Herman Slatman
|
c40a4d2694
|
Contain policy engines inside provisioner Controller
|
2022-04-22 01:20:38 +02:00 |
|
Herman Slatman
|
9797b3350e
|
Merge branch 'master' into herman/allow-deny
|
2022-04-08 16:01:56 +02:00 |
|
Herman Slatman
|
571b21abbc
|
Fix (most) PR comments
|
2022-03-31 16:12:29 +02:00 |
|
Herman Slatman
|
dc23fd23bf
|
Merge branch 'master' into herman/allow-deny-next
|
2022-03-24 12:36:12 +01:00 |
|
Mariano Cano
|
b401376829
|
Add current provisioner to AuthorizeSign SignOptions.
The original provisioner cannot be retrieved from a certificate
if a linked ra is used.
|
2022-03-21 19:21:40 -07:00 |
|
Mariano Cano
|
616490a9c6
|
Refactor renew after expiry token authorization
This changes adds a new authority method that authorizes the
renew after expiry tokens.
|
2022-03-10 20:21:01 -08:00 |
|
Mariano Cano
|
259e95947c
|
Add support for the provisioner controller
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
|
2022-03-09 18:43:45 -08:00 |
|
Herman Slatman
|
7c541888ad
|
Refactor configuration of allow/deny on authority level
|
2022-03-08 13:26:07 +01:00 |
|
Herman Slatman
|
88c7b63c9d
|
Split SSH user and cert policy configuration and execution
|
2022-02-01 15:18:39 +01:00 |
|
Herman Slatman
|
512b8d6730
|
Refactor instantiation of policy engines
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
|
2022-01-25 16:45:25 +01:00 |
|
Herman Slatman
|
6440870a80
|
Clean up, improve test cases and coverage
|
2022-01-18 14:39:21 +01:00 |
|
Herman Slatman
|
6bc0513468
|
Add more tests
|
2022-01-04 15:41:40 +01:00 |
|
Herman Slatman
|
9539729bd9
|
Add initial implementation of x509 and SSH allow/deny policy engine
|
2022-01-03 12:25:24 +01:00 |
|
Mariano Cano
|
668d3ea6c7
|
Modify errs.Wrap() with bad request to send messages to users.
|
2021-11-18 18:44:58 -08:00 |
|
max furman
|
9fdef64709
|
Admin level API for provisioner mgmt v1
|
2021-07-02 19:05:17 -07:00 |
|
max furman
|
638766c615
|
wip
|
2021-05-19 18:23:20 -07:00 |
|
max furman
|
5d09d04d14
|
wip
|
2021-05-19 15:20:16 -07:00 |
|
Mariano Cano
|
ba918100d0
|
Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
|
2020-08-24 14:44:11 -07:00 |
|
Mariano Cano
|
e83e47a91e
|
Use sshutil and randutil from go.step.sm/crypto.
|
2020-08-10 11:26:51 -07:00 |
|
Mariano Cano
|
f437b86a7b
|
Merge branch 'cert-templates' into ssh-cert-templates
|
2020-08-05 18:43:07 -07:00 |
|
Mariano Cano
|
c8d225a763
|
Use x509util from go.step.sm/crypto/x509util
|
2020-08-05 16:02:46 -07:00 |
|
Mariano Cano
|
aa657cdb4b
|
Use SSHOptions inside provisioner options.
|
2020-07-30 18:44:52 -07:00 |
|
Mariano Cano
|
8ff8d90f8c
|
On JWK and X5C validate the key id on the request.
|
2020-07-30 17:45:03 -07:00 |
|
Mariano Cano
|
380a0d6daf
|
Add ssh certificate templates to JWK provisioner.
|
2020-07-30 17:45:03 -07:00 |
|
Mariano Cano
|
6c64fb3ed2
|
Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
|
2020-07-22 18:24:45 -07:00 |
|
Mariano Cano
|
02c4f9817d
|
Set full token payload instead of only the known properties.
|
2020-07-21 14:21:54 -07:00 |
|
Mariano Cano
|
e6fed5e0aa
|
Minor fixes and comments.
|
2020-07-21 14:18:05 -07:00 |
|
Mariano Cano
|
ca2fb42d68
|
Move options to the provisioner.
|
2020-07-21 14:18:05 -07:00 |
|
Mariano Cano
|
9f3acc254b
|
Set the token payload in the JWK provisioner.
|
2020-07-21 14:18:04 -07:00 |
|
Mariano Cano
|
ef0ed0ff95
|
Integrate simple templates in the JWK provisioner.
|
2020-07-21 14:18:04 -07:00 |
|
max furman
|
71d87b4e61
|
wip
|
2020-06-24 23:25:15 -07:00 |
|
max furman
|
3636ba3228
|
wip
|
2020-06-23 17:13:39 -07:00 |
|
max furman
|
1951669e13
|
wip
|
2020-06-23 11:10:45 -07:00 |
|
max furman
|
1cb8bb3ae1
|
Simplify statuscoder error generators.
|
2020-01-28 13:29:40 -08:00 |
|
max furman
|
dccbdf3a90
|
Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
|
2020-01-28 13:29:40 -08:00 |
|
Mariano Cano
|
84ff172093
|
Add support for backdate to SSH certificates.
|
2020-01-28 13:29:39 -08:00 |
|
Mariano Cano
|
08eac1b00d
|
Make sure to define the KeyID from the token if available.
|
2020-01-28 13:29:39 -08:00 |
|
max furman
|
9caadbb341
|
Fix authority calling wrong revoke method
|
2020-01-28 13:29:39 -08:00 |
|
max furman
|
414a94b210
|
Instrument getIdentity func for OIDC ssh provisioner
|
2020-01-28 13:28:16 -08:00 |
|
Mariano Cano
|
a86dc78b5d
|
Add missing comment.
|
2020-01-28 13:28:16 -08:00 |
|
Mariano Cano
|
7db7b1ee4c
|
Fix some provisioner tests
|
2020-01-28 13:28:16 -08:00 |
|
max furman
|
54e3cf7322
|
Add multiuse capability to k8ssa provisioners
|
2020-01-28 13:28:16 -08:00 |
|
max furman
|
29853ae016
|
sshpop provisioner + ssh renew | revoke | rekey first pass
|
2020-01-28 13:28:16 -08:00 |
|
max furman
|
d368791606
|
Add x5c provisioner capabilities
|
2019-10-14 14:51:37 -07:00 |
|
Mariano Cano
|
396b4222aa
|
Implement validator for ssh keys.
Fixes #100
|
2019-09-10 17:04:13 -07:00 |
|
Mariano Cano
|
10e7b81b9f
|
Merge branch 'master' into ssh-ca
|
2019-09-05 23:06:01 +02:00 |
|
max furman
|
2b41faa9cf
|
Enforce >= 2048 bit rsa keys at the provisioner layer
* Fixes #94
* In the future this should be configurable by provisioner
|
2019-08-27 14:44:59 -07:00 |
|
max furman
|
635c59ed24
|
Accept emails SANs
|
2019-08-23 15:59:30 -07:00 |
|
Mariano Cano
|
57a529cc1a
|
Allow to enable the SSH CA per provisioner
|
2019-08-05 11:40:27 -07:00 |
|
Mariano Cano
|
a8f4ad1b8e
|
Set default SSH options if no user options are given.
|
2019-07-31 17:03:33 -07:00 |
|