go/access: set principal name, set presence required by host

This commit is contained in:
Luke Granger-Brown 2022-03-25 01:47:18 +00:00
parent 3a32590571
commit f5d66318a3


@ -12,6 +12,7 @@ import (
"net" "net"
"os" "os"
"os/exec" "os/exec"
"os/user"
"path/filepath" "path/filepath"
"strings" "strings"
"time" "time"
@ -26,8 +27,29 @@ var (
vaultAddress = flag.String("vault_address", "https://vault.int.lukegb.com", "Address of Vault") vaultAddress = flag.String("vault_address", "https://vault.int.lukegb.com", "Address of Vault")
sshMountPoint = flag.String("ssh_mount_point", "ssh-client", "SSH mount point in Vault") sshMountPoint = flag.String("ssh_mount_point", "ssh-client", "SSH mount point in Vault")
sshRole = flag.String("ssh_role", "user", "SSH role") sshRole = flag.String("ssh_role", "user", "SSH role")
sshPrincipal = flag.String("principal", currentUsername(), "principal to request in certificate")
requirePresence = flag.Bool("require_presence", shouldRequirePresence(), "whether to require presence when using certificate")
) )
func currentUsername() string {
// What's our principal?
u, err := user.Current()
if err != nil {
log.Fatalf("looking up current user: %v", err)
}
return u.Username
}
func shouldRequirePresence() bool {
hn, err := os.Hostname()
if err != nil {
log.Fatalf("getting hostname: %v", err)
}
// WSL2 makes things hard.
return hn != "PORCOROSSO"
}
const ( const (
sshAgentComment = "vault certificate" sshAgentComment = "vault certificate"
) )
@ -223,6 +245,7 @@ func main() {
vssh := vaultClient.SSHWithMountPoint(*sshMountPoint) vssh := vaultClient.SSHWithMountPoint(*sshMountPoint)
sec, err := vssh.SignKey(*sshRole, map[string]interface{}{ sec, err := vssh.SignKey(*sshRole, map[string]interface{}{
"public_key": string(ssh.MarshalAuthorizedKey(sshPubKey)), "public_key": string(ssh.MarshalAuthorizedKey(sshPubKey)),
"valid_principals": *sshPrincipal,
}) })
if err != nil { if err != nil {
log.Fatalf("signing SSH key: %v", err) log.Fatalf("signing SSH key: %v", err)
@ -245,7 +268,7 @@ func main() {
Certificate: signedCert, Certificate: signedCert,
Comment: sshAgentComment, Comment: sshAgentComment,
LifetimeSecs: uint32(certLifetime.Seconds()), LifetimeSecs: uint32(certLifetime.Seconds()),
ConfirmBeforeUse: true, ConfirmBeforeUse: *requirePresence,
}); err != nil { }); err != nil {
log.Fatalf("adding key to agent: %w", err) log.Fatalf("adding key to agent: %w", err)
} }
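Review bot: The new flag defaults `currentUsername()` and `shouldRequirePresence()` are evaluated during package initialisation, before `flag.Parse()`, so a failing `user.Current()` or `os.Hostname()` hits `log.Fatalf` even when the caller passes `-principal` or `-require_presence` explicitly (and on `-help`). Defaulting to the zero value and resolving after parsing keeps the override usable: `sshPrincipal = flag.String("principal", "", "principal to request in certificate (default: current user)")` and, in main after `flag.Parse()`, `if *sshPrincipal == "" { *sshPrincipal = currentUsername() }`; for `requirePresence` a `*bool` cannot express "unset", so either a `flag.Visit` check or a string flag is needed to do the same. The `hn != "PORCOROSSO"` comparison silently turns off the agent's confirm-before-use on that one host, which is a weakening of the key's protection that the comment `// WSL2 makes things hard.` does not explain; suggest something like `// On PORCOROSSO (a WSL2 host) confirm-before-use is disabled by default — presumably the agent cannot prompt there, confirm — pass -require_presence=true to override.` The enclosing main() starts and ends outside the hunks.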