go/access: set principal name, set presence required by host
This commit is contained in:
parent
3a32590571
commit
f5d66318a3
1 changed files with 25 additions and 2 deletions
|
@ -12,6 +12,7 @@ import (
|
|||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
@ -26,8 +27,29 @@ var (
|
|||
vaultAddress = flag.String("vault_address", "https://vault.int.lukegb.com", "Address of Vault")
|
||||
sshMountPoint = flag.String("ssh_mount_point", "ssh-client", "SSH mount point in Vault")
|
||||
sshRole = flag.String("ssh_role", "user", "SSH role")
|
||||
sshPrincipal = flag.String("principal", currentUsername(), "principal to request in certificate")
|
||||
|
||||
requirePresence = flag.Bool("require_presence", shouldRequirePresence(), "whether to require presence when using certificate")
|
||||
)
|
||||
|
||||
func currentUsername() string {
|
||||
// What's our principal?
|
||||
u, err := user.Current()
|
||||
if err != nil {
|
||||
log.Fatalf("looking up current user: %v", err)
|
||||
}
|
||||
return u.Username
|
||||
}
|
||||
|
||||
func shouldRequirePresence() bool {
|
||||
hn, err := os.Hostname()
|
||||
if err != nil {
|
||||
log.Fatalf("getting hostname: %v", err)
|
||||
}
|
||||
// WSL2 makes things hard.
|
||||
return hn != "PORCOROSSO"
|
||||
}
|
||||
|
||||
const (
|
||||
sshAgentComment = "vault certificate"
|
||||
)
|
||||
|
@ -223,6 +245,7 @@ func main() {
|
|||
vssh := vaultClient.SSHWithMountPoint(*sshMountPoint)
|
||||
sec, err := vssh.SignKey(*sshRole, map[string]interface{}{
|
||||
"public_key": string(ssh.MarshalAuthorizedKey(sshPubKey)),
|
||||
"valid_principals": *sshPrincipal,
|
||||
})
|
||||
if err != nil {
|
||||
log.Fatalf("signing SSH key: %v", err)
|
||||
|
@ -245,7 +268,7 @@ func main() {
|
|||
Certificate: signedCert,
|
||||
Comment: sshAgentComment,
|
||||
LifetimeSecs: uint32(certLifetime.Seconds()),
|
||||
ConfirmBeforeUse: true,
|
||||
ConfirmBeforeUse: *requirePresence,
|
||||
}); err != nil {
|
||||
log.Fatalf("adding key to agent: %w", err)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue