Support specifying the principals in use

Allows you to change or add the user names that the user using this
certificate is allowed to use. If you got creative with your systems you
could use this to very finely control which nodes a certificate granted
you access to.

Author: bobveznat

scripts/sign_key

@@ -36,14 +36,16 @@ if __name__ == '__main__':
 
     parser = argparse.ArgumentParser(__doc__)
     parser.add_argument('-a', '--authority', dest='authority',
-                        default=default_authority, help='Pick one: s3')
+        default=default_authority, help='Pick one: s3')
     parser.add_argument('-c', '--config', dest='config_file',
-                        default=default_config,
-                        help='The configuration file to use.  Can also be '
-                             'specified in the SSH_CA_CONFIG environment '
-                             'variable.  Default: %(default)s')
+        default=default_config,
+        help='The configuration file to use.  Can also be '
+             'specified in the SSH_CA_CONFIG environment '
+             'variable.  Default: %(default)s')
     parser.add_argument('-e', '--environment', required=True,
-                        help='Environment name')
+        help='Environment name')
+    parser.add_argument('--principal', action='append',
+        help='A principal (username) that the user is allowed to use',)
     parser.add_argument(
         '-p', help='Path to public key. If set we try to upload this. '
         'Otherwise we try to download one.',
@@ -120,9 +122,14 @@ if __name__ == '__main__':
             print 'Reason is way too long. Type less.'
             sys.exit(1)
 
+    if args.principal:
+        principal = args.principal
+    else:
+        principal = ['ec2-user', 'ubuntu']
+
     # Sign the key
-    cert_contents = ca.sign_public_key(
-        public_path, username, args.expires_in, reason)
+    cert_contents = ca.sign_public_user_key(
+        public_path, username, args.expires_in, reason, principal)
 
     print
     print 'Public key signed, certificate available for download here:'

ssh_ca/__init__.py

@@ -37,15 +37,15 @@ def get_public_key(self, username, environment):
     def increment_serial_number(self):
         pass
 
-    def make_audit_log(
-            self, serial, valid_for, username, ca_key_filename, reason):
+    def make_audit_log(self,
+            serial, valid_for, username, ca_key_filename, reason, principals):
         pass
 
     def upload_public_key(self, username, public_path):
         pass
 
-    def sign_public_key(
-            self, public_key_filename, username, expires_in, reason):
+    def sign_public_user_key(self,
+            public_key_filename, username, expires_in, reason, principals):
         serial = self.increment_serial_number()
 
         subprocess.check_output([
@@ -54,10 +54,11 @@ def sign_public_key(
             '-s', self.ca_key,
             '-I', username,
             '-V', expires_in,
-            '-n', 'ubuntu,ec2-user',
+            '-n', ','.join(principals),
             public_key_filename])
 
-        self.make_audit_log(serial, expires_in, username, self.ca_key, reason)
+        self.make_audit_log(
+            serial, expires_in, username, self.ca_key, reason, principals)
 
         if public_key_filename.endswith('.pub'):
             public_key_filename = public_key_filename[:-4]

ssh_ca/s3.py

@@ -69,8 +69,8 @@ def upload_public_key_cert(self, username, cert_contents):
         )
         return k.generate_url(7200)
 
-    def make_audit_log(
-            self, serial, valid_for, username, ca_key_filename, reason):
+    def make_audit_log(self,
+            serial, valid_for, username, ca_key_filename, reason, principals):
         timestamp = datetime.datetime.strftime(
             datetime.datetime.utcnow(), '%Y-%m-%d-%H:%M:%S.%f')
         k = self.ssh_bucket.new_key('audit_log/%d.json' % (serial,))
@@ -82,5 +82,6 @@ def make_audit_log(
             'access_key': self.s3_conn.access_key,
             'ca_key_filename': ca_key_filename,
             'reason': reason,
+            'principals': principals,
         }
         k.set_contents_from_string(json.dumps(audit_info))