27c98806c0
Use GetTokenID.
5 years ago
2c68915b70
Fix comment.
5 years ago
fb6321fb2c
Use gcpConfig type to keep configuration urls.
...
Fixes #67
5 years ago
7e53b28320
Disable revoke for GCP.
5 years ago
7727fa5665
Update GCP tests.
5 years ago
1ea4b0ad64
Add unit test for GCP provider
5 years ago
b4729cd670
Use JWKSet to get the GCP keys.
5 years ago
f794dbeb93
Add support for GCP identity tokens.
5 years ago
9977eff153
bump cli dep and fix text error msg
5 years ago
ff20d9f5af
Fix composite literal uses unkeyed field
5 years ago
ab4d569f36
Add /revoke API with interface db backend
5 years ago
1812c0619a
Update go-jose to 2.3.0.
...
This is a dependency for smallstep/cli#105 , it will be solved once
square/go-jose#224 gets merged
5 years ago
04da00d716
Merge pull request #55 from smallstep/x509util-real-x509
...
Use standard x509 creating signed certificates
5 years ago
7b9e08bcfa
Fix comment.
5 years ago
64f2615864
Fix tests.
5 years ago
6d92ba75b9
Don't use pointer in TimeDuration.MarshalJSON
5 years ago
698058baa9
Add tests for TimeDuration.
5 years ago
00fed1c538
Add initial version of time duration support in sign requests.
5 years ago
8c8547bf65
Remove unnecessary parse and improve tests.
5 years ago
b9530909a4
Fix tests.
5 years ago
a3e2b4a552
Move certificate check to the right place.
5 years ago
30a6889d1f
Use standard x509 instead of step one.
5 years ago
68ff077ea9
Improve tests.
5 years ago
76618558ae
Improve unit tests.
5 years ago
7378ed27ac
Refactor claims so they can be totally omitted if only the parent is set.
5 years ago
5d5f03f963
Set omitempty to admins and domains.
5 years ago
8a05cdde52
Add audience in the error v2
5 years ago
f8fba4df6b
Add audience in error.
5 years ago
60880d1f0a
Add domains and check emails properly.
5 years ago
5edbce017f
Set docs for client secret as mandatory, but it can be blank.
5 years ago
2c0c0112c6
Add an optional client secret field.
5 years ago
945a1371f1
Fix tests.
5 years ago
0b4cde1ad3
Move type to the first position of the struct.
5 years ago
23e6de57a2
Address comments in code review.
5 years ago
07cdc1021c
Use OIDC nonce as the reuse key.
5 years ago
7fd737cbb1
Fix lint warnings.
5 years ago
1f5ff5c899
Fix sign and renew tests.
5 years ago
2fb77b8a4d
Truncate to seconds the startTime to simplify tests.
5 years ago
1a9e8bad74
Truncate to seconds instead of rounding.
5 years ago
b77621675c
Fix and simplify authorize tests.
5 years ago
ef4d809ee6
Move matchesAudience and stripPort tests to provisioner package.
5 years ago
636d92b19b
Add missing files.
5 years ago
a8d03c39bb
Move Duration to a new file and move tests to provisioner package.
5 years ago
c24d868d9d
Add tests for sign options.
5 years ago
5dfcbcf5dc
Add noop tests.
5 years ago
4ceb88fbae
Add tests for OIDC and complete some JWK tests.
5 years ago
dce3100cfb
Add missing time in validation.
5 years ago
fb279c89fb
Restore deleted methods.
5 years ago
955405d6aa
Add some comments added to master.
5 years ago
af9688c419
Fix some testing errors.
5 years ago
f17d2d9694
Remove debug statements.
5 years ago
67c79fd014
Add tests for default provisioner.
5 years ago
cf2dba3efb
Add tests for keyStore.
5 years ago
2a5430fee1
Complete tests for collection.
5 years ago
54d86ca1c1
testing work in progress.
5 years ago
9f7f871f25
Add noop provisioner and use it if a provisioner cannot been found from a cert.
5 years ago
47817ab212
Fix interface type.
5 years ago
cc8764c343
Initialize the list for backward compatibility.
5 years ago
c0ef6f8dc5
Add missing modifier and change return codes.
5 years ago
a97ea87caa
Move options to provisioner so we can set the duration of the cert.
5 years ago
507fd01062
Remove provisioner intermediate type.
5 years ago
1671ab2590
Fix some tests.
5 years ago
d92a7f2948
Rename provisioner to jwk.
5 years ago
a1782733fe
Rename files.
5 years ago
2d00cd0933
Validate audiences in the default provisioner.
5 years ago
33c1449360
Remove deprecated file.
5 years ago
57b705f6cf
Use provisioner sign options.
5 years ago
9d4034fbf6
Remove unused code.
5 years ago
6d395f3818
Add missing validy validator to oidc.
5 years ago
602a42813c
Re-enable replay protection for JWK provisioner.
5 years ago
ab1cca03d7
Use new provisioners in authorize methods.
5 years ago
54ed49f072
Rename package.
5 years ago
c776ca3bd6
Use provisioner.Collection to store and request the provisioners.
5 years ago
34833d4fd5
Add validators from the authority package.
5 years ago
0dee841a4f
Complete first version of provisioner implementations.
5 years ago
7eb6eb1d3e
Complete provisioner.Claims with methods from authority.
5 years ago
fb77397fc7
Add new options to locate or list provisioners.
5 years ago
34ff388828
Use new types in config.
5 years ago
62dab7b6b8
Rename interface method.
5 years ago
5a8f78d9d0
Add support to collection to load the encrypted keys.
5 years ago
dd0376657c
Move collection to a new file.
5 years ago
4b2b6ffe32
Create the provisioner type used to englobe all different provisioners.
5 years ago
bed3132028
Move provisioner to authority/provisioner package.
5 years ago
fc0b2ca5a6
Revert "Move provisioners to authority/provisioner package."
...
This reverts commit f88d622a67
5 years ago
f88d622a67
Move provisioners to authority/provisioner package.
5 years ago
a2a45f635b
Add initial implementation of an OIDC provisioner.
5 years ago
229e5908b7
Added test for different authority key id after renew
...
Also ran dep ensure.
5 years ago
d78febec7a
Fix extensions copy on renew
...
Fixes #36
5 years ago
7e43402575
bug fix: don't add common name to CSR validation claims in Sign
...
* added unit test for this case
5 years ago
3415a1fef8
move SplitSANs to cli
5 years ago
6937bfea7b
claims.SANS -> claims.SANs
5 years ago
93f39c64a0
backwards compat only when SANS empty
5 years ago
fe8c8614b2
SANS backwards compat when token missing sujbect SAN
5 years ago
e6e8443f3c
allow multiple identical SANs in cert
5 years ago
f0683c2e0a
Enable signing certificates with custom SANs
...
* validate against SANs in token. must be 1:1 equivalent.
5 years ago
7a5c4a1112
authority/provisioners: fix overflow on 32-bit systems
...
In Go, len returns signed ints, not unsigned ints; consequently, this code
comparison overflows on 32-bit systems, like ARM.
5 years ago
2c72ada610
remove dead code
5 years ago
6dc89f46d8
make Duration public
5 years ago
0615f7eb11
don't wrap time.Duration
5 years ago
4b742042ee
make Duration wrapper publicly accessible
5 years ago
e8ac3f4888
Add comment to differentiate GetRootCertificates and GetRoots.
5 years ago
6e620073f5
Rename method Empties to HasEmpties
5 years ago
cfbb2a6f41
method documentation grammar fix
5 years ago
518b597535
Remove mTLS client requirement in /roots and /federation
5 years ago
1763ede99d
Add tests for new methods.
5 years ago
d296cf95a9
Add mTLS request to get all the root CAs, not the federated ones.
5 years ago
98cc243a37
Add support for multiple roots.
5 years ago
722bcb7e7a
Add initial support for federated root certificates.
5 years ago
7e95fc0e45
Strip ports on audience check.
...
Services might have proxies behind them so we cannot rely on them.
Fixes #17
6 years ago
9b87e08faf
Do not require the port in the audience check.
...
Fixes #17
6 years ago
7da1d1adc2
Fix typo.
6 years ago
d6cad2a7f3
Add provisioner option to disable renewal.
...
Fixes smallstep/ca-component#108
6 years ago
c74fcd57a7
ca-component -> certificates
...
* fix redundant error check
* add README
6 years ago
428661f472
Use name instead of issuer in error message.
6 years ago
0d9dd2d14b
provisioner issuer -> name
6 years ago
ea0307239a
Fix dead code and add missing error check.
6 years ago
d574545d94
Format code with `gofmt -s`
6 years ago
7fa06643b2
change step provisioner OID and ASN1 representation
6 years ago
b457b15292
fix: omit empty claims in AuthConfig
6 years ago
ca6087145f
fix unit test
6 years ago
a4a461466b
withProvisionerOID and unit test
6 years ago
283dc42904
add unit tests for MatchOne (token audience) and Authority.New
6 years ago
0ccf775f2e
Add support for cursors in the api.
6 years ago
1de8eb4bfa
Fix provisioner package move.
6 years ago
1db177b80d
Add backend support for provisioners with cursors.
...
Fixes #83
6 years ago
d2872564b4
accidentally removed DisableIssuedAtCheck during merge
6 years ago
ee7db4006a
change sign + authorize authority api | add provisioners
...
* authorize returns []interface{}
- operators in this list can conform to any interface the user decides
- our implementation has a combination of certificate claim validators
and certificate template modifiers.
* provisioners can set and enforce tls cert options
6 years ago
1c1ac1b3fb
Add disableIssuedAt check functionality
...
Fixes #86
6 years ago
69da47a727
Set audience using the sign url.
6 years ago
0b5f6487e1
change provisioners api
...
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
6 years ago
f1dc00c810
add Provisioner config validation
6 years ago
0e904989d2
add unit tests for authority.Provisioners api
6 years ago
d773770a44
add authority.New unit tests
6 years ago
c284a2c0ab
first commit
6 years ago
Mariano Cano
max furman
Mariano Cano
Derrick Lyndon Pallas