62 Commits

Author	SHA1	Message	Date
Andrew Reed	7101fbb0ee	Provisioner webhooks (#1001)	2022-09-29 19:16:26 -05:00
Mariano Cano	5df1694250	Add endpoint id for the RA certificate ... In a linked RA mode, send an endpoint id to group the server certificates.	2022-08-11 14:47:11 -07:00
Mariano Cano	6b5d3dca95	Add provisioner name to RA info	2022-08-03 18:44:04 -07:00
Mariano Cano	9408d0f24b	Send RA provisioner information to the CA	2022-08-02 19:28:49 -07:00
Mariano Cano	df8ffb35af	Remove unnecessary database in provisioner config.	2022-04-05 17:39:06 -07:00
Mariano Cano	616490a9c6	Refactor renew after expiry token authorization ... This changes adds a new authority method that authorizes the renew after expiry tokens.	2022-03-10 20:21:01 -08:00
Mariano Cano	fd6a2eeb9c	Add provisioner controller ... The provisioner controller has the implementation of the identity function as well as the renew methods with renew after expiry support.	2022-03-09 18:39:09 -08:00
Mariano Cano	32390a2964	Add initial implementation of a nebula provisioner. ... A nebula provisioner will generate a X509 or SSH certificate with the identities in the nebula certificate embedded in the token. The token is signed with the private key of the nebula certificate.	2021-12-29 14:12:03 -08:00
max furman	933b40a02a	Introduce gocritic linter and address warnings	2021-10-08 14:59:57 -04:00
Mariano Cano	d4ae267add	Fix ErrAllowTokenReuse comment.	2021-08-11 14:59:26 -07:00
Mariano Cano	9e5762fe06	Allow the reuse of azure token if DisableTrustOnFirstUse is true ... Azure caches tokens for 24h and we cannot issue a new certificate for the same instance in that period of time. The meaning of this parameter is to allow the signing of multiple certificate in one instance. This is possible in GCP, because we get a new token, and is possible in AWS because we can generate a new one. On Azure there was no other way to do it unless you wait for 24h. Fixes #656	2021-08-11 11:50:54 -07:00
Herman Slatman	339039768c	Refactor SCEP authority initialization and clean some code	2021-05-26 16:00:08 -07:00
Herman Slatman	48c86716a0	Add rudimentary (and incomplete) support for SCEP	2021-05-26 15:58:04 -07:00
max furman	638766c615	wip	2021-05-19 18:23:20 -07:00
Cristian Le	1d2445e1d8	Removed the variadic username ... Could be useful later on, but for the current PR changes should be minimized	2021-05-05 10:12:38 +09:00
Cristian Le	9e00b82bdf	Revert oidc_test.go ... Moving the `preferred_username` to a separate PR	2021-05-05 08:49:03 +09:00
Cristian Le	21732f213b	Fix shadow issue in CI	2021-05-05 08:15:26 +09:00
Mariano Cano	46c1dc80fb	Use map[string]struct{} instead of map[string]bool	2021-05-05 08:15:26 +09:00
Mariano Cano	aafac179a5	Add test for oidc with preferred usernames.	2021-05-05 08:15:26 +09:00
Cristian Le	f730c0bec4	Sanitize usernames	2021-05-05 08:15:26 +09:00
Cristian Le	48666792c7	Draft: adding usernames to GetIdentityFunc	2021-05-05 08:15:26 +09:00
Mariano Cano	02379d494b	Add support for extensions and critical options on the identity ... function.	2020-07-30 17:45:03 -07:00
Mariano Cano	ca2fb42d68	Move options to the provisioner.	2020-07-21 14:18:05 -07:00
Mariano Cano	ef0ed0ff95	Integrate simple templates in the JWK provisioner.	2020-07-21 14:18:04 -07:00
Mariano Cano	0b5fd156e8	Add a third principal on OIDC tokens with the raw local part of the email. ... For the email first.last@example.com it will create the principals ["firstlast", "first.last", "first.last@example.com"] Fixes #253, #254	2020-05-21 12:09:11 -07:00
Mariano Cano	c49a9d5e33	Add context parameter to all SSH methods.	2020-03-10 19:01:45 -07:00
Mariano Cano	59fc8cdd2d	Fix typo in comments.	2020-02-27 10:48:16 -08:00
max furman	1cb8bb3ae1	Simplify statuscoder error generators.	2020-01-28 13:29:40 -08:00
max furman	dccbdf3a90	Introduce generalized statusCoder errors and loads of ssh unit tests. ... * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners.	2020-01-28 13:29:40 -08:00
max furman	414a94b210	Instrument getIdentity func for OIDC ssh provisioner	2020-01-28 13:28:16 -08:00
max furman	f74cd04a6a	Add WithGetIdentityFunc option and attr to authority ... * Add Identity type to provisioner	2020-01-28 13:28:16 -08:00
max furman	29853ae016	sshpop provisioner + ssh renew | revoke | rekey first pass	2020-01-28 13:28:16 -08:00
max furman	c04f1e1bd4	sshpop first pass	2020-01-28 13:28:16 -08:00
max furman	8f07ff6a39	Add kubernetes service account provisioner	2019-10-29 17:42:50 -07:00
max furman	d368791606	Add x5c provisioner capabilities	2019-10-14 14:51:37 -07:00
max furman	e3826dd1c3	Add ACME CA capabilities	2019-09-13 15:48:33 -07:00
Mariano Cano	10e7b81b9f	Merge branch 'master' into ssh-ca	2019-09-05 23:06:01 +02:00
max furman	ac234771c7	Remove unknown provisioner WARNning and leave TODO	2019-08-29 10:49:52 -07:00
max furman	ca8daf5f12	Update comment and warn	2019-08-28 17:28:03 -07:00
Mariano Cano	9200f11ed8	Skip unsupported provisioners.	2019-08-28 17:25:39 -07:00
Mariano Cano	41b97372e6	Rename function to SanitizeSSHUserPrincipal	2019-07-29 16:38:57 -07:00
Mariano Cano	48c98dea2a	Make SanitizeSSHPrincipal a public function.	2019-07-29 16:21:22 -07:00
Mariano Cano	f01286bb48	Add support for SSH certificates to OIDC. ... Update the interface for all the provisioners.	2019-07-29 15:54:07 -07:00
Mariano Cano	8f8c862c04	Fix spelling errors.	2019-06-07 11:24:56 -07:00
Mariano Cano	37f2096dff	Add Stringer interface to provisioner.Type. ... Add missing file.	2019-06-05 17:52:29 -07:00
Mariano Cano	0a756ce9d0	Use on GCP audiences with the format https://<ca-url>#<provisioner-type>/<provisioner-name> ... Fixes smallstep/step#156	2019-06-03 17:19:44 -07:00
Mariano Cano	70196b2331	Add skeleton for the Azure provisioner. ... Related to #69	2019-05-03 17:30:54 -07:00
Mariano Cano	da93e40f90	Add constant for Azure type.	2019-04-24 14:26:37 -07:00
Mariano Cano	75ef5a2275	Add AWS provisioner. ... Fixes #68	2019-04-24 12:12:36 -07:00
Mariano Cano	f794dbeb93	Add support for GCP identity tokens.	2019-04-17 17:28:21 -07:00