From 7d670b20eaad043c81e48b3805849f4dea36118c Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 29 Jul 2019 17:54:38 -0700
Subject: [PATCH] Add support of ssh host certinficates in AWS provisioner.
---
 authority/provisioner/aws.go | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index 738a2d33..03a0747e 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -441,5 +441,27 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
 // authorizeSSHSign returns the list of SignOption for a SignSSH request.
 func (p *AWS) authorizeSSHSign(claims *awsPayload) ([]SignOption, error) {
- return nil, nil
+ doc := claims.document
+
+ signOptions := []SignOption{
+ // set the key id to the token subject
+ sshCertificateKeyIDModifier(claims.Subject),
+ }
+
+ signOptions = append(signOptions, &sshCertificateOptionsValidator{&SSHOptions{
+ CertType: SSHHostCert,
+ Principals: []string{
+ doc.PrivateIP,
+ fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region),
+ },
+ }})
+
+ return append(signOptions,
+ // set the default extensions
+ &sshDefaultExtensionModifier{},
+ // checks the validity bounds, and set the validity if has not been set
+ &sshCertificateValidityModifier{p.claimer},
+ // require all the fields in the SSH certificate
+ &sshCertificateDefaultValidator{},
+ ), nil
 }
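Review bot: The principal list built from `doc.PrivateIP` in the new `authorizeSSHSign` has no guard for an empty address, so an identity document without a private IP would yield the principals `""` and `ip-.<region>.compute.internal` instead of an error; before building `signOptions` add a check such as `if doc.PrivateIP == "" { return nil, errors.New("aws.authorizeSSHSign; instance document has no private IP") }` using whichever error helper this file already uses. If I recall correctly, EC2's internal hostname in us-east-1 is `ip-<dashed-ip>.ec2.internal` rather than `ip-<dashed-ip>.us-east-1.compute.internal`, so hosts in that region could not obtain a certificate for their actual DNS name — worth confirming and special-casing. Both principals are only as trustworthy as `claims.document`; the hunk header suggests the document is verified in `authorizeToken`, which lies outside this hunk, and a comment on `doc := claims.document` such as `// document was signature-verified in authorizeToken; its fields drive the host principals` would make that dependency explicit. Minor: `strings.Replace(s, ".", "-", -1)` can be `strings.ReplaceAll` if the module targets Go 1.12 or later.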