As a user, I want to use Rot as a server so I can securely distribute secrets from it
thequailman opened this issue · 0 comments
thequailman commented
Requirements
- Authn
  - JWT auth with filters for the JWTs
  - OAuth auth
  - X509 auth
  - WebAuthn (use multiple domains, expose a generator to add output to config?)
  - Source IP lockdown with x-forwarded-for support
- Authz
  - Path and method filters based on Authn
- Keyring Decryption
  - Push decrypt keys
  - Shamir unlock
- JWT issuance
  - Expirations for JWTs, PEMs, SSH, etc. should inherit from JWTs
- Run as a daemon
- OAuth sign in screen
- Docs on how to use Server mode
- Swagger/OpenAPI spec
- Script framework
Design Notes
Server
- server.signingKey is path to signing key for tokens
- server.expiresSec (15*60)
- server.authn.expiresSec (must be less than server.tokenExpiresSec)
- server.authn.noBindSourceIP
- GET /v1/authn - ReadAuthnProviders
- GET /v1/authn/ - ReadAuthnProvider
- POST /v1/authn/ - CreateAuthnProvider
- GET /v1/authz - ReadAuthz
- POST /v1/keys/private - CreateKeysPrivate
- POST /v1/keys/shamir - CreateKeysShamir
- GET /v1/script - ReadScripts
- POST /v1/script/ - RunScript
- GET /v1/session - ReadSession
- GET /v1/system/info - ReadSystemInfo
- GET /v1/system/metrics - ReadSystemMetrics
- GET /v1/values - ReadValues
- GET /v1/values/ - ReadValue
CLI
- listen
- rot auth <path>
- CLI should be able to execute commands against a remote rot instance
- CLI should store token details under ~/.rot-token, ROT_tokenPath