73 Commits

Author	SHA1	Message	Date
Mariano Cano	10f6a901ec	Let the CA determine the RA lifetime ... When the RA mode with StepCAS is used, let the CA decide which lifetime the RA should get instead of requiring always 24h. This commit also fixes linter warnings. Related to #1094	2024-03-12 14:29:55 -07:00
Mariano Cano	49045a1150	Change CommonName validator in JWK ... This commit changes the common name validator in the JWK provisioner to accept either the token subject or any of the sans in the token.	2023-10-31 16:44:18 -07:00
Max	9f84f7ce35	Allow for identity certificate signing (in sshSign) by skipping validators (#1572) ... - skip urisValidator for identity certificate signing. Implemented by building the validator with the context in a hacky way.	2023-10-06 14:02:19 -07:00
Mariano Cano	c7c7decd5e	Add support for the disableSmallstepExtensions claim ... This commit adds a new claim to exclude the Smallstep provisioner extension from the generated certificates. Fixes #620	2023-07-27 15:05:01 -07:00
max furman	8b256f0351	address linter warning for go 1.19	2023-05-09 23:47:28 -07:00
Andrew Reed	7101fbb0ee	Provisioner webhooks (#1001)	2022-09-29 19:16:26 -05:00
Mariano Cano	a1f54921d2	Rename internal field	2022-08-03 12:07:45 -07:00
Mariano Cano	9408d0f24b	Send RA provisioner information to the CA	2022-08-02 19:28:49 -07:00
Mariano Cano	e7d7eb1a94	Add provisioner as a signOption for SSH	2022-05-18 18:42:42 -07:00
Herman Slatman	5e9bce508d	Unexport GetPolicy()	2022-05-05 12:32:53 +02:00
Herman Slatman	c40a4d2694	Contain policy engines inside provisioner Controller	2022-04-22 01:20:38 +02:00
Herman Slatman	9797b3350e	Merge branch 'master' into herman/allow-deny	2022-04-08 16:01:56 +02:00
Herman Slatman	571b21abbc	Fix (most) PR comments	2022-03-31 16:12:29 +02:00
Herman Slatman	dc23fd23bf	Merge branch 'master' into herman/allow-deny-next	2022-03-24 12:36:12 +01:00
Mariano Cano	b401376829	Add current provisioner to AuthorizeSign SignOptions. ... The original provisioner cannot be retrieved from a certificate if a linked ra is used.	2022-03-21 19:21:40 -07:00
Mariano Cano	616490a9c6	Refactor renew after expiry token authorization ... This changes adds a new authority method that authorizes the renew after expiry tokens.	2022-03-10 20:21:01 -08:00
Mariano Cano	259e95947c	Add support for the provisioner controller ... The claimer, audiences and custom callback methods are now managed by the provisioner controller in an uniform way.	2022-03-09 18:43:45 -08:00
Herman Slatman	7c541888ad	Refactor configuration of allow/deny on authority level	2022-03-08 13:26:07 +01:00
Herman Slatman	88c7b63c9d	Split SSH user and cert policy configuration and execution	2022-02-01 15:18:39 +01:00
Herman Slatman	512b8d6730	Refactor instantiation of policy engines ... Instead of using the `base` struct, the x509 and SSH policy engines are now added to each provisioner directly.	2022-01-25 16:45:25 +01:00
Herman Slatman	6440870a80	Clean up, improve test cases and coverage	2022-01-18 14:39:21 +01:00
Herman Slatman	6bc0513468	Add more tests	2022-01-04 15:41:40 +01:00
Herman Slatman	9539729bd9	Add initial implementation of x509 and SSH allow/deny policy engine	2022-01-03 12:25:24 +01:00
Mariano Cano	668d3ea6c7	Modify errs.Wrap() with bad request to send messages to users.	2021-11-18 18:44:58 -08:00
max furman	9fdef64709	Admin level API for provisioner mgmt v1	2021-07-02 19:05:17 -07:00
max furman	638766c615	wip	2021-05-19 18:23:20 -07:00
max furman	5d09d04d14	wip	2021-05-19 15:20:16 -07:00
Mariano Cano	ba918100d0	Use go.step.sm/crypto/jose ... Replace use of github.com/smallstep/cli/crypto with the new package go.step.sm/crypto/jose.	2020-08-24 14:44:11 -07:00
Mariano Cano	e83e47a91e	Use sshutil and randutil from go.step.sm/crypto.	2020-08-10 11:26:51 -07:00
Mariano Cano	f437b86a7b	Merge branch 'cert-templates' into ssh-cert-templates	2020-08-05 18:43:07 -07:00
Mariano Cano	c8d225a763	Use x509util from go.step.sm/crypto/x509util	2020-08-05 16:02:46 -07:00
Mariano Cano	aa657cdb4b	Use SSHOptions inside provisioner options.	2020-07-30 18:44:52 -07:00
Mariano Cano	8ff8d90f8c	On JWK and X5C validate the key id on the request.	2020-07-30 17:45:03 -07:00
Mariano Cano	380a0d6daf	Add ssh certificate templates to JWK provisioner.	2020-07-30 17:45:03 -07:00
Mariano Cano	6c64fb3ed2	Rename provisioner options structs: ... * provisioner.ProvisionerOptions => provisioner.Options * provisioner.Options => provisioner.SignOptions * provisioner.SSHOptions => provisioner.SingSSHOptions	2020-07-22 18:24:45 -07:00
Mariano Cano	02c4f9817d	Set full token payload instead of only the known properties.	2020-07-21 14:21:54 -07:00
Mariano Cano	e6fed5e0aa	Minor fixes and comments.	2020-07-21 14:18:05 -07:00
Mariano Cano	ca2fb42d68	Move options to the provisioner.	2020-07-21 14:18:05 -07:00
Mariano Cano	9f3acc254b	Set the token payload in the JWK provisioner.	2020-07-21 14:18:04 -07:00
Mariano Cano	ef0ed0ff95	Integrate simple templates in the JWK provisioner.	2020-07-21 14:18:04 -07:00
max furman	71d87b4e61	wip	2020-06-24 23:25:15 -07:00
max furman	3636ba3228	wip	2020-06-23 17:13:39 -07:00
max furman	1951669e13	wip	2020-06-23 11:10:45 -07:00
max furman	1cb8bb3ae1	Simplify statuscoder error generators.	2020-01-28 13:29:40 -08:00
max furman	dccbdf3a90	Introduce generalized statusCoder errors and loads of ssh unit tests. ... * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.	2020-01-28 13:29:40 -08:00
Mariano Cano	84ff172093	Add support for backdate to SSH certificates.	2020-01-28 13:29:39 -08:00
Mariano Cano	08eac1b00d	Make sure to define the KeyID from the token if available.	2020-01-28 13:29:39 -08:00
max furman	9caadbb341	Fix authority calling wrong revoke method	2020-01-28 13:29:39 -08:00
max furman	414a94b210	Instrument getIdentity func for OIDC ssh provisioner	2020-01-28 13:28:16 -08:00
Mariano Cano	a86dc78b5d	Add missing comment.	2020-01-28 13:28:16 -08:00