Mariano Cano
6b3a8f22f3
Add provisioner to SSH renewals
...
This commit allows to report the provisioner to the linkedca when
a SSH certificate is renewed.
2022-05-20 14:41:44 -07:00
Mariano Cano
c066694c0c
Allow renew token issuer to be the provisioner name.
...
For consistency with AuthorizeAdminToken, AuthorizeRenewToken will
allow the issuer to be either the fixed string 'step-ca-client/1.0'
or the provisioner name.
2022-04-18 12:38:09 -07:00
Mariano Cano
ad5aedfa60
Fix backward compatibility in AuthorizeAdminToken
...
This commit validates both new and old issuers.
2022-04-13 16:00:15 -07:00
Mariano Cano
4e4d4e882f
Use a fixed string for renewal token issuer.
2022-04-13 14:50:06 -07:00
Mariano Cano
0a5dc237df
Fix typo in comment.
2022-04-12 17:56:39 -07:00
Mariano Cano
00cd0f5f21
Apply suggestions from code review
...
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2022-04-12 14:44:55 -07:00
Mariano Cano
c8c59d68f5
Allow mTLS renewals if the provisioner extension does not exists.
...
This fixes a backward compatibility issue with with the new
LoadProvisionerByCertificate.
2022-04-11 12:19:42 -07:00
Mariano Cano
af8fcf5b01
Use always LoadProvisionerByCertificate on authority package
2022-04-08 14:18:24 -07:00
Mariano Cano
c55b27a2fc
Refactor admin token to use with RAs.
2022-04-07 18:14:43 -07:00
Mariano Cano
616490a9c6
Refactor renew after expiry token authorization
...
This changes adds a new authority method that authorizes the
renew after expiry tokens.
2022-03-10 20:21:01 -08:00
Mariano Cano
259e95947c
Add support for the provisioner controller
...
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
2022-03-09 18:43:45 -08:00
Herman Slatman
2d357da99b
Add tests for ACME revocation
2021-11-26 17:27:42 +01:00
max furman
933b40a02a
Introduce gocritic linter and address warnings
2021-10-08 14:59:57 -04:00
Mariano Cano
42fde8ba28
Merge branch 'master' into linkedca
2021-08-25 15:56:50 -07:00
Mariano Cano
9e5762fe06
Allow the reuse of azure token if DisableTrustOnFirstUse is true
...
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.
The meaning of this parameter is to allow the signing of multiple
certificate in one instance. This is possible in GCP, because we
get a new token, and is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.
Fixes #656
2021-08-11 11:50:54 -07:00
Mariano Cano
4ad82a2f76
Check linkedca for revocation.
2021-07-23 16:10:13 -07:00
Mariano Cano
f7542a5bd9
Move check of ssh revocation from provisioner to the authority.
2021-07-21 15:22:57 -07:00
max furman
9fdef64709
Admin level API for provisioner mgmt v1
2021-07-02 19:05:17 -07:00
Mariano Cano
d79b4e709e
Create a hash of a token if a token id is empty.
2020-09-18 16:25:08 -07:00
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
Mariano Cano
7846696fbb
Fix return sign options on ssh sign.
2020-01-29 11:58:47 -08:00
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
max furman
9caadbb341
Fix authority calling wrong revoke method
2020-01-28 13:29:39 -08:00
Mariano Cano
11c8639782
Add identity certificate in ssh response.
2020-01-28 13:28:16 -08:00
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
2020-01-28 13:28:16 -08:00
max furman
61d52a8510
Small fixes associated with PR review
...
* additions and grammar edits to documentation
* clarification of error msgs
2019-09-08 21:05:36 -07:00
Mariano Cano
004ea12212
Allow to use custom SSH user/host key files.
2019-08-01 15:04:56 -07:00
Mariano Cano
7a64a84761
Pass the given context.
2019-07-29 15:53:09 -07:00
Mariano Cano
e1cd5ee8c3
Add context to the Authorize method.
...
Fix tests.
2019-07-29 12:34:27 -07:00
Mariano Cano
2127d09ef3
Rename context type to apiCtx.
...
It will conflict with the context package.
2019-07-29 11:56:14 -07:00
Mariano Cano
54570095d4
Merge branch 'master' into cloud-identities
2019-05-08 17:19:03 -07:00
max furman
81db527f12
NoopDB -> SimpleDB
2019-05-07 12:26:30 -07:00
max furman
b73fe8c157
Add used OTT to DB during authToken step
2019-05-06 15:52:02 -07:00
Mariano Cano
27c98806c0
Use GetTokenID.
2019-04-24 11:29:57 -07:00
max furman
9977eff153
bump cli dep and fix text error msg
2019-04-10 14:00:36 -07:00
max furman
ab4d569f36
Add /revoke API with interface db backend
2019-04-10 13:50:35 -07:00
Mariano Cano
1812c0619a
Update go-jose to 2.3.0.
...
This is a dependency for smallstep/cli#105 , it will be solved once
square/go-jose#224 gets merged
2019-04-05 12:54:23 -07:00
Mariano Cano
8a05cdde52
Add audience in the error v2
2019-03-18 10:59:36 -07:00
Mariano Cano
f8fba4df6b
Add audience in error.
2019-03-18 10:57:29 -07:00
Mariano Cano
23e6de57a2
Address comments in code review.
2019-03-13 11:26:18 -07:00
Mariano Cano
07cdc1021c
Use OIDC nonce as the reuse key.
2019-03-12 15:47:18 -07:00
Mariano Cano
ef4d809ee6
Move matchesAudience and stripPort tests to provisioner package.
2019-03-11 15:47:57 -07:00
Mariano Cano
af9688c419
Fix some testing errors.
2019-03-08 18:05:11 -08:00
Mariano Cano
2d00cd0933
Validate audiences in the default provisioner.
2019-03-06 18:32:56 -08:00
Mariano Cano
57b705f6cf
Use provisioner sign options.
2019-03-06 17:37:49 -08:00
Mariano Cano
602a42813c
Re-enable replay protection for JWK provisioner.
2019-03-06 17:00:45 -08:00
Mariano Cano
ab1cca03d7
Use new provisioners in authorize methods.
2019-03-06 15:04:28 -08:00
max furman
3415a1fef8
move SplitSANs to cli
2019-02-05 19:32:01 -08:00
max furman
6937bfea7b
claims.SANS -> claims.SANs
2019-02-04 20:22:02 -08:00