Add disableIssuedAt check functionality

Fixes #86
6 years ago · 1c1ac1b3fb
parent f938ab113b
commit 1c1ac1b3fb
2 changed files with 14 additions and 4 deletions
--- a/authority/authorize.go
+++ b/authority/authorize.go
@ -79,6 +79,15 @@ func (a *Authority) Authorize(ott string) ([]api.Claim, error) {
 			http.StatusUnauthorized, errContext}
 	}

+	// Do not accept tokens issued before the start of the ca.
+	// This check is meant as a stopgap solution to the current lack of a persistence layer.
+	if a.config.AuthorityConfig != nil && !a.config.AuthorityConfig.DisableIssuedAtCheck {
+		if claims.IssuedAt > 0 && claims.IssuedAt.Time().Before(a.startTime) {
+			return nil, &apiError{errors.New("token issued before the bootstrap of certificate authority"),
+				http.StatusUnauthorized, errContext}
+		}
+	}
+
 	if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
 		return nil, &apiError{errors.New("invalid audience"), http.StatusUnauthorized,
 			errContext}
--- a/authority/config.go
+++ b/authority/config.go
@ -67,10 +67,11 @@ type Config struct {

 // AuthConfig represents the configuration options for the authority.
 type AuthConfig struct {
-	Provisioners    []*provisioner.Provisioner `json:"provisioners,omitempty"`
-	Template        *x509util.ASN1DN           `json:"template,omitempty"`
-	MinCertDuration *duration                  `json:"minCertDuration,omitempty"`
-	MaxCertDuration *duration                  `json:"maxCertDuration,omitempty"`
+	Provisioners         []*provisioner.Provisioner `json:"provisioners,omitempty"`
+	Template             *x509util.ASN1DN           `json:"template,omitempty"`
+	MinCertDuration      *duration                  `json:"minCertDuration,omitempty"`
+	MaxCertDuration      *duration                  `json:"maxCertDuration,omitempty"`
+	DisableIssuedAtCheck bool                       `json:"disableIssuedAtCheck,omitempty"`
 }

 // Validate validates the authority configuration.