When running `sestest list-certificates`, the friendly name takes up a lot of horizontal space, causing lines to wrap and making the output hard to read.
This change defaults to displaying only the DNS name, but allows an `extra-columns` argument for specifying that subject and/or friendly names should also be displayed.
This also addresses the point raised in #130 that it should be easy to see certificates by DNS name so that it should be easy to scan for, e.g. localhost.
The output of `sestest list-certificates` currently displays the same certificate multiple times (if it appears in multiple stores/locations).
These changes ensure certificates are only listed once.
`sestest` already supports `forsigning` and `forencryption` arguments to `list-certificates`, as well as grouping the output, to easily identify certificates which can be used for signing and encryption.
When running `sestest server` we also require another kind of certificate, i.e. that which can be used for server authentication (to enable clients to communicate via TLS). Identifying certificates which are appropriate for this involves selecting ones which:
- **If** the certificate has an enhanced key usage extension, the usages must include server authentication (OID 1.3.6.1.5.5.7.3.1). Without this the test server will throw an `InvalidOperationException` ("Certificate XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX cannot be used as an SSL server certificate. It has an Extended Key Usage extension but the usages do not include Server Authentication (OID 1.3.6.1.5.5.7.3.1)").
- (optionally) are trusted (and whose certificate chain can be validated).
- have a DNS name which matches the hostname by which requests will be made to the server (probably `localhost`)
This addresses the first two of these by allowing a `forserverauth` argument to `list-certificates`, and displaying two extra sections in the output: one for certificates suitable for server authentication that _can_ be verified, and one for those that can't.
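
The three selection criteria listed above can be checked with the standard .NET X.509 APIs. The following is an added example, not code from `sestest`; the choice of the `CurrentUser\My` store, the disabled revocation check and the class and method names are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ServerAuthCandidates
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";

    // No EKU extension: usage is unrestricted. EKU present: it must list server authentication.
    static bool AllowsServerAuth(X509Certificate2 cert)
    {
        var ekus = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().ToList();
        return ekus.Count == 0
            || ekus.SelectMany(e => e.EnhancedKeyUsages.Cast<Oid>()).Any(o => o.Value == ServerAuthOid);
    }

    // Builds the chain against the machine's trust stores. Revocation checking is
    // switched off here (an assumption) so the check also works offline.
    static bool ChainVerifies(X509Certificate2 cert)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            return chain.Build(cert);
        }
    }

    // GetNameInfo returns a single DNS name (first SAN entry, else subject CN);
    // certificates with several SAN entries need the extension parsed in full.
    static bool MatchesHost(X509Certificate2 cert, string host) =>
        string.Equals(cert.GetNameInfo(X509NameType.DnsName, false), host, StringComparison.OrdinalIgnoreCase);

    static void Main(string[] args)
    {
        var host = args.Length > 0 ? args[0] : "localhost";
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var candidates = store.Certificates.Cast<X509Certificate2>()
                .GroupBy(c => c.Thumbprint).Select(g => g.First())   // list each certificate once
                .Where(AllowsServerAuth);
            foreach (var cert in candidates)
                Console.WriteLine("{0}  {1,-12} {2,-10} {3}", cert.Thumbprint,
                    ChainVerifies(cert) ? "verified" : "unverified",
                    MatchesHost(cert, host) ? "host-match" : "no-match",
                    cert.GetNameInfo(X509NameType.DnsName, false));
        }
    }
}
```
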
* move handlers for each of the different API versions into different controller methods
* add controller methods for acquire, renew and release
* change structure of Errorable to allow LINQ query syntax
* use Result<TOk, TError> class for error handling in request handler classes, and re-implement Errorable extension methods on Results
* update documentation with PowerShell/curl/wget commands for testing the leasing API
* respond to ErrorCollection PR comments
* add braces around null check throws
* remove Errorable class (replace with Result/ErrorCollection)
* remove static Errorable class, and instead create Result instances using implicit operators
* rename ErrorCollection to ErrorSet, respond to PR comments in Result class
* API version changes in Server project
* suppress messages about implicit operator alternatives
* add documentation comments to API DTOs
* use DateTimeOffset in preference to DateTime
* change order of generic parameters in Result extension methods to be more readable
* rename generic type parameters and variables for consistency
* use AssertOk and AssertError consistently, without introducing separate variable for result
* rename local function in test
* follow existing pattern for datetime properties on FakeTokenPropertyProvider, and add test for expected errors on provider
* format Assert.Throws to wrap lines
* use ResultCodes property for returning specific result codes
* simplify test assertions for collections
* Add certificates for the sovereign clouds (#106)
* On Windows, work around OpenSSL not hooking into the Windows Automatic Root Certificates Update process. (#112)
* Add retry logic if we experience Curl-related errors
* Allow overriding CURLOPT_CONNECTTIMEOUT via environment variable
* Fix compiler errors for non-windows platform (#122)
  - Wrap WinHttpDeleter structure with _WIN32 macro.
  - Use _WIN32 instead of WIN32
* More fixes for compiler errors on non-windows platform:
  - Include missing headers (thread, chrono)
  - Wrap EnsureRootCertsArePopulated routine with _WIN32 macro
The managed projects all currently target dotnet core 2.0. This retargets them to 2.2, as well as updating nuget dependencies to the latest versions.
This also handles a couple of behaviour changes in the latest `System.IdentityModel.Tokens.Jwt` assembly's `ValidateToken` method: [`ValidateIssuerSigningKey` should not `false` if `RequireSignedTokens` is `false`](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/972), and some of the exception messages have changed.
Much of the existing code refers to 'entitlements' as properties of the token, or attributes which a token gives permission to.
We've agreed to redefine an 'entitlement' as something which is granted upon an API request. The token is used to obtain the entitlement, but the token is not the entitlement.
This updates the code to better reflect that way of thinking.
* Document prerequisites for sesclient.native.exe (#114)
* Update documentation to include `publish-archives.ps1`
* Update reference to psake when troubleshooting
* Remove platform option from build script
* Add details on using PowerShell to verify the token
* Add examples for curl and wget
* change NodeEntitlements to take IP Addresses and Application IDs as collections instead of adding one-by-one
build NodeEntitlements in a consistent manner between reading a token and reading from the command line (sestest generate)
* Extract interface from entitlement reading/parsing code, separate entitlement readers into separate JWT parsing and validation classes, and fix up unit tests.
* refactor token verifier into an entitlement verifier that handles reading NodeEntitlements from a token as well as validating a request associated with that token
* move ErrorableExtensions.Then to Errorable.Bind and break up long token reading method
* added documentation comments
* implement Bind in concrete errorable classes
* Create base class for commands
* Extract functionality for list-certificates into service class
* Extract functionality for find-certificate into service class
* Extract functionality for generate into service class
* Code Gardening
* Add verify command to check entitlement
* Add expiry to software entitlement response