Add disableIssuedAt check functionality

Fixes #86

authority/authorize.go

@@ -79,6 +79,15 @@ func (a *Authority) Authorize(ott string) ([]api.Claim, error) {
 			http.StatusUnauthorized, errContext}
 	}
 
+	// Do not accept tokens issued before the start of the ca.
+	// This check is meant as a stopgap solution to the current lack of a persistence layer.
+	if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
+		if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
+			return nil, &apiError{errors.New("token issued before the bootstrap of certificate authority"),
+				http.StatusUnauthorized, errContext}
+		}
+	}
+
 	if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
 		return nil, &apiError{errors.New("invalid audience"), http.StatusUnauthorized,
 			errContext}

authority/config.go

@@ -67,10 +67,11 @@ type Config struct {
 
 // AuthConfig represents the configuration options for the authority.
 type AuthConfig struct {
-	Provisioners    []*provisioner.Provisioner `json:"provisioners,omitempty"`
-	Template        *x509util.ASN1DN           `json:"template,omitempty"`
-	MinCertDuration *duration                  `json:"minCertDuration,omitempty"`
-	MaxCertDuration *duration                  `json:"maxCertDuration,omitempty"`
+	Provisioners         []*provisioner.Provisioner `json:"provisioners,omitempty"`
+	Template             *x509util.ASN1DN           `json:"template,omitempty"`
+	MinCertDuration      *duration                  `json:"minCertDuration,omitempty"`
+	MaxCertDuration      *duration                  `json:"maxCertDuration,omitempty"`
+	DisableIssuedAtCheck bool                       `json:"disableIssuedAtCheck,omitempty"`
 }
 
 // Validate validates the authority configuration.