Merge branch 'master' into wire_subject_test_coverage

authority/export.go

@@ -8,10 +8,12 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/authority/provisioner"
-	"go.step.sm/cli-utils/step"
-	"go.step.sm/linkedca"
 	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/smallstep/cli-utils/step"
+	"go.step.sm/linkedca"
+
+	"github.com/smallstep/certificates/authority/provisioner"
 )
 
 // Export creates a linkedca configuration form the current ca.json and loaded

authority/provisioner/aws.go

@@ -358,7 +358,7 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	if p.DisableCustomSANs {
 		dnsName := fmt.Sprintf("ip-%s.%s.compute.internal", strings.ReplaceAll(doc.PrivateIP, ".", "-"), doc.Region)
 		so = append(so,
-			dnsNamesValidator([]string{dnsName}),
+			dnsNamesSubsetValidator([]string{dnsName}),
 			ipAddressesValidator([]net.IP{
 				net.ParseIP(doc.PrivateIP),
 			}),

authority/provisioner/aws_test.go

@@ -698,7 +698,7 @@ func TestAWS_AuthorizeSign(t *testing.T) {
 					case *urisValidator:
 						assert.Equals(t, v.uris, nil)
 						assert.Equals(t, MethodFromContext(v.ctx), SignMethod)
-					case dnsNamesValidator:
+					case dnsNamesSubsetValidator:
 						assert.Equals(t, []string(v), []string{"ip-127-0-0-1.us-west-1.compute.internal"})
 					case *x509NamePolicyValidator:
 						assert.Equals(t, nil, v.policyEngine)

authority/provisioner/azure.go

@@ -379,7 +379,7 @@ func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 		// name will work only inside the virtual network
 		so = append(so,
 			commonNameValidator(name),
-			dnsNamesValidator([]string{name}),
+			dnsNamesSubsetValidator([]string{name}),
 			ipAddressesValidator(nil),
 			emailAddressesValidator(nil),
 			newURIsValidator(ctx, nil),

authority/provisioner/azure_test.go

@@ -563,7 +563,7 @@ func TestAzure_AuthorizeSign(t *testing.T) {
 					case *urisValidator:
 						assert.Equals(t, v.uris, nil)
 						assert.Equals(t, MethodFromContext(v.ctx), SignMethod)
-					case dnsNamesValidator:
+					case dnsNamesSubsetValidator:
 						assert.Equals(t, []string(v), []string{"virtualMachine"})
 					case *x509NamePolicyValidator:
 						assert.Equals(t, nil, v.policyEngine)

authority/provisioner/gcp.go

@@ -265,7 +265,7 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 			commonNameSliceValidator([]string{
 				ce.InstanceName, ce.InstanceID, dnsName1, dnsName2,
 			}),
-			dnsNamesValidator([]string{
+			dnsNamesSubsetValidator([]string{
 				dnsName1, dnsName2,
 			}),
 			ipAddressesValidator(nil),

authority/provisioner/gcp_test.go

@@ -579,7 +579,7 @@ func TestGCP_AuthorizeSign(t *testing.T) {
 					case *urisValidator:
 						assert.Equals(t, v.uris, nil)
 						assert.Equals(t, MethodFromContext(v.ctx), SignMethod)
-					case dnsNamesValidator:
+					case dnsNamesSubsetValidator:
 						assert.Equals(t, []string(v), []string{"instance-name.c.project-id.internal", "instance-name.zone.c.project-id.internal"})
 					case *x509NamePolicyValidator:
 						assert.Equals(t, nil, v.policyEngine)

authority/provisioner/options.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/pkg/errors"
 
-	"go.step.sm/cli-utils/step"
+	"github.com/smallstep/cli-utils/step"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/x509util"
 

authority/provisioner/sign_options.go

@@ -190,6 +190,27 @@ func (v dnsNamesValidator) Valid(req *x509.CertificateRequest) error {
 	return nil
 }
 
+// dnsNamesSubsetValidator validates the DNS name SANs of a certificate request.
+type dnsNamesSubsetValidator []string
+
+// Valid checks that all DNS name SANs in the certificate request are present in
+// the allowed list of DNS names.
+func (v dnsNamesSubsetValidator) Valid(req *x509.CertificateRequest) error {
+	if len(req.DNSNames) == 0 {
+		return nil
+	}
+	allowed := make(map[string]struct{}, len(v))
+	for _, s := range v {
+		allowed[s] = struct{}{}
+	}
+	for _, s := range req.DNSNames {
+		if _, ok := allowed[s]; !ok {
+			return errs.Forbidden("certificate request contains unauthorized DNS names - got %v, allowed %v", req.DNSNames, v)
+		}
+	}
+	return nil
+}
+
 // ipAddressesValidator validates the IP addresses SAN of a certificate request.
 type ipAddressesValidator []net.IP
 

authority/provisioner/sign_options_test.go

@@ -186,6 +186,39 @@ func Test_dnsNamesValidator_Valid(t *testing.T) {
 	}
 }
 
+func Test_dnsNamesSubsetValidator_Valid(t *testing.T) {
+	type args struct {
+		req *x509.CertificateRequest
+	}
+	tests := []struct {
+		name    string
+		v       dnsNamesSubsetValidator
+		args    args
+		wantErr bool
+	}{
+		{"ok0", []string{}, args{&x509.CertificateRequest{DNSNames: []string{}}}, false},
+		{"ok1", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar"}}}, false},
+		{"ok2", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar", "bar.zar"}}}, false},
+		{"ok3", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar", "foo.bar.zar"}}}, false},
+		{"ok4", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{}}, false},
+		{"ok5", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar"}}}, false},
+		{"ok6", []string{"foo", "bar", "baz", "zar", "zap"}, args{&x509.CertificateRequest{DNSNames: []string{"zap", "baz", "foo"}}}, false},
+		{"fail1", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar"}}}, true},
+		{"fail2", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar", "foo.bar.zar"}}}, true},
+		{"fail3", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar", "zar.bar"}}}, true},
+		{"fail4", []string{"foo", "bar", "baz", "zar", "zap"}, args{&x509.CertificateRequest{DNSNames: []string{"zap", "baz", "foO"}}}, true},
+		{"fail5", []string{"foo", "bar", "baz", "zar", "zap"}, args{&x509.CertificateRequest{DNSNames: []string{"zap", "baz", "fax", "foo"}}}, true},
+		{"fail6", []string{}, args{&x509.CertificateRequest{DNSNames: []string{"zap", "baz", "fax", "foo"}}}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := tt.v.Valid(tt.args.req); (err != nil) != tt.wantErr {
+				t.Errorf("dnsNamesSubsetValidator.Valid() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
 func Test_ipAddressesValidator_Valid(t *testing.T) {
 	ip1 := net.IPv4(10, 3, 2, 1)
 	ip2 := net.IPv4(10, 3, 2, 2)

authority/provisioner/ssh_options.go

@@ -5,7 +5,8 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"go.step.sm/cli-utils/step"
+
+	"github.com/smallstep/cli-utils/step"
 	"go.step.sm/crypto/sshutil"
 
 	"github.com/smallstep/certificates/authority/policy"

authority/provisioners.go

@@ -11,8 +11,8 @@ import (
 
 	"github.com/pkg/errors"
 
-	"go.step.sm/cli-utils/step"
-	"go.step.sm/cli-utils/ui"
+	"github.com/smallstep/cli-utils/step"
+	"github.com/smallstep/cli-utils/ui"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/linkedca"
 
@@ -955,6 +955,8 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
 			ProjectIDs:             cfg.ProjectIds,
 			DisableCustomSANs:      cfg.DisableCustomSans,
 			DisableTrustOnFirstUse: cfg.DisableTrustOnFirstUse,
+			DisableSSHCAUser:       cfg.DisableSshCaUser,
+			DisableSSHCAHost:       cfg.DisableSshCaHost,
 			InstanceAge:            instanceAge,
 			Claims:                 claims,
 			Options:                options,
@@ -1095,6 +1097,8 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
 						ProjectIds:             p.ProjectIDs,
 						DisableCustomSans:      p.DisableCustomSANs,
 						DisableTrustOnFirstUse: p.DisableTrustOnFirstUse,
+						DisableSshCaUser:       p.DisableSSHCAUser,
+						DisableSshCaHost:       p.DisableSSHCAHost,
 						InstanceAge:            p.InstanceAge.String(),
 					},
 				},

authority/provisioners_test.go

@@ -9,12 +9,12 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/require"
+
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/linkedca"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/admin"

ca/adminClient.go

@@ -15,8 +15,8 @@ import (
 	"github.com/pkg/errors"
 	"google.golang.org/protobuf/encoding/protojson"
 
-	"go.step.sm/cli-utils/token"
-	"go.step.sm/cli-utils/token/provision"
+	"github.com/smallstep/cli-utils/token"
+	"github.com/smallstep/cli-utils/token/provision"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
 	"go.step.sm/linkedca"

ca/ca.go

@@ -18,6 +18,11 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/pkg/errors"
+
+	"github.com/smallstep/cli-utils/step"
+	"github.com/smallstep/nosql"
+	"go.step.sm/crypto/x509util"
+
 	"github.com/smallstep/certificates/acme"
 	acmeAPI "github.com/smallstep/certificates/acme/api"
 	acmeNoSQL "github.com/smallstep/certificates/acme/db/nosql"
@@ -35,9 +40,6 @@ import (
 	"github.com/smallstep/certificates/scep"
 	scepAPI "github.com/smallstep/certificates/scep/api"
 	"github.com/smallstep/certificates/server"
-	"github.com/smallstep/nosql"
-	"go.step.sm/cli-utils/step"
-	"go.step.sm/crypto/x509util"
 )
 
 type options struct {

ca/client.go

@@ -24,21 +24,23 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"golang.org/x/net/http2"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/proto"
+
+	"github.com/smallstep/cli-utils/step"
+	"go.step.sm/crypto/jose"
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/pemutil"
+	"go.step.sm/crypto/randutil"
+	"go.step.sm/crypto/x509util"
+
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/ca/client"
 	"github.com/smallstep/certificates/ca/identity"
 	"github.com/smallstep/certificates/errs"
-	"go.step.sm/cli-utils/step"
-	"go.step.sm/crypto/jose"
-	"go.step.sm/crypto/keyutil"
-	"go.step.sm/crypto/pemutil"
-	"go.step.sm/crypto/randutil"
-	"go.step.sm/crypto/x509util"
-	"golang.org/x/net/http2"
-	"google.golang.org/protobuf/encoding/protojson"
-	"google.golang.org/protobuf/proto"
 )
 
 // DisableIdentity is a global variable to disable the identity.

ca/identity/identity.go

@@ -14,9 +14,11 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/api"
-	"go.step.sm/cli-utils/step"
+
+	"github.com/smallstep/cli-utils/step"
 	"go.step.sm/crypto/pemutil"
+
+	"github.com/smallstep/certificates/api"
 )
 
 // Type represents the different types of identity files.

ca/provisioner.go

@@ -6,11 +6,13 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/authority/provisioner"
-	"go.step.sm/cli-utils/token"
-	"go.step.sm/cli-utils/token/provision"
+
+	"github.com/smallstep/cli-utils/token"
+	"github.com/smallstep/cli-utils/token/provision"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
+
+	"github.com/smallstep/certificates/authority/provisioner"
 )
 
 const tokenLifetime = 5 * time.Minute

cas/stepcas/jwk_issuer.go

@@ -8,12 +8,14 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+
+	"github.com/smallstep/cli-utils/ui"
+	"go.step.sm/crypto/jose"
+	"go.step.sm/crypto/randutil"
+
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/ca"
 	"github.com/smallstep/certificates/cas/apiv1"
-	"go.step.sm/cli-utils/ui"
-	"go.step.sm/crypto/jose"
-	"go.step.sm/crypto/randutil"
 )
 
 type jwkIssuer struct {

cmd/step-ca/main.go

@@ -16,14 +16,15 @@ import (
 	//nolint:gosec // profile server, if enabled runs on a different port
 	_ "net/http/pprof"
 
+	"github.com/urfave/cli"
+
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/commands"
-	"github.com/urfave/cli"
-	"go.step.sm/cli-utils/command"
-	"go.step.sm/cli-utils/command/version"
-	"go.step.sm/cli-utils/step"
-	"go.step.sm/cli-utils/ui"
-	"go.step.sm/cli-utils/usage"
+	"github.com/smallstep/cli-utils/command"
+	"github.com/smallstep/cli-utils/command/version"
+	"github.com/smallstep/cli-utils/step"
+	"github.com/smallstep/cli-utils/ui"
+	"github.com/smallstep/cli-utils/usage"
 	"go.step.sm/crypto/pemutil"
 
 	// Enabled kms interfaces.

commands/app.go

@@ -13,15 +13,17 @@ import (
 	"unicode"
 
 	"github.com/pkg/errors"
+	"github.com/urfave/cli"
+
+	"github.com/smallstep/cli-utils/errs"
+	"github.com/smallstep/cli-utils/step"
+
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/ca"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/pki"
-	"github.com/urfave/cli"
-	"go.step.sm/cli-utils/errs"
-	"go.step.sm/cli-utils/step"
 )
 
 // AppCommand is the action used as the top action.

commands/export.go

@@ -8,13 +8,14 @@ import (
 	"unicode"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/authority"
-	"github.com/smallstep/certificates/authority/config"
 	"github.com/urfave/cli"
 	"google.golang.org/protobuf/encoding/protojson"
 
-	"go.step.sm/cli-utils/command"
-	"go.step.sm/cli-utils/errs"
+	"github.com/smallstep/cli-utils/command"
+	"github.com/smallstep/cli-utils/errs"
+
+	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/config"
 )
 
 func init() {