Adding allow_user_key_ids field to SSH role config (#2494)

Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name.  Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.

builtin/logical/ssh/path_sign.go

@@ -107,13 +107,13 @@ func (b *backend) pathSignCertificate(req *logical.Request, data *framework.Fiel
 		return logical.ErrorResponse(fmt.Sprintf("failed to parse public_key as SSH key: %s", err)), nil
 	}
 
-	keyId := data.Get("key_id").(string)
-	if keyId == "" {
-		keyId = req.DisplayName
-	}
-
 	// Note that these various functions always return "user errors" so we pass
 	// them as 4xx values
+	keyId, err := b.calculateKeyId(data, req, role)
+	if err != nil {
+		return logical.ErrorResponse(err.Error()), nil
+	}
+
 	certificateType, err := b.calculateCertificateType(data, role)
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), nil
@@ -263,6 +263,20 @@ func (b *backend) calculateCertificateType(data *framework.FieldData, role *sshR
 	return certificateType, nil
 }
 
+func (b *backend) calculateKeyId(data *framework.FieldData, req *logical.Request, role *sshRole) (string, error) {
+	keyId := data.Get("key_id").(string)
+
+	if keyId != "" && !role.AllowUserKeyIDs {
+		return "", fmt.Errorf("Setting key_id is not allowed by role")
+	}
+
+	if keyId == "" {
+		keyId = req.DisplayName
+	}
+
+	return keyId, nil
+}
+
 func (b *backend) calculateCriticalOptions(data *framework.FieldData, role *sshRole) (map[string]string, error) {
 	unparsedCriticalOptions := data.Get("critical_options").(map[string]interface{})
 	if len(unparsedCriticalOptions) == 0 {