allow missing Email claim in OIDC tokens, use subject when its missing

Raal Goff 2022-09-05 12:43:32 +08:00
parent d718c69ad3
commit 7a03c43fe2


@ -376,11 +376,23 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
if err != nil { if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign") return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign")
} }
// Enforce an email claim
if claims.Email == "" { if claims.Subject == "" {
return nil, errs.Unauthorized("oidc.AuthorizeSSHSign: failed to validate oidc token payload: email not found") return nil, errs.Unauthorized("oidc.AuthorizeSSHSign: failed to validate oidc token payload: subject not found")
} }
var data sshutil.TemplateData
var principals []string
if claims.Email == "" {
// If email is empty, use the Subject claim instead to create minimal data for the template to use
data = sshutil.CreateTemplateData(sshutil.UserCert, claims.Subject, nil)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
principals = nil
} else {
// Get the identity using either the default identityFunc or one injected // Get the identity using either the default identityFunc or one injected
// externally. Note that the PreferredUsername might be empty. // externally. Note that the PreferredUsername might be empty.
// TBD: Would preferred_username present a safety issue here? // TBD: Would preferred_username present a safety issue here?
@ -390,7 +402,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
} }
// Certificate templates. // Certificate templates.
data := sshutil.CreateTemplateData(sshutil.UserCert, claims.Email, iden.Usernames) data = sshutil.CreateTemplateData(sshutil.UserCert, claims.Email, iden.Usernames)
if v, err := unsafeParseSigned(token); err == nil { if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v) data.SetToken(v)
} }
@ -403,6 +415,9 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
data.AddCriticalOption(k, v) data.AddCriticalOption(k, v)
} }
principals = iden.Usernames
}
// Use the default template unless no-templates are configured and email is // Use the default template unless no-templates are configured and email is
// an admin, in that case we will use the parameters in the request. // an admin, in that case we will use the parameters in the request.
isAdmin := claims.IsAdmin(o.Admins) isAdmin := claims.IsAdmin(o.Admins)
@ -429,7 +444,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
} else { } else {
signOptions = append(signOptions, sshCertOptionsValidator(SignSSHOptions{ signOptions = append(signOptions, sshCertOptionsValidator(SignSSHOptions{
CertType: SSHUserCert, CertType: SSHUserCert,
Principals: iden.Usernames, Principals: principals,
})) }))
} }
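Review bot: The new `if claims.Email == ""` branch issues a certificate with `principals = nil` and a key ID built from the raw `claims.Subject`, and that nil slice is what now reaches `sshCertOptionsValidator(SignSSHOptions{... Principals: principals})` in the last hunk; whether an empty principal list there means "no principals permitted" or "any requested principals accepted" is not visible in this commit and decides whether an email-less token may request arbitrary principals, so it should be pinned with a test case for a subject-only token. The fallback also bypasses the identity-function `else` path entirely, so the username derivation (and, presumably, any checks that function enforces) no longer runs for tokens that simply omit `email`; the doc comment of AuthorizeSSHSign, which starts outside the hunk, should state this. The comment `// Enforce an email claim` now sits above a check on `claims.Subject`; suggest `// Enforce a subject claim; email is optional and handled below`. Since `sub` is only unique per issuer, using it as the key ID is sound only because the issuer is fixed by the provisioner configuration — worth a one-line comment next to the `sshutil.CreateTemplateData(sshutil.UserCert, claims.Subject, nil)` call.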