Fixes ContainerSSH/ContainerSSH#331: Add SSH certificate information to webhook.

Author: Janos Bonic

auditlog/message/auth.go

@@ -36,8 +36,9 @@ func (p PayloadAuthPasswordBackendError) Equals(other Payload) bool {
 
 // PayloadAuthPubKey is a payload for a public key based authentication.
 type PayloadAuthPubKey struct {
-	Username string `json:"username" yaml:"username"`
-	Key      string `json:"key" yaml:"key"`
+	Username string         `json:"username" yaml:"username"`
+	Key      string         `json:"key" yaml:"key"`
+	CACert   *CACertificate `json:"caCertificate" yaml:"caCertificate"`
 }
 
 // Equals compares two PayloadAuthPubKey payloads.
@@ -46,6 +47,12 @@ func (p PayloadAuthPubKey) Equals(other Payload) bool {
 	if !ok {
 		return false
 	}
+	if p.CACert == nil && p2.CACert != nil || p.CACert != nil && p.CACert == nil {
+		return false
+	}
+	if p.CACert != nil && !p.CACert.Equals(p2.CACert) {
+		return false
+	}
 	return p.Username == p2.Username && p.Key == p2.Key
 }
 

auditlog/message/cacertificate.go

@@ -0,0 +1,50 @@
+package message
+
+import "time"
+
+// CACertificate is an SSH certificate presented by a client to verify their key against a CA.
+type CACertificate struct {
+	// PublicKey contains the public key of the CA signing the public key presented in the OpenSSH authorized key
+	// format.
+	PublicKey string `json:"key"`
+	// KeyID contains an identifier for the key.
+	KeyID string `json:"keyID"`
+	// ValidPrincipals contains a list of principals for which this CA certificate is valid.
+	ValidPrincipals []string `json:"validPrincipals"`
+	// ValidAfter contains the time after which this certificate is valid. This may be empty.
+	ValidAfter time.Time `json:"validAfter"`
+	// ValidBefore contains the time when this certificate expires. This may be empty.
+	ValidBefore time.Time `json:"validBefore"`
+}
+
+// Equals compares the CACertificate record.
+func (c *CACertificate) Equals(cert *CACertificate) bool {
+	if c == nil {
+		return cert == nil
+	}
+	if cert == nil {
+		return false
+	}
+	if c.PublicKey != cert.PublicKey {
+		return false
+	}
+	if c.KeyID != cert.KeyID {
+		return false
+	}
+	if len(c.ValidPrincipals) != len(cert.ValidPrincipals) {
+		return false
+	}
+	for _, validPrincipal := range c.ValidPrincipals {
+		found := false
+		for _, otherPrincipal := range cert.ValidPrincipals {
+			if otherPrincipal == validPrincipal {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+	return c.ValidAfter == cert.ValidAfter && c.ValidBefore == cert.ValidBefore
+}

auth/protocol.go

@@ -1,5 +1,7 @@
 package auth
 
+import "time"
+
 // PasswordAuthRequest is an authentication request for password authentication.
 //
 // swagger:model PasswordAuthRequest
@@ -58,6 +60,13 @@ type PublicKeyAuthRequest struct {
 	//
 	// required: true
 	PublicKey string `json:"publicKey"`
+
+	// CACertificate contains information about the SSH certificate presented by a connecting client. This certificate
+	// is not an SSL/TLS/x509 certificate and has a much simpler structure. However, this can be used to verify if the
+	// connecting client belongs to an organization.
+	//
+	// required: false
+	CACertificate *CACertificate `json:"caCertificate,omitempty"`
 }
 
 // ResponseBody is a response to authentication requests.
@@ -85,3 +94,22 @@ type Response struct {
 	// in: body
 	ResponseBody
 }
+
+// CACertificate contains information about the SSH certificate presented by a connecting client. This certificate
+// is not an SSL/TLS/x509 certificate and has a much simpler structure. However, this can be used to verify if the
+// connecting client belongs to an organization.
+//
+// swagger:model CACertificate
+type CACertificate struct {
+	// PublicKey contains the public key of the CA signing the public key presented in the OpenSSH authorized key
+	// format.
+	PublicKey string `json:"key"`
+	// KeyID contains an identifier for the key.
+	KeyID string `json:"keyID"`
+	// ValidPrincipals contains a list of principals for which this CA certificate is valid.
+	ValidPrincipals []string `json:"validPrincipals"`
+	// ValidAfter contains the time after which this certificate is valid.
+	ValidAfter time.Time `json:"validAfter"`
+	// ValidBefore contains the time when this certificate expires.
+	ValidBefore time.Time `json:"validBefore"`
+}

auth/webhook/client.go

@@ -3,6 +3,7 @@ package webhook
 import (
 	"net"
 
+	protocol "github.com/containerssh/libcontainerssh/auth"
 	"github.com/containerssh/libcontainerssh/config"
 	"github.com/containerssh/libcontainerssh/internal/auth"
 	"github.com/containerssh/libcontainerssh/internal/geoip/dummy"
@@ -22,11 +23,22 @@ type Client interface {
 
 	// PubKey authenticates with a public key from the client. It returns a bool if the authentication as successful
 	// or not. If an error happened while contacting the authentication server it will return an error.
+	//
+	// The parameters are as follows:
+	//
+	// - username is the username provided by the connecting client.
+	// - pubKey is the public key offered by the connecting client. The client may offer multiple keys which will be
+	// presented by calling this function multiple times.
+	// - connectionID is an opaque random string representing this SSH connection across multiple webhooks and logs.
+	// - remoteAddr is the IP address of the connecting client.
+	// - caPubKey is the verified public key of the SSH CA certificate offered by the client. If no CA certificate
+	// was offered this value is nil.
 	PubKey(
 		username string,
 		pubKey string,
 		connectionID string,
 		remoteAddr net.IP,
+		caPubKey *protocol.CACertificate,
 	) AuthenticationContext
 }
 
@@ -79,6 +91,7 @@ func (a authClientWrapper) PubKey(
 	pubKey string,
 	connectionID string,
 	remoteAddr net.IP,
+	caPubKey *protocol.CACertificate,
 ) AuthenticationContext {
-	return a.c.PubKey(username, pubKey, connectionID, remoteAddr)
+	return a.c.PubKey(username, pubKey, connectionID, remoteAddr, caPubKey)
 }

internal/auditlog/logger.go

@@ -34,7 +34,7 @@ type Connection interface {
 	OnAuthPasswordBackendError(username string, password []byte, reason string)
 
 	// OnAuthPubKey creates an audit log message for an authentication attempt with public key.
-	OnAuthPubKey(username string, pubKey string)
+	OnAuthPubKey(username string, pubKey string, caKey *message.CACertificate)
 	// OnAuthPubKeySuccess creates an audit log message for a successful public key authentication.
 	OnAuthPubKeySuccess(username string, pubKey string)
 	// OnAuthPubKeyFailed creates an audit log message for a failed public key authentication.

internal/auditlog/logger_empty.go

@@ -73,7 +73,7 @@ func (e *empty) OnAuthPasswordFailed(_ string, _ []byte) {}
 
 func (e *empty) OnAuthPasswordBackendError(_ string, _ []byte, _ string) {}
 
-func (e *empty) OnAuthPubKey(_ string, _ string) {}
+func (e *empty) OnAuthPubKey(_ string, _ string, _ *message.CACertificate) {}
 
 func (e *empty) OnAuthPubKeySuccess(_ string, _ string) {}
 

internal/auditlog/logger_impl.go

@@ -156,14 +156,15 @@ func (l *loggerConnection) OnAuthPasswordBackendError(username string, password
 	})
 }
 
-func (l *loggerConnection) OnAuthPubKey(username string, pubKey string) {
+func (l *loggerConnection) OnAuthPubKey(username string, pubKey string, caCert *message.CACertificate) {
 	l.log(message.Message{
 		ConnectionID: l.connectionID,
 		Timestamp:    time.Now().UnixNano(),
 		MessageType:  message.TypeAuthPubKey,
 		Payload: message.PayloadAuthPubKey{
 			Username: username,
 			Key:      pubKey,
+			CACert:   caCert,
 		},
 		ChannelID: nil,
 	})

internal/auditlog/logger_test.go

@@ -254,11 +254,11 @@ func TestAuth(t *testing.T) {
 	connection.OnAuthPasswordFailed("foo", []byte("bar"))
 	connection.OnAuthPassword("foo", []byte("baz"))
 	connection.OnAuthPasswordSuccess("foo", []byte("baz"))
-	connection.OnAuthPubKey("foo", "ssh-rsa ASDF")
+	connection.OnAuthPubKey("foo", "ssh-rsa ASDF", "")
 	connection.OnAuthPubKeyBackendError("foo", "ssh-rsa ASDF", "no particular reason")
-	connection.OnAuthPubKey("foo", "ssh-rsa ASDF")
+	connection.OnAuthPubKey("foo", "ssh-rsa ASDF", "")
 	connection.OnAuthPubKeyFailed("foo", "ssh-rsa ASDF")
-	connection.OnAuthPubKey("foo", "ssh-rsa ABCDEF")
+	connection.OnAuthPubKey("foo", "ssh-rsa ABCDEF", "")
 	connection.OnAuthPubKeySuccess("foo", "ssh-rsa ABCDEF")
 	connection.OnHandshakeSuccessful("foo")
 	connection.OnDisconnect()

internal/auditlogintegration/handler_networkconnection.go

@@ -83,17 +83,22 @@ func (n *networkConnectionHandler) OnAuthPassword(
 	return response, metadata, reason
 }
 
-func (n *networkConnectionHandler) OnAuthPubKey(
-	username string,
-	pubKey string,
-	clientVersion string,
-) (
-	response sshserver.AuthResponse,
-	metadata map[string]string,
-	reason error,
-) {
-	n.audit.OnAuthPubKey(username, pubKey)
-	response, metadata, reason = n.backend.OnAuthPubKey(username, pubKey, clientVersion)
+func convertCACertificate(caCert *sshserver.CACertificate) *message.CACertificate {
+	if caCert == nil {
+		return nil
+	}
+	return &message.CACertificate{
+		PublicKey:       caCert.PublicKey,
+		KeyID:           caCert.KeyID,
+		ValidPrincipals: caCert.ValidPrincipals,
+		ValidAfter:      caCert.ValidAfter,
+		ValidBefore:     caCert.ValidBefore,
+	}
+}
+
+func (n *networkConnectionHandler) OnAuthPubKey(username string, pubKey string, clientVersion string, caCert *sshserver.CACertificate) (response sshserver.AuthResponse, metadata map[string]string, reason error) {
+	n.audit.OnAuthPubKey(username, pubKey, convertCACertificate(caCert))
+	response, metadata, reason = n.backend.OnAuthPubKey(username, pubKey, clientVersion, caCert)
 	switch response {
 	case sshserver.AuthResponseSuccess:
 		n.audit.OnAuthPubKeySuccess(username, pubKey)

internal/auditlogintegration/integration_test.go

@@ -316,11 +316,7 @@ func (b *backendHandler) OnAuthPassword(username string, _ []byte, _ string) (
 	return sshserver.AuthResponseFailure, nil, nil
 }
 
-func (b *backendHandler) OnAuthPubKey(_ string, _ string, _ string) (
-	response sshserver.AuthResponse,
-	metadata map[string]string,
-	reason error,
-) {
+func (b *backendHandler) OnAuthPubKey(username string, pubKey string, clientVersion string, caKey string) (response sshserver.AuthResponse, metadata map[string]string, reason error) {
 	return sshserver.AuthResponseFailure, nil, nil
 }