Add initial template support for iid provisisioners.

authority/provisioner/aws.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/sshutil"
 	"github.com/smallstep/certificates/x509util"
 	"github.com/smallstep/cli/jose"
 )
@@ -134,6 +135,7 @@ type AWS struct {
 	InstanceAge            Duration    `json:"instanceAge,omitempty"`
 	Claims                 *Claims     `json:"claims,omitempty"`
 	Options                *Options    `json:"options,omitempty"`
+	SSHOptions             *SSHOptions `json:"sshOptions,omitempty"`
 	claimer                *Claimer
 	config                 *awsConfig
 	audiences              Audiences
@@ -468,34 +470,42 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 
 	doc := claims.document
 
-	signOptions := []SignOption{
+	// Validated principals.
-		// set the key id to the instance id
+	principals := []string{
-		sshCertKeyIDModifier(doc.InstanceID),
-	}
-
-	// Only enforce known principals if disable custom sans is true.
-	var principals []string
-	if p.DisableCustomSANs {
-		principals = []string{
 		doc.PrivateIP,
 		fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region),
 	}
-	}
 
 	// Default to cert type to host
 	defaults := SignSSHOptions{
 		CertType: SSHHostCert,
-		Principals: principals,
+	}
+	defaultTemplate := sshutil.DefaultIIDCertificate
+
+	// Only enforce known principals if disable custom sans is true.
+	if p.DisableCustomSANs {
+		defaults.Principals = principals
+		defaultTemplate = sshutil.DefaultCertificate
 	}
 
 	// Validate user options
-	signOptions = append(signOptions, sshCertOptionsValidator(defaults))
+	signOptions := []SignOption{
-	// Set defaults if not given as user options
+		sshCertOptionsValidator(defaults),
-	signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
+	}
+
+	// Certificate templates.
+	data := sshutil.CreateTemplateData(sshutil.HostCert, doc.InstanceID, principals)
+	if v, err := unsafeParseSigned(token); err == nil {
+		data.SetToken(v)
+	}
+
+	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
+	if err != nil {
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSSHSign")
+	}
+	signOptions = append(signOptions, templateOptions)
 
 	return append(signOptions,
-		// Set the default extensions.
-		&sshDefaultExtensionModifier{},
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
 		// Validate public key

authority/provisioner/azure.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/sshutil"
 	"github.com/smallstep/certificates/x509util"
 	"github.com/smallstep/cli/jose"
 )
@@ -92,6 +93,7 @@ type Azure struct {
 	DisableTrustOnFirstUse bool        `json:"disableTrustOnFirstUse"`
 	Claims                 *Claims     `json:"claims,omitempty"`
 	Options                *Options    `json:"options,omitempty"`
+	SSHOptions             *SSHOptions `json:"sshOptions,omitempty"`
 	claimer                *Claimer
 	config                 *azureConfig
 	oidcConfig             openIDConfiguration
@@ -338,30 +340,40 @@ func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
 	}
-	signOptions := []SignOption{
-		// set the key id to the instance name
-		sshCertKeyIDModifier(name),
-	}
 
-	// Only enforce known principals if disable custom sans is true.
+	// Validated principals
-	var principals []string
+	principals := []string{name}
-	if p.DisableCustomSANs {
-		principals = []string{name}
-	}
 
-	// Default to host + known hostnames
+	// Default options and template
 	defaults := SignSSHOptions{
 		CertType: SSHHostCert,
-		Principals: principals,
 	}
+	defaultTemplate := sshutil.DefaultIIDCertificate
+
+	// Only enforce known principals if disable custom sans is true.
+	if p.DisableCustomSANs {
+		defaults.Principals = principals
+		defaultTemplate = sshutil.DefaultCertificate
+	}
+
 	// Validate user options
-	signOptions = append(signOptions, sshCertOptionsValidator(defaults))
+	signOptions := []SignOption{
-	// Set defaults if not given as user options
+		sshCertOptionsValidator(defaults),
-	signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
+	}
+
+	// Certificate templates.
+	data := sshutil.CreateTemplateData(sshutil.HostCert, name, principals)
+	if v, err := unsafeParseSigned(token); err == nil {
+		data.SetToken(v)
+	}
+
+	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
+	if err != nil {
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
+	}
+	signOptions = append(signOptions, templateOptions)
 
 	return append(signOptions,
-		// Set the default extensions.
-		&sshDefaultExtensionModifier{},
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
 		// Validate public key

authority/provisioner/gcp.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/sshutil"
 	"github.com/smallstep/certificates/x509util"
 	"github.com/smallstep/cli/jose"
 )
@@ -86,6 +87,7 @@ type GCP struct {
 	InstanceAge            Duration    `json:"instanceAge,omitempty"`
 	Claims                 *Claims     `json:"claims,omitempty"`
 	Options                *Options    `json:"options,omitempty"`
+	SSHOptions             *SSHOptions `json:"sshOptions,omitempty"`
 	claimer                *Claimer
 	config                 *gcpConfig
 	keyStore               *keyStore
@@ -379,33 +381,42 @@ func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 
 	ce := claims.Google.ComputeEngine
 
-	signOptions := []SignOption{
+	// Validated principals
-		// set the key id to the instance name
+	principals := []string{
-		sshCertKeyIDModifier(ce.InstanceName),
-	}
-
-	// Only enforce known principals if disable custom sans is true.
-	var principals []string
-	if p.DisableCustomSANs {
-		principals = []string{
 		fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
 		fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
 	}
-	}
 
-	// Default to host + known hostnames
+	// Default options and template
 	defaults := SignSSHOptions{
 		CertType: SSHHostCert,
-		Principals: principals,
 	}
+	defaultTemplate := sshutil.DefaultIIDCertificate
+
+	// Only enforce known principals if disable custom sans is true.
+	if p.DisableCustomSANs {
+		defaults.Principals = principals
+		defaultTemplate = sshutil.DefaultCertificate
+	}
+
 	// Validate user options
-	signOptions = append(signOptions, sshCertOptionsValidator(defaults))
+	signOptions := []SignOption{
-	// Set defaults if not given as user options
+		sshCertOptionsValidator(defaults),
-	signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
+	}
+
+	// Certificate templates.
+	data := sshutil.CreateTemplateData(sshutil.HostCert, ce.InstanceName, principals)
+	if v, err := unsafeParseSigned(token); err == nil {
+		data.SetToken(v)
+	}
+
+	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
+	if err != nil {
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSSHSign")
+	}
+	signOptions = append(signOptions, templateOptions)
 
 	return append(signOptions,
-		// Set the default extensions
-		&sshDefaultExtensionModifier{},
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
 		// Validate public key