diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index 11cff219..1a6eee3e 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -260,10 +260,7 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti

 // AuthorizeRenew returns an error if the renewal is disabled.
 func (p *Nebula) AuthorizeRenew(ctx context.Context, crt *x509.Certificate) error {
- if p.ctl.Claimer.IsDisableRenewal() {
- return errs.Unauthorized("renew is disabled for nebula provisioner '%s'", p.GetName())
- }
- return nil
+ return p.ctl.AuthorizeRenew(ctx, crt)
 }

 // AuthorizeRevoke returns an error if the token is not valid.
diff --git a/authority/provisioner/nebula_test.go b/authority/provisioner/nebula_test.go
index 8f9afd9d..b190d607 100644
--- a/authority/provisioner/nebula_test.go
+++ b/authority/provisioner/nebula_test.go
@@ -549,6 +549,8 @@ func TestNebula_AuthorizeSSHSign(t *testing.T) {

 func TestNebula_AuthorizeRenew(t *testing.T) {
 ctx := context.TODO()
+ now := time.Now().Truncate(time.Second)
+
 // Ok provisioner
 p, _, _ := mustNebulaProvisioner(t)

@@ -567,8 +569,14 @@ func TestNebula_AuthorizeRenew(t *testing.T) {
 args args
 wantErr bool
 }{
- {"ok", p, args{ctx, &x509.Certificate{}}, false},
- {"fail disabled", pDisabled, args{ctx, &x509.Certificate{}}, true},
+ {"ok", p, args{ctx, &x509.Certificate{
+ NotBefore: now,
+ NotAfter: now.Add(time.Hour),
+ }}, false},
+ {"fail disabled", pDisabled, args{ctx, &x509.Certificate{
+ NotBefore: now,
+ NotAfter: now.Add(time.Hour),
+ }}, true},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
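Review bot: In authority/provisioner/nebula.go the doc comment kept above AuthorizeRenew still says it only "returns an error if the renewal is disabled", while the body now hands the whole decision to `p.ctl.AuthorizeRenew(ctx, crt)`. The test change in this commit starts setting NotBefore/NotAfter on the certificate, which suggests the controller also checks the validity window; that is inferred, since the controller code is not part of this diff. I would reword the comment to `// AuthorizeRenew delegates the renewal decision to the provisioner controller, which may reject it for reasons other than renewal being disabled.` It is also worth confirming that no caller, log filter or alert depended on the removed Nebula-specific message that named the provisioner, because the error text now comes from the controller.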
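Review bot: In authority/provisioner/nebula_test.go the table in TestNebula_AuthorizeRenew (hunk at -567) only exercises certificates that are inside their validity window, so nothing pins how the newly delegated check treats an expired or not-yet-valid certificate for this provisioner. I would add rows such as `{"fail expired", p, args{ctx, &x509.Certificate{NotBefore: now.Add(-2 * time.Hour), NotAfter: now.Add(-time.Hour)}}, true},` and `{"fail not yet valid", p, args{ctx, &x509.Certificate{NotBefore: now.Add(time.Hour), NotAfter: now.Add(2 * time.Hour)}}, true},`. The expected `wantErr` values assume the controller rejects both cases under the provisioner's default claims; adjust them if the policy visible in the controller says otherwise. The test function starts in the previous hunk and its loop body continues past the end of this one.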