crypt/step-ca-cli
1
0
Fork 0
mirror of https://github.com/smallstep/cli.git synced 2025-08-09 03:22:43 +03:00
Code Activity

Remove principals when OIDC provisioner is used.

Browse Source 
OIDC provisioners use an identity function to get the principals
for a given email, so there's no need to provide principals.
Moreover, if the email and principal does not match
`step ssh proxycommand` will fail if the username does not match
the email address.

For an unknown reason this feature was removed in an unrelated
commit: smallstep/cli@2c9b200

Fixes smallstep/certificates#550
This commit is contained in:
Mariano Cano
2021-04-28 19:37:36 -07:00
parent de0076bf01
commit 0c3921f1aa
2 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
command/ssh/login.go
View File

@@ -202,6 +202,7 @@ func loginAction(ctx *cli.Context) error {
// provisioner is responsible for setting default principals by using an // provisioner is responsible for setting default principals by using an
// identity function. // identity function.
if email, ok := tokenHasEmail(token); ok { if email, ok := tokenHasEmail(token); ok {
principals = []string{}
subject = email subject = email
} }

1
command/ssh/proxycommand.go
View File

@@ -147,6 +147,7 @@ func doLoginIfNeeded(ctx *cli.Context, subject string) error {
// provisioner is responsible for setting default principals by using an // provisioner is responsible for setting default principals by using an
// identity function. // identity function.
if email, ok := tokenHasEmail(token); ok { if email, ok := tokenHasEmail(token); ok {
principals = []string{}
subject = email subject = email
} }