From d8776d8f7f86f3e9de55f6e9bfe4d5a2532e253a Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Fri, 1 Apr 2022 15:37:48 +0200
Subject: [PATCH] Add K8sSA SSH user policy back

According to the docs, the K8sSA provisioner can be configured to issue SSH user certs.
---
 authority/provisioner/k8sSA.go | 8 +++++++-
 policy/options_test.go | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go
index ec813b6c..b127ed13 100644
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@@ -56,6 +56,7 @@ type K8sSA struct {
 	ctl *Controller
 	x509Policy policy.X509Policy
 	sshHostPolicy policy.HostPolicy
+	sshUserPolicy policy.UserPolicy
 }
 
 // GetID returns the provisioner unique identifier. The name and credential id
@@ -148,6 +149,11 @@ func (p *K8sSA) Init(config Config) (err error) {
 		return err
 	}
 
+	// Initialize the SSH allow/deny policy engine for user certificates
+	if p.sshUserPolicy, err = policy.NewSSHUserPolicyEngine(p.Options.GetSSHOptions()); err != nil {
+		return err
+	}
+
 	// Initialize the SSH allow/deny policy engine for host certificates
 	if p.sshHostPolicy, err = policy.NewSSHHostPolicyEngine(p.Options.GetSSHOptions()); err != nil {
 		return err
@@ -298,7 +304,7 @@ func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 		// Require and validate all the default fields in the SSH certificate.
 		&sshCertDefaultValidator{},
 		// Ensure that all principal names are allowed
-		newSSHNamePolicyValidator(p.sshHostPolicy, nil),
+		newSSHNamePolicyValidator(p.sshHostPolicy, p.sshUserPolicy),
 	), nil
 }
diff --git a/policy/options_test.go b/policy/options_test.go
index b7390545..74982fd8 100644
--- a/policy/options_test.go
+++ b/policy/options_test.go
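Review bot: The restored user-principal enforcement on the `newSSHNamePolicyValidator(p.sshHostPolicy, p.sshUserPolicy)` line in the AuthorizeSSHSign hunk has no test in this commit — the diffstat touches only k8sSA.go and policy/options_test.go — so nothing would catch the second argument regressing to nil, which is the very state this commit says it is fixing. A regression test that configures an SSH user allow list on a K8sSA provisioner and asserts that the options returned by AuthorizeSSHSign reject a user certificate whose principal is outside that list would pin the behaviour. Until such a test exists, a comment on that line would at least make the invariant visible: `// Both policies must be passed; a nil user policy previously left user-certificate principals without a policy check`. AuthorizeSSHSign's body starts outside the hunk, so how the validator treats a nil p.sshUserPolicy when no user options are configured is not visible here; the host policy line has the same shape, so presumably it is handled the same way.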
@@ -135,7 +135,7 @@ func Test_normalizeAndValidateEmailConstraint(t *testing.T) {
 		},
 		{
 			name: "fail/idna-internationalized-domain",
-			constraint: `mail@xn--bla.local`,
+			constraint: "mail@xn--bla.local",
 			want: "",
 			wantErr: true,
 		},