Mariano Cano
|
59fc8cdd2d
|
Fix typo in comments.
|
5 years ago |
max furman
|
397a181d10
|
Add backdate validation to sshCertValidityValidator.
|
5 years ago |
max furman
|
1cb8bb3ae1
|
Simplify statuscoder error generators.
|
5 years ago |
max furman
|
dccbdf3a90
|
Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
|
5 years ago |
Mariano Cano
|
895d3054a3
|
Remove the use of custom x509 package.
Upgrade cli dependency.
|
5 years ago |
Mariano Cano
|
144acb9ee3
|
Remove debug statement.
|
5 years ago |
Mariano Cano
|
06411d1715
|
Add tests of profileLimitDuration with backdate.
|
5 years ago |
Mariano Cano
|
8297e5c717
|
Add tests for backdate and sshDefaultDuration
|
5 years ago |
Mariano Cano
|
93b65bee7c
|
Add unit test for profileDefaultDuration.
|
5 years ago |
Mariano Cano
|
84ff172093
|
Add support for backdate to SSH certificates.
|
5 years ago |
Mariano Cano
|
5565d61bf3
|
Add fault tolerance against clock skew across system on TLS certificates.
|
5 years ago |
Mariano Cano
|
08eac1b00d
|
Make sure to define the KeyID from the token if available.
|
5 years ago |
max furman
|
9caadbb341
|
Fix authority calling wrong revoke method
|
5 years ago |
max furman
|
414a94b210
|
Instrument getIdentity func for OIDC ssh provisioner
|
5 years ago |
max furman
|
3d970b45c8
|
remove printfs
|
5 years ago |
max furman
|
f74cd04a6a
|
Add WithGetIdentityFunc option and attr to authority
* Add Identity type to provisioner
|
5 years ago |
Mariano Cano
|
a86dc78b5d
|
Add missing comment.
|
5 years ago |
Mariano Cano
|
7db7b1ee4c
|
Fix some provisioner tests
|
5 years ago |
Mariano Cano
|
d4627d1282
|
Make provisioner tests compile, they are still failing.
|
5 years ago |
Mariano Cano
|
cf592fa0e1
|
Remove global check for number of k8sSA provisioners.
This was causing a bug in the reload of the ca.
|
5 years ago |
max furman
|
5788ac3f4f
|
sshpop token should not allow renew/rekey of user ssh certs
|
5 years ago |
max furman
|
54e3cf7322
|
Add multiuse capability to k8ssa provisioners
|
5 years ago |
max furman
|
29853ae016
|
sshpop provisioner + ssh renew | revoke | rekey first pass
|
5 years ago |
max furman
|
c04f1e1bd4
|
sshpop first pass
|
5 years ago |
max furman
|
8f07ff6a39
|
Add kubernetes service account provisioner
|
5 years ago |
max furman
|
d368791606
|
Add x5c provisioner capabilities
|
5 years ago |
Mariano Cano
|
59526d3225
|
Merge pull request #105 from smallstep/okta-support
Address support on OIDC provisioners
|
5 years ago |
Mariano Cano
|
39b41b5e83
|
Merge pull request #107 from smallstep/ssh-valid-after
Truncate to seconds ValidAfter
|
5 years ago |
Mariano Cano
|
d59a5b222f
|
Truncate to seconds to avoid rounding up times.
It can cause that certs are not valid yet, if they are used right away.
|
5 years ago |
max furman
|
fe7973c060
|
wip
|
5 years ago |
Mariano Cano
|
adc1d54b0d
|
Define valid after as 1m before now.
It avoids errors with immediate use of cert.
|
5 years ago |
Mariano Cano
|
72f1a61f06
|
Increase coverage.
|
5 years ago |
Mariano Cano
|
b7045f27a9
|
Increase coverage.
|
5 years ago |
Mariano Cano
|
a16b2125bc
|
Fix tests.
|
5 years ago |
Mariano Cano
|
6c4abfabbb
|
Make /.well-known/openid-configuration optional
|
5 years ago |
Mariano Cano
|
3527ee6940
|
Add support for listenAddress parameter in OIDC provisioners.
Fixes smallstep/cli#150
|
5 years ago |
max furman
|
44e864030d
|
Remove debug logging
|
5 years ago |
max furman
|
e3826dd1c3
|
Add ACME CA capabilities
|
5 years ago |
max furman
|
d204469280
|
Add a few more validity checks to default ssh cert validator
|
5 years ago |
Mariano Cano
|
396b4222aa
|
Implement validator for ssh keys.
Fixes #100
|
5 years ago |
max furman
|
61d52a8510
|
Small fixes associated with PR review
* additions and grammar edits to documentation
* clarification of error msgs
|
5 years ago |
Mariano Cano
|
10e7b81b9f
|
Merge branch 'master' into ssh-ca
|
5 years ago |
max furman
|
ac234771c7
|
Remove unknown provisioner WARNning and leave TODO
|
5 years ago |
max furman
|
ca8daf5f12
|
Update comment and warn
|
5 years ago |
Mariano Cano
|
9200f11ed8
|
Skip unsupported provisioners.
|
5 years ago |
max furman
|
2b41faa9cf
|
Enforce >= 2048 bit rsa keys at the provisioner layer
* Fixes #94
* In the future this should be configurable by provisioner
|
5 years ago |
max furman
|
635c59ed24
|
Accept emails SANs
|
5 years ago |
Mariano Cano
|
34e1e3380a
|
Fix lint errors.
|
5 years ago |
Mariano Cano
|
57a529cc1a
|
Allow to enable the SSH CA per provisioner
|
5 years ago |
Mariano Cano
|
e71072d389
|
Add experimental support for provisioning users.
|
5 years ago |
Mariano Cano
|
dc657565a7
|
Add SSH test for GCP.
|
5 years ago |
Mariano Cano
|
7983aa8661
|
Add azure ssh tests.
|
5 years ago |
Mariano Cano
|
2cac85a8c8
|
Add aws tests.
|
5 years ago |
Mariano Cano
|
f8a71899fd
|
Add missing file.
|
5 years ago |
Mariano Cano
|
d231bfb764
|
Update jwk and oidc tests.
|
5 years ago |
Mariano Cano
|
a8f4ad1b8e
|
Set default SSH options if no user options are given.
|
5 years ago |
Mariano Cano
|
c17375a10a
|
Create convenient method to mock the timeduration.
|
5 years ago |
Mariano Cano
|
4c1a11c1bc
|
Add Unix method to TimeDuration.
|
5 years ago |
Mariano Cano
|
b0240772da
|
Add tests for SSH certs with JWK provisioners.
|
5 years ago |
Mariano Cano
|
780eeb5487
|
Remove debug print.
|
5 years ago |
Mariano Cano
|
ad91842d06
|
Add test for SanitizeSSHUserPrincipal
|
5 years ago |
Mariano Cano
|
f8cacc11b1
|
Fix tests.
|
5 years ago |
Mariano Cano
|
b827a59e96
|
Add SSH host certificate support for GCP provisioner.
|
5 years ago |
Mariano Cano
|
221d323b68
|
Fix containsAllMembers
|
5 years ago |
Mariano Cano
|
18a285e847
|
Change azure ssh key id.
|
5 years ago |
Mariano Cano
|
aef52e4334
|
Add support for SSH host certificates in azure.
|
5 years ago |
Mariano Cano
|
7d670b20ea
|
Add support of ssh host certificates in AWS provisioner.
|
5 years ago |
Mariano Cano
|
7583f1c739
|
Do not require all principals, allow subgroups.
|
5 years ago |
Mariano Cano
|
41b97372e6
|
Rename function to SanitizeSSHUserPrincipal
|
5 years ago |
Mariano Cano
|
53f62f871c
|
Set not extensions to host certificates.
|
5 years ago |
Mariano Cano
|
48c98dea2a
|
Make SanitizeSSHPrincipal a public function.
|
5 years ago |
Mariano Cano
|
f01286bb48
|
Add support for SSH certificates to OIDC.
Update the interface for all the provisioners.
|
5 years ago |
Mariano Cano
|
082ebda85b
|
Merge branch 'master' of github.com:smallstep/certificates into ssh-ca
|
5 years ago |
Mariano Cano
|
d7221e15ac
|
Always marshal timeduration as a string
|
5 years ago |
Mariano Cano
|
3ff410c695
|
fix ssh validity modifier
|
5 years ago |
Mariano Cano
|
1c8f610ca9
|
Add initial implementation of an SSH CA using the JWK provisioner.
Fixes smallstep/ca-component#187
|
5 years ago |
Mariano Cano
|
f5beed3b96
|
Merge pull request #83 from matteo-s/oidc-groups
Add option for checking group membership declared in JWT token
|
5 years ago |
Mariano Cano
|
3e69194cc4
|
Fix lint error
|
5 years ago |
Mariano Cano
|
900ab9cc12
|
Allow custom common names in cloud identity provisioners.
|
5 years ago |
Mariano Cano
|
5f4217ca4c
|
Simplify abs, it performs even better.
|
5 years ago |
Matteo Saloni
|
1919cfdff3
|
Add option for checking group membership declared in JWT token
|
5 years ago |
Mariano Cano
|
e66272d6f0
|
Fix panic when max-age is set to zero.
Fixes #81
|
5 years ago |
Mariano Cano
|
8f8c862c04
|
Fix spelling errors.
|
5 years ago |
Mariano Cano
|
b88a2f1373
|
Fix provisioner id in LoadByCertificate
|
5 years ago |
Mariano Cano
|
37dff5124b
|
Fix audience tests.
Fixes smallstep/step#156
|
5 years ago |
Mariano Cano
|
2491593cdd
|
Add ca-url based audience for AWS tokens
Fixes smallstep/step#156
|
5 years ago |
Mariano Cano
|
4fa9e9333d
|
Add NewDuration constructor.
|
5 years ago |
Mariano Cano
|
37f2096dff
|
Add Stringer interface to provisioner.Type.
Add missing file.
|
5 years ago |
Mariano Cano
|
6e4a09651a
|
Add comments with links to cloud docs.
|
5 years ago |
Mariano Cano
|
536ec36b9e
|
Add support for instance age check in AWS.
Fixes smallstep/step#164
|
5 years ago |
Mariano Cano
|
c431538ff2
|
Add support for instance age check in GCP.
Fixes smallstep/step#164
|
5 years ago |
Mariano Cano
|
4cef086c00
|
Allow to use emails as service accounts on GCP
Fixes smallstep/step#163
|
5 years ago |
Mariano Cano
|
0a756ce9d0
|
Use on GCP audiences with the format https://<ca-url>#<provisioner-type>/<provisioner-name>
Fixes smallstep/step#156
|
5 years ago |
Mariano Cano
|
a54bf925eb
|
Add filtering by GCP Project ID.
Fixes smallstep/step#155
|
5 years ago |
Mariano Cano
|
54d0186d1f
|
Change condition to fail if the length is not the expected.
|
5 years ago |
Mariano Cano
|
cf07c8f4c0
|
Fix typos.
|
5 years ago |
Mariano Cano
|
423d505d04
|
Replace subscriptions with resource groups.
|
5 years ago |
Mariano Cano
|
32d2d6b75a
|
Remove debug code.
|
5 years ago |
Mariano Cano
|
e0aaa1a577
|
Use tenant id in azure's provisioner x509 extension.
|
5 years ago |
Mariano Cano
|
89eeada2a2
|
Add support for loading azure tokens by tenant id.
|
5 years ago |