Mariano Cano
10f6a901ec
Let the CA determine the RA lifetime
...
When the RA mode with StepCAS is used, let the CA decide which lifetime
the RA should get instead of requiring always 24h.
This commit also fixes linter warnings.
Related to #1094
7 months ago
Mariano Cano
49045a1150
Change CommonName validator in JWK
...
This commit changes the common name validator in the JWK provisioner to
accept either the token subject or any of the sans in the token.
12 months ago
Max
9f84f7ce35
Allow for identity certificate signing (in sshSign) by skipping validators ( #1572 )
...
- skip urisValidator for identity certificate signing. Implemented
by building the validator with the context in a hacky way.
1 year ago
Mariano Cano
c7c7decd5e
Add support for the disableSmallstepExtensions claim
...
This commit adds a new claim to exclude the Smallstep provisioner
extension from the generated certificates.
Fixes #620
1 year ago
max furman
8b256f0351
address linter warning for go 1.19
1 year ago
Andrew Reed
7101fbb0ee
Provisioner webhooks ( #1001 )
2 years ago
Mariano Cano
a1f54921d2
Rename internal field
2 years ago
Mariano Cano
9408d0f24b
Send RA provisioner information to the CA
2 years ago
Mariano Cano
e7d7eb1a94
Add provisioner as a signOption for SSH
2 years ago
Herman Slatman
5e9bce508d
Unexport GetPolicy()
2 years ago
Herman Slatman
c40a4d2694
Contain policy engines inside provisioner Controller
3 years ago
Herman Slatman
9797b3350e
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
571b21abbc
Fix (most) PR comments
3 years ago
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next
3 years ago
Mariano Cano
b401376829
Add current provisioner to AuthorizeSign SignOptions.
...
The original provisioner cannot be retrieved from a certificate
if a linked ra is used.
3 years ago
Mariano Cano
616490a9c6
Refactor renew after expiry token authorization
...
This changes adds a new authority method that authorizes the
renew after expiry tokens.
3 years ago
Mariano Cano
259e95947c
Add support for the provisioner controller
...
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
3 years ago
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level
3 years ago
Herman Slatman
88c7b63c9d
Split SSH user and cert policy configuration and execution
3 years ago
Herman Slatman
512b8d6730
Refactor instantiation of policy engines
...
Instead of using the `base` struct, the x509 and SSH policy
engines are now added to each provisioner directly.
3 years ago
Herman Slatman
6440870a80
Clean up, improve test cases and coverage
3 years ago
Herman Slatman
6bc0513468
Add more tests
3 years ago
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
3 years ago
Mariano Cano
668d3ea6c7
Modify errs.Wrap() with bad request to send messages to users.
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
max furman
638766c615
wip
3 years ago
max furman
5d09d04d14
wip
3 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
Mariano Cano
f437b86a7b
Merge branch 'cert-templates' into ssh-cert-templates
4 years ago
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
4 years ago
Mariano Cano
aa657cdb4b
Use SSHOptions inside provisioner options.
4 years ago
Mariano Cano
8ff8d90f8c
On JWK and X5C validate the key id on the request.
4 years ago
Mariano Cano
380a0d6daf
Add ssh certificate templates to JWK provisioner.
4 years ago
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
4 years ago
Mariano Cano
02c4f9817d
Set full token payload instead of only the known properties.
4 years ago
Mariano Cano
e6fed5e0aa
Minor fixes and comments.
4 years ago
Mariano Cano
ca2fb42d68
Move options to the provisioner.
4 years ago
Mariano Cano
9f3acc254b
Set the token payload in the JWK provisioner.
4 years ago
Mariano Cano
ef0ed0ff95
Integrate simple templates in the JWK provisioner.
4 years ago
max furman
71d87b4e61
wip
4 years ago
max furman
3636ba3228
wip
4 years ago
max furman
1951669e13
wip
4 years ago
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
5 years ago
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
Mariano Cano
84ff172093
Add support for backdate to SSH certificates.
5 years ago
Mariano Cano
08eac1b00d
Make sure to define the KeyID from the token if available.
5 years ago
max furman
9caadbb341
Fix authority calling wrong revoke method
5 years ago
max furman
414a94b210
Instrument getIdentity func for OIDC ssh provisioner
5 years ago
Mariano Cano
a86dc78b5d
Add missing comment.
5 years ago