Add noop provisioner and use it if a provisioner cannot been found from a cert.

5 years ago · 9f7f871f25
parent 47817ab212
commit 9f7f871f25
2 changed files with 42 additions and 2 deletions
--- a/authority/provisioner/collection.go
+++ b/authority/provisioner/collection.go
@ -80,7 +80,7 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
 	return c.Load(payload.Audience[0])
 }

-// LoadByCertificate lookds for the provisioner extension and extracts the
+// LoadByCertificate looks for the provisioner extension and extracts the
 // proper id to load the provisioner.
 func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool) {
 	for _, e := range cert.Extensions {
@ -95,7 +95,10 @@ func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
 			return c.Load(string(provisioner.CredentialID))
 		}
 	}
-	return nil, false
+
+	// Default to noop provisioner if an extension is not found. This allows to
+	// accept a renewal of a cert without the provisioner extension.
+	return &noop{}, true
 }

 // LoadEncryptedKey returns a the encrypted key by KeyID. At this moment only
--- a/authority/provisioner/noop.go
+++ b/authority/provisioner/noop.go
@ -0,0 +1,37 @@
+package provisioner
+
+import "crypto/x509"
+
+// noop provisioners is a provisioner that accepts anything.
+type noop struct{}
+
+func (p *noop) GetID() string {
+	return "noop"
+}
+
+func (p *noop) GetName() string {
+	return "noop"
+}
+func (p *noop) GetType() Type {
+	return noopType
+}
+
+func (p *noop) GetEncryptedKey() (kid string, key string, ok bool) {
+	return "", "", false
+}
+
+func (p *noop) Init(config Config) error {
+	return nil
+}
+
+func (p *noop) Authorize(token string) ([]SignOption, error) {
+	return []SignOption{}, nil
+}
+
+func (p *noop) AuthorizeRenewal(cert *x509.Certificate) error {
+	return nil
+}
+
+func (p *noop) AuthorizeRevoke(token string) error {
+	return nil
+}