Commit Graph

1091 Commits

Author SHA1 Message Date
David Cowden
b8b3ca2ac1 acme/authority: Add descriptive intro to ValidateChallenge 2020-05-13 11:38:40 -07:00
David Cowden
5e5a76c3b5 acme/api: Set Link and Location headers for all 200
On the challenge resource, set "Link" and "Location" headers for all
successful requests to the challenge resource.
2020-05-13 11:10:14 -07:00
David Cowden
5354906b9c acme/api: Add func name to beginning of comment 2020-05-13 10:56:19 -07:00
David Cowden
976c8f82c6 acme/authority: Fix tests
Also, return early from ValidateChallenge if the challenge is already
valid. Interestingly, we aren't actually testing most of the
ValidateChallenge func, just the early error and return conditions. We
should add some more coverage here.
2020-05-13 07:55:38 -07:00
David Cowden
b061d0af34 acme/authority: Fix error message in test
The error message was updated. Make the test should reflect the new
changes.
2020-05-13 07:31:21 -07:00
David Cowden
609e1312da acme/api: Write headers for invalid challenges
Include the "Link" and "Location" headers on invalid challenge
resources. An invalid challenge is still a perfectly acceptable
response.
2020-05-13 07:29:12 -07:00
David Cowden
8ae32f50f2 acme: Fix comment style to appease linter
The linter likes comments on public functions to start with their name,
for some reason...
2020-05-13 05:04:49 -07:00
David Cowden
794725bcc3 acme/api: Remove unused BackoffChallenge func
The mock has an old func that is no longer used. Remove it.
2020-05-13 04:03:47 -07:00
David Cowden
8556d45c3f acme/authority: Move comment onto correct block
The comment appeared too early.
2020-05-13 04:03:01 -07:00
David Cowden
84af2ad562 acme: Fix test compile
* Add toACME test for the "processing" state.
2020-05-12 08:33:32 -07:00
David Cowden
2514b58f58 acme/api: Fixup handler_test
Remove superfluous test. Add test checking for the Retry-After header if
the challenge's RetryAfter field is set.
2020-05-12 04:52:44 -07:00
David Cowden
089e3aea4f acme/challenge: Fix error return type on KeyAuthorization
In golang, one should always return error types rather than interfaces
that conform to an error protocol. Why? Because of this:

    https://play.golang.org/p/MVa5vowuNRo

Feels ~~like JavaScript~~ bad, man.
2020-05-11 21:30:50 -07:00
David Cowden
9f18882973 acme/challenge: Copy retry information on clone
When cloning a challenge, deeply clone the retry field if it is not nil.
2020-05-11 21:25:31 -07:00
David Cowden
a857c45847 acme/authority: Polymorph the challenge type
Prior to validation, we must wrap the base challenge in the correct
concrete challenge type so that we dispatch the correct validation
method.
2020-05-11 21:23:55 -07:00
David Cowden
2d0a00c4e1 acme/api: Add missing return
Stop execution when the error happens. This was previously a typo.
2020-05-11 21:22:40 -07:00
David Cowden
8326632f5b vscode: Ignore vscode binaries
It might make sense to check in the vscode workspace file if we can make
everything relative to the project directory.
2020-05-11 18:47:07 -07:00
David Cowden
9518ba44b1 provisioner/acme: Add TODO for retry restarts
The comment in acme/authority directs users to this file so put a TODO
in for posterity.
2020-05-11 18:46:15 -07:00
David Cowden
bdadea8a37 acme: go fmt 2020-05-07 09:27:16 -07:00
David Cowden
9af4dd3692 acme: Retry challenge validation attempts
Section 8.2 of RFC 8555 explains how retries apply to the validation
process. However, much is left up to the implementer.

Add retries every 12 seconds for 2 minutes after a client requests a
validation. The challenge status remains "processing" indefinitely until
a distinct conclusion is reached. This allows a client to continually
re-request a validation by sending a post-get to the challenge resource
until the process fails or succeeds.

Challenges in the processing state include information about why a
validation did not complete in the error field. The server also includes
a Retry-After header to help clients and servers coordinate.

Retries are inherently stateful because they're part of the public API.
When running step-ca in a highly available setup with replicas, care
must be taken to maintain a persistent identifier for each instance
"slot". In kubernetes, this implies a *stateful set*.
2020-05-06 07:39:13 -07:00
David Cowden
5e6a020da5 acme/authority: Add space around *
Makes the line more readable.
2020-04-30 04:44:36 -07:00
David Cowden
f56c449ea4 handler_test: Add BackoffChallenge
The mock acme authority needs to in order to conform to the updated acme
authority interface.
2020-04-30 04:44:08 -07:00
David Cowden
8fb558da10 handler_test: Remove unused field "Backoffs" 2020-04-30 04:44:08 -07:00
Wesley Graham
8d4356733e Implement standard backoff strategy 2020-04-30 04:44:08 -07:00
Wesley Graham
f9779d0bed Polish retry conditions 2020-04-30 04:44:08 -07:00
Wesley Graham
66b2c4b1a4 Add automated challenge retries, RFC 8555 2020-04-30 04:44:08 -07:00
Wesley Graham
40d7c42e33 Implement acme RFC 8555, challenge retries 2020-04-30 04:44:08 -07:00
David Cowden
6fdbd856f7 git: Ignore *.code-workspace
These are visual studio code's workspace configuration files.
2020-04-30 04:44:08 -07:00
max furman
d40c029582 Fix docs database link. 2020-04-28 10:42:05 -07:00
max furman
30e38dc501 Bumpt the version of cli for a certificates RC. 2020-04-28 09:34:10 -07:00
Mariano Cano
df3b9f637e Use a tagged version of nosql. 2020-04-27 18:13:54 -07:00
Mariano Cano
18869323f4
Merge pull request #234 from smallstep/oidc-multinenant
Add support for multi-tenant OIDC provisioners
2020-04-27 15:21:55 -07:00
Mariano Cano
4e9bff0986 Add support for OIDC multitoken tenants for azure. 2020-04-24 14:36:32 -07:00
Mariano Cano
c7907a4626
Merge pull request #233 from smallstep/oidc-add-user-cert
Add support for user provisioner certificates on OIDC provisioners.
2020-04-24 10:54:25 -07:00
Mariano Cano
8bc3b05232 Add new extra test case. 2020-04-24 10:27:44 -07:00
Mariano Cano
b0ff731d18 Add support for user provisioner certificates on OIDC provisioners.
OIDC provisioners create an SSH certificate with two principals. This
was avoiding the creationg of user provisioner certificates for those
provisioners.

Fixes smallstep/cli#268
2020-04-23 19:42:55 -07:00
Max
59a57d487b
Merge pull request #232 from wishdev/fingerprint
Add root fingerprint to pki if certificate given
2020-04-23 14:49:06 -07:00
John W Higgins
d1f78cf6d2 Add root fingerprint to pki if certificate given
If a root certificate is provided to init an authority the fingerprint
is not currently stored in the default.json file. This patch simply
stores the fingerprint of the supplied certificate.
2020-04-23 13:47:41 -07:00
Max
00998d053d
Merge pull request #231 from smallstep/badgerV1+V2
Simultaneous support for Badger V1+V2 and ...
2020-04-21 10:16:22 -07:00
max furman
95b931bb52 Increase linter timeout limit ...
* Breaking in Travis
2020-04-21 10:10:33 -07:00
max furman
1a34e64c65 Try old method of installing golang linter ...
* Method from docs is broken in travis.
2020-04-21 09:59:54 -07:00
max furman
a179a72342 Update installer location of golangci-lint. 2020-04-21 09:39:48 -07:00
max furman
3c0970c28a Bump golangci-lint to v1.24.0 2020-04-21 09:35:57 -07:00
max furman
3be95a82d0 Update version of nosql. 2020-04-21 09:27:42 -07:00
Mariano Cano
7861069018 Fix command in distribution.md. 2020-04-20 17:42:29 -07:00
max furman
d51f254ee4 ValueLogLoadingMode -> FileLoading Mode badger 2020-04-20 16:09:07 -07:00
Mariano Cano
2993ccf16d
Merge pull request #230 from smallstep/empty-common-names
Remove the requirement for CSR to have a common name
2020-04-20 15:53:14 -07:00
Mariano Cano
a2dfa6faa8 Fix unit tests. 2020-04-20 12:29:23 -07:00
max furman
0573c00bd3 Simultaneous support for Badger V1+V2 and ...
* valueLogLoadingMode config for low RAM badger environments
2020-04-20 11:46:47 -07:00
Mariano Cano
13507efb35 Remove the requirement for CSR to have a common name.
Fixes #226
2020-04-20 10:43:33 -07:00
Mariano Cano
bcc5a91d17
Merge pull request #227 from smallstep/disable-forward-agent
Do not enable by default ForwardAgent
2020-04-15 17:27:18 -07:00