Commit graph

1475 commits

Author SHA1 Message Date
Brian Kassouf d7dd0ab35c Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor 2017-04-03 17:52:41 -07:00
Brian Kassouf e8781b6a2b Plugin catalog 2017-04-03 17:52:29 -07:00
Calvin Leung Huang aa15a1d3a9 Database refactor mssql (#2562)
* WIP on mssql secret backend refactor

* Add RevokeUser test, and use sqlserver driver internally

* Remove debug statements

* Fix code comment
2017-04-03 09:59:30 -07:00
Brian Kassouf 210fa77e3c fix for plugin commands that have more than one paramater 2017-03-28 14:37:57 -07:00
Brian Kassouf 50729a4528 Add comments to connection and credential producers 2017-03-28 13:08:11 -07:00
Brian Kassouf b09526e1c9 Cleanup the db factory code and add comments 2017-03-28 12:57:30 -07:00
Brian Kassouf 6b877039e7 Update tests 2017-03-28 12:20:17 -07:00
Brian Kassouf c50a6ebc39 Add functionaility to build db objects from disk so restarts work 2017-03-28 11:30:45 -07:00
Brian Kassouf 02b0230f19 Fix for checking types of database on update 2017-03-28 10:04:42 -07:00
Brian Kassouf 494f963581 Wrap the database calls with tracing information 2017-03-27 15:17:28 -07:00
Brian Kassouf 2799586f45 Remove the unused sync.Once object 2017-03-27 11:46:20 -07:00
Brian Kassouf 29ae4602dc More work on getting tests to pass 2017-03-23 15:54:15 -07:00
Brian Kassouf c0223d888e Remove unsused code block 2017-03-22 17:09:39 -07:00
Brian Kassouf 1068076703 s/postgres/mysql/ 2017-03-22 16:44:33 -07:00
Brian Kassouf dac1bb210b Add test files for postgres and mysql databases 2017-03-22 16:39:08 -07:00
Brian Kassouf ae9961b811 Add a error message for empty creation statement 2017-03-22 12:40:16 -07:00
Brian Kassouf c55bef85d3 Fix race with deleting the connection 2017-03-22 09:54:19 -07:00
Brian Kassouf 85ef468d46 Add a delete method 2017-03-21 17:19:30 -07:00
Brian Kassouf 83ff132705 Verify connections regardless of if this connections is already existing 2017-03-21 16:05:59 -07:00
Vishal Nayak 003ef004c6 sshca: ensure atleast cert type is allowed (#2508) 2017-03-19 18:58:48 -04:00
Brian Kassouf a4e5e0f8c9 Comment and fix plugin Type function 2017-03-16 18:24:56 -07:00
Brian Kassouf 417770a58f Change the handshake config from the default 2017-03-16 17:51:25 -07:00
Brian Kassouf 2873825848 Add a secure config to verify the checksum of the plugin 2017-03-16 16:20:18 -07:00
Brian Kassouf f2df4ef0e7 Comment and slight refactor of the TLS plugin helper 2017-03-16 14:14:49 -07:00
Brian Kassouf 0a52ea5c69 Break tls code into helper library 2017-03-16 11:55:21 -07:00
Jeff Mitchell 24886c1006 Ensure CN check is made when exclude_cn_from_sans is used
Fixes #2363
2017-03-16 11:41:13 -04:00
Jeff Mitchell ae8967d635 Always include a hash of the public key and "vault" (to know where it (#2498)
came from) when generating a cert for SSH.

Follow on from #2494
2017-03-16 11:14:17 -04:00
Mike Okner 95df7beed9 Adding allow_user_key_ids field to SSH role config (#2494)
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name.  Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
Brian Kassouf eb6117cbb2 Work on TLS communication over plugins 2017-03-15 17:14:48 -07:00
Jeff Mitchell 12e5132779 Allow roles to specify whether CSR SANs should be used instead of (#2489)
request values. Fix up some documentation.

Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Jeff Mitchell 7ab6844eb4 Set CA chain when intermediate does not have an authority key ID.
This is essentially an approved review of the code provided in #2465.

Fixes #2465
2017-03-15 11:52:02 -04:00
Brian Kassouf 3ecb344878 wrap plugin database type with metrics middleware 2017-03-14 13:12:47 -07:00
Brian Kassouf 822a3eb20a Add a metrics middleware 2017-03-14 13:11:28 -07:00
Stanislav Grozev 662b372364 Reads on unconfigured SSH CA public key return 400 2017-03-14 10:21:48 -04:00
Stanislav Grozev 7d59d7d3ac Reads on ssh/config/ca return the public keys
If configured/generated.
2017-03-14 10:21:48 -04:00
Stanislav Grozev 830de2dbbd If generating an SSH CA signing key - return the public part
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
Brian Kassouf 2054fff890 Add a way to initalize plugins and builtin databases the same way. 2017-03-13 14:39:55 -07:00
Brian Kassouf 71b81aad23 Add checksum attribute 2017-03-10 14:10:42 -08:00
Brian Kassouf a11911d4d4 Rename reset to close 2017-03-09 22:35:45 -08:00
Brian Kassouf fda45f531d Add special path to enforce root on plugin configuration 2017-03-09 21:31:29 -08:00
Brian Kassouf 748c70cfb4 Add plugin file 2017-03-09 17:43:58 -08:00
Brian Kassouf 9099231229 Add plugin features 2017-03-09 17:43:37 -08:00
Vishal Nayak 220beb2cde doc: ssh allowed_users update (#2462)
* doc: ssh allowed_users update

* added some more context in default_user field
2017-03-09 10:34:55 -05:00
vishalnayak f085cd71ab Fix typo 2017-03-08 17:49:39 -05:00
Brian Kassouf b7128f8370 Update secrets fields 2017-03-08 14:46:53 -08:00
Vishal Nayak 766c2e6ee0 SSH CA enhancements (#2442)
* Use constants for storage paths

* Upgrade path for public key storage

* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes

* Remove a print statement

* Added tests for upgrade case

* Make exporting consistent in creation bundle

* unexporting and constants

* Move keys into a struct instead of plain string

* minor changes
2017-03-08 17:36:21 -05:00
Brian Kassouf 2fb6bf9882 Fix renew and revoke calls 2017-03-07 17:21:44 -08:00
Brian Kassouf b7c3b4b0d7 Add defaults to the cassandra databse type 2017-03-07 17:00:52 -08:00
Brian Kassouf 3976a2a0a6 Pass statements object 2017-03-07 16:48:17 -08:00
Brian Kassouf 843d584254 Remove unused sql object 2017-03-07 15:34:23 -08:00
Brian Kassouf 919155ab12 Remove double lock 2017-03-07 15:33:05 -08:00
Brian Kassouf c959882b93 Update locking functionaility 2017-03-07 13:48:29 -08:00
Jeff Mitchell 3d162b63cc Use locks in a slice rather than a map, which is faster and makes things cleaner (#2446) 2017-03-07 11:21:32 -05:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Brian Kassouf bc53e119ca rename mysql variable 2017-03-03 15:07:41 -08:00
Brian Kassouf bba832e6bf Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config 2017-03-03 14:38:49 -08:00
Brian Kassouf 29e07ac9e8 Fix mysql connections 2017-03-03 14:38:49 -08:00
Brian Kassouf 24ddea9954 Add mysql into the factory 2017-03-03 14:38:48 -08:00
Brian Kassouf 8e8f260d96 Add max connection lifetime param and set consistancy on cassandra session 2017-03-03 14:38:48 -08:00
Brian Kassouf 1f009518cd s/Statement/Statements/ 2017-03-03 14:38:48 -08:00
Brian Kassouf 46aa7142c1 Add mysql database type 2017-03-03 14:38:48 -08:00
Brian Kassouf 2ec5ab5616 More work on refactor and cassandra database 2017-03-03 14:38:48 -08:00
Brian Kassouf acdcd79af3 Begin work on database refactor 2017-03-03 14:38:48 -08:00
Vishal Nayak 4b81bcb379 ssh: Added DeleteOperation to config/ca (#2434)
* ssh: Added DeleteOperation to config/ca

* Address review feedback
2017-03-03 10:19:45 -05:00
Vishal Nayak 491a56fe9f AppRole: Support restricted use tokens (#2435)
* approle: added token_num_uses to the role

* approle: added RUD tests for token_num_uses on role

* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell 55e69277ce Update SSH CA logic/tests 2017-03-02 16:39:22 -05:00
Vishal Nayak a1331278ff Refactor the generate_signing_key processing (#2430) 2017-03-02 16:22:06 -05:00
Jeff Mitchell fa474924aa Update error text to make it more obvious what the issue is when valid principals aren't found 2017-03-02 15:56:08 -05:00
Jeff Mitchell eca68d5913 Fix a bunch of errors from returning 5xx, and parse more duration types 2017-03-02 15:38:34 -05:00
Will May 70bfdb5ae9 Changes from code review 2017-03-02 14:36:13 -05:00
Will May 36b3d89604 Allow internal generation of the signing SSH key pair 2017-03-02 14:36:13 -05:00
Vishal Nayak 3795d2ea64 Rework ssh ca (#2419)
* docs: input format for default_critical_options and default_extensions

* s/sshca/ssh

* Added default_critical_options and default_extensions to the read endpoint of role

* Change default time return value to 0
2017-03-01 15:50:23 -05:00
Will May 9f75f84175 Changes from code review
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
Will May ff1ff02bd7 Changes from code review
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
Will May 099d561b20 Add ability to create SSH certificates 2017-03-01 15:19:18 -05:00
Jeff Mitchell 47f8478a97 Fix github compile breakage after dep upgrade 2017-02-24 15:32:05 -05:00
Vishal Nayak b762c43fe2 Aws Ec2 additional binds for SubnetID, VpcID and Region (#2407)
* awsec2: Added bound_region

* awsec2: Added bound_subnet_id and bound_vpc_id

* Add bound_subnet_id and bound_vpc_id to docs

* Remove fmt.Printf

* Added crud test for aws ec2 role

* Address review feedback
2017-02-24 14:19:10 -05:00
vishalnayak 2e911fc650 Fix broken build caused due to resolve merge conflicts 2017-02-24 12:41:20 -05:00
Vishal Nayak c6f138bb9a PKI: Role switch to control lease generation (#2403)
* pki: Make generation of leases optional

* pki: add tests for upgrading generate_lease

* pki: add tests for leased and non-leased certs

* docs++ pki generate_lease

* Generate lease is applicable for both issuing and signing

* pki: fix tests

* Address review feedback

* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke 01f3056b8b pki: Include private_key_type on DER-formatted responses from /pki/issue/ (#2405) 2017-02-24 11:17:59 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell d7a6ec8d43 Add some repcluster handling to audit and add some tests (#2384)
* Add some repcluster handling to audit and add some tests

* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
Jeff Mitchell c96fe56d44 Fix copypasta, thanks tests 2017-02-16 01:32:39 -05:00
Jeff Mitchell 817bec0955 Add Organization support to PKI backend. (#2380)
Fixes #2369
2017-02-16 01:04:29 -05:00
Vishal Nayak eb4ef0f6e0 cidrutil: added test data points (#2378) 2017-02-16 00:51:02 -05:00
Vishal Nayak 81c95b36eb aws-ec2 auth: Return the role period in seconds (#2374)
* aws-ec2 auth: Return the role period in seconds

* cast return values to int64 for comparison with expected values
2017-02-15 10:57:57 -05:00
Jeff Mitchell 04b4a6aa50 Fix Okta auth issue when a user has no policies and/or groups set. (#2371)
Fixes #2367
2017-02-14 16:28:16 -05:00
Tommy Murphy ca06bc0b53 audit: support a configurable prefix string to write before each message (#2359)
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
vishalnayak 2bbc247ab4 use net.JoinHostPort 2017-02-08 18:39:09 -05:00
Jeff Mitchell 72db329d67 Add support for backup/multiple LDAP URLs. (#2350) 2017-02-08 14:59:24 -08:00
Jeff Mitchell a217be589c Merge pull request #2154 from fcantournet/default-ldap-username
ldap auth via cli defaults username to env (#2137)
2017-02-07 21:47:59 -08:00
Jeff Mitchell a2f07acbc4 Use Getenv instead of LookupEnv
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
Jeff Mitchell f05b482e46 Update error text 2017-02-07 21:44:23 -08:00
Jeff Mitchell 8f957579d8 Update some help text for RADIUS 2017-02-07 16:06:27 -05:00
Matteo Sessa 29d9d5676e RADIUS Authentication Backend (#2268) 2017-02-07 16:04:27 -05:00
Brian Kassouf 2923934813 Merge pull request #2326 from hashicorp/pr-2161
Add Socket Audit Backend
2017-02-07 11:27:25 -08:00
Vishal Nayak 7f2717b74a transit: change batch input format (#2331)
* transit: change batch input format

* transit: no json-in-json for batch response

* docs: transit: update batch input format

* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
Brian Kassouf 09049c2787 Added a single retry after a reconnection 2017-02-06 11:38:38 -08:00
Brian Kassouf af1847f2b4 Update the docs and move the logic for reconnecting into its own function 2017-02-04 16:55:17 -08:00
Jeff Mitchell 5de633fd27 Make userpass help text mention radius too 2017-02-04 07:48:30 -05:00
Jeff Mitchell a8ea05f365 Add default mount param to userpass cli handler 2017-02-04 07:47:09 -05:00
Brian Kassouf b38eeec96a Add write deadline and a Reload function 2017-02-02 15:44:56 -08:00
Harrison Harnisch b09077c2d8 add socket audit backend 2017-02-02 14:21:48 -08:00
Brian Kassouf 6701ba8a10 Configure the request headers that are output to the audit log (#2321)
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited

* Remove some debug lines

* Add a persistant layer and refactor a bit

* update the api endpoints to be more restful

* Add comments and clean up a few functions

* Remove unneeded hash structure functionaility

* Fix existing tests

* Add tests

* Add test for Applying the header config

* Add Benchmark for the ApplyConfig method

* ResetTimer on the benchmark:

* Update the headers comment

* Add test for audit broker

* Use hyphens instead of camel case

* Add size paramater to the allocation of the result map

* Fix the tests for the audit broker

* PR feedback

* update the path and permissions on config/* paths

* Add docs file

* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Vishal Nayak 5fb28f53cb Transit: Support batch encryption and decryption (#2143)
* Transit: Support batch encryption

* Address review feedback

* Make the normal flow go through as a batch request

* Transit: Error out if encryption fails during batch processing

* Transit: Infer the 'derived' parameter based on 'context' being set

* Transit: Batch encryption doc updates

* Transit: Return a JSON string instead of []byte

* Transit: Add batch encryption tests

* Remove plaintext empty check

* Added tests for batch encryption, more coming..

* Added more batch encryption tests

* Check for base64 decoding of plaintext before encrypting

* Transit: Support batch decryption

* Transit: Added tests for batch decryption

* Transit: Doc update for batch decryption

* Transit: Sync the path-help and website docs for decrypt endpoint

* Add batch processing for rewrap

* transit: input validation for context

* transit: add rewrap batch option to docs

* Remove unnecessary variables from test

* transit: Added tests for rewrap use cases

* Address review feedback

* Address review feedback

* Address review feedback

* transit: move input checking out of critical path

* transit: allow empty plaintexts for batch encryption

* transit: use common structs for batch processing

* transit: avoid duplicate creation of structs; add omitempty to response structs

* transit: address review feedback

* transit: fix tests

* address review feedback

* transit: fix tests

* transit: rewrap encrypt user error should not error out

* transit: error out for internal errors
2017-02-02 14:24:20 -05:00
Vishal Nayak 3457a11afd awsec2: support periodic tokens (#2324)
* awsec2: support periodic tokens

* awsec2: add api docs for 'period'
2017-02-02 13:28:01 -05:00
Vishal Nayak 14fcc4b6eb approle: secret-id listing lock sanity check (#2315)
* approle: secret-id listing lock sanity

* Skip processing an empty secretIDHMAC item during the iteration

* approle: use dedicated lock for listing of secret-id-accessors
2017-02-01 18:13:49 -05:00
louism517 0548555219 Support for Cross-Account AWS Auth (#2148) 2017-02-01 14:16:03 -05:00
Jeff Mitchell 47274eca88 Add cleanup functions to multiple DB backends. (#2313)
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
Jeff Mitchell f1a5a858d3 Make export errors a bit more meaningful 2017-01-30 09:25:50 -05:00
Jeff Mitchell 2e15dc93df Have transit exporting return the same structure regardless of one key or many 2017-01-28 10:37:35 -05:00
Shane Starcher 6033ea884c Okta implementation (#1966) 2017-01-26 19:08:52 -05:00
Brian Kassouf e788780709 Migrate cassandra test from acceptance to dockertest (#2295) 2017-01-25 15:37:55 -05:00
Jeff Mitchell f43a041bf2 Revert "Disable PKI OU tests to fix the build"
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
vishalnayak c8b6ab7223 Disable PKI OU tests to fix the build 2017-01-24 06:25:56 -05:00
joe miller 98df700495 allow roles to set OU value in certificates issued by the pki backend (#2251) 2017-01-23 12:44:45 -05:00
Chris Hoffman 7568a212b1 Adding support for exportable transit keys (#2133) 2017-01-23 11:04:43 -05:00
Vishal Nayak 5aba2d47b6 ldap: Minor enhancements, tests and doc update (#2272) 2017-01-23 10:56:43 -05:00
Vishal Nayak fa7d61baa3 Merge pull request #2202 from fcantournet/fix_govet_fatalf
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Vishal Nayak 1d7ded02b4 Merge pull request #2152 from mr-tron/master
Thanks for submitting this. I am going to merge this in and write tests.
2017-01-13 14:29:46 -05:00
Vishal Nayak e019cca4ea Merge pull request #2257 from bkrodgers/git-config-read
Added a 'read' for github config
2017-01-11 12:23:00 -05:00
Brian Rodgers f33d35f3de Added a nil check for config and renamed org field internally. 2017-01-11 11:04:15 -06:00
Matthew Irish cb8bbc4fbd Transit key actions (#2254)
* add supports_* for transit key reads

* update transit docs with new supports_* fields
2017-01-11 10:05:06 -06:00
Brian Rodgers a8f12dff01 Added a 'read' for github config 2017-01-10 18:21:31 -06:00
joe miller 78dacc154a sign-verbatim should set use_csr_common_name to true (#2243) 2017-01-10 09:47:59 -05:00
Jeff Mitchell 80dc5819d3 Use dockertest.v2 (#2247)
New dockertest has a totally different API and will require some serious
refactoring. This will tide over until then by pinning the API version.
2017-01-09 13:46:54 -05:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
vishalnayak 1816446f46 Address review feedback 2016-12-20 11:19:47 -05:00
vishalnayak b3e323bbcc pki: Avoiding a storage read 2016-12-20 11:07:20 -05:00
Brian Nuszkowski db5e0bb3c3 Minor cleanup in audit backend (#2194) 2016-12-19 15:35:55 -05:00
vishalnayak 2e23f1a992 pki: Appended error to error message 2016-12-19 10:49:32 -05:00
vishalnayak ba1cc709bd PKI: Added error to the error message 2016-12-19 10:47:29 -05:00
Jeff Mitchell bb54bd40f6 normalize some capitlization in error messages 2016-12-15 19:02:33 -05:00
Jeff Mitchell 8fff7daf51 Don't panic when TLS is enabled but the initial dial doesn't return a connection (#2188)
Related to #2186
2016-12-15 15:49:30 -05:00
Félix Cantournet e818efde7c ldap auth via cli defaults username to env (#2137)
try to guess the username from 'LOGNAME' or if it isn't set 'USER'
2016-12-02 19:08:32 +01:00
Jeff Mitchell 6ee61af87f Fix nil value panic when Consul returns a user error (#2145) 2016-12-01 10:22:32 -08:00
Brian Nuszkowski 3d66907966 Disallow passwords LDAP binds by default (#2103) 2016-12-01 10:11:40 -08:00
Denis Subbotin 2797c609b0 fix checking that users policies is not nil 2016-11-29 16:35:49 +03:00
Denis Subbotin cc374b3e2c add support per user acl for ldap users 2016-11-29 13:32:59 +03:00
Thomas Soëte 5eaef287a8 Close ldap connection to avoid leak (#2130) 2016-11-28 09:31:36 -08:00
Jeff Mitchell 890c19312f Update path help for approle secret id TTL 2016-11-15 11:50:51 -05:00
Daniel Somerfield 637414a623 Added support for individual user policy mapping in github auth backend. (#2079) 2016-11-10 16:21:14 -05:00
vascop ba3dc07bb3 Fix typo and remove trailing whitespace. (#2074) 2016-11-08 09:32:23 -05:00
Jeff Mitchell aa68041231 Fix GitHub tests 2016-11-08 07:13:42 -05:00
Glenn McAllister 50c8af0515 Add ldap tls_max_version config (#2060) 2016-11-07 13:43:39 -05:00
Jeff Mitchell 26fa2655b1 Add listing to Consul secret roles (#2065) 2016-11-04 12:35:16 -04:00
vishalnayak 65f0ce8ca3 Remove the sanity check which is not proving to be useful 2016-10-27 19:11:26 -04:00
vishalnayak dc93e57cf1 Return the revocation_sql from role read all the time 2016-10-27 12:24:31 -04:00
vishalnayak e0fb8c17ce Added revocation_sql to the website docs 2016-10-27 12:15:08 -04:00
vishalnayak c14a6c8666 Move policy test to keysutil package 2016-10-26 19:57:28 -04:00
vishalnayak 6d1e1a3ba5 Pulled out transit's lock manager and policy structs into a helper 2016-10-26 19:52:31 -04:00
Vishal Nayak 79d45355c8 Merge pull request #2004 from hashicorp/role-id-update
Fix regression caused by not creating a role_id secondary index
2016-10-26 16:29:46 -04:00
vishalnayak 931c96d1ba ssh: Use temporary file to store the identity file 2016-10-18 12:50:12 -04:00
Vishal Nayak 6dd560d9c6 Merge pull request #2005 from hashicorp/dedup-ldap-policies
Deduplicate the policies in ldap backend
2016-10-18 10:42:11 -04:00
Chris Hoffman 4b6e82afcb Add ability to list keys in transit backend (#1987) 2016-10-18 10:13:01 -04:00
vishalnayak 2ce8bc95eb Deduplicate the policies in ldap backend 2016-10-14 17:20:50 -04:00
vishalnayak 1487dce475 Fix regression caused by not creating a role_id secondary index 2016-10-14 12:56:29 -04:00
Laura Bennett dcf44a8fc7 Merge pull request #1980 from hashicorp/audit-update
Audit file update
2016-10-10 14:34:53 -04:00
Laura Bennett 0da9d1ac0c test updates to address feedback 2016-10-10 12:58:30 -04:00
Laura Bennett 5ce9737eb4 address feedback 2016-10-10 12:16:55 -04:00
Laura Bennett 962a383bfb address latest feedback 2016-10-10 11:58:26 -04:00
Laura Bennett 290ccee990 minor fix 2016-10-10 10:05:36 -04:00
Laura Bennett 9fc5a37e84 address feedback 2016-10-09 22:23:30 -04:00
Laura Bennett 05519a1267 adding unit tests for file mode 2016-10-09 00:33:24 -04:00
Laura Bennett e5a7e3d6cb initial commit to fix empty consistency option issue 2016-10-08 20:22:26 -04:00
Laura Bennett 1b8d12fe82 changes for 'mode' 2016-10-08 19:52:49 -04:00
Laura Bennett 60ceea5532 initial commit for adding audit file permission changes 2016-10-07 15:09:32 -04:00
Michael S. Fischer c45ab41b39 Update aws-ec2 configuration help
Updated to reflect enhanced functionality and clarify necessary
permissions.
2016-10-05 12:40:58 -07:00
Jeff Mitchell 70a9fc47b4 Don't use quoted identifier for the username 2016-10-05 14:31:19 -04:00
Jeff Mitchell 7f9a88d8db Postgres revocation sql, beta mode (#1972) 2016-10-05 13:52:59 -04:00
vishalnayak de5dec6b15 Refactor mysql's revoke SQL 2016-10-04 19:30:25 -04:00
Vishal Nayak 1ab7023483 Merge pull request #1914 from jpweber/mysql-revoke
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
Jim Weber 87f206b536 removed an unused ok variable. Added warning and force use for default queries if role is nil 2016-10-04 17:15:29 -04:00
vishalnayak 0f8c132ede Minor doc updates 2016-10-04 15:46:09 -04:00
vishalnayak 2e1aa80f31 Address review feedback 2 2016-10-04 15:30:42 -04:00
vishalnayak 59475d7f14 Address review feedback 2016-10-04 15:05:44 -04:00
Jim Weber cc38f3253a fixed an incorrect assignment 2016-10-03 21:51:40 -04:00
vishalnayak 348a09e05f Add only relevant certificates 2016-10-03 20:34:28 -04:00
vishalnayak dbd364453e aws-ec2 config endpoints support type option to distinguish certs 2016-10-03 20:25:07 -04:00
Jim Weber ac78ddc178 More resilient around cases of missing role names and using the default when needed. 2016-10-03 20:20:00 -04:00
vishalnayak b105f8ccf3 Authenticate aws-ec2 instances using identity document and its RSA signature 2016-10-03 18:57:41 -04:00
Jim Weber 0a7f1089ca Refactored logic some to make sure we can always fall back to default revoke statments
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
Jim Weber 704fccaf2e fixed some more issues I had with the tests. 2016-10-03 15:58:09 -04:00
Jim Weber a2d6624a69 renamed rolname to role 2016-10-03 15:57:47 -04:00
Jim Weber bfb0c2d3ff Reduced duplicated code and fixed comments and simple variable name mistakes 2016-10-03 14:53:05 -04:00
Jim Weber bb70ecc5a7 Added test for revoking mysql user with wild card host and non-wildcard host 2016-10-02 22:28:54 -04:00
Jim Weber dbb00534d9 saving role name to the Secret Internal data. Default revoke query added
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path

Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.

Cleaned up personal ignores from the .gitignore file
2016-10-02 18:53:16 -04:00
Jeff Mitchell 6d00f0c483 Adds HUP support for audit log files to close and reopen. (#1953)
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Vishal Nayak 4c74b646fe Merge pull request #1947 from hashicorp/secret-id-lookup-delete
Introduce lookup and destroy endpoints for secret IDs and its accessors
2016-09-29 10:19:54 -04:00
vishalnayak 34e76f8b41 Added website docs for lookup and destroy APIs 2016-09-28 22:11:48 -04:00
vishalnayak d20819949c Make secret-id reading and deleting, a POST op instead of GET 2016-09-28 20:22:37 -04:00
Michael S. Fischer 2dd1f584e6 Update documentation for required AWS API permissions
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
2016-09-28 16:50:20 -07:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Vishal Nayak 5adfaa0d7d Merge pull request #1939 from hashicorp/secret-id-upgrade
Respond secret_id_num_uses and deprecate SecretIDNumUses
2016-09-28 18:16:07 -04:00
vishalnayak e9142f418a Added todo to remind removal of upgrade code 2016-09-28 18:17:13 -04:00
vishalnayak e01f99f042 Check for prefix match instead of exact match for IAM bound parameters 2016-09-28 18:08:28 -04:00
vishalnayak 21d9731286 Don't reset the deprecated value yet 2016-09-28 15:48:50 -04:00
Vishal Nayak 4a30a6b4f8 Merge pull request #1913 from hashicorp/bound-iam-instance-profile-arn
Proper naming for bound_iam_instance_profile_arn
2016-09-28 15:34:56 -04:00
vishalnayak 31e450a175 Add some validation checks 2016-09-28 15:36:02 -04:00
vishalnayak 9eabf75f5f Fix the misplaced response warning 2016-09-28 14:20:03 -04:00
vishalnayak a2338f5970 Added testcase to check secret_id_num_uses 2016-09-28 13:58:53 -04:00
vishalnayak ba1d238f9b Pull out reading and storing of secret ID into separate functions and handle upgrade properly 2016-09-28 12:42:26 -04:00
Laura Bennett 010293ccc3 Merge pull request #1931 from hashicorp/cass-consistency
Adding consistency into cassandra
2016-09-27 21:12:02 -04:00
Chris Hoffman d235acf809 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
Laura Bennett 5ac43873c4 minor updates 2016-09-27 20:35:11 -04:00
Laura Bennett e14fe05c13 added parsing at role creation 2016-09-27 16:01:51 -04:00
Laura Bennett 4938aa56bf initial commit for consistency added into cassandra 2016-09-27 13:25:18 -04:00
Mikhail Zholobov 5eff59c410
Fix "SecretIDNumUses" in AppRole auth backend
There was a typo.
2016-09-27 17:26:52 +03:00
Vishal Nayak b1ee56a15b Merge pull request #1910 from hashicorp/secret-id-cidr-list
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
Vishal Nayak a4b119dc25 Merge pull request #1920 from legal90/fix-approle-delete
Fix panic on deleting the AppRole which doesn't exist
2016-09-26 10:05:33 -04:00
Mikhail Zholobov 3f77013004
Fix panic on deleting the AppRole which doesn't exist
#pathRoleDelete should return silently if the specified  AppRole doesn't exist
Fixes GH-1919
2016-09-26 16:55:08 +03:00
vishalnayak da5b5d3a8e Address review feedback from @jefferai 2016-09-26 09:53:24 -04:00
vishalnayak d080107a87 Update docs to contain bound_iam_role_arn 2016-09-26 09:37:38 -04:00
vishalnayak bf0b7f218e Implemented bound_iam_role_arn constraint 2016-09-23 21:35:36 -04:00
Jim Weber e0ea497cfe Getting role name from the creds path used in revocation 2016-09-23 16:57:08 -04:00
Jim Weber 8709406eb3 secretCredsRevoke command no longer uses hardcoded query
The removal of a user from the db is now handled similar to the
creation. The SQL is read out of a key from the role and then executed
with values substituted for username.
2016-09-23 16:05:49 -04:00
Jim Weber 1bed6bfc2c Added support for a revokeSQL key value pair to the role 2016-09-23 16:00:23 -04:00
Jeff Mitchell 6bf871995b Don't use time.Time in responses. (#1912)
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
vishalnayak e0c41f02c8 Fix incorrect naming of bound_iam_instance_profile_arn 2016-09-23 11:22:23 -04:00
vishalnayak c26754000b Fix ssh tests 2016-09-22 11:37:55 -04:00
vishalnayak aaadd4ad97 Store the CIDR list in the secret ID storage entry.
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
vishalnayak 578b82acf5 Pass only valid inputs to validation methods 2016-09-21 15:44:54 -04:00
vishalnayak 93604e1e2e Added cidrutil helper 2016-09-21 13:58:32 -04:00
Jeff Mitchell 676e7e0f07 Ensure upgrades have a valid HMAC key 2016-09-21 11:10:57 -04:00
Jeff Mitchell 0ff76e16d2 Transit and audit enhancements 2016-09-21 10:49:26 -04:00
Chris Hoffman 5c241d31e7 Renaming ttl_max -> max_ttl in mssql backend (#1905) 2016-09-20 12:39:02 -04:00
Vishal Nayak 97dc0e9f64 Merge pull request #1897 from hashicorp/secret-id-accessor-locks
Safely manipulate secret id accessors
2016-09-19 11:37:38 -04:00
vishalnayak fefd3a6c0b s/GetOctalFormatted/GetHexFormatted 2016-09-16 17:47:15 -04:00
Jeff Mitchell 897d3c6d2c Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop. 2016-09-16 11:05:43 -04:00
vishalnayak ba72e7887a Safely manipulate secret id accessors 2016-09-15 18:13:50 -04:00
Vishal Nayak 61664bc653 Merge pull request #1886 from hashicorp/approle-upgrade-notes
upgrade notes entry for approle constraint and warning on role read
2016-09-15 12:14:01 -04:00
vishalnayak 5597156886 check for nil role 2016-09-15 12:10:40 -04:00
vishalnayak 92986bb2a0 Address review feedback 2016-09-15 11:41:52 -04:00
vishalnayak a1de742dce s/disableReauthenticationNonce/reauthentication-disabled-nonce 2016-09-15 11:29:02 -04:00
vishalnayak 9bca127631 Updated docs with nonce usage 2016-09-14 19:31:09 -04:00
vishalnayak 857f921d76 Added comment 2016-09-14 18:27:35 -04:00
vishalnayak 39796e8801 Disable reauthentication if nonce is explicitly set to empty 2016-09-14 17:58:00 -04:00
vishalnayak d0e4d77fce address review feedback 2016-09-14 14:28:02 -04:00
vishalnayak d7ce69c5eb Remove the client nonce being empty check 2016-09-14 14:28:02 -04:00
vishalnayak 53c919b1d0 Generate the nonce by default 2016-09-14 14:28:02 -04:00
vishalnayak 455a4ae055 address review feedback 2016-09-14 12:08:35 -04:00
vishalnayak b1392567d1 Use constant time comparisons for client nonce 2016-09-13 20:12:43 -04:00
vishalnayak d2e66014ba Address review feedback 2016-09-13 18:30:04 -04:00
Jeff Mitchell 29b67141eb Only use running state for checking if instance is alive. (#1885)
Fixes #1884
2016-09-13 18:08:05 -04:00
vishalnayak 99a2655d8e upgrade notes entry for approle constraint and warning on role read 2016-09-13 17:44:07 -04:00
vishalnayak bef9c2ee61 Ensure at least one constraint on the role 2016-09-13 16:03:15 -04:00
Jeff Mitchell 197c7eae5f Allow encrypting empty ciphertext values. (#1881)
Replaces #1874
2016-09-13 12:00:04 -04:00
vishalnayak b599948e1c Use uuid.GenerateRandomBytes 2016-09-09 14:17:09 -04:00
vishalnayak 127f61473b Not exposing structs from the backend's package 2016-09-01 11:57:28 -04:00
Jeff Mitchell 1db0544b7a Use unexported kdf const names 2016-08-31 07:19:58 -04:00
Vishal Nayak c46a7391c0 Merge pull request #1799 from hashicorp/fix-role-locking
approle: fix racy updates problem for roles
2016-08-30 16:46:40 -04:00
vishalnayak cdcfa4572f Address review feedback 2016-08-30 16:36:58 -04:00
Jeff Mitchell d2239d22d9 Use hkdf for transit key derivation for new keys (#1812)
Use hkdf for transit key derivation for new keys
2016-08-30 16:29:09 -04:00
vishalnayak 29b9295673 approle: fix racy updates problem for roles 2016-08-30 16:11:14 -04:00
vishalnayak 9dbc97028b STS path field description update 2016-08-30 10:53:21 -04:00
vishalnayak 0b07ec7303 Added UpdateOperation to logical AWS STS path 2016-08-30 10:30:13 -04:00
Vishal Nayak cdd1d96a64 Merge pull request #1804 from hashicorp/issue-1800
Mark STS secrets as non-renwable
2016-08-29 11:46:19 -04:00
navinanandaraj 8612b6139e Fixes #1801 Reuse Cassandra session object for create creds (#1802) 2016-08-28 17:32:41 -04:00
Jeff Mitchell f0537572a8 Mark STS secrets as non-renwable
Ping #1800
2016-08-28 14:27:56 -04:00
Jeff Mitchell 0b113f7916 Derive nonce fully in convergent mode (#1796)
Ping #1794
2016-08-26 17:01:56 -04:00
Jeff Mitchell 2f5876dfe9 Use key derivation for convergent nonce. (#1794)
Use key derivation for convergent nonce.

Fixes #1792
2016-08-26 14:11:03 -04:00
Jeff Mitchell 28739f3528 Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 15:04:04 -04:00
Jeff Mitchell d1284944c3 Merge pull request #1755 from hashicorp/logxi
Convert to logxi
2016-08-21 19:28:18 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
vishalnayak 524ed6db37 Extract out common code 2016-08-21 15:46:11 -04:00
vishalnayak dfe73733d5 Seperate endpoints for read/delete using secret-id and accessor 2016-08-21 14:42:49 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
vishalnayak 7ce631f1dc Pretty print the warning 2016-08-18 16:09:10 -04:00
vishalnayak 870ffd6fd8 Use shortestTTL value during renewals too 2016-08-18 15:43:58 -04:00
vishalnayak 4f1c47478e When TTL is not set, consider the system default TTL as well 2016-08-18 15:37:59 -04:00
vishalnayak 56b8c33c95 aws-ec2: se max_ttl when ttl is not set, during login 2016-08-18 15:16:32 -04:00
Jeff Mitchell 638e61192a Actually show the error occurring if a file audit log can't be opened 2016-08-15 16:26:36 -04:00
Jeff Mitchell 86874def5c Parameter change
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
Jeff Mitchell 39cfd116b6 Cleanup 2016-08-13 11:52:09 -04:00
Jeff Mitchell 1b8711e7b7 Ensure utc value is not zero before adding 2016-08-13 11:50:57 -04:00
Jeff Mitchell d6d08250ff Ensure values to be encoded in a CRL are in UTC. This aligns with the
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.

Fixes #1727
2016-08-13 08:40:09 -04:00
vishalnayak b150c14caa Address review feedback by @jefferai 2016-08-09 17:45:42 -04:00
vishalnayak 8d261b1a78 Added ttl field to aws-ec2 auth backend role 2016-08-09 17:29:45 -04:00
Jeff Mitchell b69ed7ea93 Fix build 2016-08-08 17:00:59 -04:00
Jeff Mitchell 7f6c58b807 Address review feedback 2016-08-08 16:30:48 -04:00
Jeff Mitchell 0a67bcb5bd Merge pull request #1696 from hashicorp/transit-convergent-specify-nonce
Require nonce specification for more flexibility
2016-08-08 11:41:10 -04:00
Jeff Mitchell 1f198e9256 Return warning about ACLing the LDAP configuration endpoint.
Fixes #1263
2016-08-08 10:18:36 -04:00
Jeff Mitchell 606ba64e23 Remove context-as-nonce, add docs, and properly support datakey 2016-08-07 15:53:40 -04:00
Jeff Mitchell 1976bc0534 Add unit tests for convergence in non-context mode 2016-08-07 15:16:36 -04:00
Jeff Mitchell 8b1d47037e Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 17:52:44 -04:00
Vincent Batoufflet 0b73c2ff9a Fix PKI logical backend email alt_names 2016-08-04 12:10:34 +02:00
Jeff Mitchell 58e9cbbfc6 Add postgres test for block statements 2016-08-03 15:34:50 -04:00
Jeff Mitchell 9e204bd88c Add arbitrary string slice parsing.
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.

Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
Jeff Mitchell c025b292b5 Cleanup 2016-08-03 13:09:12 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Jeff Mitchell e0c5f5f5fa Add convergence tests to transit backend 2016-07-28 11:30:52 -04:00
vishalnayak a6907769b0 AppRole authentication backend 2016-07-26 09:32:41 -04:00
Jeff Mitchell 0cfb112e87 Explicitly set invalid request status when a password isn't included 2016-07-25 11:14:15 -04:00
Jeff Mitchell dc4b85b55e Don't return 500 for user error in userpass when setting password 2016-07-25 11:09:46 -04:00
Jeff Mitchell d4c3e27c4e Fix re-specification of filter 2016-07-25 09:08:29 -04:00
Oren Shomron cd6d114e42 LDAP Auth Backend Overhaul
--------------------------

Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.

Simplified group membership lookup significantly to support multiple use-cases:
  * Enumerating groups via memberOf attribute on user object
  * Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
  * Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule

There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.

Additional changes:
  * Clarify documentation for LDAP auth backend.
  * Reworked how default values are set, added tests
  * Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
Jeff Mitchell 68dcf677fa Fix panic if no certificates are supplied by client
Fixes #1637
2016-07-21 10:20:41 -04:00
Jeff Mitchell b353e44209 Fix build 2016-07-21 09:53:41 -04:00
Jeff Mitchell d335038b40 Ensure we never return a nil set of trusted CA certs
Fixes #1637
2016-07-21 09:50:31 -04:00
Laura Bennett 559b0a5006 Merge pull request #1635 from hashicorp/mysql-idle-conns
Added maximum idle connections to mysql to close hashicorp/vault#1616
2016-07-20 15:31:37 -04:00
Jeff Mitchell b558c35943 Set defaults to handle upgrade cases.
Ping #1604
2016-07-20 14:07:19 -04:00
Jeff Mitchell f2b6569b0b Merge pull request #1604 from memory/mysql-displayname-2
concat role name and token displayname to form mysql username
2016-07-20 14:02:17 -04:00
Nathan J. Mehl ea294f1d27 use both role name and token display name to form mysql username 2016-07-20 10:17:00 -07:00
Laura Bennett e6bf4fa489 whitespace error corrected 2016-07-20 12:00:05 -04:00
Nathan J. Mehl 0483457ad2 respond to feedback from @vishalnayak
- split out usernameLength and displaynameLength truncation values,
  as they are different things

- fetch username and displayname lengths from the role, not from
  the request parameters

- add appropriate defaults for username and displayname lengths
2016-07-20 06:36:51 -07:00
Laura Bennett 7cdb8a28bc max_idle_connections added 2016-07-20 09:26:26 -04:00
Laura Bennett 03c7eb7d18 initial commit before rebase to stay current with master 2016-07-19 14:18:37 -04:00
Jeff Mitchell 30ca541f99 Merge pull request #1414 from mhurne/mongodb-secret-backend
Add mongodb secret backend
2016-07-19 13:56:15 -04:00
Jeff Mitchell 3334b22993 Some minor linting 2016-07-19 13:54:18 -04:00
Matt Hurne 0f9ee8fbed Merge branch 'master' into mongodb-secret-backend 2016-07-19 12:47:58 -04:00
Matt Hurne 072c5bc915 mongodb secret backend: Remove redundant type declarations 2016-07-19 12:35:14 -04:00
Matt Hurne c7d42cb112 mongodb secret backend: Fix broken tests, clean up unused parameters 2016-07-19 12:26:23 -04:00
Vishal Nayak fbb04349b5 Merge pull request #1629 from hashicorp/remove-verify-connection
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 12:21:23 -04:00
Vishal Nayak 8a1bb1626a Merge pull request #1583 from hashicorp/ssh-allowed-roles
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-19 12:04:12 -04:00
vishalnayak 7fb04a1bbd Remove unused VerifyConnection from storage entries of SQL backends 2016-07-19 11:55:49 -04:00
Matt Hurne 316837857b mongodb secret backend: Return lease ttl and max_ttl in lease read in seconds rather than as duration strings 2016-07-19 11:23:56 -04:00
Matt Hurne f18d98272d mongodb secret backend: Don't bother persisting verify_connection field in connection config 2016-07-19 11:20:45 -04:00
Matt Hurne f8e6bcbb69 mongodb secret backend: Handle cases where stored username or db is not a string as expected when revoking credentials 2016-07-19 11:18:00 -04:00
Matt Hurne 75a5fbd8fe Merge branch 'master' into mongodb-secret-backend 2016-07-19 10:38:45 -04:00
Jeff Mitchell 434ed2faf2 Merge pull request #1573 from mickhansen/logical-postgresql-revoke-sequences
handle revocations for roles that have privileges on sequences
2016-07-18 13:30:42 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak cdf58da43b Merge pull request #1610 from hashicorp/min-tls-ver-12
Set minimum TLS version in all tls.Config objects
2016-07-13 10:53:14 -06:00
vishalnayak 09a4142fd3 Handled upgrade path for TLSMinVersion 2016-07-13 12:42:51 -04:00
Vishal Nayak 9f1e6c7b26 Merge pull request #1607 from hashicorp/standardize-time
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak de19314f18 Address review feedback 2016-07-13 11:52:26 -04:00
vishalnayak 407722a9b4 Added tls_min_version to consul storage backend 2016-07-12 20:10:54 -04:00
Nathan J. Mehl 314a5ecec0 allow overriding the default truncation length for mysql usernames
see https://github.com/hashicorp/vault/issues/1605
2016-07-12 17:05:43 -07:00
vishalnayak f34f0ef503 Make 'tls_min_version' configurable 2016-07-12 19:32:47 -04:00
vishalnayak 46d34130ac Set minimum TLS version in all tls.Config objects 2016-07-12 17:06:28 -04:00
vishalnayak 8269f323d3 Revert 'risky' changes 2016-07-12 16:38:07 -04:00
Jeff Mitchell 57cdb58374 Switch to pester from go-retryablehttp to avoid swallowing 500 error messages 2016-07-11 21:37:46 +00:00
Mick Hansen 9ee4542a7c incorporate code style guidelines 2016-07-11 13:35:35 +02:00
Mick Hansen c25788e1d4 handle revocations for roles that have privileges on sequences 2016-07-11 13:16:45 +02:00
Nathan J. Mehl 2cf4490b37 use role name rather than token displayname in generated mysql usernames
If a single token generates multiple myself roles, the generated mysql
username was previously prepended with the displayname of the vault
user; this makes the output of `show processlist` in mysql potentially
difficult to correlate with the roles actually in use without cross-
checking against the vault audit log.

See https://github.com/hashicorp/vault/pull/1603 for further discussion.
2016-07-10 15:57:47 -07:00
Matt Hurne 6505e85dae mongodb secret backend: Improve safety of MongoDB roles storage 2016-07-09 21:12:42 -04:00
vishalnayak e09b40e155 Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-08 18:30:18 -04:00
Matt Hurne bb8a45eb8b Format code in mongodb secret backend 2016-07-07 23:16:11 -04:00
Matt Hurne 8d5a7992c1 mongodb secret backend: Improve and correct errors in documentation; improve "parameter is required" error response messages 2016-07-07 23:09:45 -04:00
Matt Hurne eee6f04e40 mongodb secret backend: Refactor to eliminate unnecessary variable 2016-07-07 22:29:17 -04:00
Matt Hurne ce845df43c mongodb secret backend: Consider a "user not found" response a success when removing a user from Mongo 2016-07-07 22:27:47 -04:00
Matt Hurne 138d74f745 mongodb secret backend: Improve roles path help 2016-07-07 22:16:34 -04:00
Matt Hurne 7f9d91acb6 mongodb secret backend: Remove default value for Mongo authentication DB for roles; validate that role name and authentication db were specified when creating a role 2016-07-07 22:09:00 -04:00
Matt Hurne de84cdabe6 mongodb secret backend: Leverage framework.TypeDurationSecond to simplify storage of lease ttl and max_ttl 2016-07-07 21:48:44 -04:00
Matt Hurne 6d7c9f5424 mongodb secret backend: Verify existing Session is still working before reusing it 2016-07-07 21:37:44 -04:00
vishalnayak db3670c353 Fix transit tests 2016-07-06 22:04:08 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
vishalnayak 5367a7223d Add allowed_roles to ssh-helper-config and return role name from verify call 2016-07-05 11:14:29 -04:00
Matt Hurne 769d20c770 Merge branch 'master' into mongodb-secret-backend 2016-07-05 09:33:12 -04:00
Matt Hurne ba9c97b915 mongodb secret backend: Add support for reading connection configuration; Dockerize tests 2016-07-05 09:32:38 -04:00