Max
|
9f84f7ce35
|
Allow for identity certificate signing (in sshSign) by skipping validators (#1572)
- skip urisValidator for identity certificate signing. Implemented
by building the validator with the context in a hacky way.
|
1 year ago |
Mariano Cano
|
c7c7decd5e
|
Add support for the disableSmallstepExtensions claim
This commit adds a new claim to exclude the Smallstep provisioner
extension from the generated certificates.
Fixes #620
|
1 year ago |
Josh Drake
|
904f416d20
|
Include authorization principal in provisioner webhooks.
|
1 year ago |
max furman
|
8b256f0351
|
address linter warning for go 1.19
|
1 year ago |
Andrew Reed
|
7101fbb0ee
|
Provisioner webhooks (#1001)
|
2 years ago |
max furman
|
ab0d2503ae
|
Standardize linting file and fix or ignore lots of linting errors
|
2 years ago |
Mariano Cano
|
e7d7eb1a94
|
Add provisioner as a signOption for SSH
|
2 years ago |
Herman Slatman
|
5e9bce508d
|
Unexport GetPolicy()
|
2 years ago |
Herman Slatman
|
c40a4d2694
|
Contain policy engines inside provisioner Controller
|
3 years ago |
Herman Slatman
|
9797b3350e
|
Merge branch 'master' into herman/allow-deny
|
3 years ago |
Herman Slatman
|
dc23fd23bf
|
Merge branch 'master' into herman/allow-deny-next
|
3 years ago |
Mariano Cano
|
b401376829
|
Add current provisioner to AuthorizeSign SignOptions.
The original provisioner cannot be retrieved from a certificate
if a linked ra is used.
|
3 years ago |
Mariano Cano
|
259e95947c
|
Add support for the provisioner controller
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
|
3 years ago |
Herman Slatman
|
7c541888ad
|
Refactor configuration of allow/deny on authority level
|
3 years ago |
Herman Slatman
|
88c7b63c9d
|
Split SSH user and cert policy configuration and execution
|
3 years ago |
Herman Slatman
|
512b8d6730
|
Refactor instantiation of policy engines
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
|
3 years ago |
Herman Slatman
|
9539729bd9
|
Add initial implementation of x509 and SSH allow/deny policy engine
|
3 years ago |
Herman Slatman
|
e7a988b2cd
|
Pin golangci-lint to v1.43.0 and fix issues
|
3 years ago |
max furman
|
933b40a02a
|
Introduce gocritic linter and address warnings
|
3 years ago |
max furman
|
9fdef64709
|
Admin level API for provisioner mgmt v1
|
3 years ago |
max furman
|
638766c615
|
wip
|
3 years ago |
Mariano Cano
|
ba918100d0
|
Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
|
4 years ago |
Mariano Cano
|
e83e47a91e
|
Use sshutil and randutil from go.step.sm/crypto.
|
4 years ago |
Mariano Cano
|
f437b86a7b
|
Merge branch 'cert-templates' into ssh-cert-templates
|
4 years ago |
Mariano Cano
|
c8d225a763
|
Use x509util from go.step.sm/crypto/x509util
|
4 years ago |
Mariano Cano
|
9822305bb6
|
Use only the IID template on IID provisioners.
Use always sshutil.DefaultIIDCertificate and require at least one
principal on IID provisioners.
|
4 years ago |
Mariano Cano
|
aa657cdb4b
|
Use SSHOptions inside provisioner options.
|
4 years ago |
Mariano Cano
|
6c36ceb158
|
Add initial template support for iid provisisioners.
|
4 years ago |
Mariano Cano
|
6c64fb3ed2
|
Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
|
4 years ago |
Mariano Cano
|
02c4f9817d
|
Set full token payload instead of only the known properties.
|
4 years ago |
Mariano Cano
|
eb8886d828
|
Add CR subject as iid default subject.
Add a minimal subject with just a common name to iid provisioners
in case we want to use it.
|
4 years ago |
Mariano Cano
|
e60ea419cc
|
Add template support for gcp provisioner.
|
4 years ago |
max furman
|
1951669e13
|
wip
|
4 years ago |
Mariano Cano
|
f868e07a76
|
Allow to use custom principals on cloud provisioners.
Fixes #203
|
5 years ago |
max furman
|
1cb8bb3ae1
|
Simplify statuscoder error generators.
|
5 years ago |
max furman
|
dccbdf3a90
|
Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
|
5 years ago |
Mariano Cano
|
84ff172093
|
Add support for backdate to SSH certificates.
|
5 years ago |
max furman
|
29853ae016
|
sshpop provisioner + ssh renew | revoke | rekey first pass
|
5 years ago |
max furman
|
d368791606
|
Add x5c provisioner capabilities
|
5 years ago |
Mariano Cano
|
396b4222aa
|
Implement validator for ssh keys.
Fixes #100
|
5 years ago |
Mariano Cano
|
10e7b81b9f
|
Merge branch 'master' into ssh-ca
|
5 years ago |
max furman
|
2b41faa9cf
|
Enforce >= 2048 bit rsa keys at the provisioner layer
* Fixes #94
* In the future this should be configurable by provisioner
|
5 years ago |
Mariano Cano
|
57a529cc1a
|
Allow to enable the SSH CA per provisioner
|
5 years ago |
Mariano Cano
|
a8f4ad1b8e
|
Set default SSH options if no user options are given.
|
5 years ago |
Mariano Cano
|
b827a59e96
|
Add SSH host certificate support for GCP provisioner.
|
5 years ago |
Mariano Cano
|
f01286bb48
|
Add support for SSH certificates to OIDC.
Update the interface for all the provisioners.
|
5 years ago |
Mariano Cano
|
900ab9cc12
|
Allow custom common names in cloud identity provisioners.
|
5 years ago |
Mariano Cano
|
6e4a09651a
|
Add comments with links to cloud docs.
|
5 years ago |
Mariano Cano
|
c431538ff2
|
Add support for instance age check in GCP.
Fixes smallstep/step#164
|
5 years ago |
Mariano Cano
|
4cef086c00
|
Allow to use emails as service accounts on GCP
Fixes smallstep/step#163
|
5 years ago |