Commit Graph

226 Commits (backports)

Author SHA1 Message Date
Herman Slatman d82e51b748
Update AllowWildcardNames configuration name 2 years ago
Herman Slatman 6e1f8dd7ab
Refactor policy engines into container 2 years ago
Herman Slatman 2a7620641f
Fix more PR comments 2 years ago
Herman Slatman fb81407d6f
Fix ACME policy comments 2 years ago
Herman Slatman 7f9034d22a
Add additional policy options 2 years ago
Herman Slatman a9f033ece5
Fix JSON property name for ACME policy 2 years ago
Herman Slatman 256fe113f7
Improve tests for ACME account policy 2 years ago
Herman Slatman 034b7943fe
Merge branch 'master' into herman/allow-deny 2 years ago
Herman Slatman 7df52dbb76
Add ACME EAB policy 2 years ago
Herman Slatman 479c6d2bf5
Fix ACME IPv6 HTTP-01 challenges
Fixes #890
2 years ago
Herman Slatman 2fbdf7d5b0
Merge branch 'master' into herman/allow-deny 2 years ago
Panagiotis Siatras 00634fb648
api/render, api/log: initial implementation of the packages (#860)
* api/render: initial implementation of the package

* acme/api: refactored to support api/render

* authority/admin: refactored to support api/render

* ca: refactored to support api/render

* api: refactored to support api/render

* api/render: implemented Error

* api: refactored to support api/render.Error

* acme/api: refactored to support api/render.Error

* authority/admin: refactored to support api/render.Error

* ca: refactored to support api/render.Error

* ca: fixed broken tests

* api/render, api/log: moved error logging to this package

* acme: refactored Error so that it implements render.RenderableError

* authority/admin: refactored Error so that it implements render.RenderableError

* api/render: implemented RenderableError

* api/render: added test coverage for Error

* api/render: implemented statusCodeFromError

* api: refactored RootsPEM to work with render.Error

* acme, authority/admin: fixed pointer receiver name for consistency

* api/render, errs: moved StatusCoder & StackTracer to the render package
2 years ago
Herman Slatman b49307f326
Fix ACME order tests with mock ACME CA 2 years ago
Herman Slatman 9e0edc7b50
Add early authority policy evaluation to ACME order API 2 years ago
Herman Slatman 101ca6a2d3
Check admin subjects before changing policy 2 years ago
Herman Slatman 3ec9a7310c
Fix ACME order identifier allow/deny check 2 years ago
Herman Slatman af53a17bb4
Merge branch 'master' into herman/allow-deny 2 years ago
Herman Slatman b6f6bd879c
Fix PR comment and add tests for ACME prerequisites checker 2 years ago
Herman Slatman e47dd0a666
Add ACME configuration prerequisites check 2 years ago
Herman Slatman c3c6f3da72
Merge branch 'master' into herman/allow-deny 2 years ago
Herman Slatman bfa2245abb
Merge branch 'master' into herman/normalize-ipv6-dns-names 2 years ago
Herman Slatman 1fe7362bee
Normalize IPv6 addresses in ACME linker 2 years ago
Herman Slatman c1424036bf
Merge branch 'master' into herman/allow-deny 2 years ago
Herman Slatman bf21319e76
Fix PR comments and issue with empty string slices 2 years ago
Herman Slatman fd9845e9c7
Add cursor and limit to ACME EAB DB interface 2 years ago
Herman Slatman c3f2fd8ef0
Add RW locks to prevent concurrent updates to the DB
Although this may slow certain API calls down and may not be, strictly
necessary, I think it's best to put all the ACME EAB operations behind
RW locks to prevent concurrent updates to the DB and guarantee
consistent result sets.
2 years ago
Herman Slatman 868cc4ad7f
Increase test coverage for additional indexes 2 years ago
Herman Slatman c0eb420806
Remove special case for empty slices 2 years ago
Herman Slatman 6440870a80
Clean up, improve test cases and coverage 2 years ago
Herman Slatman ef16febf40
Refactor ACME EAB queries
The ACME EAB keys are now also indexed by the provisioner. This
solves part of the issue in which too many EAB keys may be in
memory at a given time.
2 years ago
Herman Slatman 30859d3c83
Remove server-side paging logic for ExternalAccountKeys 2 years ago
Herman Slatman 9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine 2 years ago
Herman Slatman 11a7f01177
Simplify lookup cursor logic for ExternalAccountKeys 3 years ago
Herman Slatman 22ff90f655
Merge branch 'master' into hs/acme-eab 3 years ago
Herman Slatman a5f2f004e3
Change name of IP Common Name test for clarity 3 years ago
Herman Slatman f9ae875f9d
Use short if-style statements 3 years ago
Herman Slatman 80bebda69c
Fix code style issue 3 years ago
Herman Slatman bc0875bd7b
Disallow email address and URLs in the CSR
Before this commit `step` would allow email addresses and URLs
in the CSR. This doesn't fit nicely with the rest of ACME, in which
identifiers need to be authorized before a certificate is issued.
3 years ago
Herman Slatman 13a31fd862
Merge branch 'master' into herman/ip-sans-improvements 3 years ago
Herman Slatman ca707cbe05
Fix linting 3 years ago
Herman Slatman a5d33512fe
Fix test 3 years ago
Herman Slatman a2c9b5cd7e
Allow IP identifiers in subject, including authorization enforcement
To support IPs in the subject using `step-cli`, this PR ensures that
Subject Common Names that can be parsed as an IP are also checked
to have been authorized before.

The PR for `step-cli` is here: github.com/smallstep/cli/pull/576.
3 years ago
Herman Slatman d799359917
Merge branch 'master' into hs/acme-eab 3 years ago
Herman Slatman 63371a8fb6
Add additional tests for ACME EAB Admin 3 years ago
Herman Slatman 0524122191
Remove authorization flow for different Account private keys
As discussed in https://github.com/smallstep/certificates/issues/767,
we opted for not including this authorization flow to prevent users
from getting OOMs. We can add the functionality back when the
underlying data store can provide access to a long list of
Authorizations more efficiently, for example when a callback is
implemented.
3 years ago
Herman Slatman 2215a05c28
Add tests for ACME EAB Admin
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.

At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
3 years ago
Herman Slatman 9885d42711
Fix linting issues 3 years ago
Herman Slatman 6e11657204
Refactor creation of (raw) EAB JWS contents 3 years ago
Herman Slatman 23898e9b76
Improve EAB JWS validation and increase test coverage 3 years ago
Herman Slatman d0c23973cc
Merge branch 'master' into hs/acme-eab 3 years ago