Jimmy Zelinskie
aadb22aaca
Merge pull request #1332 from coreos-inc/keyserver
...
JWT Key Server
2016-04-29 17:16:02 -04:00
Evan Cordell
af4106e5c0
Fix generatepresharedkey script
2016-04-29 15:21:19 -05:00
Jimmy Zelinskie
2aa88dcb80
only send notifications when superusers enabled
2016-04-29 15:42:25 -04:00
Jimmy Zelinskie
b89d81d748
test: add missing helpers.py file
2016-04-29 14:44:52 -04:00
Jimmy Zelinskie
29e2d7c9d4
data.model.log: remove unused method
2016-04-29 14:22:53 -04:00
Joseph Schorr
b5afc4bed6
Tiny CSS merge fix
2016-04-29 14:16:19 -04:00
Jimmy Zelinskie
e47b29a974
migration: add missing delete from down migration
...
This also reorganizes the file a bit.
2016-04-29 14:10:33 -04:00
Jimmy Zelinskie
4a521f5844
database: revert logentry foreign key proxy
2016-04-29 14:10:33 -04:00
Evan Cordell
85ab543e9e
Explicit expiration date param
2016-04-29 14:10:33 -04:00
Evan Cordell
489752a0b7
Only refresh current instance service key
2016-04-29 14:10:33 -04:00
Evan Cordell
a6f6a114c2
service key worker to refresh automatic keys
2016-04-29 14:10:33 -04:00
Evan Cordell
2242c6773d
Add 'Automatic' ServiceKeyApprovalType
2016-04-29 14:10:33 -04:00
Evan Cordell
c766727d1d
address review comments
...
- more inline documentation
- don't explicitly specify audience
- approver is optional in `generate_key`
- ADD -> RUN for better caching of jwtproxy
2016-04-29 14:10:33 -04:00
Evan Cordell
9df650688b
Install jwtproxy in /usr/local/bin
2016-04-29 14:10:33 -04:00
Evan Cordell
97ad9684d7
Use jwtproxy binary from github
2016-04-29 14:10:33 -04:00
Evan Cordell
d2aa4be29e
Explicitly set jwtproxy audience
2016-04-29 14:10:33 -04:00
Evan Cordell
0c2ecec9a9
Don't check for client certs when talking to clair
2016-04-29 14:10:33 -04:00
Evan Cordell
4d0627f83d
Turn down logging on jwtproxy
2016-04-29 14:10:33 -04:00
Evan Cordell
47a52a47eb
Remove unneeded service key expiration
2016-04-29 14:10:33 -04:00
Evan Cordell
9ffc32f680
Generate preshared key on boot
2016-04-29 14:10:33 -04:00
Evan Cordell
f30a9e56f3
Be really sure about proxy protocol
2016-04-29 14:10:33 -04:00
Evan Cordell
cf5f7aa476
Create JWK formatted key on startup
2016-04-29 14:10:33 -04:00
Evan Cordell
8595140f38
Use signer proxy for all http(s) requests
2016-04-29 14:10:33 -04:00
Evan Cordell
f4d2fae5d8
Separate jwtproxy signer config from secscan config
2016-04-29 14:10:33 -04:00
Evan Cordell
474884acd7
Don't require certs for clair anymore
2016-04-29 14:10:33 -04:00
Evan Cordell
822b253b85
Add message when no approval user exists
2016-04-29 14:10:33 -04:00
Evan Cordell
e499c4a8ef
Actually go through signer proxy
2016-04-29 14:10:33 -04:00
Evan Cordell
52590687ae
Dockerfile fixes
2016-04-29 14:10:33 -04:00
Evan Cordell
668ce2c7cd
Generate private key on startup
2016-04-29 14:10:33 -04:00
Evan Cordell
85667a9cf6
Creat mitm certs on boot
2016-04-29 14:10:33 -04:00
Evan Cordell
6754131350
Optional tests (on by default) and better load order to reduce build time
2016-04-29 14:10:33 -04:00
Evan Cordell
492dcf4781
Verify that jwt was issued by clair
2016-04-29 14:10:33 -04:00
Evan Cordell
118f2d0ce5
Add mitm certs to jwtproxy
2016-04-29 14:10:33 -04:00
Evan Cordell
9e7a501dae
Authenticate in the other direction with jwtproxy
2016-04-29 14:10:33 -04:00
Evan Cordell
da0a988650
Configure jwtproxy from stack/conf yaml
2016-04-29 14:10:33 -04:00
Evan Cordell
adc86456b5
Secure the correct endpoint
2016-04-29 14:10:33 -04:00
Evan Cordell
8c8ee9c2be
Add jwtproxy and configure verifier for /secscan/notify
2016-04-29 14:10:33 -04:00
Joseph Schorr
6091db983b
Hide expired keys outside of their staleness window
2016-04-29 14:10:33 -04:00
Joseph Schorr
a55e92bc95
Add UI support for multiple operations on keys
2016-04-29 14:09:37 -04:00
Jimmy Zelinskie
726cb5fe6a
key server: 403 on expired approved keys ( #1410 )
2016-04-29 14:09:37 -04:00
Joseph Schorr
4f63a50a17
Change account-less logs to use a user and not null
...
This allows us to skip the migration
2016-04-29 14:09:37 -04:00
Jimmy Zelinskie
5cb6ba4d12
keyserver migration: fix constraint name
2016-04-29 14:09:37 -04:00
Joseph Schorr
28a80ef6a9
Make sure to verify service names on key creation
2016-04-29 14:09:37 -04:00
Joseph Schorr
dc9bcec9ce
Add pre shared generation tool
2016-04-29 14:09:37 -04:00
Jimmy Zelinskie
ca5794ba18
key server: use total_seconds() for cache headers
2016-04-29 14:09:37 -04:00
Joseph Schorr
5d6e5a42e8
Add delete logging and tests for logging
2016-04-29 14:09:09 -04:00
Jimmy Zelinskie
6aa7040f39
keyserver: add cache-control headers
2016-04-29 14:05:16 -04:00
Joseph Schorr
bc08ac2749
Fix timeouts in the JWT endpoint tests
2016-04-29 14:05:16 -04:00
Joseph Schorr
522cf68c5d
Lots of smaller fixes:
...
- Add the rotation_duration to the keys API
- Have the key service UI use the new rotation_duration field
- Fix notification deletion lookup path
- Add proper support for the new notification in the UI
- Only delete expired keys after 7 days (configurable)
- Fix angular digest loop
- Fix unit tests
- Regenerate initdb
2016-04-29 14:05:16 -04:00
Jimmy Zelinskie
2805dad64f
test_endpoints: update to use JWT headers
2016-04-29 14:05:16 -04:00