Merge pull request #1118 from hashicorp/ssh-api-fix

ssh-helper related API changes

api/ssh.go

@@ -10,7 +10,7 @@ type SSH struct {
 
 // SSH returns the client for logical-backend API calls.
 func (c *Client) SSH() *SSH {
-	return c.SSHWithMountPoint(SSHAgentDefaultMountPoint)
+	return c.SSHWithMountPoint(SSHHelperDefaultMountPoint)
 }
 
 // SSHWithMountPoint returns the client with specific SSH mount point.

api/ssh_agent.go

@@ -14,19 +14,19 @@ import (
 
 const (
 	// Default path at which SSH backend will be mounted in Vault server
-	SSHAgentDefaultMountPoint = "ssh"
+	SSHHelperDefaultMountPoint = "ssh"
 
-	// Echo request message sent as OTP by the agent
+	// Echo request message sent as OTP by the ssh-helper
 	VerifyEchoRequest = "verify-echo-request"
 
 	// Echo response message sent as a response to OTP matching echo request
 	VerifyEchoResponse = "verify-echo-response"
 )
 
-// SSHAgent is a structure representing an SSH agent which can talk to vault server
+// SSHHelper is a structure representing a ssh-helper which can talk to vault server
 // in order to verify the OTP entered by the user. It contains the path at which
 // SSH backend is mounted at the server.
-type SSHAgent struct {
+type SSHHelper struct {
 	c          *Client
 	MountPoint string
 }
@@ -45,21 +45,20 @@ type SSHVerifyResponse struct {
 	IP string `mapstructure:"ip"`
 }
 
-// SSHAgentConfig is a structure which represents the entries from the agent's configuration file.
-type SSHAgentConfig struct {
+// SSHHelperConfig is a structure which represents the entries from the ssh-helper's configuration file.
+type SSHHelperConfig struct {
 	VaultAddr       string `hcl:"vault_addr"`
 	SSHMountPoint   string `hcl:"ssh_mount_point"`
 	CACert          string `hcl:"ca_cert"`
 	CAPath          string `hcl:"ca_path"`
-	TLSSkipVerify   bool   `hcl:"tls_skip_verify"`
 	AllowedCidrList string `hcl:"allowed_cidr_list"`
 }
 
 // TLSClient returns a HTTP client that uses TLS verification (TLS 1.2) for a given
 // certificate pool.
-func (c *SSHAgentConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool) {
+func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool) {
 	tlsConfig := &tls.Config{
-		InsecureSkipVerify: c.TLSSkipVerify,
+		InsecureSkipVerify: true,
 		MinVersion:         tls.VersionTLS12,
 		RootCAs:            certPool,
 	}
@@ -70,10 +69,10 @@ func (c *SSHAgentConfig) SetTLSParameters(clientConfig *Config, certPool *x509.C
 }
 
 // NewClient returns a new client for the configuration. This client will be used by the
-// SSH agent to communicate with Vault server and verify the OTP entered by user.
+// ssh-helper to communicate with Vault server and verify the OTP entered by user.
 // If the configuration supplies Vault SSL certificates, then the client will
 // have TLS configured in its transport.
-func (c *SSHAgentConfig) NewClient() (*Client, error) {
+func (c *SSHHelperConfig) NewClient() (*Client, error) {
 	// Creating a default client configuration for communicating with vault server.
 	clientConfig := DefaultConfig()
 
@@ -81,7 +80,7 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 	clientConfig.Address = c.VaultAddr
 
 	// Check if certificates are provided via config file.
-	if c.CACert != "" || c.CAPath != "" || c.TLSSkipVerify {
+	if c.CACert != "" || c.CAPath != "" {
 		var certPool *x509.CertPool
 		var err error
 		if c.CACert != "" {
@@ -106,13 +105,13 @@ func (c *SSHAgentConfig) NewClient() (*Client, error) {
 	return client, nil
 }
 
-// LoadSSHAgentConfig loads agent's configuration from the file and populates the corresponding
+// LoadSSHHelperConfig loads ssh-helper's configuration from the file and populates the corresponding
 // in-memory structure.
 //
 // Vault address is a required parameter.
 // Mount point defaults to "ssh".
-func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
-	var config SSHAgentConfig
+func LoadSSHHelperConfig(path string) (*SSHHelperConfig, error) {
+	var config SSHHelperConfig
 	contents, err := ioutil.ReadFile(path)
 	if !os.IsNotExist(err) {
 		obj, err := hcl.Parse(string(contents))
@@ -131,22 +130,22 @@ func LoadSSHAgentConfig(path string) (*SSHAgentConfig, error) {
 		return nil, fmt.Errorf("config missing vault_addr")
 	}
 	if config.SSHMountPoint == "" {
-		config.SSHMountPoint = SSHAgentDefaultMountPoint
+		config.SSHMountPoint = SSHHelperDefaultMountPoint
 	}
 
 	return &config, nil
 }
 
-// SSHAgent creates an SSHAgent object which can talk to Vault server with SSH backend
+// SSHHelper creates an SSHHelper object which can talk to Vault server with SSH backend
 // mounted at default path ("ssh").
-func (c *Client) SSHAgent() *SSHAgent {
-	return c.SSHAgentWithMountPoint(SSHAgentDefaultMountPoint)
+func (c *Client) SSHHelper() *SSHHelper {
+	return c.SSHHelperWithMountPoint(SSHHelperDefaultMountPoint)
 }
 
-// SSHAgentWithMountPoint creates an SSHAgent object which can talk to Vault server with SSH backend
+// SSHHelperWithMountPoint creates an SSHHelper object which can talk to Vault server with SSH backend
 // mounted at a specific mount point.
-func (c *Client) SSHAgentWithMountPoint(mountPoint string) *SSHAgent {
-	return &SSHAgent{
+func (c *Client) SSHHelperWithMountPoint(mountPoint string) *SSHHelper {
+	return &SSHHelper{
 		c:          c,
 		MountPoint: mountPoint,
 	}
@@ -155,9 +154,9 @@ func (c *Client) SSHAgentWithMountPoint(mountPoint string) *SSHAgent {
 // Verify verifies if the key provided by user is present in Vault server. The response
 // will contain the IP address and username associated with the OTP. In case the
 // OTP matches the echo request message, instead of searching an entry for the OTP,
-// an echo response message is returned. This feature is used by agent to verify if
+// an echo response message is returned. This feature is used by ssh-helper to verify if
 // its configured correctly.
-func (c *SSHAgent) Verify(otp string) (*SSHVerifyResponse, error) {
+func (c *SSHHelper) Verify(otp string) (*SSHVerifyResponse, error) {
 	data := map[string]interface{}{
 		"otp": otp,
 	}