diff --git a/api/api.go b/api/api.go
index a001dac6..4639e20c 100644
--- a/api/api.go
+++ b/api/api.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"context"
 	"crypto/dsa"
 	"crypto/ecdsa"
 	"crypto/rsa"
@@ -29,7 +30,7 @@ type Authority interface {
 	SSHAuthority
 	// NOTE: Authorize will be deprecated in future releases. Please use the
 	// context specific Authoirize[Sign|Revoke|etc.] methods.
-	Authorize(ott string) ([]provisioner.SignOption, error)
+	Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error)
 	AuthorizeSign(ott string) ([]provisioner.SignOption, error)
 	GetTLSOptions() *tlsutil.TLSOptions
 	Root(shasum string) (*x509.Certificate, error)
diff --git a/api/api_test.go b/api/api_test.go
index 3f99dd68..7a3c843d 100644
--- a/api/api_test.go
+++ b/api/api_test.go
@@ -23,6 +23,8 @@ import (
 	"testing"
 	"time"
 
+	"golang.org/x/crypto/ssh"
+
 	"github.com/go-chi/chi"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
@@ -418,7 +420,7 @@ type mockProvisioner struct {
 	getEncryptedKey func() (string, string, bool)
 	init func(provisioner.Config) error
 	authorizeRevoke func(ott string) error
-	authorizeSign func(ott string) ([]provisioner.SignOption, error)
+	authorizeSign func(ctx context.Context, ott string) ([]provisioner.SignOption, error)
 	authorizeRenewal func(*x509.Certificate) error
 }
 
@@ -474,9 +476,9 @@ func (m *mockProvisioner) AuthorizeRevoke(ott string) error {
 	return m.err
 }
 
-func (m *mockProvisioner) AuthorizeSign(ott string) ([]provisioner.SignOption, error) {
+func (m *mockProvisioner) AuthorizeSign(ctx context.Context, ott string) ([]provisioner.SignOption, error) {
 	if m.authorizeSign != nil {
-		return m.authorizeSign(ott)
+		return m.authorizeSign(ctx, ott)
 	}
 	return m.ret1.([]provisioner.SignOption), m.err
 }
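Review bot: The NOTE comment two lines above the changed signature still steers callers away from Authorize and onto the per-method AuthorizeSign/AuthorizeRevoke variants, yet this change gives Authorize the ctx parameter that ssh.go now uses to pass the SSH signing method, so the comment and the direction of the API now contradict each other. Either revise the comment to describe the ctx contract, for example `// Authorize validates ott for the request method carried in ctx (set with provisioner.NewContextWithMethod); prefer it over the method-specific variants.`, or put the ctx on AuthorizeSign instead, and fix the "Authoirize" typo either way. What Authorize does when ctx carries no method is not visible in this diff and is worth stating in the comment once confirmed, since an unset method presumably weakens any per-method restriction the authority applies.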
@@ -495,6 +497,7 @@ type mockAuthority struct {
 	getTLSOptions func() *tlsutil.TLSOptions
 	root func(shasum string) (*x509.Certificate, error)
 	sign func(cr *x509.CertificateRequest, opts provisioner.Options, signOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error)
+	singSSH func(key ssh.PublicKey, opts provisioner.SSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
 	renew func(cert *x509.Certificate) (*x509.Certificate, *x509.Certificate, error)
 	loadProvisionerByCertificate func(cert *x509.Certificate) (provisioner.Interface, error)
 	getProvisioners func(nextCursor string, limit int) (provisioner.List, string, error)
@@ -505,7 +508,7 @@ type mockAuthority struct {
 }
 
 // TODO: remove once Authorize is deprecated.
-func (m *mockAuthority) Authorize(ott string) ([]provisioner.SignOption, error) {
+func (m *mockAuthority) Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error) {
 	return m.AuthorizeSign(ott)
 }
 
@@ -537,6 +540,13 @@ func (m *mockAuthority) Sign(cr *x509.CertificateRequest, opts provisioner.Optio
 	return m.ret1.(*x509.Certificate), m.ret2.(*x509.Certificate), m.err
 }
 
+func (m *mockAuthority) SignSSH(key ssh.PublicKey, opts provisioner.SSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) {
+	if m.singSSH != nil {
+		return m.singSSH(key, opts, signOpts...)
+	}
+	return m.ret1.(*ssh.Certificate), m.err
+}
+
 func (m *mockAuthority) Renew(cert *x509.Certificate) (*x509.Certificate, *x509.Certificate, error) {
 	if m.renew != nil {
 		return m.renew(cert)
diff --git a/api/ssh.go b/api/ssh.go
index de91b559..7e730bc3 100644
--- a/api/ssh.go
+++ b/api/ssh.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"net/http"
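Review bot: The new field is spelled `singSSH` rather than `signSSH`, out of step with the neighbouring `sign` and `renew` fields, and the same misspelling is repeated in the SignSSH mock method added further down this file (`if m.singSSH != nil { return m.singSSH(key, opts, signOpts...) }`). Renaming it to `signSSH` in both places keeps the mock field named after the method it backs and avoids the typo spreading into future tests that set it. The mockAuthority struct begins above this hunk.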
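Review bot: The mock's Authorize drops ctx on the floor and forwards only ott to `m.AuthorizeSign(ott)`, so no handler test can observe the method marker the handler now puts into the context, which is precisely the new behaviour this commit introduces in ssh.go. Adding an `authorize func(ctx context.Context, ott string) ([]provisioner.SignOption, error)` field to mockAuthority and checking it first, `if m.authorize != nil { return m.authorize(ctx, ott) }`, before the existing fallback follows the pattern the other mock methods already use and lets a test assert what was placed in ctx. Without that, a regression that passes the wrong method (or no method) into the context would go unnoticed by this test suite.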
@@ -111,7 +112,8 @@ func (h *caHandler) SignSSH(w http.ResponseWriter, r *http.Request) {
 		ValidAfter: body.ValidAfter,
 	}
 
-	signOpts, err := h.Authority.AuthorizeSign(body.OTT)
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SignSSHMethod)
+	signOpts, err := h.Authority.Authorize(ctx, body.OTT)
 	if err != nil {
 		WriteError(w, Unauthorized(err))
 		return
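Review bot: The new ctx is derived from `context.Background()` even though the request context is available from the handler's `r` parameter, so the authorization call runs detached from the client's cancellation and deadline and from any request-scoped values middleware may have attached upstream. Replacing it with `ctx := provisioner.NewContextWithMethod(r.Context(), provisioner.SignSSHMethod)` keeps the method marker while preserving the request lifecycle. Whether the authority or provisioner honours cancellation is not visible here, but deriving from the request context is the conventional choice and costs nothing. The SignSSH handler begins and ends outside this hunk.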