Updated all refrences of bastion_ip to bastion_ips.
Added some extra checks to the bless_request.

…bastion_ip to bastion_ips.

Removing a package from requirements.txt that isn't needed.

Added a flag for bypassing validity check

…ft-sync

…ensions and explicitly set the defaults instead of needing ssh_certificate_builder.py to set them.

fixes #30 : add coveralls for test coverage reporting

… Requests and the lambda responses.

Changing BLESS requests from using remote_username to remote_usernames, a comma-separated list.
remote_usernames can be used for SSH principals specified in an AuthorizedPrincipalsFile (see SSHD_CONFIG(5)).
Aligning BLESS returns so that Lambda configuration errors raise exceptions, and request errors return a dictionary with either errorType and errorMessage or a certificate.
Updating the sample BLESS client to deal with the new lambda return values.

Addressing open issues:
Pulling in contributions from lyft/bless.
Fixing #27 and #29
Pulling in #9 by way of lyft/bless.
Pulling in #33 with explicit defaults in the config.
Resolving #34 with changes from lyft/bless.
Bumping version to BLESS v.0.2.0 which changes the format of BLESS Requests and the lambda responses.

Document permissions required for CA key file

Add support to compile dependencies in container

Fixes while merge testing

For decryption the key id is part of the ciphertext.

Remove unused option 'kms_key_id'

Allow overriding settings with environment variables.

Leveraging the environment variables in AWS Lambda makes it possible to
include the bless_deploy.cfg in the same repo, without exposing secrets
or to deploy the same zip with multiple configurations


When deploying the same zip in mulitple regions, you can leave out the
region_passwprd option and set the default_password option with environment
variables. This allows you the change the same variable in every region

* Add 'ca_private_key' option

This extra option allows passing in the (encrypted) private key directly.
When setting this with an environment variable it can be used to have one
zip that can be deployed with different ca's.

  * Use enum type and raise exception for wrong value

…validation in addition to bastion_user.

Added an email and principal validation option.
Updated bless_deploy_example with the new options.

… the top level of the published .zip.

Replace non word characters in environment key

…format.

Updated the lambda log message to match.

Revising the certifiace key_id to keep consistency in the key[value] …

Update the kmsauth token validation code to verify that all remote_usernames are checked against the offered kmsauth_token.

Fix Issue 53

Fixing typos in readme.

Enhancing PR#43.

bastion_user and remote_usernames now have configurable validation schemas.  See bless_request.py:USERNAME_VALIDATION_OPTIONS

…to allow different remote_usernames

added positive test mocking kmsauth sucessfully decrypting a token

…t, so that it better matches the format used when logging.

This change gives the option to validate the remote username against
the IAM groups containing the user invoking the lambda function. This
is an optional feature which is used in conjunction with kmsauth.

For example, if there were two groups of users, you could put your
admins in the ssh-admin IAM group to allow them to generate certificates
with a remote_username of 'admin'. Users with fewer permissions could be
in the ssh-user group to allow them to generate certificates for the 'user'
account.

The group name is configurable, however they must all be in a consistent
format, and must all contain the relevant remote_username once.

Netflix#74)

* Allowing BLESS lambda to accept ed25519 keys, completing Netflix#71 .  Thanks @jnewbigin .

* Moving BLESS to python 3.6.
You just need to rebuild, publish, and switch your lambda runtime from 2.7 to 3.6.

* Moving TravisCI to Python3.6 as well.

Allows username validation against IAM groups

…icular SSH Authorized Principals from being included in a BLESS certificate.

…password.

Also cleaned up and added bz2 support to Netflix#67 .

Compressed CA private key support

Features include:
Python 3.6 Lambda support
Caching of the KMS decrypted CA Private Key Password.
Compressed CA Private Key support, allowing RSA 4096 keys to be set in the Lambda Environment.
Issue certificates for ED25519 public keys (RSA CA).
New option to validate the remote username against the IAM groups of the calling user.
Updated dependencies.

I had to go and discover the right link. I'd like to save that trouble for other readers.

Add link to Amazon Linux repository

The flag is not needed and breaks scripts if the input device does not have a TTY

… latest Amazon Linux.

* Plus minor formatting proposals

Netflix#87

Netflix#86

…' into lambda-host-split.

… request schemas.

You can now use bless_lambda_user.lambda_handler_user for user cert requests and bless_lambda_host.lambda_handler_host for host cert requests.  Please note that as implemented, anyone who can call the host lambda can obtain host certs for any hostname.

In addition to bless_lambda.lambda_handler, you can now use bless_lambda_user.lambda_handler_user for user cert requests and bless_lambda_host.lambda_handler_host for host cert requests.  Please note that as implemented, anyone who can call the host lambda can obtain host certs for any hostname.

Features include:
New support for a Host SSH Certificate Lambda.  Please consider how you will control who can obtain host certs for which hostnames before using.
Updated publishing code to build with the latest Amazon Linux 2.
Validated for Python 3.7 Lambda runtime.
Updated dependencies.
Various typo fixes.

Release prep

Pull upstream changes in netflix/bless into lyft's fork lyft/bless