From a0cf8083938cd054e3d6fbaff6d0c44059e1dcad Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 17 Feb 2022 17:53:44 -0800
Subject: [PATCH] Make the X5C leaf certificate available to the templates.

X509 and SSH templates of the X5C provisioner will have now access to the leaf certificate used to sign the token using the template variable .AuthorizationCrt

Fixes #433
---
 authority/provisioner/nebula.go | 3 ++-
 authority/provisioner/x5c.go | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index a77f4281..71c57590 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -140,7 +140,8 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	// The Nebula certificate will be available using the template variable Crt.
-	// For example {{ .Crt.Details.Groups }} can be used to get all the groups.
+	// For example {{ .AuthorizationCrt.Details.Groups }} can be used to get all
+	// the groups.
 	data.SetAuthorizationCertificate(crt)
 
 	templateOptions, err := TemplateOptions(p.Options, data)
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 8710acb5..342ccd73 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -213,6 +213,11 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 		data.SetToken(v)
 	}
 
+	// The X509 certificate will be available using the template variable Crt.
+	// For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
+	// domains.
+	data.SetAuthorizationCertificate(claims.chains[0][0])
+
 	templateOptions, err := TemplateOptions(p.Options, data)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
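Review bot: The first line of the comment in the nebula.go hunk, which this commit leaves unchanged, still says the certificate is exposed "using the template variable Crt", while the corrected example right below it uses `.AuthorizationCrt`, so the two sentences now contradict each other; the two new comments in x5c.go (AuthorizeSign and AuthorizeSSHSign) copy the same "template variable Crt" wording. Suggested first line for nebula.go: `// The Nebula certificate will be available using the template variable AuthorizationCrt.`, and for both x5c.go comments: `// The X5C leaf certificate will be available using the template variable AuthorizationCrt.`. Since `data.SetAuthorizationCertificate` is what the templates read from, the comment should name the variable a template author actually has to type, as the commit message does. The enclosing AuthorizeSign functions start and end outside these hunks.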
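Review bot: `data.SetAuthorizationCertificate(claims.chains[0][0])` indexes the first chain and its first element with no length check visible in the hunk, so an empty `chains` slice or an empty first chain would panic inside the sign request path; the identical line is added in the AuthorizeSSHSign hunk of x5c.go. Presumably the x5c header has been verified earlier in the function so that at least one chain with a leaf is guaranteed, but that invariant is not visible here — either record it next to the new line, e.g. `// claims.chains is non-empty here: the x5c chain was verified above.`, or fail closed with `if len(claims.chains) == 0 || len(claims.chains[0]) == 0 { /* return an error instead of indexing */ }`. As a nearby nit on a context line, the wrap in X5C.AuthorizeSign still labels the error `"jwk.AuthorizeSign"` while the SSH variant uses `"x5c.AuthorizeSSHSign"`, which makes incidents harder to attribute to the right provisioner. AuthorizeSign starts and ends outside the hunk.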
@@ -287,6 +292,11 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		data.SetToken(v)
 	}
 
+	// The X509 certificate will be available using the template variable Crt.
+	// For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
+	// domains.
+	data.SetAuthorizationCertificate(claims.chains[0][0])
+
 	templateOptions, err := TemplateSSHOptions(p.Options, data)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSSHSign")