From e7d7eb1a947bd60cc70fc67abe775c9f6060a29e Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 18 May 2022 18:42:42 -0700
Subject: [PATCH] Add provisioner as a signOption for SSH

---
 authority/provisioner/aws.go | 1 +
 authority/provisioner/azure.go | 1 +
 authority/provisioner/gcp.go | 1 +
 authority/provisioner/jwk.go | 1 +
 authority/provisioner/k8sSA.go | 1 +
 authority/provisioner/nebula.go | 1 +
 authority/provisioner/noop.go | 2 +-
 authority/provisioner/oidc.go | 1 +
 authority/provisioner/x5c.go | 1 +
 9 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index 8433fde5..afc61dd7 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -747,6 +747,7 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 signOptions = append(signOptions, templateOptions)
 
 return append(signOptions,
+ p,
 // Validate user SignSSHOptions.
 sshCertOptionsValidator(defaults),
 // Set the validity bounds if not set.
diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go
index 438ab5b3..b6f7ec91 100644
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@@ -418,6 +418,7 @@ func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 signOptions = append(signOptions, templateOptions)
 
 return append(signOptions,
+ p,
 // Validate user SignSSHOptions.
 sshCertOptionsValidator(defaults),
 // Set the validity bounds if not set.
diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go
index 94c19e17..a116312d 100644
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@@ -425,6 +425,7 @@ func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 signOptions = append(signOptions, templateOptions)
 
 return append(signOptions,
+ p,
 // Validate user SignSSHOptions.
 sshCertOptionsValidator(defaults),
 // Set the validity bounds if not set.
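Review bot: The added `p` line in aws.go, azure.go and gcp.go (and the matching `p`/`o` additions in jwk.go, k8sSA.go, nebula.go, noop.go, oidc.go and x5c.go) drops the provisioner value into the option slice between validators and modifiers with no comment, and the code that consumes the returned options is not part of this patch, so a reader cannot tell from these sites why the provisioner is now an option. A one-line comment on the added line would carry that intent, e.g. `p, // the provisioner itself, so the SSH signer can identify which provisioner authorized the request`. The diffstat lists no `_test.go` files, so if the provisioner tests assert on the length or order of the returned options they will need updating alongside this change. If the option consumer type-switches and rejects unknown option types, it presumably gains a case for the provisioner type in a companion change; it would also be worth confirming that provisioners not in this diffstat either reject SSH signing outright or that the consumer tolerates the option being absent. Each enclosing AuthorizeSSHSign body starts outside its hunk.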
diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index 336736db..de592941 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -257,6 +257,7 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 }
 
 return append(signOptions,
+ p,
 // Set the validity bounds if not set.
 &sshDefaultDuration{p.ctl.Claimer},
 // Validate public key
diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go
index e2dbf840..28be0d5c 100644
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@@ -275,6 +275,7 @@ func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 signOptions := []SignOption{templateOptions}
 
 return append(signOptions,
+ p,
 // Require type, key-id and principals in the SignSSHOptions.
 &sshCertOptionsRequireValidator{CertType: true, KeyID: true, Principals: true},
 // Set the validity bounds if not set.
diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index 38a2409f..cde5857c 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -250,6 +250,7 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
 }
 
 return append(signOptions,
+ p,
 templateOptions,
 // Checks the validity bounds, and set the validity if has not been set.
 &sshLimitDuration{p.ctl.Claimer, crt.Details.NotAfter},
diff --git a/authority/provisioner/noop.go b/authority/provisioner/noop.go
index 39661e54..9ccd0c8c 100644
--- a/authority/provisioner/noop.go
+++ b/authority/provisioner/noop.go
@@ -50,7 +50,7 @@ func (p *noop) AuthorizeRevoke(ctx context.Context, token string) error {
 }
 
 func (p *noop) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
- return []SignOption{}, nil
+ return []SignOption{p}, nil
 }
 
 func (p *noop) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
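Review bot: In the nebula.go hunk `p` is inserted ahead of `templateOptions`, whereas in k8sSA.go (`signOptions := []SignOption{templateOptions}` precedes the return) and in the aws/azure/gcp hunks the template option is already in the slice before the provisioner is appended, so the relative order of the two differs across the nine call sites. If the option consumer applies options in slice order this may matter, and even if it does not, one consistent order makes the sites easier to audit; swapping the two lines in nebula.go, `templateOptions,` then `p,`, would align it with the rest. The noop.go change is complete and consistent with the other hunks. The enclosing functions in jwk.go, k8sSA.go and nebula.go start outside their hunks; noop.go's AuthorizeSSHSign is fully visible.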
diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index 9f389b29..e64d98d9 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -434,6 +434,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 }
 
 return append(signOptions,
+ o,
 // Set the validity bounds if not set.
 &sshDefaultDuration{o.ctl.Claimer},
 // Validate public key
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 69576da5..b9ae24c5 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -312,6 +312,7 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 }
 
 return append(signOptions,
+ p,
 // Checks the validity bounds, and set the validity if has not been set.
 &sshLimitDuration{p.ctl.Claimer, claims.chains[0][0].NotAfter},
 // Validate public key.