Mariano Cano
616490a9c6
Refactor renew after expiry token authorization
...
This change adds a new authority method that authorizes the
renew after expiry tokens.
3 years ago
Mariano Cano
afb5d36206
Allow to renew certificates using an x5c-like token.
3 years ago
Herman Slatman
5fe9909174
Refactor AdminAuthority interface
3 years ago
Herman Slatman
5f224b729e
Add tests for Provisioner Admin API
3 years ago
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
2215a05c28
Add tests for ACME EAB Admin
...
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.
At this time, not all of the functions of MockAuthority are usable
yet. Will refactor when needed or requested.
3 years ago
Mariano Cano
0cebde3db5
Change fallback message on RekeySSH.
3 years ago
Mariano Cano
9fd147f3da
Change error message.
3 years ago
Mariano Cano
b5db3f5706
Modify errs.ForbiddenErr to always return an error to the cli.
3 years ago
Mariano Cano
668d3ea6c7
Modify errs.Wrap() with bad request to send messages to users.
3 years ago
Mariano Cano
8c8db0d4b7
Modify errs.BadRequestErr() to always return an error to the client.
3 years ago
Mariano Cano
8ce807a6cb
Modify errs.BadRequest() calls to always send an error to the client.
3 years ago
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Mariano Cano
833d28cb6a
Clone the certificate in case we need to look at it later.
3 years ago
Mariano Cano
568fce201a
Enforce identity cert to match ssh cert on renewals.
3 years ago
Mariano Cano
4aa529605d
Merge pull request #641 from hillu/quote-serial
...
Log certificate's serial number as stringified decimal number
3 years ago
Herman Slatman
9210a6740b
Fix logging provisioner name as string
3 years ago
Hilko Bengen
edb01bc9f2
Log certificate's serial number as stringified decimal number
...
Using a JSON string fixes a common issue with JSON parsers that
deserialize all numbers to 64-bit IEEE-754 floats. (Certificate
serial numbers are usually 128 bit values.)
This change is consistent with existing log entries for revocation
requests.
See also: #630, #631
3 years ago
max furman
77fdfc9fa3
Merge branch 'master' into max/cert-mgr-crud
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
Mariano Cano
65dacc2795
Replace golint with revive
3 years ago
Herman Slatman
a191319da9
Improve SCEP API logic and error handling
3 years ago
Herman Slatman
bc2bb53009
Merge branch 'master' into hs/scep
3 years ago
max furman
4f3e5ef64d
wip
3 years ago
max furman
5d09d04d14
wip
3 years ago
max furman
7b5d6968a5
first commit
3 years ago
Mariano Cano
c1c986922b
Show Ed25519 in the public-key log field.
4 years ago
Herman Slatman
0487686f69
Merge branch 'master' into hs/scep
4 years ago
max furman
2e0e62bc4c
add WriteError method for acme api
4 years ago
max furman
fd447c5b54
Fix small nbf->naf bug in db.CreateOrder
...
- still needs unit test
4 years ago
max furman
1135ae04fc
[acme db interface] wip
4 years ago
Herman Slatman
2fc5a7f22e
Improve SCEP API logic and error handling
4 years ago
max furman
f88f58440f
add //nolint for new 1.16 deprecation warnings
...
- dsa
- pem.DecryptPEMBlock
4 years ago
Mariano Cano
c94a1c51be
Merge branch 'master' into ssh-cert-templates
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
aaaa7e9b4e
Merge branch 'master' into cert-templates
4 years ago
max furman
8e3481a8ef
[logger map] small optimization
...
Rather than doing two key writes and one lookup, just write once.
4 years ago
max furman
55bf5a4526
Add cert logging for acme/certificate api
4 years ago
Mariano Cano
4943ae58d8
Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates.
4 years ago
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
Mariano Cano
3b19bb9796
Add TemplateData to SSHSignRequest.
...
Add some omitempty tags.
4 years ago
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SignSSHOptions
4 years ago
Mariano Cano
068bafe5a3
Add templateData to api sign request.
4 years ago
max furman
fd05f3249b
A few last fixes and tests added for rekey/renew ...
...
- remove all `renewOrRekey`
- explicitly test difference between renew and rekey (diff pub keys)
- add back tests for renew
4 years ago
dharanikumar-s
dfda497929
Renamed RenewOrRekey to Rekey
4 years ago
dharanikumar-s
a3b5211e0f
gofmted the code
4 years ago
dharanikumar-s
954fda657b
Added renewOrRekey to mockAuthority. Added Test_caHandler_Rekey
4 years ago
dharanikumar-s
01a6469d25
Moved peer certificate check to the first line
4 years ago
dharanikumar-s
8f504483ce
Added RenewOrRekey function based on @maraino suggestion. RenewOrRekey is called from Renew.
4 years ago
dharanikumar-s
3813f57b1a
Add support for rekeying Fixes #292
4 years ago
Mariano Cano
b0ff731d18
Add support for user provisioner certificates on OIDC provisioners.
...
OIDC provisioners create an SSH certificate with two principals. This
was avoiding the creation of user provisioner certificates for those
provisioners.
Fixes smallstep/cli#268
5 years ago
David Cowden
eb42ea90db
ssh/api: Use host tags instead of groups
...
Tags are more flexible and what we use in the managed offering.
5 years ago
Mariano Cano
bfe1f4952d
Rename interface to CertificateEnforcer and add tests.
5 years ago
Mariano Cano
64f26c0f40
Enforce a duration for identity certificates.
5 years ago
Mariano Cano
fa416336a8
Add context to tests.
5 years ago
Mariano Cano
c49a9d5e33
Add context parameter to all SSH methods.
5 years ago
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
5 years ago
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
Mariano Cano
ed26e97487
Fix tests.
5 years ago
Mariano Cano
c1bd1561dd
Renew identity certificate in /ssh/rekey and /ssh/renew
5 years ago
max furman
b9f6aacb0f
Move api errors to their own package and modify the typedef
5 years ago
Mariano Cano
dedf6b17be
Adapt tests to the api change.
5 years ago
max furman
3ac388612a
Use x5cInsecure token for /ssh/check-host endpoint
5 years ago
Mariano Cano
f0eb12372b
Add missing unit tests for ssh.
5 years ago
Mariano Cano
f6ffa2cc43
Check at the cert type instead of at the body.
5 years ago
Mariano Cano
5d7829b198
Replace /ssh/get-hosts to /ssh/hosts
5 years ago
Mariano Cano
d8b3e05a3f
Add error marshaling tests.
5 years ago
Mariano Cano
7b81bec8aa
Use default duration for host certificates identity files.
5 years ago
Mariano Cano
b179ad3662
Fix api tests.
5 years ago
Mariano Cano
3a16835cdd
Make identity duration the same as the SSH cert.
5 years ago
Mariano Cano
4f08a7816f
Fix extra write header.
5 years ago
max furman
656f35e522
Use an actual Hosts type when returning ssh hosts
5 years ago
Mariano Cano
c60641701b
Add version endpoint.
5 years ago
max furman
f92bb06b6c
change func def for getSSHHosts
...
* continue to return all hosts if injection method not specified
5 years ago
Mariano Cano
11c8639782
Add identity certificate in ssh response.
5 years ago
max furman
d940ab7c20
Add getSSHHosts injection func
5 years ago
Mariano Cano
8bf3bf701e
Add support for /ssh/bastion method.
5 years ago
max furman
54e3cf7322
Add multiuse capability to k8ssa provisioners
5 years ago
Mariano Cano
0ae9bab21e
Fix api tests.
5 years ago
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
max furman
862d704f6b
get-hosts fixes
5 years ago
max furman
5616386eed
Add SSH getHosts api
5 years ago
Mariano Cano
385bf0a14a
Fix lint, add keys to fields.
5 years ago
Mariano Cano
d880a98295
Add tests for ssh api methods.
5 years ago
Mariano Cano
a713277453
Fix return of host configurations.
5 years ago
Mariano Cano
37f17213bb
Add initial support for check-host endpoint.
5 years ago
Mariano Cano
d08db4df23
Rename SSH methods.
5 years ago
Mariano Cano
b5bc249e1c
Add support for multiple ssh roots.
...
Fixes #125
5 years ago
Mariano Cano
91130b9c3f
Add support for user data in templates.
5 years ago
Mariano Cano
a35988ff08
Add initial support for ssh config.
...
Related to smallstep/cli#170
5 years ago
Mariano Cano
b000b59ee6
Fix HTTP method for /ssh/sign
5 years ago
Mariano Cano
961be1fbc7
Add endpoint to return the SSH public keys.
...
Related to smallstep/ca-component#195
5 years ago
Mariano Cano
a197158426
Add initial implementation of ssh config.
5 years ago
Jozef Kralik
bc6074f596
Change api of functions Authority.Sign, Authority.Renew
...
Returns certificate chain instead of 2 members.
Implements #126
5 years ago
max furman
fe7973c060
wip
5 years ago
max furman
e3826dd1c3
Add ACME CA capabilities
5 years ago
max furman
61d52a8510
Small fixes associated with PR review
...
* additions and grammar edits to documentation
* clarification of error msgs
5 years ago
Mariano Cano
10e7b81b9f
Merge branch 'master' into ssh-ca
5 years ago
max furman
2b41faa9cf
Enforce >= 2048 bit rsa keys at the provisioner layer
...
* Fixes #94
* In the future this should be configurable by provisioner
5 years ago
Mariano Cano
ca74bb1de5
Add ssh api tests.
5 years ago
Mariano Cano
e71072d389
Add experimental support for provisioning users.
5 years ago
Mariano Cano
a44b0a1d52
Fix typo
5 years ago
Mariano Cano
ba2ba54928
Adapt api package to new interfaces.
5 years ago
Mariano Cano
d008d2d4d1
Use default base64 encoding for public key
5 years ago
Mariano Cano
1c8f610ca9
Add initial implementation of an SSH CA using the JWK provisioner.
...
Fixes smallstep/ca-component#187
5 years ago
max furman
ab4d569f36
Add /revoke API with interface db backend
6 years ago
Mariano Cano
64f2615864
Fix tests.
6 years ago
Mariano Cano
00fed1c538
Add initial version of time duration support in sign requests.
6 years ago
Mariano Cano
a97ea87caa
Move options to provisioner so we can set the duration of the cert.
6 years ago
Mariano Cano
aa8385b8ba
Fix api tests.
6 years ago
Mariano Cano
507fd01062
Remove provisioner intermediate type.
6 years ago
Mariano Cano
bcaba4f72a
Fix api tests.
6 years ago
Mariano Cano
bc12036330
Update Authority interface.
6 years ago
Mariano Cano
1c7155298b
Log always the token, even on errors.
6 years ago
Mariano Cano
adbc496b40
Improve tests
6 years ago
Mariano Cano
b974957868
Add certificate information to logs.
...
Fixes smallstep/ca-component#147
6 years ago
Mariano Cano
8252608ca2
Fix mock
6 years ago
Mariano Cano
518b597535
Remove mTLS client requirement in /roots and /federation
6 years ago
Mariano Cano
d296cf95a9
Add mTLS request to get all the root CAs, not the federated ones.
6 years ago
Mariano Cano
37149ed3ea
Add method to get all the certs.
6 years ago
max furman
c74fcd57a7
ca-component -> certificates
...
* fix redundant error check
* add README
6 years ago
max furman
0d9dd2d14b
provisioner issuer -> name
6 years ago
Mariano Cano
e54086662f
Add tests with cursors.
6 years ago
Mariano Cano
99cab73360
Remove unused import /provisioners/jwk-set-by-issuer
6 years ago
Mariano Cano
0ccf775f2e
Add support for cursors in the api.
6 years ago
max furman
ee7db4006a
change sign + authorize authority api | add provisioners
...
* authorize returns []interface{}
- operators in this list can conform to any interface the user decides
- our implementation has a combination of certificate claim validators
and certificate template modifiers.
* provisioners can set and enforce tls cert options
6 years ago
Mariano Cano
f938ab113b
Add /re-sign endpoint for compatibility with old code.
6 years ago
max furman
828798418c
gofmt
6 years ago
max furman
0b5f6487e1
change provisioners api
...
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
6 years ago
Mariano Cano
ed13132037
Add unit tests for provisioner endpoints.
6 years ago
Mariano Cano
ff67c17893
Add provisioners endpoints.
6 years ago
max furman
c284a2c0ab
first commit
6 years ago