Add support for templated values in SSH CA DefaultExtensions.

[robison]

This PR adds support for using identity templates in values used in Default Extensions. The primary focus here is to allow the Vault SSH CA backend to function as a point of identity/authentication for GitHub Enterprise (and Github.com) users, by supporting their identity semantics, as documented here.

I've based a large chunk of this on #7548 - happy to make changes as requested/needed to get this into the tree.

[hashicorp-cla]

All committers have signed the CLA.

[briankassouf]

Thanks for submitting this enhancement!

[briankassouf]

At this point in time the extensions map could contain user provided extensions (from the data.Get("extensions") call above). The boolean you added only (by name) covers the DefaultExtensions. It may be safer to only allow default extensions to be templated so users cannot query unintended identity data. We could return early above if user provided extensions are passed.

[robison]

Ah, excllent point. Let me re-think this portion; originally I had struggled a bit with working out all of the possible unintended consequences (like this).

[robison]

So, I'm going to send an additional commit here, to demonstrate my thought process. Ideally, I think we'd want to have Default Extensions that are configured by the role (and templated, if the flag is enabled), but also if there are Allowed Extensions configured, then take user input and override the Default Extensions (sans templating). Is that a more reasonable approach?

[briankassouf]

I think that sounds right. The existing logic prioritizes user input and does not try to merge it with the default extensions. I think we should continue to have the same semantics. So if user supplied extensions exist process those (without templating), else use the defaults with optional templating.

[robison]

Thanks for the feedback - I've sent a commit to rework the logic, and also add a basic test - can extend this test structure, if it looks acceptable.

[robison]

@briankassouf Is there anything else I can do on this PR?

[briankassouf]

I believe there is a behavior change here. If the role has no AllowedExtensions the below branch will be skipped and nothing will be added to the extensions map. Should we assign extensions here like we were previously?

The docs for AllowedExtensions state:

Specifies a comma-separated list of extensions that certificates can have when signed. To allow any extensions, set this to an empty string. Will default to allowing any extensions.

[robison]

Got it - added a commit to fix up this inadvertent change in behavior, and added a test case to cover it.

[briankassouf]

Thanks for adding the test and Changelog entry! Everything is looking great except for this one comment

[robison]

As an aside: any thoughts/preferences on cleaning up the tests I've introduced here? I think they've gotten to the point of needing to be broken out into separate cases, but also don't want to start crowding backend_test.go with a ton of additional helper functions. Feedback requested!

[briankassouf]

Thank you for the latest commit. My only feedback on the test would be the user supplied tests could be broken into a separate test from the templating tests

[robison]

I'll do that right now, and send an additional commit shortly.

[briankassouf]

Looks great! Thanks for submitting this enhancement