Max
9f84f7ce35
Allow for identity certificate signing (in sshSign) by skipping validators ( #1572 )
...
- skip urisValidator for identity certificate signing. Implemented
by building the validator with the context in a hacky way.
1 year ago
Mariano Cano
c7c7decd5e
Add support for the disableSmallstepExtensions claim
...
This commit adds a new claim to exclude the Smallstep provisioner
extension from the generated certificates.
Fixes #620
1 year ago
Josh Drake
904f416d20
Include authorization principal in provisioner webhooks.
1 year ago
max furman
8b256f0351
address linter warning for go 1.19
1 year ago
Remi Vichery
09cbe8ba65
fixup! Add identity token for all Azure cloud environments
2 years ago
Remi Vichery
b2c2eec76b
Add identity token for all Azure cloud environments
...
* Azure Public Cloud (default)
* Azure China Cloud
* Azure US Gov Cloud
* Azure German Cloud
2 years ago
Andrew Reed
7101fbb0ee
Provisioner webhooks ( #1001 )
2 years ago
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2 years ago
Mariano Cano
23b8f45b37
Address gosec warnings
...
Most if not all false positives
2 years ago
Mariano Cano
e7d7eb1a94
Add provisioner as a signOption for SSH
2 years ago
Herman Slatman
5e9bce508d
Unexport GetPolicy()
2 years ago
Herman Slatman
c40a4d2694
Contain policy engines inside provisioner Controller
3 years ago
Herman Slatman
9797b3350e
Merge branch 'master' into herman/allow-deny
3 years ago
vijayjt
37207793f9
Pass in the resource name regardless of if its a VM or managed identity
3 years ago
vijayjt
7b605b2d16
Support Azure tokens from managed identities not associated with a VM
3 years ago
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next
3 years ago
Mariano Cano
082734474b
Merge pull request #845 from vijayjt/azure-user-mi-token
...
WIP: Support Azure tokens generated by managed identities
3 years ago
Mariano Cano
b401376829
Add current provisioner to AuthorizeSign SignOptions.
...
The original provisioner cannot be retrieved from a certificate
if a linked ra is used.
3 years ago
vijayjt
24a963766e
Pass in the resource name regardless of if its a VM or managed identity
3 years ago
Mariano Cano
259e95947c
Add support for the provisioner controller
...
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
3 years ago
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level
3 years ago
Herman Slatman
af53a17bb4
Merge branch 'master' into herman/allow-deny
3 years ago
vijayjt
e699244291
Support Azure tokens from managed identities not associated with a VM
3 years ago
Mariano Cano
15b1049f19
Fix json tag for Azure.ObjectIDs.
3 years ago
vijayjt
4a10f2c584
Rename new fields as per feedback to remove AAD from the name
3 years ago
vijayjt
8b68bedffa
Add support for validation of certificate requests using Azure subscription and AAD object IDs. See #735
3 years ago
Herman Slatman
88c7b63c9d
Split SSH user and cert policy configuration and execution
3 years ago
Herman Slatman
512b8d6730
Refactor instantiation of policy engines
...
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
3 years ago
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
3 years ago
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Mariano Cano
9e5762fe06
Allow the reuse of azure token if DisableTrustOnFirstUse is true
...
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.
The meaning of this parameter is to allow the signing of multiple
certificate in one instance. This is possible in GCP, because we
get a new token, and is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.
Fixes #656
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
max furman
638766c615
wip
3 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
Mariano Cano
f437b86a7b
Merge branch 'cert-templates' into ssh-cert-templates
4 years ago
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
4 years ago
Mariano Cano
9822305bb6
Use only the IID template on IID provisioners.
...
Use always sshutil.DefaultIIDCertificate and require at least one
principal on IID provisioners.
4 years ago
Mariano Cano
aa657cdb4b
Use SSHOptions inside provisioner options.
4 years ago
Mariano Cano
6c36ceb158
Add initial template support for iid provisisioners.
4 years ago
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
4 years ago
Mariano Cano
02c4f9817d
Set full token payload instead of only the known properties.
4 years ago
Mariano Cano
32646c49bf
Add templates support to Azure provisioner.
4 years ago
max furman
1951669e13
wip
4 years ago
Mariano Cano
4e9bff0986
Add support for OIDC multitoken tenants for azure.
5 years ago
Mariano Cano
f868e07a76
Allow to use custom principals on cloud provisioners.
...
Fixes #203
5 years ago
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
5 years ago
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
Mariano Cano
84ff172093
Add support for backdate to SSH certificates.
5 years ago