Herman Slatman
512b8d6730
Refactor instantiation of policy engines
...
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
2022-01-25 16:45:25 +01:00
Herman Slatman
1e808b61e5
Merge logic for X509 and SSH policy
2022-01-17 23:36:13 +01:00
Herman Slatman
d9c56d67cc
Merge branch 'master' into herman/allow-deny
2022-01-14 12:58:07 +01:00
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
2022-01-03 12:25:24 +01:00
Mariano Cano
32390a2964
Add initial implementation of a nebula provisioner.
...
A nebula provisioner will generate a X509 or SSH certificate with
the identities in the nebula certificate embedded in the token.
The token is signed with the private key of the nebula certificate.
2021-12-29 14:12:03 -08:00
max furman
933b40a02a
Introduce gocritic linter and address warnings
2021-10-08 14:59:57 -04:00
Mariano Cano
d4ae267add
Fix ErrAllowTokenReuse comment.
2021-08-11 14:59:26 -07:00
Mariano Cano
9e5762fe06
Allow the reuse of azure token if DisableTrustOnFirstUse is true
...
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.
The meaning of this parameter is to allow the signing of multiple
certificate in one instance. This is possible in GCP, because we
get a new token, and is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.
Fixes #656
2021-08-11 11:50:54 -07:00
Herman Slatman
339039768c
Refactor SCEP authority initialization and clean some code
2021-05-26 16:00:08 -07:00
Herman Slatman
48c86716a0
Add rudimentary (and incomplete) support for SCEP
2021-05-26 15:58:04 -07:00
max furman
638766c615
wip
2021-05-19 18:23:20 -07:00
Cristian Le
1d2445e1d8
Removed the variadic username
...
Could be useful later on, but for the current PR changes should be minimized
2021-05-05 10:12:38 +09:00
Cristian Le
9e00b82bdf
Revert oidc_test.go
...
Moving the `preferred_username` to a separate PR
2021-05-05 08:49:03 +09:00
Cristian Le
21732f213b
Fix shadow issue in CI
2021-05-05 08:15:26 +09:00
Mariano Cano
46c1dc80fb
Use map[string]struct{} instead of map[string]bool
2021-05-05 08:15:26 +09:00
Mariano Cano
aafac179a5
Add test for oidc with preferred usernames.
2021-05-05 08:15:26 +09:00
Cristian Le
f730c0bec4
Sanitize usernames
2021-05-05 08:15:26 +09:00
Cristian Le
48666792c7
Draft: adding usernames to GetIdentityFunc
2021-05-05 08:15:26 +09:00
Mariano Cano
02379d494b
Add support for extensions and critical options on the identity
...
function.
2020-07-30 17:45:03 -07:00
Mariano Cano
ca2fb42d68
Move options to the provisioner.
2020-07-21 14:18:05 -07:00
Mariano Cano
ef0ed0ff95
Integrate simple templates in the JWK provisioner.
2020-07-21 14:18:04 -07:00
Mariano Cano
0b5fd156e8
Add a third principal on OIDC tokens with the raw local part of the email.
...
For the email first.last@example.com it will create the principals
["firstlast", "first.last", "first.last@example.com"]
Fixes #253 , #254
2020-05-21 12:09:11 -07:00
Mariano Cano
c49a9d5e33
Add context parameter to all SSH methods.
2020-03-10 19:01:45 -07:00
Mariano Cano
59fc8cdd2d
Fix typo in comments.
2020-02-27 10:48:16 -08:00
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
max furman
414a94b210
Instrument getIdentity func for OIDC ssh provisioner
2020-01-28 13:28:16 -08:00
max furman
f74cd04a6a
Add WithGetIdentityFunc option and attr to authority
...
* Add Identity type to provisioner
2020-01-28 13:28:16 -08:00
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
2020-01-28 13:28:16 -08:00
max furman
c04f1e1bd4
sshpop first pass
2020-01-28 13:28:16 -08:00
max furman
8f07ff6a39
Add kubernetes service account provisioner
2019-10-29 17:42:50 -07:00
max furman
d368791606
Add x5c provisioner capabilities
2019-10-14 14:51:37 -07:00
max furman
e3826dd1c3
Add ACME CA capabilities
2019-09-13 15:48:33 -07:00
Mariano Cano
10e7b81b9f
Merge branch 'master' into ssh-ca
2019-09-05 23:06:01 +02:00
max furman
ac234771c7
Remove unknown provisioner WARNning and leave TODO
2019-08-29 10:49:52 -07:00
max furman
ca8daf5f12
Update comment and warn
2019-08-28 17:28:03 -07:00
Mariano Cano
9200f11ed8
Skip unsupported provisioners.
2019-08-28 17:25:39 -07:00
Mariano Cano
41b97372e6
Rename function to SanitizeSSHUserPrincipal
2019-07-29 16:38:57 -07:00
Mariano Cano
48c98dea2a
Make SanitizeSSHPrincipal a public function.
2019-07-29 16:21:22 -07:00
Mariano Cano
f01286bb48
Add support for SSH certificates to OIDC.
...
Update the interface for all the provisioners.
2019-07-29 15:54:07 -07:00
Mariano Cano
8f8c862c04
Fix spelling errors.
2019-06-07 11:24:56 -07:00
Mariano Cano
37f2096dff
Add Stringer interface to provisioner.Type.
...
Add missing file.
2019-06-05 17:52:29 -07:00
Mariano Cano
0a756ce9d0
Use on GCP audiences with the format https://<ca-url>#<provisioner-type>/<provisioner-name>
...
Fixes smallstep/step#156
2019-06-03 17:19:44 -07:00
Mariano Cano
70196b2331
Add skeleton for the Azure provisioner.
...
Related to #69
2019-05-03 17:30:54 -07:00
Mariano Cano
da93e40f90
Add constant for Azure type.
2019-04-24 14:26:37 -07:00
Mariano Cano
75ef5a2275
Add AWS provisioner.
...
Fixes #68
2019-04-24 12:12:36 -07:00
Mariano Cano
f794dbeb93
Add support for GCP identity tokens.
2019-04-17 17:28:21 -07:00
max furman
ab4d569f36
Add /revoke API with interface db backend
2019-04-10 13:50:35 -07:00
Mariano Cano
cc8764c343
Initialize the list for backward compatibility.
2019-03-07 16:04:29 -08:00
Mariano Cano
507fd01062
Remove provisioner intermediate type.
2019-03-07 13:07:39 -08:00