Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update temporal solution for sending message to users

Browse Source
pull/752/head
Mariano Cano 3 years ago
parent 668d3ea6c7
commit b6ebd118fc
2 changed files with 11 additions and 24 deletions
Show Stats Download Patch File Download Diff File

21
authority/provisioner/sign_options.go
Unescape Escape View File

@ -8,9 +8,7 @@ import (
"crypto/x509/pkix"
"encoding/asn1"
"encoding/json"
"fmt"
"net"
"net/http"
"net/url"
"reflect"
"time"
@ -372,17 +370,6 @@ func newValidityValidator(min, max time.Duration) *validityValidator {
return &validityValidator{min: min, max: max}
}
// TODO(mariano): refactor errs package to allow sending real errors to the
// user.
func badRequest(format string, args ...interface{}) error {
msg := fmt.Sprintf(format, args...)
return &errs.Error{
Status: http.StatusBadRequest,
Msg: msg,
Err: errors.New(msg),
}
}
// Valid validates the certificate validity settings (notBefore/notAfter) and
// total duration.
func (v *validityValidator) Valid(cert *x509.Certificate, o SignOptions) error {
@ -395,20 +382,20 @@ func (v *validityValidator) Valid(cert *x509.Certificate, o SignOptions) error {
d := na.Sub(nb)
if na.Before(now) {
return badRequest("notAfter cannot be in the past; na=%v", na)
return errs.BadRequest("notAfter cannot be in the past; na=%v", na)
}
if na.Before(nb) {
return badRequest("notAfter cannot be before notBefore; na=%v, nb=%v", na, nb)
return errs.BadRequest("notAfter cannot be before notBefore; na=%v, nb=%v", na, nb)
}
if d < v.min {
return badRequest("requested duration of %v is less than the authorized minimum certificate duration of %v", d, v.min)
return errs.BadRequest("requested duration of %v is less than the authorized minimum certificate duration of %v", d, v.min)
}
// NOTE: this check is not "technically correct". We're allowing the max
// duration of a cert to be "max + backdate" and not all certificates will
// be backdated (e.g. if a user passes the NotBefore value then we do not
// apply a backdate). This is good enough.
if d > v.max+o.Backdate {
return badRequest("requested duration of %v is more than the authorized maximum certificate duration of %v", d, v.max+o.Backdate)
return errs.BadRequest("requested duration of %v is more than the authorized maximum certificate duration of %v", d, v.max+o.Backdate)
}
return nil
}

14
authority/provisioner/sign_ssh_options.go
Unescape Escape View File

@ -336,11 +336,11 @@ type sshCertValidityValidator struct {
func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOptions) error {
switch {
case cert.ValidAfter == 0:
return badRequest("ssh certificate validAfter cannot be 0")
return errs.BadRequest("ssh certificate validAfter cannot be 0")
case cert.ValidBefore < uint64(now().Unix()):
return badRequest("ssh certificate validBefore cannot be in the past")
return errs.BadRequest("ssh certificate validBefore cannot be in the past")
case cert.ValidBefore < cert.ValidAfter:
return badRequest("ssh certificate validBefore cannot be before validAfter")
return errs.BadRequest("ssh certificate validBefore cannot be before validAfter")
}
var min, max time.Duration
@ -352,9 +352,9 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
min = v.MinHostSSHCertDuration()
max = v.MaxHostSSHCertDuration()
case 0:
return badRequest("ssh certificate type has not been set")
return errs.BadRequest("ssh certificate type has not been set")
default:
return badRequest("unknown ssh certificate type %d", cert.CertType)
return errs.BadRequest("unknown ssh certificate type %d", cert.CertType)
}
// To not take into account the backdate, time.Now() will be used to
@ -363,9 +363,9 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
switch {
case dur < min:
return badRequest("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min)
return errs.BadRequest("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min)
case dur > max+opts.Backdate:
return badRequest("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate)
return errs.BadRequest("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate)
default:
return nil
}

Write Preview
Loading…
Cancel
Save