Herman Slatman
613c99f00f
Fix linting issues
3 years ago
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next
3 years ago
Mariano Cano
259e95947c
Add support for the provisioner controller
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in a uniform way.
3 years ago
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level
3 years ago
Herman Slatman
88c7b63c9d
Split SSH user and cert policy configuration and execution
3 years ago
Herman Slatman
512b8d6730
Refactor instantiation of policy engines
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
3 years ago
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
3 years ago
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Mariano Cano
40e77f6e9a
Initialize required variables on GetIdentityToken
Fixes smallstep/cli#465
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
max furman
638766c615
wip
3 years ago
Mariano Cano
5017b7d21f
Recalculate token id instead of validating it.
4 years ago
Mariano Cano
0cf594a003
Validate payload ID.
Related to #435
4 years ago
Mariano Cano
39b23c057d
Add all AWS certificates used to verify base64 signatures.
4 years ago
Mariano Cano
7d1686dc53
Add option to specify the AWS IID certificates to use.
This change adds a new option `iidRoots` that allows a user to
define one or more certificates that will be used for AWS IID
signature validation.
Fixes #393
4 years ago
Mariano Cano
c94a1c51be
Merge branch 'master' into ssh-cert-templates
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
aaaa7e9b4e
Merge branch 'master' into cert-templates
4 years ago
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
Mariano Cano
f437b86a7b
Merge branch 'cert-templates' into ssh-cert-templates
4 years ago
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
4 years ago
Mariano Cano
9822305bb6
Use only the IID template on IID provisioners.
Use always sshutil.DefaultIIDCertificate and require at least one
principal on IID provisioners.
4 years ago
Mariano Cano
aa657cdb4b
Use SSHOptions inside provisioner options.
4 years ago
Mariano Cano
6c36ceb158
Add initial template support for iid provisioners.
4 years ago
David Cowden
86efe7aff0
aws: use http.NoBody instead of nil
It's a little more descriptive.
4 years ago
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
4 years ago
David Cowden
51f16ee2e0
aws: add tests covering metadata service versions
* Add constructor tests for the aws provisioner.
* Add a test to make sure the "v1" logic continues to work.
By and large, v2 is the way to go. However, there are some instances of
things that specifically request metadata service version 1 and so this
adds minimal coverage to make sure we don't accidentally break the path
should anyone need to depend on the former logic.
4 years ago
David Cowden
5efe5f3573
metadata-v2: pull in joshathysolate-master
Taking of this PR to get it across the goal line.
4 years ago
Mariano Cano
02c4f9817d
Set full token payload instead of only the known properties.
4 years ago
Mariano Cano
eb8886d828
Add CR subject as iid default subject.
Add a minimal subject with just a common name to iid provisioners
in case we want to use it.
4 years ago
Mariano Cano
a44f0ca866
Add token payload.
4 years ago
Mariano Cano
13b704aeed
Add template support for AWS provisioner.
4 years ago
max furman
1951669e13
wip
4 years ago
Josh Hogle
e9b500daf2
Updated error message
4 years ago
Josh Hogle
044d00045a
Fixed missing initialization of IMDS versions
4 years ago
Josh Hogle
18ac5c07e2
Added support for specifying IMDS version preference
4 years ago
Josh Hogle
dd27901b12
Moved token URL and TTL to config values
4 years ago
Josh Hogle
bbbe4738c7
Added status code checking
4 years ago
Josh Hogle
af0f21d744
added support for IMDSv2 API
4 years ago
Mariano Cano
f868e07a76
Allow to use custom principals on cloud provisioners.
Fixes #203
5 years ago
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
5 years ago
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
Mariano Cano
84ff172093
Add support for backdate to SSH certificates.
5 years ago
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
max furman
d368791606
Add x5c provisioner capabilities
5 years ago
Mariano Cano
396b4222aa
Implement validator for ssh keys.
Fixes #100
5 years ago
Mariano Cano
10e7b81b9f
Merge branch 'master' into ssh-ca
5 years ago
max furman
2b41faa9cf
Enforce >= 2048 bit rsa keys at the provisioner layer
* Fixes #94
* In the future this should be configurable by provisioner
5 years ago
Mariano Cano
57a529cc1a
Allow to enable the SSH CA per provisioner
5 years ago