forked from TrueCloudLab/certificates
Reformat the SSH certificate logging output for read- and parsability
This commit is contained in:
parent
4c56877d97
commit
f17bfdf57d
2 changed files with 20 additions and 9 deletions
23
api/api.go
23
api/api.go
|
@ -508,21 +508,32 @@ func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
|
||||||
func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate) {
|
func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate) {
|
||||||
if rl, ok := w.(logging.ResponseLogger); ok {
|
if rl, ok := w.(logging.ResponseLogger); ok {
|
||||||
mak := bytes.TrimSpace(ssh.MarshalAuthorizedKey(cert))
|
mak := bytes.TrimSpace(ssh.MarshalAuthorizedKey(cert))
|
||||||
certType := "user"
|
var certificate string
|
||||||
if cert.CertType == ssh.HostCert {
|
parts := strings.Split(string(mak), " ")
|
||||||
certType = "host"
|
if len(parts) > 1 {
|
||||||
|
certificate = parts[1]
|
||||||
}
|
}
|
||||||
|
var userOrHost string
|
||||||
|
if cert.CertType == ssh.HostCert {
|
||||||
|
userOrHost = "host"
|
||||||
|
} else {
|
||||||
|
userOrHost = "user"
|
||||||
|
}
|
||||||
|
certificateType := fmt.Sprintf("%s %s certificate", parts[0], userOrHost) // e.g. ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
|
||||||
m := map[string]interface{}{
|
m := map[string]interface{}{
|
||||||
"serial": cert.Serial,
|
"serial": cert.Serial,
|
||||||
"principals": cert.ValidPrincipals,
|
"principals": cert.ValidPrincipals,
|
||||||
"valid-from": time.Unix(int64(cert.ValidAfter), 0).Format(time.RFC3339),
|
"valid-from": time.Unix(int64(cert.ValidAfter), 0).Format(time.RFC3339),
|
||||||
"valid-to": time.Unix(int64(cert.ValidBefore), 0).Format(time.RFC3339),
|
"valid-to": time.Unix(int64(cert.ValidBefore), 0).Format(time.RFC3339),
|
||||||
"certificate": string(mak),
|
"certificate": certificate,
|
||||||
"certificate-type": certType,
|
"certificate-type": certificateType,
|
||||||
}
|
}
|
||||||
fingerprint, err := sshutil.FormatFingerprint(mak, sshutil.DefaultFingerprint)
|
fingerprint, err := sshutil.FormatFingerprint(mak, sshutil.DefaultFingerprint)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
m["public-key"] = fingerprint
|
fpParts := strings.Split(fingerprint, " ")
|
||||||
|
if len(fpParts) > 3 {
|
||||||
|
m["public-key"] = fmt.Sprintf("%s %s", fpParts[1], fpParts[len(fpParts)-1])
|
||||||
|
}
|
||||||
}
|
}
|
||||||
rl.WithFields(m)
|
rl.WithFields(m)
|
||||||
}
|
}
|
||||||
|
|
|
@ -1680,9 +1680,9 @@ func TestLogSSHCertificate(t *testing.T) {
|
||||||
fields := rl.Fields()
|
fields := rl.Fields()
|
||||||
sassert.Equal(t, uint64(14376510277651266987), fields["serial"])
|
sassert.Equal(t, uint64(14376510277651266987), fields["serial"])
|
||||||
sassert.Equal(t, []string{"herman"}, fields["principals"])
|
sassert.Equal(t, []string{"herman"}, fields["principals"])
|
||||||
sassert.Equal(t, "user", fields["certificate-type"])
|
sassert.Equal(t, "ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate", fields["certificate-type"])
|
||||||
sassert.Equal(t, time.Unix(1674129191, 0).Format(time.RFC3339), fields["valid-from"])
|
sassert.Equal(t, time.Unix(1674129191, 0).Format(time.RFC3339), fields["valid-from"])
|
||||||
sassert.Equal(t, time.Unix(1674186851, 0).Format(time.RFC3339), fields["valid-to"])
|
sassert.Equal(t, time.Unix(1674186851, 0).Format(time.RFC3339), fields["valid-to"])
|
||||||
sassert.Equal(t, "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI", fields["certificate"])
|
sassert.Equal(t, "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI", fields["certificate"])
|
||||||
sassert.Equal(t, "256 SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 no comment (ECDSA-CERT)", fields["public-key"])
|
sassert.Equal(t, "SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 (ECDSA-CERT)", fields["public-key"])
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue