conduit/policy/input/ssh.go

package input

import (
	"time"

	"golang.org/x/crypto/ssh"

	"git.maze.io/maze/conduit/ssh/sshutil"
)

// Certificate represents a [ssh.Certificate].
type Certificate struct {
	Nonce           []byte     `json:"nonce"`
	Key             *PublicKey `json:"key"`
	Serial          uint64     `json:"serial"`
	CertType        uint32     `json:"type"`
	KeyId           string     `json:"key_id"`
	ValidPrincipals []string   `json:"valid_principals"`
	ValidAfter      *time.Time `json:"valid_after"`
	ValidBefore     *time.Time `json:"valid_before"`
	SignatureKey    *PublicKey `json:"signature_key"`
	Signature       []byte     `json:"signature"`
	SignatureFormat string     `json:"signature_format"`
}

// NewCertificate converts an [ssh.Certificate] to [Certificate] input.
func NewCertificate(cert *ssh.Certificate) *Certificate {
	if cert == nil {
		return nil
	}
	c := &Certificate{
		Nonce:           cert.Nonce,
		Key:             NewPublicKey(cert.Key),
		Serial:          cert.Serial,
		CertType:        cert.CertType,
		KeyId:           cert.KeyId,
		ValidPrincipals: cert.ValidPrincipals,
		SignatureKey:    NewPublicKey(cert.SignatureKey),
	}
	if cert.ValidAfter > 0 {
		t := time.Unix(int64(cert.ValidAfter), 0)
		c.ValidAfter = &t
	}
	if cert.ValidBefore > 0 {
		t := time.Unix(int64(cert.ValidBefore), 0)
		c.ValidBefore = &t
	}

	if cert.Signature != nil {
		c.Signature = cert.Signature.Blob
		c.SignatureFormat = cert.Signature.Format
	}
	return c
}

// ConnMetadata is a Rego input that represents a [ssh.ConnMetadata].
type ConnMetadata struct {
	User          string `json:"user"`           // User is the user ID for this connection.
	SessionID     []byte `json:"session_id"`     // SessionID is the session hash, also denoted by H.
	ClientVersion string `json:"client_version"` // ClientVersion is the client's version.
	ServerVersion string `json:"server_version"` // ServerVersion is the server's version
	RemoteAddr    *Addr  `json:"remote_addr"`    // RemoteAddr is the remote address for this connection.
	LocalAddr     *Addr  `json:"local_addr"`     // LocalAddr is the local address for this connection.
}

// NewConnMetadata converts an [ssh.ConnMetadata] to [ConnMetadata] input.
func NewConnMetadata(meta ssh.ConnMetadata) *ConnMetadata {
	if meta == nil {
		return nil
	}
	return &ConnMetadata{
		User:          meta.User(),
		SessionID:     meta.SessionID(),
		ClientVersion: string(meta.ClientVersion()),
		ServerVersion: string(meta.ServerVersion()),
		RemoteAddr:    NewAddr(meta.RemoteAddr()),
		LocalAddr:     NewAddr(meta.LocalAddr()),
	}
}

// PublicKey represents a [ssh.PublicKey].
type PublicKey struct {
	Type        string `json:"type"`
	Bits        int    `json:"bits"`
	Fingerprint string `json:"fingerprint"`
}

// NewPublicKey converts an [ssh.PublicKey] to [PublicKey] input.
func NewPublicKey(key ssh.PublicKey) *PublicKey {
	if key == nil {
		return nil
	}
	return &PublicKey{
		Type:        sshutil.KeyType(key),
		Bits:        sshutil.KeyBits(key),
		Fingerprint: ssh.FingerprintSHA256(key),
	}
}