Add SSH host certificate support for GCP provisioner.

2019-07-29 18:17:20 -07:00 · 2019-07-29 18:17:20 -07:00 · b827a59e96
commit b827a59e96
parent 221d323b68
1 changed files with 23 additions and 1 deletions
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@ -353,5 +353,27 @@ func (p *GCP) authorizeToken(token string) (*gcpPayload, error) {

 // authorizeSSHSign returns the list of SignOption for a SignSSH request.
 func (p *GCP) authorizeSSHSign(claims *gcpPayload) ([]SignOption, error) {
-	return nil, nil
+	ce := claims.Google.ComputeEngine
+
+	signOptions := []SignOption{
+		// set the key id to the token subject
+		sshCertificateKeyIDModifier(ce.InstanceName),
+	}
+
+	signOptions = append(signOptions, &sshCertificateOptionsValidator{&SSHOptions{
+		CertType: SSHHostCert,
+		Principals: []string{
+			fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
+			fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
+		},
+	}})
+
+	return append(signOptions,
+		// set the default extensions
+		&sshDefaultExtensionModifier{},
+		// checks the validity bounds, and set the validity if has not been set
+		&sshCertificateValidityModifier{p.claimer},
+		// require all the fields in the SSH certificate
+		&sshCertificateDefaultValidator{},
+	), nil
 }