luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/builtin/credential/cert/path_certs.go

455 lines
14 KiB
Go
Raw Normal View History

credential/cert: major refactor
2015-04-24 17:31:57 +00:00
package cert
import (
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
"context"
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
"crypto/x509"
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior.
2015-10-06 01:10:20 +00:00
"fmt"
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
"strings"
credential/cert: support leasing and renewal
2015-04-24 19:58:39 +00:00
"time"
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
Run goimports across the repository (#6010) The result will still pass gofmtcheck and won't trigger additional changes if someone isn't using goimports, but it will avoid the piecemeal imports changes we've been seeing.
2019-01-09 00:48:57 +00:00
sockaddr "github.com/hashicorp/go-sockaddr"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/sdk/framework"
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
"github.com/hashicorp/vault/sdk/helper/tokenutil"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/logical"
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
)
Add list support to certs in cert auth backend. Fixes #1212
2016-03-15 18:07:40 +00:00
func pathListCerts(b *backend) *framework.Path {
return &framework.Path{
Pattern: "certs/?",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathCertList,
},
HelpSynopsis: pathCertHelpSyn,
HelpDescription: pathCertHelpDesc,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Navigation: true,
ItemType: "Certificate",
},
Add list support to certs in cert auth backend. Fixes #1212
2016-03-15 18:07:40 +00:00
}
}
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
func pathCerts(b *backend) *framework.Path {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
p := &framework.Path{
Vault: Fix wild card paths for all backends
2015-08-21 07:56:13 +00:00
Pattern: "certs/" + framework.GenericNameRegex("name"),
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
Fields: map[string]*framework.FieldSchema{
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"name": {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
Type: framework.TypeString,
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
Description: "The name of the certificate",
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"certificate": {
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 18:01:28 +00:00
Type: framework.TypeString,
Description: `The public certificate that should be trusted.
Must be x509 PEM encoded.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
EditType: "file",
},
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_names": {
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice
2017-04-30 15:37:10 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of names.
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
At least one must exist in either the Common Name or SANs. Supports globbing.
This parameter is deprecated, please use allowed_common_names, allowed_dns_sans,
allowed_email_sans, allowed_uri_sans.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Group: "Constraints",
},
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_common_names": {
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of names.
At least one must exist in the Common Name. Supports globbing.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Group: "Constraints",
},
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_dns_sans": {
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of DNS names.
At least one must exist in the SANs. Supports globbing.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
Name: "Allowed DNS SANs",
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
Group: "Constraints",
},
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_email_sans": {
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of Email Addresses.
At least one must exist in the SANs. Supports globbing.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
Name: "Allowed Email SANs",
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
Group: "Constraints",
},
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_uri_sans": {
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of URIs.
At least one must exist in the SANs. Supports globbing.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
Name: "Allowed URI SANs",
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
Group: "Constraints",
},
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice
2017-04-30 15:37:10 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_organizational_units": {
add allowed_organiztaional_units parameter to cert credential backend (#5252) Specifying the `allowed_organiztaional_units` parameter to a cert auth backend role will require client certificates to contain at least one of a list of one or more "organizational units" (OU). Example use cases: Certificates are issued to entities in an organization arrangement by organizational unit (OU). The OU may be a department, team, or any other logical grouping of resources with similar roles. The entities within the OU should be granted the same policies. ``` $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering,support ```
2018-09-28 00:04:55 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of Organizational Units names.
At least one must exist in the OU field.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Group: "Constraints",
},
add allowed_organiztaional_units parameter to cert credential backend (#5252) Specifying the `allowed_organiztaional_units` parameter to a cert auth backend role will require client certificates to contain at least one of a list of one or more "organizational units" (OU). Example use cases: Certificates are issued to entities in an organization arrangement by organizational unit (OU). The OU may be a department, team, or any other logical grouping of resources with similar roles. The entities within the OU should be granted the same policies. ``` $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering,support ```
2018-09-28 00:04:55 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"required_extensions": {
Use Custom Cert Extensions as Cert Auth Constraint (#3634)
2017-12-18 17:53:44 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated string or array of extensions
formatted as "oid:value". Expects the extension value to be some type of ASN1 encoded string.
All values much match. Supports globbing on "value".`,
},
auth/cert: Add certificate extensions as metadata (#13348) * auth/cert: Add certificate extensions as metadata Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be> * Add changelog for #13348 Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
2022-01-03 21:38:16 +00:00
"allowed_metadata_extensions": {
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated string or array of oid extensions.
Upon successfull authentication, these extensions will be added as metadata if they are present
in the certificate. The metadata key will be the string consisting of the oid numbers
separated by a dash (-) instead of a dot (.) to allow usage in ACL templates.`,
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"display_name": {
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 18:01:28 +00:00
Type: framework.TypeString,
Description: `The display name to use for clients using this
certificate.`,
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"policies": {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
Type: framework.TypeCommaStringSlice,
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Description: tokenutil.DeprecationText("token_policies"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"lease": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeInt,
Description: tokenutil.DeprecationText("token_ttl"),
Deprecated: true,
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 18:01:28 +00:00
},
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"ttl": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_ttl"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"max_ttl": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_max_ttl"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"period": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_period"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"bound_cidrs": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeCommaStringSlice,
Description: tokenutil.DeprecationText("token_bound_cidrs"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.DeleteOperation: b.pathCertDelete,
logical.ReadOperation: b.pathCertRead,
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
logical.UpdateOperation: b.pathCertWrite,
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
},
HelpSynopsis: pathCertHelpSyn,
HelpDescription: pathCertHelpDesc,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Action: "Create",
ItemType: "Certificate",
},
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
tokenutil.AddTokenFields(p.Fields)
return p
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
func (b *backend) Cert(ctx context.Context, s logical.Storage, n string) (*CertEntry, error) {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
entry, err := s.Get(ctx, "cert/"+strings.ToLower(n))
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
if err != nil {
return nil, err
}
if entry == nil {
return nil, nil
}
var result CertEntry
if err := entry.DecodeJSON(&result); err != nil {
return nil, err
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if result.TokenTTL == 0 && result.TTL > 0 {
result.TokenTTL = result.TTL
}
if result.TokenMaxTTL == 0 && result.MaxTTL > 0 {
result.TokenMaxTTL = result.MaxTTL
}
if result.TokenPeriod == 0 && result.Period > 0 {
result.TokenPeriod = result.Period
}
if len(result.TokenPolicies) == 0 && len(result.Policies) > 0 {
result.TokenPolicies = result.Policies
}
if len(result.TokenBoundCIDRs) == 0 && len(result.BoundCIDRs) > 0 {
result.TokenBoundCIDRs = result.BoundCIDRs
}
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
return &result, nil
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
func (b *backend) pathCertDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
err := req.Storage.Delete(ctx, "cert/"+strings.ToLower(d.Get("name").(string)))
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
if err != nil {
return nil, err
}
return nil, nil
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
func (b *backend) pathCertList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
certs, err := req.Storage.List(ctx, "cert/")
Add list support to certs in cert auth backend. Fixes #1212
2016-03-15 18:07:40 +00:00
if err != nil {
return nil, err
}
return logical.ListResponse(certs), nil
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
func (b *backend) pathCertRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
cert, err := b.Cert(ctx, req.Storage, strings.ToLower(d.Get("name").(string)))
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
if err != nil {
return nil, err
}
if cert == nil {
return nil, nil
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
data := map[string]interface{}{
"certificate": cert.Certificate,
"display_name": cert.DisplayName,
"allowed_names": cert.AllowedNames,
"allowed_common_names": cert.AllowedCommonNames,
"allowed_dns_sans": cert.AllowedDNSSANs,
"allowed_email_sans": cert.AllowedEmailSANs,
"allowed_uri_sans": cert.AllowedURISANs,
"allowed_organizational_units": cert.AllowedOrganizationalUnits,
"required_extensions": cert.RequiredExtensions,
auth/cert: Add certificate extensions as metadata (#13348) * auth/cert: Add certificate extensions as metadata Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be> * Add changelog for #13348 Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
2022-01-03 21:38:16 +00:00
"allowed_metadata_extensions": cert.AllowedMetadataExtensions,
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
cert.PopulateTokenData(data)
if cert.TTL > 0 {
data["ttl"] = int64(cert.TTL.Seconds())
}
if cert.MaxTTL > 0 {
data["max_ttl"] = int64(cert.MaxTTL.Seconds())
}
if cert.Period > 0 {
data["period"] = int64(cert.Period.Seconds())
}
if len(cert.Policies) > 0 {
data["policies"] = data["token_policies"]
}
if len(cert.BoundCIDRs) > 0 {
data["bound_cidrs"] = data["token_bound_cidrs"]
}
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
return &logical.Response{
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Data: data,
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}, nil
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
name := strings.ToLower(d.Get("name").(string))
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
cert, err := b.Cert(ctx, req.Storage, name)
if err != nil {
return nil, err
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if cert == nil {
cert = &CertEntry{
Name: name,
}
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
// Get non tokenutil fields
if certificateRaw, ok := d.GetOk("certificate"); ok {
cert.Certificate = certificateRaw.(string)
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if displayNameRaw, ok := d.GetOk("display_name"); ok {
cert.DisplayName = displayNameRaw.(string)
}
if allowedNamesRaw, ok := d.GetOk("allowed_names"); ok {
cert.AllowedNames = allowedNamesRaw.([]string)
}
if allowedCommonNamesRaw, ok := d.GetOk("allowed_common_names"); ok {
cert.AllowedCommonNames = allowedCommonNamesRaw.([]string)
}
if allowedDNSSANsRaw, ok := d.GetOk("allowed_dns_sans"); ok {
cert.AllowedDNSSANs = allowedDNSSANsRaw.([]string)
}
if allowedEmailSANsRaw, ok := d.GetOk("allowed_email_sans"); ok {
cert.AllowedEmailSANs = allowedEmailSANsRaw.([]string)
}
if allowedURISANsRaw, ok := d.GetOk("allowed_uri_sans"); ok {
cert.AllowedURISANs = allowedURISANsRaw.([]string)
}
if allowedOrganizationalUnitsRaw, ok := d.GetOk("allowed_organizational_units"); ok {
cert.AllowedOrganizationalUnits = allowedOrganizationalUnitsRaw.([]string)
}
if requiredExtensionsRaw, ok := d.GetOk("required_extensions"); ok {
cert.RequiredExtensions = requiredExtensionsRaw.([]string)
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
}
auth/cert: Add certificate extensions as metadata (#13348) * auth/cert: Add certificate extensions as metadata Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be> * Add changelog for #13348 Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
2022-01-03 21:38:16 +00:00
if allowedMetadataExtensionsRaw, ok := d.GetOk("allowed_metadata_extensions"); ok {
cert.AllowedMetadataExtensions = allowedMetadataExtensionsRaw.([]string)
}
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
// Get tokenutil fields
if err := cert.ParseTokenFields(req, d); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
// Handle upgrade cases
{
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "policies", "token_policies", &cert.Policies, &cert.TokenPolicies); err != nil {
return logical.ErrorResponse(err.Error()), nil
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "ttl", "token_ttl", &cert.TTL, &cert.TokenTTL); err != nil {
return logical.ErrorResponse(err.Error()), nil
}
// Special case here for old lease value
_, ok := d.GetOk("token_ttl")
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if !ok {
_, ok = d.GetOk("ttl")
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if !ok {
ttlRaw, ok := d.GetOk("lease")
if ok {
cert.TTL = time.Duration(ttlRaw.(int)) * time.Second
cert.TokenTTL = cert.TTL
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
}
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "max_ttl", "token_max_ttl", &cert.MaxTTL, &cert.TokenMaxTTL); err != nil {
return logical.ErrorResponse(err.Error()), nil
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "period", "token_period", &cert.Period, &cert.TokenPeriod); err != nil {
return logical.ErrorResponse(err.Error()), nil
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "bound_cidrs", "token_bound_cidrs", &cert.BoundCIDRs, &cert.TokenBoundCIDRs); err != nil {
return logical.ErrorResponse(err.Error()), nil
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
var resp logical.Response
systemDefaultTTL := b.System().DefaultLeaseTTL()
if cert.TokenTTL > systemDefaultTTL {
resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds is greater than current mount/system default of %d seconds", cert.TokenTTL/time.Second, systemDefaultTTL/time.Second))
}
systemMaxTTL := b.System().MaxLeaseTTL()
if cert.TokenMaxTTL > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given max_ttl of %d seconds is greater than current mount/system default of %d seconds", cert.TokenMaxTTL/time.Second, systemMaxTTL/time.Second))
}
if cert.TokenMaxTTL != 0 && cert.TokenTTL > cert.TokenMaxTTL {
return logical.ErrorResponse("ttl should be shorter than max_ttl"), nil
}
if cert.TokenPeriod > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given period of %d seconds is greater than the backend's maximum TTL of %d seconds", cert.TokenPeriod/time.Second, systemMaxTTL/time.Second))
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
}
credential/cert: default display name
2015-04-24 17:52:17 +00:00
// Default the display name to the certificate name if not given
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if cert.DisplayName == "" {
cert.DisplayName = name
credential/cert: default display name
2015-04-24 17:52:17 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
parsed := parsePEM([]byte(cert.Certificate))
credential/cert: more validation on cert setup
2015-04-24 17:39:44 +00:00
if len(parsed) == 0 {
return logical.ErrorResponse("failed to parse certificate"), nil
}
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
// If the certificate is not a CA cert, then ensure that x509.ExtKeyUsageClientAuth is set
corrections, policy matching changes and test cert changes
2016-02-29 23:29:41 +00:00
if !parsed[0].IsCA && parsed[0].ExtKeyUsage != nil {
Added testcase for cert writes
2016-02-29 21:02:19 +00:00
var clientAuth bool
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
for _, usage := range parsed[0].ExtKeyUsage {
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow
2016-03-01 15:24:22 +00:00
if usage == x509.ExtKeyUsageClientAuth || usage == x509.ExtKeyUsageAny {
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
clientAuth = true
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow
2016-03-01 15:24:22 +00:00
break
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
}
}
if !clientAuth {
corrections, policy matching changes and test cert changes
2016-02-29 23:29:41 +00:00
return logical.ErrorResponse("non-CA certificates should have TLS client authentication set as an extended key usage"), nil
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
}
}
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
// Store it
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
entry, err := logical.StorageEntryJSON("cert/"+name, cert)
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
if err != nil {
return nil, err
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
if err := req.Storage.Put(ctx, entry); err != nil {
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
return nil, err
}
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
if len(resp.Warnings) == 0 {
return nil, nil
}
return &resp, nil
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}
type CertEntry struct {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
tokenutil.TokenParams
add allowed_organiztaional_units parameter to cert credential backend (#5252) Specifying the `allowed_organiztaional_units` parameter to a cert auth backend role will require client certificates to contain at least one of a list of one or more "organizational units" (OU). Example use cases: Certificates are issued to entities in an organization arrangement by organizational unit (OU). The OU may be a department, team, or any other logical grouping of resources with similar roles. The entities within the OU should be granted the same policies. ``` $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering,support ```
2018-09-28 00:04:55 +00:00
Name string
Certificate string
DisplayName string
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
Policies []string
TTL time.Duration
MaxTTL time.Duration
Period time.Duration
add allowed_organiztaional_units parameter to cert credential backend (#5252) Specifying the `allowed_organiztaional_units` parameter to a cert auth backend role will require client certificates to contain at least one of a list of one or more "organizational units" (OU). Example use cases: Certificates are issued to entities in an organization arrangement by organizational unit (OU). The OU may be a department, team, or any other logical grouping of resources with similar roles. The entities within the OU should be granted the same policies. ``` $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering,support ```
2018-09-28 00:04:55 +00:00
AllowedNames []string
AllowedCommonNames []string
AllowedDNSSANs []string
AllowedEmailSANs []string
AllowedURISANs []string
AllowedOrganizationalUnits []string
RequiredExtensions []string
auth/cert: Add certificate extensions as metadata (#13348) * auth/cert: Add certificate extensions as metadata Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be> * Add changelog for #13348 Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
2022-01-03 21:38:16 +00:00
AllowedMetadataExtensions []string
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
BoundCIDRs []*sockaddr.SockAddrMarshaler
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}
const pathCertHelpSyn = `
Manage trusted certificates used for authentication.
`
const pathCertHelpDesc = `
This endpoint allows you to create, read, update, and delete trusted certificates
that are allowed to authenticate.
Deleting a certificate will not revoke auth for prior authenticated connections.
To do this, do a revoke on "login". If you don't need to revoke login immediately,
then the next renew will cause the lease to expire.
`
Reference in a new issue Copy permalink