Add host fields and protos for ssh identities #51024
Conversation
fspmarshall
added
the
no-changelog
fspmarshall
force-pushed
the
fspmarshall/pdp-ssh-identity-proto
branch
from
6a0c7c7 to
f4fcde4
Compare
lib/auth/keygen/keygen.go
Outdated
| // since this method ignores the supplied values for ValidBefore/ValidAfter, avoid confusing by | ||
| // rejecting identities where they are set. | ||
| if ident.ValidBefore != 0 { | ||
| return nil, trace.BadParameter("ValidBefore should not be set in calls to GenerateUserCert") |
There was a problem hiding this comment.
Just curious what the value of explicitly rejecting the request is when the valid before/after is set.
There was a problem hiding this comment.
And would this make more or less sense to put in the req.Check() method? More just asking for my own edification.
There was a problem hiding this comment.
The reason is that the values are intended to be derived from TTL by this function rather than supplied by the caller, so a nonzero value in one of those fields may indicate human error. Basically, this check is just intended to help catch mistakes.
In terms of the location of the check, no real reason... I was just working on this part of the code when I first decided that it would be good to have a check like this. Moved it to req.Check().
fspmarshall
force-pushed
the
fspmarshall/pdp-ssh-identity-proto
branch
2 times, most recently
from
f02998f to
fabe0fa
Compare
fspmarshall
force-pushed
the
fspmarshall/pdp-ssh-identity-proto
branch
from
fabe0fa to
a4b94e2
Compare
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
Updates
sshca.Identityto support host identity fields and addsSSHIdentityto thedecisionfamily of protos.The original
sshca.Identityobject was added in #50787 and was initially specialized to user identities only. At the time I thought I'd be able to mostly avoid caring about host identities. It turns out that there is enough ssh certificate handling logic that is intended to work with host and user certs, that it is best to be able to handle both using the same identity type.I'm not completely happy with having host and user identity fields living alongside one another, and I did experiment a bit with the idea of having separate
HostIdentityandUserIdentitytypes, with a common interface so that logic that is generic over both can continue to operate on identities as a single object. This ended up being a bit too much scope creep for the purposes of these changes (especially since the more commontlsca.Identityis already monolithic).Part of ongoing work related to the PDP proposal (https://github.com/gravitational/teleport.e/pull/5736).