Add initial template support for iid provisisioners.

2020-07-29 18:05:35 -07:00 · 2020-07-29 18:05:35 -07:00 · 6c36ceb158
commit 6c36ceb158
parent 8e7bf96769
3 changed files with 111 additions and 78 deletions
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@ -17,6 +17,7 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/sshutil"
 	"github.com/smallstep/certificates/x509util"
 	"github.com/smallstep/cli/jose"
 )
@ -126,14 +127,15 @@ type awsInstanceIdentityDocument struct {
 // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
 type AWS struct {
 	*base
-	Type                   string   `json:"type"`
-	Name                   string   `json:"name"`
-	Accounts               []string `json:"accounts"`
-	DisableCustomSANs      bool     `json:"disableCustomSANs"`
-	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
-	InstanceAge            Duration `json:"instanceAge,omitempty"`
-	Claims                 *Claims  `json:"claims,omitempty"`
-	Options                *Options `json:"options,omitempty"`
+	Type                   string      `json:"type"`
+	Name                   string      `json:"name"`
+	Accounts               []string    `json:"accounts"`
+	DisableCustomSANs      bool        `json:"disableCustomSANs"`
+	DisableTrustOnFirstUse bool        `json:"disableTrustOnFirstUse"`
+	InstanceAge            Duration    `json:"instanceAge,omitempty"`
+	Claims                 *Claims     `json:"claims,omitempty"`
+	Options                *Options    `json:"options,omitempty"`
+	SSHOptions             *SSHOptions `json:"sshOptions,omitempty"`
 	claimer                *Claimer
 	config                 *awsConfig
 	audiences              Audiences
@ -468,34 +470,42 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,

 	doc := claims.document

-	signOptions := []SignOption{
-		// set the key id to the instance id
-		sshCertKeyIDModifier(doc.InstanceID),
-	}
-
-	// Only enforce known principals if disable custom sans is true.
-	var principals []string
-	if p.DisableCustomSANs {
-		principals = []string{
-			doc.PrivateIP,
-			fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region),
-		}
+	// Validated principals.
+	principals := []string{
+		doc.PrivateIP,
+		fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region),
 	}

 	// Default to cert type to host
 	defaults := SignSSHOptions{
-		CertType:   SSHHostCert,
-		Principals: principals,
+		CertType: SSHHostCert,
+	}
+	defaultTemplate := sshutil.DefaultIIDCertificate
+
+	// Only enforce known principals if disable custom sans is true.
+	if p.DisableCustomSANs {
+		defaults.Principals = principals
+		defaultTemplate = sshutil.DefaultCertificate
 	}

 	// Validate user options
-	signOptions = append(signOptions, sshCertOptionsValidator(defaults))
-	// Set defaults if not given as user options
-	signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
+	signOptions := []SignOption{
+		sshCertOptionsValidator(defaults),
+	}
+
+	// Certificate templates.
+	data := sshutil.CreateTemplateData(sshutil.HostCert, doc.InstanceID, principals)
+	if v, err := unsafeParseSigned(token); err == nil {
+		data.SetToken(v)
+	}
+
+	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
+	if err != nil {
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSSHSign")
+	}
+	signOptions = append(signOptions, templateOptions)

 	return append(signOptions,
-		// Set the default extensions.
-		&sshDefaultExtensionModifier{},
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
 		// Validate public key
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@ -14,6 +14,7 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/sshutil"
 	"github.com/smallstep/certificates/x509util"
 	"github.com/smallstep/cli/jose"
 )
@ -83,15 +84,16 @@ type azurePayload struct {
 // and https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
 type Azure struct {
 	*base
-	Type                   string   `json:"type"`
-	Name                   string   `json:"name"`
-	TenantID               string   `json:"tenantID"`
-	ResourceGroups         []string `json:"resourceGroups"`
-	Audience               string   `json:"audience,omitempty"`
-	DisableCustomSANs      bool     `json:"disableCustomSANs"`
-	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
-	Claims                 *Claims  `json:"claims,omitempty"`
-	Options                *Options `json:"options,omitempty"`
+	Type                   string      `json:"type"`
+	Name                   string      `json:"name"`
+	TenantID               string      `json:"tenantID"`
+	ResourceGroups         []string    `json:"resourceGroups"`
+	Audience               string      `json:"audience,omitempty"`
+	DisableCustomSANs      bool        `json:"disableCustomSANs"`
+	DisableTrustOnFirstUse bool        `json:"disableTrustOnFirstUse"`
+	Claims                 *Claims     `json:"claims,omitempty"`
+	Options                *Options    `json:"options,omitempty"`
+	SSHOptions             *SSHOptions `json:"sshOptions,omitempty"`
 	claimer                *Claimer
 	config                 *azureConfig
 	oidcConfig             openIDConfiguration
@ -338,30 +340,40 @@ func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
 	}
-	signOptions := []SignOption{
-		// set the key id to the instance name
-		sshCertKeyIDModifier(name),
+
+	// Validated principals
+	principals := []string{name}
+
+	// Default options and template
+	defaults := SignSSHOptions{
+		CertType: SSHHostCert,
 	}
+	defaultTemplate := sshutil.DefaultIIDCertificate

 	// Only enforce known principals if disable custom sans is true.
-	var principals []string
 	if p.DisableCustomSANs {
-		principals = []string{name}
+		defaults.Principals = principals
+		defaultTemplate = sshutil.DefaultCertificate
 	}

-	// Default to host + known hostnames
-	defaults := SignSSHOptions{
-		CertType:   SSHHostCert,
-		Principals: principals,
-	}
 	// Validate user options
-	signOptions = append(signOptions, sshCertOptionsValidator(defaults))
-	// Set defaults if not given as user options
-	signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
+	signOptions := []SignOption{
+		sshCertOptionsValidator(defaults),
+	}
+
+	// Certificate templates.
+	data := sshutil.CreateTemplateData(sshutil.HostCert, name, principals)
+	if v, err := unsafeParseSigned(token); err == nil {
+		data.SetToken(v)
+	}
+
+	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
+	if err != nil {
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
+	}
+	signOptions = append(signOptions, templateOptions)

 	return append(signOptions,
-		// Set the default extensions.
-		&sshDefaultExtensionModifier{},
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
 		// Validate public key
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@ -15,6 +15,7 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/sshutil"
 	"github.com/smallstep/certificates/x509util"
 	"github.com/smallstep/cli/jose"
 )
@ -77,15 +78,16 @@ func newGCPConfig() *gcpConfig {
 // https://cloud.google.com/compute/docs/instances/verifying-instance-identity
 type GCP struct {
 	*base
-	Type                   string   `json:"type"`
-	Name                   string   `json:"name"`
-	ServiceAccounts        []string `json:"serviceAccounts"`
-	ProjectIDs             []string `json:"projectIDs"`
-	DisableCustomSANs      bool     `json:"disableCustomSANs"`
-	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
-	InstanceAge            Duration `json:"instanceAge,omitempty"`
-	Claims                 *Claims  `json:"claims,omitempty"`
-	Options                *Options `json:"options,omitempty"`
+	Type                   string      `json:"type"`
+	Name                   string      `json:"name"`
+	ServiceAccounts        []string    `json:"serviceAccounts"`
+	ProjectIDs             []string    `json:"projectIDs"`
+	DisableCustomSANs      bool        `json:"disableCustomSANs"`
+	DisableTrustOnFirstUse bool        `json:"disableTrustOnFirstUse"`
+	InstanceAge            Duration    `json:"instanceAge,omitempty"`
+	Claims                 *Claims     `json:"claims,omitempty"`
+	Options                *Options    `json:"options,omitempty"`
+	SSHOptions             *SSHOptions `json:"sshOptions,omitempty"`
 	claimer                *Claimer
 	config                 *gcpConfig
 	keyStore               *keyStore
@ -379,33 +381,42 @@ func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,

 	ce := claims.Google.ComputeEngine

-	signOptions := []SignOption{
-		// set the key id to the instance name
-		sshCertKeyIDModifier(ce.InstanceName),
+	// Validated principals
+	principals := []string{
+		fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
+		fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
 	}

+	// Default options and template
+	defaults := SignSSHOptions{
+		CertType: SSHHostCert,
+	}
+	defaultTemplate := sshutil.DefaultIIDCertificate
+
 	// Only enforce known principals if disable custom sans is true.
-	var principals []string
 	if p.DisableCustomSANs {
-		principals = []string{
-			fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
-			fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
-		}
+		defaults.Principals = principals
+		defaultTemplate = sshutil.DefaultCertificate
 	}

-	// Default to host + known hostnames
-	defaults := SignSSHOptions{
-		CertType:   SSHHostCert,
-		Principals: principals,
-	}
 	// Validate user options
-	signOptions = append(signOptions, sshCertOptionsValidator(defaults))
-	// Set defaults if not given as user options
-	signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
+	signOptions := []SignOption{
+		sshCertOptionsValidator(defaults),
+	}
+
+	// Certificate templates.
+	data := sshutil.CreateTemplateData(sshutil.HostCert, ce.InstanceName, principals)
+	if v, err := unsafeParseSigned(token); err == nil {
+		data.SetToken(v)
+	}
+
+	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
+	if err != nil {
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSSHSign")
+	}
+	signOptions = append(signOptions, templateOptions)

 	return append(signOptions,
-		// Set the default extensions
-		&sshDefaultExtensionModifier{},
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
 		// Validate public key