 0 {
|
if len(expected) == 0 {
|
||||||
return true
|
return true
|
||||||
|
|
@ -83,7 +79,7 @@ func (a *Authority) Authorize(ott string) ([]api.Claim, error) {
|
||||||
http.StatusUnauthorized, errContext}
|
http.StatusUnauthorized, errContext}
|
||||||
}
|
}
|
||||||
|
|
||||||
if !containsAtLeastOneAudience(claims.Audience, validTokenAudience) {
|
if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
|
||||||
return nil, &apiError{errors.New("invalid audience"), http.StatusUnauthorized,
|
return nil, &apiError{errors.New("invalid audience"), http.StatusUnauthorized,
|
||||||
errContext}
|
errContext}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue