Merge pull request #715 from smallstep/template-vars

Fix ssh template variables when CA is injected using options.
This commit is contained in:
Mariano Cano 2021-09-29 10:43:20 -07:00 committed by GitHub
commit 896fd5efae
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -361,8 +361,6 @@ func (a *Authority) init() error {
// Append public key to list of host certs // Append public key to list of host certs
a.sshCAHostCerts = append(a.sshCAHostCerts, a.sshCAHostCertSignKey.PublicKey()) a.sshCAHostCerts = append(a.sshCAHostCerts, a.sshCAHostCertSignKey.PublicKey())
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, a.sshCAHostCertSignKey.PublicKey()) a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, a.sshCAHostCertSignKey.PublicKey())
// Configure template variables.
tmplVars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
} }
if a.config.SSH.UserKey != "" { if a.config.SSH.UserKey != "" {
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
@ -389,8 +387,6 @@ func (a *Authority) init() error {
// Append public key to list of user certs // Append public key to list of user certs
a.sshCAUserCerts = append(a.sshCAUserCerts, a.sshCAUserCertSignKey.PublicKey()) a.sshCAUserCerts = append(a.sshCAUserCerts, a.sshCAUserCertSignKey.PublicKey())
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, a.sshCAUserCertSignKey.PublicKey()) a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, a.sshCAUserCertSignKey.PublicKey())
// Configure template variables.
tmplVars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
} }
// Append other public keys and add them to the template variables. // Append other public keys and add them to the template variables.
@ -400,14 +396,12 @@ func (a *Authority) init() error {
case provisioner.SSHHostCert: case provisioner.SSHHostCert:
if key.Federated { if key.Federated {
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, publicKey) a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, publicKey)
tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, publicKey)
} else { } else {
a.sshCAHostCerts = append(a.sshCAHostCerts, publicKey) a.sshCAHostCerts = append(a.sshCAHostCerts, publicKey)
} }
case provisioner.SSHUserCert: case provisioner.SSHUserCert:
if key.Federated { if key.Federated {
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, publicKey) a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, publicKey)
tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, publicKey)
} else { } else {
a.sshCAUserCerts = append(a.sshCAUserCerts, publicKey) a.sshCAUserCerts = append(a.sshCAUserCerts, publicKey)
} }
@ -417,6 +411,25 @@ func (a *Authority) init() error {
} }
} }
// Configure template variables. On the template variables HostFederatedKeys
// and UserFederatedKeys we will skip the actual CA that will be available
// in HostKey and UserKey.
//
// We cannot do it in the previous blocks because this configuration can be
// injected using options.
if a.sshCAHostCertSignKey != nil {
tmplVars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts[1:]...)
} else {
tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts...)
}
if a.sshCAUserCertSignKey != nil {
tmplVars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts[1:]...)
} else {
tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts...)
}
// Check if a KMS with decryption capability is required and available // Check if a KMS with decryption capability is required and available
if a.requiresDecrypter() { if a.requiresDecrypter() {
if _, ok := a.keyManager.(kmsapi.Decrypter); !ok { if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {
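Review bot: The `[1:]` slices in the new block (`a.sshCAHostFederatedCerts[1:]` and `a.sshCAUserFederatedCerts[1:]`) remove the CA from the federated list by position, which only holds when the signer's public key was appended first as the earlier blocks do; when the signer is instead injected through options without that append, the slice can be empty and `[1:]` panics at startup, and when it holds only configured federated keys the first real federated CA is silently dropped from the template variables. Since those variables presumably feed the SSH templates that decide which CAs hosts and users trust, a positional skip is fragile; filtering by the key's wire encoding removes exactly the CA regardless of order and tolerates an empty list. The enclosing `init()` starts and ends outside this hunk, so the helper below would go at file scope (this assumes the slices hold `ssh.PublicKey` values, which the `PublicKey()` appends suggest).
```go
// … unchanged: host/user signer setup and extra-key loop …
if a.sshCAHostCertSignKey != nil {
	tmplVars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
}
tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, withoutKey(a.sshCAHostFederatedCerts, tmplVars.SSH.HostKey)...)
if a.sshCAUserCertSignKey != nil {
	tmplVars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
}
tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, withoutKey(a.sshCAUserFederatedCerts, tmplVars.SSH.UserKey)...)
// … unchanged: decrypter check …

// withoutKey returns keys minus every entry whose wire encoding equals skip's.
// A nil skip removes nothing, so callers need not special-case a missing CA.
func withoutKey(keys []ssh.PublicKey, skip ssh.PublicKey) []ssh.PublicKey {
	if skip == nil {
		return keys
	}
	want := skip.Marshal()
	out := make([]ssh.PublicKey, 0, len(keys))
	for _, k := range keys {
		if !bytes.Equal(k.Marshal(), want) {
			out = append(out, k)
		}
	}
	return out
}
```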