Allow the SSH CA to be enabled per provisioner
parent
e71072d389
commit
57a529cc1a
7 changed files with 30 additions and 0 deletions
|
@ -28,6 +28,7 @@ var (
|
||||||
Renegotiation: false,
|
Renegotiation: false,
|
||||||
}
|
}
|
||||||
defaultDisableRenewal = false
|
defaultDisableRenewal = false
|
||||||
|
defaultEnableSSHCA = false
|
||||||
globalProvisionerClaims = provisioner.Claims{
|
globalProvisionerClaims = provisioner.Claims{
|
||||||
MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
|
MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
|
||||||
MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour},
|
MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour},
|
||||||
|
@ -39,6 +40,7 @@ var (
|
||||||
MinHostSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
|
MinHostSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
|
||||||
MaxHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
MaxHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
||||||
DefaultHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
DefaultHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
||||||
|
EnableSSHCA: &defaultEnableSSHCA,
|
||||||
}
|
}
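Review bot: `defaultEnableSSHCA = false` makes the global default "SSH disabled", so after this change every provisioner that does not explicitly set `enableSSHCA` (and every authority config that does not override the global claim) stops issuing SSH certificates, which is a silent behaviour change for deployments where SSH signing already worked. If that is intended as fail-closed, say so in the commit description and in the claim's documentation; if not, the default should presumably be derived from whether SSH signing keys are configured, which this diff does not show. At minimum a comment on the new var would help: `// defaultEnableSSHCA disables SSH signing unless a provisioner or the authority opts in.`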
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -275,6 +275,9 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
|
|
||||||
// Check for the sign ssh method, default to sign X.509
|
// Check for the sign ssh method, default to sign X.509
|
||||||
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
||||||
|
if p.claimer.IsSSHCAEnabled() == false {
|
||||||
|
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", p.GetID())
|
||||||
|
}
|
||||||
return p.authorizeSSHSign(payload)
|
return p.authorizeSSHSign(payload)
|
||||||
}
|
}
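Review bot: `if p.claimer.IsSSHCAEnabled() == false {` compares a boolean against a literal; idiomatic Go (and what staticcheck's gosimple flags) is `if !p.claimer.IsSSHCAEnabled() {`. The same form is pasted into the Azure, GCP, JWK and OIDC hunks, so it is worth fixing in all five. AuthorizeSign starts before and continues after this hunk.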
|
||||||
|
|
||||||
|
|
|
@ -267,6 +267,9 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
||||||
|
|
||||||
// Check for the sign ssh method, default to sign X.509
|
// Check for the sign ssh method, default to sign X.509
|
||||||
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
||||||
|
if p.claimer.IsSSHCAEnabled() == false {
|
||||||
|
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", p.GetID())
|
||||||
|
}
|
||||||
return p.authorizeSSHSign(claims, name)
|
return p.authorizeSSHSign(claims, name)
|
||||||
}
|
}
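Review bot: The three-line "ssh ca is disabled" guard is now duplicated verbatim in five provisioners, and a future provisioner that gains SSH support has to remember to add it or the per-provisioner flag silently does not apply to it. Since the decision only depends on the claimer and the provisioner ID, a small shared helper such as `func (c *Claimer) checkSSHCAEnabled(id string) error` (or a check in the authority before dispatching to the provisioner, if that call site can distinguish the SSH method — it is not in this diff) would keep the gate in one place. Note the JWK variant keys off the token payload rather than `MethodFromContext`, so a central check must preserve that difference. AuthorizeSign starts before and continues after this hunk.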
|
||||||
|
|
||||||
|
|
|
@ -20,6 +20,7 @@ type Claims struct {
|
||||||
MinHostSSHDur *Duration `json:"minHostSSHCertDuration,omitempty"`
|
MinHostSSHDur *Duration `json:"minHostSSHCertDuration,omitempty"`
|
||||||
MaxHostSSHDur *Duration `json:"maxHostSSHCertDuration,omitempty"`
|
MaxHostSSHDur *Duration `json:"maxHostSSHCertDuration,omitempty"`
|
||||||
DefaultHostSSHDur *Duration `json:"defaultHostSSHCertDuration,omitempty"`
|
DefaultHostSSHDur *Duration `json:"defaultHostSSHCertDuration,omitempty"`
|
||||||
|
EnableSSHCA *bool `json:"enableSSHCA,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Claimer is the type that controls claims. It provides an interface around the
|
// Claimer is the type that controls claims. It provides an interface around the
|
||||||
|
@ -38,6 +39,7 @@ func NewClaimer(claims *Claims, global Claims) (*Claimer, error) {
|
||||||
// Claims returns the merge of the inner and global claims.
|
// Claims returns the merge of the inner and global claims.
|
||||||
func (c *Claimer) Claims() Claims {
|
func (c *Claimer) Claims() Claims {
|
||||||
disableRenewal := c.IsDisableRenewal()
|
disableRenewal := c.IsDisableRenewal()
|
||||||
|
enableSSHCA := c.IsSSHCAEnabled()
|
||||||
return Claims{
|
return Claims{
|
||||||
MinTLSDur: &Duration{c.MinTLSCertDuration()},
|
MinTLSDur: &Duration{c.MinTLSCertDuration()},
|
||||||
MaxTLSDur: &Duration{c.MaxTLSCertDuration()},
|
MaxTLSDur: &Duration{c.MaxTLSCertDuration()},
|
||||||
|
@ -49,6 +51,7 @@ func (c *Claimer) Claims() Claims {
|
||||||
MinHostSSHDur: &Duration{c.MinHostSSHCertDuration()},
|
MinHostSSHDur: &Duration{c.MinHostSSHCertDuration()},
|
||||||
MaxHostSSHDur: &Duration{c.MaxHostSSHCertDuration()},
|
MaxHostSSHDur: &Duration{c.MaxHostSSHCertDuration()},
|
||||||
DefaultHostSSHDur: &Duration{c.DefaultHostSSHCertDuration()},
|
DefaultHostSSHDur: &Duration{c.DefaultHostSSHCertDuration()},
|
||||||
|
EnableSSHCA: &enableSSHCA,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -152,6 +155,16 @@ func (c *Claimer) MaxHostSSHCertDuration() time.Duration {
|
||||||
return c.claims.MaxHostSSHDur.Duration
|
return c.claims.MaxHostSSHDur.Duration
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsSSHCAEnabled returns if the SSH CA is enabled for the provisioner. If the
|
||||||
|
// property is not set within the provisioner, then the global value from the
|
||||||
|
// authority configuration will be used.
|
||||||
|
func (c *Claimer) IsSSHCAEnabled() bool {
|
||||||
|
if c.claims == nil || c.claims.EnableSSHCA == nil {
|
||||||
|
return *c.global.EnableSSHCA
|
||||||
|
}
|
||||||
|
return *c.claims.EnableSSHCA
|
||||||
|
}
|
||||||
|
|
||||||
// Validate validates and modifies the Claims with default values.
|
// Validate validates and modifies the Claims with default values.
|
||||||
func (c *Claimer) Validate() error {
|
func (c *Claimer) Validate() error {
|
||||||
var (
|
var (
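Review bot: `IsSSHCAEnabled` dereferences `*c.global.EnableSSHCA` unconditionally, so any caller of `NewClaimer` that passes a global `Claims` without `EnableSSHCA` set (tests, or an authority that does not go through `globalProvisionerClaims`) panics the first time SSH signing is attempted, and `Claims()` now hits the same path via `enableSSHCA := c.IsSSHCAEnabled()`. The other getters in this file appear to rely on `Validate` filling defaults, but nothing in this diff adds `EnableSSHCA` to `Validate`, so the safe fix is to fall back to disabled when neither value is present, which is also the fail-closed answer for a security flag. The new `EnableSSHCA` field on `Claims` also has no doc comment; something like `// EnableSSHCA allows this provisioner to sign SSH certificates; nil defers to the authority's global claim.` would help. I'd rewrite the method as:

```go
// IsSSHCAEnabled returns if the SSH CA is enabled for the provisioner. If the
// property is not set within the provisioner, then the global value from the
// authority configuration will be used. If neither is set, SSH signing is
// treated as disabled rather than dereferencing a nil pointer.
func (c *Claimer) IsSSHCAEnabled() bool {
	if c.claims != nil && c.claims.EnableSSHCA != nil {
		return *c.claims.EnableSSHCA
	}
	if c.global.EnableSSHCA != nil {
		return *c.global.EnableSSHCA
	}
	return false
}
```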
|
||||||
|
|
|
@ -214,6 +214,9 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
|
|
||||||
// Check for the sign ssh method, default to sign X.509
|
// Check for the sign ssh method, default to sign X.509
|
||||||
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
||||||
|
if p.claimer.IsSSHCAEnabled() == false {
|
||||||
|
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", p.GetID())
|
||||||
|
}
|
||||||
return p.authorizeSSHSign(claims)
|
return p.authorizeSSHSign(claims)
|
||||||
}
|
}
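Review bot: The new gate runs only after the token has already been parsed and validated (the hunk starts at line 214 of AuthorizeSign), so a client hitting a provisioner with SSH disabled still pays for the full GCP identity-token verification before being refused. `MethodFromContext(ctx)` is available at function entry, so for the method-based provisioners (AWS, Azure, GCP, OIDC) the check could be hoisted to the top of AuthorizeSign: `if MethodFromContext(ctx) == SignSSHMethod && !p.claimer.IsSSHCAEnabled() { return nil, errors.Errorf("ssh ca is disabled for provisioner %s", p.GetID()) }`. That fails closed earlier and keeps the hot path for X.509 signing untouched. AuthorizeSign starts before and continues after this hunk.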
|
||||||
|
|
||||||
|
|
|
@ -143,6 +143,9 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
|
|
||||||
// Check for SSH token
|
// Check for SSH token
|
||||||
if claims.Step != nil && claims.Step.SSH != nil {
|
if claims.Step != nil && claims.Step.SSH != nil {
|
||||||
|
if p.claimer.IsSSHCAEnabled() == false {
|
||||||
|
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", p.GetID())
|
||||||
|
}
|
||||||
return p.authorizeSSHSign(claims)
|
return p.authorizeSSHSign(claims)
|
||||||
}
|
}
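Review bot: Unlike the other provisioners, this guard keys off the token payload (`claims.Step.SSH != nil`) rather than `MethodFromContext`, so a JWK token carrying an SSH section is rejected outright when the SSH CA is disabled instead of falling through to X.509 signing. That is the right call — the original code never let such a token reach the X.509 path either — but the asymmetry with the other hunks is easy to misread as a bug, so a one-line comment would help: `// An SSH token is never usable for X.509, so refuse it outright when SSH is off.` AuthorizeSign starts before and continues after this hunk.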
|
||||||
|
|
||||||
|
|
|
@ -268,6 +268,9 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
|
||||||
|
|
||||||
// Check for the sign ssh method, default to sign X.509
|
// Check for the sign ssh method, default to sign X.509
|
||||||
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
||||||
|
if o.claimer.IsSSHCAEnabled() == false {
|
||||||
|
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", o.GetID())
|
||||||
|
}
|
||||||
return o.authorizeSSHSign(claims)
|
return o.authorizeSSHSign(claims)
|
||||||
}
|
}
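Review bot: This commit gates only `AuthorizeSign`; if the provisioners also authorize other SSH operations (renewal, rekeying or revocation of SSH certificates, host-config endpoints), those paths are not in this diff and would remain reachable with `enableSSHCA` set to false. Worth confirming what other SSH entry points exist and either gating them with the same `IsSSHCAEnabled` check or documenting on the claim that it only controls issuance. AuthorizeSign starts before and continues after this hunk.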
|
||||||
|
|
||||||
|
|