TrueCloudLab/certificates
17
0
Fork 2
Code Issues 1 Pull requests 1 Releases Activity Actions

Add SSH host certificate support for GCP provisioner.

Browse source
This commit is contained in:
Mariano Cano 2019-07-29 18:17:20 -07:00
parent 221d323b68
commit b827a59e96
1 changed files with 23 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
authority/provisioner/gcp.go
View file

@ -353,5 +353,27 @@ func (p *GCP) authorizeToken(token string) (*gcpPayload, error) {
// authorizeSSHSign returns the list of SignOption for a SignSSH request. // authorizeSSHSign returns the list of SignOption for a SignSSH request.
func (p *GCP) authorizeSSHSign(claims *gcpPayload) ([]SignOption, error) { func (p *GCP) authorizeSSHSign(claims *gcpPayload) ([]SignOption, error) {
return nil, nil ce := claims.Google.ComputeEngine
signOptions := []SignOption{
// set the key id to the token subject
sshCertificateKeyIDModifier(ce.InstanceName),
}
signOptions = append(signOptions, &sshCertificateOptionsValidator{&SSHOptions{
CertType: SSHHostCert,
Principals: []string{
fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
},
}})
return append(signOptions,
// set the default extensions
&sshDefaultExtensionModifier{},
// checks the validity bounds, and set the validity if has not been set
&sshCertificateValidityModifier{p.claimer},
// require all the fields in the SSH certificate
&sshCertificateDefaultValidator{},
), nil
} }