f8df6a1acc
Change variable name for consistency
2 years ago
616490a9c6
Refactor renew after expiry token authorization
...
This changes adds a new authority method that authorizes the
renew after expiry tokens.
2 years ago
afb5d36206
Allow to renew certificates using an x5c-like token.
2 years ago
5fe9909174
Refactor AdminAuthority interface
2 years ago
5f224b729e
Add tests for Provisioner Admin API
2 years ago
d799359917
Merge branch 'master' into hs/acme-eab
2 years ago
2215a05c28
Add tests for ACME EAB Admin
...
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.
At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
2 years ago
0cebde3db5
Change fallback message on RekeySSH.
2 years ago
9fd147f3da
Change error message.
2 years ago
b5db3f5706
Modify errs.ForbiddenErr to always return an error to the cli.
3 years ago
668d3ea6c7
Modify errs.Wrap() with bad request to send messages to users.
3 years ago
8c8db0d4b7
Modify errs.BadRequestErr() to always return an error to the client.
3 years ago
8ce807a6cb
Modify errs.BadRequest() calls to always send an error to the client.
3 years ago
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
833d28cb6a
Clone the certificate in case we need to look at it later.
3 years ago
568fce201a
Enforce identity cert to match ssh cert on renewals.
3 years ago
4aa529605d
Merge pull request #641 from hillu/quote-serial
...
Log certificate's serial number as stringified decimal number
3 years ago
9210a6740b
Fix logging provisioner name as string
3 years ago
edb01bc9f2
Log certificate's serial number as stringified decimal number
...
Using a JSON string fixes a common issue with JSON parsers that
deserialize all numbers to a 64-bit IEEE-754 floats. (Certificate
serial numbers are usually 128 bit values.)
This change is consistent with existing log entries for revocation
requests.
See also: #630 , #631
3 years ago
77fdfc9fa3
Merge branch 'master' into max/cert-mgr-crud
3 years ago
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
65dacc2795
Replace golint with revive
3 years ago
a191319da9
Improve SCEP API logic and error handling
3 years ago
bc2bb53009
Merge branch 'master' into hs/scep
3 years ago
4f3e5ef64d
wip
3 years ago
5d09d04d14
wip
3 years ago
7b5d6968a5
first commit
3 years ago
c1c986922b
Show Ed25519 in the public-key log field.
3 years ago
0487686f69
Merge branch 'master' into hs/scep
3 years ago
2e0e62bc4c
add WriteError method for acme api
3 years ago
fd447c5b54
Fix small nbf->naf bug in db.CreateOrder
...
- still needs unit test
3 years ago
1135ae04fc
[acme db interface] wip
3 years ago
2fc5a7f22e
Improve SCEP API logic and error handling
3 years ago
f88f58440f
add //nolint for new 1.16 deprecation warnings
...
- dsa
- pem.DecryptPEMBlock
3 years ago
c94a1c51be
Merge branch 'master' into ssh-cert-templates
4 years ago
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
aaaa7e9b4e
Merge branch 'master' into cert-templates
4 years ago
8e3481a8ef
[logger map] small optimization
...
Rather than doing two key writes and one lookup, just write once.
4 years ago
55bf5a4526
Add cert logging for acme/certificate api
4 years ago
4943ae58d8
Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates.
4 years ago
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
3b19bb9796
Add TemplateData to SSHSignRequest.
...
Add some omitempty tags.
4 years ago
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
4 years ago
068bafe5a3
Add templateData to api sign request.
4 years ago
fd05f3249b
A few last fixes and tests added for rekey/renew ...
...
- remove all `renewOrRekey`
- explicitly test difference between renew and rekey (diff pub keys)
- add back tests for renew
4 years ago
dfda497929
Renamed RenewOrRekey to Rekey
4 years ago
a3b5211e0f
gofmted the code
4 years ago
954fda657b
Added renewOrRekey to mockAuthority. Added Test_caHandler_Rekey
4 years ago
01a6469d25
Moved peer certificate check to the first line
4 years ago
8f504483ce
Added RenewOrRekey function based on @maraino suggestion. RenewOrReky is called from Renew.
4 years ago
3813f57b1a
Add support for rekeying Fixes #292
4 years ago
b0ff731d18
Add support for user provisioner certificates on OIDC provisioners.
...
OIDC provisioners create an SSH certificate with two principals. This
was avoiding the creationg of user provisioner certificates for those
provisioners.
Fixes smallstep/cli#268
4 years ago
eb42ea90db
ssh/api: Use host tags instead of groups
...
Tags are more flexible and what we use in the managed offering.
4 years ago
bfe1f4952d
Rename interface to CertificateEnforcer and add tests.
4 years ago
64f26c0f40
Enforce a duration for identity certificates.
4 years ago
fa416336a8
Add context to tests.
4 years ago
c49a9d5e33
Add context parameter to all SSH methods.
4 years ago
1cb8bb3ae1
Simplify statuscoder error generators.
4 years ago
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
4 years ago
ed26e97487
Fix tests.
4 years ago
c1bd1561dd
Renew identity certificate in /ssh/rekey and /ssh/renew
4 years ago
b9f6aacb0f
Move api errors to their own package and modify the typedef
4 years ago
dedf6b17be
Addapt tests to the api change.
4 years ago
3ac388612a
Use x5cInsecure token for /ssh/check-host endpoint
4 years ago
f0eb12372b
Add missing unit tests for ssh.
4 years ago
f6ffa2cc43
Check at the cert type instead of at the body.
4 years ago
5d7829b198
Replace /ssh/get-hosts to /ssh/hosts
4 years ago
d8b3e05a3f
Add error marshaling tests.
4 years ago
7b81bec8aa
Use default duration for host certificates identity files.
4 years ago
b179ad3662
Fix api tests.
4 years ago
3a16835cdd
Make identity duration the same as the SSH cert.
4 years ago
4f08a7816f
Fix extra write header.
4 years ago
656f35e522
Use an actual Hosts type when returning ssh hosts
4 years ago
c60641701b
Add version endpoint.
4 years ago
f92bb06b6c
change func def for getSSHHosts
...
* continue to return all hosts if injection method not specified
4 years ago
11c8639782
Add identity certificate in ssh response.
4 years ago
d940ab7c20
Add getSSHHosts injection func
4 years ago
8bf3bf701e
Add support for /ssh/bastion method.
4 years ago
54e3cf7322
Add multiuse capability to k8ssa provisioners
4 years ago
0ae9bab21e
Fix api tests.
4 years ago
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
4 years ago
862d704f6b
get-hosts fixes
4 years ago
5616386eed
Add SSH getHosts api
4 years ago
385bf0a14a
Fix lint, add keys to fields.
4 years ago
d880a98295
Add tests for ssh api methods.
4 years ago
a713277453
Fix return of host configurations.
4 years ago
37f17213bb
Add initial support for check-host endpoint.
4 years ago
d08db4df23
Rename SSH methods.
4 years ago
b5bc249e1c
Add support for multiple ssh roots.
...
Fixes #125
4 years ago
91130b9c3f
Add support for user data in templates.
4 years ago
a35988ff08
Add initial support for ssh config.
...
Related to smallstep/cli#170
4 years ago
b000b59ee6
Fix HTTP method for /ssh/sign
4 years ago
961be1fbc7
Add endpoint to return the SSH public keys.
...
Related to smallstep/ca-component#195
4 years ago
a197158426
Add initial implementation of ssh config.
4 years ago
bc6074f596
Change api of functions Authority.Sign, Authority.Renew
...
Returns certificate chain instead of 2 members.
Implements #126
5 years ago
fe7973c060
wip
5 years ago
e3826dd1c3
Add ACME CA capabilities
5 years ago
61d52a8510
Small fixes associated with PR review
...
* additions and grammar edits to documentation
* clarification of error msgs
5 years ago
10e7b81b9f
Merge branch 'master' into ssh-ca
5 years ago
2b41faa9cf
Enforce >= 2048 bit rsa keys at the provisioner layer
...
* Fixes #94
* In the future this should be configurable by provisioner
5 years ago
ca74bb1de5
Add ssh api tests.
5 years ago
e71072d389
Add experimental support for provisioning users.
5 years ago
a44b0a1d52
Fix typo
5 years ago
ba2ba54928
Adapt api package to new interfaces.
5 years ago
d008d2d4d1
Use default base64 encoding for public key
5 years ago
1c8f610ca9
Add initial implementation of an SSH CA using the JWK provisioner.
...
Fixes smallstep/ca-component#187
5 years ago
ab4d569f36
Add /revoke API with interface db backend
5 years ago
64f2615864
Fix tests.
5 years ago
00fed1c538
Add initial version of time duration support in sign requests.
5 years ago
a97ea87caa
Move options to provisioner so we can set the duration of the cert.
5 years ago
aa8385b8ba
Fix api tests.
5 years ago
507fd01062
Remove provisioner intermediate type.
5 years ago
bcaba4f72a
Fix api tests.
5 years ago
bc12036330
Update Authority interface.
5 years ago
1c7155298b
Log always the token, even on errors.
5 years ago
adbc496b40
Improve tests
5 years ago
b974957868
Add certificate information to logs.
...
Fixes smallstep/ca-component#147
5 years ago
8252608ca2
Fix mock
5 years ago
518b597535
Remove mTLS client requirement in /roots and /federation
5 years ago
d296cf95a9
Add mTLS request to get all the root CAs, not the federated ones.
5 years ago
37149ed3ea
Add method to get all the certs.
5 years ago
c74fcd57a7
ca-component -> certificates
...
* fix redundant error check
* add README
6 years ago
0d9dd2d14b
provisioner issuer -> name
6 years ago
e54086662f
Add tests with cursors.
6 years ago
99cab73360
Remove unused import /provisioners/jwk-set-by-issuer
6 years ago
0ccf775f2e
Add support for cursors in the api.
6 years ago
ee7db4006a
change sign + authorize authority api | add provisioners
...
* authorize returns []interface{}
- operators in this list can conform to any interface the user decides
- our implementation has a combination of certificate claim validators
and certificate template modifiers.
* provisioners can set and enforce tls cert options
6 years ago
f938ab113b
Add /re-sign endpoint for compatibility with old code.
6 years ago
828798418c
gofmt
6 years ago
0b5f6487e1
change provisioners api
...
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
6 years ago
ed13132037
Add unit tests for provisioner endpoints.
6 years ago
ff67c17893
Add provisioners endpoints.
6 years ago
c284a2c0ab
first commit
6 years ago
Mariano Cano
Herman Slatman
max furman
Mariano Cano
Hilko Bengen
dharanikumar-s
David Cowden
Jozef Kralik