Use the provisioner controller in Nebula renewals

2 years ago · 8ef8f4f665
parent afb5d36206
commit 8ef8f4f665
2 changed files with 11 additions and 6 deletions
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@ -260,10 +260,7 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti

 // AuthorizeRenew returns an error if the renewal is disabled.
 func (p *Nebula) AuthorizeRenew(ctx context.Context, crt *x509.Certificate) error {
-	if p.ctl.Claimer.IsDisableRenewal() {
-		return errs.Unauthorized("renew is disabled for nebula provisioner '%s'", p.GetName())
-	}
-	return nil
+	return p.ctl.AuthorizeRenew(ctx, crt)
 }

 // AuthorizeRevoke returns an error if the token is not valid.
--- a/authority/provisioner/nebula_test.go
+++ b/authority/provisioner/nebula_test.go
@ -549,6 +549,8 @@ func TestNebula_AuthorizeSSHSign(t *testing.T) {

 func TestNebula_AuthorizeRenew(t *testing.T) {
 	ctx := context.TODO()
+	now := time.Now().Truncate(time.Second)
+
 	// Ok provisioner
 	p, _, _ := mustNebulaProvisioner(t)

@ -567,8 +569,14 @@ func TestNebula_AuthorizeRenew(t *testing.T) {
 		args    args
 		wantErr bool
 	}{
-		{"ok", p, args{ctx, &x509.Certificate{}}, false},
-		{"fail disabled", pDisabled, args{ctx, &x509.Certificate{}}, true},
+		{"ok", p, args{ctx, &x509.Certificate{
+			NotBefore: now,
+			NotAfter:  now.Add(time.Hour),
+		}}, false},
+		{"fail disabled", pDisabled, args{ctx, &x509.Certificate{
+			NotBefore: now,
+			NotAfter:  now.Add(time.Hour),
+		}}, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {