luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
6609 commits 1 branch 0 tags 214 MiB
Commit graph

830 commits

Author SHA1 Message Date
Brian Kassouf 3ecb344878 wrap plugin database type with metrics middleware 2017-03-14 13:12:47 -07:00
Brian Kassouf 822a3eb20a Add a metrics middleware 2017-03-14 13:11:28 -07:00
Stanislav Grozev 662b372364 Reads on unconfigured SSH CA public key return 400 2017-03-14 10:21:48 -04:00
Stanislav Grozev 7d59d7d3ac Reads on ssh/config/ca return the public keys 
If configured/generated.
 2017-03-14 10:21:48 -04:00
Stanislav Grozev 830de2dbbd If generating an SSH CA signing key - return the public part 
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
 2017-03-14 10:21:48 -04:00
Brian Kassouf 2054fff890 Add a way to initalize plugins and builtin databases the same way. 2017-03-13 14:39:55 -07:00
Brian Kassouf 71b81aad23 Add checksum attribute 2017-03-10 14:10:42 -08:00
Brian Kassouf a11911d4d4 Rename reset to close 2017-03-09 22:35:45 -08:00
Brian Kassouf fda45f531d Add special path to enforce root on plugin configuration 2017-03-09 21:31:29 -08:00
Brian Kassouf 748c70cfb4 Add plugin file 2017-03-09 17:43:58 -08:00
Brian Kassouf 9099231229 Add plugin features 2017-03-09 17:43:37 -08:00
Vishal Nayak 220beb2cde doc: ssh allowed_users update (#2462) 
* doc: ssh allowed_users update

* added some more context in default_user field
 2017-03-09 10:34:55 -05:00
vishalnayak f085cd71ab Fix typo 2017-03-08 17:49:39 -05:00
Brian Kassouf b7128f8370 Update secrets fields 2017-03-08 14:46:53 -08:00
Vishal Nayak 766c2e6ee0 SSH CA enhancements (#2442) 
* Use constants for storage paths

* Upgrade path for public key storage

* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes

* Remove a print statement

* Added tests for upgrade case

* Make exporting consistent in creation bundle

* unexporting and constants

* Move keys into a struct instead of plain string

* minor changes
 2017-03-08 17:36:21 -05:00
Brian Kassouf 2fb6bf9882 Fix renew and revoke calls 2017-03-07 17:21:44 -08:00
Brian Kassouf b7c3b4b0d7 Add defaults to the cassandra databse type 2017-03-07 17:00:52 -08:00
Brian Kassouf 3976a2a0a6 Pass statements object 2017-03-07 16:48:17 -08:00
Brian Kassouf 843d584254 Remove unused sql object 2017-03-07 15:34:23 -08:00
Brian Kassouf 919155ab12 Remove double lock 2017-03-07 15:33:05 -08:00
Brian Kassouf c959882b93 Update locking functionaility 2017-03-07 13:48:29 -08:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449) 
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
 2017-03-07 11:21:22 -05:00
Brian Kassouf bc53e119ca rename mysql variable 2017-03-03 15:07:41 -08:00
Brian Kassouf bba832e6bf Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config 2017-03-03 14:38:49 -08:00
Brian Kassouf 29e07ac9e8 Fix mysql connections 2017-03-03 14:38:49 -08:00
Brian Kassouf 24ddea9954 Add mysql into the factory 2017-03-03 14:38:48 -08:00
Brian Kassouf 8e8f260d96 Add max connection lifetime param and set consistancy on cassandra session 2017-03-03 14:38:48 -08:00
Brian Kassouf 1f009518cd s/Statement/Statements/ 2017-03-03 14:38:48 -08:00
Brian Kassouf 46aa7142c1 Add mysql database type 2017-03-03 14:38:48 -08:00
Brian Kassouf 2ec5ab5616 More work on refactor and cassandra database 2017-03-03 14:38:48 -08:00
Brian Kassouf acdcd79af3 Begin work on database refactor 2017-03-03 14:38:48 -08:00
Vishal Nayak 4b81bcb379 ssh: Added DeleteOperation to config/ca (#2434) 
* ssh: Added DeleteOperation to config/ca

* Address review feedback
 2017-03-03 10:19:45 -05:00
Jeff Mitchell 55e69277ce Update SSH CA logic/tests 2017-03-02 16:39:22 -05:00
Vishal Nayak a1331278ff Refactor the generate_signing_key processing (#2430) 2017-03-02 16:22:06 -05:00
Jeff Mitchell fa474924aa Update error text to make it more obvious what the issue is when valid principals aren't found 2017-03-02 15:56:08 -05:00
Jeff Mitchell eca68d5913 Fix a bunch of errors from returning 5xx, and parse more duration types 2017-03-02 15:38:34 -05:00
Will May 70bfdb5ae9 Changes from code review 2017-03-02 14:36:13 -05:00
Will May 36b3d89604 Allow internal generation of the signing SSH key pair 2017-03-02 14:36:13 -05:00
Vishal Nayak 3795d2ea64 Rework ssh ca (#2419) 
* docs: input format for default_critical_options and default_extensions

* s/sshca/ssh

* Added default_critical_options and default_extensions to the read endpoint of role

* Change default time return value to 0
 2017-03-01 15:50:23 -05:00
Will May 9f75f84175 Changes from code review 
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
 2017-03-01 15:19:18 -05:00
Will May ff1ff02bd7 Changes from code review 
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
 2017-03-01 15:19:18 -05:00
Will May 099d561b20 Add ability to create SSH certificates 2017-03-01 15:19:18 -05:00
vishalnayak 2e911fc650 Fix broken build caused due to resolve merge conflicts 2017-02-24 12:41:20 -05:00
Vishal Nayak c6f138bb9a PKI: Role switch to control lease generation (#2403) 
* pki: Make generation of leases optional

* pki: add tests for upgrading generate_lease

* pki: add tests for leased and non-leased certs

* docs++ pki generate_lease

* Generate lease is applicable for both issuing and signing

* pki: fix tests

* Address review feedback

* Address review feedback
 2017-02-24 12:12:40 -05:00
Saj Goonatilleke 01f3056b8b pki: Include private_key_type on DER-formatted responses from /pki/issue/ (#2405) 2017-02-24 11:17:59 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388) 
* More porting from rep

* Address review feedback
 2017-02-16 16:29:30 -05:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell c96fe56d44 Fix copypasta, thanks tests 2017-02-16 01:32:39 -05:00
Jeff Mitchell 817bec0955 Add Organization support to PKI backend. (#2380) 
Fixes #2369
 2017-02-16 01:04:29 -05:00
Vishal Nayak 7f2717b74a transit: change batch input format (#2331) 
* transit: change batch input format

* transit: no json-in-json for batch response

* docs: transit: update batch input format

* transit: fix tests after changing response format
 2017-02-06 14:56:16 -05:00
Vishal Nayak 5fb28f53cb Transit: Support batch encryption and decryption (#2143) 
* Transit: Support batch encryption

* Address review feedback

* Make the normal flow go through as a batch request

* Transit: Error out if encryption fails during batch processing

* Transit: Infer the 'derived' parameter based on 'context' being set

* Transit: Batch encryption doc updates

* Transit: Return a JSON string instead of []byte

* Transit: Add batch encryption tests

* Remove plaintext empty check

* Added tests for batch encryption, more coming..

* Added more batch encryption tests

* Check for base64 decoding of plaintext before encrypting

* Transit: Support batch decryption

* Transit: Added tests for batch decryption

* Transit: Doc update for batch decryption

* Transit: Sync the path-help and website docs for decrypt endpoint

* Add batch processing for rewrap

* transit: input validation for context

* transit: add rewrap batch option to docs

* Remove unnecessary variables from test

* transit: Added tests for rewrap use cases

* Address review feedback

* Address review feedback

* Address review feedback

* transit: move input checking out of critical path

* transit: allow empty plaintexts for batch encryption

* transit: use common structs for batch processing

* transit: avoid duplicate creation of structs; add omitempty to response structs

* transit: address review feedback

* transit: fix tests

* address review feedback

* transit: fix tests

* transit: rewrap encrypt user error should not error out

* transit: error out for internal errors
 2017-02-02 14:24:20 -05:00
Jeff Mitchell 47274eca88 Add cleanup functions to multiple DB backends. (#2313) 
Ensure it's called on unmount, not just for seal.
 2017-02-01 14:05:25 -05:00
Jeff Mitchell f1a5a858d3 Make export errors a bit more meaningful 2017-01-30 09:25:50 -05:00
Jeff Mitchell 2e15dc93df Have transit exporting return the same structure regardless of one key or many 2017-01-28 10:37:35 -05:00
Brian Kassouf e788780709 Migrate cassandra test from acceptance to dockertest (#2295) 2017-01-25 15:37:55 -05:00
Jeff Mitchell f43a041bf2 Revert "Disable PKI OU tests to fix the build" 
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
 2017-01-24 09:58:28 -05:00
vishalnayak c8b6ab7223 Disable PKI OU tests to fix the build 2017-01-24 06:25:56 -05:00
joe miller 98df700495 allow roles to set OU value in certificates issued by the pki backend (#2251) 2017-01-23 12:44:45 -05:00
Chris Hoffman 7568a212b1 Adding support for exportable transit keys (#2133) 2017-01-23 11:04:43 -05:00
Vishal Nayak fa7d61baa3 Merge pull request #2202 from fcantournet/fix_govet_fatalf 
all: test: Fix govet warnings
 2017-01-17 16:45:35 -05:00
Matthew Irish cb8bbc4fbd Transit key actions (#2254) 
* add supports_* for transit key reads

* update transit docs with new supports_* fields
 2017-01-11 10:05:06 -06:00
joe miller 78dacc154a sign-verbatim should set use_csr_common_name to true (#2243) 2017-01-10 09:47:59 -05:00
Jeff Mitchell 80dc5819d3 Use dockertest.v2 (#2247) 
New dockertest has a totally different API and will require some serious
refactoring. This will tide over until then by pinning the API version.
 2017-01-09 13:46:54 -05:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings 
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
 2016-12-21 19:44:07 +01:00
vishalnayak 1816446f46 Address review feedback 2016-12-20 11:19:47 -05:00
vishalnayak b3e323bbcc pki: Avoiding a storage read 2016-12-20 11:07:20 -05:00
vishalnayak 2e23f1a992 pki: Appended error to error message 2016-12-19 10:49:32 -05:00
vishalnayak ba1cc709bd PKI: Added error to the error message 2016-12-19 10:47:29 -05:00
Jeff Mitchell bb54bd40f6 normalize some capitlization in error messages 2016-12-15 19:02:33 -05:00
Jeff Mitchell 6ee61af87f Fix nil value panic when Consul returns a user error (#2145) 2016-12-01 10:22:32 -08:00
vascop ba3dc07bb3 Fix typo and remove trailing whitespace. (#2074) 2016-11-08 09:32:23 -05:00
Jeff Mitchell 26fa2655b1 Add listing to Consul secret roles (#2065) 2016-11-04 12:35:16 -04:00
vishalnayak dc93e57cf1 Return the revocation_sql from role read all the time 2016-10-27 12:24:31 -04:00
vishalnayak e0fb8c17ce Added revocation_sql to the website docs 2016-10-27 12:15:08 -04:00
vishalnayak c14a6c8666 Move policy test to keysutil package 2016-10-26 19:57:28 -04:00
vishalnayak 6d1e1a3ba5 Pulled out transit's lock manager and policy structs into a helper 2016-10-26 19:52:31 -04:00
vishalnayak 931c96d1ba ssh: Use temporary file to store the identity file 2016-10-18 12:50:12 -04:00
Chris Hoffman 4b6e82afcb Add ability to list keys in transit backend (#1987) 2016-10-18 10:13:01 -04:00
Laura Bennett 5ce9737eb4 address feedback 2016-10-10 12:16:55 -04:00
Laura Bennett e5a7e3d6cb initial commit to fix empty consistency option issue 2016-10-08 20:22:26 -04:00
Jeff Mitchell 70a9fc47b4 Don't use quoted identifier for the username 2016-10-05 14:31:19 -04:00
Jeff Mitchell 7f9a88d8db Postgres revocation sql, beta mode (#1972) 2016-10-05 13:52:59 -04:00
vishalnayak de5dec6b15 Refactor mysql's revoke SQL 2016-10-04 19:30:25 -04:00
Vishal Nayak 1ab7023483 Merge pull request #1914 from jpweber/mysql-revoke 
Mysql revoke with non-wildcard hosts
 2016-10-04 17:44:15 -04:00
Jim Weber 87f206b536 removed an unused ok variable. Added warning and force use for default queries if role is nil 2016-10-04 17:15:29 -04:00
Jim Weber cc38f3253a fixed an incorrect assignment 2016-10-03 21:51:40 -04:00
Jim Weber ac78ddc178 More resilient around cases of missing role names and using the default when needed. 2016-10-03 20:20:00 -04:00
Jim Weber 0a7f1089ca Refactored logic some to make sure we can always fall back to default revoke statments 
Changed rolename to role
made default sql revoke statments a const
 2016-10-03 15:59:56 -04:00
Jim Weber 704fccaf2e fixed some more issues I had with the tests. 2016-10-03 15:58:09 -04:00
Jim Weber a2d6624a69 renamed rolname to role 2016-10-03 15:57:47 -04:00
Jim Weber bfb0c2d3ff Reduced duplicated code and fixed comments and simple variable name mistakes 2016-10-03 14:53:05 -04:00
Jim Weber bb70ecc5a7 Added test for revoking mysql user with wild card host and non-wildcard host 2016-10-02 22:28:54 -04:00
Jim Weber dbb00534d9 saving role name to the Secret Internal data. Default revoke query added 
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path

Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.

Cleaned up personal ignores from the .gitignore file
 2016-10-02 18:53:16 -04:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Laura Bennett 010293ccc3 Merge pull request #1931 from hashicorp/cass-consistency 
Adding consistency into cassandra
 2016-09-27 21:12:02 -04:00
Chris Hoffman d235acf809 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
Laura Bennett 5ac43873c4 minor updates 2016-09-27 20:35:11 -04:00
Laura Bennett e14fe05c13 added parsing at role creation 2016-09-27 16:01:51 -04:00
Laura Bennett 4938aa56bf initial commit for consistency added into cassandra 2016-09-27 13:25:18 -04:00
Vishal Nayak b1ee56a15b Merge pull request #1910 from hashicorp/secret-id-cidr-list 
CIDR restrictions on Secret ID
 2016-09-26 10:22:48 -04:00
Jim Weber e0ea497cfe Getting role name from the creds path used in revocation 2016-09-23 16:57:08 -04:00
Jim Weber 8709406eb3 secretCredsRevoke command no longer uses hardcoded query 
The removal of a user from the db is now handled similar to the
creation. The SQL is read out of a key from the role and then executed
with values substituted for username.
 2016-09-23 16:05:49 -04:00
Jim Weber 1bed6bfc2c Added support for a revokeSQL key value pair to the role 2016-09-23 16:00:23 -04:00
Jeff Mitchell 6bf871995b Don't use time.Time in responses. (#1912) 
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
 2016-09-23 12:32:07 -04:00
vishalnayak c26754000b Fix ssh tests 2016-09-22 11:37:55 -04:00
vishalnayak 93604e1e2e Added cidrutil helper 2016-09-21 13:58:32 -04:00
Jeff Mitchell 676e7e0f07 Ensure upgrades have a valid HMAC key 2016-09-21 11:10:57 -04:00
Jeff Mitchell 0ff76e16d2 Transit and audit enhancements 2016-09-21 10:49:26 -04:00
Chris Hoffman 5c241d31e7 Renaming ttl_max -> max_ttl in mssql backend (#1905) 2016-09-20 12:39:02 -04:00
Jeff Mitchell 897d3c6d2c Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop. 2016-09-16 11:05:43 -04:00
Jeff Mitchell 197c7eae5f Allow encrypting empty ciphertext values. (#1881) 
Replaces #1874
 2016-09-13 12:00:04 -04:00
vishalnayak b599948e1c Use uuid.GenerateRandomBytes 2016-09-09 14:17:09 -04:00
vishalnayak 127f61473b Not exposing structs from the backend's package 2016-09-01 11:57:28 -04:00
Jeff Mitchell 1db0544b7a Use unexported kdf const names 2016-08-31 07:19:58 -04:00
Jeff Mitchell d2239d22d9 Use hkdf for transit key derivation for new keys (#1812) 
Use hkdf for transit key derivation for new keys
 2016-08-30 16:29:09 -04:00
vishalnayak 9dbc97028b STS path field description update 2016-08-30 10:53:21 -04:00
vishalnayak 0b07ec7303 Added UpdateOperation to logical AWS STS path 2016-08-30 10:30:13 -04:00
Vishal Nayak cdd1d96a64 Merge pull request #1804 from hashicorp/issue-1800 
Mark STS secrets as non-renwable
 2016-08-29 11:46:19 -04:00
navinanandaraj 8612b6139e Fixes #1801 Reuse Cassandra session object for create creds (#1802) 2016-08-28 17:32:41 -04:00
Jeff Mitchell f0537572a8 Mark STS secrets as non-renwable 
Ping #1800
 2016-08-28 14:27:56 -04:00
Jeff Mitchell 0b113f7916 Derive nonce fully in convergent mode (#1796) 
Ping #1794
 2016-08-26 17:01:56 -04:00
Jeff Mitchell 2f5876dfe9 Use key derivation for convergent nonce. (#1794) 
Use key derivation for convergent nonce.

Fixes #1792
 2016-08-26 14:11:03 -04:00
Jeff Mitchell 28739f3528 Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 15:04:04 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
Jeff Mitchell 86874def5c Parameter change 
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
 2016-08-14 21:43:57 -04:00
Jeff Mitchell 39cfd116b6 Cleanup 2016-08-13 11:52:09 -04:00
Jeff Mitchell 1b8711e7b7 Ensure utc value is not zero before adding 2016-08-13 11:50:57 -04:00
Jeff Mitchell d6d08250ff Ensure values to be encoded in a CRL are in UTC. This aligns with the 
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.

Fixes #1727
 2016-08-13 08:40:09 -04:00
Jeff Mitchell b69ed7ea93 Fix build 2016-08-08 17:00:59 -04:00
Jeff Mitchell 7f6c58b807 Address review feedback 2016-08-08 16:30:48 -04:00
Jeff Mitchell 606ba64e23 Remove context-as-nonce, add docs, and properly support datakey 2016-08-07 15:53:40 -04:00
Jeff Mitchell 1976bc0534 Add unit tests for convergence in non-context mode 2016-08-07 15:16:36 -04:00
Jeff Mitchell 8b1d47037e Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 17:52:44 -04:00
Vincent Batoufflet 0b73c2ff9a Fix PKI logical backend email alt_names 2016-08-04 12:10:34 +02:00
Jeff Mitchell 58e9cbbfc6 Add postgres test for block statements 2016-08-03 15:34:50 -04:00
Jeff Mitchell 9e204bd88c Add arbitrary string slice parsing. 
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.

Fixes #1619 in theory.
 2016-08-03 14:24:16 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Jeff Mitchell e0c5f5f5fa Add convergence tests to transit backend 2016-07-28 11:30:52 -04:00
Laura Bennett 559b0a5006 Merge pull request #1635 from hashicorp/mysql-idle-conns 
Added maximum idle connections to mysql to close hashicorp/vault#1616
 2016-07-20 15:31:37 -04:00
Jeff Mitchell b558c35943 Set defaults to handle upgrade cases. 
Ping #1604
 2016-07-20 14:07:19 -04:00
Jeff Mitchell f2b6569b0b Merge pull request #1604 from memory/mysql-displayname-2 
concat role name and token displayname to form mysql username
 2016-07-20 14:02:17 -04:00
Nathan J. Mehl ea294f1d27 use both role name and token display name to form mysql username 2016-07-20 10:17:00 -07:00
Laura Bennett e6bf4fa489 whitespace error corrected 2016-07-20 12:00:05 -04:00
Nathan J. Mehl 0483457ad2 respond to feedback from @vishalnayak 
- split out usernameLength and displaynameLength truncation values,
  as they are different things

- fetch username and displayname lengths from the role, not from
  the request parameters

- add appropriate defaults for username and displayname lengths
 2016-07-20 06:36:51 -07:00
Laura Bennett 7cdb8a28bc max_idle_connections added 2016-07-20 09:26:26 -04:00
Laura Bennett 03c7eb7d18 initial commit before rebase to stay current with master 2016-07-19 14:18:37 -04:00
Jeff Mitchell 30ca541f99 Merge pull request #1414 from mhurne/mongodb-secret-backend 
Add mongodb secret backend
 2016-07-19 13:56:15 -04:00
Jeff Mitchell 3334b22993 Some minor linting 2016-07-19 13:54:18 -04:00
Matt Hurne 0f9ee8fbed Merge branch 'master' into mongodb-secret-backend 2016-07-19 12:47:58 -04:00
Matt Hurne 072c5bc915 mongodb secret backend: Remove redundant type declarations 2016-07-19 12:35:14 -04:00
Matt Hurne c7d42cb112 mongodb secret backend: Fix broken tests, clean up unused parameters 2016-07-19 12:26:23 -04:00
Vishal Nayak fbb04349b5 Merge pull request #1629 from hashicorp/remove-verify-connection 
Remove unused VerifyConnection from storage entries of SQL backends
 2016-07-19 12:21:23 -04:00
Vishal Nayak 8a1bb1626a Merge pull request #1583 from hashicorp/ssh-allowed-roles 
Add allowed_roles to ssh-helper-config and return role name from verify call
 2016-07-19 12:04:12 -04:00
vishalnayak 7fb04a1bbd Remove unused VerifyConnection from storage entries of SQL backends 2016-07-19 11:55:49 -04:00
Matt Hurne 316837857b mongodb secret backend: Return lease ttl and max_ttl in lease read in seconds rather than as duration strings 2016-07-19 11:23:56 -04:00
Matt Hurne f18d98272d mongodb secret backend: Don't bother persisting verify_connection field in connection config 2016-07-19 11:20:45 -04:00
Matt Hurne f8e6bcbb69 mongodb secret backend: Handle cases where stored username or db is not a string as expected when revoking credentials 2016-07-19 11:18:00 -04:00
Matt Hurne 75a5fbd8fe Merge branch 'master' into mongodb-secret-backend 2016-07-19 10:38:45 -04:00
Jeff Mitchell 434ed2faf2 Merge pull request #1573 from mickhansen/logical-postgresql-revoke-sequences 
handle revocations for roles that have privileges on sequences
 2016-07-18 13:30:42 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number 
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
 2016-07-15 19:21:55 -04:00
Vishal Nayak cdf58da43b Merge pull request #1610 from hashicorp/min-tls-ver-12 
Set minimum TLS version in all tls.Config objects
 2016-07-13 10:53:14 -06:00
vishalnayak 09a4142fd3 Handled upgrade path for TLSMinVersion 2016-07-13 12:42:51 -04:00
Vishal Nayak 9f1e6c7b26 Merge pull request #1607 from hashicorp/standardize-time 
Remove redundant invocations of UTC() call on `time.Time` objects
 2016-07-13 10:19:23 -06:00
vishalnayak de19314f18 Address review feedback 2016-07-13 11:52:26 -04:00
vishalnayak 407722a9b4 Added tls_min_version to consul storage backend 2016-07-12 20:10:54 -04:00
Nathan J. Mehl 314a5ecec0 allow overriding the default truncation length for mysql usernames 
see https://github.com/hashicorp/vault/issues/1605
 2016-07-12 17:05:43 -07:00
vishalnayak f34f0ef503 Make 'tls_min_version' configurable 2016-07-12 19:32:47 -04:00
vishalnayak 46d34130ac Set minimum TLS version in all tls.Config objects 2016-07-12 17:06:28 -04:00
vishalnayak 8269f323d3 Revert 'risky' changes 2016-07-12 16:38:07 -04:00
Jeff Mitchell 57cdb58374 Switch to pester from go-retryablehttp to avoid swallowing 500 error messages 2016-07-11 21:37:46 +00:00
Mick Hansen 9ee4542a7c incorporate code style guidelines 2016-07-11 13:35:35 +02:00
Mick Hansen c25788e1d4 handle revocations for roles that have privileges on sequences 2016-07-11 13:16:45 +02:00
Nathan J. Mehl 2cf4490b37 use role name rather than token displayname in generated mysql usernames 
If a single token generates multiple myself roles, the generated mysql
username was previously prepended with the displayname of the vault
user; this makes the output of `show processlist` in mysql potentially
difficult to correlate with the roles actually in use without cross-
checking against the vault audit log.

See https://github.com/hashicorp/vault/pull/1603 for further discussion.
 2016-07-10 15:57:47 -07:00
Matt Hurne 6505e85dae mongodb secret backend: Improve safety of MongoDB roles storage 2016-07-09 21:12:42 -04:00
vishalnayak e09b40e155 Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-08 18:30:18 -04:00
Matt Hurne bb8a45eb8b Format code in mongodb secret backend 2016-07-07 23:16:11 -04:00
Matt Hurne 8d5a7992c1 mongodb secret backend: Improve and correct errors in documentation; improve "parameter is required" error response messages 2016-07-07 23:09:45 -04:00
Matt Hurne eee6f04e40 mongodb secret backend: Refactor to eliminate unnecessary variable 2016-07-07 22:29:17 -04:00
Matt Hurne ce845df43c mongodb secret backend: Consider a "user not found" response a success when removing a user from Mongo 2016-07-07 22:27:47 -04:00
Matt Hurne 138d74f745 mongodb secret backend: Improve roles path help 2016-07-07 22:16:34 -04:00
Matt Hurne 7f9d91acb6 mongodb secret backend: Remove default value for Mongo authentication DB for roles; validate that role name and authentication db were specified when creating a role 2016-07-07 22:09:00 -04:00
Matt Hurne de84cdabe6 mongodb secret backend: Leverage framework.TypeDurationSecond to simplify storage of lease ttl and max_ttl 2016-07-07 21:48:44 -04:00
Matt Hurne 6d7c9f5424 mongodb secret backend: Verify existing Session is still working before reusing it 2016-07-07 21:37:44 -04:00
vishalnayak db3670c353 Fix transit tests 2016-07-06 22:04:08 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers. 
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
 2016-07-06 12:25:40 -04:00
vishalnayak 5367a7223d Add allowed_roles to ssh-helper-config and return role name from verify call 2016-07-05 11:14:29 -04:00
Matt Hurne 769d20c770 Merge branch 'master' into mongodb-secret-backend 2016-07-05 09:33:12 -04:00
Matt Hurne ba9c97b915 mongodb secret backend: Add support for reading connection configuration; Dockerize tests 2016-07-05 09:32:38 -04:00
Sean Chittenden 2e828383e0
Move the parameter down to where the statement is executed. 2016-07-03 16:20:27 -07:00
Sean Chittenden 08fb1a30d4
Use lib/pq's QuoteIdentifier() on all identifiers and Prepare 
for all literals.
 2016-07-03 16:01:39 -07:00
Matt Hurne 292c2fad69 Merge branch 'master' into mongodb-secret-backend 2016-07-01 20:39:13 -04:00
Jeff Mitchell 4a8d9eb942 Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time. 2016-07-01 17:28:48 -04:00
Jeff Mitchell 369dcff5f9 Merge pull request #1581 from mp911de/cassandra_connect_timeout 
Support connect_timeout for Cassandra and align timeout.
 2016-07-01 22:33:24 +02:00
Mark Paluch ab63c938c4 Address review feedback. 
Switch ConnectTimeout to framework.TypeDurationSecond  with a default of 5. Remove own parsing code.
 2016-07-01 22:26:08 +02:00
Mark Paluch 3859f7938a Support connect_timeout for Cassandra and align timeout. 
The cassandra backend now supports a configurable connect timeout. The timeout is configured using the connect_timeout parameter in the session configuration.  Also align the timeout to 5 seconds which is the default for the Python and Java drivers.

Fixes #1538
 2016-07-01 21:22:37 +02:00
Jeff Mitchell db211a4b61 Migrate Consul acceptance tests to Docker 2016-07-01 13:59:56 -04:00
Matt Hurne cdde4071d7 mongodb secret backend: Parse ssl URI option as a boolean rather than relying on string comparison 2016-07-01 13:55:06 -04:00
Jeff Mitchell a2e95614d6 Have SQL backends Ping() before access. 
If unsuccessful, reestablish connections as needed.
 2016-07-01 12:02:17 -04:00
Jeff Mitchell e50e331ffc Always run transit acceptance tests 2016-07-01 11:45:56 -04:00