Add K8sSA SSH user policy back

According to the docs, the K8sSA provisioner can be configured to issue SSH user certs.
2022-04-01 15:37:48 +02:00 · 2022-04-01 15:37:48 +02:00 · d8776d8f7f
commit d8776d8f7f
parent 5f0dc42b1e
2 changed files with 8 additions and 2 deletions
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@ -56,6 +56,7 @@ type K8sSA struct {
 	ctl           *Controller
 	x509Policy    policy.X509Policy
 	sshHostPolicy policy.HostPolicy
+	sshUserPolicy policy.UserPolicy
 }

 // GetID returns the provisioner unique identifier. The name and credential id
@ -148,6 +149,11 @@ func (p *K8sSA) Init(config Config) (err error) {
 		return err
 	}

+	// Initialize the SSH allow/deny policy engine for user certificates
+	if p.sshUserPolicy, err = policy.NewSSHUserPolicyEngine(p.Options.GetSSHOptions()); err != nil {
+		return err
+	}
+
 	// Initialize the SSH allow/deny policy engine for host certificates
 	if p.sshHostPolicy, err = policy.NewSSHHostPolicyEngine(p.Options.GetSSHOptions()); err != nil {
 		return err
@ -298,7 +304,7 @@ func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 		// Require and validate all the default fields in the SSH certificate.
 		&sshCertDefaultValidator{},
 		// Ensure that all principal names are allowed
-		newSSHNamePolicyValidator(p.sshHostPolicy, nil),
+		newSSHNamePolicyValidator(p.sshHostPolicy, p.sshUserPolicy),
 	), nil
 }

--- a/policy/options_test.go
+++ b/policy/options_test.go
@ -135,7 +135,7 @@ func Test_normalizeAndValidateEmailConstraint(t *testing.T) {
 		},
 		{
 			name:       "fail/idna-internationalized-domain",
-			constraint: `mail@xn--bla.local`,
+			constraint: "mail@xn--bla.local",
 			want:       "",
 			wantErr:    true,
 		},