Add initial template support for iid provisisioners.

This commit is contained in:
Mariano Cano 2020-07-29 18:05:35 -07:00
parent 8e7bf96769
commit 6c36ceb158
3 changed files with 111 additions and 78 deletions

View file

@ -17,6 +17,7 @@ import (
"github.com/pkg/errors"
"github.com/smallstep/certificates/errs"
"github.com/smallstep/certificates/sshutil"
"github.com/smallstep/certificates/x509util"
"github.com/smallstep/cli/jose"
)
@ -134,6 +135,7 @@ type AWS struct {
InstanceAge Duration `json:"instanceAge,omitempty"`
Claims *Claims `json:"claims,omitempty"`
Options *Options `json:"options,omitempty"`
SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
claimer *Claimer
config *awsConfig
audiences Audiences
@ -468,34 +470,42 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
doc := claims.document
signOptions := []SignOption{
// set the key id to the instance id
sshCertKeyIDModifier(doc.InstanceID),
}
// Only enforce known principals if disable custom sans is true.
var principals []string
if p.DisableCustomSANs {
principals = []string{
// Validated principals.
principals := []string{
doc.PrivateIP,
fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region),
}
}
// Default to cert type to host
defaults := SignSSHOptions{
CertType: SSHHostCert,
Principals: principals,
}
defaultTemplate := sshutil.DefaultIIDCertificate
// Only enforce known principals if disable custom sans is true.
if p.DisableCustomSANs {
defaults.Principals = principals
defaultTemplate = sshutil.DefaultCertificate
}
// Validate user options
signOptions = append(signOptions, sshCertOptionsValidator(defaults))
// Set defaults if not given as user options
signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
signOptions := []SignOption{
sshCertOptionsValidator(defaults),
}
// Certificate templates.
data := sshutil.CreateTemplateData(sshutil.HostCert, doc.InstanceID, principals)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSSHSign")
}
signOptions = append(signOptions, templateOptions)
return append(signOptions,
// Set the default extensions.
&sshDefaultExtensionModifier{},
// Set the validity bounds if not set.
&sshDefaultDuration{p.claimer},
// Validate public key

View file

@ -14,6 +14,7 @@ import (
"github.com/pkg/errors"
"github.com/smallstep/certificates/errs"
"github.com/smallstep/certificates/sshutil"
"github.com/smallstep/certificates/x509util"
"github.com/smallstep/cli/jose"
)
@ -92,6 +93,7 @@ type Azure struct {
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
Claims *Claims `json:"claims,omitempty"`
Options *Options `json:"options,omitempty"`
SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
claimer *Claimer
config *azureConfig
oidcConfig openIDConfiguration
@ -338,30 +340,40 @@ func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
}
signOptions := []SignOption{
// set the key id to the instance name
sshCertKeyIDModifier(name),
}
// Only enforce known principals if disable custom sans is true.
var principals []string
if p.DisableCustomSANs {
principals = []string{name}
}
// Validated principals
principals := []string{name}
// Default to host + known hostnames
// Default options and template
defaults := SignSSHOptions{
CertType: SSHHostCert,
Principals: principals,
}
defaultTemplate := sshutil.DefaultIIDCertificate
// Only enforce known principals if disable custom sans is true.
if p.DisableCustomSANs {
defaults.Principals = principals
defaultTemplate = sshutil.DefaultCertificate
}
// Validate user options
signOptions = append(signOptions, sshCertOptionsValidator(defaults))
// Set defaults if not given as user options
signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
signOptions := []SignOption{
sshCertOptionsValidator(defaults),
}
// Certificate templates.
data := sshutil.CreateTemplateData(sshutil.HostCert, name, principals)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
}
signOptions = append(signOptions, templateOptions)
return append(signOptions,
// Set the default extensions.
&sshDefaultExtensionModifier{},
// Set the validity bounds if not set.
&sshDefaultDuration{p.claimer},
// Validate public key

View file

@ -15,6 +15,7 @@ import (
"github.com/pkg/errors"
"github.com/smallstep/certificates/errs"
"github.com/smallstep/certificates/sshutil"
"github.com/smallstep/certificates/x509util"
"github.com/smallstep/cli/jose"
)
@ -86,6 +87,7 @@ type GCP struct {
InstanceAge Duration `json:"instanceAge,omitempty"`
Claims *Claims `json:"claims,omitempty"`
Options *Options `json:"options,omitempty"`
SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
claimer *Claimer
config *gcpConfig
keyStore *keyStore
@ -379,33 +381,42 @@ func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
ce := claims.Google.ComputeEngine
signOptions := []SignOption{
// set the key id to the instance name
sshCertKeyIDModifier(ce.InstanceName),
}
// Only enforce known principals if disable custom sans is true.
var principals []string
if p.DisableCustomSANs {
principals = []string{
// Validated principals
principals := []string{
fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
}
}
// Default to host + known hostnames
// Default options and template
defaults := SignSSHOptions{
CertType: SSHHostCert,
Principals: principals,
}
defaultTemplate := sshutil.DefaultIIDCertificate
// Only enforce known principals if disable custom sans is true.
if p.DisableCustomSANs {
defaults.Principals = principals
defaultTemplate = sshutil.DefaultCertificate
}
// Validate user options
signOptions = append(signOptions, sshCertOptionsValidator(defaults))
// Set defaults if not given as user options
signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
signOptions := []SignOption{
sshCertOptionsValidator(defaults),
}
// Certificate templates.
data := sshutil.CreateTemplateData(sshutil.HostCert, ce.InstanceName, principals)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSSHSign")
}
signOptions = append(signOptions, templateOptions)
return append(signOptions,
// Set the default extensions
&sshDefaultExtensionModifier{},
// Set the validity bounds if not set.
&sshDefaultDuration{p.claimer},
// Validate public key