Commit graph

1093 commits

Author SHA1 Message Date
Herman Slatman
6b620c8e9c
Improve protobuf unmarshaling error handling 2022-03-24 10:54:45 +01:00
Mariano Cano
082734474b
Merge pull request #845 from vijayjt/azure-user-mi-token
WIP: Support Azure tokens generated by managed identities
2022-03-23 17:18:51 -07:00
Carl Tashian
25cc9a1728
Update authority/authority.go
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2022-03-22 07:38:09 -07:00
Mariano Cano
9d027c17d0 Send current provisioner on PostCertificate 2022-03-21 19:24:05 -07:00
Mariano Cano
b401376829 Add current provisioner to AuthorizeSign SignOptions.
The original provisioner cannot be retrieved from a certificate
if a linked ra is used.
2022-03-21 19:21:40 -07:00
vijayjt
24a963766e Pass in the resource name regardless of if its a VM or managed identity 2022-03-22 00:10:43 +00:00
Carl Tashian
baf3c40fef Print some basic configuration info on startup 2022-03-21 16:55:09 -07:00
Mariano Cano
ad8a813abe Fix linter errors 2022-03-21 16:53:57 -07:00
Herman Slatman
101ca6a2d3
Check admin subjects before changing policy 2022-03-21 15:53:59 +01:00
Panagiotis Siatras
4fb38afc57
authority/admin/api: refactored to use the read package 2022-03-18 20:21:00 +02:00
Herman Slatman
81b0c6c37c
Add API implementation for authority and provisioner policy 2022-03-15 15:56:04 +01:00
Mariano Cano
6d532045dc Fix validity check for sshpop provisioner. 2022-03-14 17:31:21 -07:00
Mariano Cano
c903f00cd4 Rename claim to allowRenewAfterExpiry. 2022-03-14 15:40:01 -07:00
Mariano Cano
4690fa64ed Add public methods to retrieve the provisioner extensions. 2022-03-11 14:59:42 -08:00
Mariano Cano
616490a9c6 Refactor renew after expiry token authorization
This changes adds a new authority method that authorizes the
renew after expiry tokens.
2022-03-10 20:21:01 -08:00
Mariano Cano
79349b4d7c Add options to use custom renewal methods. 2022-03-10 13:01:08 -08:00
Mariano Cano
389815642d Fix tests: certs are truncated to seconds. 2022-03-10 10:46:28 -08:00
Mariano Cano
8ef8f4f665 Use the provisioner controller in Nebula renewals 2022-03-10 10:45:12 -08:00
Mariano Cano
259e95947c Add support for the provisioner controller
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
2022-03-09 18:43:45 -08:00
Mariano Cano
3c2ff33ca9 Add provisioner controller tests. 2022-03-09 18:43:27 -08:00
Mariano Cano
fd6a2eeb9c Add provisioner controller
The provisioner controller has the implementation of the identity
function as well as the renew methods with renew after expiry
support.
2022-03-09 18:39:09 -08:00
Herman Slatman
3ec9a7310c
Fix ACME order identifier allow/deny check 2022-03-08 14:17:59 +01:00
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level 2022-03-08 13:26:07 +01:00
Herman Slatman
af53a17bb4
Merge branch 'master' into herman/allow-deny 2022-03-07 14:13:13 +01:00
vijayjt
4822516d72 Remove redundant parameter type declaration 2022-03-07 12:07:48 +00:00
vijayjt
e699244291 Support Azure tokens from managed identities not associated with a VM 2022-03-07 11:24:58 +00:00
Mariano Cano
15b1049f19 Fix json tag for Azure.ObjectIDs. 2022-02-28 14:36:37 -08:00
Mariano Cano
6f46cdb432
Merge pull request #829 from vijayjt/new-azure-token-authz-options
Add subscription and object ID validation options to Azure provisioner
2022-02-28 14:31:28 -08:00
max furman
a79d4af19b change return value of generateProvisionerConfig to value
- always used as value (rather than pointer)
2022-02-28 11:04:40 -08:00
max furman
6030f8bc2e Validate provisioner configuration before storing in DB 2022-02-28 10:48:01 -08:00
vijayjt
b128e37090 Add SubscriptionIDs and ObjectIDs to provisioner-linkedca conversion functions 2022-02-25 11:06:48 +00:00
vijayjt
4a10f2c584 Rename new fields as per feedback to remove AAD from the name 2022-02-24 09:26:45 +00:00
vijayjt
8b68bedffa Add support for validation of certificate requests using Azure subscription and AAD object IDs. See #735 2022-02-22 17:20:18 +00:00
Herman Slatman
c3c6f3da72
Merge branch 'master' into herman/allow-deny 2022-02-22 17:36:56 +01:00
Mariano Cano
abe951d416 Fix name of the variable in comment. 2022-02-17 17:59:17 -08:00
Mariano Cano
a0cf808393 Make the X5C leaf certificate available to the templates.
X509 and SSH templates of the X5C provisioner will have now access
to the leaf certificate used to sign the token using the template
variable .AuthorizationCrt

Fixes #433
2022-02-17 17:53:44 -08:00
Mariano Cano
c0525381eb Merge branch 'master' into feat/vault 2022-02-16 18:19:23 -08:00
Herman Slatman
4ebf43c011
Merge pull request #820 from smallstep/herman/acme-api
Refactor ACME Admin API
2022-02-10 13:11:44 +01:00
Herman Slatman
5b713a564c
Change CM link 2022-02-10 12:55:47 +01:00
Herman Slatman
5cb23c6029
Merge pull request #804 from smallstep/herman/normalize-ipv6-dns-names
Normalize IPv6 hostname addresses
2022-02-09 11:25:24 +01:00
Herman Slatman
d00729df0b
Refactor ACME Admin API 2022-02-08 13:26:30 +01:00
max furman
62690ab52e Fix linting errors and pin linter version in release action 2022-02-03 12:23:02 -08:00
Mariano Cano
d384b534c7
Merge pull request #814 from smallstep/x509-enforcer
Authority enforcer option
2022-02-03 10:53:04 -08:00
Herman Slatman
bfa2245abb
Merge branch 'master' into herman/normalize-ipv6-dns-names 2022-02-03 17:24:08 +01:00
Herman Slatman
e887ccaa07
Ensure the CA TLS certificate represents IPv6 DNS names as IP in cert
If an IPv6 domain name (i.e. [::1]) is provided manually in the `ca.json`,
this commit will ensure that it's represented as an IP SAN in the TLS
certificate. Before this change, the IPv6 would become a DNS SAN.
2022-02-03 14:21:23 +01:00
Mariano Cano
300c19f8b9 Add a custom enforcer that can be used to modify a cert. 2022-02-02 14:36:58 -08:00
Herman Slatman
88c7b63c9d
Split SSH user and cert policy configuration and execution 2022-02-01 15:18:39 +01:00
Herman Slatman
acd13cb92d
Merge branch 'master' of github.com:smallstep/certificates into herman/allow-deny 2022-01-31 14:43:46 +01:00
Herman Slatman
c1424036bf
Merge branch 'master' into herman/allow-deny 2022-01-31 14:24:34 +01:00
Herman Slatman
c7c5c3c94e
Merge branch 'master' into herman/scep-macos-renewal-fixes 2022-01-31 13:20:16 +01:00
Herman Slatman
9617edf0c2
Improve internationalized domain name handling
This PR improves internationalized domain name handling according
to rules of IDNA and based on the description in RFC 5280, section 7:
https://datatracker.ietf.org/doc/html/rfc5280#section-7.

Support for internationalized URI(s), so-called IRIs, still needs to
be done.
2022-01-27 17:18:33 +01:00
Herman Slatman
512b8d6730
Refactor instantiation of policy engines
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
2022-01-25 16:45:25 +01:00
Herman Slatman
066bf32086
Fix part of PR comments 2022-01-25 15:00:07 +01:00
Herman Slatman
fd9845e9c7
Add cursor and limit to ACME EAB DB interface 2022-01-24 14:03:56 +01:00
Herman Slatman
3b72d241e0
Add LinkedCA integration for improved SCEP provisioner 2022-01-21 16:07:50 +01:00
Herman Slatman
868cc4ad7f
Increase test coverage for additional indexes 2022-01-20 17:06:23 +01:00
Herman Slatman
8838961b68
Merge branch 'master' into hs/acme-eab 2022-01-20 11:05:28 +01:00
Herman Slatman
716b946e7a
Normalize IPv6 hostname addresses 2022-01-19 17:14:45 +01:00
Herman Slatman
64680bb16d
Fix PR comments 2022-01-19 11:31:33 +01:00
Herman Slatman
3612eefc31
Cleanup 2022-01-18 15:54:18 +01:00
Herman Slatman
6440870a80
Clean up, improve test cases and coverage 2022-01-18 14:39:21 +01:00
Herman Slatman
1e808b61e5
Merge logic for X509 and SSH policy 2022-01-17 23:36:13 +01:00
Herman Slatman
6bc301339f
Improve test case and code coverage 2022-01-17 22:55:28 +01:00
Herman Slatman
91d51c2b88
Add allow/deny to Nebula provisioner 2022-01-14 13:06:32 +01:00
Herman Slatman
d9c56d67cc
Merge branch 'master' into herman/allow-deny 2022-01-14 12:58:07 +01:00
Herman Slatman
9c6580ccd2
Fix macOS SCEP client issues
Fixes #746
2022-01-14 10:48:23 +01:00
Ahmet DEMIR
68b980d689
feat(authority): avoid hardcoded cn in authority csr 2022-01-13 20:30:54 +01:00
Herman Slatman
988efc8cd4
Merge pull request #792 from smallstep/herman/improve-template-errors
Improve errors related to template execution failures
2022-01-12 21:38:51 +01:00
Herman Slatman
50c3bce98d
Change if/if to if/else-if when checking the type of JSON error 2022-01-12 21:34:38 +01:00
max furman
4afcdd55ff Update doc line on WithSSHGetHosts 2022-01-12 12:25:04 -08:00
Herman Slatman
a3cf6bac36
Add special handling for *json.UnmarshalTypeError 2022-01-12 11:15:39 +01:00
Herman Slatman
0475a4d26f
Refactor extraction of JSON template syntax errors 2022-01-12 10:41:36 +01:00
Herman Slatman
a5455d3572
Improve errors related to template execution failures (slightly) 2022-01-10 15:49:37 +01:00
Mariano Cano
de549adf2d Do not add extra new lines when creating nebula provisioners 2022-01-07 11:24:59 -08:00
Mariano Cano
0920224816 Fix error message. 2022-01-07 11:09:32 -08:00
Herman Slatman
ef16febf40
Refactor ACME EAB queries
The ACME EAB keys are now also indexed by the provisioner. This
solves part of the issue in which too many EAB keys may be in
memory at a given time.
2022-01-07 16:59:55 +01:00
Mariano Cano
449a9fdfd6 Address review comments. 2022-01-06 12:00:58 -08:00
Mariano Cano
b424aa3dc1 Add nebula header and use der version of certificate. 2022-01-06 11:19:46 -08:00
Herman Slatman
30859d3c83
Remove server-side paging logic for ExternalAccountKeys 2022-01-06 14:09:35 +01:00
Mariano Cano
f49a4b326f Add missing comments. 2022-01-05 10:54:09 -08:00
Mariano Cano
6600f1253e Fix error messages after review. 2022-01-05 10:12:49 -08:00
Mariano Cano
6a1d0cb9f8 Add linkedca conversions. 2022-01-04 18:42:57 -08:00
Mariano Cano
de51c2edfb More unit tests for nebula. 2022-01-04 18:16:41 -08:00
Mariano Cano
99845d38bb Add some extra unit tests for nebula. 2022-01-04 12:06:44 -08:00
Mariano Cano
76794ce613 Use default SANs without sans in the token.
Fix step claim condition in SSH
2022-01-04 12:05:58 -08:00
Herman Slatman
6bc0513468
Add more tests 2022-01-04 15:41:40 +01:00
Mariano Cano
9ec0276887 Update certificate set with new api. 2022-01-03 18:54:01 -08:00
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 12:25:24 +01:00
Mariano Cano
cb72796a2d Fix decoding of certificate. 2021-12-29 16:07:05 -08:00
Mariano Cano
32390a2964 Add initial implementation of a nebula provisioner.
A nebula provisioner will generate a X509 or SSH certificate with
the identities in the nebula certificate embedded in the token.
The token is signed with the private key of the nebula certificate.
2021-12-29 14:12:03 -08:00
Herman Slatman
5fe9909174
Refactor AdminAuthority interface 2021-12-22 15:30:40 +01:00
Herman Slatman
f9ae875f9d
Use short if-style statements 2021-12-20 14:30:01 +01:00
Herman Slatman
5f224b729e
Add tests for Provisioner Admin API 2021-12-09 23:15:38 +01:00
Herman Slatman
43a78f495f
Add tests for Admin API 2021-12-09 17:29:23 +01:00
Herman Slatman
bd169f505f
Add Admin API Middleware tests 2021-12-09 15:26:18 +01:00
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab 2021-12-09 13:58:40 +01:00
Herman Slatman
63371a8fb6
Add additional tests for ACME EAB Admin 2021-12-09 13:46:47 +01:00
Herman Slatman
3bc3957b06
Merge branch 'master' into hs/acme-revocation 2021-12-09 09:36:52 +01:00
Herman Slatman
2215a05c28
Add tests for ACME EAB Admin
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.

At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
2021-12-08 15:19:38 +01:00
Herman Slatman
d0c23973cc
Merge branch 'master' into hs/acme-eab 2021-12-06 13:01:23 +01:00
Mariano Cano
e0fee84694 Add comment about public key validator. 2021-12-03 15:24:42 -08:00
Herman Slatman
47a8a3c463
Add test case for ACME Revoke to Authority 2021-12-02 17:11:36 +01:00
Herman Slatman
a7fbbc4748
Add tests for GetCertificateBySerial 2021-11-28 21:20:57 +01:00
Herman Slatman
2d357da99b
Add tests for ACME revocation 2021-11-26 17:27:42 +01:00
Herman Slatman
c9cd876a7d
Merge branch 'master' into hs/acme-revocation 2021-11-25 00:40:56 +01:00
Mariano Cano
d35848f7a9 Fix unit tests. 2021-11-24 11:43:24 -08:00
Mariano Cano
c3f98fd04d Change some bad requests to forbidded.
Change in the sign options bad requests to forbidded if is the
provisioner the one adding a restriction, e.g. list of dns names,
validity, ...
2021-11-24 11:32:35 -08:00
Mariano Cano
ff04873a2a Change the default error type to forbidden in Sign.
The errors will also be propagated from sign options.
2021-11-23 18:58:16 -08:00
Mariano Cano
b9beab071d Fix unit tests. 2021-11-23 18:43:36 -08:00
Mariano Cano
507a272b4d Return always http errors in sign options. 2021-11-23 18:32:33 -08:00
Mariano Cano
a33709ce8d Fix sign ssh options tests. 2021-11-23 18:06:18 -08:00
Mariano Cano
1da7ea6646 Return always http errors in sign ssh options. 2021-11-23 17:52:39 -08:00
Mariano Cano
031d4d7000 Return BadRequest when validating sign options. 2021-11-23 17:52:17 -08:00
Mariano Cano
bb26799583 Modify errs.Wrap with forbidden errors. 2021-11-23 12:04:51 -08:00
Herman Slatman
2d50c96d99
Merge branch 'master' into hs/acme-revocation 2021-11-19 17:00:18 +01:00
Mariano Cano
b6ebd118fc Update temporal solution for sending message to users 2021-11-18 18:47:55 -08:00
Mariano Cano
668d3ea6c7 Modify errs.Wrap() with bad request to send messages to users. 2021-11-18 18:44:58 -08:00
Mariano Cano
8c8db0d4b7 Modify errs.BadRequestErr() to always return an error to the client. 2021-11-18 18:17:36 -08:00
Mariano Cano
8ce807a6cb Modify errs.BadRequest() calls to always send an error to the client. 2021-11-18 15:12:44 -08:00
Max
de2ce5cf9f
Merge pull request #692 from smallstep/max/context
Context management
2021-11-17 12:06:42 -08:00
Mariano Cano
440616cffa
Merge pull request #750 from smallstep/duration-errors
Report duration errors directly to the cli.
2021-11-17 12:06:31 -08:00
Mariano Cano
acd0bac025 Remove extra and in comment. 2021-11-17 12:03:29 -08:00
Mariano Cano
1aadd63cef Use always badRequest on duration errors. 2021-11-17 12:00:54 -08:00
Mariano Cano
41fec1577d Report duration errors directly to the cli. 2021-11-17 11:46:57 -08:00
max furman
7fac8c96c3 Merge branch 'master' into max/context 2021-11-17 11:40:01 -08:00
max furman
922d239171 Simplify conditional 2021-11-16 21:47:14 -08:00
max furman
a7d144996f SSH backwards compat updates
- use existence of new value in data map as boolean
- add tests for backwards and forwards compatibility
- fix old tests that used static dir locations
2021-11-16 21:47:14 -08:00
max furman
507be61e8c Use a more distint map key to indicate template version
- make the key a variable that can be reused on the CLI side.
2021-11-16 21:47:14 -08:00
max furman
f426c152a9 backwards compatibility for version of cli older than v0.18.0 2021-11-16 21:47:14 -08:00
max furman
ed4b56732e updates after rebase to keep up with master 2021-11-16 21:47:14 -08:00
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues 2021-11-13 01:30:03 +01:00
Herman Slatman
3151255a25
Merge branch 'master' into hs/acme-revocation 2021-10-30 15:41:29 +02:00
Herman Slatman
4d726d6b4c
Add pagination to ACME EAB credentials endpoint 2021-10-17 22:42:36 +02:00
Herman Slatman
bc5f0e429b
Fix gocritic remark 2021-10-17 12:53:02 +02:00
Herman Slatman
d354d55e7f
Improve handling duplicate ACME EAB references 2021-10-16 14:44:56 +02:00
Herman Slatman
dd4b4b0435
Fix remaining gocritic remarks 2021-10-11 23:34:23 +02:00
Herman Slatman
e0b495e4c8
Merge branch 'master' into hs/acme-eab 2021-10-09 01:06:49 +02:00
Herman Slatman
c26041f835
Add ACME EAB nosql tests 2021-10-09 01:02:00 +02:00
max furman
933b40a02a Introduce gocritic linter and address warnings 2021-10-08 14:59:57 -04:00
Herman Slatman
f34d68897a
Refactor retrieval of provisioner into middleware 2021-10-08 14:29:44 +02:00
Herman Slatman
9d4cafc4bd
Merge branch 'master' into hs/acme-eab 2021-10-08 10:33:09 +02:00
Mariano Cano
9fb6df3abb Fix ssh template variables when CA is injected using options. 2021-09-28 18:50:45 -07:00
Mariano Cano
aedd7fcc05 Be able to start a SSH host or SSH user only CA
In previous versions if the host or user CA is not configured, the
start of step-ca was crashing. This allows to configure a user or
host only ssh ca.
2021-09-28 15:07:09 -07:00
Mariano Cano
a50654b468 Check for admins in both emails and groups. 2021-09-23 15:49:28 -07:00
max furman
2d5bfd3485 fix comment 2021-09-22 11:56:52 -07:00
Herman Slatman
c2bc1351c6
Add provisioner to remove endpoint and clear reference index on delete 2021-09-17 17:48:09 +02:00
Herman Slatman
746c5c9fd9
Disallow creation of EAB keys with non-unique references 2021-09-17 17:25:19 +02:00
Herman Slatman
9c0020352b
Add lookup by reference and make reference optional 2021-09-17 17:08:02 +02:00
Herman Slatman
02cd3b6b3b
Fix PR comments 2021-09-16 23:09:24 +02:00
Mariano Cano
6729c79253 Add support for setting individual password for ssh and tls keys
This change add the following flags:
 * --ssh-host-password-file
 * --ssh-user-password-file

Fixes #693
2021-09-16 11:55:41 -07:00
Herman Slatman
66464ae302
Merge branch 'master' into hs/acme-eab 2021-09-16 18:20:39 +02:00
Mariano Cano
141c519171 Simplify check of principals in a case insensitive way
Fixes #679
2021-09-08 16:00:33 -07:00
Fearghal O Floinn
7a94b0c157 Converts group and subgroup to lowercase for comparison.
Fixes #679
2021-09-08 12:24:49 +01:00
Mariano Cano
f919535475 Add an extra way to distinguish Azure and Azure OIDC tokens.
We used to distinguish these tokens using the azp claim, but this
claim does not appear on new azure oidc tokens, at least on some
configurations.

This change will try to load by audience (client id) if the token
contains an email, required for OIDC.
2021-08-30 16:37:29 -07:00
Mariano Cano
097a918da7 Fix tests when we create re-use a token with a new authority. 2021-08-30 16:36:18 -07:00
Herman Slatman
f11c0cdc0c
Add endpoint for listing ACME EAB keys 2021-08-27 16:58:04 +02:00
Herman Slatman
9d09f5e575
Add support for deleting ACME EAB keys 2021-08-27 14:10:00 +02:00
Herman Slatman
a98fe03e80
Merge branch 'master' into hs/acme-eab 2021-08-27 12:50:19 +02:00
Herman Slatman
1dba8698e3
Use LinkedCA.EABKey type in ACME EAB API 2021-08-27 12:39:37 +02:00
Mariano Cano
40e77f6e9a Initialize required variables on GetIdentityToken
Fixes smallstep/cli#465
2021-08-26 17:56:40 -07:00
Mariano Cano
42fde8ba28
Merge branch 'master' into linkedca 2021-08-25 15:56:50 -07:00
Mariano Cano
61b8bfda1a Fix comment typos. 2021-08-23 15:18:54 -07:00
Mariano Cano
da2802504b Use Default min version if not specified. 2021-08-11 15:33:45 -07:00
Mariano Cano
d4ae267add Fix ErrAllowTokenReuse comment. 2021-08-11 14:59:26 -07:00
Mariano Cano
9e5762fe06 Allow the reuse of azure token if DisableTrustOnFirstUse is true
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.

The meaning of this parameter is to allow the signing of multiple
certificate in one instance. This is possible in GCP, because we
get a new token, and is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.

Fixes #656
2021-08-11 11:50:54 -07:00
Mariano Cano
492ff4b632 Ask for the first provisioner password if none is provided. 2021-08-10 17:30:33 -07:00
Mariano Cano
28e882c9b3 Add deployment type to export. 2021-08-10 17:14:17 -07:00
Mariano Cano
072ba4227c Add deployment type to config.
This field is ignored except for the start of the ca. If the type
is linked and the token is not passed, it will fail with an error.
2021-08-10 17:07:15 -07:00
Herman Slatman
f31ca4f6a4
Add tests for validateExternalAccountBinding 2021-08-10 12:39:44 +02:00
Herman Slatman
492256f2d7
Add first test cases for EAB and make provisioner unique per EAB
Before this commit, EAB keys could be used CA-wide, meaning that
an EAB credential could be used at any ACME provisioner. This
commit changes that behavior, so that EAB credentials are now
intended to be used with a specific ACME provisioner. I think
that makes sense, because from the perspective of an ACME client
the provisioner is like a distinct CA.

Besides that this commit also includes the first tests for EAB.
The logic for creating the EAB JWS as a client has been taken
from github.com/mholt/acmez. This logic may be moved or otherwise
sourced (i.e. from a vendor) as soon as the step client also
(needs to) support(s) EAB with ACME.
2021-08-09 10:37:32 +02:00
Herman Slatman
71b3f65df1
Add processing of RequireEAB through Linked CA 2021-08-07 01:33:08 +02:00
Mariano Cano
536536c92d Wrap json errors. 2021-08-06 14:55:17 -07:00
Mariano Cano
9d51c2cceb Fix linter errors in the name of export methods. 2021-08-06 14:29:54 -07:00
Mariano Cano
16d3afb92a Remove unused method. 2021-08-06 12:37:20 -07:00
Mariano Cano
d72fa953ac Remove debug statements. 2021-08-05 18:50:18 -07:00
Mariano Cano
3f07eb597a Implement revocation using linkedca. 2021-08-05 18:45:50 -07:00
Mariano Cano
798b90c359 Move linkedca configuration to the main package. 2021-08-04 20:15:04 -07:00
Mariano Cano
384be6e205 Do not show provisioners if they are not required.
For deployment types like linked ca, the list of provisioners in
the ca.json are not required, so we should tag the json as omitempty.
2021-08-02 15:34:39 -07:00
Mariano Cano
b0e0f2b89d Use linkedca GetAdmin and GetProvisioner. 2021-08-02 14:45:59 -07:00
Mariano Cano
91a369f618 Automatically enable admin properly on linked cas. 2021-08-02 12:13:39 -07:00
Mariano Cano
26122a2cbf Enable admin automatically if a token is provided. 2021-08-02 11:48:37 -07:00
Mariano Cano
2620c38aee Add is converting provisioners to linkedca.
The ids are required to be able to link admins with provisioners.
2021-07-28 18:05:57 -07:00
Mariano Cano
e62d7988b8 Do not store password on exports. 2021-07-28 15:22:21 -07:00
Mariano Cano
4f27f4b002 Change default ciphersuites to newer names. 2021-07-28 13:56:05 -07:00
Mariano Cano
07f7316851 Add bastion to export. 2021-07-27 19:22:29 -07:00
Mariano Cano
0730a165fd Add collection of files and authority template. 2021-07-27 19:19:58 -07:00
Mariano Cano
c7f8516142 Add to export all the information in the ca.json 2021-07-27 18:29:29 -07:00
Mariano Cano
887423ee6e Update TLS cipher suites. 2021-07-27 18:29:10 -07:00
Mariano Cano
dc1ec18b52 Create a way to export ca configurations. 2021-07-26 19:01:56 -07:00
Mariano Cano
3a00b6b396 Properly marshal a certificate when we send it to linkedca. 2021-07-26 14:31:42 -07:00
Mariano Cano
4ad82a2f76 Check linkedca for revocation. 2021-07-23 16:10:13 -07:00
Herman Slatman
7dad7038c3
Fix missing ACME EAB API endpoints 2021-07-23 15:41:24 +02:00
Herman Slatman
c6a4c4ecba
Change ACME EAB endpoint 2021-07-23 15:16:11 +02:00
Herman Slatman
c6bfc6eac2
Fix PR comments 2021-07-22 23:48:41 +02:00
Herman Slatman
b65a588d5b
Make authentication work for /admin/eak 2021-07-22 22:43:21 +02:00
Mariano Cano
f7542a5bd9 Move check of ssh revocation from provisioner to the authority. 2021-07-21 15:22:57 -07:00
Mariano Cano
71f8019243 Store x509 and ssh certificates on linkedca if enabled. 2021-07-20 18:16:24 -07:00
Mariano Cano
8fb5340dc9 Use a token at start time to configure linkedca.
Instead of using `step-ca login` we will use a new token provided
as a flag to configure and start linkedca. Certificates will be kept
in memory and refreshed automatically.
2021-07-19 19:28:06 -07:00
Herman Slatman
f81d49d963
Add first working version of External Account Binding 2021-07-17 17:35:44 +02:00
Mariano Cano
dd9850ce4c Add working implementation of the linkedca.
Replaces the authority adminDB with a new impmentation that users the
linkedca client to retrieve the data.

Note that this implementation still hardcodes the endpoint to localhost.
2021-07-12 18:11:00 +02:00
Mariano Cano
49c1427d15 Use authorityId instead of authorityID.
In json or javascript world authorityId, userId, ... are more common
than authorityID, ...
2021-07-12 15:31:05 +02:00
Herman Slatman
258efca0fa
Improve revocation authorization 2021-07-10 00:28:31 +02:00
Herman Slatman
8f7e700f09
Merge branch 'master' into hs/acme-revocation 2021-07-09 11:22:25 +02:00
max furman
1df21b9b6a Addressing comments in PR review
- added a bit of validation to admin create and update
- using protojson where possible in admin api
- fixing a few instances of admin -> acme in errors
2021-07-06 17:14:13 -07:00
max furman
5679c9933d Fixes from PR review 2021-07-03 12:08:30 -07:00
max furman
77fdfc9fa3 Merge branch 'master' into max/cert-mgr-crud 2021-07-02 20:26:46 -07:00
max furman
9fdef64709 Admin level API for provisioner mgmt v1 2021-07-02 19:05:17 -07:00
Herman Slatman
84e7d468f2
Improve handling of ACME revocation 2021-07-03 00:21:17 +02:00
Herman Slatman
7e82bd6ef3 Add setup for Authority tests 2021-05-26 16:15:26 -07:00
Herman Slatman
a64974c179 Fix small typo in divisible 2021-05-26 16:15:26 -07:00
Herman Slatman
d46a4eaca4 Change fmt to errors package for formatting errors 2021-05-26 16:15:26 -07:00
Herman Slatman
2beea1aa89 Add configuration option for specifying the minimum public key length
Instead of using the defaultPublicKeyValidator a new validator called
publicKeyMinimumLengthValidator has been implemented that uses a
configurable minimum length for public keys in CSRs.

It's also an option to alter the defaultPublicKeyValidator to also
take a parameter, but that would touch quite some lines of code. This
might be a viable option after merging SCEP support.
2021-05-26 16:15:26 -07:00
Herman Slatman
4168449935 Fix typo 2021-05-26 16:15:26 -07:00
Herman Slatman
fa100a5138 Mask challenge password after it has been read 2021-05-26 16:15:26 -07:00
Herman Slatman
13fe7a0121 Make serving SCEP endpoints optional
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.

The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-05-26 16:13:57 -07:00
Herman Slatman
97b88c4d58 Address (most) PR comments 2021-05-26 16:12:57 -07:00
Herman Slatman
be528da709 Make tests green 2021-05-26 16:10:22 -07:00
Herman Slatman
57a62964b1 Make tests not fail hard on ECDSA keys
All tests for the Authority failed because the test data
contains ECDSA keys. ECDSA keys are no crypto.Decrypter,
resulting in a failure when instantiating the Authority.
2021-05-26 16:10:22 -07:00
Herman Slatman
491c2b8d93 Improve initialization of SCEP authority 2021-05-26 16:10:21 -07:00
Herman Slatman
2d85d4c1c1 Add non-TLS server and improve crypto.Decrypter interface
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-05-26 16:09:38 -07:00
Herman Slatman
e7cb80f880 Fix linter issues 2021-05-26 16:08:24 -07:00
Herman Slatman
4fe7179b95 Add support for configuring capabilities (cacaps) 2021-05-26 16:08:24 -07:00
Herman Slatman
3b86550dbf Add support for challenge password 2021-05-26 16:08:24 -07:00
Herman Slatman
da65f46d0f Add AuthorizeSign method to SCEP authority 2021-05-26 16:04:21 -07:00
Herman Slatman
2a249d20de Refactor initialization of SCEP authority 2021-05-26 16:04:19 -07:00
Herman Slatman
339039768c Refactor SCEP authority initialization and clean some code 2021-05-26 16:00:08 -07:00
Herman Slatman
48c86716a0 Add rudimentary (and incomplete) support for SCEP 2021-05-26 15:58:04 -07:00
max furman
94ba057f01 wip 2021-05-26 14:55:31 -07:00
max furman
01a4460812 wip 2021-05-25 21:13:01 -07:00
max furman
1726076ea2 wip 2021-05-25 16:52:06 -07:00
max furman
423942da44 wip 2021-05-24 13:38:24 -07:00
max furman
9bfb1c2e7b wip 2021-05-21 13:31:41 -07:00
max furman
d8d5d7332b wip 2021-05-20 16:02:20 -07:00
max furman
5929244fda wip 2021-05-20 13:12:02 -07:00
max furman
9bf9bf142d wip 2021-05-20 13:01:58 -07:00
Herman Slatman
375687cd1b
Add setup for Authority tests 2021-05-20 21:31:52 +02:00
max furman
638766c615 wip 2021-05-19 18:23:20 -07:00
max furman
4f3e5ef64d wip 2021-05-19 15:20:16 -07:00
max furman
5d09d04d14 wip 2021-05-19 15:20:16 -07:00
max furman
4d48072746 wip admin CRUD 2021-05-19 15:20:16 -07:00
max furman
98a6e54530 wip 2021-05-19 15:20:16 -07:00
max furman
af3cf7dae9 first steps 2021-05-19 15:20:16 -07:00
max furman
2f60f20b0b lots of codes 2021-05-19 15:20:16 -07:00
max furman
7b5d6968a5 first commit 2021-05-19 15:20:16 -07:00
Herman Slatman
a3ec890e71
Fix small typo in divisible 2021-05-07 00:31:34 +02:00
Herman Slatman
d0a9cbc797
Change fmt to errors package for formatting errors 2021-05-07 00:22:06 +02:00
Herman Slatman
ff1b46c95d
Add configuration option for specifying the minimum public key length
Instead of using the defaultPublicKeyValidator a new validator called
publicKeyMinimumLengthValidator has been implemented that uses a
configurable minimum length for public keys in CSRs.

It's also an option to alter the defaultPublicKeyValidator to also
take a parameter, but that would touch quite some lines of code. This
might be a viable option after merging SCEP support.
2021-05-06 22:56:28 +02:00
Herman Slatman
c04f556dc2
Merge branch 'master' into hs/scep 2021-05-06 22:00:29 +02:00
Cristian Le
d7eec869c2 Fix the previous tests 2021-05-05 10:37:30 +09:00
Cristian Le
c2d30f7260 gofmt everything 2021-05-05 10:29:47 +09:00
Cristian Le
f38a72a62b Leftover from previous commit 2021-05-05 10:17:08 +09:00
Cristian Le
1d2445e1d8 Removed the variadic username
Could be useful later on, but for the current PR changes should be minimized
2021-05-05 10:12:38 +09:00
Cristian Le
9e00b82bdf Revert oidc_test.go
Moving the `preferred_username` to a separate PR
2021-05-05 08:49:03 +09:00
Cristian Le
decf0fc8ce Revert using preferred_username
It might present a security issue if the users can change this value for themselves. Needs further investigation
2021-05-05 08:15:26 +09:00
Cristian Le
21732f213b Fix shadow issue in CI 2021-05-05 08:15:26 +09:00
Mariano Cano
08e5ec6ad1 Fix IsAdminGroup comment. 2021-05-05 08:15:26 +09:00
Mariano Cano
46c1dc80fb Use map[string]struct{} instead of map[string]bool 2021-05-05 08:15:26 +09:00
Mariano Cano
aafac179a5 Add test for oidc with preferred usernames. 2021-05-05 08:15:26 +09:00
Cristian Le
f730c0bec4 Sanitize usernames 2021-05-05 08:15:26 +09:00
Cristian Le
48666792c7 Draft: adding usernames to GetIdentityFunc 2021-05-05 08:15:26 +09:00
Cristian Le
79eec83f3e Rename and reformat to PreferredUsername 2021-05-05 08:15:26 +09:00
Cristian Le
09a21fef26 Implement #550
- Read `preferred_username` from token
- Add `preferred_username` to the default Usernames
- Check the `admin` array for admin groups that the user might belong to
2021-05-05 08:15:26 +09:00
max furman
8c709fe3c2 Init config on load | Add wrapper for cli 2021-05-04 14:45:11 -07:00
Mariano Cano
2cbaee9c1d Allow to use an alternative interface to store renewed certs.
This can be useful to know if a certificate has been renewed and
link one certificate with the 'parent'.
2021-04-29 15:55:22 -07:00
Herman Slatman
68d5f6d0d2
Merge branch 'master' into hs/scep 2021-04-29 22:18:00 +02:00
Mariano Cano
e6833ecee3 Add extension of db.AuthDB to store the fullchain.
Add a temporary solution to allow an extension of an db.AuthDB
interface that logs the fullchain of certificates instead of just
the leaf.
2021-04-26 12:28:51 -07:00
Herman Slatman
2336936b5c
Fix typo 2021-04-16 15:49:33 +02:00
Herman Slatman
9787728fbd
Mask challenge password after it has been read 2021-04-16 14:09:34 +02:00
Herman Slatman
0487686f69
Merge branch 'master' into hs/scep 2021-04-16 13:25:01 +02:00
Max
b724af30ad
Merge pull request #496 from smallstep/max/acme
Convert to ACME DB interface
2021-04-13 15:02:03 -07:00
Mariano Cano
aea2a7c9f3 Update sshd_config.tpl to a Match all block.
Fixes #479
2021-04-12 18:37:10 -07:00
Herman Slatman
b815478981
Make serving SCEP endpoints optional
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.

The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-03-26 16:05:33 +01:00
Herman Slatman
c5e4ea08b3
Merge branch 'master' into hs/scep 2021-03-26 15:22:41 +01:00
max furman
2ae43ef2dc [acme db interface] wip errors 2021-03-25 12:05:46 -07:00
Mariano Cano
0b8528ce6b Allow mTLS revocation without provisioner. 2021-03-22 13:37:31 -07:00
Herman Slatman
583d60dc0d
Address (most) PR comments 2021-03-21 16:42:41 +01:00
Mariano Cano
bcf70206ac Add support for revocation using an extra provisioner in the RA. 2021-03-17 19:47:36 -07:00
Mariano Cano
a6115e29c2 Add initial implementation of StepCAS.
StepCAS allows to configure step-ca as an RA using another step-ca
as the main CA.
2021-03-17 19:33:35 -07:00
Herman Slatman
a4844fee7b
Make tests green 2021-03-12 16:58:52 +01:00
Herman Slatman
99952080c7
Make tests not fail hard on ECDSA keys
All tests for the Authority failed because the test data
contains ECDSA keys. ECDSA keys are no crypto.Decrypter,
resulting in a failure when instantiating the Authority.
2021-03-12 16:27:26 +01:00
Herman Slatman
e1cab4966f
Improve initialization of SCEP authority 2021-03-12 15:49:39 +01:00
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
538fe8114d
Fix linter issues 2021-03-10 22:39:20 +01:00
Herman Slatman
2536a08dc2
Add support for configuring capabilities (cacaps) 2021-03-07 00:50:00 +01:00
Herman Slatman
e4d7ea8fa0
Add support for challenge password 2021-03-07 00:30:37 +01:00
Herman Slatman
311c9d767b
Add AuthorizeSign method to SCEP authority 2021-02-26 14:00:47 +01:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority 2021-02-26 00:32:21 +01:00
Herman Slatman
9e43dc85d8
Merge branch 'master' into hs/scep-master 2021-02-19 10:16:39 +01:00
Herman Slatman
713b571d7a
Refactor SCEP authority initialization and clean some code 2021-02-12 17:02:39 +01:00
Herman Slatman
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP 2021-02-12 12:03:08 +01:00
Mariano Cano
fbd2208044 Close key manager for safe reloads when a cgo module is used. 2021-02-01 17:14:44 -08:00
max furman
16665c97f0 Allow empty SAN in CSR for validation ...
- The default template will always use the SANs from the token.
- If there are any SANs they must be validated against the token.
2021-01-14 15:26:46 -06:00
Miclain Keffeler
cf063d1f4a Revert "Begins to fix issue 87"
This reverts commit e2ba4159c3.
2020-12-23 22:46:21 -06:00
Miclain Keffeler
21dc406382 Begins to fix issue 87 2020-12-23 22:46:21 -06:00
Miclain Keffeler
7545b4a625 leverage intermediate_ca.crt for appending certs. 2020-12-23 22:41:10 -06:00
Mariano Cano
5017b7d21f Recalculate token id instead of validating it. 2020-12-17 14:52:34 -08:00
Mariano Cano
86c947babc Upgrade crypto and fix test. 2020-12-17 14:17:08 -08:00
Mariano Cano
0cf594a003 Validate payload ID.
Related to #435
2020-12-17 13:35:14 -08:00
Anton Lundin
3e6137110b Add support for using ssh-agent as a KMS
This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys
for issuing ssh certificates signed by a key managed by a ssh-agent. It
uses the golang.org/x/crypto package to get a native Go implementation
to talk to a ssh-agent.

This was primarly written to be able to use gpg-agent to provide the
keys stored in a YubiKeys openpgp interface, but can be used for other
setups like proxying a ssh-agent over network.

That way the signing key for ssh certificates can be kept in a
"sign-only" hsm.

This code was written for my employer Intinor AB, but for simplicity
sake gifted to me to contribute upstream.

Signed-off-by: Anton Lundin <glance@acc.umu.se>
2020-11-04 09:06:23 +01:00
Mariano Cano
39b23c057d Add all AWS certificates used to verify base64 signatures. 2020-10-28 17:47:44 -07:00