match authenticated user and principal before signing certificate for user

Author: binarycodes

go-ssh-signer/main.go

@@ -63,7 +63,7 @@ type AccessToken struct {
 type SignRequest struct {
 	Filename  string `json:"filename"`
 	PublicKey string `json:"publicKey"`
-	Hostname  string `json:"data"`
+	Hostname  string `json:"principal"`
 }
 
 type SignedResponse struct {

ssh-key-signer-server/environment-setup/dev/docker/docker-compose.yml

@@ -1,4 +1,4 @@
-name: ssh-key-signer
+name: dev-ca
 
 networks:
   local:
@@ -24,7 +24,6 @@ services:
       interval: 5s
       timeout: 2s
       retries: 15
-    container_name: app_db
     networks:
       - local
   sso:
@@ -55,18 +54,16 @@ services:
       timeout: 2s
       retries: 15
     command: --verbose start-dev --health-enabled=true --import-realm
-    container_name: app_sso
     networks:
       - local
   sso-init:
     image: node:latest
-    container_name: sso-init
     depends_on:
       sso:
         condition: service_healthy
     volumes:
       - ./keycloak/init.js:/tmp/init.js
-    entrypoint: ["node", "/tmp/init.js"]
+    entrypoint: [ "node", "/tmp/init.js" ]
     environment:
       KC_ADMIN_USERNAME: admin
       KC_ADMIN_PASSWORD: admin

ssh-key-signer-server/environment-setup/dev/docker/keycloak/init.js

@@ -11,20 +11,23 @@
       do not share the secret key in public
     */
     const clientSecret = 'UTRtYkyYN1nbgdPPbBru1FDVsE8ye5JE';
+    const testUserNames = ["user", "binarycodes"]
 
-    const users = [{
-        username: "user",
-        firstName: "John",
-        lastName: "Doe",
-        email: "[email protected]",
-        emailVerified: true,
-        enabled: true,
-        credentials: [{
-            type: "password",
-            value: "user",
-            temporary: false
-        }]
-    }];
+    const users = testUserNames.map(user=> {
+        return {
+            username: user,
+            firstName: `Firstname ${user}`,
+            lastName: `Lastname ${user}`,
+            email: `${user}@example.com`,
+            emailVerified: true,
+            enabled: true,
+            credentials: [{
+                type: "password",
+                value: `${user}`,
+                temporary: false
+            }]
+        };
+    })
 
     /* wrapped in a function because we may need to generate access token more than once during the setup process */
     const fetchToken = async () => {
@@ -72,7 +75,10 @@
             const createRealmResponse = await fetch(`${keycloakBaseUrl}/admin/realms`, {
                 method: "POST",
                 headers: await authorization_header(),
-                body: JSON.stringify({ realm: realmName, enabled: true })
+                body: JSON.stringify({
+                    realm: realmName,
+                    enabled: true
+                })
             });
 
             if (createRealmResponse.ok) {