Split provisioner check in two cases

Mariano Cano 2024-05-15 16:12:15 -07:00
parent 5fa5a63de8
commit 8673818980
No known key found for this signature in database


@ -334,22 +334,17 @@ func lookupJWK(next nextHTTP) nextHTTP {
// Verify that the provisioner with which the account was created // Verify that the provisioner with which the account was created
// matches the provisioner in the request URL. // matches the provisioner in the request URL.
reqProv := acme.MustProvisionerFromContext(ctx) reqProv := acme.MustProvisionerFromContext(ctx)
if acc.ProvisionerID == "" || reqProv.GetID() != acc.ProvisionerID { switch {
reqProvisioner := reqProv.GetName() case acc.ProvisionerID == "" && acc.ProvisionerName != reqProv.GetName():
accProvisioner := acc.ProvisionerName render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
if reqProvisioner != accProvisioner { "account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
// Show IDs if names are not available acc.ProvisionerName, reqProv.GetName()))
if accProvisioner == "" && acc.ProvisionerID != "" { return
reqProvisioner = reqProv.GetID() case acc.ProvisionerID != "" && acc.ProvisionerID != reqProv.GetID():
accProvisioner = acc.ProvisionerID render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
} "account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
// Provisioner in the URL must match the provisioner with acc.ProvisionerID, reqProv.GetID()))
// which the account was created. return
render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
accProvisioner, reqProvisioner))
return
}
} }
} else { } else {
// This code will only execute for old ACME accounts that do // This code will only execute for old ACME accounts that do