max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Mariano Cano
42fde8ba28
Merge branch 'master' into linkedca
3 years ago
Mariano Cano
9e5762fe06
Allow the reuse of azure token if DisableTrustOnFirstUse is true
...
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.
The meaning of this parameter is to allow the signing of multiple
certificate in one instance. This is possible in GCP, because we
get a new token, and is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.
Fixes #656
3 years ago
Mariano Cano
4ad82a2f76
Check linkedca for revocation.
3 years ago
Mariano Cano
f7542a5bd9
Move check of ssh revocation from provisioner to the authority.
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
Mariano Cano
d79b4e709e
Create a hash of a token if a token id is empty.
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
7846696fbb
Fix return sign options on ssh sign.
5 years ago
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
5 years ago
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
max furman
9caadbb341
Fix authority calling wrong revoke method
5 years ago
Mariano Cano
11c8639782
Add identity certificate in ssh response.
5 years ago
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
max furman
61d52a8510
Small fixes associated with PR review
...
* additions and grammar edits to documentation
* clarification of error msgs
5 years ago
Mariano Cano
004ea12212
Allow to use custom SSH user/host key files.
5 years ago
Mariano Cano
7a64a84761
Pass the given context.
5 years ago
Mariano Cano
e1cd5ee8c3
Add context to the Authorize method.
...
Fix tests.
5 years ago
Mariano Cano
2127d09ef3
Rename context type to apiCtx.
...
It will conflict with the context package.
5 years ago
Mariano Cano
54570095d4
Merge branch 'master' into cloud-identities
5 years ago
max furman
81db527f12
NoopDB -> SimpleDB
6 years ago
max furman
b73fe8c157
Add used OTT to DB during authToken step
6 years ago
Mariano Cano
27c98806c0
Use GetTokenID.
6 years ago
max furman
9977eff153
bump cli dep and fix text error msg
6 years ago
max furman
ab4d569f36
Add /revoke API with interface db backend
6 years ago
Mariano Cano
1812c0619a
Update go-jose to 2.3.0.
...
This is a dependency for smallstep/cli#105 , it will be solved once
square/go-jose#224 gets merged
6 years ago
Mariano Cano
8a05cdde52
Add audience in the error v2
6 years ago
Mariano Cano
f8fba4df6b
Add audience in error.
6 years ago
Mariano Cano
23e6de57a2
Address comments in code review.
6 years ago
Mariano Cano
07cdc1021c
Use OIDC nonce as the reuse key.
6 years ago
Mariano Cano
ef4d809ee6
Move matchesAudience and stripPort tests to provisioner package.
6 years ago
Mariano Cano
af9688c419
Fix some testing errors.
6 years ago
Mariano Cano
2d00cd0933
Validate audiences in the default provisioner.
6 years ago
Mariano Cano
57b705f6cf
Use provisioner sign options.
6 years ago
Mariano Cano
602a42813c
Re-enable replay protection for JWK provisioner.
6 years ago
Mariano Cano
ab1cca03d7
Use new provisioners in authorize methods.
6 years ago
max furman
3415a1fef8
move SplitSANs to cli
6 years ago
max furman
6937bfea7b
claims.SANS -> claims.SANs
6 years ago
max furman
93f39c64a0
backwards compat only when SANS empty
6 years ago
max furman
fe8c8614b2
SANS backwards compat when token missing sujbect SAN
6 years ago
max furman
f0683c2e0a
Enable signing certificates with custom SANs
...
* validate against SANs in token. must be 1:1 equivalent.
6 years ago
Mariano Cano
7e95fc0e45
Strip ports on audience check.
...
Services might have proxies behind them so we cannot rely on them.
Fixes #17
6 years ago
Mariano Cano
d6cad2a7f3
Add provisioner option to disable renewal.
...
Fixes smallstep/ca-component#108
6 years ago
max furman
0d9dd2d14b
provisioner issuer -> name
6 years ago
max furman
a4a461466b
withProvisionerOID and unit test
6 years ago
max furman
283dc42904
add unit tests for MatchOne (token audience) and Authority.New
6 years ago
max furman
ee7db4006a
change sign + authorize authority api | add provisioners
...
* authorize returns []interface{}
- operators in this list can conform to any interface the user decides
- our implementation has a combination of certificate claim validators
and certificate template modifiers.
* provisioners can set and enforce tls cert options
6 years ago
Mariano Cano
1c1ac1b3fb
Add disableIssuedAt check functionality
...
Fixes #86
6 years ago
Mariano Cano
69da47a727
Set audience using the sign url.
6 years ago
max furman
0b5f6487e1
change provisioners api
...
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
6 years ago