Commit graph

201 commits

Author SHA1 Message Date
Raal Goff
7d024cc4cb change GenerateCertificateRevocationList to return DER, store DER in db instead of PEM, nicer PEM encoding of CRL, add Mock stubs 2022-04-06 08:22:26 +08:00
Raal Goff
e8fdb703c9 initial support for CRL 2022-04-06 08:19:45 +08:00
Herman Slatman
571b21abbc
Fix (most) PR comments 2022-03-31 16:12:29 +02:00
Herman Slatman
628d7448de
Don't return policy in provisioner JSON 2022-03-30 15:20:38 +02:00
Herman Slatman
2fbdf7d5b0
Merge branch 'master' into herman/allow-deny 2022-03-30 14:50:14 +02:00
Panagiotis Siatras
00634fb648
api/render, api/log: initial implementation of the packages (#860)
* api/render: initial implementation of the package

* acme/api: refactored to support api/render

* authority/admin: refactored to support api/render

* ca: refactored to support api/render

* api: refactored to support api/render

* api/render: implemented Error

* api: refactored to support api/render.Error

* acme/api: refactored to support api/render.Error

* authority/admin: refactored to support api/render.Error

* ca: refactored to support api/render.Error

* ca: fixed broken tests

* api/render, api/log: moved error logging to this package

* acme: refactored Error so that it implements render.RenderableError

* authority/admin: refactored Error so that it implements render.RenderableError

* api/render: implemented RenderableError

* api/render: added test coverage for Error

* api/render: implemented statusCodeFromError

* api: refactored RootsPEM to work with render.Error

* acme, authority/admin: fixed pointer receiver name for consistency

* api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 11:22:22 +03:00
Andrew Reed
d5d70baba7
Add /roots.pem handler (#866)
* Add /roots.pem handler

* Review changes

* Remove no peer cert test case
2022-03-28 09:18:18 -05:00
Herman Slatman
23676d3bcc
Merge branch 'master' into herman/allow-deny 2022-03-24 18:35:20 +01:00
Panagiotis Siatras
b98f86a515
scep: minor cleanup (#867)
* api, scep: removed scep.Error

* scep/api: replaced nextHTTP with http.HandlerFunc

* scep/api: renamed writeSCEPResponse to writeResponse

* scep/api: renamed decodeSCEPRequest to decodeRequest

* scep/api: renamed writeError to fail

* scep/api: replaced pkg/errors with errors

* scep/api: formatted imports

* scep/api: do not export SCEPRequest & SCEPResponse

* scep/api: do not export Handler

* api: flush errors better
2022-03-24 14:58:50 +02:00
Herman Slatman
613c99f00f
Fix linting issues 2022-03-24 13:10:49 +01:00
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next 2022-03-24 12:36:12 +01:00
Herman Slatman
6b620c8e9c
Improve protobuf unmarshaling error handling 2022-03-24 10:54:45 +01:00
Panagiotis Siatras
80abda22ee
api/log: initial implementation of the package (#859)
* api/log: initial implementation of the package

* api: refactored to support api/log

* scep/api: refactored to support api/log

* api/log: documented the package

* api: moved log-related tests to api/log
2022-03-22 14:31:18 +02:00
Panagiotis Siatras
df89ed5acb
api: moved read-related tests to api/read 2022-03-18 20:21:01 +02:00
Panagiotis Siatras
29092b9d8a
api: refactored to use the read package 2022-03-18 20:20:59 +02:00
Panagiotis Siatras
7fb8acda27
api/read: initial implementation of the package 2022-03-18 20:20:16 +02:00
Herman Slatman
81b0c6c37c
Add API implementation for authority and provisioner policy 2022-03-15 15:56:04 +01:00
Mariano Cano
f8df6a1acc Change variable name for consistency 2022-03-11 10:05:35 -08:00
Mariano Cano
616490a9c6 Refactor renew after expiry token authorization
This changes adds a new authority method that authorizes the
renew after expiry tokens.
2022-03-10 20:21:01 -08:00
Mariano Cano
afb5d36206 Allow to renew certificates using an x5c-like token. 2022-03-09 20:37:41 -08:00
Herman Slatman
5fe9909174
Refactor AdminAuthority interface 2021-12-22 15:30:40 +01:00
Herman Slatman
5f224b729e
Add tests for Provisioner Admin API 2021-12-09 23:15:38 +01:00
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab 2021-12-09 13:58:40 +01:00
Herman Slatman
2215a05c28
Add tests for ACME EAB Admin
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.

At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
2021-12-08 15:19:38 +01:00
Mariano Cano
0cebde3db5 Change fallback message on RekeySSH. 2021-12-03 15:12:00 -08:00
Mariano Cano
9fd147f3da Change error message. 2021-12-02 16:44:57 -08:00
Mariano Cano
b5db3f5706 Modify errs.ForbiddenErr to always return an error to the cli. 2021-11-23 11:52:55 -08:00
Mariano Cano
668d3ea6c7 Modify errs.Wrap() with bad request to send messages to users. 2021-11-18 18:44:58 -08:00
Mariano Cano
8c8db0d4b7 Modify errs.BadRequestErr() to always return an error to the client. 2021-11-18 18:17:36 -08:00
Mariano Cano
8ce807a6cb Modify errs.BadRequest() calls to always send an error to the client. 2021-11-18 15:12:44 -08:00
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues 2021-11-13 01:30:03 +01:00
max furman
933b40a02a Introduce gocritic linter and address warnings 2021-10-08 14:59:57 -04:00
Mariano Cano
833d28cb6a Clone the certificate in case we need to look at it later. 2021-08-25 16:15:12 -07:00
Mariano Cano
568fce201a Enforce identity cert to match ssh cert on renewals. 2021-08-23 15:15:36 -07:00
Mariano Cano
4aa529605d
Merge pull request #641 from hillu/quote-serial
Log certificate's serial number as stringified decimal number
2021-07-16 18:53:51 +02:00
Herman Slatman
9210a6740b
Fix logging provisioner name as string 2021-07-15 23:13:08 +02:00
Hilko Bengen
edb01bc9f2 Log certificate's serial number as stringified decimal number
Using a JSON string fixes a common issue with JSON parsers that
deserialize all numbers to a 64-bit IEEE-754 floats. (Certificate
serial numbers are usually 128 bit values.)

This change is consistent with existing log entries for revocation
requests.

See also: #630, #631
2021-07-14 12:06:28 +02:00
max furman
77fdfc9fa3 Merge branch 'master' into max/cert-mgr-crud 2021-07-02 20:26:46 -07:00
max furman
9fdef64709 Admin level API for provisioner mgmt v1 2021-07-02 19:05:17 -07:00
Mariano Cano
65dacc2795 Replace golint with revive 2021-06-23 09:53:26 +02:00
Herman Slatman
a191319da9 Improve SCEP API logic and error handling 2021-05-26 16:06:21 -07:00
Herman Slatman
bc2bb53009
Merge branch 'master' into hs/scep 2021-05-20 21:35:44 +02:00
max furman
4f3e5ef64d wip 2021-05-19 15:20:16 -07:00
max furman
5d09d04d14 wip 2021-05-19 15:20:16 -07:00
max furman
7b5d6968a5 first commit 2021-05-19 15:20:16 -07:00
Mariano Cano
c1c986922b Show Ed25519 in the public-key log field. 2021-05-06 18:09:40 -07:00
Herman Slatman
0487686f69
Merge branch 'master' into hs/scep 2021-04-16 13:25:01 +02:00
max furman
2e0e62bc4c add WriteError method for acme api 2021-03-29 23:16:39 -07:00
max furman
fd447c5b54 Fix small nbf->naf bug in db.CreateOrder
- still needs unit test
2021-03-25 16:45:26 -07:00
max furman
1135ae04fc [acme db interface] wip 2021-03-25 12:05:46 -07:00
Herman Slatman
2fc5a7f22e
Improve SCEP API logic and error handling 2021-02-27 00:34:50 +01:00
max furman
f88f58440f add //nolint for new 1.16 deprecation warnings
- dsa
- pem.DecryptPEMBlock
2021-02-18 20:14:20 -08:00
Mariano Cano
c94a1c51be Merge branch 'master' into ssh-cert-templates 2020-08-24 15:08:28 -07:00
Mariano Cano
ba918100d0 Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
Mariano Cano
aaaa7e9b4e Merge branch 'master' into cert-templates 2020-08-14 10:45:41 -07:00
max furman
8e3481a8ef [logger map] small optimization
Rather than doing two key writes and one lookup, just write once.
2020-08-12 16:35:38 -07:00
max furman
55bf5a4526 Add cert logging for acme/certificate api 2020-08-12 15:50:45 -07:00
Mariano Cano
4943ae58d8 Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates. 2020-08-10 15:29:18 -07:00
Mariano Cano
e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 2020-08-10 11:26:51 -07:00
Mariano Cano
3b19bb9796 Add TemplateData to SSHSignRequest.
Add some omitempty tags.
2020-07-30 17:45:03 -07:00
Mariano Cano
6c64fb3ed2 Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
068bafe5a3 Add templateData to api sign request. 2020-07-21 14:18:04 -07:00
max furman
fd05f3249b A few last fixes and tests added for rekey/renew ...
- remove all `renewOrRekey`
- explicitly test difference between renew and rekey (diff pub keys)
- add back tests for renew
2020-07-09 12:11:40 -07:00
dharanikumar-s
dfda497929 Renamed RenewOrRekey to Rekey 2020-07-08 11:47:59 +05:30
dharanikumar-s
a3b5211e0f gofmted the code 2020-07-05 22:40:36 +05:30
dharanikumar-s
954fda657b Added renewOrRekey to mockAuthority. Added Test_caHandler_Rekey 2020-07-05 22:05:00 +05:30
dharanikumar-s
01a6469d25 Moved peer certificate check to the first line 2020-07-03 16:00:22 +05:30
dharanikumar-s
8f504483ce Added RenewOrRekey function based on @maraino suggestion. RenewOrReky is called from Renew. 2020-07-03 15:58:15 +05:30
dharanikumar-s
3813f57b1a Add support for rekeying Fixes #292 2020-07-01 19:10:13 +05:30
Mariano Cano
b0ff731d18 Add support for user provisioner certificates on OIDC provisioners.
OIDC provisioners create an SSH certificate with two principals. This
was avoiding the creationg of user provisioner certificates for those
provisioners.

Fixes smallstep/cli#268
2020-04-23 19:42:55 -07:00
David Cowden
eb42ea90db ssh/api: Use host tags instead of groups
Tags are more flexible and what we use in the managed offering.
2020-04-03 12:11:19 -07:00
Mariano Cano
bfe1f4952d Rename interface to CertificateEnforcer and add tests. 2020-03-31 11:41:36 -07:00
Mariano Cano
64f26c0f40 Enforce a duration for identity certificates. 2020-03-30 17:33:04 -07:00
Mariano Cano
fa416336a8 Add context to tests. 2020-03-10 19:17:32 -07:00
Mariano Cano
c49a9d5e33 Add context parameter to all SSH methods. 2020-03-10 19:01:45 -07:00
max furman
1cb8bb3ae1 Simplify statuscoder error generators. 2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90 Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
ed26e97487 Fix tests. 2020-01-28 13:29:39 -08:00
Mariano Cano
c1bd1561dd Renew identity certificate in /ssh/rekey and /ssh/renew 2020-01-28 13:29:39 -08:00
max furman
b9f6aacb0f Move api errors to their own package and modify the typedef 2020-01-28 13:29:39 -08:00
Mariano Cano
dedf6b17be Addapt tests to the api change. 2020-01-28 13:29:39 -08:00
max furman
3ac388612a Use x5cInsecure token for /ssh/check-host endpoint 2020-01-28 13:29:39 -08:00
Mariano Cano
f0eb12372b Add missing unit tests for ssh. 2020-01-28 13:29:39 -08:00
Mariano Cano
f6ffa2cc43 Check at the cert type instead of at the body. 2020-01-28 13:29:39 -08:00
Mariano Cano
5d7829b198 Replace /ssh/get-hosts to /ssh/hosts 2020-01-28 13:29:39 -08:00
Mariano Cano
d8b3e05a3f Add error marshaling tests. 2020-01-28 13:29:39 -08:00
Mariano Cano
7b81bec8aa Use default duration for host certificates identity files. 2020-01-28 13:29:39 -08:00
Mariano Cano
b179ad3662 Fix api tests. 2020-01-28 13:29:39 -08:00
Mariano Cano
3a16835cdd Make identity duration the same as the SSH cert. 2020-01-28 13:29:39 -08:00
Mariano Cano
4f08a7816f Fix extra write header. 2020-01-28 13:29:39 -08:00
max furman
656f35e522 Use an actual Hosts type when returning ssh hosts 2020-01-28 13:29:39 -08:00
Mariano Cano
c60641701b Add version endpoint. 2020-01-28 13:28:16 -08:00
max furman
f92bb06b6c change func def for getSSHHosts
* continue to return all hosts if injection method not specified
2020-01-28 13:28:16 -08:00
Mariano Cano
11c8639782 Add identity certificate in ssh response. 2020-01-28 13:28:16 -08:00
max furman
d940ab7c20 Add getSSHHosts injection func 2020-01-28 13:28:16 -08:00
Mariano Cano
8bf3bf701e Add support for /ssh/bastion method. 2020-01-28 13:28:16 -08:00
max furman
54e3cf7322 Add multiuse capability to k8ssa provisioners 2020-01-28 13:28:16 -08:00
Mariano Cano
0ae9bab21e Fix api tests. 2020-01-28 13:28:16 -08:00
max furman
29853ae016 sshpop provisioner + ssh renew | revoke | rekey first pass 2020-01-28 13:28:16 -08:00
max furman
862d704f6b get-hosts fixes 2020-01-28 13:28:16 -08:00