Add getSSHHosts injection func

dopey · dopey · commit d940ab7c2063 · 2020-01-28T13:28:16.000-08:00
diff --git a/api/ssh.go b/api/ssh.go
@@ -23,7 +23,7 @@ type SSHAuthority interface {
 	GetSSHFederation() (*authority.SSHKeys, error)
 	GetSSHConfig(typ string, data map[string]string) ([]templates.Output, error)
 	CheckSSHHost(principal string) (bool, error)
-	GetSSHHosts() ([]string, error)
+	GetSSHHosts(user string) ([]string, error)
 	GetSSHBastion(user string, hostname string) (*authority.Bastion, error)
 }
 
@@ -406,7 +406,18 @@ func (h *caHandler) SSHCheckHost(w http.ResponseWriter, r *http.Request) {
 
 // SSHGetHosts is the HTTP handler that returns a list of valid ssh hosts.
 func (h *caHandler) SSHGetHosts(w http.ResponseWriter, r *http.Request) {
-	hosts, err := h.Authority.GetSSHHosts()
+	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
+		WriteError(w, BadRequest(errors.New("missing peer certificate")))
+		return
+	}
+
+	cert := r.TLS.PeerCertificates[0]
+	email := cert.EmailAddresses[0]
+	if len(email) == 0 {
+		WriteError(w, BadRequest(errors.New("client certificate missing email SAN")))
+		return
+	}
+	hosts, err := h.Authority.GetSSHHosts(email)
 	if err != nil {
 		WriteError(w, InternalServerError(err))
 		return
diff --git a/authority/authority.go b/authority/authority.go
@@ -41,6 +41,7 @@ type Authority struct {
 	initOnce bool
 	// Custom functions
 	sshBastionFunc  func(user, hostname string) (*Bastion, error)
+	sshGetHostsFunc func(user string) ([]string, error)
 	getIdentityFunc provisioner.GetIdentityFunc
 }
 
diff --git a/authority/options.go b/authority/options.go
@@ -16,6 +16,14 @@ func WithDatabase(db db.AuthDB) Option {
 	}
 }
 
+// WithGetIdentityFunc sets a custom function to retrieve the identity from
+// an external resource.
+func WithGetIdentityFunc(fn func(p provisioner.Interface, email string) (*provisioner.Identity, error)) Option {
+	return func(a *Authority) {
+		a.getIdentityFunc = fn
+	}
+}
+
 // WithSSHBastionFunc sets a custom function to get the bastion for a
 // given user-host pair.
 func WithSSHBastionFunc(fn func(user, host string) (*Bastion, error)) Option {
@@ -24,10 +32,10 @@ func WithSSHBastionFunc(fn func(user, host string) (*Bastion, error)) Option {
 	}
 }
 
-// WithGetIdentityFunc sets a custom function to retrieve the identity from
-// an external resource.
-func WithGetIdentityFunc(fn func(p provisioner.Interface, email string) (*provisioner.Identity, error)) Option {
+// WithSSHGetHosts sets a custom function to get the bastion for a
+// given user-host pair.
+func WithSSHGetHosts(fn func(user string) ([]string, error)) Option {
 	return func(a *Authority) {
-		a.getIdentityFunc = fn
+		a.sshGetHostsFunc = fn
 	}
 }
diff --git a/authority/ssh.go b/authority/ssh.go
@@ -673,13 +673,14 @@ func (a *Authority) CheckSSHHost(principal string) (bool, error) {
 }
 
 // GetSSHHosts returns a list of valid host principals.
-func (a *Authority) GetSSHHosts() ([]string, error) {
-	ps, err := a.db.GetSSHHostPrincipals()
-	if err != nil {
-		return nil, err
+func (a *Authority) GetSSHHosts(email string) ([]string, error) {
+	if a.sshBastionFunc != nil {
+		return a.sshGetHostsFunc(email)
+	}
+	return nil, &apiError{
+		err:  errors.New("getSSHHosts is not configured"),
+		code: http.StatusNotFound,
 	}
-
-	return ps, nil
 }
 
 func (a *Authority) getAddUserPrincipal() (cmd string) {

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ type Authority struct {`
`41`	`41`	`initOnce bool`
`42`	`42`	`// Custom functions`
`43`	`43`	`sshBastionFunc func(user, hostname string) (*Bastion, error)`
	`44`	`+ sshGetHostsFunc func(user string) ([]string, error)`
`44`	`45`	`getIdentityFunc provisioner.GetIdentityFunc`
`45`	`46`	`}`
`46`	`47`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,14 @@ func WithDatabase(db db.AuthDB) Option {`
`16`	`16`	`}`
`17`	`17`	`}`
`18`	`18`
	`19`	`+// WithGetIdentityFunc sets a custom function to retrieve the identity from`
	`20`	`+// an external resource.`
	`21`	`+func WithGetIdentityFunc(fn func(p provisioner.Interface, email string) (*provisioner.Identity, error)) Option {`
	`22`	`+ return func(a *Authority) {`
	`23`	`+ a.getIdentityFunc = fn`
	`24`	`+ }`
	`25`	`+}`
	`26`	`+`
`19`	`27`	`// WithSSHBastionFunc sets a custom function to get the bastion for a`
`20`	`28`	`// given user-host pair.`
`21`	`29`	`func WithSSHBastionFunc(fn func(user, host string) (*Bastion, error)) Option {`
`@@ -24,10 +32,10 @@ func WithSSHBastionFunc(fn func(user, host string) (*Bastion, error)) Option {`
`24`	`32`	`}`
`25`	`33`	`}`
`26`	`34`
`27`		`-// WithGetIdentityFunc sets a custom function to retrieve the identity from`
`28`		`-// an external resource.`
`29`		`-func WithGetIdentityFunc(fn func(p provisioner.Interface, email string) (*provisioner.Identity, error)) Option {`
	`35`	`+// WithSSHGetHosts sets a custom function to get the bastion for a`
	`36`	`+// given user-host pair.`
	`37`	`+func WithSSHGetHosts(fn func(user string) ([]string, error)) Option {`
`30`	`38`	`return func(a *Authority) {`
`31`		`- a.getIdentityFunc = fn`
	`39`	`+ a.sshGetHostsFunc = fn`
`32`	`40`	`}`
`33`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -673,13 +673,14 @@ func (a *Authority) CheckSSHHost(principal string) (bool, error) {`
`673`	`673`	`}`
`674`	`674`
`675`	`675`	`// GetSSHHosts returns a list of valid host principals.`
`676`		`-func (a *Authority) GetSSHHosts() ([]string, error) {`
`677`		`- ps, err := a.db.GetSSHHostPrincipals()`
`678`		`- if err != nil {`
`679`		`- return nil, err`
	`676`	`+func (a *Authority) GetSSHHosts(email string) ([]string, error) {`
	`677`	`+ if a.sshBastionFunc != nil {`
	`678`	`+ return a.sshGetHostsFunc(email)`
	`679`	`+ }`
	`680`	`+ return nil, &apiError{`
	`681`	`+ err: errors.New("getSSHHosts is not configured"),`
	`682`	`+ code: http.StatusNotFound,`
`680`	`683`	`}`
`681`		`-`
`682`		`- return ps, nil`
`683`	`684`	`}`
`684`	`685`
`685`	`686`	`func (a *Authority) getAddUserPrincipal() (cmd string) {`