go/access: set principal name, set presence required by host

2022-03-25 01:47:18 +00:00 · 2022-03-25 01:47:18 +00:00 · f5d66318a3
commit f5d66318a3
parent 3a32590571
1 changed files with 25 additions and 2 deletions
--- a/go/access/access.go
+++ b/go/access/access.go
@ -12,6 +12,7 @@ import (
 	"net"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"strings"
 	"time"
@ -26,8 +27,29 @@ var (
 	vaultAddress  = flag.String("vault_address", "https://vault.int.lukegb.com", "Address of Vault")
 	sshMountPoint = flag.String("ssh_mount_point", "ssh-client", "SSH mount point in Vault")
 	sshRole       = flag.String("ssh_role", "user", "SSH role")
+	sshPrincipal  = flag.String("principal", currentUsername(), "principal to request in certificate")
+
+	requirePresence = flag.Bool("require_presence", shouldRequirePresence(), "whether to require presence when using certificate")
 )

+func currentUsername() string {
+	// What's our principal?
+	u, err := user.Current()
+	if err != nil {
+		log.Fatalf("looking up current user: %v", err)
+	}
+	return u.Username
+}
+
+func shouldRequirePresence() bool {
+	hn, err := os.Hostname()
+	if err != nil {
+		log.Fatalf("getting hostname: %v", err)
+	}
+	// WSL2 makes things hard.
+	return hn != "PORCOROSSO"
+}
+
 const (
 	sshAgentComment = "vault certificate"
 )
@ -222,7 +244,8 @@ func main() {
 	// Sign the key.
 	vssh := vaultClient.SSHWithMountPoint(*sshMountPoint)
 	sec, err := vssh.SignKey(*sshRole, map[string]interface{}{
-		"public_key": string(ssh.MarshalAuthorizedKey(sshPubKey)),
+		"public_key":       string(ssh.MarshalAuthorizedKey(sshPubKey)),
+		"valid_principals": *sshPrincipal,
 	})
 	if err != nil {
 		log.Fatalf("signing SSH key: %v", err)
@ -245,7 +268,7 @@ func main() {
 		Certificate:      signedCert,
 		Comment:          sshAgentComment,
 		LifetimeSecs:     uint32(certLifetime.Seconds()),
-		ConfirmBeforeUse: true,
+		ConfirmBeforeUse: *requirePresence,
 	}); err != nil {
 		log.Fatalf("adding key to agent: %w", err)
 	}