Commit graph

1579 commits

Author SHA1 Message Date
Erik Kristensen 2233f993ae initial pass at JWT secret backend 2015-08-06 17:49:44 -06:00
vishalnayak e5080a7f32 Merging with master 2015-08-06 18:44:40 -04:00
vishalnayak 32502977f6 Vault SSH: Automate OTP typing if sshpass is installed 2015-08-06 17:00:50 -04:00
vishalnayak 0af97b8291 Vault SSH: uninstall dynamic keys using script 2015-08-06 15:50:12 -04:00
vishalnayak 3dd8fe750d Vault SSH: Script to install dynamic keys in target 2015-08-06 14:48:19 -04:00
Paul Hinze fc9de56736 Update vault code to match latest aws-sdk-go APIs 2015-08-06 11:37:08 -05:00
Seth Vargo bfd4b818b8 Update to latest aws and move off of hashicorp/aws-sdk-go 2015-08-06 12:26:41 -04:00
vishalnayak 9aa075f3c7 Vault SSH: Added 'echo' path to SSH 2015-08-04 15:30:24 -04:00
vishalnayak 476da10f1c Vault SSH: Testing OTP creation 2015-08-03 19:04:07 -04:00
vishalnayak 8409ba7210 Vault SSH: CRUD tests for named keys 2015-08-03 16:18:14 -04:00
vishalnayak b7c7befe68 Vault SSH: CRUD test for lookup API 2015-08-03 11:22:00 -04:00
vishalnayak c4bd85c241 Vault SSH: CRUD test for dynamic role 2015-07-31 15:17:40 -04:00
vishalnayak c7ef0b95c2 Vault SSH: CRUD test case for OTP Role 2015-07-31 13:24:23 -04:00
vishalnayak 61c9f884a4 Vault SSH: Review Rework 2015-07-29 14:21:36 -04:00
Vishal Nayak 4b4df4271d Vault SSH: Refactoring 2015-07-27 16:42:03 -04:00
Vishal Nayak 2e7612a149 Vault SSH: admin_user/default_user fix 2015-07-27 15:03:10 -04:00
Vishal Nayak e9f507caf0 Vault SSH: Refactoring 2015-07-27 13:02:31 -04:00
Vishal Nayak b532ee0bf4 Vault SSH: Dynamic Key test case fix 2015-07-24 12:13:26 -04:00
Vishal Nayak e8daf2d0a5 Vault SSH: keys/ designated special path 2015-07-23 18:12:13 -04:00
Vishal Nayak 791a250732 Vault SSH: Support OTP key type from CLI 2015-07-23 17:20:28 -04:00
Vishal Nayak 47197d4cb3 Vault SSH: Added vault server otp verify API 2015-07-22 16:00:58 -04:00
Vishal Nayak 93f7448487 Vault SSH: Vault agent support 2015-07-22 14:15:19 -04:00
Vishal Nayak ed258f80c6 Vault SSH: Refactoring and fixes 2015-07-10 18:44:31 -06:00
Vishal Nayak 89a0e37a89 Vault SSH: Backend and CLI testing 2015-07-10 16:18:02 -06:00
Vishal Nayak 3c7dd8611c Vault SSH: Test case skeleton 2015-07-10 09:56:14 -06:00
Vishal Nayak 73414154f8 Vault SSH: Made port number configurable 2015-07-06 16:56:45 -04:00
Vishal Nayak 88a3c5d41a Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-06 11:05:08 -04:00
Armon Dadgar 0be3d419c8 secret/transit: address PR feedback 2015-07-05 19:58:31 -06:00
Armon Dadgar 8293457633 secret/transit: use base64 for context to allow binary 2015-07-05 14:37:51 -07:00
Armon Dadgar f0eec18cc7 secret/transit: testing key derivation 2015-07-05 14:30:45 -07:00
Armon Dadgar 143cd0875e secret/transit: support key derivation in encrypt/decrypt 2015-07-05 14:19:24 -07:00
Armon Dadgar ae9591004b secret/transit: check for context for derived keys 2015-07-05 14:12:07 -07:00
Armon Dadgar b30dbce404 secret/transit: support derived keys 2015-07-05 14:11:02 -07:00
Vishal Nayak 425b69be32 Vault SSH: PR review rework: Formatting/Refactoring 2015-07-02 19:52:47 -04:00
Vishal Nayak c0a62f28b1 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-02 17:23:13 -04:00
Vishal Nayak a1e2705173 Vault SSH: PR review rework 2015-07-02 17:23:09 -04:00
Jeff Mitchell 13c5fe0a16 Fix regexes to allow hyphens in role names, as the documentation shows 2015-07-01 20:39:18 -05:00
Vishal Nayak 30a24eef2c Vault SSH: review rework: formatted and moved code 2015-07-01 21:26:42 -04:00
Vishal Nayak 67e543a863 Vault SSH: Regex supports hypen in key name and role names 2015-07-01 21:05:52 -04:00
Vishal Nayak bb16052141 Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-01 20:35:11 -04:00
Vishal Nayak d691a95531 Vault SSH: PR review rework - 1 2015-07-01 11:58:49 -04:00
Vishal Nayak 1f001d283f For SSH backend, allow factory to be provided instead of Backend 2015-07-01 09:37:11 -04:00
Vishal Nayak 3b0ff5b5f1 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-01 09:31:25 -04:00
Armon Dadgar 4b27e4d8c5 Remove SetLogger, and unify on framework.Setup 2015-06-30 17:45:20 -07:00
Armon Dadgar 5d69e7da90 Updating for backend API change 2015-06-30 17:36:12 -07:00
Vishal Nayak b0043737af lease handling fix 2015-06-30 20:21:41 -04:00
Vishal Nayak 8627f3c360 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-06-30 18:33:37 -04:00
Vishal Nayak 5e5e6788be Input validations, help strings, default_user support 2015-06-30 18:33:17 -04:00
Armon Dadgar 8bc99f8c23 helper/uuid: single generateUUID definition 2015-06-30 12:38:32 -07:00
Jeff Mitchell 762108d9eb Put timestamp back into the username. Since Cassandra doesn't support expiration, this can be used by scripts to manually clean up old users if revocation fails for some reason.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 11:15:46 -04:00
Jeff Mitchell 42b90fa9b9 Address some issues from code review.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:27:23 -04:00
Jeff Mitchell fccbc587c6 A Cassandra secrets backend.
Supports creation and deletion of users in Cassandra using flexible CQL queries.

TLS, including client authentication, is supported.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:04:01 -04:00
Vishal Nayak 91ed2dcdc2 Refactoring changes 2015-06-29 22:00:08 -04:00
Vishal Nayak 0f2c1f867e SCP in pure GO and CIDR parsing fix 2015-06-29 11:49:34 -04:00
Vishal Nayak 29696d4b6b Creating SSH keys and removal of files in pure 'go' 2015-06-26 15:43:27 -04:00
Vishal Nayak 8c15e2313b ssh/lookup implementation and refactoring 2015-06-25 21:47:32 -04:00
Vishal Nayak f39df58eef Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-06-24 18:13:26 -04:00
Vishal Nayak b237a3bcc2 POC: Rework. Doing away with policy file. 2015-06-24 18:13:12 -04:00
Jeff Mitchell e086879fa3 Merge remote-tracking branch 'upstream/master' into f-pki 2015-06-19 13:01:26 -04:00
Vishal Nayak f8d164f477 SSHs to multiple users by registering the respective host keys 2015-06-19 12:59:36 -04:00
Jeff Mitchell a6fc48b854 A few things:
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Vishal Nayak 90605c6079 merging with master 2015-06-18 20:51:11 -04:00
Vishal Nayak 8d98968a54 Roles, key renewal handled. End-to-end basic flow working. 2015-06-18 20:48:41 -04:00
Jeff Mitchell 34f495a354 Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Vishal Nayak 2aed5f8798 Implementation for storing and deleting the host information in Vault 2015-06-17 22:10:47 -04:00
Armon Dadgar d34861b811 secret/transit: allow policies to be upserted 2015-06-17 18:51:05 -07:00
Armon Dadgar f53d31a580 secret/transit: Use special endpoint to get underlying keys. Fixes #219 2015-06-17 18:42:23 -07:00
Vishal Nayak cfef144dc2 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-06-17 20:34:56 -04:00
Vishal Nayak 303a7cef9a Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH. 2015-06-17 20:33:03 -04:00
Armon Dadgar 45d3c512fb builtin: fixing API change in logical framework 2015-06-17 14:34:11 -07:00
Armon Dadgar 30de4ea80d secret/postgres: Ensure sane username length. Fixes #326 2015-06-17 13:31:56 -07:00
Jeff Mitchell 29e7ec3e21 A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.

More refactoring could be done within the PKI backend itself, but that can wait.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Vishal Nayak 3ed73d98c2 Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 12:39:49 -04:00
Vishal Nayak 08c921c75e Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 16:58:54 -04:00
Jeff Mitchell 03b0675350 A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
useful for other parts of Vault (including the API) to take advantage of.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
Jeff Mitchell ae1cbc1a7a Erp, forgot this feedback...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 23:16:13 -04:00
Jeff Mitchell 7cf1f186ed Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 22:28:13 -04:00
Jeff Mitchell 018c0ec7f5 Address most of Armon's initial feedback.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 21:57:05 -04:00
Jeff Mitchell 1513e2baa4 Add acceptance tests
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling

Also, fix a bug when trying to get code signing certificates.

Not tested:
* Revocation (I believe this is impossible with the current testing framework)

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jeff Mitchell 0d832de65d Initial PKI backend implementation.
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint

Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jonathan Sokolowski 348924eaab logical/consul: Combine policy and lease into single storage struct 2015-05-28 09:36:23 +10:00
Jonathan Sokolowski 6b0820d709 logical/consul: custom lease time for roles 2015-05-27 09:53:46 +10:00
Armon Dadgar 434305a6c2 secret/aws: Using roles instead of policy 2015-04-27 14:20:28 -07:00
Armon Dadgar 5edf8cf3a8 Do not root protect role configurations 2015-04-27 14:07:20 -07:00
Armon Dadgar 12e8c0f8cf secret/postgres: secret/mysql: roles endpoints root protected 2015-04-27 14:04:10 -07:00
Armon Dadgar 816d981d1a secret/consul: replace policy with roles, and prefix the token path 2015-04-27 13:59:56 -07:00
Armon Dadgar 6a38090822 secret/transit: rename policy to keys 2015-04-27 13:52:47 -07:00
Armon Dadgar 793e6efef4 secret/transit: Adding more help. Fixes #41 2015-04-27 12:47:09 -07:00
Armon Dadgar a753fadcb4 secret/postgresql: testing support for multiple statements 2015-04-27 12:00:07 -07:00
Armon Dadgar 1c8288c3da secret/postgresql: support multiple sql statements 2015-04-27 11:31:27 -07:00
Armon Dadgar 50879eb2e5 mysql: cleanup 2015-04-27 11:31:11 -07:00
Armon Dadgar 9cae5520a0 logical/consul: Added missing policy endpoints 2015-04-27 11:08:37 -07:00
Armon Dadgar 1d95694a7c secret/mysql: improve the example statement 2015-04-25 12:58:50 -07:00
Armon Dadgar 503241eeee secret/mysql: adding acceptance test 2015-04-25 12:56:23 -07:00
Armon Dadgar e378f5c4a2 secret/mysql: fixing mysql oddities 2015-04-25 12:56:11 -07:00
Armon Dadgar 57e66f3b6c secret/mysql: initial pass at mysql secret backend 2015-04-25 12:05:26 -07:00
Mitchell Hashimoto 17676af663 logical/postgresql: when renewing, alter the valid until 2015-04-18 22:55:33 -07:00
Mitchell Hashimoto 4e21f702a8 logical/consul: leasing 2015-04-18 22:29:46 -07:00
Mitchell Hashimoto 517236ea50 logical/consul: config/access is the new path for config 2015-04-18 22:28:53 -07:00
Mitchell Hashimoto 23a156b414 logical/aws: leasing/renewal support 2015-04-18 22:25:37 -07:00
Mitchell Hashimoto 2a8dfd85f4 logical/aws: fix build 2015-04-18 22:22:35 -07:00
Mitchell Hashimoto 208dd1e8be logical/aws: move root creds config to config/root 2015-04-18 22:21:31 -07:00
Mitchell Hashimoto f61626f7a6 logical/aws: support read/delete policies 2015-04-18 22:13:12 -07:00
Mitchell Hashimoto 79ccb2f412 logical/postgresql: support deleting roles and reading them 2015-04-18 21:59:59 -07:00
Mitchell Hashimoto 84bca3ef28 logical/postgresql: renew for secret 2015-04-18 21:47:19 -07:00
Mitchell Hashimoto e1e5c47362 logical/postgresql: leasing 2015-04-18 21:45:05 -07:00
Mitchell Hashimoto 8edc4d1241 logical/postgres: no session limit 2015-04-18 18:42:57 -07:00
Mitchell Hashimoto 39b8ae1b31 logical/postgers: update docs properly 2015-04-18 18:42:26 -07:00
Mitchell Hashimoto 6e10c415ef logical/postgresql: leases 2015-04-18 18:40:03 -07:00
Mitchell Hashimoto 2120235a2e logical/postgresql: create DB credentials 2015-04-18 18:37:27 -07:00
Mitchell Hashimoto d0eb1b9a74 logical/postgresql: creating roles 2015-04-18 18:09:33 -07:00
Mitchell Hashimoto d96b64286a logical/postgresql: connection 2015-04-18 17:34:36 -07:00
Armon Dadgar 07bffafbbd Adding transit logical backend 2015-04-15 17:08:12 -07:00
Armon Dadgar 381aa0f7af logical/aws: Use display name for IAM username 2015-04-15 15:05:00 -07:00
Armon Dadgar 489e79ffd3 logical/consul: Use the DisplayName for the ACL token name 2015-04-15 15:03:05 -07:00
Mitchell Hashimoto 48205d166b rename vault id to lease id all over 2015-04-10 20:35:14 -07:00
Mitchell Hashimoto 8dc9e0e0d5 logical/framework: better string values for types 2015-04-03 21:15:59 -07:00
Mitchell Hashimoto ec9df0439b logical/aws: help 2015-04-03 21:10:54 -07:00
Mitchell Hashimoto 0bbad03c70 logical/framework: support root help 2015-04-03 20:36:47 -07:00
Mitchell Hashimoto 486c3d7f30 logical/aws: policy doesn't need to be base64 2015-03-31 17:26:41 -07:00
Mitchell Hashimoto b12feccf38 logical/*: fix compilation errors 2015-03-30 20:30:07 -07:00
Mitchell Hashimoto db65fd7b95 command: unit tests pass 2015-03-29 16:20:34 -07:00
Mitchell Hashimoto 3270349456 logical/consul: actual test that the token works 2015-03-21 17:23:44 +01:00
Mitchell Hashimoto 55a3423c60 logical/consul 2015-03-21 17:19:37 +01:00
Mitchell Hashimoto 05246433bb logical/aws: refactor access key create to the secret file 2015-03-21 11:49:56 +01:00
Mitchell Hashimoto 665cbaa3e4 logical/aws: remove debug I was using to test rollback :) 2015-03-21 11:20:22 +01:00
Mitchell Hashimoto 9e4b9d593b logical/aws: WAL entry for users, rollback 2015-03-21 11:18:46 +01:00
Mitchell Hashimoto 86a6062ba2 main: enable AWS backend 2015-03-20 19:32:18 +01:00
Mitchell Hashimoto 62d9bec8be logical/aws 2015-03-20 19:03:20 +01:00