Update temporal solution for sending message to users

pull/752/head
Mariano Cano 3 years ago
parent 668d3ea6c7
commit b6ebd118fc

@ -8,9 +8,7 @@ import (
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/asn1" "encoding/asn1"
"encoding/json" "encoding/json"
"fmt"
"net" "net"
"net/http"
"net/url" "net/url"
"reflect" "reflect"
"time" "time"
@ -372,17 +370,6 @@ func newValidityValidator(min, max time.Duration) *validityValidator {
return &validityValidator{min: min, max: max} return &validityValidator{min: min, max: max}
} }
// TODO(mariano): refactor errs package to allow sending real errors to the
// user.
func badRequest(format string, args ...interface{}) error {
msg := fmt.Sprintf(format, args...)
return &errs.Error{
Status: http.StatusBadRequest,
Msg: msg,
Err: errors.New(msg),
}
}
// Valid validates the certificate validity settings (notBefore/notAfter) and // Valid validates the certificate validity settings (notBefore/notAfter) and
// total duration. // total duration.
func (v *validityValidator) Valid(cert *x509.Certificate, o SignOptions) error { func (v *validityValidator) Valid(cert *x509.Certificate, o SignOptions) error {
@ -395,20 +382,20 @@ func (v *validityValidator) Valid(cert *x509.Certificate, o SignOptions) error {
d := na.Sub(nb) d := na.Sub(nb)
if na.Before(now) { if na.Before(now) {
return badRequest("notAfter cannot be in the past; na=%v", na) return errs.BadRequest("notAfter cannot be in the past; na=%v", na)
} }
if na.Before(nb) { if na.Before(nb) {
return badRequest("notAfter cannot be before notBefore; na=%v, nb=%v", na, nb) return errs.BadRequest("notAfter cannot be before notBefore; na=%v, nb=%v", na, nb)
} }
if d < v.min { if d < v.min {
return badRequest("requested duration of %v is less than the authorized minimum certificate duration of %v", d, v.min) return errs.BadRequest("requested duration of %v is less than the authorized minimum certificate duration of %v", d, v.min)
} }
// NOTE: this check is not "technically correct". We're allowing the max // NOTE: this check is not "technically correct". We're allowing the max
// duration of a cert to be "max + backdate" and not all certificates will // duration of a cert to be "max + backdate" and not all certificates will
// be backdated (e.g. if a user passes the NotBefore value then we do not // be backdated (e.g. if a user passes the NotBefore value then we do not
// apply a backdate). This is good enough. // apply a backdate). This is good enough.
if d > v.max+o.Backdate { if d > v.max+o.Backdate {
return badRequest("requested duration of %v is more than the authorized maximum certificate duration of %v", d, v.max+o.Backdate) return errs.BadRequest("requested duration of %v is more than the authorized maximum certificate duration of %v", d, v.max+o.Backdate)
} }
return nil return nil
} }
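Review bot: The over-maximum message at the end of validityValidator.Valid labels `v.max+o.Backdate` as "the authorized maximum certificate duration", and the commit title suggests these strings now reach the requesting user through errs.BadRequest. The client is therefore told a limit that is the configured maximum plus the backdate, which the NOTE above the check already calls not technically correct. Naming the backdate in the text would keep the check unchanged and the message accurate, e.g. `"requested duration of %v is more than the authorized maximum certificate duration of %v (including backdate)"`. The same wording issue applies to the `max+opts.Backdate` message in sshCertValidityValidator.Valid. errs.BadRequest is not defined on this page, so a short comment such as `// Messages passed to errs.BadRequest are returned to the client; keep internal state out of them.` would record the contract, if that is indeed its behaviour.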

@ -336,11 +336,11 @@ type sshCertValidityValidator struct {
func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOptions) error { func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOptions) error {
switch { switch {
case cert.ValidAfter == 0: case cert.ValidAfter == 0:
return badRequest("ssh certificate validAfter cannot be 0") return errs.BadRequest("ssh certificate validAfter cannot be 0")
case cert.ValidBefore < uint64(now().Unix()): case cert.ValidBefore < uint64(now().Unix()):
return badRequest("ssh certificate validBefore cannot be in the past") return errs.BadRequest("ssh certificate validBefore cannot be in the past")
case cert.ValidBefore < cert.ValidAfter: case cert.ValidBefore < cert.ValidAfter:
return badRequest("ssh certificate validBefore cannot be before validAfter") return errs.BadRequest("ssh certificate validBefore cannot be before validAfter")
} }
var min, max time.Duration var min, max time.Duration
@ -352,9 +352,9 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
min = v.MinHostSSHCertDuration() min = v.MinHostSSHCertDuration()
max = v.MaxHostSSHCertDuration() max = v.MaxHostSSHCertDuration()
case 0: case 0:
return badRequest("ssh certificate type has not been set") return errs.BadRequest("ssh certificate type has not been set")
default: default:
return badRequest("unknown ssh certificate type %d", cert.CertType) return errs.BadRequest("unknown ssh certificate type %d", cert.CertType)
} }
// To not take into account the backdate, time.Now() will be used to // To not take into account the backdate, time.Now() will be used to
@ -363,9 +363,9 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
switch { switch {
case dur < min: case dur < min:
return badRequest("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min) return errs.BadRequest("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min)
case dur > max+opts.Backdate: case dur > max+opts.Backdate:
return badRequest("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate) return errs.BadRequest("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate)
default: default:
return nil return nil
} }
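Review bot: The first switch in sshCertValidityValidator.Valid puts no upper bound on `cert.ValidBefore`, a uint64 count of seconds, before a duration is derived from it further down. The line that computes `dur` falls between the visible hunks, so this is something to confirm rather than a finding: if it converts the difference to `time.Duration` and scales it by `time.Second`, a far-future value can overflow int64 and the `dur < min` / `dur > max+opts.Backdate` comparisons would run on a wrapped value. An extra `case` that rejects such values with `errs.BadRequest("ssh certificate validBefore is too far in the future")`, or a comparison done in whole seconds, would rule that out. A comment like `// ValidBefore is uint64 seconds; bound it before converting to time.Duration.` would document the constraint.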
