forked from TrueCloudLab/certificates
Ignore principals validations with OIDC
This commit will ignore principals validation when an OIDC provisioner is used. When the principals in the server does not match the principals given the validation was failing, even if the proper principals were set by templates or webhooks. With this change OIDC will not validate the principals and just set the default ones (name, name@example.org) plus the ones in the templates. This commit also includes a change in the templates to allow to pass a provisioner to the $(step path)/ssh/config template Related to #807
This commit is contained in:
parent
9007e2ef75
commit
5d87201abc
3 changed files with 8 additions and 12 deletions
|
@ -385,16 +385,13 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
|
||||||
}
|
}
|
||||||
|
|
||||||
var data sshutil.TemplateData
|
var data sshutil.TemplateData
|
||||||
var principals []string
|
|
||||||
|
|
||||||
if claims.Email == "" {
|
if claims.Email == "" {
|
||||||
// If email is empty, use the Subject claim instead to create minimal data for the template to use
|
// If email is empty, use the Subject claim instead to create minimal
|
||||||
|
// data for the template to use.
|
||||||
data = sshutil.CreateTemplateData(sshutil.UserCert, claims.Subject, nil)
|
data = sshutil.CreateTemplateData(sshutil.UserCert, claims.Subject, nil)
|
||||||
if v, err := unsafeParseSigned(token); err == nil {
|
if v, err := unsafeParseSigned(token); err == nil {
|
||||||
data.SetToken(v)
|
data.SetToken(v)
|
||||||
}
|
}
|
||||||
|
|
||||||
principals = nil
|
|
||||||
} else {
|
} else {
|
||||||
// Get the identity using either the default identityFunc or one injected
|
// Get the identity using either the default identityFunc or one injected
|
||||||
// externally. Note that the PreferredUsername might be empty.
|
// externally. Note that the PreferredUsername might be empty.
|
||||||
|
@ -417,8 +414,6 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
|
||||||
for k, v := range iden.Permissions.CriticalOptions {
|
for k, v := range iden.Permissions.CriticalOptions {
|
||||||
data.AddCriticalOption(k, v)
|
data.AddCriticalOption(k, v)
|
||||||
}
|
}
|
||||||
|
|
||||||
principals = iden.Usernames
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Use the default template unless no-templates are configured and email is
|
// Use the default template unless no-templates are configured and email is
|
||||||
|
@ -447,7 +442,6 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
|
||||||
} else {
|
} else {
|
||||||
signOptions = append(signOptions, sshCertOptionsValidator(SignSSHOptions{
|
signOptions = append(signOptions, sshCertOptionsValidator(SignSSHOptions{
|
||||||
CertType: SSHUserCert,
|
CertType: SSHUserCert,
|
||||||
Principals: principals,
|
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -582,6 +582,9 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) {
|
||||||
{"ok-principals", p1, args{t1, SignSSHOptions{Principals: []string{"name"}}, pub},
|
{"ok-principals", p1, args{t1, SignSSHOptions{Principals: []string{"name"}}, pub},
|
||||||
&SignSSHOptions{CertType: "user", Principals: []string{"name", "name@smallstep.com"},
|
&SignSSHOptions{CertType: "user", Principals: []string{"name", "name@smallstep.com"},
|
||||||
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
|
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
|
||||||
|
{"ok-principals-ignore-passed", p1, args{t1, SignSSHOptions{Principals: []string{"root"}}, pub},
|
||||||
|
&SignSSHOptions{CertType: "user", Principals: []string{"name", "name@smallstep.com"},
|
||||||
|
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
|
||||||
{"ok-principals-getIdentity", p4, args{okGetIdentityToken, SignSSHOptions{Principals: []string{"mariano"}}, pub},
|
{"ok-principals-getIdentity", p4, args{okGetIdentityToken, SignSSHOptions{Principals: []string{"mariano"}}, pub},
|
||||||
&SignSSHOptions{CertType: "user", Principals: []string{"max", "mariano"},
|
&SignSSHOptions{CertType: "user", Principals: []string{"max", "mariano"},
|
||||||
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
|
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
|
||||||
|
@ -600,7 +603,6 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) {
|
||||||
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
|
ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
|
||||||
{"fail-rsa1024", p1, args{t1, SignSSHOptions{}, rsa1024.Public()}, expectedUserOptions, http.StatusOK, false, true},
|
{"fail-rsa1024", p1, args{t1, SignSSHOptions{}, rsa1024.Public()}, expectedUserOptions, http.StatusOK, false, true},
|
||||||
{"fail-user-host", p1, args{t1, SignSSHOptions{CertType: "host"}, pub}, nil, http.StatusOK, false, true},
|
{"fail-user-host", p1, args{t1, SignSSHOptions{CertType: "host"}, pub}, nil, http.StatusOK, false, true},
|
||||||
{"fail-user-principals", p1, args{t1, SignSSHOptions{Principals: []string{"root"}}, pub}, nil, http.StatusOK, false, true},
|
|
||||||
{"fail-getIdentity", p5, args{failGetIdentityToken, SignSSHOptions{}, pub}, nil, http.StatusInternalServerError, true, false},
|
{"fail-getIdentity", p5, args{failGetIdentityToken, SignSSHOptions{}, pub}, nil, http.StatusInternalServerError, true, false},
|
||||||
{"fail-sshCA-disabled", p6, args{"foo", SignSSHOptions{}, pub}, nil, http.StatusUnauthorized, true, false},
|
{"fail-sshCA-disabled", p6, args{"foo", SignSSHOptions{}, pub}, nil, http.StatusUnauthorized, true, false},
|
||||||
// Missing parametrs
|
// Missing parametrs
|
||||||
|
|
|
@ -108,10 +108,10 @@ var DefaultSSHTemplateData = map[string]string{
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if or .User.GOOS "none" | eq "windows" }}
|
{{- if or .User.GOOS "none" | eq "windows" }}
|
||||||
UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts"
|
UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts"
|
||||||
ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %r %h %p
|
ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
|
||||||
{{- else }}
|
{{- else }}
|
||||||
UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts"
|
UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts"
|
||||||
ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %r %h %p
|
ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p
|
||||||
{{- end }}
|
{{- end }}
|
||||||
`,
|
`,
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue