Commit graph

610 commits

Author SHA1 Message Date
Herman Slatman
a64974c179 Fix small typo in divisible 2021-05-26 16:15:26 -07:00
Herman Slatman
d46a4eaca4 Change fmt to errors package for formatting errors 2021-05-26 16:15:26 -07:00
Herman Slatman
2beea1aa89 Add configuration option for specifying the minimum public key length
Instead of using the defaultPublicKeyValidator a new validator called
publicKeyMinimumLengthValidator has been implemented that uses a
configurable minimum length for public keys in CSRs.

It's also an option to alter the defaultPublicKeyValidator to also
take a parameter, but that would touch quite some lines of code. This
might be a viable option after merging SCEP support.
2021-05-26 16:15:26 -07:00
Herman Slatman
4168449935 Fix typo 2021-05-26 16:15:26 -07:00
Herman Slatman
fa100a5138 Mask challenge password after it has been read 2021-05-26 16:15:26 -07:00
Herman Slatman
13fe7a0121 Make serving SCEP endpoints optional
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.

The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-05-26 16:13:57 -07:00
Herman Slatman
97b88c4d58 Address (most) PR comments 2021-05-26 16:12:57 -07:00
Herman Slatman
be528da709 Make tests green 2021-05-26 16:10:22 -07:00
Herman Slatman
57a62964b1 Make tests not fail hard on ECDSA keys
All tests for the Authority failed because the test data
contains ECDSA keys. ECDSA keys are no crypto.Decrypter,
resulting in a failure when instantiating the Authority.
2021-05-26 16:10:22 -07:00
Herman Slatman
491c2b8d93 Improve initialization of SCEP authority 2021-05-26 16:10:21 -07:00
Herman Slatman
2d85d4c1c1 Add non-TLS server and improve crypto.Decrypter interface
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-05-26 16:09:38 -07:00
Herman Slatman
e7cb80f880 Fix linter issues 2021-05-26 16:08:24 -07:00
Herman Slatman
4fe7179b95 Add support for configuring capabilities (cacaps) 2021-05-26 16:08:24 -07:00
Herman Slatman
3b86550dbf Add support for challenge password 2021-05-26 16:08:24 -07:00
Herman Slatman
da65f46d0f Add AuthorizeSign method to SCEP authority 2021-05-26 16:04:21 -07:00
Herman Slatman
2a249d20de Refactor initialization of SCEP authority 2021-05-26 16:04:19 -07:00
Herman Slatman
339039768c Refactor SCEP authority initialization and clean some code 2021-05-26 16:00:08 -07:00
Herman Slatman
48c86716a0 Add rudimentary (and incomplete) support for SCEP 2021-05-26 15:58:04 -07:00
max furman
94ba057f01 wip 2021-05-26 14:55:31 -07:00
max furman
01a4460812 wip 2021-05-25 21:13:01 -07:00
max furman
1726076ea2 wip 2021-05-25 16:52:06 -07:00
max furman
423942da44 wip 2021-05-24 13:38:24 -07:00
max furman
9bfb1c2e7b wip 2021-05-21 13:31:41 -07:00
max furman
d8d5d7332b wip 2021-05-20 16:02:20 -07:00
max furman
5929244fda wip 2021-05-20 13:12:02 -07:00
max furman
9bf9bf142d wip 2021-05-20 13:01:58 -07:00
max furman
638766c615 wip 2021-05-19 18:23:20 -07:00
max furman
4f3e5ef64d wip 2021-05-19 15:20:16 -07:00
max furman
5d09d04d14 wip 2021-05-19 15:20:16 -07:00
max furman
4d48072746 wip admin CRUD 2021-05-19 15:20:16 -07:00
max furman
98a6e54530 wip 2021-05-19 15:20:16 -07:00
max furman
af3cf7dae9 first steps 2021-05-19 15:20:16 -07:00
max furman
2f60f20b0b lots of codes 2021-05-19 15:20:16 -07:00
max furman
7b5d6968a5 first commit 2021-05-19 15:20:16 -07:00
Cristian Le
d7eec869c2 Fix the previous tests 2021-05-05 10:37:30 +09:00
Cristian Le
c2d30f7260 gofmt everything 2021-05-05 10:29:47 +09:00
Cristian Le
f38a72a62b Leftover from previous commit 2021-05-05 10:17:08 +09:00
Cristian Le
1d2445e1d8 Removed the variadic username
Could be useful later on, but for the current PR changes should be minimized
2021-05-05 10:12:38 +09:00
Cristian Le
9e00b82bdf Revert oidc_test.go
Moving the `preferred_username` to a separate PR
2021-05-05 08:49:03 +09:00
Cristian Le
decf0fc8ce Revert using preferred_username
It might present a security issue if the users can change this value for themselves. Needs further investigation
2021-05-05 08:15:26 +09:00
Cristian Le
21732f213b Fix shadow issue in CI 2021-05-05 08:15:26 +09:00
Mariano Cano
08e5ec6ad1 Fix IsAdminGroup comment. 2021-05-05 08:15:26 +09:00
Mariano Cano
46c1dc80fb Use map[string]struct{} instead of map[string]bool 2021-05-05 08:15:26 +09:00
Mariano Cano
aafac179a5 Add test for oidc with preferred usernames. 2021-05-05 08:15:26 +09:00
Cristian Le
f730c0bec4 Sanitize usernames 2021-05-05 08:15:26 +09:00
Cristian Le
48666792c7 Draft: adding usernames to GetIdentityFunc 2021-05-05 08:15:26 +09:00
Cristian Le
79eec83f3e Rename and reformat to PreferredUsername 2021-05-05 08:15:26 +09:00
Cristian Le
09a21fef26 Implement #550
- Read `preferred_username` from token
- Add `preferred_username` to the default Usernames
- Check the `admin` array for admin groups that the user might belong to
2021-05-05 08:15:26 +09:00
max furman
8c709fe3c2 Init config on load | Add wrapper for cli 2021-05-04 14:45:11 -07:00
Mariano Cano
2cbaee9c1d Allow to use an alternative interface to store renewed certs.
This can be useful to know if a certificate has been renewed and
link one certificate with the 'parent'.
2021-04-29 15:55:22 -07:00