Use SSHOptions inside provisioner options.

4 years ago · aa657cdb4b
parent d82bdc1a00
commit aa657cdb4b
12 changed files with 123 additions and 154 deletions
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@ -127,15 +127,14 @@ type awsInstanceIdentityDocument struct {
 // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
 type AWS struct {
 	*base
-	Type                   string      `json:"type"`
-	Name                   string      `json:"name"`
-	Accounts               []string    `json:"accounts"`
-	DisableCustomSANs      bool        `json:"disableCustomSANs"`
-	DisableTrustOnFirstUse bool        `json:"disableTrustOnFirstUse"`
-	InstanceAge            Duration    `json:"instanceAge,omitempty"`
-	Claims                 *Claims     `json:"claims,omitempty"`
-	Options                *Options    `json:"options,omitempty"`
-	SSHOptions             *SSHOptions `json:"sshOptions,omitempty"`
+	Type                   string   `json:"type"`
+	Name                   string   `json:"name"`
+	Accounts               []string `json:"accounts"`
+	DisableCustomSANs      bool     `json:"disableCustomSANs"`
+	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
+	InstanceAge            Duration `json:"instanceAge,omitempty"`
+	Claims                 *Claims  `json:"claims,omitempty"`
+	Options                *Options `json:"options,omitempty"`
 	claimer                *Claimer
 	config                 *awsConfig
 	audiences              Audiences
@ -499,7 +498,7 @@ func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		data.SetToken(v)
 	}

-	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
+	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, defaultTemplate)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSSHSign")
 	}
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@ -84,16 +84,15 @@ type azurePayload struct {
 // and https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
 type Azure struct {
 	*base
-	Type                   string      `json:"type"`
-	Name                   string      `json:"name"`
-	TenantID               string      `json:"tenantID"`
-	ResourceGroups         []string    `json:"resourceGroups"`
-	Audience               string      `json:"audience,omitempty"`
-	DisableCustomSANs      bool        `json:"disableCustomSANs"`
-	DisableTrustOnFirstUse bool        `json:"disableTrustOnFirstUse"`
-	Claims                 *Claims     `json:"claims,omitempty"`
-	Options                *Options    `json:"options,omitempty"`
-	SSHOptions             *SSHOptions `json:"sshOptions,omitempty"`
+	Type                   string   `json:"type"`
+	Name                   string   `json:"name"`
+	TenantID               string   `json:"tenantID"`
+	ResourceGroups         []string `json:"resourceGroups"`
+	Audience               string   `json:"audience,omitempty"`
+	DisableCustomSANs      bool     `json:"disableCustomSANs"`
+	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
+	Claims                 *Claims  `json:"claims,omitempty"`
+	Options                *Options `json:"options,omitempty"`
 	claimer                *Claimer
 	config                 *azureConfig
 	oidcConfig             openIDConfiguration
@ -367,7 +366,7 @@ func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 		data.SetToken(v)
 	}

-	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
+	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, defaultTemplate)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
 	}
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@ -78,16 +78,15 @@ func newGCPConfig() *gcpConfig {
 // https://cloud.google.com/compute/docs/instances/verifying-instance-identity
 type GCP struct {
 	*base
-	Type                   string      `json:"type"`
-	Name                   string      `json:"name"`
-	ServiceAccounts        []string    `json:"serviceAccounts"`
-	ProjectIDs             []string    `json:"projectIDs"`
-	DisableCustomSANs      bool        `json:"disableCustomSANs"`
-	DisableTrustOnFirstUse bool        `json:"disableTrustOnFirstUse"`
-	InstanceAge            Duration    `json:"instanceAge,omitempty"`
-	Claims                 *Claims     `json:"claims,omitempty"`
-	Options                *Options    `json:"options,omitempty"`
-	SSHOptions             *SSHOptions `json:"sshOptions,omitempty"`
+	Type                   string   `json:"type"`
+	Name                   string   `json:"name"`
+	ServiceAccounts        []string `json:"serviceAccounts"`
+	ProjectIDs             []string `json:"projectIDs"`
+	DisableCustomSANs      bool     `json:"disableCustomSANs"`
+	DisableTrustOnFirstUse bool     `json:"disableTrustOnFirstUse"`
+	InstanceAge            Duration `json:"instanceAge,omitempty"`
+	Claims                 *Claims  `json:"claims,omitempty"`
+	Options                *Options `json:"options,omitempty"`
 	claimer                *Claimer
 	config                 *gcpConfig
 	keyStore               *keyStore
@ -410,7 +409,7 @@ func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		data.SetToken(v)
 	}

-	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, defaultTemplate)
+	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, defaultTemplate)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSSHSign")
 	}
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@ -34,7 +34,6 @@ type JWK struct {
 	EncryptedKey string           `json:"encryptedKey,omitempty"`
 	Claims       *Claims          `json:"claims,omitempty"`
 	Options      *Options         `json:"options,omitempty"`
-	SSHOptions   *SSHOptions      `json:"sshOptions,omitempty"`
 	claimer      *Claimer
 	audiences    Audiences
 }
@ -205,7 +204,7 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,

 	opts := claims.Step.SSH
 	signOptions := []SignOption{
-		// validates user's SSHOptions with the ones in the token
+		// validates user's SignSSHOptions with the ones in the token
 		sshCertOptionsValidator(*opts),
 		// validate users's KeyID is the token subject.
 		sshCertOptionsValidator(SignSSHOptions{KeyID: claims.Subject}),
@ -235,7 +234,7 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		data.SetToken(v)
 	}

-	templateOptions, err := TemplateSSHOptions(p.SSHOptions, data)
+	templateOptions, err := TemplateSSHOptions(p.Options, data)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
 	}
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@ -42,14 +42,13 @@ type k8sSAPayload struct {
 // entity trusted to make signature requests.
 type K8sSA struct {
 	*base
-	Type       string      `json:"type"`
-	Name       string      `json:"name"`
-	PubKeys    []byte      `json:"publicKeys,omitempty"`
-	Claims     *Claims     `json:"claims,omitempty"`
-	Options    *Options    `json:"options,omitempty"`
-	SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
-	claimer    *Claimer
-	audiences  Audiences
+	Type      string   `json:"type"`
+	Name      string   `json:"name"`
+	PubKeys   []byte   `json:"publicKeys,omitempty"`
+	Claims    *Claims  `json:"claims,omitempty"`
+	Options   *Options `json:"options,omitempty"`
+	claimer   *Claimer
+	audiences Audiences
 	//kauthn    kauthn.AuthenticationV1Interface
 	pubKeys []interface{}
 }
@ -263,7 +262,7 @@ func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 		data.SetToken(v)
 	}

-	templateOptions, err := CustomSSHTemplateOptions(p.SSHOptions, data, sshutil.CertificateRequestTemplate)
+	templateOptions, err := CustomSSHTemplateOptions(p.Options, data, sshutil.CertificateRequestTemplate)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSSHSign")
 	}
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@ -54,19 +54,18 @@ type openIDPayload struct {
 // ClientSecret is mandatory, but it can be an empty string.
 type OIDC struct {
 	*base
-	Type                  string      `json:"type"`
-	Name                  string      `json:"name"`
-	ClientID              string      `json:"clientID"`
-	ClientSecret          string      `json:"clientSecret"`
-	ConfigurationEndpoint string      `json:"configurationEndpoint"`
-	TenantID              string      `json:"tenantID,omitempty"`
-	Admins                []string    `json:"admins,omitempty"`
-	Domains               []string    `json:"domains,omitempty"`
-	Groups                []string    `json:"groups,omitempty"`
-	ListenAddress         string      `json:"listenAddress,omitempty"`
-	Claims                *Claims     `json:"claims,omitempty"`
-	Options               *Options    `json:"options,omitempty"`
-	SSHOptions            *SSHOptions `json:"sshOptions,omitempty"`
+	Type                  string   `json:"type"`
+	Name                  string   `json:"name"`
+	ClientID              string   `json:"clientID"`
+	ClientSecret          string   `json:"clientSecret"`
+	ConfigurationEndpoint string   `json:"configurationEndpoint"`
+	TenantID              string   `json:"tenantID,omitempty"`
+	Admins                []string `json:"admins,omitempty"`
+	Domains               []string `json:"domains,omitempty"`
+	Groups                []string `json:"groups,omitempty"`
+	ListenAddress         string   `json:"listenAddress,omitempty"`
+	Claims                *Claims  `json:"claims,omitempty"`
+	Options               *Options `json:"options,omitempty"`
 	configuration         openIDConfiguration
 	keyStore              *keyStore
 	claimer               *Claimer
@ -393,7 +392,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 		data.AddCriticalOption(k, v)
 	}

-	templateOptions, err := TemplateSSHOptions(o.SSHOptions, data)
+	templateOptions, err := TemplateSSHOptions(o.Options, data)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
 	}
--- a/authority/provisioner/options.go
+++ b/authority/provisioner/options.go
@ -25,9 +25,10 @@ func (fn certificateOptionsFunc) Options(so SignOptions) []x509util.Option {
 // each provisioner.
 type Options struct {
 	X509 *X509Options `json:"x509,omitempty"`
+	SSH  *SSHOptions  `json:"ssh,omitempty"`
 }

-// GetX509Options returns the X.509Options
+// GetX509Options returns the X.509 options.
 func (o *Options) GetX509Options() *X509Options {
 	if o == nil {
 		return nil
@ -35,6 +36,14 @@ func (o *Options) GetX509Options() *X509Options {
 	return o.X509
 }

+// GetSSHOptions returns the SSH options.
+func (o *Options) GetSSHOptions() *SSHOptions {
+	if o == nil {
+		return nil
+	}
+	return o.SSH
+}
+
 // X509Options contains specific options for X.509 certificates.
 type X509Options struct {
 	// Template contains a X.509 certificate template. It can be a JSON template
--- a/authority/provisioner/options_test.go
+++ b/authority/provisioner/options_test.go
@ -46,6 +46,28 @@ func TestOptions_GetX509Options(t *testing.T) {
 	}
 }

+func TestOptions_GetSSHOptions(t *testing.T) {
+	type fields struct {
+		o *Options
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   *SSHOptions
+	}{
+		{"ok", fields{&Options{SSH: &SSHOptions{Template: "foo"}}}, &SSHOptions{Template: "foo"}},
+		{"nil", fields{&Options{}}, nil},
+		{"nilOptions", fields{nil}, nil},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.fields.o.GetSSHOptions(); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("Options.GetSSHOptions() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestProvisionerX509Options_HasTemplate(t *testing.T) {
 	type fields struct {
 		Template     string
--- a/authority/provisioner/sign_ssh_options_test.go
+++ b/authority/provisioner/sign_ssh_options_test.go
@ -1,7 +1,6 @@
 package provisioner

 import (
-	"fmt"
 	"reflect"
 	"testing"
 	"time"
@ -40,7 +39,7 @@ func TestSSHOptions_Type(t *testing.T) {

 func TestSSHOptions_Modify(t *testing.T) {
 	type test struct {
-		so    *SignSSHOptions
+		so    SignSSHOptions
 		cert  *ssh.Certificate
 		valid func(*ssh.Certificate)
 		err   error
@ -48,21 +47,21 @@ func TestSSHOptions_Modify(t *testing.T) {
 	tests := map[string](func() test){
 		"fail/unexpected-cert-type": func() test {
 			return test{
-				so:   &SignSSHOptions{CertType: "foo"},
+				so:   SignSSHOptions{CertType: "foo"},
 				cert: new(ssh.Certificate),
 				err:  errors.Errorf("ssh certificate has an unknown type - foo"),
 			}
 		},
 		"fail/validAfter-greater-validBefore": func() test {
 			return test{
-				so:   &SignSSHOptions{CertType: "user"},
+				so:   SignSSHOptions{CertType: "user"},
 				cert: &ssh.Certificate{ValidAfter: uint64(15), ValidBefore: uint64(10)},
 				err:  errors.Errorf("ssh certificate valid after cannot be greater than valid before"),
 			}
 		},
 		"ok/user-cert": func() test {
 			return test{
-				so:   &SignSSHOptions{CertType: "user"},
+				so:   SignSSHOptions{CertType: "user"},
 				cert: new(ssh.Certificate),
 				valid: func(cert *ssh.Certificate) {
 					assert.Equals(t, cert.CertType, uint32(ssh.UserCert))
@ -71,7 +70,7 @@ func TestSSHOptions_Modify(t *testing.T) {
 		},
 		"ok/host-cert": func() test {
 			return test{
-				so:   &SignSSHOptions{CertType: "host"},
+				so:   SignSSHOptions{CertType: "host"},
 				cert: new(ssh.Certificate),
 				valid: func(cert *ssh.Certificate) {
 					assert.Equals(t, cert.CertType, uint32(ssh.HostCert))
@ -81,7 +80,7 @@ func TestSSHOptions_Modify(t *testing.T) {
 		"ok": func() test {
 			va := time.Now().Add(5 * time.Minute)
 			vb := time.Now().Add(1 * time.Hour)
-			so := &SignSSHOptions{CertType: "host", KeyID: "foo", Principals: []string{"foo", "bar"},
+			so := SignSSHOptions{CertType: "host", KeyID: "foo", Principals: []string{"foo", "bar"},
 				ValidAfter: NewTimeDuration(va), ValidBefore: NewTimeDuration(vb)}
 			return test{
 				so:   so,
@ -99,7 +98,7 @@ func TestSSHOptions_Modify(t *testing.T) {
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
-			if err := tc.so.Modify(tc.cert); err != nil {
+			if err := tc.so.Modify(tc.cert, tc.so); err != nil {
 				if assert.NotNil(t, tc.err) {
 					assert.HasPrefix(t, err.Error(), tc.err.Error())
 				}
@ -222,7 +221,7 @@ func Test_sshCertPrincipalsModifier_Modify(t *testing.T) {
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
-			if assert.Nil(t, tc.modifier.Modify(tc.cert)) {
+			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
 				assert.Equals(t, tc.cert.ValidPrincipals, tc.expected)
 			}
 		})
@ -248,7 +247,7 @@ func Test_sshCertKeyIDModifier_Modify(t *testing.T) {
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
-			if assert.Nil(t, tc.modifier.Modify(tc.cert)) {
+			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
 				assert.Equals(t, tc.cert.KeyId, tc.expected)
 			}
 		})
@ -287,7 +286,7 @@ func Test_sshCertTypeModifier_Modify(t *testing.T) {
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
-			if assert.Nil(t, tc.modifier.Modify(tc.cert)) {
+			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
 				assert.Equals(t, tc.cert.CertType, uint32(tc.expected))
 			}
 		})
@ -312,7 +311,7 @@ func Test_sshCertValidAfterModifier_Modify(t *testing.T) {
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
-			if assert.Nil(t, tc.modifier.Modify(tc.cert)) {
+			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
 				assert.Equals(t, tc.cert.ValidAfter, tc.expected)
 			}
 		})
@ -375,7 +374,7 @@ func Test_sshCertDefaultsModifier_Modify(t *testing.T) {
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
-			if assert.Nil(t, tc.modifier.Modify(tc.cert)) {
+			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
 				tc.valid(tc.cert)
 			}
 		})
@ -476,7 +475,7 @@ func Test_sshDefaultExtensionModifier_Modify(t *testing.T) {
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
-			if err := tc.modifier.Modify(tc.cert); err != nil {
+			if err := tc.modifier.Modify(tc.cert, SignSSHOptions{}); err != nil {
 				if assert.NotNil(t, tc.err) {
 					assert.HasPrefix(t, err.Error(), tc.err.Error())
 				}
@ -908,7 +907,7 @@ func Test_sshValidityModifier(t *testing.T) {
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tt := run()
-			if err := tt.svm.Option(SignSSHOptions{}).Modify(tt.cert); err != nil {
+			if err := tt.svm.Modify(tt.cert, SignSSHOptions{}); err != nil {
 				if assert.NotNil(t, tt.err) {
 					assert.HasPrefix(t, err.Error(), tt.err.Error())
 				}
@ -921,28 +920,6 @@ func Test_sshValidityModifier(t *testing.T) {
 	}
 }

-func Test_sshModifierFunc_Modify(t *testing.T) {
-	type args struct {
-		cert *ssh.Certificate
-	}
-	tests := []struct {
-		name    string
-		f       sshModifierFunc
-		args    args
-		wantErr bool
-	}{
-		{"ok", func(cert *ssh.Certificate) error { return nil }, args{&ssh.Certificate{}}, false},
-		{"fail", func(cert *ssh.Certificate) error { return fmt.Errorf("an error") }, args{&ssh.Certificate{}}, true},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.f.Modify(tt.args.cert); (err != nil) != tt.wantErr {
-				t.Errorf("sshModifierFunc.Modify() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}
-
 func Test_sshDefaultDuration_Option(t *testing.T) {
 	tm, fn := mockNow()
 	defer fn()
@ -998,8 +975,7 @@ func Test_sshDefaultDuration_Option(t *testing.T) {
 			m := &sshDefaultDuration{
 				Claimer: tt.fields.Claimer,
 			}
-			v := m.Option(tt.args.o)
-			if err := v.Modify(tt.args.cert); (err != nil) != tt.wantErr {
+			if err := m.Modify(tt.args.cert, tt.args.o); (err != nil) != tt.wantErr {
 				t.Errorf("sshDefaultDuration.Option() error = %v, wantErr %v", err, tt.wantErr)
 			}
 			if !reflect.DeepEqual(tt.args.cert, tt.want) {
@ -1008,32 +984,3 @@ func Test_sshDefaultDuration_Option(t *testing.T) {
 		})
 	}
 }
-
-func Test_sshLimitDuration_Option(t *testing.T) {
-	type fields struct {
-		Claimer  *Claimer
-		NotAfter time.Time
-	}
-	type args struct {
-		o SignSSHOptions
-	}
-	tests := []struct {
-		name   string
-		fields fields
-		args   args
-		want   SSHCertModifier
-	}{
-		// TODO: Add test cases.
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			m := &sshLimitDuration{
-				Claimer:  tt.fields.Claimer,
-				NotAfter: tt.fields.NotAfter,
-			}
-			if got := m.Option(tt.args.o); !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("sshLimitDuration.Option() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
--- a/authority/provisioner/ssh_options.go
+++ b/authority/provisioner/ssh_options.go
@ -44,7 +44,7 @@ func (o *SSHOptions) HasTemplate() bool {
 // defined in the ProvisionerOptions, the provisioner generated data, and the
 // user data provided in the request. If no template has been provided,
 // x509util.DefaultLeafTemplate will be used.
-func TemplateSSHOptions(o *SSHOptions, data sshutil.TemplateData) (SSHCertificateOptions, error) {
+func TemplateSSHOptions(o *Options, data sshutil.TemplateData) (SSHCertificateOptions, error) {
 	return CustomSSHTemplateOptions(o, data, sshutil.DefaultCertificate)
 }

@ -52,15 +52,16 @@ func TemplateSSHOptions(o *SSHOptions, data sshutil.TemplateData) (SSHCertificat
 // defined in the ProvisionerOptions, the provisioner generated data and the
 // user data provided in the request. If no template has been provided in the
 // ProvisionerOptions, the given template will be used.
-func CustomSSHTemplateOptions(o *SSHOptions, data sshutil.TemplateData, defaultTemplate string) (SSHCertificateOptions, error) {
-	if o != nil {
-		if data == nil {
-			data = sshutil.NewTemplateData()
-		}
+func CustomSSHTemplateOptions(o *Options, data sshutil.TemplateData, defaultTemplate string) (SSHCertificateOptions, error) {
+	opts := o.GetSSHOptions()
+	if data == nil {
+		data = sshutil.NewTemplateData()
+	}

+	if opts != nil {
 		// Add template data if any.
-		if len(o.TemplateData) > 0 {
-			if err := json.Unmarshal(o.TemplateData, &data); err != nil {
+		if len(opts.TemplateData) > 0 {
+			if err := json.Unmarshal(opts.TemplateData, &data); err != nil {
 				return nil, errors.Wrap(err, "error unmarshaling template data")
 			}
 		}
@ -68,7 +69,7 @@ func CustomSSHTemplateOptions(o *SSHOptions, data sshutil.TemplateData, defaultT

 	return sshCertificateOptionsFunc(func(so SignSSHOptions) []sshutil.Option {
 		// We're not provided user data without custom templates.
-		if !o.HasTemplate() {
+		if !opts.HasTemplate() {
 			return []sshutil.Option{
 				sshutil.WithTemplate(defaultTemplate, data),
 			}
@ -85,15 +86,15 @@ func CustomSSHTemplateOptions(o *SSHOptions, data sshutil.TemplateData, defaultT
 		}

 		// Load a template from a file if Template is not defined.
-		if o.Template == "" && o.TemplateFile != "" {
+		if opts.Template == "" && opts.TemplateFile != "" {
 			return []sshutil.Option{
-				sshutil.WithTemplateFile(o.TemplateFile, data),
+				sshutil.WithTemplateFile(opts.TemplateFile, data),
 			}
 		}

 		// Load a template from the Template fields
 		// 1. As a JSON in a string.
-		template := strings.TrimSpace(o.Template)
+		template := strings.TrimSpace(opts.Template)
 		if strings.HasPrefix(template, "{") {
 			return []sshutil.Option{
 				sshutil.WithTemplate(template, data),
--- a/authority/provisioner/ssh_test.go
+++ b/authority/provisioner/ssh_test.go
@ -53,9 +53,6 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si
 		// modify the ssh.Certificate
 		case SSHCertModifier:
 			mods = append(mods, o)
-		// modify the ssh.Certificate given the SSHOptions
-		case SSHCertOptionModifier:
-			mods = append(mods, o.Option(opts))
 		// validate the ssh.Certificate
 		case SSHCertValidator:
 			validators = append(validators, o)
@ -77,13 +74,13 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si
 	}

 	// Use opts to modify the certificate
-	if err := opts.Modify(cert); err != nil {
+	if err := opts.Modify(cert, opts); err != nil {
 		return nil, err
 	}

 	// Use provisioner modifiers
 	for _, m := range mods {
-		if err := m.Modify(cert); err != nil {
+		if err := m.Modify(cert, opts); err != nil {
 			return nil, err
 		}
 	}
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@ -26,15 +26,14 @@ type x5cPayload struct {
 // signature requests.
 type X5C struct {
 	*base
-	Type       string      `json:"type"`
-	Name       string      `json:"name"`
-	Roots      []byte      `json:"roots"`
-	Claims     *Claims     `json:"claims,omitempty"`
-	Options    *Options    `json:"options,omitempty"`
-	SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
-	claimer    *Claimer
-	audiences  Audiences
-	rootPool   *x509.CertPool
+	Type      string   `json:"type"`
+	Name      string   `json:"name"`
+	Roots     []byte   `json:"roots"`
+	Claims    *Claims  `json:"claims,omitempty"`
+	Options   *Options `json:"options,omitempty"`
+	claimer   *Claimer
+	audiences Audiences
+	rootPool  *x509.CertPool
 }

 // GetID returns the provisioner unique identifier. The name and credential id
@ -277,7 +276,7 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		data.SetToken(v)
 	}

-	templateOptions, err := TemplateSSHOptions(p.SSHOptions, data)
+	templateOptions, err := TemplateSSHOptions(p.Options, data)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSSHSign")
 	}