|
|
|
@ -56,6 +56,7 @@ type K8sSA struct {
|
|
|
|
|
ctl *Controller
|
|
|
|
|
x509Policy policy.X509Policy
|
|
|
|
|
sshHostPolicy policy.HostPolicy
|
|
|
|
|
sshUserPolicy policy.UserPolicy
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetID returns the provisioner unique identifier. The name and credential id
|
|
|
|
@ -148,6 +149,11 @@ func (p *K8sSA) Init(config Config) (err error) {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Initialize the SSH allow/deny policy engine for user certificates
|
|
|
|
|
if p.sshUserPolicy, err = policy.NewSSHUserPolicyEngine(p.Options.GetSSHOptions()); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Initialize the SSH allow/deny policy engine for host certificates
|
|
|
|
|
if p.sshHostPolicy, err = policy.NewSSHHostPolicyEngine(p.Options.GetSSHOptions()); err != nil {
|
|
|
|
|
return err
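Review bot: The added `return err` on the NewSSHUserPolicyEngine failure path (like the pre-existing one for the host engine just below it) passes the policy package's error up unchanged, so a malformed allow/deny entry in a k8sSA provisioner's SSH options surfaces at CA startup without saying which engine or provisioner rejected it. Wrapping at this layer, e.g. `return fmt.Errorf("initializing SSH user policy engine: %w", err)`, names the source while keeping the chain usable with errors.Is/errors.As; whether `fmt` is imported here, or which wrapping helper this file otherwise uses, is not visible in the hunk, so match the surrounding convention. The `Init` method starts before and continues after this hunk.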
|
|
|
|
@ -298,7 +304,7 @@ func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
|
|
|
|
|
// Require and validate all the default fields in the SSH certificate.
|
|
|
|
|
&sshCertDefaultValidator{},
|
|
|
|
|
// Ensure that all principal names are allowed
|
|
|
|
|
newSSHNamePolicyValidator(p.sshHostPolicy, nil),
|
|
|
|
|
newSSHNamePolicyValidator(p.sshHostPolicy, p.sshUserPolicy),
|
|
|
|
|
), nil
|
|
|
|
|
}
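Review bot: The comment above the new `newSSHNamePolicyValidator(p.sshHostPolicy, p.sshUserPolicy)` call still reads as if a single policy applies, while the change now enforces the user principal policy on user certificates issued through k8sSA, which previously passed `nil` and so were never checked against the provisioner's user allow/deny lists; I'd change it to `// Ensure that all principal names are allowed by the host policy (host certs) or the user policy (user certs).` What the validator does when either engine is nil — no policy configured, or the provisioner used before Init — is decided inside newSSHNamePolicyValidator, which is outside this hunk; if nil means "allow all", a short comment here stating that would stop a later reader from taking it for a denial. A test that requests a user certificate whose principal is on the user deny list through this provisioner would pin the fix. AuthorizeSSHSign begins before this hunk.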
|
|
|
|
|
|
|
|
|
|