Set not extensions to host certificates.

This commit is contained in:
Mariano Cano 2019-07-29 16:36:46 -07:00
parent 48c98dea2a
commit 53f62f871c
3 changed files with 21 additions and 13 deletions


@ -179,8 +179,6 @@ func (p *JWK) authorizeSSHSign(claims *jwtPayload) ([]SignOption, error) {
signOptions := []SignOption{
// validates user's SSHOptions with the ones in the token
&sshCertificateOptionsValidator{opts},
// set the default extensions
&sshDefaultExtensionModifier{},
// set the key id to the token subject
sshCertificateKeyIDModifier(claims.Subject),
}
@ -200,6 +198,8 @@ func (p *JWK) authorizeSSHSign(claims *jwtPayload) ([]SignOption, error) {
}
return append(signOptions,
// set the default extensions
&sshDefaultExtensionModifier{},
// checks the validity bounds, and set the validity if has not been set
&sshCertificateValidityModifier{p.claimer},
// require all the fields in the SSH certificate


@ -299,8 +299,6 @@ func (o *OIDC) AuthorizeRenewal(cert *x509.Certificate) error {
// authorizeSSHSign returns the list of SignOption for a SignSSH request.
func (o *OIDC) authorizeSSHSign(claims *openIDPayload) ([]SignOption, error) {
signOptions := []SignOption{
// set the default extensions
&sshDefaultExtensionModifier{},
// set the key id to the token subject
sshCertificateKeyIDModifier(claims.Email),
}
@ -320,6 +318,8 @@ func (o *OIDC) authorizeSSHSign(claims *openIDPayload) ([]SignOption, error) {
}
return append(signOptions,
// set the default extensions
&sshDefaultExtensionModifier{},
// checks the validity bounds, and set the validity if has not been set
&sshCertificateValidityModifier{o.claimer},
// require all the fields in the SSH certificate


@ -148,6 +148,11 @@ func (m sshCertificateValidBeforeModifier) Modify(cert *ssh.Certificate) error {
type sshDefaultExtensionModifier struct{}
func (m *sshDefaultExtensionModifier) Modify(cert *ssh.Certificate) error {
switch cert.CertType {
// Default to no extensions to HostCert
case ssh.HostCert:
return nil
case ssh.UserCert:
if cert.Extensions == nil {
cert.Extensions = make(map[string]string)
}
@ -157,6 +162,9 @@ func (m *sshDefaultExtensionModifier) Modify(cert *ssh.Certificate) error {
cert.Extensions["permit-pty"] = ""
cert.Extensions["permit-user-rc"] = ""
return nil
default:
return errors.New("ssh certificate type has not been set or is invalid")
}
}
// sshCertificateValidityModifier is a SSHCertificateModifier checks the
@ -240,7 +248,7 @@ func (v *sshCertificateDefaultValidator) Valid(crt *ssh.Certificate) error {
return errors.New("ssh certificate valid after cannot be 0")
case crt.ValidBefore == 0:
return errors.New("ssh certificate valid before cannot be 0")
case len(crt.Extensions) == 0:
case crt.CertType == ssh.UserCert && len(crt.Extensions) == 0:
return errors.New("ssh certificate extensions cannot be empty")
case crt.SignatureKey == nil:
return errors.New("ssh certificate signature key cannot be nil")
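Review bot: The `case ssh.HostCert:` arm of `sshDefaultExtensionModifier.Modify` returns nil without touching `cert.Extensions`, so extensions that an earlier option already placed on a host certificate are kept rather than cleared; the commit title reads as a stronger guarantee than that, and the arm deserves a comment such as `// Host certificates get no default extensions; any extensions already set by an earlier option are left as they are.` The new switch also makes the modifier depend on `CertType` being populated before it runs (the `default` arm returns `errors.New("ssh certificate type has not been set or is invalid")`), which I take to be why the jwk and oidc hunks move it after the key-ID modifier — that ordering requirement is worth stating in the type's doc comment or next to the `// set the default extensions` call sites. The validator change to `case crt.CertType == ssh.UserCert && len(crt.Extensions) == 0:` is consistent with the modifier, but neither `Modify` nor the visible part of `Valid` rejects a host certificate that arrives with user-style extensions like `permit-pty`; if that is meant to be excluded it needs its own check. `Modify`'s body continues between the first two hunks of this file, and the `Valid` switch begins outside the last hunk.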