Use only the IID template on IID provisioners.

Use always sshutil.DefaultIIDCertificate and require at least one
principal on IID provisioners.

authority/provisioner/aws.go

@@ -468,6 +468,12 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	doc := claims.document
+	signOptions := []SignOption{}
+
+	// Enforce host certificate.
+	defaults := SignSSHOptions{
+		CertType: SSHHostCert,
+	}
 
 	// Validated principals.
 	principals := []string{
@@ -475,21 +481,14 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region),
 	}
 
-	// Default to cert type to host
-	defaults := SignSSHOptions{
-		CertType: SSHHostCert,
-	}
-	defaultTemplate := sshutil.DefaultIIDCertificate
-
 	// Only enforce known principals if disable custom sans is true.
 	if p.DisableCustomSANs {
 		defaults.Principals = principals
-		defaultTemplate = sshutil.DefaultCertificate
-	}
-
-	// Validate user options
-	signOptions := []SignOption{
-		sshCertOptionsValidator(defaults),
+	} else {
+		// Check that at least one principal is sent in the request.
+		signOptions = append(signOptions, &sshCertOptionsRequireValidator{
+			Principals: true,
+		})
 	}
 
 	// Certificate templates.
@@ -498,13 +497,15 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		data.SetToken(v)
 	}
 
-	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, defaultTemplate)
+	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, sshutil.DefaultIIDCertificate)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSSHSign")
 	}
 	signOptions = append(signOptions, templateOptions)
 
 	return append(signOptions,
+		// Validate user SignSSHOptions.
+		sshCertOptionsValidator(defaults),
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
 		// Validate public key

authority/provisioner/azure.go

@@ -340,24 +340,24 @@ func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
 	}
 
-	// Validated principals
-	principals := []string{name}
+	signOptions := []SignOption{}
 
-	// Default options and template
+	// Enforce host certificate.
 	defaults := SignSSHOptions{
 		CertType: SSHHostCert,
 	}
-	defaultTemplate := sshutil.DefaultIIDCertificate
+
+	// Validated principals.
+	principals := []string{name}
 
 	// Only enforce known principals if disable custom sans is true.
 	if p.DisableCustomSANs {
 		defaults.Principals = principals
-		defaultTemplate = sshutil.DefaultCertificate
-	}
-
-	// Validate user options
-	signOptions := []SignOption{
-		sshCertOptionsValidator(defaults),
+	} else {
+		// Check that at least one principal is sent in the request.
+		signOptions = append(signOptions, &sshCertOptionsRequireValidator{
+			Principals: true,
+		})
 	}
 
 	// Certificate templates.
@@ -366,13 +366,15 @@ func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 		data.SetToken(v)
 	}
 
-	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, defaultTemplate)
+	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, sshutil.DefaultIIDCertificate)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
 	}
 	signOptions = append(signOptions, templateOptions)
 
 	return append(signOptions,
+		// Validate user SignSSHOptions.
+		sshCertOptionsValidator(defaults),
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
 		// Validate public key

authority/provisioner/gcp.go

@@ -379,28 +379,27 @@ func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	ce := claims.Google.ComputeEngine
+	signOptions := []SignOption{}
 
-	// Validated principals
+	// Enforce host certificate.
+	defaults := SignSSHOptions{
+		CertType: SSHHostCert,
+	}
+
+	// Validated principals.
 	principals := []string{
 		fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
 		fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
 	}
 
-	// Default options and template
-	defaults := SignSSHOptions{
-		CertType: SSHHostCert,
-	}
-	defaultTemplate := sshutil.DefaultIIDCertificate
-
 	// Only enforce known principals if disable custom sans is true.
 	if p.DisableCustomSANs {
 		defaults.Principals = principals
-		defaultTemplate = sshutil.DefaultCertificate
-	}
-
-	// Validate user options
-	signOptions := []SignOption{
-		sshCertOptionsValidator(defaults),
+	} else {
+		// Check that at least one principal is sent in the request.
+		signOptions = append(signOptions, &sshCertOptionsRequireValidator{
+			Principals: true,
+		})
 	}
 
 	// Certificate templates.
@@ -409,13 +408,15 @@ func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		data.SetToken(v)
 	}
 
-	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, defaultTemplate)
+	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, sshutil.DefaultIIDCertificate)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSSHSign")
 	}
 	signOptions = append(signOptions, templateOptions)
 
 	return append(signOptions,
+		// Validate user SignSSHOptions.
+		sshCertOptionsValidator(defaults),
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
 		// Validate public key

authority/provisioner/sign_ssh_options.go

@@ -306,7 +306,7 @@ type sshCertOptionsRequireValidator struct {
 	Principals bool
 }
 
-func (v sshCertOptionsRequireValidator) Valid(got SignSSHOptions) error {
+func (v *sshCertOptionsRequireValidator) Valid(got SignSSHOptions) error {
 	switch {
 	case v.CertType && got.CertType == "":
 		return errors.New("ssh certificate certType cannot be empty")