Merge pull request #534 from smallstep/mariano/validity

Add support validities in templates
smallstep · Jul 1, 2024 · c11e706 · c11e706
2 parents 5a67b5f + 4a9ee47
commit c11e706
Show file tree

Hide file tree

Showing 10 changed files with 232 additions and 28 deletions.
diff --git a/internal/templates/funcmap.go b/internal/templates/funcmap.go
@@ -3,14 +3,19 @@ package templates
 import (
 	"errors"
 	"text/template"
+	"time"
 
 	"github.com/Masterminds/sprig/v3"
+	"go.step.sm/crypto/jose"
 )
 
-// GetFuncMap returns the list of functions provided by sprig. It changes the
-// function "fail" to set the given string, this way we can report template
-// errors directly to the template without having the wrapper that text/template
-// adds.
+// GetFuncMap returns the list of functions provided by sprig. It adds the
+// function "toTime" and changes the function "fail".
+//
+// The "toTime" function receives a time or a Unix epoch and formats it to
+// RFC3339 in UTC. The "fail" function sets the provided message, so that
+// template errors are reported directly to the template without having the
+// wrapper that text/template adds.
 //
 // sprig "env" and "expandenv" functions are removed to avoid the leak of
 // information.
@@ -22,5 +27,31 @@ func GetFuncMap(failMessage *string) template.FuncMap {
 		*failMessage = msg
 		return "", errors.New(msg)
 	}
+	m["toTime"] = toTime
 	return m
 }
+
+func toTime(v any) string {
+	var t time.Time
+	switch date := v.(type) {
+	case time.Time:
+		t = date
+	case *time.Time:
+		t = *date
+	case int64:
+		t = time.Unix(date, 0)
+	case float64: // from json
+		t = time.Unix(int64(date), 0)
+	case int:
+		t = time.Unix(int64(date), 0)
+	case int32:
+		t = time.Unix(int64(date), 0)
+	case jose.NumericDate:
+		t = date.Time()
+	case *jose.NumericDate:
+		t = date.Time()
+	default:
+		t = time.Now()
+	}
+	return t.UTC().Format(time.RFC3339)
+}
diff --git a/internal/templates/funcmap_test.go b/internal/templates/funcmap_test.go
@@ -3,6 +3,11 @@ package templates
 import (
 	"errors"
 	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.step.sm/crypto/jose"
 )
 
 func Test_GetFuncMap_fail(t *testing.T) {
@@ -20,3 +25,51 @@ func Test_GetFuncMap_fail(t *testing.T) {
 		t.Errorf("fail() message = \"%s\", want \"the fail message\"", failMesage)
 	}
 }
+
+func TestGetFuncMap_toTime(t *testing.T) {
+	now := time.Now()
+	numericDate := jose.NewNumericDate(now)
+	expected := now.UTC().Format(time.RFC3339)
+	loc, err := time.LoadLocation("America/Los_Angeles")
+	require.NoError(t, err)
+
+	type args struct {
+		v any
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{"time", args{now}, expected},
+		{"time pointer", args{&now}, expected},
+		{"time UTC", args{now.UTC()}, expected},
+		{"time with location", args{now.In(loc)}, expected},
+		{"unix", args{now.Unix()}, expected},
+		{"unix int", args{int(now.Unix())}, expected},
+		{"unix int32", args{int32(now.Unix())}, expected},
+		{"unix float64", args{float64(now.Unix())}, expected},
+		{"unix float64", args{float64(now.Unix()) + 0.999}, expected},
+		{"jose.NumericDate", args{*numericDate}, expected},
+		{"jose.NumericDate pointer", args{numericDate}, expected},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var failMesage string
+			fns := GetFuncMap(&failMesage)
+			fn := fns["toTime"].(func(any) string)
+			assert.Equal(t, tt.want, fn(tt.args.v))
+		})
+	}
+
+	t.Run("default", func(t *testing.T) {
+		var failMesage string
+		fns := GetFuncMap(&failMesage)
+		fn := fns["toTime"].(func(any) string)
+		want := time.Now()
+		got, err := time.Parse(time.RFC3339, fn(nil))
+		require.NoError(t, err)
+		assert.WithinDuration(t, want, got, time.Second)
+		assert.Equal(t, time.UTC, got.Location())
+	})
+}
diff --git a/sshutil/certificate.go b/sshutil/certificate.go
@@ -6,6 +6,7 @@ import (
 	"crypto/rand"
 	"encoding/binary"
 	"encoding/json"
+	"time"
 
 	"github.com/pkg/errors"
 	"go.step.sm/crypto/randutil"
@@ -20,8 +21,8 @@ type Certificate struct {
 	Type            CertType          `json:"type"`
 	KeyID           string            `json:"keyId"`
 	Principals      []string          `json:"principals"`
-	ValidAfter      uint64            `json:"-"`
-	ValidBefore     uint64            `json:"-"`
+	ValidAfter      time.Time         `json:"validAfter"`
+	ValidBefore     time.Time         `json:"validBefore"`
 	CriticalOptions map[string]string `json:"criticalOptions"`
 	Extensions      map[string]string `json:"extensions"`
 	Reserved        []byte            `json:"reserved"`
@@ -62,8 +63,8 @@ func (c *Certificate) GetCertificate() *ssh.Certificate {
 		CertType:        uint32(c.Type),
 		KeyId:           c.KeyID,
 		ValidPrincipals: c.Principals,
-		ValidAfter:      c.ValidAfter,
-		ValidBefore:     c.ValidBefore,
+		ValidAfter:      toValidity(c.ValidAfter),
+		ValidBefore:     toValidity(c.ValidBefore),
 		Permissions: ssh.Permissions{
 			CriticalOptions: c.CriticalOptions,
 			Extensions:      c.Extensions,
@@ -124,3 +125,10 @@ func CreateCertificate(cert *ssh.Certificate, signer ssh.Signer) (*ssh.Certifica
 
 	return cert, nil
 }
+
+func toValidity(t time.Time) uint64 {
+	if t.IsZero() {
+		return 0
+	}
+	return uint64(t.Unix())
+}
diff --git a/sshutil/certificate_test.go b/sshutil/certificate_test.go
@@ -10,7 +10,9 @@ import (
 	"io"
 	"reflect"
 	"testing"
+	"time"
 
+	"github.com/stretchr/testify/assert"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -71,6 +73,7 @@ func mustGeneratePublicKey(t *testing.T) ssh.PublicKey {
 }
 
 func TestNewCertificate(t *testing.T) {
+	now := time.Now().Truncate(time.Second)
 	key := mustGeneratePublicKey(t)
 	cr := CertificateRequest{
 		Key: key,
@@ -100,8 +103,8 @@ func TestNewCertificate(t *testing.T) {
 			Type:            UserCert,
 			KeyID:           "jane@doe.com",
 			Principals:      []string{"jane"},
-			ValidAfter:      0,
-			ValidBefore:     0,
+			ValidAfter:      time.Time{},
+			ValidBefore:     time.Time{},
 			CriticalOptions: nil,
 			Extensions: map[string]string{
 				"permit-X11-forwarding":   "",
@@ -121,8 +124,8 @@ func TestNewCertificate(t *testing.T) {
 			Type:            HostCert,
 			KeyID:           "foobar",
 			Principals:      []string{"foo.internal", "bar.internal"},
-			ValidAfter:      0,
-			ValidBefore:     0,
+			ValidAfter:      time.Time{},
+			ValidBefore:     time.Time{},
 			CriticalOptions: nil,
 			Extensions:      nil,
 			Reserved:        nil,
@@ -136,8 +139,8 @@ func TestNewCertificate(t *testing.T) {
 			Type:            HostCert,
 			KeyID:           `foobar", "criticalOptions": {"foo": "bar"},"foo":"`,
 			Principals:      []string{"foo.internal", "bar.internal"},
-			ValidAfter:      0,
-			ValidBefore:     0,
+			ValidAfter:      time.Time{},
+			ValidBefore:     time.Time{},
 			CriticalOptions: nil,
 			Extensions:      nil,
 			Reserved:        nil,
@@ -159,8 +162,8 @@ func TestNewCertificate(t *testing.T) {
 			Type:            UserCert,
 			KeyID:           "john@doe.com",
 			Principals:      []string{"john", "john@doe.com"},
-			ValidAfter:      0,
-			ValidBefore:     0,
+			ValidAfter:      time.Time{},
+			ValidBefore:     time.Time{},
 			CriticalOptions: nil,
 			Extensions: map[string]string{
 				"login@github.com":        "john",
@@ -174,15 +177,47 @@ func TestNewCertificate(t *testing.T) {
 			SignatureKey: nil,
 			Signature:    nil,
 		}, false},
+		{"file with dates", args{cr, []Option{WithTemplateFile("./testdata/date.tpl", TemplateData{
+			TypeKey:       UserCert,
+			KeyIDKey:      "john@doe.com",
+			PrincipalsKey: []string{"john", "john@doe.com"},
+			ExtensionsKey: DefaultExtensions(UserCert),
+			InsecureKey: TemplateData{
+				"User": map[string]interface{}{"username": "john"},
+			},
+			WebhooksKey: TemplateData{
+				"Test": map[string]interface{}{"validity": "16h"},
+			},
+		})}}, &Certificate{
+			Nonce:           nil,
+			Key:             key,
+			Serial:          0,
+			Type:            UserCert,
+			KeyID:           "john@doe.com",
+			Principals:      []string{"john", "john@doe.com"},
+			ValidAfter:      now,
+			ValidBefore:     now.Add(16 * time.Hour),
+			CriticalOptions: nil,
+			Extensions: map[string]string{
+				"permit-X11-forwarding":   "",
+				"permit-agent-forwarding": "",
+				"permit-port-forwarding":  "",
+				"permit-pty":              "",
+				"permit-user-rc":          "",
+			},
+			Reserved:     nil,
+			SignatureKey: nil,
+			Signature:    nil,
+		}, false},
 		{"base64", args{cr, []Option{WithTemplateBase64(base64.StdEncoding.EncodeToString([]byte(DefaultTemplate)), CreateTemplateData(HostCert, "foo.internal", nil))}}, &Certificate{
 			Nonce:           nil,
 			Key:             key,
 			Serial:          0,
 			Type:            HostCert,
 			KeyID:           "foo.internal",
 			Principals:      nil,
-			ValidAfter:      0,
-			ValidBefore:     0,
+			ValidAfter:      time.Time{},
+			ValidBefore:     time.Time{},
 			CriticalOptions: nil,
 			Extensions:      nil,
 			Reserved:        nil,
@@ -203,6 +238,15 @@ func TestNewCertificate(t *testing.T) {
 				t.Errorf("NewCertificate() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
+			if got != nil && tt.want != nil {
+				if assert.WithinDuration(t, tt.want.ValidAfter, got.ValidAfter, 2*time.Second) {
+					tt.want.ValidAfter = got.ValidAfter
+				}
+				if assert.WithinDuration(t, tt.want.ValidBefore, got.ValidBefore, 2*time.Second) {
+					tt.want.ValidBefore = got.ValidBefore
+				}
+
+			}
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("NewCertificate() = %v, want %v", got, tt.want)
 			}
@@ -212,6 +256,7 @@ func TestNewCertificate(t *testing.T) {
 
 func TestCertificate_GetCertificate(t *testing.T) {
 	key := mustGeneratePublicKey(t)
+	now := time.Now()
 
 	type fields struct {
 		Nonce           []byte
@@ -220,8 +265,8 @@ func TestCertificate_GetCertificate(t *testing.T) {
 		Type            CertType
 		KeyID           string
 		Principals      []string
-		ValidAfter      uint64
-		ValidBefore     uint64
+		ValidAfter      time.Time
+		ValidBefore     time.Time
 		CriticalOptions map[string]string
 		Extensions      map[string]string
 		Reserved        []byte
@@ -240,8 +285,8 @@ func TestCertificate_GetCertificate(t *testing.T) {
 			Type:            UserCert,
 			KeyID:           "key-id",
 			Principals:      []string{"john"},
-			ValidAfter:      1111,
-			ValidBefore:     2222,
+			ValidAfter:      now,
+			ValidBefore:     now.Add(time.Hour),
 			CriticalOptions: map[string]string{"foo": "bar"},
 			Extensions:      map[string]string{"login@github.com": "john"},
 			Reserved:        []byte("reserved"),
@@ -254,8 +299,8 @@ func TestCertificate_GetCertificate(t *testing.T) {
 			CertType:        ssh.UserCert,
 			KeyId:           "key-id",
 			ValidPrincipals: []string{"john"},
-			ValidAfter:      1111,
-			ValidBefore:     2222,
+			ValidAfter:      uint64(now.Unix()),
+			ValidBefore:     uint64(now.Add(time.Hour).Unix()),
 			Permissions: ssh.Permissions{
 				CriticalOptions: map[string]string{"foo": "bar"},
 				Extensions:      map[string]string{"login@github.com": "john"},
@@ -269,8 +314,8 @@ func TestCertificate_GetCertificate(t *testing.T) {
 			Type:            HostCert,
 			KeyID:           "key-id",
 			Principals:      []string{"foo.internal", "bar.internal"},
-			ValidAfter:      1111,
-			ValidBefore:     2222,
+			ValidAfter:      time.Time{},
+			ValidBefore:     time.Time{},
 			CriticalOptions: map[string]string{"foo": "bar"},
 			Extensions:      nil,
 			Reserved:        []byte("reserved"),
@@ -283,8 +328,8 @@ func TestCertificate_GetCertificate(t *testing.T) {
 			CertType:        ssh.HostCert,
 			KeyId:           "key-id",
 			ValidPrincipals: []string{"foo.internal", "bar.internal"},
-			ValidAfter:      1111,
-			ValidBefore:     2222,
+			ValidAfter:      0,
+			ValidBefore:     0,
 			Permissions: ssh.Permissions{
 				CriticalOptions: map[string]string{"foo": "bar"},
 				Extensions:      nil,

diff --git a/sshutil/testdata/date.tpl b/sshutil/testdata/date.tpl
@@ -0,0 +1,8 @@
+{
+	"type": "{{ .Type }}",
+	"keyId": "{{ .KeyID }}",
+	"principals": {{ toJson .Principals }},
+	"extensions": {{ toJson .Extensions }},
+	"validAfter": {{ now | toJson }},
+	"validBefore": {{ now | dateModify .Webhooks.Test.validity | toJson }}
+}
diff --git a/x509util/certificate.go b/x509util/certificate.go
@@ -7,6 +7,7 @@ import (
 	"crypto/rand"
 	"crypto/x509"
 	"encoding/json"
+	"time"
 
 	"github.com/pkg/errors"
 )
@@ -23,6 +24,8 @@ type Certificate struct {
 	IPAddresses           MultiIP                  `json:"ipAddresses"`
 	URIs                  MultiURL                 `json:"uris"`
 	SANs                  []SubjectAlternativeName `json:"sans"`
+	NotBefore             time.Time                `json:"notBefore"`
+	NotAfter              time.Time                `json:"notAfter"`
 	Extensions            []Extension              `json:"extensions"`
 	KeyUsage              KeyUsage                 `json:"keyUsage"`
 	ExtKeyUsage           ExtKeyUsage              `json:"extKeyUsage"`
@@ -165,6 +168,10 @@ func (c *Certificate) GetCertificate() *x509.Certificate {
 		e.Set(cert)
 	}
 
+	// Validity bounds.
+	cert.NotBefore = c.NotBefore
+	cert.NotAfter = c.NotAfter
+
 	// Others.
 	c.SerialNumber.Set(cert)
 	c.SignatureAlgorithm.Set(cert)