Merge pull request #715 from smallstep/template-vars
Fix ssh template variables when CA is injected using options.
This commit is contained in:
commit
896fd5efae
1 changed files with 19 additions and 6 deletions
|
@ -361,8 +361,6 @@ func (a *Authority) init() error {
|
||||||
// Append public key to list of host certs
|
// Append public key to list of host certs
|
||||||
a.sshCAHostCerts = append(a.sshCAHostCerts, a.sshCAHostCertSignKey.PublicKey())
|
a.sshCAHostCerts = append(a.sshCAHostCerts, a.sshCAHostCertSignKey.PublicKey())
|
||||||
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, a.sshCAHostCertSignKey.PublicKey())
|
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, a.sshCAHostCertSignKey.PublicKey())
|
||||||
// Configure template variables.
|
|
||||||
tmplVars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
|
|
||||||
}
|
}
|
||||||
if a.config.SSH.UserKey != "" {
|
if a.config.SSH.UserKey != "" {
|
||||||
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
||||||
|
@ -389,8 +387,6 @@ func (a *Authority) init() error {
|
||||||
// Append public key to list of user certs
|
// Append public key to list of user certs
|
||||||
a.sshCAUserCerts = append(a.sshCAUserCerts, a.sshCAUserCertSignKey.PublicKey())
|
a.sshCAUserCerts = append(a.sshCAUserCerts, a.sshCAUserCertSignKey.PublicKey())
|
||||||
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, a.sshCAUserCertSignKey.PublicKey())
|
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, a.sshCAUserCertSignKey.PublicKey())
|
||||||
// Configure template variables.
|
|
||||||
tmplVars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Append other public keys and add them to the template variables.
|
// Append other public keys and add them to the template variables.
|
||||||
|
@ -400,14 +396,12 @@ func (a *Authority) init() error {
|
||||||
case provisioner.SSHHostCert:
|
case provisioner.SSHHostCert:
|
||||||
if key.Federated {
|
if key.Federated {
|
||||||
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, publicKey)
|
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, publicKey)
|
||||||
tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, publicKey)
|
|
||||||
} else {
|
} else {
|
||||||
a.sshCAHostCerts = append(a.sshCAHostCerts, publicKey)
|
a.sshCAHostCerts = append(a.sshCAHostCerts, publicKey)
|
||||||
}
|
}
|
||||||
case provisioner.SSHUserCert:
|
case provisioner.SSHUserCert:
|
||||||
if key.Federated {
|
if key.Federated {
|
||||||
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, publicKey)
|
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, publicKey)
|
||||||
tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, publicKey)
|
|
||||||
} else {
|
} else {
|
||||||
a.sshCAUserCerts = append(a.sshCAUserCerts, publicKey)
|
a.sshCAUserCerts = append(a.sshCAUserCerts, publicKey)
|
||||||
}
|
}
|
||||||
|
@ -417,6 +411,25 @@ func (a *Authority) init() error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Configure template variables. On the template variables HostFederatedKeys
|
||||||
|
// and UserFederatedKeys we will skip the actual CA that will be available
|
||||||
|
// in HostKey and UserKey.
|
||||||
|
//
|
||||||
|
// We cannot do it in the previous blocks because this configuration can be
|
||||||
|
// injected using options.
|
||||||
|
if a.sshCAHostCertSignKey != nil {
|
||||||
|
tmplVars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
|
||||||
|
tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts[1:]...)
|
||||||
|
} else {
|
||||||
|
tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts...)
|
||||||
|
}
|
||||||
|
if a.sshCAUserCertSignKey != nil {
|
||||||
|
tmplVars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
|
||||||
|
tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts[1:]...)
|
||||||
|
} else {
|
||||||
|
tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts...)
|
||||||
|
}
|
||||||
|
|
||||||
// Check if a KMS with decryption capability is required and available
|
// Check if a KMS with decryption capability is required and available
|
||||||
if a.requiresDecrypter() {
|
if a.requiresDecrypter() {
|
||||||
if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {
|
if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {
|
||||||
|
|