Herman Slatman
aeb5e1b366
Address linter issues
2024-08-20 16:54:29 +02:00
Mariano Cano
656a03e5d1
Use x5rt#S256 claim instead of kid
2024-07-23 12:51:11 -07:00
Mariano Cano
6c6ed46fef
Remove sshFingerprintValidator and rename fingerprintValidator
2024-07-23 11:48:46 -07:00
Mariano Cano
508b6e8668
Check cnf claim with CSR or SSH public key fingerprint
This commit allows tying tokens with the provided CSR or SSH public
key. Tokens with a confirmation claim kid (cnf.kid) will validate that
the provided fingerprint (kid) matches the CSR or SSH public key.
This check will only be present in JWK and X5C provisioners.
Fixes #1637
2024-01-05 15:46:16 -08:00
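The token-to-key binding this commit describes, as an added example that is not step-ca's code: a `cnf` confirmation object in the token payload carries a fingerprint, and the CA refuses to sign if the CSR (or SSH public key) the client actually submits does not produce the same fingerprint, so a stolen token cannot be replayed with an attacker's key. Only the claim names `x5rt#S256` and `cnf.kid` come from the commit messages above; the fingerprint constructions (base64url of SHA-256 over the DER CSR for `x5rt#S256`, the OpenSSH `SHA256:` fingerprint for `cnf.kid`), the Go type and function names, and the generated test inputs are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Confirmation is the "cnf" object of the token payload (RFC 7800). The claim
// names follow the commit messages; the fingerprint algorithms are assumptions.
type Confirmation struct {
	X5rtS256 string `json:"x5rt#S256,omitempty"` // fingerprint of the CSR
	Kid      string `json:"kid,omitempty"`       // fingerprint of the SSH public key
}

// Claims is the subset of the token payload this example inspects.
type Claims struct {
	Subject string        `json:"sub"`
	Cnf     *Confirmation `json:"cnf,omitempty"`
}

// CSRFingerprint is base64url(SHA-256(DER CSR)), by analogy with x5t#S256 (assumption).
func CSRFingerprint(csrDER []byte) string {
	sum := sha256.Sum256(csrDER)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// SSHFingerprint is the OpenSSH SHA256 fingerprint: SHA-256 over the wire-encoded
// ed25519 public key, base64 without padding, prefixed with "SHA256:".
func SSHFingerprint(pub ed25519.PublicKey) string {
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// sshString is the SSH wire encoding of a byte string: uint32 length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// ValidateCSR rejects a token whose cnf.x5rt#S256 does not match the submitted CSR.
// A token without the claim is not bound to any key and passes unchanged.
func ValidateCSR(claims Claims, csrDER []byte) error {
	if claims.Cnf == nil || claims.Cnf.X5rtS256 == "" {
		return nil
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("invalid CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the CSR key
		return fmt.Errorf("CSR signature: %w", err)
	}
	got := CSRFingerprint(csrDER)
	if subtle.ConstantTimeCompare([]byte(claims.Cnf.X5rtS256), []byte(got)) != 1 {
		return errors.New("cnf.x5rt#S256 does not match the CSR")
	}
	return nil
}

// ValidateSSHKey applies the same rule to an SSH public key via cnf.kid.
func ValidateSSHKey(claims Claims, pub ed25519.PublicKey) error {
	if claims.Cnf == nil || claims.Cnf.Kid == "" {
		return nil
	}
	if subtle.ConstantTimeCompare([]byte(claims.Cnf.Kid), []byte(SSHFingerprint(pub))) != 1 {
		return errors.New("cnf.kid does not match the SSH public key")
	}
	return nil
}

// NewTestCSR generates a fresh P-256 key and a CSR for it (constructed input).
func NewTestCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// BoundToken builds a payload bound to csrDER; signing the JWT is out of scope here.
func BoundToken(sub string, csrDER []byte) ([]byte, error) {
	return json.Marshal(Claims{Subject: sub, Cnf: &Confirmation{X5rtS256: CSRFingerprint(csrDER)}})
}

func main() {
	csrDER, err := NewTestCSR("host.example")
	if err != nil {
		panic(err)
	}
	payload, _ := BoundToken("host.example", csrDER)
	var claims Claims
	_ = json.Unmarshal(payload, &claims)
	other, _ := NewTestCSR("host.example") // same subject, different key
	fmt.Println(string(payload))
	fmt.Println("same CSR:", ValidateCSR(claims, csrDER), "| swapped CSR:", ValidateCSR(claims, other))
}
```

The comparison is constant-time and the CSR signature is checked before the fingerprint, so a request whose key the client does not control fails even when the fingerprint happens to match.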
Max
9f84f7ce35
Allow for identity certificate signing (in sshSign) by skipping validators (#1572)
- skip urisValidator for identity certificate signing. Implemented
by building the validator with the context in a hacky way.
2023-10-06 14:02:19 -07:00
Mariano Cano
c7c7decd5e
Add support for the disableSmallstepExtensions claim
This commit adds a new claim to exclude the Smallstep provisioner
extension from the generated certificates.
Fixes #620
2023-07-27 15:05:01 -07:00
Josh Drake
904f416d20
Include authorization principal in provisioner webhooks.
2023-07-24 00:30:05 -05:00
Mariano Cano
5bfe96d8c7
Send X5C leaf certificate to webhooks
This commit adds a new property that will be sent to authorizing and
enriching webhooks when signing certificates using the X5C provisioner.
2023-07-20 13:03:45 -07:00
max furman
8b256f0351
address linter warning for go 1.19
2023-05-09 23:47:28 -07:00
Andrew Reed
7101fbb0ee
Provisioner webhooks (#1001)
2022-09-29 19:16:26 -05:00
Mariano Cano
a1f54921d2
Rename internal field
2022-08-03 12:07:45 -07:00
Mariano Cano
9408d0f24b
Send RA provisioner information to the CA
2022-08-02 19:28:49 -07:00
Mariano Cano
e7d7eb1a94
Add provisioner as a signOption for SSH
2022-05-18 18:42:42 -07:00
Herman Slatman
5e9bce508d
Unexport GetPolicy()
2022-05-05 12:32:53 +02:00
Herman Slatman
c40a4d2694
Contain policy engines inside provisioner Controller
2022-04-22 01:20:38 +02:00
Herman Slatman
9797b3350e
Merge branch 'master' into herman/allow-deny
2022-04-08 16:01:56 +02:00
Mariano Cano
5ab79f53be
Fix linter errors
2022-03-28 14:55:39 -07:00
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next
2022-03-24 12:36:12 +01:00
Mariano Cano
b401376829
Add current provisioner to AuthorizeSign SignOptions.
The original provisioner cannot be retrieved from a certificate
if a linked RA is used.
2022-03-21 19:21:40 -07:00
Mariano Cano
ad8a813abe
Fix linter errors
2022-03-21 16:53:57 -07:00
Mariano Cano
259e95947c
Add support for the provisioner controller
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in a uniform way.
2022-03-09 18:43:45 -08:00
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level
2022-03-08 13:26:07 +01:00
Herman Slatman
c3c6f3da72
Merge branch 'master' into herman/allow-deny
2022-02-22 17:36:56 +01:00
Mariano Cano
abe951d416
Fix name of the variable in comment.
2022-02-17 17:59:17 -08:00
Mariano Cano
a0cf808393
Make the X5C leaf certificate available to the templates.
X509 and SSH templates of the X5C provisioner will now have access
to the leaf certificate used to sign the token using the template
variable .AuthorizationCrt
Fixes #433
2022-02-17 17:53:44 -08:00
Herman Slatman
88c7b63c9d
Split SSH user and cert policy configuration and execution
2022-02-01 15:18:39 +01:00
Herman Slatman
512b8d6730
Refactor instantiation of policy engines
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
2022-01-25 16:45:25 +01:00
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
2022-01-03 12:25:24 +01:00
Mariano Cano
668d3ea6c7
Modify errs.Wrap() with bad request to send messages to users.
2021-11-18 18:44:58 -08:00
max furman
9fdef64709
Admin level API for provisioner mgmt v1
2021-07-02 19:05:17 -07:00
max furman
638766c615
wip
2021-05-19 18:23:20 -07:00
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
2020-08-10 11:26:51 -07:00
Mariano Cano
f437b86a7b
Merge branch 'cert-templates' into ssh-cert-templates
2020-08-05 18:43:07 -07:00
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
2020-08-05 16:02:46 -07:00
Mariano Cano
aa657cdb4b
Use SSHOptions inside provisioner options.
2020-07-30 18:44:52 -07:00
Mariano Cano
8ff8d90f8c
On JWK and X5C validate the key id on the request.
2020-07-30 17:45:03 -07:00
Mariano Cano
8e7bf96769
Fix error prefix.
2020-07-30 17:45:03 -07:00
Mariano Cano
c2dc76550c
Add ssh certificate template to X5C provisioner.
2020-07-30 17:45:03 -07:00
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SignSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
02c4f9817d
Set full token payload instead of only the known properties.
2020-07-21 14:21:54 -07:00
Mariano Cano
04f5053a7a
Add template support for x5c.
2020-07-21 14:18:06 -07:00
max furman
3636ba3228
wip
2020-06-23 17:13:39 -07:00
max furman
1951669e13
wip
2020-06-23 11:10:45 -07:00
max furman
7d5cf34ce5
Update profileLimitDuration validator ...
- respect notBefore of the provisioner
- modify/fix the reported errors
2020-06-16 12:16:43 -07:00
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
84ff172093
Add support for backdate to SSH certificates.
2020-01-28 13:29:39 -08:00
max furman
414a94b210
Instrument getIdentity func for OIDC ssh provisioner
2020-01-28 13:28:16 -08:00
Mariano Cano
7db7b1ee4c
Fix some provisioner tests
2020-01-28 13:28:16 -08:00