fix(ssh-policy): look up policy by gateway-qualified role#42
Merged
Conversation
Committed SSH policies are stored under the JWT's gateway-qualified role (e.g. ssh:Tide-GW:My Server:demo), but the SSH connect path was fetching by short-form 'ssh:<user>'. The lookup either 404'd or returned a stale row from an older code version, which then failed "Policy signature could not be verified" because the stored bytes were never associated with the freshly-committed signature. Plumb gatewayId through SSHSignatureRequest and resolve the policy via the existing /api/ssh-policies/committed/:roleId endpoint using the full role: ssh:<gatewayId>:<serverId>:<sshUser>. Non-gateway flows (missing gatewayId) skip the policy fetch with a warning instead of crashing.
4 tasks
sashyo
added a commit
that referenced
this pull request
May 20, 2026
…endpoint too After PR #42 the client fetches via /api/ssh-policies/committed/:roleId instead of the legacy /for-ssh-user/. The USE trace was only on the legacy endpoint, so a fresh round-trip after #42 produced no server-side USE line to compare against SIGN/ATTACH. Add the same trace to the new endpoint so all three logs appear on every fetch.
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Committed SSH policies are written under the JWT's gateway-qualified role (
ssh:<gatewayId>:<serverId>:<sshUser>, e.g.ssh:Tide-GW:My Server:demo), but the SSH connect path was fetching by the short-formssh:<user>(e.g.ssh:demo). The lookup either 404'd or returned a stale row from an older code revision, which then failed Sign #2 with "Policy signature could not be verified" because the bytes the ORK saw were never associated with the freshly-committed signature.What changed
client/src/lib/sshClient.ts—SSHSignatureRequestgainsgatewayId?: string; theDelegatingPublicKeyAlgorithmcallback forwardsthis.options.gatewayIdinto the signer.client/src/lib/tideSsh.ts— bothcreateTideSshSignerandcreateDynamicTideSshSignernow build the gateway-qualified role and fetch viaapi.sshPolicies.getByRole(roleId)(existing endpoint with exact lookup). Non-gateway flows (missinggatewayId/serverId) skip policy fetch with a warning instead of crashing.No server-side changes — the existing
GET /api/ssh-policies/committed/:roleIdendpoint already does exact role lookup, which is what we need.Verification via the trace logs from #41
Before this fix:
After this fix, all three should carry the same role and identical
dtv_sha.Pre-deploy: delete the orphan row
The pre-fix code-path may have left an
ssh:<user>row inssh_policiesthat no longer corresponds to a real JWT role:Test plan
ssh_policiesrows (optional cleanup)[PolicyTrace SIGN]with gateway-qualified role[PolicyTrace USE]and[PolicyTrace ATTACH]carry the same role and samedtv_shaas SIGN