Max
9f84f7ce35
Allow for identity certificate signing (in sshSign) by skipping validators (#1572)
- skip urisValidator for identity certificate signing. Implemented
by building the validator with the context in a hacky way.
1 year ago
Remi Vichery
82b8e16d7f
Add all AWS identity document certificates
* move to use embed instead of a multi-line string
* add test to ensure all certificates are valid
* add test to ensure validity (no expired certificate)
1 year ago
Mariano Cano
c7c7decd5e
Add support for the disableSmallstepExtensions claim
This commit adds a new claim to exclude the Smallstep provisioner
extension from the generated certificates.
Fixes #620
1 year ago
Josh Drake
904f416d20
Include authorization principal in provisioner webhooks.
1 year ago
Mariano Cano
71fcdf8a0a
Fix linter errors from #1404
1 year ago
Ruslan Nugmanov
1031324273
add AWS public certificates for me-central-1 and ap-southeast-3
As per https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html
1 year ago
max furman
8b256f0351
address linter warning for go 1.19
1 year ago
Andrew Reed
7101fbb0ee
Provisioner webhooks (#1001)
2 years ago
max furman
7c5e5b2b87
Even more linter fixes
2 years ago
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2 years ago
Mariano Cano
23b8f45b37
Address gosec warnings
Most if not all false positives
2 years ago
Shulhan
fe04f93d7f
all: reformat all go files with the next gofmt (Go 1.19)
There are some changes that were manually edited, for example using '-' as
default list and grouping imports.
2 years ago
Mariano Cano
e7d7eb1a94
Add provisioner as a signOption for SSH
2 years ago
Herman Slatman
5e9bce508d
Unexport GetPolicy()
2 years ago
Herman Slatman
c40a4d2694
Contain policy engines inside provisioner Controller
3 years ago
Herman Slatman
9797b3350e
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
613c99f00f
Fix linting issues
3 years ago
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next
3 years ago
Mariano Cano
b401376829
Add current provisioner to AuthorizeSign SignOptions.
The original provisioner cannot be retrieved from a certificate
if a linked ra is used.
3 years ago
Mariano Cano
259e95947c
Add support for the provisioner controller
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in a uniform way.
3 years ago
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level
3 years ago
Herman Slatman
88c7b63c9d
Split SSH user and cert policy configuration and execution
3 years ago
Herman Slatman
512b8d6730
Refactor instantiation of policy engines
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
3 years ago
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
3 years ago
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Mariano Cano
40e77f6e9a
Initialize required variables on GetIdentityToken
Fixes smallstep/cli#465
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
max furman
638766c615
wip
3 years ago
Mariano Cano
5017b7d21f
Recalculate token id instead of validating it.
4 years ago
Mariano Cano
0cf594a003
Validate payload ID.
Related to #435
4 years ago
Mariano Cano
39b23c057d
Add all AWS certificates used to verify base64 signatures.
4 years ago
Mariano Cano
7d1686dc53
Add option to specify the AWS IID certificates to use.
This change adds a new option `iidRoots` that allows a user to
define one or more certificates that will be used for AWS IID
signature validation.
Fixes #393
4 years ago
Mariano Cano
c94a1c51be
Merge branch 'master' into ssh-cert-templates
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
aaaa7e9b4e
Merge branch 'master' into cert-templates
4 years ago
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
Mariano Cano
f437b86a7b
Merge branch 'cert-templates' into ssh-cert-templates
4 years ago
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
4 years ago
Mariano Cano
9822305bb6
Use only the IID template on IID provisioners.
Use always sshutil.DefaultIIDCertificate and require at least one
principal on IID provisioners.
4 years ago
Mariano Cano
aa657cdb4b
Use SSHOptions inside provisioner options.
4 years ago
Mariano Cano
6c36ceb158
Add initial template support for iid provisioners.
4 years ago
David Cowden
86efe7aff0
aws: use http.NoBody instead of nil
It's a little more descriptive.
4 years ago
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
4 years ago
David Cowden
51f16ee2e0
aws: add tests covering metadata service versions
* Add constructor tests for the aws provisioner.
* Add a test to make sure the "v1" logic continues to work.
By and large, v2 is the way to go. However, there are some instances of
things that specifically request metadata service version 1 and so this
adds minimal coverage to make sure we don't accidentally break the path
should anyone need to depend on the former logic.
4 years ago
David Cowden
5efe5f3573
metadata-v2: pull in joshathysolate-master
Taking of this PR to get it across the goal line.
4 years ago
Mariano Cano
02c4f9817d
Set full token payload instead of only the known properties.
4 years ago
Mariano Cano
eb8886d828
Add CR subject as iid default subject.
Add a minimal subject with just a common name to iid provisioners
in case we want to use it.
4 years ago
Mariano Cano
a44f0ca866
Add token payload.
4 years ago
Mariano Cano
13b704aeed
Add template support for AWS provisioner.
4 years ago