Commit graph

380 commits

Author SHA1 Message Date
Mariano Cano
1c8f610ca9 Add initial implementation of an SSH CA using the JWK provisioner.
Fixes smallstep/ca-component#187
2019-07-23 18:46:43 -07:00
Mariano Cano
f5beed3b96
Merge pull request #83 from matteo-s/oidc-groups
Add option for checking group membership declared in JWT token
2019-07-23 10:05:18 -07:00
Mariano Cano
3e69194cc4 Fix lint error 2019-07-15 16:35:51 -07:00
Mariano Cano
900ab9cc12 Allow custom common names in cloud identity provisioners. 2019-07-15 15:52:36 -07:00
Mariano Cano
5f4217ca4c Simplify abs, it performs even better. 2019-06-25 11:04:48 -07:00
Matteo Saloni
1919cfdff3 Add option for checking group membership declared in JWT token 2019-06-25 10:50:55 +02:00
Mariano Cano
e66272d6f0 Fix panic when max-age is set to zero.
Fixes #81
2019-06-24 13:40:14 -07:00
Mariano Cano
578beec25d
Merge pull request #65 from smallstep/cloud-identities
Cloud identities
2019-06-07 11:36:31 -07:00
Mariano Cano
8f8c862c04 Fix spelling errors. 2019-06-07 11:24:56 -07:00
Mariano Cano
b88a2f1373 Fix provisioner id in LoadByCertificate 2019-06-06 15:24:15 -07:00
Mariano Cano
37dff5124b Fix audience tests.
Fixes smallstep/step#156
2019-06-06 13:09:00 -07:00
Mariano Cano
2491593cdd Add ca-url based audience for AWS tokens
Fixes smallstep/step#156
2019-06-06 12:49:51 -07:00
Mariano Cano
4fa9e9333d Add NewDuration constructor. 2019-06-05 17:53:28 -07:00
Mariano Cano
37f2096dff Add Stringer interface to provisioner.Type.
Add missing file.
2019-06-05 17:52:29 -07:00
Mariano Cano
6e4a09651a Add comments with links to cloud docs. 2019-06-05 11:04:00 -07:00
Mariano Cano
536ec36b9e Add support for instance age check in AWS.
Fixes smallstep/step#164
2019-06-04 16:31:33 -07:00
Mariano Cano
c431538ff2 Add support for instance age check in GCP.
Fixes smallstep/step#164
2019-06-04 15:57:15 -07:00
Mariano Cano
4cef086c00 Allow using emails as service accounts on GCP
Fixes smallstep/step#163
2019-06-03 17:28:39 -07:00
Mariano Cano
0a756ce9d0 Use on GCP audiences with the format https://<ca-url>#<provisioner-type>/<provisioner-name>
Fixes smallstep/step#156
2019-06-03 17:19:44 -07:00
Mariano Cano
a54bf925eb Add filtering by GCP Project ID.
Fixes smallstep/step#155
2019-06-03 11:56:42 -07:00
Mariano Cano
54d0186d1f Change condition to fail if the length is not the expected. 2019-05-13 11:50:22 -07:00
Mariano Cano
dbd3131068 Fix comments. 2019-05-10 17:54:18 -07:00
Mariano Cano
9f39cb5f2a Add test. 2019-05-10 16:53:35 -07:00
Mariano Cano
fb6a1afd89 Fix typo. 2019-05-10 16:04:30 -07:00
Mariano Cano
3a1a4c5ea9 Do not allow reload with database configuration changes.
Fixes smallstep/ca-component#170
2019-05-10 15:58:37 -07:00
Mariano Cano
cf07c8f4c0 Fix typos. 2019-05-09 18:56:24 -07:00
Mariano Cano
54570095d4 Merge branch 'master' into cloud-identities 2019-05-08 17:19:03 -07:00
Mariano Cano
423d505d04 Replace subscriptions with resource groups. 2019-05-08 17:11:55 -07:00
Mariano Cano
32d2d6b75a Remove debug code. 2019-05-08 17:11:33 -07:00
Mariano Cano
e0aaa1a577 Use tenant id in azure's provisioner x509 extension. 2019-05-08 15:58:15 -07:00
Mariano Cano
89eeada2a2 Add support for loading azure tokens by tenant id. 2019-05-08 15:39:50 -07:00
Mariano Cano
803d81d332 Improve azure unit tests. 2019-05-08 12:47:45 -07:00
Mariano Cano
4c5fec06bf Require TenantID in azure, add some tests. 2019-05-07 19:07:49 -07:00
Mariano Cano
12937c6b75 Remove pkcs7 related variables and structs. 2019-05-07 17:12:12 -07:00
Mariano Cano
6412b1a79b Add first version of Azure support.
Fixes #69
2019-05-07 17:07:04 -07:00
max furman
81db527f12 NoopDB -> SimpleDB 2019-05-07 12:26:30 -07:00
max furman
b73fe8c157 Add used OTT to DB during authToken step 2019-05-06 15:52:02 -07:00
Mariano Cano
70196b2331 Add skeleton for the Azure provisioner.
Related to #69
2019-05-03 17:30:54 -07:00
Mariano Cano
81bfd2c1cb Add tests for AWS provisioner
Fixes #68
2019-04-24 19:52:58 -07:00
Mariano Cano
f755fddc35 Fix lint errors. 2019-04-24 14:59:01 -07:00
Mariano Cano
b6a5ebcfc9 Move code to switch default. 2019-04-24 14:50:22 -07:00
Mariano Cano
a7f06c765d Fix load of gcp and aws provisioner by certificate. 2019-04-24 14:49:28 -07:00
Mariano Cano
da93e40f90 Add constant for Azure type. 2019-04-24 14:26:37 -07:00
Mariano Cano
37e84aa535 Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner.
Fixes #67
2019-04-24 13:05:46 -07:00
Mariano Cano
75ef5a2275 Add AWS provisioner.
Fixes #68
2019-04-24 12:12:36 -07:00
Mariano Cano
5defd8289d Add missing config in tests. 2019-04-24 11:30:37 -07:00
Mariano Cano
27c98806c0 Use GetTokenID. 2019-04-24 11:29:57 -07:00
Mariano Cano
2c68915b70 Fix comment. 2019-04-23 14:36:11 -07:00
Mariano Cano
fb6321fb2c Use gcpConfig type to keep configuration urls.
Fixes #67
2019-04-23 14:33:36 -07:00
Mariano Cano
7e53b28320 Disable revoke for GCP. 2019-04-23 14:20:14 -07:00
Mariano Cano
7727fa5665 Update GCP tests. 2019-04-19 10:44:11 -07:00
Mariano Cano
1ea4b0ad64 Add unit test for GCP provider 2019-04-18 16:01:30 -07:00
Mariano Cano
b4729cd670 Use JWKSet to get the GCP keys. 2019-04-17 17:38:24 -07:00
Mariano Cano
f794dbeb93 Add support for GCP identity tokens. 2019-04-17 17:28:21 -07:00
max furman
9977eff153 bump cli dep and fix text error msg 2019-04-10 14:00:36 -07:00
max furman
ff20d9f5af Fix composite literal uses unkeyed field 2019-04-10 13:50:35 -07:00
max furman
ab4d569f36 Add /revoke API with interface db backend 2019-04-10 13:50:35 -07:00
Mariano Cano
1812c0619a Update go-jose to 2.3.0.
This is a dependency for smallstep/cli#105, it will be solved once
square/go-jose#224 gets merged
2019-04-05 12:54:23 -07:00
Mariano Cano
04da00d716
Merge pull request #55 from smallstep/x509util-real-x509
Use standard x509 creating signed certificates
2019-03-25 15:50:57 -07:00
Mariano Cano
7b9e08bcfa Fix comment. 2019-03-25 14:18:46 -07:00
Mariano Cano
64f2615864 Fix tests. 2019-03-25 12:35:21 -07:00
Mariano Cano
6d92ba75b9 Don't use pointer in TimeDuration.MarshalJSON 2019-03-25 12:34:01 -07:00
Mariano Cano
698058baa9 Add tests for TimeDuration. 2019-03-25 12:05:34 -07:00
Mariano Cano
00fed1c538 Add initial version of time duration support in sign requests. 2019-03-22 18:55:28 -07:00
Mariano Cano
8c8547bf65 Remove unnecessary parse and improve tests. 2019-03-20 18:11:45 -07:00
Mariano Cano
b9530909a4 Fix tests. 2019-03-20 17:41:37 -07:00
Mariano Cano
a3e2b4a552 Move certificate check to the right place. 2019-03-20 17:36:45 -07:00
Mariano Cano
30a6889d1f Use standard x509 instead of step one. 2019-03-20 17:12:52 -07:00
Mariano Cano
68ff077ea9 Improve tests. 2019-03-19 15:31:14 -07:00
Mariano Cano
76618558ae Improve unit tests. 2019-03-19 15:27:41 -07:00
Mariano Cano
7378ed27ac Refactor claims so they can be totally omitted if only the parent is set. 2019-03-19 15:10:52 -07:00
Mariano Cano
5d5f03f963 Set omitempty to admins and domains. 2019-03-19 11:23:18 -07:00
Mariano Cano
8a05cdde52 Add audience in the error v2 2019-03-18 10:59:36 -07:00
Mariano Cano
f8fba4df6b Add audience in error. 2019-03-18 10:57:29 -07:00
Mariano Cano
60880d1f0a Add domains and check emails properly. 2019-03-15 13:49:50 -07:00
Mariano Cano
5edbce017f Set docs for client secret as mandatory, but it can be blank. 2019-03-15 11:10:52 -07:00
Mariano Cano
2c0c0112c6 Add an optional client secret field. 2019-03-14 18:00:11 -07:00
Mariano Cano
945a1371f1 Fix tests. 2019-03-13 16:46:12 -07:00
Mariano Cano
0b4cde1ad3 Move type to the first position of the struct. 2019-03-13 15:33:52 -07:00
Mariano Cano
23e6de57a2 Address comments in code review. 2019-03-13 11:26:18 -07:00
Mariano Cano
07cdc1021c Use OIDC nonce as the reuse key. 2019-03-12 15:47:18 -07:00
Mariano Cano
7fd737cbb1 Fix lint warnings. 2019-03-11 18:47:57 -07:00
Mariano Cano
1f5ff5c899 Fix sign and renew tests. 2019-03-11 18:15:24 -07:00
Mariano Cano
2fb77b8a4d Truncate to seconds the startTime to simplify tests. 2019-03-11 18:14:20 -07:00
Mariano Cano
1a9e8bad74 Truncate to seconds instead of rounding. 2019-03-11 18:13:20 -07:00
Mariano Cano
b77621675c Fix and simplify authorize tests. 2019-03-11 16:38:48 -07:00
Mariano Cano
ef4d809ee6 Move matchesAudience and stripPort tests to provisioner package. 2019-03-11 15:47:57 -07:00
Mariano Cano
636d92b19b Add missing files. 2019-03-11 14:55:42 -07:00
Mariano Cano
a8d03c39bb Move Duration to a new file and move tests to provisioner package. 2019-03-11 14:54:25 -07:00
Mariano Cano
c24d868d9d Add tests for sign options. 2019-03-11 13:25:19 -07:00
Mariano Cano
5dfcbcf5dc Add noop tests. 2019-03-11 12:56:47 -07:00
Mariano Cano
4ceb88fbae Add tests for OIDC and complete some JWK tests. 2019-03-11 12:48:46 -07:00
Mariano Cano
dce3100cfb Add missing time in validation. 2019-03-11 11:12:47 -07:00
Mariano Cano
fb279c89fb Restore deleted methods. 2019-03-11 10:40:55 -07:00
Mariano Cano
955405d6aa Add some comments added to master. 2019-03-08 18:09:35 -08:00
Mariano Cano
af9688c419 Fix some testing errors. 2019-03-08 18:05:11 -08:00
Mariano Cano
f17d2d9694 Remove debug statements. 2019-03-08 17:29:18 -08:00
Mariano Cano
67c79fd014 Add tests for default provisioner. 2019-03-08 17:24:58 -08:00
Mariano Cano
cf2dba3efb Add tests for keyStore. 2019-03-08 15:08:18 -08:00
Mariano Cano
2a5430fee1 Complete tests for collection. 2019-03-08 12:19:44 -08:00
Mariano Cano
54d86ca1c1 testing work in progress. 2019-03-07 19:30:17 -08:00
Mariano Cano
9f7f871f25 Add noop provisioner and use it if a provisioner cannot be found from a cert. 2019-03-07 16:05:13 -08:00
Mariano Cano
47817ab212 Fix interface type. 2019-03-07 16:04:56 -08:00
Mariano Cano
cc8764c343 Initialize the list for backward compatibility. 2019-03-07 16:04:29 -08:00
Mariano Cano
c0ef6f8dc5 Add missing modifier and change return codes. 2019-03-07 16:03:38 -08:00
Mariano Cano
a97ea87caa Move options to provisioner so we can set the duration of the cert. 2019-03-07 15:14:18 -08:00
Mariano Cano
507fd01062 Remove provisioner intermediate type. 2019-03-07 13:07:39 -08:00
Mariano Cano
1671ab2590 Fix some tests. 2019-03-07 12:15:18 -08:00
Mariano Cano
d92a7f2948 Rename provisioner to jwk. 2019-03-06 18:36:35 -08:00
Mariano Cano
a1782733fe Rename files. 2019-03-06 18:33:40 -08:00
Mariano Cano
2d00cd0933 Validate audiences in the default provisioner. 2019-03-06 18:32:56 -08:00
Mariano Cano
33c1449360 Remove deprecated file. 2019-03-06 17:42:17 -08:00
Mariano Cano
57b705f6cf Use provisioner sign options. 2019-03-06 17:37:49 -08:00
Mariano Cano
9d4034fbf6 Remove unused code. 2019-03-06 17:37:08 -08:00
Mariano Cano
6d395f3818 Add missing validity validator to oidc. 2019-03-06 17:30:14 -08:00
Mariano Cano
602a42813c Re-enable replay protection for JWK provisioner. 2019-03-06 17:00:45 -08:00
Mariano Cano
ab1cca03d7 Use new provisioners in authorize methods. 2019-03-06 15:04:28 -08:00
Mariano Cano
54ed49f072 Rename package. 2019-03-06 15:01:51 -08:00
Mariano Cano
c776ca3bd6 Use provisioner.Collection to store and request the provisioners. 2019-03-06 15:00:23 -08:00
Mariano Cano
34833d4fd5 Add validators from the authority package. 2019-03-06 14:58:46 -08:00
Mariano Cano
0dee841a4f Complete first version of provisioner implementations. 2019-03-06 14:54:56 -08:00
Mariano Cano
7eb6eb1d3e Complete provisioner.Claims with methods from authority. 2019-03-06 14:51:12 -08:00
Mariano Cano
fb77397fc7 Add new options to locate or list provisioners. 2019-03-06 14:50:13 -08:00
Mariano Cano
34ff388828 Use new types in config. 2019-03-06 14:49:25 -08:00
Mariano Cano
62dab7b6b8 Rename interface method. 2019-03-05 14:52:26 -08:00
Mariano Cano
5a8f78d9d0 Add support to collection to load the encrypted keys. 2019-03-05 14:45:57 -08:00
Mariano Cano
dd0376657c Move collection to a new file. 2019-03-05 14:28:32 -08:00
Mariano Cano
4b2b6ffe32 Create the provisioner type used to englobe all different provisioners. 2019-03-05 12:42:49 -08:00
Mariano Cano
bed3132028 Move provisioner to authority/provisioner package. 2019-03-04 18:19:14 -08:00
Mariano Cano
fc0b2ca5a6 Revert "Move provisioners to authority/provisioner package."
This reverts commit f88d622a67.
2019-03-04 18:17:35 -08:00
Mariano Cano
f88d622a67 Move provisioners to authority/provisioner package. 2019-03-04 18:10:19 -08:00
Mariano Cano
a2a45f635b Add initial implementation of an OIDC provisioner. 2019-03-04 17:58:20 -08:00
max furman
229e5908b7 Added test for different authority key id after renew
Also ran dep ensure.
2019-02-14 19:17:42 -08:00
Mariano Cano
d78febec7a Fix extensions copy on renew
Fixes #36
2019-02-14 16:44:36 -08:00
max furman
7e43402575 bug fix: don't add common name to CSR validation claims in Sign
* added unit test for this case
2019-02-06 16:26:25 -08:00
max furman
3415a1fef8 move SplitSANs to cli 2019-02-05 19:32:01 -08:00
max furman
6937bfea7b claims.SANS -> claims.SANs 2019-02-04 20:22:02 -08:00
max furman
93f39c64a0 backwards compat only when SANS empty 2019-02-04 20:02:56 -08:00
max furman
fe8c8614b2 SANS backwards compat when token missing subject SAN 2019-02-01 12:18:10 -06:00
max furman
e6e8443f3c allow multiple identical SANs in cert 2019-01-31 11:20:21 -06:00
max furman
f0683c2e0a Enable signing certificates with custom SANs
* validate against SANs in token. must be 1:1 equivalent.
2019-01-30 18:21:03 -06:00
Derrick Lyndon Pallas
7a5c4a1112 authority/provisioners: fix overflow on 32-bit systems
In Go, len returns signed ints, not unsigned ints; consequently, this code
comparison overflows on 32-bit systems, like ARM.
2019-01-28 00:54:15 +00:00
max furman
2c72ada610 remove dead code 2019-01-20 21:37:12 -08:00
max furman
6dc89f46d8 make Duration public 2019-01-20 21:33:14 -08:00
max furman
0615f7eb11 don't wrap time.Duration 2019-01-18 12:08:18 -08:00
max furman
4b742042ee make Duration wrapper publicly accessible 2019-01-18 10:39:12 -08:00
Mariano Cano
e8ac3f4888 Add comment to differentiate GetRootCertificates and GetRoots. 2019-01-14 18:11:55 -08:00
Mariano Cano
6e620073f5 Rename method Empties to HasEmpties 2019-01-14 18:11:55 -08:00
max furman
cfbb2a6f41 method documentation grammar fix 2019-01-14 17:55:01 -08:00
Mariano Cano
518b597535 Remove mTLS client requirement in /roots and /federation 2019-01-11 19:08:08 -08:00
Mariano Cano
1763ede99d Add tests for new methods. 2019-01-10 13:19:51 -08:00
Mariano Cano
d296cf95a9 Add mTLS request to get all the root CAs, not the federated ones. 2019-01-07 17:48:56 -08:00
Mariano Cano
98cc243a37 Add support for multiple roots. 2019-01-07 15:30:28 -08:00
Mariano Cano
722bcb7e7a Add initial support for federated root certificates. 2019-01-04 17:51:32 -08:00
Mariano Cano
7e95fc0e45 Strip ports on audience check.
Services might have proxies behind them so we cannot rely on them.
Fixes #17
2018-12-21 15:27:22 -08:00
Mariano Cano
9b87e08faf Do not require the port in the audience check.
Fixes #17
2018-12-21 14:04:22 -08:00
Mariano Cano
7da1d1adc2 Fix typo. 2018-11-01 15:51:20 -07:00
Mariano Cano
d6cad2a7f3 Add provisioner option to disable renewal.
Fixes smallstep/ca-component#108
2018-11-01 15:43:24 -07:00
max furman
c74fcd57a7 ca-component -> certificates
* fix redundant error check
* add README
2018-10-31 21:36:01 -07:00
Mariano Cano
428661f472 Use name instead of issuer in error message. 2018-10-30 15:25:52 -07:00
max furman
0d9dd2d14b provisioner issuer -> name 2018-10-29 18:00:30 -07:00
Mariano Cano
ea0307239a Fix dead code and add missing error check. 2018-10-26 15:05:37 -07:00
Mariano Cano
d574545d94 Format code with gofmt -s 2018-10-26 15:01:02 -07:00
max furman
7fa06643b2 change step provisioner OID and ASN1 representation 2018-10-26 14:24:16 -07:00
max furman
b457b15292 fix: omit empty claims in AuthConfig 2018-10-26 10:51:40 -07:00
max furman
ca6087145f fix unit test 2018-10-25 23:55:31 -07:00
max furman
a4a461466b withProvisionerOID and unit test 2018-10-25 23:49:23 -07:00
max furman
283dc42904 add unit tests for MatchOne (token audience) and Authority.New 2018-10-25 15:17:22 -07:00
Mariano Cano
0ccf775f2e Add support for cursors in the api. 2018-10-25 18:53:13 -07:00
Mariano Cano
1de8eb4bfa Fix provisioner package move. 2018-10-25 17:27:40 -07:00
Mariano Cano
1db177b80d Add backend support for provisioners with cursors.
Fixes #83
2018-10-25 15:40:12 -07:00
max furman
d2872564b4 accidentally removed DisableIssuedAtCheck during merge 2018-10-25 00:15:17 -07:00
max furman
ee7db4006a change sign + authorize authority api | add provisioners
* authorize returns []interface{}
 - operators in this list can conform to any interface the user decides
 - our implementation has a combination of certificate claim validators
 and certificate template modifiers.
* provisioners can set and enforce tls cert options
2018-10-18 22:26:39 -07:00
Mariano Cano
1c1ac1b3fb Add disableIssuedAt check functionality
Fixes #86
2018-10-24 18:59:48 -07:00
Mariano Cano
69da47a727 Set audience using the sign url. 2018-10-19 18:25:59 -07:00
max furman
0b5f6487e1 change provisioners api
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
2018-10-11 23:03:00 -07:00
max furman
f1dc00c810 add Provisioner config validation 2018-10-08 23:25:18 -07:00
max furman
0e904989d2 add unit tests for authority.Provisioners api 2018-10-08 22:40:07 -07:00
max furman
d773770a44 add authority.New unit tests 2018-10-08 21:48:44 -07:00
max furman
c284a2c0ab first commit 2018-10-05 21:48:36 +00:00