Commit graph

54 commits

Author SHA1 Message Date
Mariano Cano
c7f226bcec
Add support for renew when using stepcas
It supports renewing X.509 certificates when an RA is configured with stepcas.
This will only work when the renewal uses a token, and it won't work with mTLS.

The audience cannot be properly verified when an RA is used, to avoid this we
will get from the database if an RA was used to issue the initial certificate
and we will accept the renew token.

Fixes #1021 for stepcas
2022-11-04 16:42:07 -07:00
Andrew Reed
7101fbb0ee
Provisioner webhooks (#1001) 2022-09-29 19:16:26 -05:00
max furman
4c7a2ce3eb
Fix errors.As linter warnings 2022-09-22 00:04:31 -07:00
max furman
7c5e5b2b87
Even more linter fixes 2022-09-20 21:48:04 -07:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors 2022-09-20 16:35:41 -07:00
Mariano Cano
6b3a8f22f3 Add provisioner to SSH renewals
This commit allows to report the provisioner to the linkedca when
a SSH certificate is renewed.
2022-05-20 14:41:44 -07:00
Mariano Cano
a627f21440 Fix AuthorizeSSHSign tests with extra SignOption 2022-05-18 18:51:36 -07:00
Herman Slatman
abcad679ff
Merge branch 'master' into herman/allow-deny 2022-04-18 21:54:55 +02:00
Mariano Cano
c066694c0c Allow renew token issuer to be the provisioner name.
For consistency with AuthorizeAdminToken, AuthorizeRenewToken will
allow the issuer to be either the fixed string 'step-ca-client/1.0'
or the provisioner name.
2022-04-18 12:38:09 -07:00
Mariano Cano
5f714f2485 Fix tests for AuthorizeRenewToken 2022-04-13 15:59:37 -07:00
Mariano Cano
af8fcf5b01 Use always LoadProvisionerByCertificate on authority package 2022-04-08 14:18:24 -07:00
Herman Slatman
9797b3350e
Merge branch 'master' into herman/allow-deny 2022-04-08 16:01:56 +02:00
Mariano Cano
b7e11da480 Merge branch 'master' into feat/linkedra 2022-04-07 18:19:04 -07:00
Herman Slatman
2fbdf7d5b0
Merge branch 'master' into herman/allow-deny 2022-03-30 14:50:14 +02:00
Panagiotis Siatras
00634fb648
api/render, api/log: initial implementation of the packages (#860)
* api/render: initial implementation of the package

* acme/api: refactored to support api/render

* authority/admin: refactored to support api/render

* ca: refactored to support api/render

* api: refactored to support api/render

* api/render: implemented Error

* api: refactored to support api/render.Error

* acme/api: refactored to support api/render.Error

* authority/admin: refactored to support api/render.Error

* ca: refactored to support api/render.Error

* ca: fixed broken tests

* api/render, api/log: moved error logging to this package

* acme: refactored Error so that it implements render.RenderableError

* authority/admin: refactored Error so that it implements render.RenderableError

* api/render: implemented RenderableError

* api/render: added test coverage for Error

* api/render: implemented statusCodeFromError

* api: refactored RootsPEM to work with render.Error

* acme, authority/admin: fixed pointer receiver name for consistency

* api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 11:22:22 +03:00
Mariano Cano
6851842841 Fix unit tests. 2022-03-28 15:06:56 -07:00
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next 2022-03-24 12:36:12 +01:00
Mariano Cano
616490a9c6 Refactor renew after expiry token authorization
This changes adds a new authority method that authorizes the
renew after expiry tokens.
2022-03-10 20:21:01 -08:00
Mariano Cano
79349b4d7c Add options to use custom renewal methods. 2022-03-10 13:01:08 -08:00
Mariano Cano
259e95947c Add support for the provisioner controller
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
2022-03-09 18:43:45 -08:00
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 12:25:24 +01:00
max furman
933b40a02a Introduce gocritic linter and address warnings 2021-10-08 14:59:57 -04:00
max furman
9fdef64709 Admin level API for provisioner mgmt v1 2021-07-02 19:05:17 -07:00
Mariano Cano
d79b4e709e Create a hash of a token if a token id is empty. 2020-09-18 16:25:08 -07:00
Mariano Cano
ba918100d0 Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
Mariano Cano
d30a95236d Use always go.step.sm/crypto 2020-08-14 15:33:50 -07:00
Mariano Cano
e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 2020-08-10 11:26:51 -07:00
Mariano Cano
c4bbc81d9f Fix authority tests. 2020-08-03 18:36:05 -07:00
Mariano Cano
6c64fb3ed2 Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
d64cb99a22 Fix authority package tests. 2020-07-21 14:21:48 -07:00
max furman
71d87b4e61 wip 2020-06-24 23:25:15 -07:00
max furman
1cb8bb3ae1 Simplify statuscoder error generators. 2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90 Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
f26103d150 Make test compilable. 2020-01-28 13:29:39 -08:00
Mariano Cano
a6edcd0a3d Make test to compile, they still fail. 2020-01-28 13:28:16 -08:00
Mariano Cano
10e7b81b9f Merge branch 'master' into ssh-ca 2019-09-05 23:06:01 +02:00
max furman
2b41faa9cf Enforce >= 2048 bit rsa keys at the provisioner layer
* Fixes #94
* In the future this should be configurable by provisioner
2019-08-27 14:44:59 -07:00
max furman
635c59ed24 Accept emails SANs 2019-08-23 15:59:30 -07:00
Mariano Cano
e1cd5ee8c3 Add context to the Authorize method.
Fix tests.
2019-07-29 12:34:27 -07:00
max furman
81db527f12 NoopDB -> SimpleDB 2019-05-07 12:26:30 -07:00
max furman
b73fe8c157 Add used OTT to DB during authToken step 2019-05-06 15:52:02 -07:00
max furman
ab4d569f36 Add /revoke API with interface db backend 2019-04-10 13:50:35 -07:00
Mariano Cano
1f5ff5c899 Fix sign and renew tests. 2019-03-11 18:15:24 -07:00
Mariano Cano
b77621675c Fix and simplify authorize tests. 2019-03-11 16:38:48 -07:00
Mariano Cano
ef4d809ee6 Move matchesAudience and stripPort tests to provisioner package. 2019-03-11 15:47:57 -07:00
Mariano Cano
af9688c419 Fix some testing errors. 2019-03-08 18:05:11 -08:00
Mariano Cano
54d86ca1c1 testing work in progress. 2019-03-07 19:30:17 -08:00
Mariano Cano
7e95fc0e45 Strip ports on audience check.
Services might have proxies behind them so we cannot rely on them.
Fixes #17
2018-12-21 15:27:22 -08:00
max furman
0d9dd2d14b provisioner issuer -> name 2018-10-29 18:00:30 -07:00
Mariano Cano
d574545d94 Format code with gofmt -s 2018-10-26 15:01:02 -07:00