Oleksandr Kovalchuk
503c9f6101
Add config option to force CN
...
Add configuration option `forceCN` to ACME provisioner. When this option
is set to `true`, provisioner should generate Subject.CommonName for
certificate if it was not present in the request. Default value of
`false` should keep the existing behavior (do not modify CSR and
certificate).
Ref: https://github.com/smallstep/certificates/issues/259
2020-05-14 13:20:55 +03:00
Mariano Cano
4e9bff0986
Add support for OIDC multitoken tenants for azure.
2020-04-24 14:36:32 -07:00
Mariano Cano
a2dfa6faa8
Fix unit tests.
2020-04-20 12:29:23 -07:00
Mariano Cano
13507efb35
Remove the requirement for CSR to have a common name.
...
Fixes #226
2020-04-20 10:43:33 -07:00
Mariano Cano
bfe1f4952d
Rename interface to CertificateEnforcer and add tests.
2020-03-31 11:41:36 -07:00
Mariano Cano
64f26c0f40
Enforce a duration for identity certificates.
2020-03-30 17:33:04 -07:00
Mariano Cano
fa416336a8
Add context to tests.
2020-03-10 19:17:32 -07:00
Mariano Cano
c49a9d5e33
Add context parameter to all SSH methods.
2020-03-10 19:01:45 -07:00
Mariano Cano
f868e07a76
Allow to use custom principals on cloud provisioners.
...
Fixes #203
2020-03-05 14:33:42 -08:00
Mariano Cano
59fc8cdd2d
Fix typo in comments.
2020-02-27 10:48:16 -08:00
max furman
397a181d10
Add backdate validation to sshCertValidityValidator.
2020-01-28 13:29:40 -08:00
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
895d3054a3
Remove the use of custom x509 package.
...
Upgrade cli dependency.
2020-01-28 13:29:39 -08:00
Mariano Cano
144acb9ee3
Remove debug statement.
2020-01-28 13:29:39 -08:00
Mariano Cano
06411d1715
Add tests of profileLimitDuration with backdate.
2020-01-28 13:29:39 -08:00
Mariano Cano
8297e5c717
Add tests for backdate and sshDefaultDuration
2020-01-28 13:29:39 -08:00
Mariano Cano
93b65bee7c
Add unit test for profileDefaultDuration.
2020-01-28 13:29:39 -08:00
Mariano Cano
84ff172093
Add support for backdate to SSH certificates.
2020-01-28 13:29:39 -08:00
Mariano Cano
5565d61bf3
Add fault tolerance against clock skew accross system on TLS certificates.
2020-01-28 13:29:39 -08:00
Mariano Cano
08eac1b00d
Make sure to define the KeyID from the token if available.
2020-01-28 13:29:39 -08:00
max furman
9caadbb341
Fix authority calling wrong revoke method
2020-01-28 13:29:39 -08:00
max furman
414a94b210
Instrument getIdentity func for OIDC ssh provisioner
2020-01-28 13:28:16 -08:00
max furman
3d970b45c8
remove printfs
2020-01-28 13:28:16 -08:00
max furman
f74cd04a6a
Add WithGetIdentityFunc option and attr to authority
...
* Add Identity type to provisioner
2020-01-28 13:28:16 -08:00
Mariano Cano
a86dc78b5d
Add missing comment.
2020-01-28 13:28:16 -08:00
Mariano Cano
7db7b1ee4c
Fix some provisioner tests
2020-01-28 13:28:16 -08:00
Mariano Cano
d4627d1282
Make provisioner tests compile, they are still failing.
2020-01-28 13:28:16 -08:00
Mariano Cano
cf592fa0e1
Remove global check for number of k8sSA provisioners.
...
This was causing a bug in the reload of the ca.
2020-01-28 13:28:16 -08:00
max furman
5788ac3f4f
sshpop token should not allow renew/rekey of user ssh certs
2020-01-28 13:28:16 -08:00
max furman
54e3cf7322
Add multiuse capability to k8ssa provisioners
2020-01-28 13:28:16 -08:00
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
2020-01-28 13:28:16 -08:00
max furman
c04f1e1bd4
sshpop first pass
2020-01-28 13:28:16 -08:00
max furman
8f07ff6a39
Add kubernetes service account provisioner
2019-10-29 17:42:50 -07:00
max furman
d368791606
Add x5c provisioner capabilities
2019-10-14 14:51:37 -07:00
Mariano Cano
59526d3225
Merge pull request #105 from smallstep/okta-support
...
Address support on OIDC provisioners
2019-09-20 15:33:11 -07:00
Mariano Cano
39b41b5e83
Merge pull request #107 from smallstep/ssh-valid-after
...
Truncate to seconds ValidAfter
2019-09-19 15:27:28 -07:00
Mariano Cano
d59a5b222f
Truncate to seconds to avoid rounding up times.
...
It can cause that certs are not valid yet, if they are used right away.
2019-09-19 13:42:24 -07:00
max furman
fe7973c060
wip
2019-09-19 13:17:45 -07:00
Mariano Cano
adc1d54b0d
Define valid after as 1m before now.
...
It avoids errors with immediate use of cert.
2019-09-19 12:37:41 -07:00
Mariano Cano
72f1a61f06
Increase coverage.
2019-09-18 18:08:26 -07:00
Mariano Cano
b7045f27a9
Increase coverage.
2019-09-18 17:13:58 -07:00
Mariano Cano
a16b2125bc
Fix tests.
2019-09-18 16:04:43 -07:00
Mariano Cano
6c4abfabbb
Make /.well-known/openid-configuration optional
2019-09-18 15:54:10 -07:00
Mariano Cano
3527ee6940
Add support for listenAddress parameter if OIDC provisioners.
...
Fixes smallstep/cli#150
2019-09-18 15:25:28 -07:00
max furman
44e864030d
Remove debug logging
2019-09-16 10:45:33 -07:00
max furman
e3826dd1c3
Add ACME CA capabilities
2019-09-13 15:48:33 -07:00
max furman
d204469280
Add a few more validity checks to default ssh cert validator
2019-09-12 19:27:59 -07:00
Mariano Cano
396b4222aa
Implement validator for ssh keys.
...
Fixes #100
2019-09-10 17:04:13 -07:00
max furman
61d52a8510
Small fixes associated with PR review
...
* additions and grammar edits to documentation
* clarification of error msgs
2019-09-08 21:05:36 -07:00
Mariano Cano
10e7b81b9f
Merge branch 'master' into ssh-ca
2019-09-05 23:06:01 +02:00
max furman
ac234771c7
Remove unknown provisioner WARNning and leave TODO
2019-08-29 10:49:52 -07:00
max furman
ca8daf5f12
Update comment and warn
2019-08-28 17:28:03 -07:00
Mariano Cano
9200f11ed8
Skip unsupported provisioners.
2019-08-28 17:25:39 -07:00
max furman
2b41faa9cf
Enforce >= 2048 bit rsa keys at the provisioner layer
...
* Fixes #94
* In the future this should be configurable by provisioner
2019-08-27 14:44:59 -07:00
max furman
635c59ed24
Accept emails SANs
2019-08-23 15:59:30 -07:00
Mariano Cano
34e1e3380a
Fix lint errors.
2019-08-05 16:14:25 -07:00
Mariano Cano
57a529cc1a
Allow to enable the SSH CA per provisioner
2019-08-05 11:40:27 -07:00
Mariano Cano
e71072d389
Add experimental support for provisioning users.
2019-08-02 17:48:34 -07:00
Mariano Cano
dc657565a7
Add SSH test for GCP.
2019-07-31 18:22:21 -07:00
Mariano Cano
7983aa8661
Add azure ssh tests.
2019-07-31 18:16:17 -07:00
Mariano Cano
2cac85a8c8
Add aws tests.
2019-07-31 18:11:46 -07:00
Mariano Cano
f8a71899fd
Add missing file.
2019-07-31 17:46:28 -07:00
Mariano Cano
d231bfb764
Update jwk and oidc tests.
2019-07-31 17:04:17 -07:00
Mariano Cano
a8f4ad1b8e
Set default SSH options if no user options are given.
2019-07-31 17:03:33 -07:00
Mariano Cano
c17375a10a
Create convenient method to mock the timeduration.
2019-07-31 12:53:03 -07:00
Mariano Cano
4c1a11c1bc
Add Unix method to TimeDuration.
2019-07-31 12:36:31 -07:00
Mariano Cano
b0240772da
Add tests for SSH certs with JWK provisioners.
2019-07-30 18:23:54 -07:00
Mariano Cano
780eeb5487
Remove debug print.
2019-07-30 16:56:30 -07:00
Mariano Cano
ad91842d06
Add test for SanitizeSSHUserPrincipal
2019-07-30 15:28:04 -07:00
Mariano Cano
f8cacc11b1
Fix tests.
2019-07-29 18:24:34 -07:00
Mariano Cano
b827a59e96
Add SSH host certificate support for GCP provisioner.
2019-07-29 18:17:20 -07:00
Mariano Cano
221d323b68
Fix containsAllMembers
2019-07-29 18:16:52 -07:00
Mariano Cano
18a285e847
Change azure ssh key id.
2019-07-29 18:04:01 -07:00
Mariano Cano
aef52e4334
Add support for SSH host certificates in azure.
2019-07-29 18:01:20 -07:00
Mariano Cano
7d670b20ea
Add support of ssh host certinficates in AWS provisioner.
2019-07-29 17:54:38 -07:00
Mariano Cano
7583f1c739
Do not require all principals, allow subgroups.
2019-07-29 17:54:13 -07:00
Mariano Cano
41b97372e6
Rename function to SanitizeSSHUserPrincipal
2019-07-29 16:38:57 -07:00
Mariano Cano
53f62f871c
Set not extensions to host certificates.
2019-07-29 16:36:46 -07:00
Mariano Cano
48c98dea2a
Make SanitizeSSHPrincipal a public function.
2019-07-29 16:21:22 -07:00
Mariano Cano
f01286bb48
Add support for SSH certificates to OIDC.
...
Update the interface for all the provisioners.
2019-07-29 15:54:07 -07:00
Mariano Cano
082ebda85b
Merge branch 'master' of github.com:smallstep/certificates into ssh-ca
2019-07-26 15:38:46 -07:00
Mariano Cano
d7221e15ac
Always marshal timeduration as a string
2019-07-25 18:41:46 -07:00
Mariano Cano
3ff410c695
fix ssh validity modifier
2019-07-25 18:41:32 -07:00
Mariano Cano
1c8f610ca9
Add initial implementation of an SSH CA using the JWK provisioner.
...
Fixes smallstep/ca-component#187
2019-07-23 18:46:43 -07:00
Mariano Cano
f5beed3b96
Merge pull request #83 from matteo-s/oidc-groups
...
Add option for checking group membership declared in JWT token
2019-07-23 10:05:18 -07:00
Mariano Cano
3e69194cc4
Fix lint error
2019-07-15 16:35:51 -07:00
Mariano Cano
900ab9cc12
Allow custom common names in cloud identity provisioners.
2019-07-15 15:52:36 -07:00
Mariano Cano
5f4217ca4c
Simplify abs, it performs even better.
2019-06-25 11:04:48 -07:00
Matteo Saloni
1919cfdff3
Add option for checking group membership declared in JWT token
2019-06-25 10:50:55 +02:00
Mariano Cano
e66272d6f0
Fix panic when max-age is set to zero.
...
Fixes #81
2019-06-24 13:40:14 -07:00
Mariano Cano
8f8c862c04
Fix spelling errors.
2019-06-07 11:24:56 -07:00
Mariano Cano
b88a2f1373
Fix provisioner id in LoadByCertificate
2019-06-06 15:24:15 -07:00
Mariano Cano
37dff5124b
Fix audience tests.
...
Fixes smallstep/step#156
2019-06-06 13:09:00 -07:00
Mariano Cano
2491593cdd
Add ca-url based audience for AWS tokens
...
Fixes smallstep/step#156
2019-06-06 12:49:51 -07:00
Mariano Cano
4fa9e9333d
Add NewDuration constructor.
2019-06-05 17:53:28 -07:00
Mariano Cano
37f2096dff
Add Stringer interface to provisioner.Type.
...
Add missing file.
2019-06-05 17:52:29 -07:00
Mariano Cano
6e4a09651a
Add comments with links to cloud docs.
2019-06-05 11:04:00 -07:00
Mariano Cano
536ec36b9e
Add support for instance age check in AWS.
...
Fixes smallstep/step#164
2019-06-04 16:31:33 -07:00
Mariano Cano
c431538ff2
Add support for instance age check in GCP.
...
Fixes smallstep/step#164
2019-06-04 15:57:15 -07:00