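--- a/bless/aws_lambda/bless_lambda.py
+++ b/bless/aws_lambda/bless_lambda.py
@@ -122,9 +122,11 @@ def lambda_handler(event, context=None, ca_private_key_password=None,
 # certificate where valid_before < valid_after
 valid_before = current_time
 valid_after = current_time + 1
+bypass_time_validity_check = True
 else:
 valid_before = current_time + certificate_validity_after_seconds
 valid_after = current_time - certificate_validity_before_seconds
+bypass_time_validity_check = False
 
 # Authenticate the user with KMS, if key is setup
 if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION):
@@ -164,7 +166,7 @@ def lambda_handler(event, context=None, ca_private_key_password=None,
 time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)))
 cert_builder.set_critical_option_source_address('{},{}'.format(request.bastion_user_ip, request.bastion_ips))
 cert_builder.set_key_id(key_id)
-cert = cert_builder.get_cert_file()
+cert = cert_builder.get_cert_file(bypass_time_validity_check)
 
 logger.info(
 'Issued a cert to bastion_ips[{}] for the remote_username of [{}] with the key_id[{}] and '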
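Review bot: The `logger.info('Issued a cert ...')` call at the end of the second hunk does not record that the certificate was issued with `bypass_time_validity_check` set, so the audit trail cannot distinguish a deliberately invalid certificate (the `valid_before = current_time` / `valid_after = current_time + 1` branch in the first hunk) from a normally issued one. Since the flag is now a local of lambda_handler at the point of the log call, append it to the message, e.g. `'... bypass_time_validity_check[{}]'.format(..., bypass_time_validity_check)`. The condition that selects the bypass branch sits above the first hunk and the logger.info call continues below the second, so both are outside this view; lambda_handler itself starts and ends outside the hunks.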
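--- a/bless/ssh/certificates/ssh_certificate_builder.py
+++ b/bless/ssh/certificates/ssh_certificate_builder.py
@@ -195,7 +195,7 @@ def add_extension(self, extension):
 
 self.extensions.add(extension)
 
-def get_cert_file(self):
+def get_cert_file(self, bypass_time_validity_check=False):
 """
 Generate the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
 
@@ -206,7 +206,8 @@ def get_cert_file(self):
 """
 file_contents = (
 "{} {} {}"
-).format(self.cert_key_type, base64.b64encode(self._sign_cert()),
+).format(self.cert_key_type,
+base64.b64encode(self._sign_cert(bypass_time_validity_check)),
 self.public_key_comment)
 return file_contents
 
@@ -238,11 +239,12 @@ def _validate_cert_properties(self):
 if self.valid_after >= self.valid_before:
 raise ValueError("Impossible validity period")
 
-def _sign_cert(self):
+def _sign_cert(self, bypass_time_validity_check=False):
 if self.signed_cert is None:
 # build cert body
 self._initialize_unset_attributes()
-self._validate_cert_properties()
+if not bypass_time_validity_check:
+self._validate_cert_properties()
 body_bytes = self._serialize_certificate_body()
 
 # sign the body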
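Review bot: In the third hunk `if not bypass_time_validity_check:` skips the entire `_validate_cert_properties()` call, not just the validity-window comparison, so if that method checks anything other than `self.valid_after >= self.valid_before` (its body starts above the hunk, so this cannot be confirmed here) those checks are silently bypassed as well. A narrower change keeps every other check running: give the validator the flag, `def _validate_cert_properties(self, bypass_time_validity_check=False):`, guard only the comparison with `if not bypass_time_validity_check and self.valid_after >= self.valid_before:`, and call it unconditionally from `_sign_cert` as `self._validate_cert_properties(bypass_time_validity_check)`. The `get_cert_file` docstring in the first and second hunks is not updated for the new parameter; add `:param bypass_time_validity_check: when True, skip the check that valid_after precedes valid_before (intended for deliberately invalid test certificates).` under its existing description. Note also that `_sign_cert` caches `self.signed_cert`, so the flag only has effect on the first call per builder instance; worth a one-line comment at the `if self.signed_cert is None:` line.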