Commit graph

338 commits

Author SHA1 Message Date
Jeff Mitchell f1cc16b77f Remove manual selection of nextprotos from tls config coming from certutil; it's really not up to us to dictate third party requirements 2016-07-22 11:12:46 -04:00
vishalnayak 8dc3a830dc Address review feedback 2016-07-22 10:21:45 -04:00
vishalnayak 58bd985551 Address review feedback from @jefferai 2016-07-22 08:44:16 -04:00
vishalnayak 765d131b47 Added service-tags config option to provide additional tags to registered service 2016-07-22 04:41:48 -04:00
Vishal Nayak 9bb89431dc Merge pull request #1632 from hashicorp/lib-locks-create
Added helper to create locks
2016-07-21 10:23:34 -04:00
Jeff Mitchell 3ec81debe7 Trim leading/trailing space around PEM bundles.
Fixes #1634
2016-07-20 13:57:49 -04:00
vishalnayak ba4dc638bf Added test for CreateLocks 2016-07-20 05:37:38 -04:00
vishalnayak 331f229858 Added a cap of 256 for CreateLocks utility 2016-07-20 04:48:35 -04:00
vishalnayak 50e8a189e9 Added helper to create locks 2016-07-19 21:37:28 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
vishalnayak de19314f18 Address review feedback 2016-07-13 11:52:26 -04:00
vishalnayak f78f303787 git add tlsutil 2016-07-13 11:29:17 -04:00
vishalnayak f34f0ef503 Make 'tls_min_version' configurable 2016-07-12 19:32:47 -04:00
vishalnayak 46d34130ac Set minimum TLS version in all tls.Config objects 2016-07-12 17:06:28 -04:00
Jeff Mitchell 5b210b2a1f Return a duration instead and port a few other places to use it 2016-07-11 18:19:35 +00:00
Jeff Mitchell ab6c2bc5e8 Factor out parsing duration second type and use it for parsing tune values too 2016-07-11 17:53:39 +00:00
vishalnayak 10b5f6648b Added jsonutil functional tests 2016-07-07 12:12:51 -04:00
vishalnayak 14fd963d9f Input validations for jsonutil 2016-07-07 11:29:38 -04:00
vishalnayak 60912bdf65 Added jsonutil helper 2016-07-07 10:51:49 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
vishalnayak 1e4834bd20 Remove addDefault param from ParsePolicies 2016-05-31 13:39:58 -04:00
vishalnayak 49b4c83580 Adding default policies while creating tokens 2016-05-31 13:39:58 -04:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
Sean Chittenden 8c9dadf82b
Don't build mlock for NetBSD
NetBSD doesn't have the right symbols defined in Go for mlockall support.  The OS supports it just fine, but the definitions aren't present in Go.  If someone wanted to they could add support XOR the values from `sys/mman.h` for `MCL_CURRENT | MCL_FUTURE` which is almost certainly `0x01 | 0x02` but we're not going to do that in code due to the maintenance of a one-off just for NetBSD.  PR's welcome.
2016-05-10 16:39:54 -07:00
Jeff Mitchell 80407eeba8 Fix up commenting 2016-05-05 10:31:50 -04:00
Jeff Mitchell b6b9cd6f1f Merge remote-tracking branch 'origin/master' into aws-cred-chain 2016-05-05 10:31:12 -04:00
vishalnayak 314a1f9406 Updates to policy and string helpers 2016-05-05 10:22:28 -04:00
vishalnayak 0cec22d27a Lower case all policy values in ParsePolicies before processing 2016-05-05 05:22:59 -04:00
Jeff Mitchell 1b0df1d46f Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 17:01:02 -04:00
Jeff Mitchell 7fbe5d2eaa Region is required so error in awsutil if not set and set if empty in client code in logical/aws 2016-05-03 15:25:11 -04:00
Jeff Mitchell a244ef8a00 Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 15:10:35 -04:00
Adam Shannon fb07d07ad9 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
Sean Chittenden 09ad6317ea Merge pull request #1297 from hashicorp/f-bsd-mlock
F bsd mlock
2016-04-06 13:57:34 -07:00
Sean Chittenden b178bfabd9 Fix the build targets
I'm not entirely sure why this didn't work, but explicitly list the unsupported platforms as identified by `go tool dist list`
2016-04-05 22:24:53 -07:00
vishalnayak e3a1ee92b5 Utility Enhancements 2016-04-05 20:32:59 -04:00
Sean Chittenden 2374129c33 Consolidate mlock calls into one place
In theory Android and NaCL could build Vault now, too.

List of targets derived from: `go tool dist list`
2016-04-05 13:57:29 -07:00
Sean Chittenden 308057a4a9 Switch Linux over to using the x/sys/unix package
Same syscall interface, but the `x/sys/unix` package is not frozen.  No functional change from this commit.
2016-04-05 12:19:46 -07:00
Sean Chittenden dcde117bcb go fmt was here, no functional change 2016-04-05 12:18:45 -07:00
Sean Chittenden 087e7c94d3 Add Vault support for the *BSDs, including Darwin
The `syscall` package has been frozen in favor of `x/sys`.  As a result, all of the BSDs are supported and do have `mlockall(2)` support in current versions of Go.
2016-04-05 12:18:19 -07:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Jeff Mitchell c50276ec17 Fix using wrong var 2016-03-24 10:23:09 -04:00
Jeff Mitchell 4c4a65ebd0 Properly check for policy equivalency during renewal.
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.

Fixes #1256
2016-03-24 09:41:51 -04:00
Jeff Mitchell 786bce24b1 Remove us building Solaris binaries for the moment, as they don't build successfully 2016-03-16 15:47:55 -04:00
Tom Ritter 8901c0b67d Type in kdf.go 2016-02-08 14:39:46 -06:00
Jeff Mitchell 7a59af7d18 Fix lost code after rebase 2016-01-19 19:19:07 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b100c5965 Address most of the review feedback 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell 630b2d83a7 Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.
Fixes #940
2016-01-18 17:01:52 -05:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell 8d1e5cb50d Add returning which user names could not be looked up 2016-01-04 13:56:45 -05:00
Jeff Mitchell 90ec946dab Address review feedback. 2016-01-04 11:18:04 -05:00
Jeff Mitchell d11509830f Happy New Year everyone! (Add keybase support for PGP keys.)
Keys specified in rekey and init operations can now be sourced from
keybase.io by using "keybase:[username]" as the key.
2015-12-31 20:47:41 -05:00
Jeff Mitchell 4dac5f5a0e Merge pull request #829 from andrewstuart/master
Add parsing of pkcs#8-encoded bundles for pki/config/ca
2015-12-22 10:06:59 -05:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Charles Phillips 4cb2941b77 [helper] support mlock on Solaris/SmartOS 2015-12-15 11:28:16 -08:00
Andrew Stuart c81e5c41d2
Update PrivateKeyType to string, update switch statement. 2015-12-14 11:16:47 -07:00
Andrew Stuart 100465fee8
Remove unnecessary cast 2015-12-14 06:17:20 -07:00
Andrew Stuart 567282170f
Remove printf call from test 2015-12-11 15:47:00 -07:00
Andrew Stuart ae9e842841
Merge branch 'pkcs8' 2015-12-11 15:22:43 -07:00
Andrew Stuart 43bd14a755
Add benchmark for certutil bundle parsing 2015-12-11 15:17:49 -07:00
Andrew Stuart 551591fb70
Remove debugging print statement in compareCertBundleToParsedCertBundle 2015-12-11 15:17:49 -07:00
Andrew Stuart b277eb9f14
Remove flag check before trying pkcs8 parsing. 2015-12-11 15:17:49 -07:00
Andrew Stuart 6f672a9589
Add pkcs8 flag setting in ParsePEMBundle 2015-12-11 15:17:49 -07:00
Andrew Stuart 4da225d39e
Update tests and finish implementation of PKCS8 handling 2015-12-11 15:17:49 -07:00
Andrew Stuart 25667df5f7
Update ParsePEMBundle to properly handle pkcs#8
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-11 15:17:49 -07:00
Andrew Stuart 2861be29a4
Move to pem.Block.Type-based decoding 2015-12-11 14:57:33 -07:00
Andrew Stuart 9d97cc36c9
Add benchmark for certutil bundle parsing 2015-12-11 09:58:49 -07:00
Andrew Stuart e70b0b86e2
Merge branch 'master' into pkcs8 2015-12-10 21:02:59 -07:00
Andrew Stuart 572f587093
Update flag to field with format info 2015-12-10 21:02:31 -07:00
Andrew Stuart 889245c990
Remove debugging print statement in compareCertBundleToParsedCertBundle 2015-12-10 16:33:42 -07:00
Andrew Stuart cdeca4ed92
Remove flag check before trying pkcs8 parsing. 2015-12-09 19:41:32 -07:00
Andrew Stuart ef2be34985 Remove flag check before trying pkcs8 parsing. 2015-12-09 15:33:25 -07:00
Andrew Stuart a3b096e3fe Add pkcs8 flag setting in ParsePEMBundle 2015-12-09 15:33:25 -07:00
Andrew Stuart 7d274cbb0b Update tests and finish implementation of PKCS8 handling 2015-12-09 15:33:25 -07:00
Andrew Stuart db48b7fccf Update ParsePEMBundle to properly handle pkcs#8
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-09 15:29:13 -07:00
Jeff Mitchell 22a6d6fa22 Merge branch 'master' into pki-csrs 2015-11-20 12:48:38 -05:00
Jeff Mitchell 0dbe15cb87 Mostly revert changes to certutil as the embedded struct stuff was being
problematic.
2015-11-19 14:18:39 -05:00
Jeff Mitchell f41a2e562a fix tests 2015-11-19 10:13:28 -05:00
Jeff Mitchell 26c8cf874d Move public key comparison logic to its own function 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4681d027c0 Move serial number generation and key validation into certutil; centralize format and key verification 2015-11-19 09:51:18 -05:00
Jeff Mitchell 5510a2b16f Add unit tests for CSR bundle conversion 2015-11-19 09:51:18 -05:00
Jeff Mitchell 54fccb2ff4 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell b2df079446 Add unit tests to test signing logic, fix up test logic for names 2015-11-19 09:51:17 -05:00
Jeff Mitchell 1cec03d9ca Implement CA cert/CSR generation. CA certs can be self-signed or
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell c66f0918be Add delete method, and ability to delete only one serial as well as an entire set. 2015-11-03 10:52:20 -05:00
Mitchell Hashimoto 2917e6be2f helper/password: interrupt should exit readline 2015-10-16 16:01:19 -07:00
Jeff Mitchell a9155ef85e Use split-out hashicorp/uuid 2015-10-12 14:07:12 -04:00
Jeff Mitchell ad840233eb Allow base64-encoded keys to be used on the CLI for init/rekey.
Fixes #653.
2015-10-06 12:47:01 -04:00
Jeff Mitchell 8d71601221 Changes to salt to clean up HMAC stuff. 2015-09-18 18:13:10 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 8669a87fdd When using PGP encryption on unseal keys, encrypt the hexencoded string rather than the raw bytes. 2015-08-26 07:59:50 -07:00
Jeff Mitchell cc232e6f79 Address comments from review. 2015-08-25 15:33:58 -07:00
Jeff Mitchell c887df93cc Add support for pgp-keys argument to rekey, as well as tests, plus
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Bradley Girardeau aa55d36f03 Clean up naming and add documentation 2015-07-30 17:36:40 -07:00
Bradley Girardeau d26b77b4f4 mfa: code cleanup 2015-07-28 11:55:46 -07:00
Bradley Girardeau 6697012dd3 mfa: improve edge cases and documentation 2015-07-27 21:14:00 -07:00
Bradley Girardeau 15c9e0cfc3 mfa duo: better error messages 2015-07-27 21:14:00 -07:00
Bradley Girardeau e45f957bcc mfa: add test cases for MFA, Duo 2015-07-27 21:14:00 -07:00
Bradley Girardeau 5cf78d8ba2 mfa: add MFA wrapper with Duo second factor 2015-07-27 21:14:00 -07:00
Armon Dadgar 81f39fbc16 helper/kdf: changing argument name for clarity 2015-07-05 14:01:56 -07:00
Armon Dadgar bd347e0430 helper/kdf: adding lib for key derivation from NIST800-108 2015-07-05 14:01:21 -07:00
Armon Dadgar 3084f64e5c helper/salt: track if salt was generated 2015-06-30 16:47:49 -07:00
Armon Dadgar a2eb1210a7 helper/salt: adding little helper for salting 2015-06-30 14:04:18 -07:00
Armon Dadgar 8bc99f8c23 helper/uuid: single generateUUID definition 2015-06-30 12:38:32 -07:00
Armon Dadgar 3902626163 Merge pull request #310 from jefferai/f-pki
Initial PKI backend implementation
2015-06-21 11:12:22 +01:00
Steve Wills 7244094509 allow building on FreeBSD
Allow this file to build on FreeBSD
2015-06-19 16:59:24 -04:00
Jeff Mitchell 390f769d1a Add unit tests for certutil, and fix a whitespace stripping issue.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 16:06:56 -04:00
Jeff Mitchell a6fc48b854 A few things:
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Jeff Mitchell 34f495a354 Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Jeff Mitchell 9e00ca769a Restructure a little bit to make the helper library fully standalone. This makes it easier to move around later if desired, and for use by external programs.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 06:42:57 -04:00
Jeff Mitchell 29e7ec3e21 A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.

More refactoring could be done within the PKI backend itself, but that can wait.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Mitchell Hashimoto 8d39d21ac2 helper/kv-builder: blank values should not panic 2015-06-16 10:00:02 -07:00
Mark Junker 787a4bc4b5 Fixes #83 2015-04-29 10:20:09 +02:00
Mitchell Hashimoto b5f8f3b05a vault: add helper/mlock for doing mlock 2015-04-28 14:59:43 -07:00
Mitchell Hashimoto fa80e90b1a helper/passsword: fix windows compilation 2015-04-28 09:23:48 -07:00
Mitchell Hashimoto 8e3746d347 helper/kv-builder 2015-04-07 22:30:25 -07:00
Mitchell Hashimoto 481628c41f command/auth: framework for supporting more auth methods 2015-04-05 20:50:18 -07:00
Mitchell Hashimoto afc71d2a7b command/server: cleaner output 2015-04-04 12:06:41 -07:00
Mitchell Hashimoto 2e9e4ee93d helper/password: catch ctrl-c if possible 2015-04-01 17:27:29 -07:00
Mitchell Hashimoto 11f8423b4f logical/framework, logical/testing 2015-03-15 16:39:49 -07:00
Mitchell Hashimoto a0232eedd7 helper/backend: use logical package 2015-03-15 14:57:19 -07:00
Mitchell Hashimoto 857e00bcdc helper/backend: start acceptance test framework 2015-03-14 17:18:19 -07:00
Mitchell Hashimoto accd8c29ca helper/backend: auto-generate help route 2015-03-14 10:12:50 -07:00
Mitchell Hashimoto e8e55ef8b1 helper/backend: one callback per operation 2015-03-14 00:19:25 -07:00
Mitchell Hashimoto 7f87d9ea6f helper/backend: HandleRequest works 2015-03-13 23:58:20 -07:00
Mitchell Hashimoto d17c3d87d3 helper/backend: store captures for a path 2015-03-13 23:48:49 -07:00
Mitchell Hashimoto c4e35ffb7d helper/backend: cache route regexps (98% speedup)
benchmark                 old ns/op     new ns/op     delta
BenchmarkBackendRoute     49144         589           -98.80%
2015-03-13 23:25:17 -07:00
Mitchell Hashimoto e5871abf77 helper/backend: benchmark route 2015-03-13 23:22:48 -07:00
Mitchell Hashimoto 0751c5db12 helper/backend: basic path routing (naive) 2015-03-13 23:17:25 -07:00
Mitchell Hashimoto a68eb1a994 helper/backend: add default values 2015-03-13 21:15:20 -07:00
Mitchell Hashimoto 33a08fbfa0 helper/backend: start this thing 2015-03-13 21:11:19 -07:00
Mitchell Hashimoto d88c20e293 command/server: add config loading 2015-03-12 15:21:11 -07:00
Mitchell Hashimoto a524ef6537 helper/password: for reading passwords securely 2015-03-04 00:31:35 -08:00