
Remove principals on OIDC and write identity in proxycommand.

This commit is contained in:
Mariano Cano
2019-11-21 12:08:47 -08:00
committed by max furman
parent 72c9890c82
commit e5cf3de1f5
3 changed files with 53 additions and 0 deletions


@@ -197,6 +197,14 @@ func loginAction(ctx *cli.Context) error {
identityKey = key identityKey = key
} }
// NOTE: For OIDC token the principals should be completely empty. The OIDC
// provisioner is responsible for setting default principals by using an
// identity function.
if email, ok := tokenHasEmail(token); ok {
principals = []string{}
subject = email
}
resp, err := caClient.SSHSign(&api.SSHSignRequest{ resp, err := caClient.SSHSign(&api.SSHSignRequest{
PublicKey: sshPub.Marshal(), PublicKey: sshPub.Marshal(),
OTT: token, OTT: token,
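Review bot: The override at L23-L26 keys on the token carrying an `email` claim, not on the provisioner type that the comment describes, so any principals set earlier in loginAction (presumably from a flag; the function starts and ends outside this hunk) are silently replaced with `[]string{}` for every token that happens to include an email, OIDC or not. Because `tokenHasEmail` parses the token without verifying it, the user also gets no signal that the requested principals were discarded. Consider surfacing that instead of dropping the values quietly, e.g. `if len(principals) > 0 { return errors.New("principals cannot be set when the token carries an email claim; the OIDC provisioner assigns them") }` before clearing, or at least make the comment match the condition: `// Any token carrying an email claim is treated as an OIDC token: principals are cleared so the provisioner's identity function assigns them.` The explicit `[]string{}` rather than nil is presumably deliberate so the request encodes an empty list rather than null; a word on that in the comment would stop a later cleanup from "simplifying" it.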


@@ -1,6 +1,7 @@
package ssh package ssh
import ( import (
"crypto"
"encoding/json" "encoding/json"
"io" "io"
"net" "net"
@@ -13,6 +14,7 @@ import (
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/api" "github.com/smallstep/certificates/api"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/ca"
"github.com/smallstep/cli/command" "github.com/smallstep/cli/command"
"github.com/smallstep/cli/crypto/keys" "github.com/smallstep/cli/crypto/keys"
"github.com/smallstep/cli/crypto/sshutil" "github.com/smallstep/cli/crypto/sshutil"
@@ -146,11 +148,36 @@ func doLoginIfNeeded(ctx *cli.Context, subject string) error {
return err return err
} }
// NOTE: For OIDC token the principals should be completely empty. The OIDC
// provisioner is responsible for setting default principals by using an
// identity function.
if email, ok := tokenHasEmail(token); ok {
principals = []string{}
subject = email
}
caClient, err := flow.GetClient(ctx, token) caClient, err := flow.GetClient(ctx, token)
if err != nil { if err != nil {
return err return err
} }
version, err := caClient.Version()
if err != nil {
return err
}
// Generate identity certificate (x509) if necessary
var identityCSR api.CertificateRequest
var identityKey crypto.PrivateKey
if version.RequireClientAuthentication {
csr, key, err := ca.NewIdentityRequest(subject)
if err != nil {
return err
}
identityCSR = *csr
identityKey = key
}
// Generate keypair // Generate keypair
pub, priv, err := keys.GenerateDefaultKeyPair() pub, priv, err := keys.GenerateDefaultKeyPair()
if err != nil { if err != nil {
@@ -170,11 +197,19 @@ func doLoginIfNeeded(ctx *cli.Context, subject string) error {
CertType: provisioner.SSHUserCert, CertType: provisioner.SSHUserCert,
ValidAfter: validAfter, ValidAfter: validAfter,
ValidBefore: validBefore, ValidBefore: validBefore,
IdentityCSR: identityCSR,
}) })
if err != nil { if err != nil {
return err return err
} }
// Write x509 identity certificate
if version.RequireClientAuthentication {
if err := ca.WriteDefaultIdentity(resp.IdentityCertificate, identityKey); err != nil {
return err
}
}
// Add certificate and private key to agent // Add certificate and private key to agent
if err := agent.AddCertificate(subject, resp.Certificate.Certificate, priv); err != nil { if err := agent.AddCertificate(subject, resp.Certificate.Certificate, priv); err != nil {
return err return err
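Review bot: `ca.WriteDefaultIdentity(resp.IdentityCertificate, identityKey)` at L91 runs whenever the CA advertised `RequireClientAuthentication`, but nothing checks that the sign response actually contains an identity certificate before the freshly generated private key is persisted alongside it; if the CA can answer without one (the response type is not visible here), the writer receives a zero value. A guard before the write, checking that `resp.IdentityCertificate` is populated and otherwise returning an error such as `errors.New("ca did not return an identity certificate")`, would keep a half-written identity off disk. The hunk also does not show where or with what file mode `WriteDefaultIdentity` stores the key — presumably a 0600 file under the step path, but worth confirming since this becomes the client's long-lived mTLS credential. The email/principals override at L54-L57 is duplicated verbatim from loginAction; a small shared helper would keep the two in step. doLoginIfNeeded begins before this hunk and continues past it.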


@@ -194,3 +194,13 @@ func loginOnUnauthorized(ctx *cli.Context) (ca.RetryFunc, error) {
return true return true
}, nil }, nil
} }
// tokenHasEmail returns if the token payload has an email address. This is
// mainly used on OIDC token.
func tokenHasEmail(s string) (string, bool) {
jwt, err := token.ParseInsecure(s)
if err != nil {
return "", false
}
return jwt.Payload.Email, jwt.Payload.Email != ""
}
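Review bot: The doc comment on `tokenHasEmail` does not say that the token is parsed with `token.ParseInsecure`, i.e. without signature verification, so a reader of the callers (which feed the returned email into `subject` and on to `ca.NewIdentityRequest`) could take the value for authenticated. That is acceptable client-side as long as the CA validates the token when it signs (presumably so, but not visible here), yet the contract should be explicit, and "returns if" should read "reports whether". Suggested comment: `// tokenHasEmail reports whether the JWT payload carries a non-empty email claim and returns it. The token is parsed without signature verification (ParseInsecure), so the value is only a hint for choosing subject and principals; the CA is expected to validate the token before signing. Mainly used for OIDC tokens.`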