Commit graph

756 commits

Author SHA1 Message Date
Jeff Mitchell 5dcfe7bf5f
Fix a dropped Okta error (#6592) 2019-04-16 13:05:50 -04:00
Jeff Mitchell 213b9fd1cf Update to api 1.0.1 and sdk 0.1.8 2019-04-15 14:10:07 -04:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 28e2ce8577 Fix build breakages 2019-04-12 22:01:13 -04:00
Becca Petrin 6ded269700
Merge pull request #6268 from hashicorp/6234-aws-region
Add region to CLI for generating AWS login data
2019-04-12 16:15:38 -07:00
Jeff Mitchell 80c303ac83 Move ldaputil and tlsutil over to sdk 2019-04-12 18:26:54 -04:00
Jeff Mitchell a1796b3ece Move password to sdk 2019-04-12 18:12:13 -04:00
Jeff Mitchell 8d6ce1ffb5 Move policyutil to sdk 2019-04-12 18:08:46 -04:00
Jeff Mitchell 7ca424e8d2 Move cidrutil to sdk 2019-04-12 18:03:59 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Becca Petrin 4a4eab50a1 Merge branch 'opensource-master' into 6234-aws-region 2019-04-03 11:37:33 -07:00
Jeff Mitchell 0e93244b14 Clean up test artifacts 2019-04-02 15:09:31 -04:00
Jeff Mitchell a6d6d55c03
Fix failing cert test due to cert expiration (#6520)
This introduces a way to just generate new certs for each test. It
doesn't port everything over but we can over time.
2019-04-02 14:49:42 -04:00
Calvin Leung Huang 000066aff7
Update builtin/credential/aws/cli.go
Co-Authored-By: tyrannosaurus-becks <beccapetrin@posteo.net>
2019-04-01 15:37:02 -07:00
Becca Petrin 339cfcaaf8 merge master 2019-04-01 13:52:44 -07:00
T.K 453f1ac109 changed misspelled english words (#6432) 2019-03-19 09:32:45 -04:00
Iskander (Alex) Sharipov b4d30a1b6c all: fix no-op append calls (#6360)
Append call in form of `append(s)` has no effect,
it just returns `s`. Sometimes such invocation is a sign
of a programming error, so it's better to remove these.

Signed-off-by: Iskander Sharipov <quasilyte@gmail.com>
2019-03-14 13:40:30 -07:00
Martin 1b9327fe3f Fix inverted description for ldap/users$ and ldap/groups$ endpoints (#6406) 2019-03-13 11:02:45 -07:00
Becca Petrin 5829774e91
Support env vars for STS region (#6284) 2019-02-28 09:31:06 -08:00
Joel Thompson dbff485a1f Coax AWS SDK to use right region for STS 2019-02-20 22:57:39 -05:00
Becca Petrin 65b8ad9187 allow aws region in cli login 2019-02-20 16:43:21 -08:00
madalynrose 625f0c7546
Update OpenAPI responses to include information the UI can use (#6204) 2019-02-14 12:42:44 -05:00
Jeff Mitchell 82a85aa8c8 Make fmt 2019-02-08 09:12:55 -05:00
Naoki Ainoya a967078d80 add missing key bound_cidrs in pathCertRead Response (#6080) 2019-02-07 22:41:38 -05:00
Jeff Mitchell 2f9a7c6203
Add more perf standby guards (#6149) 2019-02-01 16:56:57 -05:00
Jeff Mitchell bbc1d53a5d Revert "Refactor common token fields and operations into a helper (#5953)"
This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 11:23:40 -05:00
Joel Thompson 33400e6e99 Fix typo in help text (#6136)
Small typo introduced in #6133
2019-01-31 08:53:54 -08:00
Jeff Mitchell 85a560abba
Refactor common token fields and operations into a helper (#5953) 2019-01-30 16:23:28 -05:00
Jeff Mitchell d8b0015d71 Add role ID to token metadata and internal data 2019-01-30 16:17:31 -05:00
Jeff Mitchell 47accf8086 Add role_id as an alias name source for AWS and change the defaults 2019-01-30 15:51:45 -05:00
Jeff Mitchell 159f0c1b0a Fix typo in comment 2019-01-17 13:28:27 -05:00
Vishal Nayak 0c30f46587
Add option to configure ec2_alias values (#5846)
* Add option to configure ec2_alias values

* Doc updates

* Fix overwriting of previous config value

* s/configEntry/config

* Fix formatting

* Address review feedback

* Address review feedback
2019-01-09 18:28:29 -05:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Brian Kassouf 0c6793d774
Update path_role.go (#5820) 2018-11-19 13:40:36 -08:00
Jeff Mitchell fa26beeaed fmt 2018-11-07 16:52:01 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Calvin Leung Huang b4503d02c6
Call wg.Add(1) outside of goroutine (#5716) 2018-11-06 16:36:13 -08:00
Jeff Mitchell 8eca41ee2d Fix build 2018-10-27 14:06:20 -04:00
Jeff Mitchell a21a7e9eb4
Change ordering of user lookup vs. password hashing (#5614)
* Change ordering of user lookup vs. password hashing

This fixes a very minor information leak where someone could brute force
the existence of a username. It's not perfect as the underlying storage
plays a part but bcrypt's slowness puts that much more in the noise.
2018-10-27 10:43:08 -07:00
Jeff Mitchell 89f0efb6a1 fmt 2018-10-20 21:09:51 -04:00
Jeff Mitchell 841c4fcdd1 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-19 09:25:17 -04:00
Evgeniy Zakharochkin 46948aef80 ability to add NAS Identifier header to radius request (#5465) 2018-10-18 13:41:14 -04:00
Jeff Mitchell d843e0b52c Merge branch 'master-oss' into 1.0-beta-oss 2018-10-18 10:28:14 -04:00
Vishal Nayak 4c8aa842ad
Return absolute paths while listing in LDAP backend (#5537) 2018-10-17 14:56:51 -07:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Becca Petrin 937cfff21a
Make builtin auth and secret plugins buildable (#5456) 2018-10-09 09:29:20 -07:00
Brian Kassouf 2995c06a53
Fix build (#5457) 2018-10-03 14:53:08 -07:00
Jeff Mitchell 13f98d9a4b
Fix reading Okta token parameter when config param exists (#5429)
Fixes #5409
2018-09-28 11:28:06 -04:00
joe miller d39ffc9e25 add allowed_organiztaional_units parameter to cert credential backend (#5252)
Specifying the `allowed_organiztaional_units` parameter to a cert auth
backend role will require client certificates to contain at least one of
a list of one or more "organizational units" (OU).

Example use cases:

Certificates are issued to entities in an organization arrangement by
organizational unit (OU). The OU may be a department, team, or any other logical
grouping of resources with similar roles. The entities within the OU
should be granted the same policies.

```
$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering

$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering,support
```
2018-09-27 19:04:55 -05:00
Joel Thompson 2dc468f4d1 auth/aws: Make identity alias configurable (#5247)
* auth/aws: Make identity alias configurable

This is inspired by #4178, though not quite exactly what is requested
there. Rather than just use RoleSessionName as the Identity alias, the
full ARN is uses as the Alias. This mitigates against concerns that an
AWS role with an insufficiently secured trust policy could allow an
attacker to generate arbitrary RoleSessionNames in AssumeRole calls to
impersonate anybody in the Identity store that had an alias set up.
By using the full ARN, the owner of the identity store has to explicitly
trust specific AWS roles in specific AWS accounts to generate an
appropriate RoleSessionName to map back to an identity.

Fixes #4178

* Respond to PR feedback

* Remove CreateOperation

Response to PR feedback
2018-09-26 08:27:12 -07:00
Clint 5882156f53
Translate AWS Rate limiting errors to 502 errors (#5270)
* Initial implemntation of returning 529 for rate limits

- bump aws iam and sts packages to v1.14.31 to get mocking interface
- promote the iam and sts clients to the aws backend struct, for mocking in tests
- this also promotes some functions to methods on the Backend struct, so
  that we can use the injected client

Generating creds requires reading config/root for credentials to contact
IAM. Here we make pathConfigRoot a method on aws/backend so we can clear
the clients on successful update of config/root path. Adds a mutex to
safely clear the clients

* refactor locking and unlocking into methods on *backend

* refactor/simply the locking

* check client after grabbing lock
2018-09-18 15:26:06 -05:00
Brian Kassouf a2608a3b61
Fix approle tidy on performance standbys (#5338)
* Fix approle tidy on performance standbys

* Forward PKI and AWS also
2018-09-17 09:53:23 -07:00
Clint 5f5af90dfe
Update AWS auth backend iam_request_headers to be TypeHeader (#5320)
Update AWS Auth backend to use TypeHeader for iam request headers

- Remove parseIamRequestHeaders function and test, no longer needed with new TypeHeader
- Update AWS auth login docs
2018-09-12 16:16:16 -05:00
Becca Petrin b2ff87c9c2
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 13:30:57 -07:00
Jim Kalafut e1a326152d
Switch to strings.EqualFold (#5284) 2018-09-11 16:22:29 -07:00
Jeff Mitchell 7191bca71a
Re-add injecting into top routes (#5244) 2018-09-05 11:45:17 -04:00
Joel Thompson acc85de6b9 auth/aws: Fix outdated help texts (#5253) 2018-09-04 10:55:02 -07:00
Becca Petrin 7a8c116fb1
undo make fmt (#5265) 2018-09-04 09:29:18 -07:00
Becca Petrin ed7639b0ec
run make fmt (#5261) 2018-09-04 09:12:59 -07:00
Calvin Leung Huang 9988ace85e gofmt files (#5233) 2018-08-31 09:15:40 -07:00
Jeff Mitchell e58a8a63a7
Add the ability to specify token CIDR restrictions on secret IDs. (#5136)
Fixes #5034
2018-08-21 11:54:04 -04:00
Jim Kalafut 212b00593d
Improve error message formatting (#5029)
Fixes #4999
2018-08-01 16:20:56 -07:00
Jeff Mitchell 34a0ae1e5d
Update path_tidy_user_id_test.go 2018-07-25 03:37:24 -04:00
Jeff Mitchell 7e6faf021d Fix race in test 2018-07-25 00:18:32 -04:00
Jeff Mitchell 9bfd73bfc6 Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 14:00:53 -07:00
Jeff Mitchell d144f2935e Two-pronged fix for renew policy checking (#4960)
1) In backends, ensure they are now using TokenPolicies
2) Don't reassign auth.Policies until after expmgr registration as we
don't need them at that point

Fixes #4829
2018-07-24 12:03:11 -07:00
andrejvanderzee c1c9e23fc5 Fixed writing config attribute 'max_retries' for existing client configs for aws auth method. (#4980) 2018-07-24 10:09:44 -04:00
Jeff Mitchell 9775340547 Log nil secret IDs instead of swallowing error 2018-07-23 17:46:20 -04:00
Jeff Mitchell 50ea7f3825 Fix context shadowing during radius login (#4941)
Fixes #4938
2018-07-17 11:17:07 -07:00
Becca Petrin ba39deb411 fix possible panic (#4942) 2018-07-17 11:15:28 -07:00
Jeff Mitchell 92ed8fa571 Fix test 2018-07-12 08:29:04 -04:00
Jeff Mitchell 4b354e1110
Re-add dockertest and fix up imports and update script (#4909) 2018-07-11 17:49:13 -04:00
Jeff Mitchell 4d1a6690f5
Use Go's in-built permitted DNS domain logic (#4908)
Fixes #4863
2018-07-11 17:35:46 -04:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Jeff Mitchell 3fee2cc8dd Simplify logic 2018-06-19 23:07:56 -04:00
Calvin Leung Huang ac4be8d44d Do not fail login if no policies are mapped to the user or group (#4798)
* Do not fail login if no policies are mapped to the user or group

* Remove debug line

* Remove restriction in radius
2018-06-19 23:00:22 -04:00
Becca Petrin 73cbbe2a9f Add bound cidrs to tokens in AppRole (#4680) 2018-06-19 22:57:11 -04:00
Chris Hoffman 52f9f7412c
correct delete path for tidy operations (#4799) 2018-06-19 20:58:12 -04:00
Vishal Nayak 69eff9c354
return 404 when role does exist on update operations (#4778) 2018-06-18 09:29:05 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Vishal Nayak cb3c689798
Fix panic due to metadata being nil (#4719)
* Fix panic due to metadata being nil

* added a nil check

* Added a test

* ensure metadata is never nil

* Remove unnecessary allocation

* revert back to early initialization
2018-06-11 11:22:26 -04:00
Jeff Mitchell 8916f6b625
Some atomic cleanup (#4732)
Taking inspiration from
https://github.com/golang/go/issues/17604#issuecomment-256384471
suggests that taking the address of a stack variable for use in atomics
works (at least, the race detector doesn't complain) but is doing it
wrong.

The only other change is a change in Leader() detecting if HA is enabled
to fast-path out. This value never changes after NewCore, so we don't
need to grab the read lock to check it.
2018-06-09 15:35:22 -04:00
Vishal Nayak 11e2fd2fce approle: Fix role name case sensitivity issue 2018-06-05 18:53:27 -04:00
Jeff Mitchell 0138351ea4
Return generic messages if pre-login ldap operations fail (#4700)
This avoids leaking any information about valid usernames.
2018-06-05 11:23:10 -04:00
Becca Petrin b558b388ce strip checking cidrs on renewals (#4682) 2018-06-03 09:22:54 -04:00
Jeff Mitchell c4b53bc805 Block travis from running ldap tests as the test server is often failing 2018-05-30 08:46:25 -04:00
Jeff Mitchell 3e95305efa Fix mistaken extra Period value 2018-05-25 11:54:36 -04:00
Nicholas Jackson 17460461a0 Breakout parameters for x.509 certificate login (#4463) 2018-05-25 10:34:46 -04:00
Becca Petrin 4c1d8013f3
move fields and field parsing to helper (#4603) 2018-05-21 17:04:26 -07:00
Becca Petrin fb04064967
Restrict userpass logins & tokens by CIDR (#4557) 2018-05-21 11:47:28 -07:00
Becca Petrin 910925457f
Move LDAP client and config code to helper (#4532) 2018-05-10 14:12:42 -07:00
Becca Petrin e4656c1264
Shorten code by using ParseAddrs (#4546) 2018-05-10 13:21:55 -07:00
Becca Petrin 76c717b081
Restrict cert auth by CIDR (#4478) 2018-05-09 15:39:55 -07:00
Vishal Nayak df8484f7af
approle: Make invalid role_id a 400 error instead of 500 (#4470)
* make invalid role_id a 400 error

* remove single-use validateCredentials function

* remove single-use validateBindSecretID function

* adjust the error message for CIDR check failure

* locking updates as review feedback
2018-05-04 10:15:16 -04:00
Jeff Mitchell b1d44a7dee
Fix alias data being used for cert auth (serial number -> common name) (#4495)
Fixes #4475
2018-05-04 10:08:23 -04:00
vishalnayak 9ef3a36007 s/enable_local_secret_ids/local_secret_ids 2018-04-24 17:52:42 -04:00
vishalnayak 965a16f888 remove unneeded comments 2018-04-24 16:28:25 -04:00
vishalnayak b91d53fd76 refactor to be able to defer lock.Unlock() 2018-04-24 16:17:24 -04:00
vishalnayak f3dd8b3d17 fix typo 2018-04-24 16:03:18 -04:00