Commit graph

63 commits

Author SHA1 Message Date
Herman Slatman
c40a4d2694
Contain policy engines inside provisioner Controller 2022-04-22 01:20:38 +02:00
Herman Slatman
9797b3350e
Merge branch 'master' into herman/allow-deny 2022-04-08 16:01:56 +02:00
Herman Slatman
571b21abbc
Fix (most) PR comments 2022-03-31 16:12:29 +02:00
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next 2022-03-24 12:36:12 +01:00
Mariano Cano
b401376829 Add current provisioner to AuthorizeSign SignOptions.
The original provisioner cannot be retrieved from a certificate
if a linked ra is used.
2022-03-21 19:21:40 -07:00
Mariano Cano
616490a9c6 Refactor renew after expiry token authorization
This changes adds a new authority method that authorizes the
renew after expiry tokens.
2022-03-10 20:21:01 -08:00
Mariano Cano
259e95947c Add support for the provisioner controller
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
2022-03-09 18:43:45 -08:00
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level 2022-03-08 13:26:07 +01:00
Herman Slatman
88c7b63c9d
Split SSH user and cert policy configuration and execution 2022-02-01 15:18:39 +01:00
Herman Slatman
512b8d6730
Refactor instantiation of policy engines
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
2022-01-25 16:45:25 +01:00
Herman Slatman
6440870a80
Clean up, improve test cases and coverage 2022-01-18 14:39:21 +01:00
Herman Slatman
6bc0513468
Add more tests 2022-01-04 15:41:40 +01:00
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 12:25:24 +01:00
Mariano Cano
668d3ea6c7 Modify errs.Wrap() with bad request to send messages to users. 2021-11-18 18:44:58 -08:00
max furman
9fdef64709 Admin level API for provisioner mgmt v1 2021-07-02 19:05:17 -07:00
max furman
638766c615 wip 2021-05-19 18:23:20 -07:00
max furman
5d09d04d14 wip 2021-05-19 15:20:16 -07:00
Mariano Cano
ba918100d0 Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
Mariano Cano
e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 2020-08-10 11:26:51 -07:00
Mariano Cano
f437b86a7b Merge branch 'cert-templates' into ssh-cert-templates 2020-08-05 18:43:07 -07:00
Mariano Cano
c8d225a763 Use x509util from go.step.sm/crypto/x509util 2020-08-05 16:02:46 -07:00
Mariano Cano
aa657cdb4b Use SSHOptions inside provisioner options. 2020-07-30 18:44:52 -07:00
Mariano Cano
8ff8d90f8c On JWK and X5C validate the key id on the request. 2020-07-30 17:45:03 -07:00
Mariano Cano
380a0d6daf Add ssh certificate templates to JWK provisioner. 2020-07-30 17:45:03 -07:00
Mariano Cano
6c64fb3ed2 Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
02c4f9817d Set full token payload instead of only the known properties. 2020-07-21 14:21:54 -07:00
Mariano Cano
e6fed5e0aa Minor fixes and comments. 2020-07-21 14:18:05 -07:00
Mariano Cano
ca2fb42d68 Move options to the provisioner. 2020-07-21 14:18:05 -07:00
Mariano Cano
9f3acc254b Set the token payload in the JWK provisioner. 2020-07-21 14:18:04 -07:00
Mariano Cano
ef0ed0ff95 Integrate simple templates in the JWK provisioner. 2020-07-21 14:18:04 -07:00
max furman
71d87b4e61 wip 2020-06-24 23:25:15 -07:00
max furman
3636ba3228 wip 2020-06-23 17:13:39 -07:00
max furman
1951669e13 wip 2020-06-23 11:10:45 -07:00
max furman
1cb8bb3ae1 Simplify statuscoder error generators. 2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90 Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
84ff172093 Add support for backdate to SSH certificates. 2020-01-28 13:29:39 -08:00
Mariano Cano
08eac1b00d Make sure to define the KeyID from the token if available. 2020-01-28 13:29:39 -08:00
max furman
9caadbb341 Fix authority calling wrong revoke method 2020-01-28 13:29:39 -08:00
max furman
414a94b210 Instrument getIdentity func for OIDC ssh provisioner 2020-01-28 13:28:16 -08:00
Mariano Cano
a86dc78b5d Add missing comment. 2020-01-28 13:28:16 -08:00
Mariano Cano
7db7b1ee4c Fix some provisioner tests 2020-01-28 13:28:16 -08:00
max furman
54e3cf7322 Add multiuse capability to k8ssa provisioners 2020-01-28 13:28:16 -08:00
max furman
29853ae016 sshpop provisioner + ssh renew | revoke | rekey first pass 2020-01-28 13:28:16 -08:00
max furman
d368791606 Add x5c provisioner capabilities 2019-10-14 14:51:37 -07:00
Mariano Cano
396b4222aa Implement validator for ssh keys.
Fixes #100
2019-09-10 17:04:13 -07:00
Mariano Cano
10e7b81b9f Merge branch 'master' into ssh-ca 2019-09-05 23:06:01 +02:00
max furman
2b41faa9cf Enforce >= 2048 bit rsa keys at the provisioner layer
* Fixes #94
* In the future this should be configurable by provisioner
2019-08-27 14:44:59 -07:00
max furman
635c59ed24 Accept emails SANs 2019-08-23 15:59:30 -07:00
Mariano Cano
57a529cc1a Allow to enable the SSH CA per provisioner 2019-08-05 11:40:27 -07:00
Mariano Cano
a8f4ad1b8e Set default SSH options if no user options are given. 2019-07-31 17:03:33 -07:00