Change authority policy to use dbPolicy model

2 years ago · 77893ea55c
parent d82e51b748
commit 77893ea55c
2 changed files with 706 additions and 21 deletions
--- a/authority/admin/db/nosql/policy.go
+++ b/authority/admin/db/nosql/policy.go
@ -11,17 +11,64 @@ import (
 	"github.com/smallstep/nosql"
 )

+type dbX509Policy struct {
+	Allow              *dbX509Names `json:"allow,omitempty"`
+	Deny               *dbX509Names `json:"deny,omitempty"`
+	AllowWildcardNames bool         `json:"allow_wildcard_names,omitempty"`
+}
+
+type dbX509Names struct {
+	CommonNames    []string `json:"cn,omitempty"`
+	DNSDomains     []string `json:"dns,omitempty"`
+	IPRanges       []string `json:"ip,omitempty"`
+	EmailAddresses []string `json:"email,omitempty"`
+	URIDomains     []string `json:"uri,omitempty"`
+}
+
+type dbSSHPolicy struct {
+	// User contains SSH user certificate options.
+	User *dbSSHUserPolicy `json:"user,omitempty"`
+	// Host contains SSH host certificate options.
+	Host *dbSSHHostPolicy `json:"host,omitempty"`
+}
+
+type dbSSHHostPolicy struct {
+	Allow *dbSSHHostNames `json:"allow,omitempty"`
+	Deny  *dbSSHHostNames `json:"deny,omitempty"`
+}
+
+type dbSSHHostNames struct {
+	DNSDomains []string `json:"dns,omitempty"`
+	IPRanges   []string `json:"ip,omitempty"`
+	Principals []string `json:"principal,omitempty"`
+}
+
+type dbSSHUserPolicy struct {
+	Allow *dbSSHUserNames `json:"allow,omitempty"`
+	Deny  *dbSSHUserNames `json:"deny,omitempty"`
+}
+
+type dbSSHUserNames struct {
+	EmailAddresses []string `json:"email,omitempty"`
+	Principals     []string `json:"principal,omitempty"`
+}
+
+type dbPolicy struct {
+	X509 *dbX509Policy `json:"x509,omitempty"`
+	SSH  *dbSSHPolicy  `json:"ssh,omitempty"`
+}
+
 type dbAuthorityPolicy struct {
-	ID          string           `json:"id"`
-	AuthorityID string           `json:"authorityID"`
-	Policy      *linkedca.Policy `json:"policy"`
+	ID          string    `json:"id"`
+	AuthorityID string    `json:"authorityID"`
+	Policy      *dbPolicy `json:"policy,omitempty"`
 }

 func (dbap *dbAuthorityPolicy) convert() *linkedca.Policy {
 	if dbap == nil {
 		return nil
 	}
-	return dbap.Policy
+	return dbToLinked(dbap.Policy)
 }

 func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string) ([]byte, error) {
@ -69,7 +116,7 @@ func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy
 	dbap := &dbAuthorityPolicy{
 		ID:          db.authorityID,
 		AuthorityID: db.authorityID,
-		Policy:      policy,
+		Policy:      linkedToDB(policy),
 	}

 	if err := db.save(ctx, dbap.ID, dbap, nil, "authority_policy", authorityPoliciesTable); err != nil {
@ -97,7 +144,7 @@ func (db *DB) UpdateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy
 	dbap := &dbAuthorityPolicy{
 		ID:          db.authorityID,
 		AuthorityID: db.authorityID,
-		Policy:      policy,
+		Policy:      linkedToDB(policy),
 	}

 	if err := db.save(ctx, dbap.ID, dbap, old, "authority_policy", authorityPoliciesTable); err != nil {
@ -119,3 +166,174 @@ func (db *DB) DeleteAuthorityPolicy(ctx context.Context) error {

 	return nil
 }
+
+func dbToLinked(p *dbPolicy) *linkedca.Policy {
+	if p == nil {
+		return nil
+	}
+	r := &linkedca.Policy{}
+	if x509 := p.X509; x509 != nil {
+		r.X509 = &linkedca.X509Policy{}
+		if allow := x509.Allow; allow != nil {
+			r.X509.Allow = &linkedca.X509Names{}
+			r.X509.Allow.Dns = allow.DNSDomains
+			r.X509.Allow.Emails = allow.EmailAddresses
+			r.X509.Allow.Ips = allow.IPRanges
+			r.X509.Allow.Uris = allow.URIDomains
+			r.X509.Allow.CommonNames = allow.CommonNames
+		}
+		if deny := x509.Deny; deny != nil {
+			r.X509.Deny = &linkedca.X509Names{}
+			r.X509.Deny.Dns = deny.DNSDomains
+			r.X509.Deny.Emails = deny.EmailAddresses
+			r.X509.Deny.Ips = deny.IPRanges
+			r.X509.Deny.Uris = deny.URIDomains
+			r.X509.Deny.CommonNames = deny.CommonNames
+		}
+		r.X509.AllowWildcardNames = x509.AllowWildcardNames
+	}
+	if ssh := p.SSH; ssh != nil {
+		r.Ssh = &linkedca.SSHPolicy{}
+		if host := ssh.Host; host != nil {
+			r.Ssh.Host = &linkedca.SSHHostPolicy{}
+			if allow := host.Allow; allow != nil {
+				r.Ssh.Host.Allow = &linkedca.SSHHostNames{}
+				r.Ssh.Host.Allow.Dns = allow.DNSDomains
+				r.Ssh.Host.Allow.Ips = allow.IPRanges
+				r.Ssh.Host.Allow.Principals = allow.Principals
+			}
+			if deny := host.Deny; deny != nil {
+				r.Ssh.Host.Deny = &linkedca.SSHHostNames{}
+				r.Ssh.Host.Deny.Dns = deny.DNSDomains
+				r.Ssh.Host.Deny.Ips = deny.IPRanges
+				r.Ssh.Host.Deny.Principals = deny.Principals
+			}
+		}
+		if user := ssh.User; user != nil {
+			r.Ssh.User = &linkedca.SSHUserPolicy{}
+			if allow := user.Allow; allow != nil {
+				r.Ssh.User.Allow = &linkedca.SSHUserNames{}
+				r.Ssh.User.Allow.Emails = allow.EmailAddresses
+				r.Ssh.User.Allow.Principals = allow.Principals
+			}
+			if deny := user.Deny; deny != nil {
+				r.Ssh.User.Deny = &linkedca.SSHUserNames{}
+				r.Ssh.User.Deny.Emails = deny.EmailAddresses
+				r.Ssh.User.Deny.Principals = deny.Principals
+			}
+		}
+	}
+
+	return r
+}
+
+func linkedToDB(p *linkedca.Policy) *dbPolicy {
+
+	if p == nil {
+		return nil
+	}
+
+	// return early if x509 nor SSH is set
+	if p.GetX509() == nil && p.GetSsh() == nil {
+		return nil
+	}
+
+	r := &dbPolicy{}
+	// fill x509 policy configuration
+	if x509 := p.GetX509(); x509 != nil {
+		r.X509 = &dbX509Policy{}
+		if allow := x509.GetAllow(); allow != nil {
+			r.X509.Allow = &dbX509Names{}
+			if allow.Dns != nil {
+				r.X509.Allow.DNSDomains = allow.Dns
+			}
+			if allow.Ips != nil {
+				r.X509.Allow.IPRanges = allow.Ips
+			}
+			if allow.Emails != nil {
+				r.X509.Allow.EmailAddresses = allow.Emails
+			}
+			if allow.Uris != nil {
+				r.X509.Allow.URIDomains = allow.Uris
+			}
+			if allow.CommonNames != nil {
+				r.X509.Allow.CommonNames = allow.CommonNames
+			}
+		}
+		if deny := x509.GetDeny(); deny != nil {
+			r.X509.Deny = &dbX509Names{}
+			if deny.Dns != nil {
+				r.X509.Deny.DNSDomains = deny.Dns
+			}
+			if deny.Ips != nil {
+				r.X509.Deny.IPRanges = deny.Ips
+			}
+			if deny.Emails != nil {
+				r.X509.Deny.EmailAddresses = deny.Emails
+			}
+			if deny.Uris != nil {
+				r.X509.Deny.URIDomains = deny.Uris
+			}
+			if deny.CommonNames != nil {
+				r.X509.Deny.CommonNames = deny.CommonNames
+			}
+		}
+
+		r.X509.AllowWildcardNames = x509.GetAllowWildcardNames()
+	}
+
+	// fill ssh policy configuration
+	if ssh := p.GetSsh(); ssh != nil {
+		r.SSH = &dbSSHPolicy{}
+		if host := ssh.GetHost(); host != nil {
+			r.SSH.Host = &dbSSHHostPolicy{}
+			if allow := host.GetAllow(); allow != nil {
+				r.SSH.Host.Allow = &dbSSHHostNames{}
+				if allow.Dns != nil {
+					r.SSH.Host.Allow.DNSDomains = allow.Dns
+				}
+				if allow.Ips != nil {
+					r.SSH.Host.Allow.IPRanges = allow.Ips
+				}
+				if allow.Principals != nil {
+					r.SSH.Host.Allow.Principals = allow.Principals
+				}
+			}
+			if deny := host.GetDeny(); deny != nil {
+				r.SSH.Host.Deny = &dbSSHHostNames{}
+				if deny.Dns != nil {
+					r.SSH.Host.Deny.DNSDomains = deny.Dns
+				}
+				if deny.Ips != nil {
+					r.SSH.Host.Deny.IPRanges = deny.Ips
+				}
+				if deny.Principals != nil {
+					r.SSH.Host.Deny.Principals = deny.Principals
+				}
+			}
+		}
+		if user := ssh.GetUser(); user != nil {
+			r.SSH.User = &dbSSHUserPolicy{}
+			if allow := user.GetAllow(); allow != nil {
+				r.SSH.User.Allow = &dbSSHUserNames{}
+				if allow.Emails != nil {
+					r.SSH.User.Allow.EmailAddresses = allow.Emails
+				}
+				if allow.Principals != nil {
+					r.SSH.User.Allow.Principals = allow.Principals
+				}
+			}
+			if deny := user.GetDeny(); deny != nil {
+				r.SSH.User.Deny = &dbSSHUserNames{}
+				if deny.Emails != nil {
+					r.SSH.User.Deny.EmailAddresses = deny.Emails
+				}
+				if deny.Principals != nil {
+					r.SSH.User.Deny.Principals = deny.Principals
+				}
+			}
+		}
+	}
+
+	return r
+}
--- a/authority/admin/db/nosql/policy_test.go
+++ b/authority/admin/db/nosql/policy_test.go
@ -4,15 +4,15 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"reflect"
 	"testing"

-	"go.step.sm/linkedca"
-
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/nosql"
 	nosqldb "github.com/smallstep/nosql/database"
+	"go.step.sm/linkedca"
 )

 func TestDB_getDBAuthorityPolicyBytes(t *testing.T) {
@ -136,13 +136,13 @@ func TestDB_getDBAuthorityPolicy(t *testing.T) {
 			dbp := &dbAuthorityPolicy{
 				ID:          "ID",
 				AuthorityID: "diffAuthID",
-				Policy: &linkedca.Policy{
+				Policy: linkedToDB(&linkedca.Policy{
 					X509: &linkedca.X509Policy{
 						Allow: &linkedca.X509Names{
 							Dns: []string{"*.local"},
 						},
 					},
-				},
+				}),
 			}
 			b, err := json.Marshal(dbp)
 			assert.FatalError(t, err)
@ -177,13 +177,13 @@ func TestDB_getDBAuthorityPolicy(t *testing.T) {
 			dbap := &dbAuthorityPolicy{
 				ID:          "ID",
 				AuthorityID: authID,
-				Policy: &linkedca.Policy{
+				Policy: linkedToDB(&linkedca.Policy{
 					X509: &linkedca.X509Policy{
 						Allow: &linkedca.X509Names{
 							Dns: []string{"*.local"},
 						},
 					},
-				},
+				}),
 			}
 			b, err := json.Marshal(dbap)
 			assert.FatalError(t, err)
@ -266,7 +266,7 @@ func TestDB_CreateAuthorityPolicy(t *testing.T) {

 						assert.Equals(t, _dbap.ID, authID)
 						assert.Equals(t, _dbap.AuthorityID, authID)
-						assert.Equals(t, _dbap.Policy, policy)
+						assert.Equals(t, _dbap.Policy, linkedToDB(policy))

 						return nil, false, errors.New("force")
 					},
@ -296,7 +296,7 @@ func TestDB_CreateAuthorityPolicy(t *testing.T) {

 						assert.Equals(t, _dbap.ID, authID)
 						assert.Equals(t, _dbap.AuthorityID, authID)
-						assert.Equals(t, _dbap.Policy, policy)
+						assert.Equals(t, _dbap.Policy, linkedToDB(policy))

 						return nil, true, nil
 					},
@ -388,7 +388,7 @@ func TestDB_GetAuthorityPolicy(t *testing.T) {
 						dbap := &dbAuthorityPolicy{
 							ID:          authID,
 							AuthorityID: authID,
-							Policy:      policy,
+							Policy:      linkedToDB(policy),
 						}

 						b, err := json.Marshal(dbap)
@ -496,7 +496,7 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) {
 						dbap := &dbAuthorityPolicy{
 							ID:          authID,
 							AuthorityID: authID,
-							Policy:      oldPolicy,
+							Policy:      linkedToDB(oldPolicy),
 						}

 						b, err := json.Marshal(dbap)
@ -513,7 +513,7 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) {

 						assert.Equals(t, _dbap.ID, authID)
 						assert.Equals(t, _dbap.AuthorityID, authID)
-						assert.Equals(t, _dbap.Policy, policy)
+						assert.Equals(t, _dbap.Policy, linkedToDB(policy))

 						return nil, false, errors.New("force")
 					},
@ -548,7 +548,7 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) {
 						dbap := &dbAuthorityPolicy{
 							ID:          authID,
 							AuthorityID: authID,
-							Policy:      oldPolicy,
+							Policy:      linkedToDB(oldPolicy),
 						}

 						b, err := json.Marshal(dbap)
@ -565,7 +565,7 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) {

 						assert.Equals(t, _dbap.ID, authID)
 						assert.Equals(t, _dbap.AuthorityID, authID)
-						assert.Equals(t, _dbap.Policy, policy)
+						assert.Equals(t, _dbap.Policy, linkedToDB(policy))

 						return nil, true, nil
 					},
@ -656,7 +656,7 @@ func TestDB_DeleteAuthorityPolicy(t *testing.T) {
 						dbap := &dbAuthorityPolicy{
 							ID:          authID,
 							AuthorityID: authID,
-							Policy:      oldPolicy,
+							Policy:      linkedToDB(oldPolicy),
 						}

 						b, err := json.Marshal(dbap)
@ -694,7 +694,7 @@ func TestDB_DeleteAuthorityPolicy(t *testing.T) {
 						dbap := &dbAuthorityPolicy{
 							ID:          authID,
 							AuthorityID: authID,
-							Policy:      oldPolicy,
+							Policy:      linkedToDB(oldPolicy),
 						}

 						b, err := json.Marshal(dbap)
@ -737,3 +737,470 @@ func TestDB_DeleteAuthorityPolicy(t *testing.T) {
 		})
 	}
 }
+
+func Test_linkedToDB(t *testing.T) {
+	type args struct {
+		p *linkedca.Policy
+	}
+	tests := []struct {
+		name string
+		args args
+		want *dbPolicy
+	}{
+		{
+			name: "nil policy",
+			args: args{
+				p: nil,
+			},
+			want: nil,
+		},
+		{
+			name: "no x509 nor ssh",
+			args: args{
+				p: &linkedca.Policy{},
+			},
+			want: nil,
+		},
+		{
+			name: "x509",
+			args: args{
+				p: &linkedca.Policy{
+					X509: &linkedca.X509Policy{
+						Allow: &linkedca.X509Names{
+							Dns:         []string{"*.local"},
+							Ips:         []string{"192.168.0.1/24"},
+							Emails:      []string{"@example.com"},
+							Uris:        []string{"*.example.com"},
+							CommonNames: []string{"some name"},
+						},
+						Deny: &linkedca.X509Names{
+							Dns:         []string{"badhost.local"},
+							Ips:         []string{"192.168.0.30"},
+							Emails:      []string{"root@example.com"},
+							Uris:        []string{"bad.example.com"},
+							CommonNames: []string{"bad name"},
+						},
+						AllowWildcardNames: true,
+					},
+				},
+			},
+			want: &dbPolicy{
+				X509: &dbX509Policy{
+					Allow: &dbX509Names{
+						DNSDomains:     []string{"*.local"},
+						IPRanges:       []string{"192.168.0.1/24"},
+						EmailAddresses: []string{"@example.com"},
+						URIDomains:     []string{"*.example.com"},
+						CommonNames:    []string{"some name"},
+					},
+					Deny: &dbX509Names{
+						DNSDomains:     []string{"badhost.local"},
+						IPRanges:       []string{"192.168.0.30"},
+						EmailAddresses: []string{"root@example.com"},
+						URIDomains:     []string{"bad.example.com"},
+						CommonNames:    []string{"bad name"},
+					},
+					AllowWildcardNames: true,
+				},
+			},
+		},
+		{
+			name: "ssh user",
+			args: args{
+				p: &linkedca.Policy{
+					Ssh: &linkedca.SSHPolicy{
+						User: &linkedca.SSHUserPolicy{
+							Allow: &linkedca.SSHUserNames{
+								Emails:     []string{"@example.com"},
+								Principals: []string{"user"},
+							},
+							Deny: &linkedca.SSHUserNames{
+								Emails:     []string{"root@example.com"},
+								Principals: []string{"root"},
+							},
+						},
+					},
+				},
+			},
+			want: &dbPolicy{
+				SSH: &dbSSHPolicy{
+					User: &dbSSHUserPolicy{
+						Allow: &dbSSHUserNames{
+							EmailAddresses: []string{"@example.com"},
+							Principals:     []string{"user"},
+						},
+						Deny: &dbSSHUserNames{
+							EmailAddresses: []string{"root@example.com"},
+							Principals:     []string{"root"},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "full ssh policy",
+			args: args{
+				p: &linkedca.Policy{
+					Ssh: &linkedca.SSHPolicy{
+						Host: &linkedca.SSHHostPolicy{
+							Allow: &linkedca.SSHHostNames{
+								Dns:        []string{"*.local"},
+								Ips:        []string{"192.168.0.1/24"},
+								Principals: []string{"host"},
+							},
+							Deny: &linkedca.SSHHostNames{
+								Dns:        []string{"badhost.local"},
+								Ips:        []string{"192.168.0.30"},
+								Principals: []string{"bad"},
+							},
+						},
+					},
+				},
+			},
+			want: &dbPolicy{
+				SSH: &dbSSHPolicy{
+					Host: &dbSSHHostPolicy{
+						Allow: &dbSSHHostNames{
+							DNSDomains: []string{"*.local"},
+							IPRanges:   []string{"192.168.0.1/24"},
+							Principals: []string{"host"},
+						},
+						Deny: &dbSSHHostNames{
+							DNSDomains: []string{"badhost.local"},
+							IPRanges:   []string{"192.168.0.30"},
+							Principals: []string{"bad"},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "full policy",
+			args: args{
+				p: &linkedca.Policy{
+					X509: &linkedca.X509Policy{
+						Allow: &linkedca.X509Names{
+							Dns:         []string{"*.local"},
+							Ips:         []string{"192.168.0.1/24"},
+							Emails:      []string{"@example.com"},
+							Uris:        []string{"*.example.com"},
+							CommonNames: []string{"some name"},
+						},
+						Deny: &linkedca.X509Names{
+							Dns:         []string{"badhost.local"},
+							Ips:         []string{"192.168.0.30"},
+							Emails:      []string{"root@example.com"},
+							Uris:        []string{"bad.example.com"},
+							CommonNames: []string{"bad name"},
+						},
+						AllowWildcardNames: true,
+					},
+					Ssh: &linkedca.SSHPolicy{
+						User: &linkedca.SSHUserPolicy{
+							Allow: &linkedca.SSHUserNames{
+								Emails:     []string{"@example.com"},
+								Principals: []string{"user"},
+							},
+							Deny: &linkedca.SSHUserNames{
+								Emails:     []string{"root@example.com"},
+								Principals: []string{"root"},
+							},
+						},
+						Host: &linkedca.SSHHostPolicy{
+							Allow: &linkedca.SSHHostNames{
+								Dns:        []string{"*.local"},
+								Ips:        []string{"192.168.0.1/24"},
+								Principals: []string{"host"},
+							},
+							Deny: &linkedca.SSHHostNames{
+								Dns:        []string{"badhost.local"},
+								Ips:        []string{"192.168.0.30"},
+								Principals: []string{"bad"},
+							},
+						},
+					},
+				},
+			},
+			want: &dbPolicy{
+				X509: &dbX509Policy{
+					Allow: &dbX509Names{
+						DNSDomains:     []string{"*.local"},
+						IPRanges:       []string{"192.168.0.1/24"},
+						EmailAddresses: []string{"@example.com"},
+						URIDomains:     []string{"*.example.com"},
+						CommonNames:    []string{"some name"},
+					},
+					Deny: &dbX509Names{
+						DNSDomains:     []string{"badhost.local"},
+						IPRanges:       []string{"192.168.0.30"},
+						EmailAddresses: []string{"root@example.com"},
+						URIDomains:     []string{"bad.example.com"},
+						CommonNames:    []string{"bad name"},
+					},
+					AllowWildcardNames: true,
+				},
+				SSH: &dbSSHPolicy{
+					User: &dbSSHUserPolicy{
+						Allow: &dbSSHUserNames{
+							EmailAddresses: []string{"@example.com"},
+							Principals:     []string{"user"},
+						},
+						Deny: &dbSSHUserNames{
+							EmailAddresses: []string{"root@example.com"},
+							Principals:     []string{"root"},
+						},
+					},
+					Host: &dbSSHHostPolicy{
+						Allow: &dbSSHHostNames{
+							DNSDomains: []string{"*.local"},
+							IPRanges:   []string{"192.168.0.1/24"},
+							Principals: []string{"host"},
+						},
+						Deny: &dbSSHHostNames{
+							DNSDomains: []string{"badhost.local"},
+							IPRanges:   []string{"192.168.0.30"},
+							Principals: []string{"bad"},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := linkedToDB(tt.args.p); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("linkedToDB() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_dbToLinked(t *testing.T) {
+	type args struct {
+		p *dbPolicy
+	}
+	tests := []struct {
+		name string
+		args args
+		want *linkedca.Policy
+	}{
+		{
+			name: "nil policy",
+			args: args{
+				p: nil,
+			},
+			want: nil,
+		},
+		{
+			name: "x509",
+			args: args{
+				p: &dbPolicy{
+					X509: &dbX509Policy{
+						Allow: &dbX509Names{
+							DNSDomains:     []string{"*.local"},
+							IPRanges:       []string{"192.168.0.1/24"},
+							EmailAddresses: []string{"@example.com"},
+							URIDomains:     []string{"*.example.com"},
+							CommonNames:    []string{"some name"},
+						},
+						Deny: &dbX509Names{
+							DNSDomains:     []string{"badhost.local"},
+							IPRanges:       []string{"192.168.0.30"},
+							EmailAddresses: []string{"root@example.com"},
+							URIDomains:     []string{"bad.example.com"},
+							CommonNames:    []string{"bad name"},
+						},
+						AllowWildcardNames: true,
+					},
+				},
+			},
+			want: &linkedca.Policy{
+				X509: &linkedca.X509Policy{
+					Allow: &linkedca.X509Names{
+						Dns:         []string{"*.local"},
+						Ips:         []string{"192.168.0.1/24"},
+						Emails:      []string{"@example.com"},
+						Uris:        []string{"*.example.com"},
+						CommonNames: []string{"some name"},
+					},
+					Deny: &linkedca.X509Names{
+						Dns:         []string{"badhost.local"},
+						Ips:         []string{"192.168.0.30"},
+						Emails:      []string{"root@example.com"},
+						Uris:        []string{"bad.example.com"},
+						CommonNames: []string{"bad name"},
+					},
+					AllowWildcardNames: true,
+				},
+			},
+		},
+		{
+			name: "ssh user",
+			args: args{
+				p: &dbPolicy{
+					SSH: &dbSSHPolicy{
+						User: &dbSSHUserPolicy{
+							Allow: &dbSSHUserNames{
+								EmailAddresses: []string{"@example.com"},
+								Principals:     []string{"user"},
+							},
+							Deny: &dbSSHUserNames{
+								EmailAddresses: []string{"root@example.com"},
+								Principals:     []string{"root"},
+							},
+						},
+					},
+				},
+			},
+			want: &linkedca.Policy{
+				Ssh: &linkedca.SSHPolicy{
+					User: &linkedca.SSHUserPolicy{
+						Allow: &linkedca.SSHUserNames{
+							Emails:     []string{"@example.com"},
+							Principals: []string{"user"},
+						},
+						Deny: &linkedca.SSHUserNames{
+							Emails:     []string{"root@example.com"},
+							Principals: []string{"root"},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "ssh host",
+			args: args{
+				p: &dbPolicy{
+					SSH: &dbSSHPolicy{
+						Host: &dbSSHHostPolicy{
+							Allow: &dbSSHHostNames{
+								DNSDomains: []string{"*.local"},
+								IPRanges:   []string{"192.168.0.1/24"},
+								Principals: []string{"host"},
+							},
+							Deny: &dbSSHHostNames{
+								DNSDomains: []string{"badhost.local"},
+								IPRanges:   []string{"192.168.0.30"},
+								Principals: []string{"bad"},
+							},
+						},
+					},
+				},
+			},
+			want: &linkedca.Policy{
+				Ssh: &linkedca.SSHPolicy{
+					Host: &linkedca.SSHHostPolicy{
+						Allow: &linkedca.SSHHostNames{
+							Dns:        []string{"*.local"},
+							Ips:        []string{"192.168.0.1/24"},
+							Principals: []string{"host"},
+						},
+						Deny: &linkedca.SSHHostNames{
+							Dns:        []string{"badhost.local"},
+							Ips:        []string{"192.168.0.30"},
+							Principals: []string{"bad"},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "full policy",
+			args: args{
+				p: &dbPolicy{
+					X509: &dbX509Policy{
+						Allow: &dbX509Names{
+							DNSDomains:     []string{"*.local"},
+							IPRanges:       []string{"192.168.0.1/24"},
+							EmailAddresses: []string{"@example.com"},
+							URIDomains:     []string{"*.example.com"},
+							CommonNames:    []string{"some name"},
+						},
+						Deny: &dbX509Names{
+							DNSDomains:     []string{"badhost.local"},
+							IPRanges:       []string{"192.168.0.30"},
+							EmailAddresses: []string{"root@example.com"},
+							URIDomains:     []string{"bad.example.com"},
+							CommonNames:    []string{"bad name"},
+						},
+						AllowWildcardNames: true,
+					},
+					SSH: &dbSSHPolicy{
+						User: &dbSSHUserPolicy{
+							Allow: &dbSSHUserNames{
+								EmailAddresses: []string{"@example.com"},
+								Principals:     []string{"user"},
+							},
+							Deny: &dbSSHUserNames{
+								EmailAddresses: []string{"root@example.com"},
+								Principals:     []string{"root"},
+							},
+						},
+						Host: &dbSSHHostPolicy{
+							Allow: &dbSSHHostNames{
+								DNSDomains: []string{"*.local"},
+								IPRanges:   []string{"192.168.0.1/24"},
+								Principals: []string{"host"},
+							},
+							Deny: &dbSSHHostNames{
+								DNSDomains: []string{"badhost.local"},
+								IPRanges:   []string{"192.168.0.30"},
+								Principals: []string{"bad"},
+							},
+						},
+					},
+				},
+			},
+			want: &linkedca.Policy{
+				X509: &linkedca.X509Policy{
+					Allow: &linkedca.X509Names{
+						Dns:         []string{"*.local"},
+						Ips:         []string{"192.168.0.1/24"},
+						Emails:      []string{"@example.com"},
+						Uris:        []string{"*.example.com"},
+						CommonNames: []string{"some name"},
+					},
+					Deny: &linkedca.X509Names{
+						Dns:         []string{"badhost.local"},
+						Ips:         []string{"192.168.0.30"},
+						Emails:      []string{"root@example.com"},
+						Uris:        []string{"bad.example.com"},
+						CommonNames: []string{"bad name"},
+					},
+					AllowWildcardNames: true,
+				},
+				Ssh: &linkedca.SSHPolicy{
+					User: &linkedca.SSHUserPolicy{
+						Allow: &linkedca.SSHUserNames{
+							Emails:     []string{"@example.com"},
+							Principals: []string{"user"},
+						},
+						Deny: &linkedca.SSHUserNames{
+							Emails:     []string{"root@example.com"},
+							Principals: []string{"root"},
+						},
+					},
+					Host: &linkedca.SSHHostPolicy{
+						Allow: &linkedca.SSHHostNames{
+							Dns:        []string{"*.local"},
+							Ips:        []string{"192.168.0.1/24"},
+							Principals: []string{"host"},
+						},
+						Deny: &linkedca.SSHHostNames{
+							Dns:        []string{"badhost.local"},
+							Ips:        []string{"192.168.0.30"},
+							Principals: []string{"bad"},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := dbToLinked(tt.args.p); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("dbToLinked() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}