81 Commits

Author	SHA1	Message	Date
Andrew Reed	7101fbb0ee	Provisioner webhooks (#1001)	2022-09-29 19:16:26 -05:00
max furman	ab0d2503ae	Standardize linting file and fix or ignore lots of linting errors	2022-09-20 16:35:41 -07:00
Raal Goff	7a03c43fe2	allow missing Email claim in OIDC tokens, use subject when its missing	2022-09-05 12:43:32 +08:00
Mariano Cano	23b8f45b37	Address gosec warnings ... Most if not all false positives	2022-08-18 17:46:20 -07:00
Mariano Cano	e7d7eb1a94	Add provisioner as a signOption for SSH	2022-05-18 18:42:42 -07:00
Herman Slatman	5e9bce508d	Unexport GetPolicy()	2022-05-05 12:32:53 +02:00
Herman Slatman	c40a4d2694	Contain policy engines inside provisioner Controller	2022-04-22 01:20:38 +02:00
Herman Slatman	9797b3350e	Merge branch 'master' into herman/allow-deny	2022-04-08 16:01:56 +02:00
Herman Slatman	571b21abbc	Fix (most) PR comments	2022-03-31 16:12:29 +02:00
Herman Slatman	dc23fd23bf	Merge branch 'master' into herman/allow-deny-next	2022-03-24 12:36:12 +01:00
Mariano Cano	b401376829	Add current provisioner to AuthorizeSign SignOptions. ... The original provisioner cannot be retrieved from a certificate if a linked ra is used.	2022-03-21 19:21:40 -07:00
Mariano Cano	259e95947c	Add support for the provisioner controller ... The claimer, audiences and custom callback methods are now managed by the provisioner controller in an uniform way.	2022-03-09 18:43:45 -08:00
Herman Slatman	7c541888ad	Refactor configuration of allow/deny on authority level	2022-03-08 13:26:07 +01:00
Herman Slatman	88c7b63c9d	Split SSH user and cert policy configuration and execution	2022-02-01 15:18:39 +01:00
Herman Slatman	512b8d6730	Refactor instantiation of policy engines ... Instead of using the `base` struct, the x509 and SSH policy engines are now added to each provisioner directly.	2022-01-25 16:45:25 +01:00
Herman Slatman	9539729bd9	Add initial implementation of x509 and SSH allow/deny policy engine	2022-01-03 12:25:24 +01:00
max furman	933b40a02a	Introduce gocritic linter and address warnings	2021-10-08 14:59:57 -04:00
Mariano Cano	a50654b468	Check for admins in both emails and groups.	2021-09-23 15:49:28 -07:00
max furman	9fdef64709	Admin level API for provisioner mgmt v1	2021-07-02 19:05:17 -07:00
max furman	638766c615	wip	2021-05-19 18:23:20 -07:00
Cristian Le	c2d30f7260	gofmt everything	2021-05-05 10:29:47 +09:00
Cristian Le	1d2445e1d8	Removed the variadic username ... Could be useful later on, but for the current PR changes should be minimized	2021-05-05 10:12:38 +09:00
Cristian Le	decf0fc8ce	Revert using preferred_username ... It might present a security issue if the users can change this value for themselves. Needs further investigation	2021-05-05 08:15:26 +09:00
Mariano Cano	08e5ec6ad1	Fix IsAdminGroup comment.	2021-05-05 08:15:26 +09:00
Mariano Cano	aafac179a5	Add test for oidc with preferred usernames.	2021-05-05 08:15:26 +09:00
Cristian Le	48666792c7	Draft: adding usernames to GetIdentityFunc	2021-05-05 08:15:26 +09:00
Cristian Le	79eec83f3e	Rename and reformat to PreferredUsername	2021-05-05 08:15:26 +09:00
Cristian Le	09a21fef26	Implement #550 ... - Read `preferred_username` from token - Add `preferred_username` to the default Usernames - Check the `admin` array for admin groups that the user might belong to	2021-05-05 08:15:26 +09:00
Mariano Cano	4c8bf87dc1	Use new admin template for K8ssa and admin-OIDC provisioners. ... This change replaces the .Insecure.CR template to one that sets all the SANs, but uses key usages and extended key usages for regular TLS certificates.	2020-09-21 12:49:16 -07:00
Mariano Cano	ba918100d0	Use go.step.sm/crypto/jose ... Replace use of github.com/smallstep/cli/crypto with the new package go.step.sm/crypto/jose.	2020-08-24 14:44:11 -07:00
Mariano Cano	e83e47a91e	Use sshutil and randutil from go.step.sm/crypto.	2020-08-10 11:26:51 -07:00
Mariano Cano	f437b86a7b	Merge branch 'cert-templates' into ssh-cert-templates	2020-08-05 18:43:07 -07:00
Mariano Cano	c8d225a763	Use x509util from go.step.sm/crypto/x509util	2020-08-05 16:02:46 -07:00
Mariano Cano	b66bdfabcd	Enforce an OIDC users to send all template variables.	2020-08-03 15:28:48 -07:00
Mariano Cano	aa657cdb4b	Use SSHOptions inside provisioner options.	2020-07-30 18:44:52 -07:00
Mariano Cano	02379d494b	Add support for extensions and critical options on the identity ... function.	2020-07-30 17:45:03 -07:00
Mariano Cano	ad28f0f59a	Move variable where it is used.	2020-07-30 17:45:03 -07:00
Mariano Cano	715eb4eacc	Add initial support for ssh templates on OIDC.	2020-07-30 17:45:03 -07:00
Mariano Cano	3e80f41c19	Change provisioner options to have X509 as a field.	2020-07-30 17:44:22 -07:00
Mariano Cano	6c64fb3ed2	Rename provisioner options structs: ... * provisioner.ProvisionerOptions => provisioner.Options * provisioner.Options => provisioner.SignOptions * provisioner.SSHOptions => provisioner.SingSSHOptions	2020-07-22 18:24:45 -07:00
Mariano Cano	02c4f9817d	Set full token payload instead of only the known properties.	2020-07-21 14:21:54 -07:00
Mariano Cano	0c8376a7f6	Fix existing unit tests.	2020-07-21 14:21:54 -07:00
Mariano Cano	71be83b25e	Add iss#sub uri in OIDC certificates. ... Admin will use the CR template if none is provided.	2020-07-21 14:18:06 -07:00
Mariano Cano	e6fed5e0aa	Minor fixes and comments.	2020-07-21 14:18:05 -07:00
Mariano Cano	206bc6757a	Add initial support for templates in the OIDC provisioner.	2020-07-21 14:18:05 -07:00
Carl Tashian	912e298043	Whitelist -> Allowlist per https://tools.ietf.org/id/draft-knodel-terminology-01.html	2020-07-20 15:42:47 -07:00
Mariano Cano	4e9bff0986	Add support for OIDC multitoken tenants for azure.	2020-04-24 14:36:32 -07:00
Mariano Cano	c49a9d5e33	Add context parameter to all SSH methods.	2020-03-10 19:01:45 -07:00
max furman	1cb8bb3ae1	Simplify statuscoder error generators.	2020-01-28 13:29:40 -08:00
max furman	dccbdf3a90	Introduce generalized statusCoder errors and loads of ssh unit tests. ... * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.	2020-01-28 13:29:40 -08:00