Mariano Cano
|
f5beed3b96
|
Merge pull request #83 from matteo-s/oidc-groups
Add option for checking group membership declared in JWT token
|
2019-07-23 10:05:18 -07:00 |
|
Mariano Cano
|
3e69194cc4
|
Fix lint error
|
2019-07-15 16:35:51 -07:00 |
|
Mariano Cano
|
900ab9cc12
|
Allow custom common names in cloud identity provisioners.
|
2019-07-15 15:52:36 -07:00 |
|
Mariano Cano
|
5f4217ca4c
|
Simplify abs, it performs even better.
|
2019-06-25 11:04:48 -07:00 |
|
Matteo Saloni
|
1919cfdff3
|
Add option for checking group membership declared in JWT token
|
2019-06-25 10:50:55 +02:00 |
|
Mariano Cano
|
e66272d6f0
|
Fix panic when max-age is set to zero.
Fixes #81
|
2019-06-24 13:40:14 -07:00 |
|
Mariano Cano
|
578beec25d
|
Merge pull request #65 from smallstep/cloud-identities
Cloud identities
|
2019-06-07 11:36:31 -07:00 |
|
Mariano Cano
|
8f8c862c04
|
Fix spelling errors.
|
2019-06-07 11:24:56 -07:00 |
|
Mariano Cano
|
b88a2f1373
|
Fix provisioner id in LoadByCertificate
|
2019-06-06 15:24:15 -07:00 |
|
Mariano Cano
|
37dff5124b
|
Fix audience tests.
Fixes smallstep/step#156
|
2019-06-06 13:09:00 -07:00 |
|
Mariano Cano
|
2491593cdd
|
Add ca-url based audience for AWS tokens
Fixes smallstep/step#156
|
2019-06-06 12:49:51 -07:00 |
|
Mariano Cano
|
4fa9e9333d
|
Add NewDuration constructor.
|
2019-06-05 17:53:28 -07:00 |
|
Mariano Cano
|
37f2096dff
|
Add Stringer interface to provisioner.Type.
Add missing file.
|
2019-06-05 17:52:29 -07:00 |
|
Mariano Cano
|
6e4a09651a
|
Add comments with links to cloud docs.
|
2019-06-05 11:04:00 -07:00 |
|
Mariano Cano
|
536ec36b9e
|
Add support for instance age check in AWS.
Fixes smallstep/step#164
|
2019-06-04 16:31:33 -07:00 |
|
Mariano Cano
|
c431538ff2
|
Add support for instance age check in GCP.
Fixes smallstep/step#164
|
2019-06-04 15:57:15 -07:00 |
|
Mariano Cano
|
4cef086c00
|
Allow to use emails as service accounts on GCP
Fixes smallstep/step#163
|
2019-06-03 17:28:39 -07:00 |
|
Mariano Cano
|
0a756ce9d0
|
Use on GCP audiences with the format https://<ca-url>#<provisioner-type>/<provisioner-name>
Fixes smallstep/step#156
|
2019-06-03 17:19:44 -07:00 |
|
Mariano Cano
|
a54bf925eb
|
Add filtering by GCP Project ID.
Fixes smallstep/step#155
|
2019-06-03 11:56:42 -07:00 |
|
Mariano Cano
|
54d0186d1f
|
Change condition to fail if the length is not the expected.
|
2019-05-13 11:50:22 -07:00 |
|
Mariano Cano
|
dbd3131068
|
Fix comments.
|
2019-05-10 17:54:18 -07:00 |
|
Mariano Cano
|
9f39cb5f2a
|
Add test.
|
2019-05-10 16:53:35 -07:00 |
|
Mariano Cano
|
fb6a1afd89
|
Fix typo.
|
2019-05-10 16:04:30 -07:00 |
|
Mariano Cano
|
3a1a4c5ea9
|
Do not allow reload with database configuration changes.
Fixes #smallstep/ca-component#170
|
2019-05-10 15:58:37 -07:00 |
|
Mariano Cano
|
cf07c8f4c0
|
Fix typos.
|
2019-05-09 18:56:24 -07:00 |
|
Mariano Cano
|
54570095d4
|
Merge branch 'master' into cloud-identities
|
2019-05-08 17:19:03 -07:00 |
|
Mariano Cano
|
423d505d04
|
Replace subscriptions with resource groups.
|
2019-05-08 17:11:55 -07:00 |
|
Mariano Cano
|
32d2d6b75a
|
Remove debug code.
|
2019-05-08 17:11:33 -07:00 |
|
Mariano Cano
|
e0aaa1a577
|
Use tenant id in azures's provisioner x509 extension.
|
2019-05-08 15:58:15 -07:00 |
|
Mariano Cano
|
89eeada2a2
|
Add support for loading azure tokens by tenant id.
|
2019-05-08 15:39:50 -07:00 |
|
Mariano Cano
|
803d81d332
|
Improve azure unit tests.
|
2019-05-08 12:47:45 -07:00 |
|
Mariano Cano
|
4c5fec06bf
|
Require TenantID in azure, add some tests.
|
2019-05-07 19:07:49 -07:00 |
|
Mariano Cano
|
12937c6b75
|
Remove pkcs7 related variables and structs.
|
2019-05-07 17:12:12 -07:00 |
|
Mariano Cano
|
6412b1a79b
|
Add first version of Asure support.
Fixes #69
|
2019-05-07 17:07:04 -07:00 |
|
max furman
|
81db527f12
|
NoopDB -> SimpleDB
|
2019-05-07 12:26:30 -07:00 |
|
max furman
|
b73fe8c157
|
Add used OTT to DB during authToken step
|
2019-05-06 15:52:02 -07:00 |
|
Mariano Cano
|
70196b2331
|
Add skeleton for the Azure provisioner.
Related to #69
|
2019-05-03 17:30:54 -07:00 |
|
Mariano Cano
|
81bfd2c1cb
|
Add tests for AWS provisioner
Fixes #68
|
2019-04-24 19:52:58 -07:00 |
|
Mariano Cano
|
f755fddc35
|
Fix lint errors.
|
2019-04-24 14:59:01 -07:00 |
|
Mariano Cano
|
b6a5ebcfc9
|
Move code to switch default.
|
2019-04-24 14:50:22 -07:00 |
|
Mariano Cano
|
a7f06c765d
|
Fix load of gcp and aws provisioner by certificate.
|
2019-04-24 14:49:28 -07:00 |
|
Mariano Cano
|
da93e40f90
|
Add constant for Azure type.
|
2019-04-24 14:26:37 -07:00 |
|
Mariano Cano
|
37e84aa535
|
Add DisableCustomSANs and DisableTrustOnFirstUse to GCP provisioner.
Fixes #67
|
2019-04-24 13:05:46 -07:00 |
|
Mariano Cano
|
75ef5a2275
|
Add AWS provisioner.
Fixes #68
|
2019-04-24 12:12:36 -07:00 |
|
Mariano Cano
|
5defd8289d
|
Add missing config in tests.
|
2019-04-24 11:30:37 -07:00 |
|
Mariano Cano
|
27c98806c0
|
Use GetTokenID.
|
2019-04-24 11:29:57 -07:00 |
|
Mariano Cano
|
2c68915b70
|
Fix comment.
|
2019-04-23 14:36:11 -07:00 |
|
Mariano Cano
|
fb6321fb2c
|
Use gcpConfig type to keep configuration urls.
Fixes #67
|
2019-04-23 14:33:36 -07:00 |
|
Mariano Cano
|
7e53b28320
|
Disable revoke for GCP.
|
2019-04-23 14:20:14 -07:00 |
|
Mariano Cano
|
7727fa5665
|
Update GCP tests.
|
2019-04-19 10:44:11 -07:00 |
|
Mariano Cano
|
1ea4b0ad64
|
Add unit test for GCP provider
|
2019-04-18 16:01:30 -07:00 |
|
Mariano Cano
|
b4729cd670
|
Use JWKSet to get the GCP keys.
|
2019-04-17 17:38:24 -07:00 |
|
Mariano Cano
|
f794dbeb93
|
Add support for GCP identity tokens.
|
2019-04-17 17:28:21 -07:00 |
|
max furman
|
9977eff153
|
bump cli dep and fix text error msg
|
2019-04-10 14:00:36 -07:00 |
|
max furman
|
ff20d9f5af
|
Fix composite literal uses unkeyed field
|
2019-04-10 13:50:35 -07:00 |
|
max furman
|
ab4d569f36
|
Add /revoke API with interface db backend
|
2019-04-10 13:50:35 -07:00 |
|
Mariano Cano
|
1812c0619a
|
Update go-jose to 2.3.0.
This is a dependency for smallstep/cli#105, it will be solved once
square/go-jose#224 gets merged
|
2019-04-05 12:54:23 -07:00 |
|
Mariano Cano
|
04da00d716
|
Merge pull request #55 from smallstep/x509util-real-x509
Use standard x509 creating signed certificates
|
2019-03-25 15:50:57 -07:00 |
|
Mariano Cano
|
7b9e08bcfa
|
Fix comment.
|
2019-03-25 14:18:46 -07:00 |
|
Mariano Cano
|
64f2615864
|
Fix tests.
|
2019-03-25 12:35:21 -07:00 |
|
Mariano Cano
|
6d92ba75b9
|
Don't use pointer in TimeDuration.MarshalJSON
|
2019-03-25 12:34:01 -07:00 |
|
Mariano Cano
|
698058baa9
|
Add tests for TimeDuration.
|
2019-03-25 12:05:34 -07:00 |
|
Mariano Cano
|
00fed1c538
|
Add initial version of time duration support in sign requests.
|
2019-03-22 18:55:28 -07:00 |
|
Mariano Cano
|
8c8547bf65
|
Remove unnecessary parse and improve tests.
|
2019-03-20 18:11:45 -07:00 |
|
Mariano Cano
|
b9530909a4
|
Fix tests.
|
2019-03-20 17:41:37 -07:00 |
|
Mariano Cano
|
a3e2b4a552
|
Move certificate check to the right place.
|
2019-03-20 17:36:45 -07:00 |
|
Mariano Cano
|
30a6889d1f
|
Use standard x509 instead of step one.
|
2019-03-20 17:12:52 -07:00 |
|
Mariano Cano
|
68ff077ea9
|
Improve tests.
|
2019-03-19 15:31:14 -07:00 |
|
Mariano Cano
|
76618558ae
|
Improve unit tests.
|
2019-03-19 15:27:41 -07:00 |
|
Mariano Cano
|
7378ed27ac
|
Refactor claims so they can be totally omitted if only the parent is set.
|
2019-03-19 15:10:52 -07:00 |
|
Mariano Cano
|
5d5f03f963
|
Set omitempty to admins and domains.
|
2019-03-19 11:23:18 -07:00 |
|
Mariano Cano
|
8a05cdde52
|
Add audience in the error v2
|
2019-03-18 10:59:36 -07:00 |
|
Mariano Cano
|
f8fba4df6b
|
Add audience in error.
|
2019-03-18 10:57:29 -07:00 |
|
Mariano Cano
|
60880d1f0a
|
Add domains and check emails properly.
|
2019-03-15 13:49:50 -07:00 |
|
Mariano Cano
|
5edbce017f
|
Set docs for client secret as mandatory, but it can be blank.
|
2019-03-15 11:10:52 -07:00 |
|
Mariano Cano
|
2c0c0112c6
|
Add an optional client secret field.
|
2019-03-14 18:00:11 -07:00 |
|
Mariano Cano
|
945a1371f1
|
Fix tests.
|
2019-03-13 16:46:12 -07:00 |
|
Mariano Cano
|
0b4cde1ad3
|
Move type to the first position of the struct.
|
2019-03-13 15:33:52 -07:00 |
|
Mariano Cano
|
23e6de57a2
|
Address comments in code review.
|
2019-03-13 11:26:18 -07:00 |
|
Mariano Cano
|
07cdc1021c
|
Use OIDC nonce as the reuse key.
|
2019-03-12 15:47:18 -07:00 |
|
Mariano Cano
|
7fd737cbb1
|
Fix lint warnings.
|
2019-03-11 18:47:57 -07:00 |
|
Mariano Cano
|
1f5ff5c899
|
Fix sign and renew tests.
|
2019-03-11 18:15:24 -07:00 |
|
Mariano Cano
|
2fb77b8a4d
|
Truncate to seconds the startTime to simplify tests.
|
2019-03-11 18:14:20 -07:00 |
|
Mariano Cano
|
1a9e8bad74
|
Truncate to seconds instead of rounding.
|
2019-03-11 18:13:20 -07:00 |
|
Mariano Cano
|
b77621675c
|
Fix and simplify authorize tests.
|
2019-03-11 16:38:48 -07:00 |
|
Mariano Cano
|
ef4d809ee6
|
Move matchesAudience and stripPort tests to provisioner package.
|
2019-03-11 15:47:57 -07:00 |
|
Mariano Cano
|
636d92b19b
|
Add missing files.
|
2019-03-11 14:55:42 -07:00 |
|
Mariano Cano
|
a8d03c39bb
|
Move Duration to a new file and move tests to provisioner package.
|
2019-03-11 14:54:25 -07:00 |
|
Mariano Cano
|
c24d868d9d
|
Add tests for sign options.
|
2019-03-11 13:25:19 -07:00 |
|
Mariano Cano
|
5dfcbcf5dc
|
Add noop tests.
|
2019-03-11 12:56:47 -07:00 |
|
Mariano Cano
|
4ceb88fbae
|
Add tests for OIDC and complete some JWK tests.
|
2019-03-11 12:48:46 -07:00 |
|
Mariano Cano
|
dce3100cfb
|
Add missing time in validation.
|
2019-03-11 11:12:47 -07:00 |
|
Mariano Cano
|
fb279c89fb
|
Restore deleted methods.
|
2019-03-11 10:40:55 -07:00 |
|
Mariano Cano
|
955405d6aa
|
Add some comments added to master.
|
2019-03-08 18:09:35 -08:00 |
|
Mariano Cano
|
af9688c419
|
Fix some testing errors.
|
2019-03-08 18:05:11 -08:00 |
|
Mariano Cano
|
f17d2d9694
|
Remove debug statements.
|
2019-03-08 17:29:18 -08:00 |
|
Mariano Cano
|
67c79fd014
|
Add tests for default provisioner.
|
2019-03-08 17:24:58 -08:00 |
|
Mariano Cano
|
cf2dba3efb
|
Add tests for keyStore.
|
2019-03-08 15:08:18 -08:00 |
|
Mariano Cano
|
2a5430fee1
|
Complete tests for collection.
|
2019-03-08 12:19:44 -08:00 |
|
Mariano Cano
|
54d86ca1c1
|
testing work in progress.
|
2019-03-07 19:30:17 -08:00 |
|
Mariano Cano
|
9f7f871f25
|
Add noop provisioner and use it if a provisioner cannot been found from a cert.
|
2019-03-07 16:05:13 -08:00 |
|
Mariano Cano
|
47817ab212
|
Fix interface type.
|
2019-03-07 16:04:56 -08:00 |
|
Mariano Cano
|
cc8764c343
|
Initialize the list for backward compatibility.
|
2019-03-07 16:04:29 -08:00 |
|
Mariano Cano
|
c0ef6f8dc5
|
Add missing modifier and change return codes.
|
2019-03-07 16:03:38 -08:00 |
|
Mariano Cano
|
a97ea87caa
|
Move options to provisioner so we can set the duration of the cert.
|
2019-03-07 15:14:18 -08:00 |
|
Mariano Cano
|
507fd01062
|
Remove provisioner intermediate type.
|
2019-03-07 13:07:39 -08:00 |
|
Mariano Cano
|
1671ab2590
|
Fix some tests.
|
2019-03-07 12:15:18 -08:00 |
|
Mariano Cano
|
d92a7f2948
|
Rename provisioner to jwk.
|
2019-03-06 18:36:35 -08:00 |
|
Mariano Cano
|
a1782733fe
|
Rename files.
|
2019-03-06 18:33:40 -08:00 |
|
Mariano Cano
|
2d00cd0933
|
Validate audiences in the default provisioner.
|
2019-03-06 18:32:56 -08:00 |
|
Mariano Cano
|
33c1449360
|
Remove deprecated file.
|
2019-03-06 17:42:17 -08:00 |
|
Mariano Cano
|
57b705f6cf
|
Use provisioner sign options.
|
2019-03-06 17:37:49 -08:00 |
|
Mariano Cano
|
9d4034fbf6
|
Remove unused code.
|
2019-03-06 17:37:08 -08:00 |
|
Mariano Cano
|
6d395f3818
|
Add missing validy validator to oidc.
|
2019-03-06 17:30:14 -08:00 |
|
Mariano Cano
|
602a42813c
|
Re-enable replay protection for JWK provisioner.
|
2019-03-06 17:00:45 -08:00 |
|
Mariano Cano
|
ab1cca03d7
|
Use new provisioners in authorize methods.
|
2019-03-06 15:04:28 -08:00 |
|
Mariano Cano
|
54ed49f072
|
Rename package.
|
2019-03-06 15:01:51 -08:00 |
|
Mariano Cano
|
c776ca3bd6
|
Use provisioner.Collection to store and request the provisioners.
|
2019-03-06 15:00:23 -08:00 |
|
Mariano Cano
|
34833d4fd5
|
Add validators from the authority package.
|
2019-03-06 14:58:46 -08:00 |
|
Mariano Cano
|
0dee841a4f
|
Complete first version of provisioner implementations.
|
2019-03-06 14:54:56 -08:00 |
|
Mariano Cano
|
7eb6eb1d3e
|
Complete provisioner.Claims with methods from authority.
|
2019-03-06 14:51:12 -08:00 |
|
Mariano Cano
|
fb77397fc7
|
Add new options to locate or list provisioners.
|
2019-03-06 14:50:13 -08:00 |
|
Mariano Cano
|
34ff388828
|
Use new types in config.
|
2019-03-06 14:49:25 -08:00 |
|
Mariano Cano
|
62dab7b6b8
|
Rename interface method.
|
2019-03-05 14:52:26 -08:00 |
|
Mariano Cano
|
5a8f78d9d0
|
Add support to collection to load the encrypted keys.
|
2019-03-05 14:45:57 -08:00 |
|
Mariano Cano
|
dd0376657c
|
Move collection to a new file.
|
2019-03-05 14:28:32 -08:00 |
|
Mariano Cano
|
4b2b6ffe32
|
Create the provisioner type used to englobe all different provisioners.
|
2019-03-05 12:42:49 -08:00 |
|
Mariano Cano
|
bed3132028
|
Move provisioner to authority/provisioner package.
|
2019-03-04 18:19:14 -08:00 |
|
Mariano Cano
|
fc0b2ca5a6
|
Revert "Move provisioners to authority/provisioner package."
This reverts commit f88d622a67 .
|
2019-03-04 18:17:35 -08:00 |
|
Mariano Cano
|
f88d622a67
|
Move provisioners to authority/provisioner package.
|
2019-03-04 18:10:19 -08:00 |
|
Mariano Cano
|
a2a45f635b
|
Add initial implementation of an OIDC provisioner.
|
2019-03-04 17:58:20 -08:00 |
|
max furman
|
229e5908b7
|
Added test for different authority key id after renew
Also ran dep ensure.
|
2019-02-14 19:17:42 -08:00 |
|
Mariano Cano
|
d78febec7a
|
Fix extensions copy on renew
Fixes #36
|
2019-02-14 16:44:36 -08:00 |
|
max furman
|
7e43402575
|
bug fix: don't add common name to CSR validation claims in Sign
* added unit test for this case
|
2019-02-06 16:26:25 -08:00 |
|
max furman
|
3415a1fef8
|
move SplitSANs to cli
|
2019-02-05 19:32:01 -08:00 |
|
max furman
|
6937bfea7b
|
claims.SANS -> claims.SANs
|
2019-02-04 20:22:02 -08:00 |
|
max furman
|
93f39c64a0
|
backwards compat only when SANS empty
|
2019-02-04 20:02:56 -08:00 |
|
max furman
|
fe8c8614b2
|
SANS backwards compat when token missing sujbect SAN
|
2019-02-01 12:18:10 -06:00 |
|
max furman
|
e6e8443f3c
|
allow multiple identical SANs in cert
|
2019-01-31 11:20:21 -06:00 |
|
max furman
|
f0683c2e0a
|
Enable signing certificates with custom SANs
* validate against SANs in token. must be 1:1 equivalent.
|
2019-01-30 18:21:03 -06:00 |
|
Derrick Lyndon Pallas
|
7a5c4a1112
|
authority/provisioners: fix overflow on 32-bit systems
In Go, len returns signed ints, not unsigned ints; consequently, this code
comparison overflows on 32-bit systems, like ARM.
|
2019-01-28 00:54:15 +00:00 |
|
max furman
|
2c72ada610
|
remove dead code
|
2019-01-20 21:37:12 -08:00 |
|
max furman
|
6dc89f46d8
|
make Duration public
|
2019-01-20 21:33:14 -08:00 |
|
max furman
|
0615f7eb11
|
don't wrap time.Duration
|
2019-01-18 12:08:18 -08:00 |
|
max furman
|
4b742042ee
|
make Duration wrapper publicly accessible
|
2019-01-18 10:39:12 -08:00 |
|
Mariano Cano
|
e8ac3f4888
|
Add comment to differentiate GetRootCertificates and GetRoots.
|
2019-01-14 18:11:55 -08:00 |
|
Mariano Cano
|
6e620073f5
|
Rename method Empties to HasEmpties
|
2019-01-14 18:11:55 -08:00 |
|
max furman
|
cfbb2a6f41
|
method documentation grammar fix
|
2019-01-14 17:55:01 -08:00 |
|
Mariano Cano
|
518b597535
|
Remove mTLS client requirement in /roots and /federation
|
2019-01-11 19:08:08 -08:00 |
|
Mariano Cano
|
1763ede99d
|
Add tests for new methods.
|
2019-01-10 13:19:51 -08:00 |
|