From 1c1ac1b3fb98be3ba4f1518aa55f8bd4954d7bb9 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 24 Oct 2018 18:59:48 -0700
Subject: [PATCH] Add disableIssuedAt check functionality

Fixes #86
---
 authority/authorize.go | 9 +++++++++
 authority/config.go | 9 +++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/authority/authorize.go b/authority/authorize.go
index 918a3b9e..545590a3 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -79,6 +79,15 @@ func (a *Authority) Authorize(ott string) ([]api.Claim, error) {
 http.StatusUnauthorized, errContext}
 }
 
+ // Do not accept tokens issued before the start of the ca.
+ // This check is meant as a stopgap solution to the current lack of a persistence layer.
+ if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
+ if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
+ return nil, &apiError{errors.New("token issued before the bootstrap of certificate authority"),
+ http.StatusUnauthorized, errContext}
+ }
+ }
+
 if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
 return nil, &apiError{errors.New("invalid audience"),
 http.StatusUnauthorized, errContext}
diff --git a/authority/config.go b/authority/config.go
index 37e9f478..11f6c21e 100644
--- a/authority/config.go
+++ b/authority/config.go
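Review bot: A token that carries no `iat` claim bypasses the new check entirely, because the inner condition is gated on `claims.IssuedAt > 0`, so the stopgap against replaying pre-bootstrap tokens only protects tokens whose issuer chose to set `iat`. If every provisioner-issued OTT is expected to carry `iat`, treat its absence as a failure while the check is enabled, e.g. `if claims.IssuedAt == 0 || claims.IssuedAt.Time().Before(a.startTime) {` with an error message that also covers the missing claim; otherwise the comment should state explicitly that tokens without `iat` are deliberately let through. It is also worth recording next to the comment that `a.startTime` is presumably captured when the CA process starts, so a restart invalidates every previously issued token and a provisioner whose clock runs behind the CA's will see rejections right after boot, which looks like the motivation for the disable switch. Authorize's body begins and continues outside the hunk.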
@@ -67,10 +67,11 @@ type Config struct {
 
 // AuthConfig represents the configuration options for the authority.
 type AuthConfig struct {
- Provisioners []*provisioner.Provisioner `json:"provisioners,omitempty"`
- Template *x509util.ASN1DN `json:"template,omitempty"`
- MinCertDuration *duration `json:"minCertDuration,omitempty"`
- MaxCertDuration *duration `json:"maxCertDuration,omitempty"`
+ Provisioners []*provisioner.Provisioner `json:"provisioners,omitempty"`
+ Template *x509util.ASN1DN `json:"template,omitempty"`
+ MinCertDuration *duration `json:"minCertDuration,omitempty"`
+ MaxCertDuration *duration `json:"maxCertDuration,omitempty"`
+ DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
 }
 
 // Validate validates the authority configuration.
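Review bot: The new `DisableIssuedAtCheck` field carries no comment explaining what is being disabled, and neither the Go name nor the JSON key conveys that setting it to true removes the only guard the CA currently has against replaying tokens issued before it started. Add a doc comment above the field, e.g. `// DisableIssuedAtCheck, when true, makes Authorize accept tokens whose iat predates the CA's start time, removing the stopgap replay protection; enable only when restarts or clock skew make the default check impractical.` The zero value keeps the check on, which is the right default and should be stated too. Validate, which follows, begins outside the hunk, so whether it warns when this option is set cannot be judged here.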