forked from TrueCloudLab/certificates
Add initial template support for iid provisisioners.
This commit is contained in:
parent
8e7bf96769
commit
6c36ceb158
3 changed files with 111 additions and 78 deletions
|
@ -17,6 +17,7 @@ import (
|
|||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/certificates/errs"
|
||||
"github.com/smallstep/certificates/sshutil"
|
||||
"github.com/smallstep/certificates/x509util"
|
||||
"github.com/smallstep/cli/jose"
|
||||
)
|
||||
|
@ -134,6 +135,7 @@ type AWS struct {
|
|||
InstanceAge Duration `json:"instanceAge,omitempty"`
|
||||
Claims *Claims `json:"claims,omitempty"`
|
||||
Options *Options `json:"options,omitempty"`
|
||||
SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
|
||||
claimer *Claimer
|
||||
config *awsConfig
|
||||
audiences Audiences
|
||||
|
@ -468,34 +470,42 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
|
|||
|
||||
doc := claims.document
|
||||
|
||||
signOptions := []SignOption{
|
||||
// set the key id to the instance id
|
||||
sshCertKeyIDModifier(doc.InstanceID),
|
||||
}
|
||||
|
||||
// Only enforce known principals if disable custom sans is true.
|
||||
var principals []string
|
||||
if p.DisableCustomSANs {
|
||||
principals = []string{
|
||||
// Validated principals.
|
||||
principals := []string{
|
||||
doc.PrivateIP,
|
||||
fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region),
|
||||
}
|
||||
}
|
||||
|
||||
// Default to cert type to host
|
||||
defaults := SignSSHOptions{
|
||||
CertType: SSHHostCert,
|
||||
Principals: principals,
|
||||
}
|
||||
defaultTemplate := sshutil.DefaultIIDCertificate
|
||||
|
||||
// Only enforce known principals if disable custom sans is true.
|
||||
if p.DisableCustomSANs {
|
||||
defaults.Principals = principals
|
||||
defaultTemplate = sshutil.DefaultCertificate
|
||||
}
|
||||
|
||||
// Validate user options
|
||||
signOptions = append(signOptions, sshCertOptionsValidator(defaults))
|
||||
// Set defaults if not given as user options
|
||||
signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
|
||||
signOptions := []SignOption{
|
||||
sshCertOptionsValidator(defaults),
|
||||
}
|
||||
|
||||
// Certificate templates.
|
||||
data := sshutil.CreateTemplateData(sshutil.HostCert, doc.InstanceID, principals)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
|
||||
if err != nil {
|
||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSSHSign")
|
||||
}
|
||||
signOptions = append(signOptions, templateOptions)
|
||||
|
||||
return append(signOptions,
|
||||
// Set the default extensions.
|
||||
&sshDefaultExtensionModifier{},
|
||||
// Set the validity bounds if not set.
|
||||
&sshDefaultDuration{p.claimer},
|
||||
// Validate public key
|
||||
|
|
|
@ -14,6 +14,7 @@ import (
|
|||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/certificates/errs"
|
||||
"github.com/smallstep/certificates/sshutil"
|
||||
"github.com/smallstep/certificates/x509util"
|
||||
"github.com/smallstep/cli/jose"
|
||||
)
|
||||
|
@ -92,6 +93,7 @@ type Azure struct {
|
|||
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
|
||||
Claims *Claims `json:"claims,omitempty"`
|
||||
Options *Options `json:"options,omitempty"`
|
||||
SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
|
||||
claimer *Claimer
|
||||
config *azureConfig
|
||||
oidcConfig openIDConfiguration
|
||||
|
@ -338,30 +340,40 @@ func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
|
|||
if err != nil {
|
||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
|
||||
}
|
||||
signOptions := []SignOption{
|
||||
// set the key id to the instance name
|
||||
sshCertKeyIDModifier(name),
|
||||
}
|
||||
|
||||
// Only enforce known principals if disable custom sans is true.
|
||||
var principals []string
|
||||
if p.DisableCustomSANs {
|
||||
principals = []string{name}
|
||||
}
|
||||
// Validated principals
|
||||
principals := []string{name}
|
||||
|
||||
// Default to host + known hostnames
|
||||
// Default options and template
|
||||
defaults := SignSSHOptions{
|
||||
CertType: SSHHostCert,
|
||||
Principals: principals,
|
||||
}
|
||||
defaultTemplate := sshutil.DefaultIIDCertificate
|
||||
|
||||
// Only enforce known principals if disable custom sans is true.
|
||||
if p.DisableCustomSANs {
|
||||
defaults.Principals = principals
|
||||
defaultTemplate = sshutil.DefaultCertificate
|
||||
}
|
||||
|
||||
// Validate user options
|
||||
signOptions = append(signOptions, sshCertOptionsValidator(defaults))
|
||||
// Set defaults if not given as user options
|
||||
signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
|
||||
signOptions := []SignOption{
|
||||
sshCertOptionsValidator(defaults),
|
||||
}
|
||||
|
||||
// Certificate templates.
|
||||
data := sshutil.CreateTemplateData(sshutil.HostCert, name, principals)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
|
||||
if err != nil {
|
||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
|
||||
}
|
||||
signOptions = append(signOptions, templateOptions)
|
||||
|
||||
return append(signOptions,
|
||||
// Set the default extensions.
|
||||
&sshDefaultExtensionModifier{},
|
||||
// Set the validity bounds if not set.
|
||||
&sshDefaultDuration{p.claimer},
|
||||
// Validate public key
|
||||
|
|
|
@ -15,6 +15,7 @@ import (
|
|||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/certificates/errs"
|
||||
"github.com/smallstep/certificates/sshutil"
|
||||
"github.com/smallstep/certificates/x509util"
|
||||
"github.com/smallstep/cli/jose"
|
||||
)
|
||||
|
@ -86,6 +87,7 @@ type GCP struct {
|
|||
InstanceAge Duration `json:"instanceAge,omitempty"`
|
||||
Claims *Claims `json:"claims,omitempty"`
|
||||
Options *Options `json:"options,omitempty"`
|
||||
SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
|
||||
claimer *Claimer
|
||||
config *gcpConfig
|
||||
keyStore *keyStore
|
||||
|
@ -379,33 +381,42 @@ func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
|
|||
|
||||
ce := claims.Google.ComputeEngine
|
||||
|
||||
signOptions := []SignOption{
|
||||
// set the key id to the instance name
|
||||
sshCertKeyIDModifier(ce.InstanceName),
|
||||
}
|
||||
|
||||
// Only enforce known principals if disable custom sans is true.
|
||||
var principals []string
|
||||
if p.DisableCustomSANs {
|
||||
principals = []string{
|
||||
// Validated principals
|
||||
principals := []string{
|
||||
fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
|
||||
fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
|
||||
}
|
||||
}
|
||||
|
||||
// Default to host + known hostnames
|
||||
// Default options and template
|
||||
defaults := SignSSHOptions{
|
||||
CertType: SSHHostCert,
|
||||
Principals: principals,
|
||||
}
|
||||
defaultTemplate := sshutil.DefaultIIDCertificate
|
||||
|
||||
// Only enforce known principals if disable custom sans is true.
|
||||
if p.DisableCustomSANs {
|
||||
defaults.Principals = principals
|
||||
defaultTemplate = sshutil.DefaultCertificate
|
||||
}
|
||||
|
||||
// Validate user options
|
||||
signOptions = append(signOptions, sshCertOptionsValidator(defaults))
|
||||
// Set defaults if not given as user options
|
||||
signOptions = append(signOptions, sshCertDefaultsModifier(defaults))
|
||||
signOptions := []SignOption{
|
||||
sshCertOptionsValidator(defaults),
|
||||
}
|
||||
|
||||
// Certificate templates.
|
||||
data := sshutil.CreateTemplateData(sshutil.HostCert, ce.InstanceName, principals)
|
||||
if v, err := unsafeParseSigned(token); err == nil {
|
||||
data.SetToken(v)
|
||||
}
|
||||
|
||||
templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
|
||||
if err != nil {
|
||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSSHSign")
|
||||
}
|
||||
signOptions = append(signOptions, templateOptions)
|
||||
|
||||
return append(signOptions,
|
||||
// Set the default extensions
|
||||
&sshDefaultExtensionModifier{},
|
||||
// Set the validity bounds if not set.
|
||||
&sshDefaultDuration{p.claimer},
|
||||
// Validate public key
|
||||
|
|
Loading…
Reference in a new issue