luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
5503 commits 1 branch 0 tags 214 MiB
Commit graph

1128 commits

Author SHA1 Message Date
vishalnayak 049e086b07 Fix typo. Closes GH-2528 2017-04-04 12:29:18 -04:00
Jeff Mitchell 709389dd36 Use ParseStringSlice on PKI organization/organizational unit. (#2561) 
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
 2017-04-04 08:54:18 -07:00
Vishal Nayak 003ef004c6 sshca: ensure atleast cert type is allowed (#2508) 2017-03-19 18:58:48 -04:00
Jeff Mitchell 24886c1006 Ensure CN check is made when exclude_cn_from_sans is used 
Fixes #2363
 2017-03-16 11:41:13 -04:00
Jeff Mitchell ae8967d635 Always include a hash of the public key and "vault" (to know where it (#2498) 
came from) when generating a cert for SSH.

Follow on from #2494
 2017-03-16 11:14:17 -04:00
Mike Okner 95df7beed9 Adding allow_user_key_ids field to SSH role config (#2494) 
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name.  Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
 2017-03-16 08:45:11 -04:00
Jeff Mitchell 12e5132779 Allow roles to specify whether CSR SANs should be used instead of (#2489) 
request values. Fix up some documentation.

Fixes #2451
Fixes #2488
 2017-03-15 14:38:18 -04:00
Jeff Mitchell 7ab6844eb4 Set CA chain when intermediate does not have an authority key ID. 
This is essentially an approved review of the code provided in #2465.

Fixes #2465
 2017-03-15 11:52:02 -04:00
Stanislav Grozev 662b372364 Reads on unconfigured SSH CA public key return 400 2017-03-14 10:21:48 -04:00
Stanislav Grozev 7d59d7d3ac Reads on ssh/config/ca return the public keys 
If configured/generated.
 2017-03-14 10:21:48 -04:00
Stanislav Grozev 830de2dbbd If generating an SSH CA signing key - return the public part 
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
 2017-03-14 10:21:48 -04:00
Vishal Nayak 220beb2cde doc: ssh allowed_users update (#2462) 
* doc: ssh allowed_users update

* added some more context in default_user field
 2017-03-09 10:34:55 -05:00
vishalnayak f085cd71ab Fix typo 2017-03-08 17:49:39 -05:00
Vishal Nayak 766c2e6ee0 SSH CA enhancements (#2442) 
* Use constants for storage paths

* Upgrade path for public key storage

* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes

* Remove a print statement

* Added tests for upgrade case

* Make exporting consistent in creation bundle

* unexporting and constants

* Move keys into a struct instead of plain string

* minor changes
 2017-03-08 17:36:21 -05:00
Jeff Mitchell 3d162b63cc Use locks in a slice rather than a map, which is faster and makes things cleaner (#2446) 2017-03-07 11:21:32 -05:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449) 
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
 2017-03-07 11:21:22 -05:00
Vishal Nayak 4b81bcb379 ssh: Added DeleteOperation to config/ca (#2434) 
* ssh: Added DeleteOperation to config/ca

* Address review feedback
 2017-03-03 10:19:45 -05:00
Vishal Nayak 491a56fe9f AppRole: Support restricted use tokens (#2435) 
* approle: added token_num_uses to the role

* approle: added RUD tests for token_num_uses on role

* approle: doc: added token_num_uses
 2017-03-03 09:31:20 -05:00
Jeff Mitchell 55e69277ce Update SSH CA logic/tests 2017-03-02 16:39:22 -05:00
Vishal Nayak a1331278ff Refactor the generate_signing_key processing (#2430) 2017-03-02 16:22:06 -05:00
Jeff Mitchell fa474924aa Update error text to make it more obvious what the issue is when valid principals aren't found 2017-03-02 15:56:08 -05:00
Jeff Mitchell eca68d5913 Fix a bunch of errors from returning 5xx, and parse more duration types 2017-03-02 15:38:34 -05:00
Will May 70bfdb5ae9 Changes from code review 2017-03-02 14:36:13 -05:00
Will May 36b3d89604 Allow internal generation of the signing SSH key pair 2017-03-02 14:36:13 -05:00
Vishal Nayak 3795d2ea64 Rework ssh ca (#2419) 
* docs: input format for default_critical_options and default_extensions

* s/sshca/ssh

* Added default_critical_options and default_extensions to the read endpoint of role

* Change default time return value to 0
 2017-03-01 15:50:23 -05:00
Will May 9f75f84175 Changes from code review 
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
 2017-03-01 15:19:18 -05:00
Will May ff1ff02bd7 Changes from code review 
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
 2017-03-01 15:19:18 -05:00
Will May 099d561b20 Add ability to create SSH certificates 2017-03-01 15:19:18 -05:00
Jeff Mitchell 47f8478a97 Fix github compile breakage after dep upgrade 2017-02-24 15:32:05 -05:00
Vishal Nayak b762c43fe2 Aws Ec2 additional binds for SubnetID, VpcID and Region (#2407) 
* awsec2: Added bound_region

* awsec2: Added bound_subnet_id and bound_vpc_id

* Add bound_subnet_id and bound_vpc_id to docs

* Remove fmt.Printf

* Added crud test for aws ec2 role

* Address review feedback
 2017-02-24 14:19:10 -05:00
vishalnayak 2e911fc650 Fix broken build caused due to resolve merge conflicts 2017-02-24 12:41:20 -05:00
Vishal Nayak c6f138bb9a PKI: Role switch to control lease generation (#2403) 
* pki: Make generation of leases optional

* pki: add tests for upgrading generate_lease

* pki: add tests for leased and non-leased certs

* docs++ pki generate_lease

* Generate lease is applicable for both issuing and signing

* pki: fix tests

* Address review feedback

* Address review feedback
 2017-02-24 12:12:40 -05:00
Saj Goonatilleke 01f3056b8b pki: Include private_key_type on DER-formatted responses from /pki/issue/ (#2405) 2017-02-24 11:17:59 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388) 
* More porting from rep

* Address review feedback
 2017-02-16 16:29:30 -05:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell d7a6ec8d43 Add some repcluster handling to audit and add some tests (#2384) 
* Add some repcluster handling to audit and add some tests

* Fix incorrect assumption about nil auth
 2017-02-16 13:09:53 -05:00
Jeff Mitchell c96fe56d44 Fix copypasta, thanks tests 2017-02-16 01:32:39 -05:00
Jeff Mitchell 817bec0955 Add Organization support to PKI backend. (#2380) 
Fixes #2369
 2017-02-16 01:04:29 -05:00
Vishal Nayak eb4ef0f6e0 cidrutil: added test data points (#2378) 2017-02-16 00:51:02 -05:00
Vishal Nayak 81c95b36eb aws-ec2 auth: Return the role period in seconds (#2374) 
* aws-ec2 auth: Return the role period in seconds

* cast return values to int64 for comparison with expected values
 2017-02-15 10:57:57 -05:00
Jeff Mitchell 04b4a6aa50 Fix Okta auth issue when a user has no policies and/or groups set. (#2371) 
Fixes #2367
 2017-02-14 16:28:16 -05:00
Tommy Murphy ca06bc0b53 audit: support a configurable prefix string to write before each message (#2359) 
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
 2017-02-10 16:56:28 -08:00
vishalnayak 2bbc247ab4 use net.JoinHostPort 2017-02-08 18:39:09 -05:00
Jeff Mitchell 72db329d67 Add support for backup/multiple LDAP URLs. (#2350) 2017-02-08 14:59:24 -08:00
Jeff Mitchell a217be589c Merge pull request #2154 from fcantournet/default-ldap-username 
ldap auth via cli defaults username to env (#2137)
 2017-02-07 21:47:59 -08:00
Jeff Mitchell a2f07acbc4 Use Getenv instead of LookupEnv 
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
 2017-02-07 21:47:06 -08:00
Jeff Mitchell f05b482e46 Update error text 2017-02-07 21:44:23 -08:00
Jeff Mitchell 8f957579d8 Update some help text for RADIUS 2017-02-07 16:06:27 -05:00
Matteo Sessa 29d9d5676e RADIUS Authentication Backend (#2268) 2017-02-07 16:04:27 -05:00
Brian Kassouf 2923934813 Merge pull request #2326 from hashicorp/pr-2161 
Add Socket Audit Backend
 2017-02-07 11:27:25 -08:00