|
|
@ -253,19 +253,19 @@ type SSHBastionResponse struct {
|
|
|
|
func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|
|
|
var body SSHSignRequest
|
|
|
|
var body SSHSignRequest
|
|
|
|
if err := read.JSON(r.Body, &body); err != nil {
|
|
|
|
if err := read.JSON(r.Body, &body); err != nil {
|
|
|
|
WriteError(w, errs.BadRequestErr(err, "error reading request body"))
|
|
|
|
render.Error(w, errs.BadRequestErr(err, "error reading request body"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
logOtt(w, body.OTT)
|
|
|
|
logOtt(w, body.OTT)
|
|
|
|
if err := body.Validate(); err != nil {
|
|
|
|
if err := body.Validate(); err != nil {
|
|
|
|
WriteError(w, err)
|
|
|
|
render.Error(w, err)
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
publicKey, err := ssh.ParsePublicKey(body.PublicKey)
|
|
|
|
publicKey, err := ssh.ParsePublicKey(body.PublicKey)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.BadRequestErr(err, "error parsing publicKey"))
|
|
|
|
render.Error(w, errs.BadRequestErr(err, "error parsing publicKey"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -273,7 +273,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if body.AddUserPublicKey != nil {
|
|
|
|
if body.AddUserPublicKey != nil {
|
|
|
|
addUserPublicKey, err = ssh.ParsePublicKey(body.AddUserPublicKey)
|
|
|
|
addUserPublicKey, err = ssh.ParsePublicKey(body.AddUserPublicKey)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.BadRequestErr(err, "error parsing addUserPublicKey"))
|
|
|
|
render.Error(w, errs.BadRequestErr(err, "error parsing addUserPublicKey"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -290,13 +290,13 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := provisioner.NewContextWithMethod(r.Context(), provisioner.SSHSignMethod)
|
|
|
|
ctx := provisioner.NewContextWithMethod(r.Context(), provisioner.SSHSignMethod)
|
|
|
|
signOpts, err := h.Authority.Authorize(ctx, body.OTT)
|
|
|
|
signOpts, err := h.Authority.Authorize(ctx, body.OTT)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.UnauthorizedErr(err))
|
|
|
|
render.Error(w, errs.UnauthorizedErr(err))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
cert, err := h.Authority.SignSSH(ctx, publicKey, opts, signOpts...)
|
|
|
|
cert, err := h.Authority.SignSSH(ctx, publicKey, opts, signOpts...)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
|
|
|
|
render.Error(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -304,7 +304,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
|
|
|
|
if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
|
|
|
|
addUserCert, err := h.Authority.SignSSHAddUser(ctx, addUserPublicKey, cert)
|
|
|
|
addUserCert, err := h.Authority.SignSSHAddUser(ctx, addUserPublicKey, cert)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
|
|
|
|
render.Error(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
addUserCertificate = &SSHCertificate{addUserCert}
|
|
|
|
addUserCertificate = &SSHCertificate{addUserCert}
|
|
|
@ -317,7 +317,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
|
|
|
|
ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
|
|
|
|
signOpts, err := h.Authority.Authorize(ctx, body.OTT)
|
|
|
|
signOpts, err := h.Authority.Authorize(ctx, body.OTT)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.UnauthorizedErr(err))
|
|
|
|
render.Error(w, errs.UnauthorizedErr(err))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -329,7 +329,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
|
|
|
|
|
|
|
certChain, err := h.Authority.Sign(cr, provisioner.SignOptions{}, signOpts...)
|
|
|
|
certChain, err := h.Authority.Sign(cr, provisioner.SignOptions{}, signOpts...)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
|
|
|
|
render.Error(w, errs.ForbiddenErr(err, "error signing identity certificate"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
identityCertificate = certChainToPEM(certChain)
|
|
|
|
identityCertificate = certChainToPEM(certChain)
|
|
|
@ -347,12 +347,12 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHRoots(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHRoots(w http.ResponseWriter, r *http.Request) {
|
|
|
|
keys, err := h.Authority.GetSSHRoots(r.Context())
|
|
|
|
keys, err := h.Authority.GetSSHRoots(r.Context())
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.InternalServerErr(err))
|
|
|
|
render.Error(w, errs.InternalServerErr(err))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
|
|
|
|
if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
|
|
|
|
WriteError(w, errs.NotFound("no keys found"))
|
|
|
|
render.Error(w, errs.NotFound("no keys found"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -372,12 +372,12 @@ func (h *caHandler) SSHRoots(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHFederation(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHFederation(w http.ResponseWriter, r *http.Request) {
|
|
|
|
keys, err := h.Authority.GetSSHFederation(r.Context())
|
|
|
|
keys, err := h.Authority.GetSSHFederation(r.Context())
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.InternalServerErr(err))
|
|
|
|
render.Error(w, errs.InternalServerErr(err))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
|
|
|
|
if len(keys.HostKeys) == 0 && len(keys.UserKeys) == 0 {
|
|
|
|
WriteError(w, errs.NotFound("no keys found"))
|
|
|
|
render.Error(w, errs.NotFound("no keys found"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -397,17 +397,17 @@ func (h *caHandler) SSHFederation(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHConfig(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHConfig(w http.ResponseWriter, r *http.Request) {
|
|
|
|
var body SSHConfigRequest
|
|
|
|
var body SSHConfigRequest
|
|
|
|
if err := read.JSON(r.Body, &body); err != nil {
|
|
|
|
if err := read.JSON(r.Body, &body); err != nil {
|
|
|
|
WriteError(w, errs.BadRequestErr(err, "error reading request body"))
|
|
|
|
render.Error(w, errs.BadRequestErr(err, "error reading request body"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if err := body.Validate(); err != nil {
|
|
|
|
if err := body.Validate(); err != nil {
|
|
|
|
WriteError(w, err)
|
|
|
|
render.Error(w, err)
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ts, err := h.Authority.GetSSHConfig(r.Context(), body.Type, body.Data)
|
|
|
|
ts, err := h.Authority.GetSSHConfig(r.Context(), body.Type, body.Data)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.InternalServerErr(err))
|
|
|
|
render.Error(w, errs.InternalServerErr(err))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -418,7 +418,7 @@ func (h *caHandler) SSHConfig(w http.ResponseWriter, r *http.Request) {
|
|
|
|
case provisioner.SSHHostCert:
|
|
|
|
case provisioner.SSHHostCert:
|
|
|
|
cfg.HostTemplates = ts
|
|
|
|
cfg.HostTemplates = ts
|
|
|
|
default:
|
|
|
|
default:
|
|
|
|
WriteError(w, errs.InternalServer("it should hot get here"))
|
|
|
|
render.Error(w, errs.InternalServer("it should hot get here"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
@ -429,17 +429,17 @@ func (h *caHandler) SSHConfig(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHCheckHost(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHCheckHost(w http.ResponseWriter, r *http.Request) {
|
|
|
|
var body SSHCheckPrincipalRequest
|
|
|
|
var body SSHCheckPrincipalRequest
|
|
|
|
if err := read.JSON(r.Body, &body); err != nil {
|
|
|
|
if err := read.JSON(r.Body, &body); err != nil {
|
|
|
|
WriteError(w, errs.BadRequestErr(err, "error reading request body"))
|
|
|
|
render.Error(w, errs.BadRequestErr(err, "error reading request body"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if err := body.Validate(); err != nil {
|
|
|
|
if err := body.Validate(); err != nil {
|
|
|
|
WriteError(w, err)
|
|
|
|
render.Error(w, err)
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
exists, err := h.Authority.CheckSSHHost(r.Context(), body.Principal, body.Token)
|
|
|
|
exists, err := h.Authority.CheckSSHHost(r.Context(), body.Principal, body.Token)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.InternalServerErr(err))
|
|
|
|
render.Error(w, errs.InternalServerErr(err))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
render.JSON(w, &SSHCheckPrincipalResponse{
|
|
|
|
render.JSON(w, &SSHCheckPrincipalResponse{
|
|
|
@ -456,7 +456,7 @@ func (h *caHandler) SSHGetHosts(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
|
|
|
|
|
|
|
hosts, err := h.Authority.GetSSHHosts(r.Context(), cert)
|
|
|
|
hosts, err := h.Authority.GetSSHHosts(r.Context(), cert)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.InternalServerErr(err))
|
|
|
|
render.Error(w, errs.InternalServerErr(err))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
render.JSON(w, &SSHGetHostsResponse{
|
|
|
|
render.JSON(w, &SSHGetHostsResponse{
|
|
|
@ -468,17 +468,17 @@ func (h *caHandler) SSHGetHosts(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHBastion(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func (h *caHandler) SSHBastion(w http.ResponseWriter, r *http.Request) {
|
|
|
|
var body SSHBastionRequest
|
|
|
|
var body SSHBastionRequest
|
|
|
|
if err := read.JSON(r.Body, &body); err != nil {
|
|
|
|
if err := read.JSON(r.Body, &body); err != nil {
|
|
|
|
WriteError(w, errs.BadRequestErr(err, "error reading request body"))
|
|
|
|
render.Error(w, errs.BadRequestErr(err, "error reading request body"))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if err := body.Validate(); err != nil {
|
|
|
|
if err := body.Validate(); err != nil {
|
|
|
|
WriteError(w, err)
|
|
|
|
render.Error(w, err)
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
bastion, err := h.Authority.GetSSHBastion(r.Context(), body.User, body.Hostname)
|
|
|
|
bastion, err := h.Authority.GetSSHBastion(r.Context(), body.User, body.Hostname)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, errs.InternalServerErr(err))
|
|
|
|
render.Error(w, errs.InternalServerErr(err))
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|