authorNiall Sheridan <nsheridan@gmail.com>2016-09-01 22:28:12 +0100
committerNiall Sheridan <nsheridan@gmail.com>2016-09-01 22:28:12 +0100
commitdba3de4451f29fc0b8cb6474b9bbb18ed61d9eac (patch)
treea7735c443b922735821f1e8af141f46dbb68f1ff /server
parent9c58d4d6a324ed8422ef691471868d760b64f7bd (diff)
Remove the Principal field from the request
The server will always overwrite this field with the username obtained from the auth provider. Allowing the client to set it is a waste of time.
Diffstat (limited to 'server')
-rw-r--r--server/signer/signer.go6
-rw-r--r--server/signer/signer_test.go11
2 files changed, 7 insertions, 10 deletions
diff --git a/server/signer/signer.go b/server/signer/signer.go
index 0bff1c3..5ee170a 100644
--- a/server/signer/signer.go
+++ b/server/signer/signer.go
@@ -27,7 +27,7 @@ type KeySigner struct {
}
// SignUserKey returns a signed ssh certificate.
-func (s *KeySigner) SignUserKey(req *lib.SignRequest) (*ssh.Certificate, error) {
+func (s *KeySigner) SignUserKey(req *lib.SignRequest, username string) (*ssh.Certificate, error) {
pubkey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(req.Key))
if err != nil {
return nil, err
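Review bot: The new `username` parameter is used without any check, so an empty string would become the certificate's first principal and the `KeyId` prefix in the next hunk (lines 35 and 40); a guard right after the signature, `if username == "" { return nil, fmt.Errorf("signer: empty username") }`, makes the invariant the commit message relies on explicit (fmt is already used on line 34). The doc comment should also say where the value comes from, since that is the whole reason the request field was dropped: `// SignUserKey returns a signed ssh certificate for req.Key. username is the authenticated identity supplied by the auth provider, never by the client; it becomes the certificate's first principal and the prefix of its KeyId.` SignUserKey's body continues past the end of this hunk.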
@@ -39,11 +39,11 @@ func (s *KeySigner) SignUserKey(req *lib.SignRequest) (*ssh.Certificate, error)
cert := &ssh.Certificate{
CertType: ssh.UserCert,
Key: pubkey,
- KeyId: fmt.Sprintf("%s_%d", req.Principal, time.Now().UTC().Unix()),
+ KeyId: fmt.Sprintf("%s_%d", username, time.Now().UTC().Unix()),
ValidBefore: uint64(req.ValidUntil.Unix()),
ValidAfter: uint64(time.Now().UTC().Add(-5 * time.Minute).Unix()),
}
- cert.ValidPrincipals = append(cert.ValidPrincipals, req.Principal)
+ cert.ValidPrincipals = append(cert.ValidPrincipals, username)
cert.ValidPrincipals = append(cert.ValidPrincipals, s.principals...)
cert.Extensions = s.permissions
if err := cert.SignCert(rand.Reader, s.ca); err != nil {
diff --git a/server/signer/signer_test.go b/server/signer/signer_test.go
index 805f0fc..cdfb4ca 100644
--- a/server/signer/signer_test.go
+++ b/server/signer/signer_test.go
@@ -27,10 +27,9 @@ func TestCert(t *testing.T) {
t.Parallel()
r := &lib.SignRequest{
Key: string(testdata.Pub),
- Principal: "gopher1",
ValidUntil: time.Now().Add(1 * time.Hour),
}
- cert, err := signer.SignUserKey(r)
+ cert, err := signer.SignUserKey(r, "gopher1")
if err != nil {
t.Error(err)
}
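Review bot: The principal "gopher1" is now written as a literal on the added SignUserKey call and again in the assertion hunk below (line 65), where it previously came from a single request field; a `const principal = "gopher1"` at the top of TestCert keeps the call and the expected-principals slice in step. Separately, the surrounding `if err != nil { t.Error(err) }` lets the test continue with a nil cert, so a signing failure would surface as a panic on the next dereference rather than as the reported error; `t.Fatal(err)` would be safer, though that line predates this commit. TestCert continues outside the hunk.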
@@ -38,7 +37,7 @@ func TestCert(t *testing.T) {
t.Error("Cert signer and server signer don't match")
}
var principals []string
- principals = append(principals, r.Principal)
+ principals = append(principals, "gopher1")
principals = append(principals, signer.principals...)
if !reflect.DeepEqual(cert.ValidPrincipals, principals) {
t.Errorf("Expected %s, got %s", cert.ValidPrincipals, principals)
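Review bot: The slice built on the added line is the expected value, but the Errorf on the following line prints `cert.ValidPrincipals` under "Expected" and `principals` under "got", so a failure would report the two the wrong way round; `t.Errorf("Expected %s, got %s", principals, cert.ValidPrincipals)` matches the wording. That line is context rather than part of the change, but this hunk is the natural place to fix it while the assertion is being touched. TestCert starts before this hunk.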
@@ -57,12 +56,10 @@ func TestRevocationList(t *testing.T) {
t.Parallel()
r := &lib.SignRequest{
Key: string(testdata.Pub),
- Principal: "revoked",
ValidUntil: time.Now().Add(1 * time.Hour),
}
- cert1, _ := signer.SignUserKey(r)
- r.Principal = "ok"
- cert2, _ := signer.SignUserKey(r)
+ cert1, _ := signer.SignUserKey(r, "revoked")
+ cert2, _ := signer.SignUserKey(r, "ok")
var rec []*store.CertRecord
rec = append(rec, &store.CertRecord{
KeyID: cert1.KeyId,