|
|
|
@ -2,6 +2,7 @@ package api
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"crypto/x509"
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"net/http"
|
|
|
|
@ -23,7 +24,7 @@ type SSHAuthority interface {
|
|
|
|
|
GetSSHFederation() (*authority.SSHKeys, error)
|
|
|
|
|
GetSSHConfig(typ string, data map[string]string) ([]templates.Output, error)
|
|
|
|
|
CheckSSHHost(principal string) (bool, error)
|
|
|
|
|
GetSSHHosts(user string) ([]string, error)
|
|
|
|
|
GetSSHHosts(cert *x509.Certificate) ([]string, error)
|
|
|
|
|
GetSSHBastion(user string, hostname string) (*authority.Bastion, error)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -436,18 +437,12 @@ func (h *caHandler) SSHCheckHost(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
|
|
|
|
|
// SSHGetHosts is the HTTP handler that returns a list of valid ssh hosts.
|
|
|
|
|
func (h *caHandler) SSHGetHosts(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
|
|
|
|
|
WriteError(w, BadRequest(errors.New("missing peer certificate")))
|
|
|
|
|
return
|
|
|
|
|
var cert *x509.Certificate
|
|
|
|
|
if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
|
|
|
|
|
cert = r.TLS.PeerCertificates[0]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cert := r.TLS.PeerCertificates[0]
|
|
|
|
|
email := cert.EmailAddresses[0]
|
|
|
|
|
if len(email) == 0 {
|
|
|
|
|
WriteError(w, BadRequest(errors.New("client certificate missing email SAN")))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
hosts, err := h.Authority.GetSSHHosts(email)
|
|
|
|
|
hosts, err := h.Authority.GetSSHHosts(cert)
|
|
|
|
|
if err != nil {
|
|
|
|
|
WriteError(w, InternalServerError(err))
|
|
|
|
|
return
|
|
|
|
|