luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/builtin/credential/cert/path_certs.go

442 lines
13 KiB
Go
Raw Normal View History

credential/cert: major refactor
2015-04-24 17:31:57 +00:00
package cert
import (
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
"context"
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
"crypto/x509"
Add CRLSets endpoints; write method is done. Add verification logic to login path. Change certs "ttl" field to be a string to match common backend behavior.
2015-10-06 01:10:20 +00:00
"fmt"
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
"strings"
credential/cert: support leasing and renewal
2015-04-24 19:58:39 +00:00
"time"
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
Run goimports across the repository (#6010) The result will still pass gofmtcheck and won't trigger additional changes if someone isn't using goimports, but it will avoid the piecemeal imports changes we've been seeing.
2019-01-09 00:48:57 +00:00
sockaddr "github.com/hashicorp/go-sockaddr"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/sdk/framework"
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
"github.com/hashicorp/vault/sdk/helper/tokenutil"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/logical"
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
)
Add list support to certs in cert auth backend. Fixes #1212
2016-03-15 18:07:40 +00:00
func pathListCerts(b *backend) *framework.Path {
return &framework.Path{
Pattern: "certs/?",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathCertList,
},
HelpSynopsis: pathCertHelpSyn,
HelpDescription: pathCertHelpDesc,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Navigation: true,
ItemType: "Certificate",
},
Add list support to certs in cert auth backend. Fixes #1212
2016-03-15 18:07:40 +00:00
}
}
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
func pathCerts(b *backend) *framework.Path {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
p := &framework.Path{
Vault: Fix wild card paths for all backends
2015-08-21 07:56:13 +00:00
Pattern: "certs/" + framework.GenericNameRegex("name"),
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
Fields: map[string]*framework.FieldSchema{
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"name": {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
Type: framework.TypeString,
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
Description: "The name of the certificate",
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"certificate": {
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 18:01:28 +00:00
Type: framework.TypeString,
Description: `The public certificate that should be trusted.
Must be x509 PEM encoded.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
EditType: "file",
},
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_names": {
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice
2017-04-30 15:37:10 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of names.
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
At least one must exist in either the Common Name or SANs. Supports globbing.
This parameter is deprecated, please use allowed_common_names, allowed_dns_sans,
allowed_email_sans, allowed_uri_sans.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Group: "Constraints",
},
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_common_names": {
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of names.
At least one must exist in the Common Name. Supports globbing.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Group: "Constraints",
},
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_dns_sans": {
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of DNS names.
At least one must exist in the SANs. Supports globbing.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
Name: "Allowed DNS SANs",
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
Group: "Constraints",
},
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_email_sans": {
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of Email Addresses.
At least one must exist in the SANs. Supports globbing.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
Name: "Allowed Email SANs",
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
Group: "Constraints",
},
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_uri_sans": {
Breakout parameters for x.509 certificate login (#4463)
2018-05-25 14:34:46 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of URIs.
At least one must exist in the SANs. Supports globbing.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
Name: "Allowed URI SANs",
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
Group: "Constraints",
},
Add constraints on the Common Name for certificate-based authentication (#2595) * Refactor to consolidate constraints on the matching chain * Add CN prefix/suffix constraint * Maintain backwards compatibility (pick a random cert if multiple match) * Vendor go-glob * Replace cn_prefix/suffix with required_name/globbing Move all the new tests to acceptance-capable tests instead of embedding in the CRL test * Allow authenticating against a single cert * Add new params to documentation * Add CLI support for new param * Refactor for style * Support multiple (ORed) name patterns * Rename required_names to allowed_names * Update docs for parameter rename * Use the new TypeCommaStringSlice
2017-04-30 15:37:10 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"allowed_organizational_units": {
add allowed_organiztaional_units parameter to cert credential backend (#5252) Specifying the `allowed_organiztaional_units` parameter to a cert auth backend role will require client certificates to contain at least one of a list of one or more "organizational units" (OU). Example use cases: Certificates are issued to entities in an organization arrangement by organizational unit (OU). The OU may be a department, team, or any other logical grouping of resources with similar roles. The entities within the OU should be granted the same policies. ``` $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering,support ```
2018-09-28 00:04:55 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated list of Organizational Units names.
At least one must exist in the OU field.`,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Group: "Constraints",
},
add allowed_organiztaional_units parameter to cert credential backend (#5252) Specifying the `allowed_organiztaional_units` parameter to a cert auth backend role will require client certificates to contain at least one of a list of one or more "organizational units" (OU). Example use cases: Certificates are issued to entities in an organization arrangement by organizational unit (OU). The OU may be a department, team, or any other logical grouping of resources with similar roles. The entities within the OU should be granted the same policies. ``` $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering,support ```
2018-09-28 00:04:55 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"required_extensions": {
Use Custom Cert Extensions as Cert Auth Constraint (#3634)
2017-12-18 17:53:44 +00:00
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated string or array of extensions
formatted as "oid:value". Expects the extension value to be some type of ASN1 encoded string.
All values much match. Supports globbing on "value".`,
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"display_name": {
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 18:01:28 +00:00
Type: framework.TypeString,
Description: `The display name to use for clients using this
certificate.`,
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"policies": {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
Type: framework.TypeCommaStringSlice,
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Description: tokenutil.DeprecationText("token_policies"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"lease": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeInt,
Description: tokenutil.DeprecationText("token_ttl"),
Deprecated: true,
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 18:01:28 +00:00
},
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"ttl": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_ttl"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"max_ttl": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_max_ttl"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"period": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeDurationSecond,
Description: tokenutil.DeprecationText("token_period"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"bound_cidrs": {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Type: framework.TypeCommaStringSlice,
Description: tokenutil.DeprecationText("token_bound_cidrs"),
Deprecated: true,
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
},
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.DeleteOperation: b.pathCertDelete,
logical.ReadOperation: b.pathCertRead,
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
logical.UpdateOperation: b.pathCertWrite,
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
},
HelpSynopsis: pathCertHelpSyn,
HelpDescription: pathCertHelpDesc,
Enable generated items for more auth methods (#7513) * enable auth method item configuration in go code * properly parse and list generated items * make sure we only set name on attrs if a label comes from openAPI * correctly construct paths object for method index route * set sensitive property on password for userpass * remove debugger statements * pass method model to list route template to use paths on model for tabs * update tab generation in generated item list, undo enabling userpass users * enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint * add editType to DisplayAttributes, pull tokenutil fields into field group * show sensitive message for sensitive fields displayed in fieldGroupShow component * grab sensitive and editType fields from displayAttrs in openapi-to-attrs util * make sure we don't ask for paths for secret backends since that isn't setup yet * fix styling of sensitive text for fieldGroupShow component * update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test * properly log errors to the console * capitalize This value is sensitive... * get rid of extra padding on bottom of fieldgroupshow * make auth methods clickable and use new confirm ux * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * Update sdk/framework/path.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * add whitespace * return intErr instead of err * uncomment out helpUrl because we need it * remove extra box class * use const instead of let * remove extra conditional since we already split the pathName later on * ensure we request the correct url when listing generated items * use const * link to list and show pages * remove dead code * show nested item name instead of id * add comments * show tooltip for text-file inputs * fix storybook * remove extra filter * add TODOs * add comments * comment out unused variables but leave them in function signature * only link to auth methods that can be fully managed in the ui * clean up comments * only render tooltip if there is helpText * rename id authMethodPath * remove optionsForQuery since we don't need it * add indentation * standardize ConfirmMessage and show model name instead of id when editing * standardize ConfirmMessage and show model name instead of id when editing * add comments * post to the correct updateUrl so we can edit users and groups * use pop instead of slice * add TODO for finding a better way to store ids * ensure ids are handled the same way on list and show pages; fix editing and deleting * add comment about difference between list and show urls * use model.id instead of name since we do not need it * remove dead code * ensure list pages have page headers * standardize using authMethodPath instead of method and remove dead code * i love indentation * remove more dead code * use new Confirm * show correct flash message when deleting an item * update flash message for creating and updating * use plus icon for creating group/user instead of an arrow
2019-10-17 23:19:14 +00:00
DisplayAttrs: &framework.DisplayAttributes{
Action: "Create",
ItemType: "Certificate",
},
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
tokenutil.AddTokenFields(p.Fields)
return p
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
func (b *backend) Cert(ctx context.Context, s logical.Storage, n string) (*CertEntry, error) {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
entry, err := s.Get(ctx, "cert/"+strings.ToLower(n))
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
if err != nil {
return nil, err
}
if entry == nil {
return nil, nil
}
var result CertEntry
if err := entry.DecodeJSON(&result); err != nil {
return nil, err
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if result.TokenTTL == 0 && result.TTL > 0 {
result.TokenTTL = result.TTL
}
if result.TokenMaxTTL == 0 && result.MaxTTL > 0 {
result.TokenMaxTTL = result.MaxTTL
}
if result.TokenPeriod == 0 && result.Period > 0 {
result.TokenPeriod = result.Period
}
if len(result.TokenPolicies) == 0 && len(result.Policies) > 0 {
result.TokenPolicies = result.Policies
}
if len(result.TokenBoundCIDRs) == 0 && len(result.BoundCIDRs) > 0 {
result.TokenBoundCIDRs = result.BoundCIDRs
}
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
return &result, nil
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
func (b *backend) pathCertDelete(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
err := req.Storage.Delete(ctx, "cert/"+strings.ToLower(d.Get("name").(string)))
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
if err != nil {
return nil, err
}
return nil, nil
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
func (b *backend) pathCertList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
certs, err := req.Storage.List(ctx, "cert/")
Add list support to certs in cert auth backend. Fixes #1212
2016-03-15 18:07:40 +00:00
if err != nil {
return nil, err
}
return logical.ListResponse(certs), nil
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
func (b *backend) pathCertRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
cert, err := b.Cert(ctx, req.Storage, strings.ToLower(d.Get("name").(string)))
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
if err != nil {
return nil, err
}
if cert == nil {
return nil, nil
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
data := map[string]interface{}{
"certificate": cert.Certificate,
"display_name": cert.DisplayName,
"allowed_names": cert.AllowedNames,
"allowed_common_names": cert.AllowedCommonNames,
"allowed_dns_sans": cert.AllowedDNSSANs,
"allowed_email_sans": cert.AllowedEmailSANs,
"allowed_uri_sans": cert.AllowedURISANs,
"allowed_organizational_units": cert.AllowedOrganizationalUnits,
"required_extensions": cert.RequiredExtensions,
}
cert.PopulateTokenData(data)
if cert.TTL > 0 {
data["ttl"] = int64(cert.TTL.Seconds())
}
if cert.MaxTTL > 0 {
data["max_ttl"] = int64(cert.MaxTTL.Seconds())
}
if cert.Period > 0 {
data["period"] = int64(cert.Period.Seconds())
}
if len(cert.Policies) > 0 {
data["policies"] = data["token_policies"]
}
if len(cert.BoundCIDRs) > 0 {
data["bound_cidrs"] = data["token_bound_cidrs"]
}
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
return &logical.Response{
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
Data: data,
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}, nil
}
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
func (b *backend) pathCertWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
name := strings.ToLower(d.Get("name").(string))
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
cert, err := b.Cert(ctx, req.Storage, name)
if err != nil {
return nil, err
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if cert == nil {
cert = &CertEntry{
Name: name,
}
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
// Get non tokenutil fields
if certificateRaw, ok := d.GetOk("certificate"); ok {
cert.Certificate = certificateRaw.(string)
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if displayNameRaw, ok := d.GetOk("display_name"); ok {
cert.DisplayName = displayNameRaw.(string)
}
if allowedNamesRaw, ok := d.GetOk("allowed_names"); ok {
cert.AllowedNames = allowedNamesRaw.([]string)
}
if allowedCommonNamesRaw, ok := d.GetOk("allowed_common_names"); ok {
cert.AllowedCommonNames = allowedCommonNamesRaw.([]string)
}
if allowedDNSSANsRaw, ok := d.GetOk("allowed_dns_sans"); ok {
cert.AllowedDNSSANs = allowedDNSSANsRaw.([]string)
}
if allowedEmailSANsRaw, ok := d.GetOk("allowed_email_sans"); ok {
cert.AllowedEmailSANs = allowedEmailSANsRaw.([]string)
}
if allowedURISANsRaw, ok := d.GetOk("allowed_uri_sans"); ok {
cert.AllowedURISANs = allowedURISANsRaw.([]string)
}
if allowedOrganizationalUnitsRaw, ok := d.GetOk("allowed_organizational_units"); ok {
cert.AllowedOrganizationalUnits = allowedOrganizationalUnitsRaw.([]string)
}
if requiredExtensionsRaw, ok := d.GetOk("required_extensions"); ok {
cert.RequiredExtensions = requiredExtensionsRaw.([]string)
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
// Get tokenutil fields
if err := cert.ParseTokenFields(req, d); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
// Handle upgrade cases
{
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "policies", "token_policies", &cert.Policies, &cert.TokenPolicies); err != nil {
return logical.ErrorResponse(err.Error()), nil
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "ttl", "token_ttl", &cert.TTL, &cert.TokenTTL); err != nil {
return logical.ErrorResponse(err.Error()), nil
}
// Special case here for old lease value
_, ok := d.GetOk("token_ttl")
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if !ok {
_, ok = d.GetOk("ttl")
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if !ok {
ttlRaw, ok := d.GetOk("lease")
if ok {
cert.TTL = time.Duration(ttlRaw.(int)) * time.Second
cert.TokenTTL = cert.TTL
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
}
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "max_ttl", "token_max_ttl", &cert.MaxTTL, &cert.TokenMaxTTL); err != nil {
return logical.ErrorResponse(err.Error()), nil
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "period", "token_period", &cert.Period, &cert.TokenPeriod); err != nil {
return logical.ErrorResponse(err.Error()), nil
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
Add UpgradeValue path to tokenutil (#7041) This drastically reduces boilerplate for upgrading existing values
2019-07-02 13:52:05 +00:00
if err := tokenutil.UpgradeValue(d, "bound_cidrs", "token_bound_cidrs", &cert.BoundCIDRs, &cert.TokenBoundCIDRs); err != nil {
return logical.ErrorResponse(err.Error()), nil
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
}
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
var resp logical.Response
systemDefaultTTL := b.System().DefaultLeaseTTL()
if cert.TokenTTL > systemDefaultTTL {
resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds is greater than current mount/system default of %d seconds", cert.TokenTTL/time.Second, systemDefaultTTL/time.Second))
}
systemMaxTTL := b.System().MaxLeaseTTL()
if cert.TokenMaxTTL > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given max_ttl of %d seconds is greater than current mount/system default of %d seconds", cert.TokenMaxTTL/time.Second, systemMaxTTL/time.Second))
}
if cert.TokenMaxTTL != 0 && cert.TokenTTL > cert.TokenMaxTTL {
return logical.ErrorResponse("ttl should be shorter than max_ttl"), nil
}
if cert.TokenPeriod > systemMaxTTL {
resp.AddWarning(fmt.Sprintf("Given period of %d seconds is greater than the backend's maximum TTL of %d seconds", cert.TokenPeriod/time.Second, systemMaxTTL/time.Second))
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
}
credential/cert: default display name
2015-04-24 17:52:17 +00:00
// Default the display name to the certificate name if not given
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
if cert.DisplayName == "" {
cert.DisplayName = name
credential/cert: default display name
2015-04-24 17:52:17 +00:00
}
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
parsed := parsePEM([]byte(cert.Certificate))
credential/cert: more validation on cert setup
2015-04-24 17:39:44 +00:00
if len(parsed) == 0 {
return logical.ErrorResponse("failed to parse certificate"), nil
}
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
// If the certificate is not a CA cert, then ensure that x509.ExtKeyUsageClientAuth is set
corrections, policy matching changes and test cert changes
2016-02-29 23:29:41 +00:00
if !parsed[0].IsCA && parsed[0].ExtKeyUsage != nil {
Added testcase for cert writes
2016-02-29 21:02:19 +00:00
var clientAuth bool
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
for _, usage := range parsed[0].ExtKeyUsage {
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow
2016-03-01 15:24:22 +00:00
if usage == x509.ExtKeyUsageClientAuth || usage == x509.ExtKeyUsageAny {
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
clientAuth = true
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow
2016-03-01 15:24:22 +00:00
break
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
}
}
if !clientAuth {
corrections, policy matching changes and test cert changes
2016-02-29 23:29:41 +00:00
return logical.ErrorResponse("non-CA certificates should have TLS client authentication set as an extended key usage"), nil
supporting non-ca certs for verification
2016-02-29 15:40:15 +00:00
}
}
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
// Store it
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
entry, err := logical.StorageEntryJSON("cert/"+name, cert)
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
if err != nil {
return nil, err
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
if err := req.Storage.Put(ctx, entry); err != nil {
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
return nil, err
}
Add period and max_ttl to cert role creation (#3642)
2017-12-18 20:29:45 +00:00
if len(resp.Warnings) == 0 {
return nil, nil
}
return &resp, nil
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}
type CertEntry struct {
Switch cert to tokenutil (#7037)
2019-07-01 20:31:37 +00:00
tokenutil.TokenParams
add allowed_organiztaional_units parameter to cert credential backend (#5252) Specifying the `allowed_organiztaional_units` parameter to a cert auth backend role will require client certificates to contain at least one of a list of one or more "organizational units" (OU). Example use cases: Certificates are issued to entities in an organization arrangement by organizational unit (OU). The OU may be a department, team, or any other logical grouping of resources with similar roles. The entities within the OU should be granted the same policies. ``` $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering,support ```
2018-09-28 00:04:55 +00:00
Name string
Certificate string
DisplayName string
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
Policies []string
TTL time.Duration
MaxTTL time.Duration
Period time.Duration
add allowed_organiztaional_units parameter to cert credential backend (#5252) Specifying the `allowed_organiztaional_units` parameter to a cert auth backend role will require client certificates to contain at least one of a list of one or more "organizational units" (OU). Example use cases: Certificates are issued to entities in an organization arrangement by organizational unit (OU). The OU may be a department, team, or any other logical grouping of resources with similar roles. The entities within the OU should be granted the same policies. ``` $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering $ vault write auth/cert/certs/ou-engineering \ certificate=@ca.pem \ policies=engineering \ allowed_organiztaional_units=engineering,support ```
2018-09-28 00:04:55 +00:00
AllowedNames []string
AllowedCommonNames []string
AllowedDNSSANs []string
AllowedEmailSANs []string
AllowedURISANs []string
AllowedOrganizationalUnits []string
RequiredExtensions []string
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 16:23:40 +00:00
BoundCIDRs []*sockaddr.SockAddrMarshaler
credential/cert: major refactor
2015-04-24 17:31:57 +00:00
}
const pathCertHelpSyn = `
Manage trusted certificates used for authentication.
`
const pathCertHelpDesc = `
This endpoint allows you to create, read, update, and delete trusted certificates
that are allowed to authenticate.
Deleting a certificate will not revoke auth for prior authenticated connections.
To do this, do a revoke on "login". If you don't need to revoke login immediately,
then the next renew will cause the lease to expire.
`