Remove the Principal field from the request

The server will always overwrite this field with the username obtained from
the auth provider. Allowing the client to set it is a waste of time.

4 files changed, 9 insertions, 13 deletions

diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go
index e3aec93..e71c126 100644
--- a/cmd/cashierd/main.go
+++ b/cmd/cashierd/main.go
@@ -159,9 +159,9 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 	if err != nil {
 		return http.StatusInternalServerError, err
 	}
-	req.Principal = a.authprovider.Username(token)
+	username := a.authprovider.Username(token)
 	a.authprovider.Revoke(token) // We don't need this anymore.
-	cert, err := a.sshKeySigner.SignUserKey(req)
+	cert, err := a.sshKeySigner.SignUserKey(req, username)
 	if err != nil {
 		return http.StatusInternalServerError, err
 	}
diff --git a/lib/const.go b/lib/const.go
index fd771a0..1ba2749 100644
--- a/lib/const.go
+++ b/lib/const.go
@@ -5,7 +5,6 @@ import "time"
 // SignRequest represents a signing request sent to the server.
 type SignRequest struct {
 	Key        string    `json:"key"`
-	Principal  string    `json:"principal"`
 	ValidUntil time.Time `json:"valid_until"`
 }
 
diff --git a/server/signer/signer.go b/server/signer/signer.go
index 0bff1c3..5ee170a 100644
--- a/server/signer/signer.go
+++ b/server/signer/signer.go
@@ -27,7 +27,7 @@ type KeySigner struct {
 }
 
 // SignUserKey returns a signed ssh certificate.
-func (s *KeySigner) SignUserKey(req *lib.SignRequest) (*ssh.Certificate, error) {
+func (s *KeySigner) SignUserKey(req *lib.SignRequest, username string) (*ssh.Certificate, error) {
 	pubkey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(req.Key))
 	if err != nil {
 		return nil, err
@@ -39,11 +39,11 @@ func (s *KeySigner) SignUserKey(req *lib.SignRequest) (*ssh.Certificate, error)
 	cert := &ssh.Certificate{
 		CertType:    ssh.UserCert,
 		Key:         pubkey,
-		KeyId:       fmt.Sprintf("%s_%d", req.Principal, time.Now().UTC().Unix()),
+		KeyId:       fmt.Sprintf("%s_%d", username, time.Now().UTC().Unix()),
 		ValidBefore: uint64(req.ValidUntil.Unix()),
 		ValidAfter:  uint64(time.Now().UTC().Add(-5 * time.Minute).Unix()),
 	}
-	cert.ValidPrincipals = append(cert.ValidPrincipals, req.Principal)
+	cert.ValidPrincipals = append(cert.ValidPrincipals, username)
 	cert.ValidPrincipals = append(cert.ValidPrincipals, s.principals...)
 	cert.Extensions = s.permissions
 	if err := cert.SignCert(rand.Reader, s.ca); err != nil {
diff --git a/server/signer/signer_test.go b/server/signer/signer_test.go
index 805f0fc..cdfb4ca 100644
--- a/server/signer/signer_test.go
+++ b/server/signer/signer_test.go
@@ -27,10 +27,9 @@ func TestCert(t *testing.T) {
 	t.Parallel()
 	r := &lib.SignRequest{
 		Key:        string(testdata.Pub),
-		Principal:  "gopher1",
 		ValidUntil: time.Now().Add(1 * time.Hour),
 	}
-	cert, err := signer.SignUserKey(r)
+	cert, err := signer.SignUserKey(r, "gopher1")
 	if err != nil {
 		t.Error(err)
 	}
@@ -38,7 +37,7 @@ func TestCert(t *testing.T) {
 		t.Error("Cert signer and server signer don't match")
 	}
 	var principals []string
-	principals = append(principals, r.Principal)
+	principals = append(principals, "gopher1")
 	principals = append(principals, signer.principals...)
 	if !reflect.DeepEqual(cert.ValidPrincipals, principals) {
 		t.Errorf("Expected %s, got %s", cert.ValidPrincipals, principals)
@@ -57,12 +56,10 @@ func TestRevocationList(t *testing.T) {
 	t.Parallel()
 	r := &lib.SignRequest{
 		Key:        string(testdata.Pub),
-		Principal:  "revoked",
 		ValidUntil: time.Now().Add(1 * time.Hour),
 	}
-	cert1, _ := signer.SignUserKey(r)
-	r.Principal = "ok"
-	cert2, _ := signer.SignUserKey(r)
+	cert1, _ := signer.SignUserKey(r, "revoked")
+	cert2, _ := signer.SignUserKey(r, "ok")
 	var rec []*store.CertRecord
 	rec = append(rec, &store.CertRecord{
 		KeyID: cert1.KeyId,