forked from TrueCloudLab/certificates
Set not extensions to host certificates.
This commit is contained in:
parent
48c98dea2a
commit
53f62f871c
3 changed files with 21 additions and 13 deletions
|
@ -179,8 +179,6 @@ func (p *JWK) authorizeSSHSign(claims *jwtPayload) ([]SignOption, error) {
|
|||
signOptions := []SignOption{
|
||||
// validates user's SSHOptions with the ones in the token
|
||||
&sshCertificateOptionsValidator{opts},
|
||||
// set the default extensions
|
||||
&sshDefaultExtensionModifier{},
|
||||
// set the key id to the token subject
|
||||
sshCertificateKeyIDModifier(claims.Subject),
|
||||
}
|
||||
|
@ -200,6 +198,8 @@ func (p *JWK) authorizeSSHSign(claims *jwtPayload) ([]SignOption, error) {
|
|||
}
|
||||
|
||||
return append(signOptions,
|
||||
// set the default extensions
|
||||
&sshDefaultExtensionModifier{},
|
||||
// checks the validity bounds, and set the validity if has not been set
|
||||
&sshCertificateValidityModifier{p.claimer},
|
||||
// require all the fields in the SSH certificate
|
||||
|
|
|
@ -299,8 +299,6 @@ func (o *OIDC) AuthorizeRenewal(cert *x509.Certificate) error {
|
|||
// authorizeSSHSign returns the list of SignOption for a SignSSH request.
|
||||
func (o *OIDC) authorizeSSHSign(claims *openIDPayload) ([]SignOption, error) {
|
||||
signOptions := []SignOption{
|
||||
// set the default extensions
|
||||
&sshDefaultExtensionModifier{},
|
||||
// set the key id to the token subject
|
||||
sshCertificateKeyIDModifier(claims.Email),
|
||||
}
|
||||
|
@ -320,6 +318,8 @@ func (o *OIDC) authorizeSSHSign(claims *openIDPayload) ([]SignOption, error) {
|
|||
}
|
||||
|
||||
return append(signOptions,
|
||||
// set the default extensions
|
||||
&sshDefaultExtensionModifier{},
|
||||
// checks the validity bounds, and set the validity if has not been set
|
||||
&sshCertificateValidityModifier{o.claimer},
|
||||
// require all the fields in the SSH certificate
|
||||
|
|
|
@ -148,15 +148,23 @@ func (m sshCertificateValidBeforeModifier) Modify(cert *ssh.Certificate) error {
|
|||
type sshDefaultExtensionModifier struct{}
|
||||
|
||||
func (m *sshDefaultExtensionModifier) Modify(cert *ssh.Certificate) error {
|
||||
if cert.Extensions == nil {
|
||||
cert.Extensions = make(map[string]string)
|
||||
switch cert.CertType {
|
||||
// Default to no extensions to HostCert
|
||||
case ssh.HostCert:
|
||||
return nil
|
||||
case ssh.UserCert:
|
||||
if cert.Extensions == nil {
|
||||
cert.Extensions = make(map[string]string)
|
||||
}
|
||||
cert.Extensions["permit-X11-forwarding"] = ""
|
||||
cert.Extensions["permit-agent-forwarding"] = ""
|
||||
cert.Extensions["permit-port-forwarding"] = ""
|
||||
cert.Extensions["permit-pty"] = ""
|
||||
cert.Extensions["permit-user-rc"] = ""
|
||||
return nil
|
||||
default:
|
||||
return errors.New("ssh certificate type has not been set or is invalid")
|
||||
}
|
||||
cert.Extensions["permit-X11-forwarding"] = ""
|
||||
cert.Extensions["permit-agent-forwarding"] = ""
|
||||
cert.Extensions["permit-port-forwarding"] = ""
|
||||
cert.Extensions["permit-pty"] = ""
|
||||
cert.Extensions["permit-user-rc"] = ""
|
||||
return nil
|
||||
}
|
||||
|
||||
// sshCertificateValidityModifier is a SSHCertificateModifier checks the
|
||||
|
@ -240,7 +248,7 @@ func (v *sshCertificateDefaultValidator) Valid(crt *ssh.Certificate) error {
|
|||
return errors.New("ssh certificate valid after cannot be 0")
|
||||
case crt.ValidBefore == 0:
|
||||
return errors.New("ssh certificate valid before cannot be 0")
|
||||
case len(crt.Extensions) == 0:
|
||||
case crt.CertType == ssh.UserCert && len(crt.Extensions) == 0:
|
||||
return errors.New("ssh certificate extensions cannot be empty")
|
||||
case crt.SignatureKey == nil:
|
||||
return errors.New("ssh certificate signature key cannot be nil")
|
||||
|
|
Loading…
Reference in a new issue