go/access: set principal name, set presence required by host

This commit is contained in:
Luke Granger-Brown 2022-03-25 01:47:18 +00:00
parent 3a32590571
commit f5d66318a3

View file

@ -12,6 +12,7 @@ import (
"net"
"os"
"os/exec"
"os/user"
"path/filepath"
"strings"
"time"
@ -26,8 +27,29 @@ var (
vaultAddress = flag.String("vault_address", "https://vault.int.lukegb.com", "Address of Vault")
sshMountPoint = flag.String("ssh_mount_point", "ssh-client", "SSH mount point in Vault")
sshRole = flag.String("ssh_role", "user", "SSH role")
sshPrincipal = flag.String("principal", currentUsername(), "principal to request in certificate")
requirePresence = flag.Bool("require_presence", shouldRequirePresence(), "whether to require presence when using certificate")
)
func currentUsername() string {
// What's our principal?
u, err := user.Current()
if err != nil {
log.Fatalf("looking up current user: %v", err)
}
return u.Username
}
func shouldRequirePresence() bool {
hn, err := os.Hostname()
if err != nil {
log.Fatalf("getting hostname: %v", err)
}
// WSL2 makes things hard.
return hn != "PORCOROSSO"
}
const (
sshAgentComment = "vault certificate"
)
@ -223,6 +245,7 @@ func main() {
vssh := vaultClient.SSHWithMountPoint(*sshMountPoint)
sec, err := vssh.SignKey(*sshRole, map[string]interface{}{
"public_key": string(ssh.MarshalAuthorizedKey(sshPubKey)),
"valid_principals": *sshPrincipal,
})
if err != nil {
log.Fatalf("signing SSH key: %v", err)
@ -245,7 +268,7 @@ func main() {
Certificate: signedCert,
Comment: sshAgentComment,
LifetimeSecs: uint32(certLifetime.Seconds()),
ConfirmBeforeUse: true,
ConfirmBeforeUse: *requirePresence,
}); err != nil {
log.Fatalf("adding key to agent: %w", err)
}