From 9fb6df3abb4178e5b95b02daaee1e223c9425a37 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Tue, 28 Sep 2021 18:50:45 -0700
Subject: [PATCH] Fix ssh template variables when CA is injected using options.

---
 authority/authority.go | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/authority/authority.go b/authority/authority.go
index e26ce591..3f97ceab 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -361,8 +361,6 @@ func (a *Authority) init() error {
 			// Append public key to list of host certs
 			a.sshCAHostCerts = append(a.sshCAHostCerts, a.sshCAHostCertSignKey.PublicKey())
 			a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, a.sshCAHostCertSignKey.PublicKey())
-			// Configure template variables.
-			tmplVars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
 		}
 		if a.config.SSH.UserKey != "" {
 			signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
@@ -389,8 +387,6 @@ func (a *Authority) init() error {
 			// Append public key to list of user certs
 			a.sshCAUserCerts = append(a.sshCAUserCerts, a.sshCAUserCertSignKey.PublicKey())
 			a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, a.sshCAUserCertSignKey.PublicKey())
-			// Configure template variables.
-			tmplVars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
 		}
 
 		// Append other public keys and add them to the template variables.
@@ -400,14 +396,12 @@ func (a *Authority) init() error {
 			case provisioner.SSHHostCert:
 				if key.Federated {
 					a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, publicKey)
-					tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, publicKey)
 				} else {
 					a.sshCAHostCerts = append(a.sshCAHostCerts, publicKey)
 				}
 			case provisioner.SSHUserCert:
 				if key.Federated {
 					a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, publicKey)
-					tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, publicKey)
 				} else {
 					a.sshCAUserCerts = append(a.sshCAUserCerts, publicKey)
 				}
@@ -417,6 +411,25 @@ func (a *Authority) init() error {
 		}
 	}
 
+	// Configure template variables. On the template variables HostFederatedKeys
+	// and UserFederatedKeys we will skip the actual CA that will be available
+	// in HostKey and UserKey.
+	//
+	// We cannot do it in the previous blocks because this configuration can be
+	// injected using options.
+	if a.sshCAHostCertSignKey != nil {
+		tmplVars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
+		tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts[1:]...)
+	} else {
+		tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts...)
+	}
+	if a.sshCAUserCertSignKey != nil {
+		tmplVars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
+		tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts[1:]...)
+	} else {
+		tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts...)
+	}
+
 	// Check if a KMS with decryption capability is required and available
 	if a.requiresDecrypter() {
 		if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {