Allow mTLS renewals if the provisioner extension does not exists.

This fixes a backward compatibility issue with with the new LoadProvisionerByCertificate.
2 years ago · c8c59d68f5
parent 2fbff47acf
commit c8c59d68f5
1 changed files with 7 additions and 1 deletions
--- a/authority/authorize.go
+++ b/authority/authorize.go
@ -284,7 +284,13 @@ func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
 	}
 	p, err := a.LoadProvisionerByCertificate(cert)
 	if err != nil {
-		return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+		var ok bool
+		// For backward compatibility this method will also succeed if the
+		// provisioner does not have an extension. LoadByCertificate returns the
+		// noop provisioner if this happens, and it allow certificate renewals.
+		if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
+			return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+		}
 	}
 	if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
 		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)