From dfb490755e47be4751820d38d35b36520693b4d8 Mon Sep 17 00:00:00 2001 From: max furman Date: Mon, 28 Oct 2024 09:39:43 -0700 Subject: [PATCH 1/4] Add disableSSHCAUser and disableSSHCAHost attributes to GCP provisioner --- command/ca/provisioner/add.go | 17 +++++++++++++++++ command/ca/provisioner/update.go | 9 +++++++++ 2 files changed, 26 insertions(+) diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go index c8c0f2070..7af2eba0f 100644 --- a/command/ca/provisioner/add.go +++ b/command/ca/provisioner/add.go @@ -100,6 +100,7 @@ IID (AWS/GCP/Azure) [**--azure-audience**=] [**--azure-subscription-id**=] [**--azure-object-id**=] [**--instance-age**=] [**--iid-roots**=] [**--disable-custom-sans**] [**--disable-trust-on-first-use**] +[**--disable-ssh-ca-user**] [**--disable-ssh-ca-host**] [**--admin-cert**=] [**--admin-key**=] [**--admin-subject**=] [**--admin-provisioner**=] [**--admin-password-file**=] [**--ca-url**=] [**--root**=] [**--context**=] [**--ca-config**=] @@ -790,6 +791,20 @@ func createGCPDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) { return nil, err } + var ( + disableSSHCAUser *bool + disableSSHCAHost *bool + ) + + if ctx.IsSet("disable-ssh-ca-user") { + boolVal := ctx.Bool("disable-ssh-ca-user") + disableSSHCAUser = &boolVal + } + if ctx.IsSet("disable-ssh-ca-host") { + boolVal := ctx.Bool("disable-ssh-ca-host") + disableSSHCAHost = &boolVal + } + return &linkedca.ProvisionerDetails{ Data: &linkedca.ProvisionerDetails_GCP{ GCP: &linkedca.GCPProvisioner{ @@ -797,6 +812,8 @@ func createGCPDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) { ProjectIds: ctx.StringSlice("gcp-project"), DisableCustomSans: ctx.Bool("disable-custom-sans"), DisableTrustOnFirstUse: ctx.Bool("disable-trust-on-first-use"), + DisableSshCaUser: disableSSHCAUser, + DisableSshCaHost: disableSSHCAHost, InstanceAge: d, }, }, 
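Review bot: The two `if ctx.IsSet(...)` blocks in createGCPDetails that turn a flag into a `*bool` duplicate logic that the updateGCPDetails hunk in update.go (the next file in this commit) repeats verbatim, and neither place says why a pointer is used rather than a plain bool. A small helper documented with the nil-means-unset contract would carry that meaning in one place and let both call sites shrink to `DisableSshCaUser: optionalBool(ctx, "disable-ssh-ca-user"),`. The rest of createGCPDetails (the instance-age parsing above and the struct it returns) lies outside the hunk, so the exact placement is to be confirmed.
```go
// optionalBool returns a pointer to the flag's value only when the flag was
// explicitly set on the command line. A nil result means "not specified",
// which is distinct from an explicit false.
func optionalBool(ctx *cli.Context, name string) *bool {
	if !ctx.IsSet(name) {
		return nil
	}
	v := ctx.Bool(name)
	return &v
}

// … unchanged: instance-age parsing, ProjectIds, DisableCustomSans, DisableTrustOnFirstUse …
			GCP: &linkedca.GCPProvisioner{
				DisableSshCaUser: optionalBool(ctx, "disable-ssh-ca-user"),
				DisableSshCaHost: optionalBool(ctx, "disable-ssh-ca-host"),
```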
diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go index fa64543fa..912d69d1e 100644 --- a/command/ca/provisioner/update.go +++ b/command/ca/provisioner/update.go @@ -92,6 +92,7 @@ IID (AWS/GCP/Azure) [**--azure-audience**=] [**--azure-subscription-id**=] [**--azure-object-id**=] [**--instance-age**=] [**--disable-custom-sans**] [**--disable-trust-on-first-use**] +[**--disable-ssh-ca-user**] [**--disable-ssh-ca-host**] [**--admin-cert**=] [**--admin-key**=] [**--admin-subject**=] [**--admin-provisioner**=] [**--admin-password-file**=] [**--ca-url**=] [**--root**=] [**--context**=] [**--ca-config**=] @@ -914,6 +915,14 @@ func updateGCPDetails(ctx *cli.Context, p *linkedca.Provisioner) error { if ctx.IsSet("disable-trust-on-first-use") { details.DisableTrustOnFirstUse = ctx.Bool("disable-trust-on-first-use") } + if ctx.IsSet("disable-ssh-ca-user") { + boolVal := ctx.Bool("disable-ssh-ca-user") + details.DisableSshCaUser = &boolVal + } + if ctx.IsSet("disable-ssh-ca-host") { + boolVal := ctx.Bool("disable-ssh-ca-host") + details.DisableSshCaHost = &boolVal + } if ctx.IsSet("remove-gcp-service-account") { details.ServiceAccounts = removeElements(details.ServiceAccounts, ctx.StringSlice("remove-gcp-service-account")) } From 93eb7d2a7688ec99f634045f8288809c642f4de5 Mon Sep 17 00:00:00 2001 From: max furman Date: Mon, 28 Oct 2024 10:20:10 -0700 Subject: [PATCH 2/4] Add --disable-ssh-ca-user and --disable-ssh-ca-host flags ... ... for provisioner add and update. Only works for GCP IID provisioner (for now). --- command/ca/provisioner/add.go | 2 ++ command/ca/provisioner/provisioner.go | 10 ++++++++++ command/ca/provisioner/update.go | 5 +++++ 3 files changed, 17 insertions(+) diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go index 7af2eba0f..e950f9312 100644 --- a/command/ca/provisioner/add.go +++ b/command/ca/provisioner/add.go 
@@ -173,6 +173,8 @@ SCEP instanceAgeFlag, disableCustomSANsFlag, disableTOFUFlag, + disableSSHCAUserFlag, + disableSSHCAHostFlag, // Claims x509TemplateFlag, diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go index 4f276b9dd..6f5c7cc3e 100644 --- a/command/ca/provisioner/provisioner.go +++ b/command/ca/provisioner/provisioner.go @@ -542,6 +542,16 @@ with the same instance will be accepted. By default only the first request will be accepted.`, } + disableSSHCAUserFlag = cli.BoolFlag{ + Name: "disable-ssh-ca-user", + Usage: `Disable ability to sign SSH user certificates`, + } + + disableSSHCAHostFlag = cli.BoolFlag{ + Name: "disable-ssh-ca-host", + Usage: `Disable ability to sign SSH host certificates`, + } + // Nebula provisioner flags nebulaRootFlag = cli.StringFlag{ Name: "nebula-root", diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go index 912d69d1e..5d3cd76fc 100644 --- a/command/ca/provisioner/update.go +++ b/command/ca/provisioner/update.go @@ -177,6 +177,8 @@ SCEP instanceAgeFlag, disableCustomSANsFlag, disableTOFUFlag, + disableSSHCAUserFlag, + disableSSHCAHostFlag, // Claims x509TemplateFlag, @@ -917,6 +919,7 @@ func updateGCPDetails(ctx *cli.Context, p *linkedca.Provisioner) error { } if ctx.IsSet("disable-ssh-ca-user") { boolVal := ctx.Bool("disable-ssh-ca-user") + fmt.Printf("boolVal = %+v\n", boolVal) details.DisableSshCaUser = &boolVal } if ctx.IsSet("disable-ssh-ca-host") { @@ -935,6 +938,8 @@ func updateGCPDetails(ctx *cli.Context, p *linkedca.Provisioner) error { if ctx.IsSet("gcp-project") { details.ProjectIds = append(details.ProjectIds, ctx.StringSlice("gcp-project")...) } + + fmt.Printf("*details.DisableSshCaUser = %+v\n", *details.DisableSshCaUser) return nil } From 6b13f45bdb34277020173d2e8d7b120c7b82b923 Mon Sep 17 00:00:00 2001 
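Review bot: The Usage text of disableSSHCAUserFlag and disableSSHCAHostFlag in the provisioner.go hunk does not say which provisioner types honour the flags, although the commit message says only the GCP IID provisioner does and both flag lists touched here (add.go and update.go) register them for every type; an operator reading the command help would reasonably expect the restriction to apply to whichever provisioner they are adding. Suggest a Usage such as "Disable the ability to sign SSH user certificates. Only supported by the GCP IID provisioner." and the matching host-certificate variant. The two `fmt.Printf` lines added to updateGCPDetails in the update.go hunks are debug output, and the second dereferences `*details.DisableSshCaUser`, which is nil whenever `--disable-ssh-ca-user` was not passed; both are removed again in PATCH 3/4 of this series.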
From: max furman
Date: Mon, 28 Oct 2024 13:54:32 -0700
Subject: [PATCH 3/4] Bump linkedca 0.22.2
---
 command/ca/provisioner/update.go | 2 --
 go.mod | 2 +-
 go.sum | 4 ++--
 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
index 5d3cd76fc..90257d3a7 100644
--- a/command/ca/provisioner/update.go
+++ b/command/ca/provisioner/update.go
@@ -919,7 +919,6 @@ func updateGCPDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 }
 if ctx.IsSet("disable-ssh-ca-user") {
 boolVal := ctx.Bool("disable-ssh-ca-user")
- fmt.Printf("boolVal = %+v\n", boolVal)
 details.DisableSshCaUser = &boolVal
 }
 if ctx.IsSet("disable-ssh-ca-host") {
@@ -939,7 +938,6 @@ func updateGCPDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 details.ProjectIds = append(details.ProjectIds, ctx.StringSlice("gcp-project")...)
 }
 
- fmt.Printf("*details.DisableSshCaUser = %+v\n", *details.DisableSshCaUser)
 return nil
 }
 
diff --git a/go.mod b/go.mod
index 63749fb0d..9b610cbdf 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
 github.com/urfave/cli v1.22.16
 go.mozilla.org/pkcs7 v0.9.0
 go.step.sm/crypto v0.54.0
- go.step.sm/linkedca v0.22.1
+ go.step.sm/linkedca v0.22.2
 golang.org/x/crypto v0.28.0
 golang.org/x/sys v0.26.0
 golang.org/x/term v0.25.0
diff --git a/go.sum b/go.sum
index 4985a6eda..6f3627038 100644
--- a/go.sum
+++ b/go.sum
@@ -391,8 +391,8 @@ go.step.sm/cli-utils v0.9.0 h1:55jYcsQbnArNqepZyAwcato6Zy2MoZDRkWW+jF+aPfQ=
 go.step.sm/cli-utils v0.9.0/go.mod h1:Y/CRoWl1FVR9j+7PnAewufAwKmBOTzR6l9+7EYGAnp8=
 go.step.sm/crypto v0.54.0 h1:V8p+12Ld0NRA/RBMYoKXA0dWmVKZSdCwP56IwzweT9g=
 go.step.sm/crypto v0.54.0/go.mod h1:vQJyTngfZDW+UyZdFzOMCY/txWDAmcwViEUC7Gn4YfU=
-go.step.sm/linkedca v0.22.1 h1:GvprpH9P4Sv9U+eZ3bxDgRSSpW14cFDYpe1kS6yWLkw=
-go.step.sm/linkedca v0.22.1/go.mod h1:dOKdF4HSn73YUEkfS5/FECngZmBtj2Il5DTKWXY4S6Y=
+go.step.sm/linkedca v0.22.2 h1:zmFIyDC77gFHo6FLQJ8OIXYpLYDIsgDWaYqtYs6A9/Q=
+go.step.sm/linkedca v0.22.2/go.mod h1:ESY8r5VfhJA8ZVzI6hXIQcEX9LwaY3aoPnT+Hb9jpbw=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
From 79f96f0cbb8c2cdd713168ed57d175cfc35ba625 Mon Sep 17 00:00:00 2001
From: max furman
Date: Mon, 28 Oct 2024 18:41:16 -0700
Subject: [PATCH 4/4] Friendly errors using --disable-ssh-ca-* with Azure or AWS provisioner
---
 command/ca/provisioner/add.go | 14 ++++++++++++++
 command/ca/provisioner/update.go | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
index e950f9312..2951fcbd2 100644
--- a/command/ca/provisioner/add.go
+++ b/command/ca/provisioner/add.go
@@ -747,6 +747,13 @@ func createOIDCDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
 }
 
 func createAWSDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
+ if ctx.IsSet("disable-ssh-ca-user") {
+ return nil, errors.New("flag disable-ssh-ca-user is not supported for AWS IID provisioners")
+ }
+ if ctx.IsSet("disable-ssh-ca-host") {
+ return nil, errors.New("flag disable-ssh-ca-host is not supported for AWS IID provisioners")
+ }
+
 d, err := parseInstanceAge(ctx)
 if err != nil {
 return nil, err
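Review bot: The guards added at the top of createAWSDetails only cover the AWS and Azure types, yet the flag lists in add.go and update.go register `--disable-ssh-ca-user` and `--disable-ssh-ca-host` for every provisioner type, so passing either with an OIDC, SCEP, Nebula or other non-IID type is still accepted and silently dropped; an operator would then believe SSH signing had been restricted when the stored provisioner is unchanged. The same gap applies to the createAzureDetails, updateAWSDetails and updateAzureDetails hunks that follow. A single check before the per-type dispatch — reject when `ctx.String("type")` is not the GCP type and either flag `IsSet` — would close it for all types at once and make the four per-provider guards unnecessary, with one message such as `"flags disable-ssh-ca-user and disable-ssh-ca-host are only supported for GCP IID provisioners"`. The dispatch on type is not visible in this hunk, so where exactly the check lands is to be confirmed. createAWSDetails continues past the end of the hunk.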
@@ -767,6 +774,13 @@ func createAWSDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
 }
 
 func createAzureDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
+ if ctx.IsSet("disable-ssh-ca-user") {
+ return nil, errors.New("flag disable-ssh-ca-user is not supported for Azure IID provisioners")
+ }
+ if ctx.IsSet("disable-ssh-ca-host") {
+ return nil, errors.New("flag disable-ssh-ca-host is not supported for Azure IID provisioners")
+ }
+
 tenantID := ctx.String("azure-tenant")
 if tenantID == "" {
 return nil, errs.RequiredWithFlagValue(ctx, "type", ctx.String("type"), "azure-tenant")
diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
index 90257d3a7..1b041f2aa 100644
--- a/command/ca/provisioner/update.go
+++ b/command/ca/provisioner/update.go
@@ -829,6 +829,13 @@ func updateOIDCDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 }
 
 func updateAWSDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
+ if ctx.IsSet("disable-ssh-ca-user") {
+ return errors.New("flag disable-ssh-ca-user is not supported for AWS IID provisioners")
+ }
+ if ctx.IsSet("disable-ssh-ca-host") {
+ return errors.New("flag disable-ssh-ca-host is not supported for AWS IID provisioners")
+ }
+
 data, ok := p.Details.GetData().(*linkedca.ProvisionerDetails_AWS)
 if !ok {
 return errors.New("error casting details to AWS type")
@@ -858,6 +865,13 @@ func updateAWSDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 }
 
 func updateAzureDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
+ if ctx.IsSet("disable-ssh-ca-user") {
+ return errors.New("flag disable-ssh-ca-user is not supported for Azure IID provisioners")
+ }
+ if ctx.IsSet("disable-ssh-ca-host") {
+ return errors.New("flag disable-ssh-ca-host is not supported for Azure IID provisioners")
+ }
+
 data, ok := p.Details.GetData().(*linkedca.ProvisionerDetails_Azure)
 if !ok {
 return errors.New("error casting details to Azure type")