forked from TrueCloudLab/certificates
Merge pull request #1489 from smallstep/josh/authorization-principal-in-webhook
Include authorization principal in provisioner webhooks.
This commit is contained in:
commit
a1350b14fb
7 changed files with 57 additions and 11 deletions
|
@ -24,6 +24,7 @@ import (
|
|||
"go.step.sm/linkedca"
|
||||
|
||||
"github.com/smallstep/certificates/errs"
|
||||
"github.com/smallstep/certificates/webhook"
|
||||
)
|
||||
|
||||
// awsIssuer is the string used as issuer in the generated tokens.
|
||||
|
@ -521,7 +522,11 @@ func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
|
|||
commonNameValidator(payload.Claims.Subject),
|
||||
newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
|
||||
newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
|
||||
p.ctl.newWebhookController(data, linkedca.Webhook_X509),
|
||||
p.ctl.newWebhookController(
|
||||
data,
|
||||
linkedca.Webhook_X509,
|
||||
webhook.WithAuthorizationPrincipal(doc.InstanceID),
|
||||
),
|
||||
), nil
|
||||
}
|
||||
|
||||
|
@ -804,6 +809,10 @@ func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
|
|||
// Ensure that all principal names are allowed
|
||||
newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
|
||||
// Call webhooks
|
||||
p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
|
||||
p.ctl.newWebhookController(
|
||||
data,
|
||||
linkedca.Webhook_SSH,
|
||||
webhook.WithAuthorizationPrincipal(doc.InstanceID),
|
||||
),
|
||||
), nil
|
||||
}
|
||||
|
|
|
@ -20,6 +20,7 @@ import (
|
|||
"go.step.sm/linkedca"
|
||||
|
||||
"github.com/smallstep/certificates/errs"
|
||||
"github.com/smallstep/certificates/webhook"
|
||||
)
|
||||
|
||||
// azureOIDCBaseURL is the base discovery url for Microsoft Azure tokens.
|
||||
|
@ -403,7 +404,11 @@ func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, er
|
|||
defaultPublicKeyValidator{},
|
||||
newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
|
||||
newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
|
||||
p.ctl.newWebhookController(data, linkedca.Webhook_X509),
|
||||
p.ctl.newWebhookController(
|
||||
data,
|
||||
linkedca.Webhook_X509,
|
||||
webhook.WithAuthorizationPrincipal(identityObjectID),
|
||||
),
|
||||
), nil
|
||||
}
|
||||
|
||||
|
@ -421,7 +426,7 @@ func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption,
|
|||
return nil, errs.Unauthorized("azure.AuthorizeSSHSign; sshCA is disabled for provisioner '%s'", p.GetName())
|
||||
}
|
||||
|
||||
_, name, _, _, _, err := p.authorizeToken(token)
|
||||
_, name, _, _, identityObjectID, err := p.authorizeToken(token)
|
||||
if err != nil {
|
||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
|
||||
}
|
||||
|
@ -473,7 +478,11 @@ func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption,
|
|||
// Ensure that all principal names are allowed
|
||||
newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
|
||||
// Call webhooks
|
||||
p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
|
||||
p.ctl.newWebhookController(
|
||||
data,
|
||||
linkedca.Webhook_SSH,
|
||||
webhook.WithAuthorizationPrincipal(identityObjectID),
|
||||
),
|
||||
), nil
|
||||
}
|
||||
|
||||
|
|
|
@ -21,6 +21,7 @@ import (
|
|||
"go.step.sm/linkedca"
|
||||
|
||||
"github.com/smallstep/certificates/errs"
|
||||
"github.com/smallstep/certificates/webhook"
|
||||
)
|
||||
|
||||
// gcpCertsURL is the url that serves Google OAuth2 public keys.
|
||||
|
@ -275,7 +276,11 @@ func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
|
|||
defaultPublicKeyValidator{},
|
||||
newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
|
||||
newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
|
||||
p.ctl.newWebhookController(data, linkedca.Webhook_X509),
|
||||
p.ctl.newWebhookController(
|
||||
data,
|
||||
linkedca.Webhook_X509,
|
||||
webhook.WithAuthorizationPrincipal(ce.InstanceID),
|
||||
),
|
||||
), nil
|
||||
}
|
||||
|
||||
|
@ -442,6 +447,10 @@ func (p *GCP) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
|
|||
// Ensure that all principal names are allowed
|
||||
newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
|
||||
// Call webhooks
|
||||
p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
|
||||
p.ctl.newWebhookController(
|
||||
data,
|
||||
linkedca.Webhook_SSH,
|
||||
webhook.WithAuthorizationPrincipal(ce.InstanceID),
|
||||
),
|
||||
), nil
|
||||
}
|
||||
|
|
|
@ -248,7 +248,12 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
|
|||
defaultPublicKeyValidator{},
|
||||
newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
|
||||
newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
|
||||
p.ctl.newWebhookController(data, linkedca.Webhook_X509, webhook.WithX5CCertificate(x5cLeaf)),
|
||||
p.ctl.newWebhookController(
|
||||
data,
|
||||
linkedca.Webhook_X509,
|
||||
webhook.WithX5CCertificate(x5cLeaf),
|
||||
webhook.WithAuthorizationPrincipal(x5cLeaf.Subject.CommonName),
|
||||
),
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
@ -338,6 +343,11 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
|
|||
// Ensure that all principal names are allowed
|
||||
newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), p.ctl.getPolicy().getSSHUser()),
|
||||
// Call webhooks
|
||||
p.ctl.newWebhookController(data, linkedca.Webhook_SSH, webhook.WithX5CCertificate(x5cLeaf)),
|
||||
p.ctl.newWebhookController(
|
||||
data,
|
||||
linkedca.Webhook_SSH,
|
||||
webhook.WithX5CCertificate(x5cLeaf),
|
||||
webhook.WithAuthorizationPrincipal(x5cLeaf.Subject.CommonName),
|
||||
),
|
||||
), nil
|
||||
}
|
||||
|
|
|
@ -499,7 +499,7 @@ func TestX5C_AuthorizeSign(t *testing.T) {
|
|||
case *WebhookController:
|
||||
assert.Len(t, 0, v.webhooks)
|
||||
assert.Equals(t, linkedca.Webhook_X509, v.certType)
|
||||
assert.Len(t, 1, v.options)
|
||||
assert.Len(t, 2, v.options)
|
||||
default:
|
||||
assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
|
||||
}
|
||||
|
@ -805,7 +805,7 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
|
|||
case *WebhookController:
|
||||
assert.Len(t, 0, v.webhooks)
|
||||
assert.Equals(t, linkedca.Webhook_SSH, v.certType)
|
||||
assert.Len(t, 1, v.options)
|
||||
assert.Len(t, 2, v.options)
|
||||
default:
|
||||
assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
|
||||
}
|
||||
|
|
|
@ -68,6 +68,13 @@ func WithAttestationData(data *AttestationData) RequestBodyOption {
|
|||
}
|
||||
}
|
||||
|
||||
func WithAuthorizationPrincipal(p string) RequestBodyOption {
|
||||
return func(rb *RequestBody) error {
|
||||
rb.AuthorizationPrincipal = p
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func WithSSHCertificateRequest(cr sshutil.CertificateRequest) RequestBodyOption {
|
||||
return func(rb *RequestBody) error {
|
||||
rb.SSHCertificateRequest = &SSHCertificateRequest{
|
||||
|
|
|
@ -84,4 +84,6 @@ type RequestBody struct {
|
|||
SCEPTransactionID string `json:"scepTransactionID,omitempty"`
|
||||
// Only set for X5C provisioners
|
||||
X5CCertificate *X5CCertificate `json:"x5cCertificate,omitempty"`
|
||||
// Set for X5C, AWS, GCP, and Azure provisioners
|
||||
AuthorizationPrincipal string `json:"authorizationPrincipal,omitempty"`
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue