authorNiall Sheridan <nsheridan@gmail.com>2016-09-01 22:28:12 +0100
committerNiall Sheridan <nsheridan@gmail.com>2016-09-01 22:28:12 +0100
commitdba3de4451f29fc0b8cb6474b9bbb18ed61d9eac (patch)
treea7735c443b922735821f1e8af141f46dbb68f1ff
parent9c58d4d6a324ed8422ef691471868d760b64f7bd (diff)
Remove the Principal field from the request
The server will always overwrite this field with the username obtained from the auth provider. Allowing the client to set it is a waste of time.
-rw-r--r--cmd/cashierd/main.go4
-rw-r--r--lib/const.go1
-rw-r--r--server/signer/signer.go6
-rw-r--r--server/signer/signer_test.go11
4 files changed, 9 insertions, 13 deletions
diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go
index e3aec93..e71c126 100644
--- a/cmd/cashierd/main.go
+++ b/cmd/cashierd/main.go
@@ -159,9 +159,9 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
if err != nil {
return http.StatusInternalServerError, err
}
- req.Principal = a.authprovider.Username(token)
+ username := a.authprovider.Username(token)
a.authprovider.Revoke(token) // We don't need this anymore.
- cert, err := a.sshKeySigner.SignUserKey(req)
+ cert, err := a.sshKeySigner.SignUserKey(req, username)
if err != nil {
return http.StatusInternalServerError, err
}
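Review bot: The value returned by `a.authprovider.Username(token)` on the new line is handed to SignUserKey without any check; if the provider can return an empty string (for instance when the token is unknown or expired), the handler would still mint a certificate whose first ValidPrincipal and KeyId prefix are empty. Whether Username can return "" is not visible in this hunk and should be confirmed against the auth provider, but a guard before the Revoke call is cheap: `if username == "" { return http.StatusUnauthorized, errors.New("no username for token") }` (importing errors if the file does not already). The same unchecked username is appended to cert.ValidPrincipals in the server/signer/signer.go hunk, so SignUserKey could reject an empty username as well. signHandler starts before this hunk and continues after it.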
diff --git a/lib/const.go b/lib/const.go
index fd771a0..1ba2749 100644
--- a/lib/const.go
+++ b/lib/const.go
@@ -5,7 +5,6 @@ import "time"
// SignRequest represents a signing request sent to the server.
type SignRequest struct {
Key string `json:"key"`
- Principal string `json:"principal"`
ValidUntil time.Time `json:"valid_until"`
}
diff --git a/server/signer/signer.go b/server/signer/signer.go
index 0bff1c3..5ee170a 100644
--- a/server/signer/signer.go
+++ b/server/signer/signer.go
@@ -27,7 +27,7 @@ type KeySigner struct {
}
// SignUserKey returns a signed ssh certificate.
-func (s *KeySigner) SignUserKey(req *lib.SignRequest) (*ssh.Certificate, error) {
+func (s *KeySigner) SignUserKey(req *lib.SignRequest, username string) (*ssh.Certificate, error) {
pubkey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(req.Key))
if err != nil {
return nil, err
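Review bot: The doc comment above the new signature still reads `// SignUserKey returns a signed ssh certificate.` and says nothing about the added username parameter, which now decides the certificate's identity instead of anything in req. Suggest `// SignUserKey returns a signed ssh certificate for req.Key. username is the authenticated user as determined by the caller; it becomes the first entry of ValidPrincipals and prefixes the KeyId.` so callers know the value must come from the auth provider rather than the request. SignUserKey continues past the end of this hunk.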
@@ -39,11 +39,11 @@ func (s *KeySigner) SignUserKey(req *lib.SignRequest) (*ssh.Certificate, error)
cert := &ssh.Certificate{
CertType: ssh.UserCert,
Key: pubkey,
- KeyId: fmt.Sprintf("%s_%d", req.Principal, time.Now().UTC().Unix()),
+ KeyId: fmt.Sprintf("%s_%d", username, time.Now().UTC().Unix()),
ValidBefore: uint64(req.ValidUntil.Unix()),
ValidAfter: uint64(time.Now().UTC().Add(-5 * time.Minute).Unix()),
}
- cert.ValidPrincipals = append(cert.ValidPrincipals, req.Principal)
+ cert.ValidPrincipals = append(cert.ValidPrincipals, username)
cert.ValidPrincipals = append(cert.ValidPrincipals, s.principals...)
cert.Extensions = s.permissions
if err := cert.SignCert(rand.Reader, s.ca); err != nil {
diff --git a/server/signer/signer_test.go b/server/signer/signer_test.go
index 805f0fc..cdfb4ca 100644
--- a/server/signer/signer_test.go
+++ b/server/signer/signer_test.go
@@ -27,10 +27,9 @@ func TestCert(t *testing.T) {
t.Parallel()
r := &lib.SignRequest{
Key: string(testdata.Pub),
- Principal: "gopher1",
ValidUntil: time.Now().Add(1 * time.Hour),
}
- cert, err := signer.SignUserKey(r)
+ cert, err := signer.SignUserKey(r, "gopher1")
if err != nil {
t.Error(err)
}
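Review bot: The literal `"gopher1"` now appears twice in TestCert, here in the SignUserKey call and again in the next hunk at `principals = append(principals, "gopher1")`, where the test previously read it back from r.Principal. A local `const username = "gopher1"` at the top of the test, used in both places, keeps the signed value and the expected principals list in step if either is edited later. TestCert starts before this hunk and continues after it.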
@@ -38,7 +37,7 @@ func TestCert(t *testing.T) {
t.Error("Cert signer and server signer don't match")
}
var principals []string
- principals = append(principals, r.Principal)
+ principals = append(principals, "gopher1")
principals = append(principals, signer.principals...)
if !reflect.DeepEqual(cert.ValidPrincipals, principals) {
t.Errorf("Expected %s, got %s", cert.ValidPrincipals, principals)
@@ -57,12 +56,10 @@ func TestRevocationList(t *testing.T) {
t.Parallel()
r := &lib.SignRequest{
Key: string(testdata.Pub),
- Principal: "revoked",
ValidUntil: time.Now().Add(1 * time.Hour),
}
- cert1, _ := signer.SignUserKey(r)
- r.Principal = "ok"
- cert2, _ := signer.SignUserKey(r)
+ cert1, _ := signer.SignUserKey(r, "revoked")
+ cert2, _ := signer.SignUserKey(r, "ok")
var rec []*store.CertRecord
rec = append(rec, &store.CertRecord{
KeyID: cert1.KeyId,