Panagiotis Siatras
dd1ff9c15b
Implementation of the Prometheus endpoint (#1669)
Implementation of the http://{metricsAddress}/metrics Prometheus endpoint.
9 months ago
Max
9f84f7ce35
Allow for identity certificate signing (in sshSign) by skipping validators (#1572)
- skip urisValidator for identity certificate signing. Implemented
by building the validator with the context in a hacky way.
1 year ago
Max
b7c4ed26fb
Use provisioner name in error message (#1524)
1 year ago
max furman
8b256f0351
address linter warning for go 1.19
1 year ago
Mariano Cano
c7f226bcec
Add support for renew when using stepcas
It supports renewing X.509 certificates when an RA is configured with stepcas.
This will only work when the renewal uses a token, and it won't work with mTLS.
The audience cannot be properly verified when an RA is used. To avoid this, we
will get from the database whether an RA was used to issue the initial certificate
and we will accept the renew token.
Fixes #1021 for stepcas
2 years ago
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2 years ago
Mariano Cano
8fc4a58242
Fix nil pointer exception, missing error
2 years ago
Mariano Cano
911cec21da
Merge pull request #943 from smallstep/ssh-renew-provisioner
Add provisioner to SSH renewals
2 years ago
Mariano Cano
94f5b92513
Use proper context in authority package
2 years ago
Mariano Cano
1be74eca62
Merge branch 'master' into ssh-renew-provisioner
2 years ago
Mariano Cano
6b3a8f22f3
Add provisioner to SSH renewals
This commit allows reporting the provisioner to the linkedca when
an SSH certificate is renewed.
2 years ago
Mariano Cano
43ddcf2efe
Do not use deprecated AuthorizeSign
2 years ago
Mariano Cano
c066694c0c
Allow renew token issuer to be the provisioner name.
For consistency with AuthorizeAdminToken, AuthorizeRenewToken will
allow the issuer to be either the fixed string 'step-ca-client/1.0'
or the provisioner name.
3 years ago
Mariano Cano
ad5aedfa60
Fix backward compatibility in AuthorizeAdminToken
This commit validates both new and old issuers.
3 years ago
Mariano Cano
4e4d4e882f
Use a fixed string for renewal token issuer.
3 years ago
Mariano Cano
0a5dc237df
Fix typo in comment.
3 years ago
Mariano Cano
00cd0f5f21
Apply suggestions from code review
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
3 years ago
Mariano Cano
c8c59d68f5
Allow mTLS renewals if the provisioner extension does not exist.
This fixes a backward compatibility issue with the new
LoadProvisionerByCertificate.
3 years ago
Mariano Cano
af8fcf5b01
Always use LoadProvisionerByCertificate in the authority package
3 years ago
Mariano Cano
c55b27a2fc
Refactor admin token for use with RAs.
3 years ago
Mariano Cano
616490a9c6
Refactor renew after expiry token authorization
This change adds a new authority method that authorizes the
renew after expiry tokens.
3 years ago
Mariano Cano
259e95947c
Add support for the provisioner controller
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in a uniform way.
3 years ago
Herman Slatman
2d357da99b
Add tests for ACME revocation
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Mariano Cano
42fde8ba28
Merge branch 'master' into linkedca
3 years ago
Mariano Cano
9e5762fe06
Allow the reuse of azure token if DisableTrustOnFirstUse is true
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.
The meaning of this parameter is to allow the signing of multiple
certificates in one instance. This is possible in GCP, because we
get a new token, and it is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.
Fixes #656
3 years ago
Mariano Cano
4ad82a2f76
Check linkedca for revocation.
3 years ago
Mariano Cano
f7542a5bd9
Move check of ssh revocation from provisioner to the authority.
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
Mariano Cano
d79b4e709e
Create a hash of a token if a token id is empty.
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
7846696fbb
Fix return sign options on ssh sign.
5 years ago
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
5 years ago
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
max furman
9caadbb341
Fix authority calling wrong revoke method
5 years ago
Mariano Cano
11c8639782
Add identity certificate in ssh response.
5 years ago
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
max furman
61d52a8510
Small fixes associated with PR review
* additions and grammar edits to documentation
* clarification of error msgs
5 years ago
Mariano Cano
004ea12212
Allow the use of custom SSH user/host key files.
5 years ago
Mariano Cano
7a64a84761
Pass the given context.
5 years ago
Mariano Cano
e1cd5ee8c3
Add context to the Authorize method.
Fix tests.
5 years ago
Mariano Cano
2127d09ef3
Rename context type to apiCtx.
It will conflict with the context package.
5 years ago
Mariano Cano
54570095d4
Merge branch 'master' into cloud-identities
6 years ago
max furman
81db527f12
NoopDB -> SimpleDB
6 years ago
max furman
b73fe8c157
Add used OTT to DB during authToken step
6 years ago
Mariano Cano
27c98806c0
Use GetTokenID.
6 years ago
max furman
9977eff153
bump cli dep and fix text error msg
6 years ago
max furman
ab4d569f36
Add /revoke API with interface db backend
6 years ago
Mariano Cano
1812c0619a
Update go-jose to 2.3.0.
This is a dependency for smallstep/cli#105; it will be solved once
square/go-jose#224 gets merged.
6 years ago
Mariano Cano
8a05cdde52
Add audience in the error v2
6 years ago