From 512b8d673083f0b61d1642e09575a8629629b2e3 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Tue, 25 Jan 2022 16:45:25 +0100 Subject: [PATCH] Refactor instantiation of policy engines Instead of using the `base` struct, the x509 and SSH policy engines are now added to each provisioner directly. --- authority/provisioner/acme.go | 27 ++++++++++---------- authority/provisioner/aws.go | 12 +++++---- authority/provisioner/azure.go | 12 +++++---- authority/provisioner/gcp.go | 12 +++++---- authority/provisioner/jwk.go | 12 +++++---- authority/provisioner/k8sSA.go | 15 +++++++----- authority/provisioner/nebula.go | 29 +++++++++++++--------- authority/provisioner/oidc.go | 12 +++++---- authority/provisioner/provisioner.go | 6 +---- authority/provisioner/scep.go | 16 ++++++------ authority/provisioner/sign_ssh_options.go | 2 -- authority/provisioner/sshpop.go | 1 - authority/provisioner/utils_test.go | 9 ------- authority/provisioner/x5c.go | 30 ++++++++++++----------- 14 files changed, 100 insertions(+), 95 deletions(-) diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go index 83d35e49..bab7e7ae 100644 --- a/authority/provisioner/acme.go +++ b/authority/provisioner/acme.go @@ -8,19 +8,21 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/policy" ) // ACME is the acme provisioner type, an entity that can authorize the ACME // provisioning flow. type ACME struct { *base - ID string `json:"-"` - Type string `json:"type"` - Name string `json:"name"` - ForceCN bool `json:"forceCN,omitempty"` - Claims *Claims `json:"claims,omitempty"` - Options *Options `json:"options,omitempty"` - claimer *Claimer + ID string `json:"-"` + Type string `json:"type"` + Name string `json:"name"` + ForceCN bool `json:"forceCN,omitempty"` + Claims *Claims `json:"claims,omitempty"` + Options *Options `json:"options,omitempty"` + claimer *Claimer + x509Policy policy.X509NamePolicyEngine } // GetID returns the provisioner unique identifier. @@ -70,7 +72,6 @@ func (p *ACME) DefaultTLSCertDuration() time.Duration { // Init initializes and validates the fields of an ACME type. func (p *ACME) Init(config Config) (err error) { - p.base = &base{} // prevent nil pointers switch { case p.Type == "": return errors.New("provisioner type cannot be empty") @@ -86,7 +87,7 @@ func (p *ACME) Init(config Config) (err error) { // Initialize the x509 allow/deny policy engine // TODO(hs): ensure no race conditions happen when reloading settings and requesting certs? // TODO(hs): implement memoization strategy, so that reloading is not required when no changes were made to allow/deny? - if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { + if p.x509Policy, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { return err } @@ -113,16 +114,16 @@ type ACMEIdentifier struct { // certificate for the Identifiers provided in an Order. func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier string) error { - if p.x509PolicyEngine == nil { + if p.x509Policy == nil { return nil } // assuming only valid identifiers (IP or DNS) are provided var err error if ip := net.ParseIP(identifier); ip != nil { - _, err = p.x509PolicyEngine.IsIPAllowed(ip) + _, err = p.x509Policy.IsIPAllowed(ip) } else { - _, err = p.x509PolicyEngine.IsDNSAllowed(identifier) + _, err = p.x509Policy.IsDNSAllowed(identifier) } return err @@ -140,7 +141,7 @@ func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e // validators defaultPublicKeyValidator{}, newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()), - newX509NamePolicyValidator(p.x509PolicyEngine), + newX509NamePolicyValidator(p.x509Policy), } return opts, nil diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go index 9f542873..f63b9ced 100644 --- a/authority/provisioner/aws.go +++ b/authority/provisioner/aws.go @@ -18,6 +18,7 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/policy" "go.step.sm/crypto/jose" "go.step.sm/crypto/sshutil" "go.step.sm/crypto/x509util" @@ -267,6 +268,8 @@ type AWS struct { claimer *Claimer config *awsConfig audiences Audiences + x509Policy policy.X509NamePolicyEngine + sshPolicy policy.SSHNamePolicyEngine } // GetID returns the provisioner unique identifier. @@ -392,7 +395,6 @@ func (p *AWS) GetIdentityToken(subject, caURL string) (string, error) { // Init validates and initializes the AWS provisioner. func (p *AWS) Init(config Config) (err error) { - p.base = &base{} // prevent nil pointers switch { case p.Type == "": return errors.New("provisioner type cannot be empty") @@ -427,12 +429,12 @@ func (p *AWS) Init(config Config) (err error) { } // Initialize the x509 allow/deny policy engine - if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { + if p.x509Policy, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { return err } // Initialize the SSH allow/deny policy engine - if p.sshPolicyEngine, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { + if p.sshPolicy, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { return err } @@ -489,7 +491,7 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er defaultPublicKeyValidator{}, commonNameValidator(payload.Claims.Subject), newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()), - newX509NamePolicyValidator(p.x509PolicyEngine), + newX509NamePolicyValidator(p.x509Policy), ), nil } @@ -772,6 +774,6 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, // Require all the fields in the SSH certificate &sshCertDefaultValidator{}, // Ensure that all principal names are allowed - newSSHNamePolicyValidator(p.sshPolicyEngine), + newSSHNamePolicyValidator(p.sshPolicy), ), nil } diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go index b8bbe143..5ccdc06b 100644 --- a/authority/provisioner/azure.go +++ b/authority/provisioner/azure.go @@ -14,6 +14,7 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/policy" "go.step.sm/crypto/jose" "go.step.sm/crypto/sshutil" "go.step.sm/crypto/x509util" @@ -98,6 +99,8 @@ type Azure struct { config *azureConfig oidcConfig openIDConfiguration keyStore *keyStore + x509Policy policy.X509NamePolicyEngine + sshPolicy policy.SSHNamePolicyEngine } // GetID returns the provisioner unique identifier. @@ -191,7 +194,6 @@ func (p *Azure) GetIdentityToken(subject, caURL string) (string, error) { // Init validates and initializes the Azure provisioner. func (p *Azure) Init(config Config) (err error) { - p.base = &base{} // prevent nil pointers switch { case p.Type == "": return errors.New("provisioner type cannot be empty") @@ -223,12 +225,12 @@ func (p *Azure) Init(config Config) (err error) { } // Initialize the x509 allow/deny policy engine - if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { + if p.x509Policy, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { return err } // Initialize the SSH allow/deny policy engine - if p.sshPolicyEngine, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { + if p.sshPolicy, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { return err } @@ -339,7 +341,7 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, // validators defaultPublicKeyValidator{}, newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()), - newX509NamePolicyValidator(p.x509PolicyEngine), + newX509NamePolicyValidator(p.x509Policy), ), nil } @@ -409,7 +411,7 @@ func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio // Require all the fields in the SSH certificate &sshCertDefaultValidator{}, // Ensure that all principal names are allowed - newSSHNamePolicyValidator(p.sshPolicyEngine), + newSSHNamePolicyValidator(p.sshPolicy), ), nil } diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go index 4c7f2046..590c32e2 100644 --- a/authority/provisioner/gcp.go +++ b/authority/provisioner/gcp.go @@ -15,6 +15,7 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/policy" "go.step.sm/crypto/jose" "go.step.sm/crypto/sshutil" "go.step.sm/crypto/x509util" @@ -92,6 +93,8 @@ type GCP struct { config *gcpConfig keyStore *keyStore audiences Audiences + x509Policy policy.X509NamePolicyEngine + sshPolicy policy.SSHNamePolicyEngine } // GetID returns the provisioner unique identifier. The name should uniquely @@ -195,7 +198,6 @@ func (p *GCP) GetIdentityToken(subject, caURL string) (string, error) { // Init validates and initializes the GCP provisioner. func (p *GCP) Init(config Config) error { - p.base = &base{} // prevent nil pointers var err error switch { case p.Type == "": @@ -218,12 +220,12 @@ func (p *GCP) Init(config Config) error { } // Initialize the x509 allow/deny policy engine - if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { + if p.x509Policy, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { return err } // Initialize the SSH allow/deny policy engine - if p.sshPolicyEngine, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { + if p.sshPolicy, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { return err } @@ -284,7 +286,7 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er // validators defaultPublicKeyValidator{}, newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()), - newX509NamePolicyValidator(p.x509PolicyEngine), + newX509NamePolicyValidator(p.x509Policy), ), nil } @@ -451,6 +453,6 @@ func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, // Require all the fields in the SSH certificate &sshCertDefaultValidator{}, // Ensure that all principal names are allowed - newSSHNamePolicyValidator(p.sshPolicyEngine), + newSSHNamePolicyValidator(p.sshPolicy), ), nil } diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go index 3ee8113f..081fbb90 100644 --- a/authority/provisioner/jwk.go +++ b/authority/provisioner/jwk.go @@ -8,6 +8,7 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/policy" "go.step.sm/crypto/jose" "go.step.sm/crypto/sshutil" "go.step.sm/crypto/x509util" @@ -37,6 +38,8 @@ type JWK struct { Options *Options `json:"options,omitempty"` claimer *Claimer audiences Audiences + x509Policy policy.X509NamePolicyEngine + sshPolicy policy.SSHNamePolicyEngine } // GetID returns the provisioner unique identifier. The name and credential id @@ -89,7 +92,6 @@ func (p *JWK) GetEncryptedKey() (string, string, bool) { // Init initializes and validates the fields of a JWK type. func (p *JWK) Init(config Config) (err error) { - p.base = &base{} // prevent nil pointers switch { case p.Type == "": return errors.New("provisioner type cannot be empty") @@ -105,12 +107,12 @@ func (p *JWK) Init(config Config) (err error) { } // Initialize the x509 allow/deny policy engine - if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { + if p.x509Policy, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { return err } // Initialize the SSH allow/deny policy engine - if p.sshPolicyEngine, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { + if p.sshPolicy, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { return err } @@ -197,7 +199,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er defaultPublicKeyValidator{}, defaultSANsValidator(claims.SANs), newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()), - newX509NamePolicyValidator(p.x509PolicyEngine), + newX509NamePolicyValidator(p.x509Policy), }, nil } @@ -292,7 +294,7 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, // Require and validate all the default fields in the SSH certificate. &sshCertDefaultValidator{}, // Ensure that all principal names are allowed - newSSHNamePolicyValidator(p.sshPolicyEngine), + newSSHNamePolicyValidator(p.sshPolicy), ), nil } diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go index 707e141e..d52f0d12 100644 --- a/authority/provisioner/k8sSA.go +++ b/authority/provisioner/k8sSA.go @@ -11,6 +11,7 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/policy" "go.step.sm/crypto/jose" "go.step.sm/crypto/pemutil" "go.step.sm/crypto/sshutil" @@ -51,7 +52,9 @@ type K8sSA struct { claimer *Claimer audiences Audiences //kauthn kauthn.AuthenticationV1Interface - pubKeys []interface{} + pubKeys []interface{} + x509Policy policy.X509NamePolicyEngine + sshPolicy policy.SSHNamePolicyEngine } // GetID returns the provisioner unique identifier. The name and credential id @@ -92,7 +95,7 @@ func (p *K8sSA) GetEncryptedKey() (string, string, bool) { // Init initializes and validates the fields of a K8sSA type. func (p *K8sSA) Init(config Config) (err error) { - p.base = &base{} // prevent nil pointers + switch { case p.Type == "": return errors.New("provisioner type cannot be empty") @@ -145,12 +148,12 @@ func (p *K8sSA) Init(config Config) (err error) { } // Initialize the x509 allow/deny policy engine - if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { + if p.x509Policy, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { return err } // Initialize the SSH allow/deny policy engine - if p.sshPolicyEngine, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { + if p.sshPolicy, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { return err } @@ -255,7 +258,7 @@ func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption, // validators defaultPublicKeyValidator{}, newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()), - newX509NamePolicyValidator(p.x509PolicyEngine), + newX509NamePolicyValidator(p.x509Policy), }, nil } @@ -302,7 +305,7 @@ func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio // Require and validate all the default fields in the SSH certificate. &sshCertDefaultValidator{}, // Ensure that all principal names are allowed - newSSHNamePolicyValidator(p.sshPolicyEngine), + newSSHNamePolicyValidator(p.sshPolicy), ), nil } diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go index dfff8617..545939ac 100644 --- a/authority/provisioner/nebula.go +++ b/authority/provisioner/nebula.go @@ -11,6 +11,7 @@ import ( "github.com/pkg/errors" nebula "github.com/slackhq/nebula/cert" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/policy" "go.step.sm/crypto/jose" "go.step.sm/crypto/sshutil" "go.step.sm/crypto/x25519" @@ -35,20 +36,21 @@ const ( // go.step.sm/crypto/x25519. type Nebula struct { *base - ID string `json:"-"` - Type string `json:"type"` - Name string `json:"name"` - Roots []byte `json:"roots"` - Claims *Claims `json:"claims,omitempty"` - Options *Options `json:"options,omitempty"` - claimer *Claimer - caPool *nebula.NebulaCAPool - audiences Audiences + ID string `json:"-"` + Type string `json:"type"` + Name string `json:"name"` + Roots []byte `json:"roots"` + Claims *Claims `json:"claims,omitempty"` + Options *Options `json:"options,omitempty"` + claimer *Claimer + caPool *nebula.NebulaCAPool + audiences Audiences + x509Policy policy.X509NamePolicyEngine + sshPolicy policy.SSHNamePolicyEngine } // Init verifies and initializes the Nebula provisioner. func (p *Nebula) Init(config Config) error { - p.base = &base{} // prevent nil pointers switch { case p.Type == "": return errors.New("provisioner type cannot be empty") @@ -71,12 +73,12 @@ func (p *Nebula) Init(config Config) error { p.audiences = config.Audiences.WithFragment(p.GetIDForToken()) // Initialize the x509 allow/deny policy engine - if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { + if p.x509Policy, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { return err } // Initialize the SSH allow/deny policy engine - if p.sshPolicyEngine, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { + if p.sshPolicy, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { return err } @@ -177,6 +179,7 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption, }, defaultPublicKeyValidator{}, newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()), + newX509NamePolicyValidator(p.x509Policy), }, nil } @@ -272,6 +275,8 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti &sshCertValidityValidator{p.claimer}, // Require all the fields in the SSH certificate &sshCertDefaultValidator{}, + // Ensure that all principal names are allowed + newSSHNamePolicyValidator(p.sshPolicy), ), nil } diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go index 707f8228..e4fe8090 100644 --- a/authority/provisioner/oidc.go +++ b/authority/provisioner/oidc.go @@ -13,6 +13,7 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/policy" "go.step.sm/crypto/jose" "go.step.sm/crypto/sshutil" "go.step.sm/crypto/x509util" @@ -94,6 +95,8 @@ type OIDC struct { keyStore *keyStore claimer *Claimer getIdentityFunc GetIdentityFunc + x509Policy policy.X509NamePolicyEngine + sshPolicy policy.SSHNamePolicyEngine } func sanitizeEmail(email string) string { @@ -154,7 +157,6 @@ func (o *OIDC) GetEncryptedKey() (kid, key string, ok bool) { // Init validates and initializes the OIDC provider. func (o *OIDC) Init(config Config) (err error) { - o.base = &base{} // prevent nil pointers switch { case o.Type == "": return errors.New("type cannot be empty") @@ -210,12 +212,12 @@ func (o *OIDC) Init(config Config) (err error) { } // Initialize the x509 allow/deny policy engine - if o.x509PolicyEngine, err = newX509PolicyEngine(o.Options.GetX509Options()); err != nil { + if o.x509Policy, err = newX509PolicyEngine(o.Options.GetX509Options()); err != nil { return err } // Initialize the SSH allow/deny policy engine - if o.sshPolicyEngine, err = newSSHPolicyEngine(o.Options.GetSSHOptions()); err != nil { + if o.sshPolicy, err = newSSHPolicyEngine(o.Options.GetSSHOptions()); err != nil { return err } @@ -375,7 +377,7 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e // validators defaultPublicKeyValidator{}, newValidityValidator(o.claimer.MinTLSCertDuration(), o.claimer.MaxTLSCertDuration()), - newX509NamePolicyValidator(o.x509PolicyEngine), + newX509NamePolicyValidator(o.x509Policy), }, nil } @@ -466,7 +468,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption // Require all the fields in the SSH certificate &sshCertDefaultValidator{}, // Ensure that all principal names are allowed - newSSHNamePolicyValidator(o.sshPolicyEngine), + newSSHNamePolicyValidator(o.sshPolicy), ), nil } diff --git a/authority/provisioner/provisioner.go b/authority/provisioner/provisioner.go index a7d6e01d..55ebe092 100644 --- a/authority/provisioner/provisioner.go +++ b/authority/provisioner/provisioner.go @@ -12,7 +12,6 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/db" "github.com/smallstep/certificates/errs" - "github.com/smallstep/certificates/policy" "golang.org/x/crypto/ssh" ) @@ -305,10 +304,7 @@ func SanitizeSSHUserPrincipal(email string) string { }, strings.ToLower(email)) } -type base struct { - x509PolicyEngine policy.X509NamePolicyEngine - sshPolicyEngine policy.SSHNamePolicyEngine -} +type base struct{} // AuthorizeSign returns an unimplemented error. Provisioners should overwrite // this method if they will support authorizing tokens for signing x509 Certificates. diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go index 7c78d14b..418f7030 100644 --- a/authority/provisioner/scep.go +++ b/authority/provisioner/scep.go @@ -5,6 +5,7 @@ import ( "time" "github.com/pkg/errors" + "github.com/smallstep/certificates/policy" ) // SCEP is the SCEP provisioner type, an entity that can authorize the @@ -19,11 +20,11 @@ type SCEP struct { ChallengePassword string `json:"challenge,omitempty"` Capabilities []string `json:"capabilities,omitempty"` // MinimumPublicKeyLength is the minimum length for public keys in CSRs - MinimumPublicKeyLength int `json:"minimumPublicKeyLength,omitempty"` - Options *Options `json:"options,omitempty"` - Claims *Claims `json:"claims,omitempty"` - claimer *Claimer - + MinimumPublicKeyLength int `json:"minimumPublicKeyLength,omitempty"` + Options *Options `json:"options,omitempty"` + Claims *Claims `json:"claims,omitempty"` + claimer *Claimer + x509Policy policy.X509NamePolicyEngine secretChallengePassword string } @@ -74,7 +75,6 @@ func (s *SCEP) DefaultTLSCertDuration() time.Duration { // Init initializes and validates the fields of a SCEP type. func (s *SCEP) Init(config Config) (err error) { - s.base = &base{} // prevent nil pointers switch { case s.Type == "": return errors.New("provisioner type cannot be empty") @@ -103,7 +103,7 @@ func (s *SCEP) Init(config Config) (err error) { // TODO: add other, SCEP specific, options? // Initialize the x509 allow/deny policy engine - if s.x509PolicyEngine, err = newX509PolicyEngine(s.Options.GetX509Options()); err != nil { + if s.x509Policy, err = newX509PolicyEngine(s.Options.GetX509Options()); err != nil { return err } @@ -122,7 +122,7 @@ func (s *SCEP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e // validators newPublicKeyMinimumLengthValidator(s.MinimumPublicKeyLength), newValidityValidator(s.claimer.MinTLSCertDuration(), s.claimer.MaxTLSCertDuration()), - newX509NamePolicyValidator(s.x509PolicyEngine), + newX509NamePolicyValidator(s.x509Policy), }, nil } diff --git a/authority/provisioner/sign_ssh_options.go b/authority/provisioner/sign_ssh_options.go index e1853fa1..374bd65c 100644 --- a/authority/provisioner/sign_ssh_options.go +++ b/authority/provisioner/sign_ssh_options.go @@ -454,7 +454,6 @@ type sshNamePolicyValidator struct { // newSSHNamePolicyValidator return a new SSH allow/deny validator. func newSSHNamePolicyValidator(engine policy.SSHNamePolicyEngine) *sshNamePolicyValidator { return &sshNamePolicyValidator{ - // TODO: should we use two engines, one for host certs; another for user certs? policyEngine: engine, } } @@ -465,7 +464,6 @@ func (v *sshNamePolicyValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) if v.policyEngine == nil { return nil } - _, err := v.policyEngine.ArePrincipalsAllowed(cert) return err } diff --git a/authority/provisioner/sshpop.go b/authority/provisioner/sshpop.go index b41f512e..16fa0599 100644 --- a/authority/provisioner/sshpop.go +++ b/authority/provisioner/sshpop.go @@ -84,7 +84,6 @@ func (p *SSHPOP) GetEncryptedKey() (string, string, bool) { // Init initializes and validates the fields of a SSHPOP type. func (p *SSHPOP) Init(config Config) error { - p.base = &base{} // prevent nil pointers switch { case p.Type == "": return errors.New("provisioner type cannot be empty") diff --git a/authority/provisioner/utils_test.go b/authority/provisioner/utils_test.go index ea0890ae..fe2678fc 100644 --- a/authority/provisioner/utils_test.go +++ b/authority/provisioner/utils_test.go @@ -177,7 +177,6 @@ func generateJWK() (*JWK, error) { return nil, err } return &JWK{ - base: &base{}, Name: name, Type: "JWK", Key: &public, @@ -216,7 +215,6 @@ func generateK8sSA(inputPubKey interface{}) (*K8sSA, error) { } return &K8sSA{ - base: &base{}, Name: K8sSAName, Type: "K8sSA", Claims: &globalProvisionerClaims, @@ -254,7 +252,6 @@ func generateSSHPOP() (*SSHPOP, error) { } return &SSHPOP{ - base: &base{}, Name: name, Type: "SSHPOP", Claims: &globalProvisionerClaims, @@ -309,7 +306,6 @@ M46l92gdOozT rootPool.AddCert(cert) } return &X5C{ - base: &base{}, Name: name, Type: "X5C", Roots: root, @@ -342,7 +338,6 @@ func generateOIDC() (*OIDC, error) { return nil, err } return &OIDC{ - base: &base{}, Name: name, Type: "OIDC", ClientID: clientID, @@ -378,7 +373,6 @@ func generateGCP() (*GCP, error) { return nil, err } return &GCP{ - base: &base{}, Type: "GCP", Name: name, ServiceAccounts: []string{serviceAccount}, @@ -415,7 +409,6 @@ func generateAWS() (*AWS, error) { return nil, errors.Wrap(err, "error parsing AWS certificate") } return &AWS{ - base: &base{}, Type: "AWS", Name: name, Accounts: []string{accountID}, @@ -525,7 +518,6 @@ func generateAWSV1Only() (*AWS, error) { return nil, errors.Wrap(err, "error parsing AWS certificate") } return &AWS{ - base: &base{}, Type: "AWS", Name: name, Accounts: []string{accountID}, @@ -617,7 +609,6 @@ func generateAzure() (*Azure, error) { return nil, err } return &Azure{ - base: &base{}, Type: "Azure", Name: name, TenantID: tenantID, diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go index a87e4392..434fc576 100644 --- a/authority/provisioner/x5c.go +++ b/authority/provisioner/x5c.go @@ -9,6 +9,7 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/policy" "go.step.sm/crypto/jose" "go.step.sm/crypto/sshutil" "go.step.sm/crypto/x509util" @@ -26,15 +27,17 @@ type x5cPayload struct { // signature requests. type X5C struct { *base - ID string `json:"-"` - Type string `json:"type"` - Name string `json:"name"` - Roots []byte `json:"roots"` - Claims *Claims `json:"claims,omitempty"` - Options *Options `json:"options,omitempty"` - claimer *Claimer - audiences Audiences - rootPool *x509.CertPool + ID string `json:"-"` + Type string `json:"type"` + Name string `json:"name"` + Roots []byte `json:"roots"` + Claims *Claims `json:"claims,omitempty"` + Options *Options `json:"options,omitempty"` + claimer *Claimer + audiences Audiences + rootPool *x509.CertPool + x509Policy policy.X509NamePolicyEngine + sshPolicy policy.SSHNamePolicyEngine } // GetID returns the provisioner unique identifier. The name and credential id @@ -87,7 +90,6 @@ func (p *X5C) GetEncryptedKey() (string, string, bool) { // Init initializes and validates the fields of a X5C type. func (p *X5C) Init(config Config) error { - p.base = &base{} // prevent nil pointers switch { case p.Type == "": return errors.New("provisioner type cannot be empty") @@ -127,12 +129,12 @@ func (p *X5C) Init(config Config) error { } // Initialize the x509 allow/deny policy engine - if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { + if p.x509Policy, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil { return err } // Initialize the SSH allow/deny policy engine - if p.sshPolicyEngine, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { + if p.sshPolicy, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil { return err } @@ -240,7 +242,7 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er defaultSANsValidator(claims.SANs), defaultPublicKeyValidator{}, newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()), - newX509NamePolicyValidator(p.x509PolicyEngine), + newX509NamePolicyValidator(p.x509Policy), }, nil } @@ -324,6 +326,6 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, // Require all the fields in the SSH certificate &sshCertDefaultValidator{}, // Ensure that all principal names are allowed - newSSHNamePolicyValidator(p.sshPolicyEngine), + newSSHNamePolicyValidator(p.sshPolicy), ), nil }