Merge pull request smallstep#1951 from smallstep/herman/clarify-ssh-policy-errors

hslatman · web-flow · commit b3fcfed97e3e · 2024-08-05T14:49:41.000+02:00
diff --git a/authority/policy/engine.go b/authority/policy/engine.go
@@ -91,7 +91,7 @@ func (e *Engine) IsSSHCertificateAllowed(cert *ssh.Certificate) error {
 		// when no host policy engine is configured, but a user policy engine is
 		// configured, the host certificate is denied.
 		if e.sshHostPolicy == nil && e.sshUserPolicy != nil {
-			return errors.New("authority not allowed to sign ssh host certificates")
+			return errors.New("authority not allowed to sign SSH host certificates when SSH user certificate policy is active")
 		}
 
 		// return result of SSH host policy evaluation
@@ -100,12 +100,12 @@ func (e *Engine) IsSSHCertificateAllowed(cert *ssh.Certificate) error {
 		// 	when no user policy engine is configured, but a host policy engine is
 		// 	configured, the user certificate is denied.
 		if e.sshUserPolicy == nil && e.sshHostPolicy != nil {
-			return errors.New("authority not allowed to sign ssh user certificates")
+			return errors.New("authority not allowed to sign SSH user certificates when SSH host certificate policy is active")
 		}
 
 		// return result of SSH user policy evaluation
 		return e.sshUserPolicy.IsSSHCertificateAllowed(cert)
 	default:
-		return fmt.Errorf("unexpected ssh certificate type %q", cert.CertType)
+		return fmt.Errorf("unexpected SSH certificate type %q", cert.CertType)
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ func (e Engine) IsSSHCertificateAllowed(cert ssh.Certificate) error {`
`91`	`91`	`// when no host policy engine is configured, but a user policy engine is`
`92`	`92`	`// configured, the host certificate is denied.`
`93`	`93`	`if e.sshHostPolicy == nil && e.sshUserPolicy != nil {`
`94`		`- return errors.New("authority not allowed to sign ssh host certificates")`
	`94`	`+ return errors.New("authority not allowed to sign SSH host certificates when SSH user certificate policy is active")`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`// return result of SSH host policy evaluation`
`@@ -100,12 +100,12 @@ func (e Engine) IsSSHCertificateAllowed(cert ssh.Certificate) error {`
`100`	`100`	`// when no user policy engine is configured, but a host policy engine is`
`101`	`101`	`// configured, the user certificate is denied.`
`102`	`102`	`if e.sshUserPolicy == nil && e.sshHostPolicy != nil {`
`103`		`- return errors.New("authority not allowed to sign ssh user certificates")`
	`103`	`+ return errors.New("authority not allowed to sign SSH user certificates when SSH host certificate policy is active")`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`// return result of SSH user policy evaluation`
`107`	`107`	`return e.sshUserPolicy.IsSSHCertificateAllowed(cert)`
`108`	`108`	`default:`
`109`		`- return fmt.Errorf("unexpected ssh certificate type %q", cert.CertType)`
	`109`	`+ return fmt.Errorf("unexpected SSH certificate type %q", cert.CertType)`
`110`	`110`	`}`
`111`	`111`	`}`