Mariano Cano
7846696fbb
Fix return sign options on ssh sign.
2020-01-29 11:58:47 -08:00
max furman
d482ae2fb5
Remove test that is no longer implemented by the method.
2020-01-28 13:29:40 -08:00
max furman
397a181d10
Add backdate validation to sshCertValidityValidator.
2020-01-28 13:29:40 -08:00
max furman
df60fe3f0d
Remove all references to old apiError.
2020-01-28 13:29:40 -08:00
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
895d3054a3
Remove the use of custom x509 package.
...
Upgrade cli dependency.
2020-01-28 13:29:39 -08:00
Mariano Cano
144acb9ee3
Remove debug statement.
2020-01-28 13:29:39 -08:00
Mariano Cano
06411d1715
Add tests of profileLimitDuration with backdate.
2020-01-28 13:29:39 -08:00
Mariano Cano
8297e5c717
Add tests for backdate and sshDefaultDuration
2020-01-28 13:29:39 -08:00
Mariano Cano
93b65bee7c
Add unit test for profileDefaultDuration.
2020-01-28 13:29:39 -08:00
Mariano Cano
74b5d7f984
Add backdate support on ssh rekey.
2020-01-28 13:29:39 -08:00
Mariano Cano
84ff172093
Add support for backdate to SSH certificates.
2020-01-28 13:29:39 -08:00
Mariano Cano
5565d61bf3
Add fault tolerance against clock skew accross system on TLS certificates.
2020-01-28 13:29:39 -08:00
max furman
b9f6aacb0f
Move api errors to their own package and modify the typedef
2020-01-28 13:29:39 -08:00
Mariano Cano
f033422ffa
Allow no provisioners.
2020-01-28 13:29:39 -08:00
Mariano Cano
f4615d6258
Addapt test to api change.
2020-01-28 13:29:39 -08:00
max furman
3ac388612a
Use x5cInsecure token for /ssh/check-host endpoint
2020-01-28 13:29:39 -08:00
Mariano Cano
08eac1b00d
Make sure to define the KeyID from the token if available.
2020-01-28 13:29:39 -08:00
Mariano Cano
de3ba58455
Store renew certificate in the database.
2020-01-28 13:29:39 -08:00
Mariano Cano
caa2b8dbb7
Add leeway in identity not before.
2020-01-28 13:29:39 -08:00
max furman
9caadbb341
Fix authority calling wrong revoke method
2020-01-28 13:29:39 -08:00
Mariano Cano
f26103d150
Make test compilable.
2020-01-28 13:29:39 -08:00
Mariano Cano
557a45abfa
Update template tests.
2020-01-28 13:29:39 -08:00
max furman
656f35e522
Use an actual Hosts type when returning ssh hosts
2020-01-28 13:29:39 -08:00
Mariano Cano
03bb26fb91
Add missing version.go file.
2020-01-28 13:28:17 -08:00
Mariano Cano
c60641701b
Add version endpoint.
2020-01-28 13:28:16 -08:00
max furman
f92bb06b6c
change func def for getSSHHosts
...
* continue to return all hosts if injection method not specified
2020-01-28 13:28:16 -08:00
Mariano Cano
11c8639782
Add identity certificate in ssh response.
2020-01-28 13:28:16 -08:00
max furman
d940ab7c20
Add getSSHHosts injection func
2020-01-28 13:28:16 -08:00
max furman
414a94b210
Instrument getIdentity func for OIDC ssh provisioner
2020-01-28 13:28:16 -08:00
max furman
3d970b45c8
remove printfs
2020-01-28 13:28:16 -08:00
max furman
f74cd04a6a
Add WithGetIdentityFunc option and attr to authority
...
* Add Identity type to provisioner
2020-01-28 13:28:16 -08:00
Mariano Cano
8bf3bf701e
Add support for /ssh/bastion method.
2020-01-28 13:28:16 -08:00
Mariano Cano
a6edcd0a3d
Make test to compile, they still fail.
2020-01-28 13:28:16 -08:00
Mariano Cano
000885dea7
Move Option type to a new file.
2020-01-28 13:28:16 -08:00
Mariano Cano
a86dc78b5d
Add missing comment.
2020-01-28 13:28:16 -08:00
Mariano Cano
7db7b1ee4c
Fix some provisioner tests
2020-01-28 13:28:16 -08:00
Mariano Cano
29be322b1c
Make audiences compatible with the old version.
2020-01-28 13:28:16 -08:00
Mariano Cano
39ae5636fe
Complete AuthDB interface.
2020-01-28 13:28:16 -08:00
Mariano Cano
d4627d1282
Make provisioner tests compile, they are still failing.
2020-01-28 13:28:16 -08:00
Mariano Cano
a8a6d0ada3
Fix indentation.
2020-01-28 13:28:16 -08:00
Mariano Cano
cf592fa0e1
Remove global check for number of k8sSA provisioners.
...
This was causing a bug in the reload of the ca.
2020-01-28 13:28:16 -08:00
max furman
5788ac3f4f
sshpop token should not allow renew/rekey of user ssh certs
2020-01-28 13:28:16 -08:00
max furman
54e3cf7322
Add multiuse capability to k8ssa provisioners
2020-01-28 13:28:16 -08:00
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
2020-01-28 13:28:16 -08:00
max furman
c04f1e1bd4
sshpop first pass
2020-01-28 13:28:16 -08:00
max furman
5616386eed
Add SSH getHosts api
2020-01-28 13:28:16 -08:00
Mariano Cano
c7e4cc96a4
Change default user duration to 16h.
2020-01-28 13:28:16 -08:00
Mariano Cano
c729c5f925
Fix list of user ssh public keys.
2020-01-28 13:28:16 -08:00
Mariano Cano
ee22778264
Fix lint error.
2020-01-28 13:28:16 -08:00
Mariano Cano
8939caace4
Add tests for ssh authority methods.
2020-01-28 13:28:16 -08:00
Mariano Cano
4f06f3901e
Add some ssh related tests.
2020-01-28 13:28:16 -08:00
Mariano Cano
08850d5334
Add support for federated keys.
2020-01-28 13:28:16 -08:00
Mariano Cano
37f17213bb
Add initial support for check-host endpoint.
2020-01-28 13:28:16 -08:00
Mariano Cano
d08db4df23
Rename SSH methods.
2020-01-28 13:28:16 -08:00
Mariano Cano
b5bc249e1c
Add support for multiple ssh roots.
...
Fixes #125
2020-01-28 13:28:16 -08:00
Mariano Cano
91130b9c3f
Add support for user data in templates.
2020-01-28 13:28:16 -08:00
Mariano Cano
a35988ff08
Add initial support for ssh config.
...
Related to smallstep/cli#170
2020-01-28 13:28:16 -08:00
Mariano Cano
d4c47cf3e1
Fix tests.
2020-01-28 13:28:16 -08:00
Mariano Cano
961be1fbc7
Add endpoint to return the SSH public keys.
...
Related to smallstep/ca-component#195
2020-01-28 13:28:16 -08:00
Mariano Cano
a197158426
Add initial implementation of ssh config.
2020-01-28 13:28:16 -08:00
Mariano Cano
69a1b68283
Merge branch 'ssh' into kms
2020-01-27 15:41:14 -08:00
max furman
92c48949d7
Remove test that is no longer implemented by the method.
2020-01-24 13:47:15 -08:00
max furman
1e5763031b
Add backdate validation to sshCertValidityValidator.
2020-01-24 13:46:54 -08:00
max furman
99e5bf4782
Remove all references to old apiError.
2020-01-24 13:46:41 -08:00
max furman
b265877050
Simplify statuscoder error generators.
2020-01-24 13:46:11 -08:00
max furman
c387b21808
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-22 17:25:23 -08:00
Mariano Cano
9021951f1a
Fix types.
2020-01-14 18:47:05 -08:00
Mariano Cano
9641ab33b8
Use crypto.Signer instead of ssh.Signer in SSH options.
2020-01-14 18:38:29 -08:00
Mariano Cano
e98d7832b9
Add options to read the roots and federated roots from a bundle.
2020-01-10 18:33:48 -08:00
Mariano Cano
44eccc6bd8
Merge branch 'ssh' into kms
2020-01-10 17:49:52 -08:00
Mariano Cano
085ae82163
Remove the use of custom x509 package.
...
Upgrade cli dependency.
2020-01-10 10:58:49 -08:00
Mariano Cano
c62526b39f
Add wip support for kms.
2020-01-09 18:42:26 -08:00
Mariano Cano
77af30bfa3
Remove debug statement.
2020-01-08 11:46:33 -08:00
Mariano Cano
f46dc03111
Add tests of profileLimitDuration with backdate.
2020-01-06 14:34:59 -08:00
Mariano Cano
165a91858e
Add tests for backdate and sshDefaultDuration
2020-01-06 14:21:13 -08:00
Mariano Cano
7e33aeb8d3
Add unit test for profileDefaultDuration.
2020-01-06 12:19:00 -08:00
Mariano Cano
f06db4099e
Add backdate support on ssh rekey.
2020-01-03 18:30:17 -08:00
Mariano Cano
935d0d4542
Add support for backdate to SSH certificates.
2020-01-03 18:22:52 -08:00
Mariano Cano
e67ccd9e3d
Add fault tolerance against clock skew accross system on TLS certificates.
2020-01-02 17:48:28 -08:00
max furman
f9ef5070f9
Move api errors to their own package and modify the typedef
2019-12-17 14:26:02 -08:00
Mariano Cano
6d6f496331
Allow no provisioners.
2019-12-16 11:22:24 -08:00
Mariano Cano
96b6989658
Addapt test to api change.
2019-12-11 18:21:20 -08:00
Max
1f42637ba1
Merge pull request #143 from smallstep/expired-cert
...
Expired cert
2019-12-11 14:55:21 -08:00
max furman
1e17ec7d33
Use x5cInsecure token for /ssh/check-host endpoint
2019-12-11 14:54:29 -08:00
Mariano Cano
e841a86b48
Make sure to define the KeyID from the token if available.
2019-12-10 16:34:01 -08:00
Mariano Cano
8eeb82d0ce
Store renew certificate in the database.
2019-12-10 13:10:45 -08:00
Mariano Cano
50152391a3
Add leeway in identity not before.
2019-12-09 16:55:25 -08:00
max furman
55237d635c
Fix authority calling wrong revoke method
2019-12-03 12:39:57 -05:00
Mariano Cano
92d1db1616
Make test compilable.
2019-11-26 18:53:36 -08:00
Mariano Cano
5d35586402
Update template tests.
2019-11-26 18:53:36 -08:00
max furman
c2a3bcfab5
resolving merge
2019-11-20 17:26:04 -08:00
max furman
927784237d
Use an actual Hosts type when returning ssh hosts
2019-11-20 17:23:51 -08:00
Mariano Cano
7a06a60f88
Add missing version.go file.
2019-11-20 17:02:06 -08:00
Mariano Cano
2f18a26d4f
Add version endpoint.
2019-11-20 17:01:31 -08:00
max furman
35912cc906
change func def for getSSHHosts
...
* continue to return all hosts if injection method not specified
2019-11-20 12:59:48 -08:00
Mariano Cano
3fda081e42
Add identity certificate in ssh response.
2019-11-20 11:52:20 -08:00
max furman
c407a9319b
Add getSSHHosts injection func
2019-11-20 11:32:27 -08:00
max furman
8b2105a8f9
Instrument getIdentity func for OIDC ssh provisioner
2019-11-19 13:32:58 -08:00
max furman
f25a2a43eb
remove printfs
2019-11-15 11:59:12 -08:00
max furman
6ca1df5081
Add WithGetIdentityFunc option and attr to authority
...
* Add Identity type to provisioner
2019-11-14 20:38:39 -08:00
Mariano Cano
86a0558587
Add support for /ssh/bastion method.
2019-11-14 18:24:58 -08:00
Mariano Cano
8585b29711
Make test to compile, they still fail.
2019-11-14 18:07:16 -08:00
Mariano Cano
43b663e0c3
Move Option type to a new file.
2019-11-14 15:29:04 -08:00
Mariano Cano
be93c9e1f4
Add missing comment.
2019-11-14 15:27:12 -08:00
Mariano Cano
fcccb06696
Fix some provisioner tests
2019-11-14 15:26:37 -08:00
Mariano Cano
2cb6bd880b
Make audiences compatible with the old version.
2019-11-14 15:18:49 -08:00
Mariano Cano
efc2180c4a
Complete AuthDB interface.
2019-11-14 10:49:13 -08:00
Mariano Cano
a4fd76f1a8
Make provisioner tests compile, they are still failing.
2019-11-14 10:48:06 -08:00
Mariano Cano
0c3b9ebf45
Fix indentation.
2019-11-13 11:18:05 -08:00
Mariano Cano
69a7058ff0
Remove global check for number of k8sSA provisioners.
...
This was causing a bug in the reload of the ca.
2019-11-08 17:44:39 -08:00
max furman
e679deddd7
sshpop token should not allow renew/rekey of user ssh certs
2019-11-07 21:39:36 -08:00
max furman
946094d2b7
Add multiuse capability to k8ssa provisioners
2019-11-06 15:54:04 -08:00
max furman
a9ea292bd4
sshpop provisioner + ssh renew | revoke | rekey first pass
2019-11-05 16:41:42 -08:00
max furman
b5f15531d8
sshpop first pass
2019-11-05 16:41:17 -08:00
max furman
64b69374fa
Add SSH getHosts api
2019-11-05 16:41:17 -08:00
Mariano Cano
cf2b9301c0
Change default user duration to 16h.
2019-11-05 16:41:17 -08:00
Mariano Cano
e5da24f269
Fix list of user ssh public keys.
2019-11-05 16:41:17 -08:00
Mariano Cano
91ccc3802c
Fix lint error.
2019-11-05 16:41:17 -08:00
Mariano Cano
c2e20c7877
Add tests for ssh authority methods.
2019-11-05 16:41:17 -08:00
Mariano Cano
40052a1824
Add some ssh related tests.
2019-11-05 16:41:17 -08:00
Mariano Cano
38d735be6e
Add support for federated keys.
2019-11-05 16:41:17 -08:00
Mariano Cano
3ee0dcec93
Add initial support for check-host endpoint.
2019-11-05 16:41:17 -08:00
Mariano Cano
a50d59338e
Rename SSH methods.
2019-11-05 16:41:17 -08:00
Mariano Cano
e84489775b
Add support for multiple ssh roots.
...
Fixes #125
2019-11-05 16:41:17 -08:00
Mariano Cano
caa2174efc
Add support for user data in templates.
2019-11-05 16:41:17 -08:00
Mariano Cano
7b8bb6deb4
Add initial support for ssh config.
...
Related to smallstep/cli#170
2019-11-05 16:41:17 -08:00
Mariano Cano
c6a5772356
Fix tests.
2019-11-05 16:41:17 -08:00
Mariano Cano
fe3149cf52
Add endpoint to return the SSH public keys.
...
Related to smallstep/ca-component#195
2019-11-05 16:41:17 -08:00
Mariano Cano
dc6ffb7670
Add initial implementation of ssh config.
2019-11-05 16:41:17 -08:00
max furman
8f07ff6a39
Add kubernetes service account provisioner
2019-10-29 17:42:50 -07:00
Max
0a96062b76
Merge pull request #128 from jkralik/returnCertChain
...
Change api of functions Authority.Sign, Authority.Renew
2019-10-18 14:00:18 -07:00
max furman
d368791606
Add x5c provisioner capabilities
2019-10-14 14:51:37 -07:00
Jozef Kralik
bc6074f596
Change api of functions Authority.Sign, Authority.Renew
...
Returns certificate chain instead of 2 members.
Implements #126
2019-10-09 22:23:00 +02:00
Mariano Cano
59526d3225
Merge pull request #105 from smallstep/okta-support
...
Address support on OIDC provisioners
2019-09-20 15:33:11 -07:00
Mariano Cano
39b41b5e83
Merge pull request #107 from smallstep/ssh-valid-after
...
Truncate to seconds ValidAfter
2019-09-19 15:27:28 -07:00
Mariano Cano
d59a5b222f
Truncate to seconds to avoid rounding up times.
...
It can cause that certs are not valid yet, if they are used right away.
2019-09-19 13:42:24 -07:00
max furman
fe7973c060
wip
2019-09-19 13:17:45 -07:00
Mariano Cano
adc1d54b0d
Define valid after as 1m before now.
...
It avoids errors with immediate use of cert.
2019-09-19 12:37:41 -07:00
Mariano Cano
72f1a61f06
Increase coverage.
2019-09-18 18:08:26 -07:00
Mariano Cano
b7045f27a9
Increase coverage.
2019-09-18 17:13:58 -07:00
Mariano Cano
a16b2125bc
Fix tests.
2019-09-18 16:04:43 -07:00
Mariano Cano
6c4abfabbb
Make /.well-known/openid-configuration optional
2019-09-18 15:54:10 -07:00
Mariano Cano
3527ee6940
Add support for listenAddress parameter if OIDC provisioners.
...
Fixes smallstep/cli#150
2019-09-18 15:25:28 -07:00
max furman
44e864030d
Remove debug logging
2019-09-16 10:45:33 -07:00
max furman
e3826dd1c3
Add ACME CA capabilities
2019-09-13 15:48:33 -07:00
max furman
d204469280
Add a few more validity checks to default ssh cert validator
2019-09-12 19:27:59 -07:00
Mariano Cano
396b4222aa
Implement validator for ssh keys.
...
Fixes #100
2019-09-10 17:04:13 -07:00
max furman
61d52a8510
Small fixes associated with PR review
...
* additions and grammar edits to documentation
* clarification of error msgs
2019-09-08 21:05:36 -07:00
Mariano Cano
10e7b81b9f
Merge branch 'master' into ssh-ca
2019-09-05 23:06:01 +02:00
max furman
ac234771c7
Remove unknown provisioner WARNning and leave TODO
2019-08-29 10:49:52 -07:00
max furman
ca8daf5f12
Update comment and warn
2019-08-28 17:28:03 -07:00
Mariano Cano
9200f11ed8
Skip unsupported provisioners.
2019-08-28 17:25:39 -07:00
Max
5dac2459c3
Merge pull request #96 from smallstep/max/2084
...
Enforce >= 2048 bit rsa keys in CSRs
2019-08-28 09:41:58 -07:00
max furman
d3e74a0d2e
switch from metalinter to golangci-lint
2019-08-27 16:39:48 -07:00
max furman
2b41faa9cf
Enforce >= 2048 bit rsa keys at the provisioner layer
...
* Fixes #94
* In the future this should be configurable by provisioner
2019-08-27 14:44:59 -07:00
max furman
635c59ed24
Accept emails SANs
2019-08-23 15:59:30 -07:00
Mariano Cano
db4baa0487
Add tests for authority sign ssh methods.
2019-08-05 18:35:00 -07:00
Mariano Cano
34e1e3380a
Fix lint errors.
2019-08-05 16:14:25 -07:00
Mariano Cano
57a529cc1a
Allow to enable the SSH CA per provisioner
2019-08-05 11:40:27 -07:00
Mariano Cano
e71072d389
Add experimental support for provisioning users.
2019-08-02 17:48:34 -07:00
Mariano Cano
390aecca0b
Check for error creating signers.
2019-08-01 18:15:04 -07:00
Mariano Cano
004ea12212
Allow to use custom SSH user/host key files.
2019-08-01 15:04:56 -07:00
Mariano Cano
dc657565a7
Add SSH test for GCP.
2019-07-31 18:22:21 -07:00
Mariano Cano
7983aa8661
Add azure ssh tests.
2019-07-31 18:16:17 -07:00
Mariano Cano
2cac85a8c8
Add aws tests.
2019-07-31 18:11:46 -07:00
Mariano Cano
f8a71899fd
Add missing file.
2019-07-31 17:46:28 -07:00
Mariano Cano
d231bfb764
Update jwk and oidc tests.
2019-07-31 17:04:17 -07:00
Mariano Cano
a8f4ad1b8e
Set default SSH options if no user options are given.
2019-07-31 17:03:33 -07:00
Mariano Cano
c17375a10a
Create convenient method to mock the timeduration.
2019-07-31 12:53:03 -07:00
Mariano Cano
4c1a11c1bc
Add Unix method to TimeDuration.
2019-07-31 12:36:31 -07:00
Mariano Cano
b0240772da
Add tests for SSH certs with JWK provisioners.
2019-07-30 18:23:54 -07:00
Mariano Cano
780eeb5487
Remove debug print.
2019-07-30 16:56:30 -07:00
Mariano Cano
ad91842d06
Add test for SanitizeSSHUserPrincipal
2019-07-30 15:28:04 -07:00
Mariano Cano
f8cacc11b1
Fix tests.
2019-07-29 18:24:34 -07:00
Mariano Cano
b827a59e96
Add SSH host certificate support for GCP provisioner.
2019-07-29 18:17:20 -07:00
Mariano Cano
221d323b68
Fix containsAllMembers
2019-07-29 18:16:52 -07:00
Mariano Cano
18a285e847
Change azure ssh key id.
2019-07-29 18:04:01 -07:00
Mariano Cano
aef52e4334
Add support for SSH host certificates in azure.
2019-07-29 18:01:20 -07:00
Mariano Cano
7d670b20ea
Add support of ssh host certinficates in AWS provisioner.
2019-07-29 17:54:38 -07:00
Mariano Cano
7583f1c739
Do not require all principals, allow subgroups.
2019-07-29 17:54:13 -07:00
Mariano Cano
41b97372e6
Rename function to SanitizeSSHUserPrincipal
2019-07-29 16:38:57 -07:00
Mariano Cano
53f62f871c
Set not extensions to host certificates.
2019-07-29 16:36:46 -07:00
Mariano Cano
48c98dea2a
Make SanitizeSSHPrincipal a public function.
2019-07-29 16:21:22 -07:00
Mariano Cano
f01286bb48
Add support for SSH certificates to OIDC.
...
Update the interface for all the provisioners.
2019-07-29 15:54:07 -07:00
Mariano Cano
7a64a84761
Pass the given context.
2019-07-29 15:53:09 -07:00
Mariano Cano
e1cd5ee8c3
Add context to the Authorize method.
...
Fix tests.
2019-07-29 12:34:27 -07:00
Mariano Cano
2127d09ef3
Rename context type to apiCtx.
...
It will conflict with the context package.
2019-07-29 11:56:14 -07:00
Mariano Cano
082ebda85b
Merge branch 'master' of github.com:smallstep/certificates into ssh-ca
2019-07-26 15:38:46 -07:00
Mariano Cano
d7221e15ac
Always marshal timeduration as a string
2019-07-25 18:41:46 -07:00
Mariano Cano
3ff410c695
fix ssh validity modifier
2019-07-25 18:41:32 -07:00
Mariano Cano
1c8f610ca9
Add initial implementation of an SSH CA using the JWK provisioner.
...
Fixes smallstep/ca-component#187
2019-07-23 18:46:43 -07:00
Mariano Cano
f5beed3b96
Merge pull request #83 from matteo-s/oidc-groups
...
Add option for checking group membership declared in JWT token
2019-07-23 10:05:18 -07:00
Mariano Cano
3e69194cc4
Fix lint error
2019-07-15 16:35:51 -07:00
Mariano Cano
900ab9cc12
Allow custom common names in cloud identity provisioners.
2019-07-15 15:52:36 -07:00
Mariano Cano
5f4217ca4c
Simplify abs, it performs even better.
2019-06-25 11:04:48 -07:00
Matteo Saloni
1919cfdff3
Add option for checking group membership declared in JWT token
2019-06-25 10:50:55 +02:00
Mariano Cano
e66272d6f0
Fix panic when max-age is set to zero.
...
Fixes #81
2019-06-24 13:40:14 -07:00
Mariano Cano
578beec25d
Merge pull request #65 from smallstep/cloud-identities
...
Cloud identities
2019-06-07 11:36:31 -07:00
Mariano Cano
8f8c862c04
Fix spelling errors.
2019-06-07 11:24:56 -07:00
Mariano Cano
b88a2f1373
Fix provisioner id in LoadByCertificate
2019-06-06 15:24:15 -07:00
Mariano Cano
37dff5124b
Fix audience tests.
...
Fixes smallstep/step#156
2019-06-06 13:09:00 -07:00
Mariano Cano
2491593cdd
Add ca-url based audience for AWS tokens
...
Fixes smallstep/step#156
2019-06-06 12:49:51 -07:00
Mariano Cano
4fa9e9333d
Add NewDuration constructor.
2019-06-05 17:53:28 -07:00
Mariano Cano
37f2096dff
Add Stringer interface to provisioner.Type.
...
Add missing file.
2019-06-05 17:52:29 -07:00
Mariano Cano
6e4a09651a
Add comments with links to cloud docs.
2019-06-05 11:04:00 -07:00
Mariano Cano
536ec36b9e
Add support for instance age check in AWS.
...
Fixes smallstep/step#164
2019-06-04 16:31:33 -07:00
Mariano Cano
c431538ff2
Add support for instance age check in GCP.
...
Fixes smallstep/step#164
2019-06-04 15:57:15 -07:00
Mariano Cano
4cef086c00
Allow to use emails as service accounts on GCP
...
Fixes smallstep/step#163
2019-06-03 17:28:39 -07:00
Mariano Cano
0a756ce9d0
Use on GCP audiences with the format https://<ca-url>#<provisioner-type>/<provisioner-name>
...
Fixes smallstep/step#156
2019-06-03 17:19:44 -07:00
Mariano Cano
a54bf925eb
Add filtering by GCP Project ID.
...
Fixes smallstep/step#155
2019-06-03 11:56:42 -07:00
Mariano Cano
54d0186d1f
Change condition to fail if the length is not the expected.
2019-05-13 11:50:22 -07:00
Mariano Cano
dbd3131068
Fix comments.
2019-05-10 17:54:18 -07:00
Mariano Cano
9f39cb5f2a
Add test.
2019-05-10 16:53:35 -07:00
Mariano Cano
fb6a1afd89
Fix typo.
2019-05-10 16:04:30 -07:00
Mariano Cano
3a1a4c5ea9
Do not allow reload with database configuration changes.
...
Fixes #smallstep/ca-component#170
2019-05-10 15:58:37 -07:00
Mariano Cano
cf07c8f4c0
Fix typos.
2019-05-09 18:56:24 -07:00
Mariano Cano
54570095d4
Merge branch 'master' into cloud-identities
2019-05-08 17:19:03 -07:00
Mariano Cano
423d505d04
Replace subscriptions with resource groups.
2019-05-08 17:11:55 -07:00
Mariano Cano
32d2d6b75a
Remove debug code.
2019-05-08 17:11:33 -07:00
Mariano Cano
e0aaa1a577
Use tenant id in azures's provisioner x509 extension.
2019-05-08 15:58:15 -07:00
Mariano Cano
89eeada2a2
Add support for loading azure tokens by tenant id.
2019-05-08 15:39:50 -07:00
Mariano Cano
803d81d332
Improve azure unit tests.
2019-05-08 12:47:45 -07:00
Mariano Cano
4c5fec06bf
Require TenantID in azure, add some tests.
2019-05-07 19:07:49 -07:00
Mariano Cano
12937c6b75
Remove pkcs7 related variables and structs.
2019-05-07 17:12:12 -07:00
Mariano Cano
6412b1a79b
Add first version of Asure support.
...
Fixes #69
2019-05-07 17:07:04 -07:00
max furman
81db527f12
NoopDB -> SimpleDB
2019-05-07 12:26:30 -07:00
max furman
b73fe8c157
Add used OTT to DB during authToken step
2019-05-06 15:52:02 -07:00
Mariano Cano
70196b2331
Add skeleton for the Azure provisioner.
...
Related to #69
2019-05-03 17:30:54 -07:00
Mariano Cano
81bfd2c1cb
Add tests for AWS provisioner
...
Fixes #68
2019-04-24 19:52:58 -07:00
Mariano Cano
f755fddc35
Fix lint errors.
2019-04-24 14:59:01 -07:00
Mariano Cano
b6a5ebcfc9
Move code to switch default.
2019-04-24 14:50:22 -07:00
Mariano Cano
a7f06c765d
Fix load of gcp and aws provisioner by certificate.
2019-04-24 14:49:28 -07:00
Mariano Cano
da93e40f90
Add constant for Azure type.
2019-04-24 14:26:37 -07:00
Mariano Cano
37e84aa535
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner.
...
Fixes #67
2019-04-24 13:05:46 -07:00
Mariano Cano
75ef5a2275
Add AWS provisioner.
...
Fixes #68
2019-04-24 12:12:36 -07:00
Mariano Cano
5defd8289d
Add missing config in tests.
2019-04-24 11:30:37 -07:00
Mariano Cano
27c98806c0
Use GetTokenID.
2019-04-24 11:29:57 -07:00
Mariano Cano
2c68915b70
Fix comment.
2019-04-23 14:36:11 -07:00
Mariano Cano
fb6321fb2c
Use gcpConfig type to keep configuration urls.
...
Fixes #67
2019-04-23 14:33:36 -07:00
Mariano Cano
7e53b28320
Disable revoke for GCP.
2019-04-23 14:20:14 -07:00
Mariano Cano
7727fa5665
Update GCP tests.
2019-04-19 10:44:11 -07:00
Mariano Cano
1ea4b0ad64
Add unit test for GCP provider
2019-04-18 16:01:30 -07:00
Mariano Cano
b4729cd670
Use JWKSet to get the GCP keys.
2019-04-17 17:38:24 -07:00
Mariano Cano
f794dbeb93
Add support for GCP identity tokens.
2019-04-17 17:28:21 -07:00
max furman
9977eff153
bump cli dep and fix text error msg
2019-04-10 14:00:36 -07:00
max furman
ff20d9f5af
Fix composite literal uses unkeyed field
2019-04-10 13:50:35 -07:00
max furman
ab4d569f36
Add /revoke API with interface db backend
2019-04-10 13:50:35 -07:00
Mariano Cano
1812c0619a
Update go-jose to 2.3.0.
...
This is a dependency for smallstep/cli#105 , it will be solved once
square/go-jose#224 gets merged
2019-04-05 12:54:23 -07:00
Mariano Cano
04da00d716
Merge pull request #55 from smallstep/x509util-real-x509
...
Use standard x509 creating signed certificates
2019-03-25 15:50:57 -07:00
Mariano Cano
7b9e08bcfa
Fix comment.
2019-03-25 14:18:46 -07:00
Mariano Cano
64f2615864
Fix tests.
2019-03-25 12:35:21 -07:00
Mariano Cano
6d92ba75b9
Don't use pointer in TimeDuration.MarshalJSON
2019-03-25 12:34:01 -07:00
Mariano Cano
698058baa9
Add tests for TimeDuration.
2019-03-25 12:05:34 -07:00
Mariano Cano
00fed1c538
Add initial version of time duration support in sign requests.
2019-03-22 18:55:28 -07:00
Mariano Cano
8c8547bf65
Remove unnecessary parse and improve tests.
2019-03-20 18:11:45 -07:00
Mariano Cano
b9530909a4
Fix tests.
2019-03-20 17:41:37 -07:00
Mariano Cano
a3e2b4a552
Move certificate check to the right place.
2019-03-20 17:36:45 -07:00
Mariano Cano
30a6889d1f
Use standard x509 instead of step one.
2019-03-20 17:12:52 -07:00
Mariano Cano
68ff077ea9
Improve tests.
2019-03-19 15:31:14 -07:00
Mariano Cano
76618558ae
Improve unit tests.
2019-03-19 15:27:41 -07:00
Mariano Cano
7378ed27ac
Refactor claims so they can be totally omitted if only the parent is set.
2019-03-19 15:10:52 -07:00
Mariano Cano
5d5f03f963
Set omitempty to admins and domains.
2019-03-19 11:23:18 -07:00
Mariano Cano
8a05cdde52
Add audience in the error v2
2019-03-18 10:59:36 -07:00
Mariano Cano
f8fba4df6b
Add audience in error.
2019-03-18 10:57:29 -07:00
Mariano Cano
60880d1f0a
Add domains and check emails properly.
2019-03-15 13:49:50 -07:00
Mariano Cano
5edbce017f
Set docs for client secret as mandatory, but it can be blank.
2019-03-15 11:10:52 -07:00
Mariano Cano
2c0c0112c6
Add an optional client secret field.
2019-03-14 18:00:11 -07:00
Mariano Cano
945a1371f1
Fix tests.
2019-03-13 16:46:12 -07:00
Mariano Cano
0b4cde1ad3
Move type to the first position of the struct.
2019-03-13 15:33:52 -07:00
Mariano Cano
23e6de57a2
Address comments in code review.
2019-03-13 11:26:18 -07:00
Mariano Cano
07cdc1021c
Use OIDC nonce as the reuse key.
2019-03-12 15:47:18 -07:00
Mariano Cano
7fd737cbb1
Fix lint warnings.
2019-03-11 18:47:57 -07:00
Mariano Cano
1f5ff5c899
Fix sign and renew tests.
2019-03-11 18:15:24 -07:00
Mariano Cano
2fb77b8a4d
Truncate to seconds the startTime to simplify tests.
2019-03-11 18:14:20 -07:00
Mariano Cano
1a9e8bad74
Truncate to seconds instead of rounding.
2019-03-11 18:13:20 -07:00
Mariano Cano
b77621675c
Fix and simplify authorize tests.
2019-03-11 16:38:48 -07:00
Mariano Cano
ef4d809ee6
Move matchesAudience and stripPort tests to provisioner package.
2019-03-11 15:47:57 -07:00
Mariano Cano
636d92b19b
Add missing files.
2019-03-11 14:55:42 -07:00
Mariano Cano
a8d03c39bb
Move Duration to a new file and move tests to provisioner package.
2019-03-11 14:54:25 -07:00
Mariano Cano
c24d868d9d
Add tests for sign options.
2019-03-11 13:25:19 -07:00
Mariano Cano
5dfcbcf5dc
Add noop tests.
2019-03-11 12:56:47 -07:00
Mariano Cano
4ceb88fbae
Add tests for OIDC and complete some JWK tests.
2019-03-11 12:48:46 -07:00
Mariano Cano
dce3100cfb
Add missing time in validation.
2019-03-11 11:12:47 -07:00
Mariano Cano
fb279c89fb
Restore deleted methods.
2019-03-11 10:40:55 -07:00
Mariano Cano
955405d6aa
Add some comments added to master.
2019-03-08 18:09:35 -08:00
Mariano Cano
af9688c419
Fix some testing errors.
2019-03-08 18:05:11 -08:00
Mariano Cano
f17d2d9694
Remove debug statements.
2019-03-08 17:29:18 -08:00
Mariano Cano
67c79fd014
Add tests for default provisioner.
2019-03-08 17:24:58 -08:00
Mariano Cano
cf2dba3efb
Add tests for keyStore.
2019-03-08 15:08:18 -08:00
Mariano Cano
2a5430fee1
Complete tests for collection.
2019-03-08 12:19:44 -08:00
Mariano Cano
54d86ca1c1
testing work in progress.
2019-03-07 19:30:17 -08:00
Mariano Cano
9f7f871f25
Add noop provisioner and use it if a provisioner cannot been found from a cert.
2019-03-07 16:05:13 -08:00
Mariano Cano
47817ab212
Fix interface type.
2019-03-07 16:04:56 -08:00
Mariano Cano
cc8764c343
Initialize the list for backward compatibility.
2019-03-07 16:04:29 -08:00
Mariano Cano
c0ef6f8dc5
Add missing modifier and change return codes.
2019-03-07 16:03:38 -08:00
Mariano Cano
a97ea87caa
Move options to provisioner so we can set the duration of the cert.
2019-03-07 15:14:18 -08:00
Mariano Cano
507fd01062
Remove provisioner intermediate type.
2019-03-07 13:07:39 -08:00
Mariano Cano
1671ab2590
Fix some tests.
2019-03-07 12:15:18 -08:00
Mariano Cano
d92a7f2948
Rename provisioner to jwk.
2019-03-06 18:36:35 -08:00
Mariano Cano
a1782733fe
Rename files.
2019-03-06 18:33:40 -08:00
Mariano Cano
2d00cd0933
Validate audiences in the default provisioner.
2019-03-06 18:32:56 -08:00
Mariano Cano
33c1449360
Remove deprecated file.
2019-03-06 17:42:17 -08:00
Mariano Cano
57b705f6cf
Use provisioner sign options.
2019-03-06 17:37:49 -08:00
Mariano Cano
9d4034fbf6
Remove unused code.
2019-03-06 17:37:08 -08:00
Mariano Cano
6d395f3818
Add missing validy validator to oidc.
2019-03-06 17:30:14 -08:00
Mariano Cano
602a42813c
Re-enable replay protection for JWK provisioner.
2019-03-06 17:00:45 -08:00
Mariano Cano
ab1cca03d7
Use new provisioners in authorize methods.
2019-03-06 15:04:28 -08:00
Mariano Cano
54ed49f072
Rename package.
2019-03-06 15:01:51 -08:00
Mariano Cano
c776ca3bd6
Use provisioner.Collection to store and request the provisioners.
2019-03-06 15:00:23 -08:00
Mariano Cano
34833d4fd5
Add validators from the authority package.
2019-03-06 14:58:46 -08:00
Mariano Cano
0dee841a4f
Complete first version of provisioner implementations.
2019-03-06 14:54:56 -08:00
Mariano Cano
7eb6eb1d3e
Complete provisioner.Claims with methods from authority.
2019-03-06 14:51:12 -08:00
Mariano Cano
fb77397fc7
Add new options to locate or list provisioners.
2019-03-06 14:50:13 -08:00
Mariano Cano
34ff388828
Use new types in config.
2019-03-06 14:49:25 -08:00
Mariano Cano
62dab7b6b8
Rename interface method.
2019-03-05 14:52:26 -08:00
Mariano Cano
5a8f78d9d0
Add support to collection to load the encrypted keys.
2019-03-05 14:45:57 -08:00
Mariano Cano
dd0376657c
Move collection to a new file.
2019-03-05 14:28:32 -08:00
Mariano Cano
4b2b6ffe32
Create the provisioner type used to englobe all different provisioners.
2019-03-05 12:42:49 -08:00
Mariano Cano
bed3132028
Move provisioner to authority/provisioner package.
2019-03-04 18:19:14 -08:00
Mariano Cano
fc0b2ca5a6
Revert "Move provisioners to authority/provisioner package."
...
This reverts commit f88d622a67
.
2019-03-04 18:17:35 -08:00
Mariano Cano
f88d622a67
Move provisioners to authority/provisioner package.
2019-03-04 18:10:19 -08:00
Mariano Cano
a2a45f635b
Add initial implementation of an OIDC provisioner.
2019-03-04 17:58:20 -08:00
max furman
229e5908b7
Added test for different authority key id after renew
...
Also ran dep ensure.
2019-02-14 19:17:42 -08:00
Mariano Cano
d78febec7a
Fix extensions copy on renew
...
Fixes #36
2019-02-14 16:44:36 -08:00
max furman
7e43402575
bug fix: don't add common name to CSR validation claims in Sign
...
* added unit test for this case
2019-02-06 16:26:25 -08:00
max furman
3415a1fef8
move SplitSANs to cli
2019-02-05 19:32:01 -08:00
max furman
6937bfea7b
claims.SANS -> claims.SANs
2019-02-04 20:22:02 -08:00
max furman
93f39c64a0
backwards compat only when SANS empty
2019-02-04 20:02:56 -08:00
max furman
fe8c8614b2
SANS backwards compat when token missing sujbect SAN
2019-02-01 12:18:10 -06:00
max furman
e6e8443f3c
allow multiple identical SANs in cert
2019-01-31 11:20:21 -06:00
max furman
f0683c2e0a
Enable signing certificates with custom SANs
...
* validate against SANs in token. must be 1:1 equivalent.
2019-01-30 18:21:03 -06:00
Derrick Lyndon Pallas
7a5c4a1112
authority/provisioners: fix overflow on 32-bit systems
...
In Go, len returns signed ints, not unsigned ints; consequently, this code
comparison overflows on 32-bit systems, like ARM.
2019-01-28 00:54:15 +00:00
max furman
2c72ada610
remove dead code
2019-01-20 21:37:12 -08:00
max furman
6dc89f46d8
make Duration public
2019-01-20 21:33:14 -08:00
max furman
0615f7eb11
don't wrap time.Duration
2019-01-18 12:08:18 -08:00
max furman
4b742042ee
make Duration wrapper publicly accessible
2019-01-18 10:39:12 -08:00
Mariano Cano
e8ac3f4888
Add comment to differentiate GetRootCertificates and GetRoots.
2019-01-14 18:11:55 -08:00
Mariano Cano
6e620073f5
Rename method Empties to HasEmpties
2019-01-14 18:11:55 -08:00
max furman
cfbb2a6f41
method documentation grammar fix
2019-01-14 17:55:01 -08:00
Mariano Cano
518b597535
Remove mTLS client requirement in /roots and /federation
2019-01-11 19:08:08 -08:00
Mariano Cano
1763ede99d
Add tests for new methods.
2019-01-10 13:19:51 -08:00
Mariano Cano
d296cf95a9
Add mTLS request to get all the root CAs, not the federated ones.
2019-01-07 17:48:56 -08:00
Mariano Cano
98cc243a37
Add support for multiple roots.
2019-01-07 15:30:28 -08:00
Mariano Cano
722bcb7e7a
Add initial support for federated root certificates.
2019-01-04 17:51:32 -08:00
Mariano Cano
7e95fc0e45
Strip ports on audience check.
...
Services might have proxies behind them so we cannot rely on them.
Fixes #17
2018-12-21 15:27:22 -08:00
Mariano Cano
9b87e08faf
Do not require the port in the audience check.
...
Fixes #17
2018-12-21 14:04:22 -08:00
Mariano Cano
7da1d1adc2
Fix typo.
2018-11-01 15:51:20 -07:00
Mariano Cano
d6cad2a7f3
Add provisioner option to disable renewal.
...
Fixes smallstep/ca-component#108
2018-11-01 15:43:24 -07:00
max furman
c74fcd57a7
ca-component -> certificates
...
* fix redundant error check
* add README
2018-10-31 21:36:01 -07:00
Mariano Cano
428661f472
Use name instead of issuer in error message.
2018-10-30 15:25:52 -07:00
max furman
0d9dd2d14b
provisioner issuer -> name
2018-10-29 18:00:30 -07:00
Mariano Cano
ea0307239a
Fix dead code and add missing error check.
2018-10-26 15:05:37 -07:00
Mariano Cano
d574545d94
Format code with gofmt -s
2018-10-26 15:01:02 -07:00
max furman
7fa06643b2
change step provisioner OID and ASN1 representation
2018-10-26 14:24:16 -07:00
max furman
b457b15292
fix: omit empty claims in AuthConfig
2018-10-26 10:51:40 -07:00
max furman
ca6087145f
fix unit test
2018-10-25 23:55:31 -07:00
max furman
a4a461466b
withProvisionerOID and unit test
2018-10-25 23:49:23 -07:00
max furman
283dc42904
add unit tests for MatchOne (token audience) and Authority.New
2018-10-25 15:17:22 -07:00
Mariano Cano
0ccf775f2e
Add support for cursors in the api.
2018-10-25 18:53:13 -07:00
Mariano Cano
1de8eb4bfa
Fix provisioner package move.
2018-10-25 17:27:40 -07:00
Mariano Cano
1db177b80d
Add backend support for provisioners with cursors.
...
Fixes #83
2018-10-25 15:40:12 -07:00
max furman
d2872564b4
accidentally removed DisableIssuedAtCheck during merge
2018-10-25 00:15:17 -07:00
max furman
ee7db4006a
change sign + authorize authority api | add provisioners
...
* authorize returns []interface{}
- operators in this list can conform to any interface the user decides
- our implementation has a combination of certificate claim validators
and certificate template modifiers.
* provisioners can set and enforce tls cert options
2018-10-18 22:26:39 -07:00
Mariano Cano
1c1ac1b3fb
Add disableIssuedAt check functionality
...
Fixes #86
2018-10-24 18:59:48 -07:00
Mariano Cano
69da47a727
Set audience using the sign url.
2018-10-19 18:25:59 -07:00
max furman
0b5f6487e1
change provisioners api
...
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
2018-10-11 23:03:00 -07:00
max furman
f1dc00c810
add Provisioner config validation
2018-10-08 23:25:18 -07:00
max furman
0e904989d2
add unit tests for authority.Provisioners api
2018-10-08 22:40:07 -07:00
max furman
d773770a44
add authority.New unit tests
2018-10-08 21:48:44 -07:00
max furman
c284a2c0ab
first commit
2018-10-05 21:48:36 +00:00