Adapt api package to new interfaces.

api/api.go

@@ -1,6 +1,7 @@
 package api
 
 import (
+	"context"
 	"crypto/dsa"
 	"crypto/ecdsa"
 	"crypto/rsa"
@@ -29,7 +30,7 @@ type Authority interface {
 	SSHAuthority
 	// NOTE: Authorize will be deprecated in future releases. Please use the
 	// context specific Authoirize[Sign|Revoke|etc.] methods.
-	Authorize(ott string) ([]provisioner.SignOption, error)
+	Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error)
 	AuthorizeSign(ott string) ([]provisioner.SignOption, error)
 	GetTLSOptions() *tlsutil.TLSOptions
 	Root(shasum string) (*x509.Certificate, error)

api/api_test.go

@@ -23,6 +23,8 @@ import (
 	"testing"
 	"time"
 
+	"golang.org/x/crypto/ssh"
+
 	"github.com/go-chi/chi"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
@@ -418,7 +420,7 @@ type mockProvisioner struct {
 	getEncryptedKey  func() (string, string, bool)
 	init             func(provisioner.Config) error
 	authorizeRevoke  func(ott string) error
-	authorizeSign    func(ott string) ([]provisioner.SignOption, error)
+	authorizeSign    func(ctx context.Context, ott string) ([]provisioner.SignOption, error)
 	authorizeRenewal func(*x509.Certificate) error
 }
 
@@ -474,9 +476,9 @@ func (m *mockProvisioner) AuthorizeRevoke(ott string) error {
 	return m.err
 }
 
-func (m *mockProvisioner) AuthorizeSign(ott string) ([]provisioner.SignOption, error) {
+func (m *mockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]provisioner.SignOption, error) {
 	if m.authorizeSign != nil {
-		return m.authorizeSign(ott)
+		return m.authorizeSign(ctx, ott)
 	}
 	return m.ret1.([]provisioner.SignOption), m.err
 }
@@ -495,6 +497,7 @@ type mockAuthority struct {
 	getTLSOptions                func() *tlsutil.TLSOptions
 	root                         func(shasum string) (*x509.Certificate, error)
 	sign                         func(cr *x509.CertificateRequest, opts provisioner.Options, signOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error)
+	singSSH                      func(key ssh.PublicKey, opts provisioner.SSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
 	renew                        func(cert *x509.Certificate) (*x509.Certificate, *x509.Certificate, error)
 	loadProvisionerByCertificate func(cert *x509.Certificate) (provisioner.Interface, error)
 	getProvisioners              func(nextCursor string, limit int) (provisioner.List, string, error)
@@ -505,7 +508,7 @@ type mockAuthority struct {
 }
 
 // TODO: remove once Authorize is deprecated.
-func (m *mockAuthority) Authorize(ott string) ([]provisioner.SignOption, error) {
+func (m *mockAuthority) Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error) {
 	return m.AuthorizeSign(ott)
 }
 
@@ -537,6 +540,13 @@ func (m *mockAuthority) Sign(cr *x509.CertificateRequest, opts provisioner.Optio
 	return m.ret1.(*x509.Certificate), m.ret2.(*x509.Certificate), m.err
 }
 
+func (m *mockAuthority) SignSSH(key ssh.PublicKey, opts provisioner.SSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) {
+	if m.singSSH != nil {
+		return m.singSSH(key, opts, signOpts...)
+	}
+	return m.ret1.(*ssh.Certificate), m.err
+}
+
 func (m *mockAuthority) Renew(cert *x509.Certificate) (*x509.Certificate, *x509.Certificate, error) {
 	if m.renew != nil {
 		return m.renew(cert)

api/ssh.go

@@ -1,6 +1,7 @@
 package api
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"net/http"
@@ -111,7 +112,8 @@ func (h *caHandler) SignSSH(w http.ResponseWriter, r *http.Request) {
 		ValidAfter:  body.ValidAfter,
 	}
 
-	signOpts, err := h.Authority.AuthorizeSign(body.OTT)
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SignSSHMethod)
+	signOpts, err := h.Authority.Authorize(ctx, body.OTT)
 	if err != nil {
 		WriteError(w, Unauthorized(err))
 		return