Make the X5C leaf certificate available to the templates.

X509 and SSH templates of the X5C provisioner will now have access
to the leaf certificate used to sign the token, through the template
variable .AuthorizationCrt

Fixes #433
Mariano Cano 2022-02-17 17:53:44 -08:00
parent 1d09d14b40
commit a0cf808393
2 changed files with 12 additions and 1 deletions


@ -140,7 +140,8 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
}
// The Nebula certificate will be available using the template variable Crt.
// For example {{ .Crt.Details.Groups }} can be used to get all the groups.
// For example {{ .AuthorizationCrt.Details.Groups }} can be used to get all
// the groups.
data.SetAuthorizationCertificate(crt)
templateOptions, err := TemplateOptions(p.Options, data)
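Review bot: The comment above `data.SetAuthorizationCertificate(crt)` still opens with "will be available using the template variable Crt", while the example directly below it now uses `.AuthorizationCrt`, so the two sentences name different variables. The same opening sentence appears in the comments added in both X5C hunks (`AuthorizeSign` and `AuthorizeSSHSign`). Template authors write issuance rules against these names, so a stale one is likely to produce templates that reference the wrong variable. I would reword all three, here as `// The Nebula certificate will be available using the template variable AuthorizationCrt.` and in the X5C hunks as `// The X509 leaf certificate will be available using the template variable AuthorizationCrt.` The body of `AuthorizeSign` starts and ends outside the hunk.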


@ -213,6 +213,11 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
data.SetToken(v)
}
// The X509 certificate will be available using the template variable Crt.
// For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
// domains.
data.SetAuthorizationCertificate(claims.chains[0][0])
templateOptions, err := TemplateOptions(p.Options, data)
if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
@ -287,6 +292,11 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
data.SetToken(v)
}
// The X509 certificate will be available using the template variable Crt.
// For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
// domains.
data.SetAuthorizationCertificate(claims.chains[0][0])
templateOptions, err := TemplateSSHOptions(p.Options, data)
if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSSHSign")
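Review bot: `claims.chains[0][0]` is indexed in both `AuthorizeSign` and `AuthorizeSSHSign` with no visible length check, so an empty `chains` (or an empty first chain) would panic in the request path instead of producing an authorization error. Presumably the token validation earlier in each function only succeeds after at least one chain has been built, but that code is outside these hunks. If the invariant holds, state it in the comment, for example `// claims.chains is non-empty here: the token was verified against the leaf above.`; otherwise return an error first when `len(claims.chains) == 0 || len(claims.chains[0]) == 0`. Separately, the context line in the X5C `AuthorizeSign` hunk wraps the template error as `"jwk.AuthorizeSign"`, whereas the SSH variant uses `"x5c.AuthorizeSSHSign"`; `"x5c.AuthorizeSign"` would keep provisioner errors attributable in logs.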