Herman Slatman
041b486c55
Remove usages of `Sign` without context
7 months ago
Panagiotis Siatras
dd1ff9c15b
Implementation of the Prometheus endpoint ( #1669 )
...
Implementation of the http://{metricsAddress}/metrics Prometheus endpoint.
8 months ago
Mariano Cano
c7f226bcec
Add support for renew when using stepcas
...
It supports renewing X.509 certificates when an RA is configured with stepcas.
This will only work when the renewal uses a token, and it won't work with mTLS.
The audience cannot be properly verified when an RA is used; to avoid this we
will get from the database if an RA was used to issue the initial certificate
and we will accept the renew token.
Fixes #1021 for stepcas
2 years ago
Andrew Reed
7101fbb0ee
Provisioner webhooks ( #1001 )
2 years ago
max furman
4c7a2ce3eb
Fix errors.As linter warnings
2 years ago
max furman
7c5e5b2b87
Even more linter fixes
2 years ago
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2 years ago
Mariano Cano
6b3a8f22f3
Add provisioner to SSH renewals
...
This commit allows reporting the provisioner to the linkedca when
an SSH certificate is renewed.
2 years ago
Mariano Cano
a627f21440
Fix AuthorizeSSHSign tests with extra SignOption
2 years ago
Herman Slatman
abcad679ff
Merge branch 'master' into herman/allow-deny
2 years ago
Mariano Cano
c066694c0c
Allow renew token issuer to be the provisioner name.
...
For consistency with AuthorizeAdminToken, AuthorizeRenewToken will
allow the issuer to be either the fixed string 'step-ca-client/1.0'
or the provisioner name.
2 years ago
Mariano Cano
5f714f2485
Fix tests for AuthorizeRenewToken
3 years ago
Mariano Cano
af8fcf5b01
Use always LoadProvisionerByCertificate on authority package
3 years ago
Herman Slatman
9797b3350e
Merge branch 'master' into herman/allow-deny
3 years ago
Mariano Cano
b7e11da480
Merge branch 'master' into feat/linkedra
3 years ago
Herman Slatman
2fbdf7d5b0
Merge branch 'master' into herman/allow-deny
3 years ago
Panagiotis Siatras
00634fb648
api/render, api/log: initial implementation of the packages ( #860 )
...
* api/render: initial implementation of the package
* acme/api: refactored to support api/render
* authority/admin: refactored to support api/render
* ca: refactored to support api/render
* api: refactored to support api/render
* api/render: implemented Error
* api: refactored to support api/render.Error
* acme/api: refactored to support api/render.Error
* authority/admin: refactored to support api/render.Error
* ca: refactored to support api/render.Error
* ca: fixed broken tests
* api/render, api/log: moved error logging to this package
* acme: refactored Error so that it implements render.RenderableError
* authority/admin: refactored Error so that it implements render.RenderableError
* api/render: implemented RenderableError
* api/render: added test coverage for Error
* api/render: implemented statusCodeFromError
* api: refactored RootsPEM to work with render.Error
* acme, authority/admin: fixed pointer receiver name for consistency
* api/render, errs: moved StatusCoder & StackTracer to the render package
3 years ago
Mariano Cano
6851842841
Fix unit tests.
3 years ago
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next
3 years ago
Mariano Cano
616490a9c6
Refactor renew after expiry token authorization
...
This change adds a new authority method that authorizes the
renew after expiry tokens.
3 years ago
Mariano Cano
79349b4d7c
Add options to use custom renewal methods.
3 years ago
Mariano Cano
259e95947c
Add support for the provisioner controller
...
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in a uniform way.
3 years ago
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
Mariano Cano
d79b4e709e
Create a hash of a token if a token id is empty.
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
4 years ago
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
Mariano Cano
c4bbc81d9f
Fix authority tests.
4 years ago
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SignSSHOptions
4 years ago
Mariano Cano
d64cb99a22
Fix authority package tests.
4 years ago
max furman
71d87b4e61
wip
4 years ago
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
5 years ago
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
Mariano Cano
f26103d150
Make test compilable.
5 years ago
Mariano Cano
a6edcd0a3d
Make tests compile; they still fail.
5 years ago
Mariano Cano
10e7b81b9f
Merge branch 'master' into ssh-ca
5 years ago
max furman
2b41faa9cf
Enforce >= 2048 bit rsa keys at the provisioner layer
...
* Fixes #94
* In the future this should be configurable by provisioner
5 years ago
max furman
635c59ed24
Accept email SANs
5 years ago
Mariano Cano
e1cd5ee8c3
Add context to the Authorize method.
...
Fix tests.
5 years ago
max furman
81db527f12
NoopDB -> SimpleDB
5 years ago
max furman
b73fe8c157
Add used OTT to DB during authToken step
5 years ago
max furman
ab4d569f36
Add /revoke API with interface db backend
6 years ago
Mariano Cano
1f5ff5c899
Fix sign and renew tests.
6 years ago
Mariano Cano
b77621675c
Fix and simplify authorize tests.
6 years ago
Mariano Cano
ef4d809ee6
Move matchesAudience and stripPort tests to provisioner package.
6 years ago
Mariano Cano
af9688c419
Fix some testing errors.
6 years ago
Mariano Cano
54d86ca1c1
testing work in progress.
6 years ago
Mariano Cano
7e95fc0e45
Strip ports on audience check.
...
Services might have proxies behind them so we cannot rely on them.
Fixes #17
6 years ago