Mariano Cano
c066694c0c
Allow renew token issuer to be the provisioner name.
...
For consistency with AuthorizeAdminToken, AuthorizeRenewToken will
allow the issuer to be either the fixed string 'step-ca-client/1.0'
or the provisioner name.
3 years ago
Mariano Cano
ad5aedfa60
Fix backward compatibility in AuthorizeAdminToken
...
This commit validates both new and old issuers.
3 years ago
Mariano Cano
4e4d4e882f
Use a fixed string for renewal token issuer.
3 years ago
Mariano Cano
0a5dc237df
Fix typo in comment.
3 years ago
Mariano Cano
00cd0f5f21
Apply suggestions from code review
...
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
3 years ago
Mariano Cano
c8c59d68f5
Allow mTLS renewals if the provisioner extension does not exists.
...
This fixes a backward compatibility issue with with the new
LoadProvisionerByCertificate.
3 years ago
Mariano Cano
af8fcf5b01
Use always LoadProvisionerByCertificate on authority package
3 years ago
Mariano Cano
c55b27a2fc
Refactor admin token to use with RAs.
3 years ago
Mariano Cano
616490a9c6
Refactor renew after expiry token authorization
...
This changes adds a new authority method that authorizes the
renew after expiry tokens.
3 years ago
Mariano Cano
259e95947c
Add support for the provisioner controller
...
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
3 years ago
Herman Slatman
2d357da99b
Add tests for ACME revocation
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Mariano Cano
42fde8ba28
Merge branch 'master' into linkedca
3 years ago
Mariano Cano
9e5762fe06
Allow the reuse of azure token if DisableTrustOnFirstUse is true
...
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.
The meaning of this parameter is to allow the signing of multiple
certificate in one instance. This is possible in GCP, because we
get a new token, and is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.
Fixes #656
3 years ago
Mariano Cano
4ad82a2f76
Check linkedca for revocation.
3 years ago
Mariano Cano
f7542a5bd9
Move check of ssh revocation from provisioner to the authority.
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
Mariano Cano
d79b4e709e
Create a hash of a token if a token id is empty.
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
7846696fbb
Fix return sign options on ssh sign.
5 years ago
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
5 years ago
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
max furman
9caadbb341
Fix authority calling wrong revoke method
5 years ago
Mariano Cano
11c8639782
Add identity certificate in ssh response.
5 years ago
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
max furman
61d52a8510
Small fixes associated with PR review
...
* additions and grammar edits to documentation
* clarification of error msgs
5 years ago
Mariano Cano
004ea12212
Allow to use custom SSH user/host key files.
5 years ago
Mariano Cano
7a64a84761
Pass the given context.
5 years ago
Mariano Cano
e1cd5ee8c3
Add context to the Authorize method.
...
Fix tests.
5 years ago
Mariano Cano
2127d09ef3
Rename context type to apiCtx.
...
It will conflict with the context package.
5 years ago
Mariano Cano
54570095d4
Merge branch 'master' into cloud-identities
5 years ago
max furman
81db527f12
NoopDB -> SimpleDB
5 years ago
max furman
b73fe8c157
Add used OTT to DB during authToken step
5 years ago
Mariano Cano
27c98806c0
Use GetTokenID.
6 years ago
max furman
9977eff153
bump cli dep and fix text error msg
6 years ago
max furman
ab4d569f36
Add /revoke API with interface db backend
6 years ago
Mariano Cano
1812c0619a
Update go-jose to 2.3.0.
...
This is a dependency for smallstep/cli#105 , it will be solved once
square/go-jose#224 gets merged
6 years ago
Mariano Cano
8a05cdde52
Add audience in the error v2
6 years ago
Mariano Cano
f8fba4df6b
Add audience in error.
6 years ago
Mariano Cano
23e6de57a2
Address comments in code review.
6 years ago
Mariano Cano
07cdc1021c
Use OIDC nonce as the reuse key.
6 years ago
Mariano Cano
ef4d809ee6
Move matchesAudience and stripPort tests to provisioner package.
6 years ago
Mariano Cano
af9688c419
Fix some testing errors.
6 years ago
Mariano Cano
2d00cd0933
Validate audiences in the default provisioner.
6 years ago
Mariano Cano
57b705f6cf
Use provisioner sign options.
6 years ago
Mariano Cano
602a42813c
Re-enable replay protection for JWK provisioner.
6 years ago
Mariano Cano
ab1cca03d7
Use new provisioners in authorize methods.
6 years ago
max furman
3415a1fef8
move SplitSANs to cli
6 years ago
max furman
6937bfea7b
claims.SANS -> claims.SANs
6 years ago
max furman
93f39c64a0
backwards compat only when SANS empty
6 years ago