luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
2849 commits 1 branch 0 tags 214 MiB
Commit graph

506 commits

Author SHA1 Message Date
Jeff Mitchell 7d41607b6e Add "tidy/" which allows removing expired certificates. 
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
 2016-02-24 21:24:48 -05:00
vishalnayak 69bcbb28aa rename verify_cert as disable_binding and invert the logic 2016-02-24 21:01:21 -05:00
vishalnayak 902c780f2b make the verification of certs in renewal configurable 2016-02-24 16:42:20 -05:00
vishalnayak bc4710eb06 Cert: renewal enhancements 2016-02-24 14:31:38 -05:00
vishalnayak 053bbd97ea check CIDR block for renewal as well 2016-02-24 10:55:31 -05:00
vishalnayak 978075a1b4 Added renewal capability to app-id backend 2016-02-24 10:40:15 -05:00
Matt Hurne 11187112bc Improve error message returned when client attempts to generate STS credentials for a managed policy; addresses #1113 2016-02-23 08:58:28 -05:00
Jeff Mitchell f56e4a604d Merge pull request #1114 from hashicorp/dont-delete-certs 
Do not delete certs (or revocation information)
 2016-02-22 16:11:13 -05:00
Jeff Mitchell 4514192145 Address review feedback 2016-02-22 16:11:01 -05:00
Jeff Mitchell f43ab6a25d Remove extra debugging from PKI tests 2016-02-22 13:39:05 -05:00
Jeff Mitchell f27eab1d28 Do not delete certs (or revocation information) to avoid potential 
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
 2016-02-22 13:36:17 -05:00
Jeff Mitchell 51ced69bf8 Fix issue where leftover values after cn tests could trigger errors in ipsan tests 2016-02-22 13:35:57 -05:00
Vishal Nayak 949f8a6b69 Merge pull request #1112 from hashicorp/1089-postgres-connection-url 
postgres: connection_url fix
 2016-02-22 11:36:04 -05:00
Jeff Mitchell 4c327ca4cc More improvements to PKI tests; allow setting a specific seed, output 
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
 2016-02-22 11:22:52 -05:00
vishalnayak c9899a5300 postgres: connection_url fix 2016-02-22 11:22:49 -05:00
Jeff Mitchell 8d4c6f4c98 Use more fuzziness in PKI backend tests 2016-02-22 10:59:37 -05:00
Jeff Mitchell 392a26e9cd Better handle errors from fetchCertBySerial 2016-02-22 10:36:26 -05:00
Jeff Mitchell fab2d8687a Remove root requirement for certs/ and crls/ in TLS auth backend. 
Fixes #468
 2016-02-21 15:33:33 -05:00
Jeff Mitchell 58432c5d57 Add tests for minimum key size checking. (This will also verify that the 
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
 2016-02-19 21:39:40 -05:00
Jeff Mitchell c57b646848 Check role key type and bits when signing CSR. 
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
 2016-02-19 20:50:49 -05:00
vishalnayak c4abe72075 Cap the length midString in IAM user's username to 42 2016-02-19 18:31:10 -05:00
Vishal Nayak 773de69796 Merge pull request #1102 from hashicorp/shorten-aws-usernames 
Set limits on generated IAM user and STS token names.
 2016-02-19 18:25:29 -05:00
Jeff Mitchell 574542b683 Some minor changes in mysql commenting and names 2016-02-19 16:44:52 -05:00
Jeff Mitchell 25b9f9b4a6 Set limits on generated IAM user and STS token names. 
Fixes #1031
Fixes #1063
 2016-02-19 16:35:06 -05:00
vishalnayak a16055c809 mysql: fix error message 2016-02-19 16:07:06 -05:00
vishalnayak 38b55bd8b1 Don't deprecate value field yet 2016-02-19 16:07:06 -05:00
vishalnayak 99f4969b20 Removed connectionString.ConnectionString 2016-02-19 16:07:05 -05:00
vishalnayak 380b662c3d mysql: provide allow_verification option to disable connection_url check 2016-02-19 16:07:05 -05:00
Jeff Mitchell 6df75231b8 Merge pull request #1100 from hashicorp/issue-1030 
Properly escape filter values in LDAP filters
 2016-02-19 14:56:40 -05:00
Jeff Mitchell 7fc4ee1ed7 Disallow 1024-bit RSA keys. 
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
 2016-02-19 14:33:02 -05:00
Jeff Mitchell 05b5ff69ed Address some feedback on ldap escaping help text 2016-02-19 13:47:26 -05:00
Jeff Mitchell d7b40b32db Properly escape filter values. 
Fixes #1030
 2016-02-19 13:16:52 -05:00
Jeff Mitchell c67871c36e Update LDAP documentation with a note on escaping 2016-02-19 13:16:18 -05:00
Jeff Mitchell d3f3122307 Add tests to ldap using the discover capability 2016-02-19 11:46:59 -05:00
Jeff Mitchell 154c326060 Add ldap tests that use a bind dn and bind password 2016-02-19 11:38:27 -05:00
Vishal Nayak 3e1a07d3d0 Merge pull request #1047 from hashicorp/vault-iss999-github-renewal 
GitHub renewal enhancements
 2016-02-18 16:47:15 -05:00
Vishal Nayak ba134f5a7a Merge pull request #1086 from hashicorp/iss962-verify-otp-response-code 
SSH: Fix response code for ssh/verify
 2016-02-18 13:32:28 -05:00
vishalnayak a6f3b31a36 ssh: Fix response code for ssh/verify 2016-02-16 19:46:29 -05:00
vishalnayak d9536043e7 Pki: Respond user error when cert is not found instead of internal error 2016-02-16 17:58:57 -05:00
vishalnayak 0b44d81a16 Github renewal enhancement 2016-02-11 20:42:42 -05:00
Jeff Mitchell 3378db0166 Merge pull request #1061 from tomrittervg/tomrittervg-typos-1 
Fix some typos
 2016-02-11 15:12:09 -05:00
Jeff Mitchell 880c9798b7 Merge pull request #1062 from tomrittervg/tomrittervg-AllowedBaseDomain-migration 
AllowedBaseDomain will stay non-empty in certain error conditions. None of these conditions should be hit anyways, but this provides an extra safety check.
 2016-02-11 15:07:54 -05:00
Jeff Mitchell 46b22745c6 Merge pull request #1053 from mwielgoszewski/postgresql-revocation 
Fix PostgreSQL secret backend issues revoking users
 2016-02-11 12:52:37 -05:00
Tom Ritter a10dc14625 Fix AllowedBaseDomain Migration 
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.

//untested
 2016-02-09 15:42:15 -06:00
Tom Ritter 940a58cb9d Typo in error message in path_intermediate.go 2016-02-09 15:08:30 -06:00
Tom Ritter e5952a1c28 Typo in policy.go 2016-02-08 12:00:06 -06:00
Jeff Mitchell 4771884c78 Add slack on NotBefore value for generated certs. 
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.

Fixes #1035
 2016-02-07 14:00:03 -05:00
Jeff Mitchell eb1deefac1 Introduce a locking inmem storage for unit tests that are doing concurrent things 2016-02-04 09:40:35 -05:00
Jeff Mitchell 70eeaa1519 Add transit fuzz test 2016-02-03 17:36:15 -05:00
Vishal Nayak d02930fd95 Merge pull request #1013 from hashicorp/fix-ssh-tests 
Fix SSH tests
 2016-02-02 14:22:09 -05:00