forked from TrueCloudLab/certificates
Allow to enable the SSH CA per provisioner
This commit is contained in:
Mariano Cano
parent
e71072d389
commit
57a529cc1a
7 changed files with 30 additions and 0 deletions
|
|
@ -28,6 +28,7 @@ var (
|
|||
Renegotiation: false,
|
||||
}
|
||||
defaultDisableRenewal = false
|
||||
defaultEnableSSHCA = false
|
||||
globalProvisionerClaims = provisioner.Claims{
|
||||
MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
|
||||
MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour},
|
||||
|
|
@ -39,6 +40,7 @@ var (
|
|||
MinHostSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
|
||||
MaxHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
||||
DefaultHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
||||
EnableSSHCA: &defaultEnableSSHCA,
|
||||
}
|
||||
)
|
||||
|
||||
|
|
|
|||
|
|
@ -275,6 +275,9 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
|||
|
||||
// Check for the sign ssh method, default to sign X.509
|
||||
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
||||
if p.claimer.IsSSHCAEnabled() == false {
|
||||
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", p.GetID())
|
||||
}
|
||||
return p.authorizeSSHSign(payload)
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -267,6 +267,9 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
|||
|
||||
// Check for the sign ssh method, default to sign X.509
|
||||
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
||||
if p.claimer.IsSSHCAEnabled() == false {
|
||||
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", p.GetID())
|
||||
}
|
||||
return p.authorizeSSHSign(claims, name)
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ type Claims struct {
|
|||
MinHostSSHDur *Duration `json:"minHostSSHCertDuration,omitempty"`
|
||||
MaxHostSSHDur *Duration `json:"maxHostSSHCertDuration,omitempty"`
|
||||
DefaultHostSSHDur *Duration `json:"defaultHostSSHCertDuration,omitempty"`
|
||||
EnableSSHCA *bool `json:"enableSSHCA,omitempty"`
|
||||
}
|
||||
|
||||
// Claimer is the type that controls claims. It provides an interface around the
|
||||
|
|
@ -38,6 +39,7 @@ func NewClaimer(claims *Claims, global Claims) (*Claimer, error) {
|
|||
// Claims returns the merge of the inner and global claims.
|
||||
func (c *Claimer) Claims() Claims {
|
||||
disableRenewal := c.IsDisableRenewal()
|
||||
enableSSHCA := c.IsSSHCAEnabled()
|
||||
return Claims{
|
||||
MinTLSDur: &Duration{c.MinTLSCertDuration()},
|
||||
MaxTLSDur: &Duration{c.MaxTLSCertDuration()},
|
||||
|
|
@ -49,6 +51,7 @@ func (c *Claimer) Claims() Claims {
|
|||
MinHostSSHDur: &Duration{c.MinHostSSHCertDuration()},
|
||||
MaxHostSSHDur: &Duration{c.MaxHostSSHCertDuration()},
|
||||
DefaultHostSSHDur: &Duration{c.DefaultHostSSHCertDuration()},
|
||||
EnableSSHCA: &enableSSHCA,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -152,6 +155,16 @@ func (c *Claimer) MaxHostSSHCertDuration() time.Duration {
|
|||
return c.claims.MaxHostSSHDur.Duration
|
||||
}
|
||||
|
||||
// IsSSHCAEnabled returns if the SSH CA is enabled for the provisioner. If the
|
||||
// property is not set within the provisioner, then the global value from the
|
||||
// authority configuration will be used.
|
||||
func (c *Claimer) IsSSHCAEnabled() bool {
|
||||
if c.claims == nil || c.claims.EnableSSHCA == nil {
|
||||
return *c.global.EnableSSHCA
|
||||
}
|
||||
return *c.claims.EnableSSHCA
|
||||
}
|
||||
|
||||
// Validate validates and modifies the Claims with default values.
|
||||
func (c *Claimer) Validate() error {
|
||||
var (
|
||||
|
|
|
|||
|
|
@ -214,6 +214,9 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
|||
|
||||
// Check for the sign ssh method, default to sign X.509
|
||||
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
||||
if p.claimer.IsSSHCAEnabled() == false {
|
||||
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", p.GetID())
|
||||
}
|
||||
return p.authorizeSSHSign(claims)
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -143,6 +143,9 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
|||
|
||||
// Check for SSH token
|
||||
if claims.Step != nil && claims.Step.SSH != nil {
|
||||
if p.claimer.IsSSHCAEnabled() == false {
|
||||
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", p.GetID())
|
||||
}
|
||||
return p.authorizeSSHSign(claims)
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -268,6 +268,9 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
|
|||
|
||||
// Check for the sign ssh method, default to sign X.509
|
||||
if m := MethodFromContext(ctx); m == SignSSHMethod {
|
||||
if o.claimer.IsSSHCAEnabled() == false {
|
||||
return nil, errors.Errorf("ssh ca is disabled for provisioner %s", o.GetID())
|
||||
}
|
||||
return o.authorizeSSHSign(claims)
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue