New sshcerts, fix unexpected behaviour in DB

obelisk · May 5, 2021 · 274469f · 274469f
1 parent 0ceb116
commit 274469f
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 10 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/rustica-agent/Cargo.toml b/rustica-agent/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rustica-agent"
-version = "0.3.4"
+version = "0.3.5"
 authors = ["Mitchell Grenier <mitchell@confurious.io>"]
 edition = "2018"
 
@@ -20,7 +20,10 @@ ring = "0.16.9"
 serde = "1.0.97"
 serde_derive = "1.0"
 sha2 = "0.9.2"
-sshcerts = {git = "https://github.com/obelisk/sshcerts", features = ["yubikey"]}
+# For Production
+sshcerts = {version = "0.4.4", features = ["yubikey"]}
+# For Development
+# sshcerts = {git = "https://github.com/obelisk/sshcerts", features = ["yubikey"]}
 tokio = { version = "1.0.0", features = ["full"] }
 toml = "0.5.8"
 tonic = {version = "0.4", features = ["tls"] }

diff --git a/rustica/Cargo.toml b/rustica/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rustica"
-version = "0.3.4"
+version = "0.3.5"
 authors = ["Mitchell Grenier <mitchell@confurious.io>"]
 edition = "2018"
 
@@ -20,7 +20,10 @@ log = "0.4.13"
 prost = "0.7"
 ring = "0.16.9"
 sha2 = "0.9.2"
-sshcerts = {git = "https://github.com/obelisk/sshcerts", features = ["yubikey"]}
+# For Production
+sshcerts = {version = "0.4.4", features = ["yubikey"]}
+# For Development
+# sshcerts = {git = "https://github.com/obelisk/sshcerts", features = ["yubikey"]}
 tokio = { version = "1.0.0", features = ["full"] }
 tonic = {version = "0.4", features = ["tls"] }
 x509-parser = {version = "0.9", features = ["verify"]}

diff --git a/rustica/src/auth/database.rs b/rustica/src/auth/database.rs
@@ -37,7 +37,7 @@ impl LocalDatabase {
         };
 
         let conn = establish_connection();
-        let principals = {
+        let principals: Vec<String> = {
             use schema::fingerprint_principal_authorizations::dsl::*;
             let results = fingerprint_principal_authorizations.filter(fingerprint.eq(fp))
                 .load::<models::FingerprintPrincipalAuthorization>(&conn)
@@ -75,10 +75,26 @@ impl LocalDatabase {
                         }
                     }
                 };
+
+                // If a host is principal unrestricted we put no principals
+                // in the certificate which allows all.
+                let principals = if results[0].principal_unrestricted {
+                    vec![]
+                } else if !principals.is_empty() {
+                    // If a host is not principal unrestricted and has
+                    // principals, those are the only ones that will be
+                    // inserted into a final certificate.
+                    principals
+                } else {
+                    // If a host is not principal unrestricted but has no
+                    // principals, we return an Authorization error
+                    return Err(AuthorizationError::NotAuthorized)
+                };
+
                 Ok(Authorization {
                     serial: 0x000000000000000,
                     // When principal is unrestricted, we just pass their requested principals through
-                    principals: if results[0].principal_unrestricted {req.principals.clone()} else {principals},
+                    principals,
                     // When host is unrestricted we return None
                     hosts: if results[0].host_unrestricted {None} else {hosts},
                     extensions: Extensions::Standard,