f6092f8311
Don't run transit fuzzing if not during acceptance tests
2016-02-29 14:44:04 -05:00
2205133ae4
Only run PKI backend setup functions when TF_ACC is set
2016-02-29 14:41:14 -05:00
cf672400d6
fixed the error log message
2016-02-29 10:41:10 -05:00
dca18aec2e
replaced old certs, with new certs generated from PKI backend, containing IP SANs
2016-02-28 22:15:54 -05:00
7ae573b35b
Apply hyphen/underscore replacement across the entire username.
...
Handles app-id generated display names.
Fixes #1140
2016-02-26 15:26:23 -05:00
e2c15eb693
Merge pull request #1129 from hashicorp/pki-tidy
...
Add "pki/tidy" which allows removing expired certificates.
2016-02-25 10:39:54 -05:00
6b6005ee2e
Remove root token requirement from GitHub configuration
2016-02-25 08:51:53 -05:00
8ca847c9b3
Be more explicit about buffer type
2016-02-24 22:05:39 -05:00
7d41607b6e
Add "tidy/" which allows removing expired certificates.
...
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
69bcbb28aa
rename verify_cert as disable_binding and invert the logic
2016-02-24 21:01:21 -05:00
902c780f2b
make the verification of certs in renewal configurable
2016-02-24 16:42:20 -05:00
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
053bbd97ea
check CIDR block for renewal as well
2016-02-24 10:55:31 -05:00
978075a1b4
Added renewal capability to app-id backend
2016-02-24 10:40:15 -05:00
11187112bc
Improve error message returned when client attempts to generate STS credentials for a managed policy; addresses #1113
2016-02-23 08:58:28 -05:00
f56e4a604d
Merge pull request #1114 from hashicorp/dont-delete-certs
...
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
4514192145
Address review feedback
2016-02-22 16:11:01 -05:00
f43ab6a25d
Remove extra debugging from PKI tests
2016-02-22 13:39:05 -05:00
f27eab1d28
Do not delete certs (or revocation information) to avoid potential
...
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
51ced69bf8
Fix issue where leftover values after cn tests could trigger errors in ipsan tests
2016-02-22 13:35:57 -05:00
949f8a6b69
Merge pull request #1112 from hashicorp/1089-postgres-connection-url
...
postgres: connection_url fix
2016-02-22 11:36:04 -05:00
4c327ca4cc
More improvements to PKI tests; allow setting a specific seed, output
...
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
c9899a5300
postgres: connection_url fix
2016-02-22 11:22:49 -05:00
8d4c6f4c98
Use more fuzziness in PKI backend tests
2016-02-22 10:59:37 -05:00
392a26e9cd
Better handle errors from fetchCertBySerial
2016-02-22 10:36:26 -05:00
fab2d8687a
Remove root requirement for certs/ and crls/ in TLS auth backend.
...
Fixes #468
2016-02-21 15:33:33 -05:00
58432c5d57
Add tests for minimum key size checking. (This will also verify that the
...
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
c57b646848
Check role key type and bits when signing CSR.
...
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
c4abe72075
Cap the length midString in IAM user's username to 42
2016-02-19 18:31:10 -05:00
773de69796
Merge pull request #1102 from hashicorp/shorten-aws-usernames
...
Set limits on generated IAM user and STS token names.
2016-02-19 18:25:29 -05:00
574542b683
Some minor changes in mysql commenting and names
2016-02-19 16:44:52 -05:00
25b9f9b4a6
Set limits on generated IAM user and STS token names.
...
Fixes #1031
Fixes #1063
2016-02-19 16:35:06 -05:00
a16055c809
mysql: fix error message
2016-02-19 16:07:06 -05:00
38b55bd8b1
Don't deprecate value field yet
2016-02-19 16:07:06 -05:00
99f4969b20
Removed connectionString.ConnectionString
2016-02-19 16:07:05 -05:00
380b662c3d
mysql: provide allow_verification option to disable connection_url check
2016-02-19 16:07:05 -05:00
6df75231b8
Merge pull request #1100 from hashicorp/issue-1030
...
Properly escape filter values in LDAP filters
2016-02-19 14:56:40 -05:00
7fc4ee1ed7
Disallow 1024-bit RSA keys.
...
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
05b5ff69ed
Address some feedback on ldap escaping help text
2016-02-19 13:47:26 -05:00
d7b40b32db
Properly escape filter values.
...
Fixes #1030
2016-02-19 13:16:52 -05:00
c67871c36e
Update LDAP documentation with a note on escaping
2016-02-19 13:16:18 -05:00
d3f3122307
Add tests to ldap using the discover capability
2016-02-19 11:46:59 -05:00
154c326060
Add ldap tests that use a bind dn and bind password
2016-02-19 11:38:27 -05:00
3e1a07d3d0
Merge pull request #1047 from hashicorp/vault-iss999-github-renewal
...
GitHub renewal enhancements
2016-02-18 16:47:15 -05:00
ba134f5a7a
Merge pull request #1086 from hashicorp/iss962-verify-otp-response-code
...
SSH: Fix response code for ssh/verify
2016-02-18 13:32:28 -05:00
a6f3b31a36
ssh: Fix response code for ssh/verify
2016-02-16 19:46:29 -05:00
d9536043e7
Pki: Respond user error when cert is not found instead of internal error
2016-02-16 17:58:57 -05:00
0b44d81a16
Github renewal enhancement
2016-02-11 20:42:42 -05:00
3378db0166
Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
...
Fix some typos
2016-02-11 15:12:09 -05:00
880c9798b7
Merge pull request #1062 from tomrittervg/tomrittervg-AllowedBaseDomain-migration
...
AllowedBaseDomain will stay non-empty in certain error conditions. None of these conditions should be hit anyways, but this provides an extra safety check.
2016-02-11 15:07:54 -05:00
46b22745c6
Merge pull request #1053 from mwielgoszewski/postgresql-revocation
...
Fix PostgreSQL secret backend issues revoking users
2016-02-11 12:52:37 -05:00
a10dc14625
Fix AllowedBaseDomain Migration
...
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.
//untested
2016-02-09 15:42:15 -06:00
940a58cb9d
Typo in error message in path_intermediate.go
2016-02-09 15:08:30 -06:00
e5952a1c28
Typo in policy.go
2016-02-08 12:00:06 -06:00
4771884c78
Add slack on NotBefore value for generated certs.
...
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.
Fixes #1035
2016-02-07 14:00:03 -05:00
eb1deefac1
Introduce a locking inmem storage for unit tests that are doing concurrent things
2016-02-04 09:40:35 -05:00
70eeaa1519
Add transit fuzz test
2016-02-03 17:36:15 -05:00
d02930fd95
Merge pull request #1013 from hashicorp/fix-ssh-tests
...
Fix SSH tests
2016-02-02 14:22:09 -05:00
f2e8ac0658
Fix SSH test cases.
2016-02-02 12:32:50 -05:00
159754acf2
Use capabilities to determine upsert-ability in transit.
2016-02-02 10:03:14 -05:00
5ef8839e48
Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config"
...
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
2016-02-02 09:26:25 -05:00
1d385b4de3
Re-add upsert into transit. Defaults to off and a new endpoint /config
...
can be used to turn it on for a given mount.
2016-02-01 20:13:57 -05:00
20f45678e6
Fix comment text
2016-02-01 17:20:16 -05:00
fc6d23a54e
Allow the format to be specified as pem_bundle, which creates a
...
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
af73d965a4
Cassandra:
...
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
2016-02-01 10:27:26 -05:00
627082b838
Remove grace periods
2016-01-31 19:33:16 -05:00
61eec74b4e
Remove app-id renewal for the moment until verification logic is added
2016-01-31 19:12:20 -05:00
470ea58d73
Match leases in the test
2016-01-29 20:45:38 -05:00
bf13d68372
Fix userpass acceptance tests by giving it a system view
2016-01-29 20:14:14 -05:00
bab1220fb8
Fix building of consul backend test
2016-01-29 20:03:38 -05:00
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
02cd4d7bf6
Merge pull request #979 from hashicorp/transit-locking
...
Implement locking in the transit backend.
2016-01-29 14:40:32 -05:00
073e755aa6
Update error return strings
2016-01-29 14:40:13 -05:00
3396b42c6c
Address final review feedback
2016-01-29 14:33:51 -05:00
cb1928451b
Only specify cert sign / CRL sign for CAs and only specify extended key
...
usages for clients.
This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.
Fixes #987
2016-01-29 10:26:35 -05:00
2015118958
Add listing of roles to PKI
2016-01-28 15:18:07 -05:00
f8a375777b
Add list support for mysql roles
2016-01-28 15:04:25 -05:00
62e3ac83f8
Add list support for postgres roles
2016-01-28 14:41:50 -05:00
7be090b185
Fix postgres backend test SQL for user priv checking
2016-01-28 14:41:13 -05:00
12bd2f430b
Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading
2016-01-28 13:10:59 -05:00
dd57a3f55d
Add listing of roles to ssh backend
2016-01-28 12:48:00 -05:00
dd1b94fbd6
Remove eager loading
2016-01-28 08:59:05 -05:00
be83340b14
Embed the cache directly
2016-01-27 21:59:20 -05:00
1ebae324ce
Merge pull request #942 from wikiwi/fix-ssh-open-con
...
Cleanly close SSH connections
2016-01-27 17:18:54 -05:00
01102f0d06
Merge pull request #975 from vetinari/ldapbind
...
Implement LDAP username/password binding support, as well as anonymous search.
2016-01-27 17:06:45 -05:00
48c9f79896
Implement locking in the transit backend.
...
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.
As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
2016-01-27 17:03:21 -05:00
d1b2bf3183
Move archive location; also detect first load of a policy after archive
...
is added and cause the keys to be copied to the archive.
2016-01-27 13:41:37 -05:00
369d0bbad0
Address review feedback
2016-01-27 13:41:37 -05:00
e5a58109ec
Store all keys in archive always
2016-01-27 13:41:37 -05:00
30ffc18c19
Add unit tests
2016-01-27 13:41:37 -05:00
5000711a67
Force min decrypt version to 1 if it's zero, which allows fixing problematic archiving logic
2016-01-27 13:41:37 -05:00
7a27dd5cb3
Fix logic bug when restoring keys
2016-01-27 13:41:37 -05:00
004b35be36
Fix decrementing instead of incrementing
2016-01-27 13:41:37 -05:00
beafe25508
Initial transit key archiving work
2016-01-27 13:41:37 -05:00
0db33274b7
discover bind dn with anonymous binds
2016-01-27 17:06:27 +01:00
4606cd1492
fix stupid c&p error
2016-01-26 16:15:25 +01:00
6a570345a0
add binddn/bindpath to search for the users bind DN
2016-01-26 15:56:41 +01:00
7390cd5264
Add a max_idle_connections parameter.
2016-01-25 14:47:07 -05:00
12c00b97ef
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
70ef2e3398
STS now uses root vault user for keys
...
The secretAccessKeysRevoke revoke function now asserts that it is
not dealing with STS keys by checking a new internal data flag. Defaults
to IAM when the flag is not found.
Factored out genUsername into its own function to share between STS and
IAM secret creation functions.
Fixed bad call to "WriteOperation" instead of "UpdateOperation" in
aws/backend_test
2016-01-21 15:04:16 -05:00
4abca91d66
Renamed sts duration to ttl and added STS permissions note.
2016-01-21 14:28:34 -05:00
f251b13aaa
Removing debug print statement from sts code
2016-01-21 14:05:10 -05:00
1cf8153dfd
Fixed duration type and added acceptance test for sts
2016-01-21 14:05:10 -05:00
71afb7cff0
Configurable sts duration
2016-01-21 14:05:09 -05:00
8fecccde21
Add STS path to AWS backend.
...
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
2016-01-21 14:05:09 -05:00
0f0949ab06
Merge pull request #895 from nickithewatt/aws-prexisting-policies
...
Allow use of pre-existing policies for AWS users
2016-01-21 13:23:37 -05:00
f3e5e44cd0
Cleanly close SSH connections
2016-01-19 07:59:08 +01:00
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
bde81080c9
Address issues with properly revoking a user via these additional REVOKE statements
2016-01-06 09:22:55 -05:00
62c22a5f73
Updated AWS policy help messages
2015-12-30 19:41:07 +00:00
cd4ca21b58
Allow use of pre-existing policies for AWS users
2015-12-30 18:05:54 +00:00
134b4d2a42
Built on GH-890 to add other types
2015-12-29 13:07:24 -05:00
b85c29349f
Merge pull request #890 from ironSource/pki-fix
...
fix CA compatibility with OpenSSL
2015-12-29 12:04:03 -06:00
fba756075a
fix CA compatibility with OpenSSL
2015-12-29 18:52:43 +02:00
1a324cf347
Make TokenHelper an interface and split exisiting functionality
...
Functionality is split into ExternalTokenHelper, which is used if a path
is given in a configuration file, and InternalTokenHelper which is used
otherwise. The internal helper no longer shells out to the same Vault
binary, instead performing the same actions with internal code. This
avoids problems using dev mode when there are spaces in paths or when
the binary is built in a container without a shell.
Fixes #850 among others
2015-12-22 10:23:30 -05:00
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
dd445a53a5
Update key usage logic
...
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
Windows Crypto API and Go's validation logic
Fixes #846
2015-12-14 14:23:51 -05:00
6ad1b75caf
Merge branch 'master' into pki-csrs
2015-12-01 00:09:23 -05:00
64cd58463b
Fix AWS tests
2015-12-01 00:05:04 -05:00
4eec9d69e8
Change allowed_base_domain to allowed_domains and allow_base_domain to
...
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
b6c49ddf01
Remove token display names from input options as there isn't a viable
...
use-case for it at the moment
2015-11-30 18:07:42 -05:00
cf366bda9c
Greatly simplify and fix the name validation function, as well as fully
...
comment it.
2015-11-23 14:15:32 -05:00
22a6d6fa22
Merge branch 'master' into pki-csrs
2015-11-20 12:48:38 -05:00
25e359084c
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
0dbe15cb87
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00
af3d6ced8e
Update validator function for URIs. Change example of entering a CA to a
...
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
f41a2e562a
fix tests
2015-11-19 10:13:28 -05:00
a95228e4ee
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint.
2015-11-19 09:51:18 -05:00
26c8cf874d
Move public key comparison logic to its own function
2015-11-19 09:51:18 -05:00
4681d027c0
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
c6ba4f24bc
Add URL validation
2015-11-19 09:51:18 -05:00
b14050bebc
Fix zero path length handling, and move common field defs elsewhere
2015-11-19 09:51:18 -05:00
8008451fb5
Fix logic around zero path length -- only restrict issuing intermediate CAs in this case
2015-11-19 09:51:18 -05:00
c461652b40
Address some feedback from review
2015-11-19 09:51:18 -05:00
ed62afec14
Large documentation updates, remove the pathlength path in favor of
...
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
5970cb76b6
Add path length paths and unit tests to verify same.
2015-11-19 09:51:18 -05:00
ca844b1dc1
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests.
2015-11-19 09:51:18 -05:00
4cb10abcc0
Add tests for using raw CSR values
2015-11-19 09:51:18 -05:00
83975314c7
Change a few checks on names:
...
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).
- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.
Also, fix a nil pointer issue.
2015-11-19 09:51:17 -05:00
deb5131cd3
Add config/urls CRUD operations to get and set the URLs encoded into
...
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
2015-11-19 09:51:17 -05:00
779efbbbc3
Change use_csr_subject to use_csr_values; copy not only the subject, but
...
also the alternate names and the extensions over as well.
2015-11-19 09:51:17 -05:00
76af733ee2
Remove setting serial number in the pkix Subject
2015-11-19 09:51:17 -05:00
54c5c232fd
Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR
2015-11-19 09:51:17 -05:00
7c5a174493
Add capability to use the CSR's common name (by default for CA CSRs if
...
no common_name parameter is given, role-controlled for non-CA CSRs).
Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
2015-11-19 09:51:17 -05:00
54fccb2ff4
Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required.
2015-11-19 09:51:17 -05:00
4261e594af
Address some minor PR feedback
2015-11-19 09:51:17 -05:00
69794c7078
Fix otto import of uuid
2015-11-19 09:51:17 -05:00
f16d8b8cd2
Cleanup, and add ability to sign CA CSRs that aren't destined for Vault
2015-11-19 09:51:17 -05:00
ea676ad4cc
Add tests for intermediate signing and CRL, and fix a couple things
...
Completes extra functionality.
2015-11-19 09:51:17 -05:00
Jeff Mitchell